Snort mailing list archives
Unified2 with EXTRA_DATA fields
From: Jaime Blasco <jaime.blasco () alienvault com>
Date: Thu, 24 May 2012 13:14:07 +0200
Hi,

I want to explain a problem that we have while adapting our Unified2 parser to the new extra-data fields. The problem is that when you want to parse the events in real time you don't have a way to know if the Event will have an ExtraData later in the file.

Example:

    (Event)
    sensor id: 0 event id: 31 event second: 1337848659 event microsecond: 228367
    sig id: 99999 gen id: 1 revision: 1 classification: 0
    priority: 0 ip source: 188.40.16.205 ip destination: 192.168.2.183
    src port: 80 dest port: 49892 protocol: 6 impact_flag: 0 blocked: 0

    Packet
    sensor id: 0 event id: 31 event second: 1337848659
    packet second: 1337848659 packet microsecond: 228367
    linktype: 1 packet_length: 1506
    ...
    ...

    (ExtraDataHdr)
    event type: 4 event length: 62

    (ExtraData)
    sensor id: 0 event id: 14 event second: 1337848659
    type: 9 datatype: 1 bloblength: 38 HTTP URI: /forums/showthread.php?t=57055

    (ExtraDataHdr)
    event type: 4 event length: 50

    (ExtraData)
    sensor id: 0 event id: 14 event second: 1337848659
    type: 10 datatype: 1 bloblength: 26 HTTP Hostname: www.howtoforge.com

    (ExtraDataHdr)
    event type: 4 event length: 62

    (ExtraData)
    sensor id: 0 event id: 15 event second: 1337848659
    type: 9 datatype: 1 bloblength: 38 HTTP URI: /forums/showthread.php?t=57055

    (ExtraDataHdr)
    event type: 4 event length: 50

    (ExtraData)
    sensor id: 0 event id: 15 event second: 1337848659
    type: 10 datatype: 1 bloblength: 26 HTTP Hostname: www.howtoforge.com
    ...

So, is there a way of knowing if an Event will have an ExtraData entry later?

Best Regards
--
Jaime Blasco
AlienVault Labs Manager
www.ossim.com
labs.alienvault.com
Email: jaime.blasco () alienvault com
http://twitter.com/jaimeblascob
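The following is an added example, not code from the message or from the Snort project: a small Python reader that walks a Unified2 stream record by record and joins packet and EXTRA_DATA records to their event using the only link the format provides, the (sensor id, event id, event second) triple. It does not predict whether extra data will follow an event; it shows what a real-time consumer has to keep around so that extra data arriving later in the file can still be attached. Record type numbers (2 packet, 7 legacy IDS event, 110 extra data, header event type 4) follow the public Unified2 layout; the sample stream is constructed from the values in the dump above, with the URI and hostname records assigned to event 31 and one stray record for event id 14, which this buffer never saw, so that the orphan case is exercised too. The packet payload is a constructed placeholder.

```python
"""Stream-parse Unified2 records and correlate late EXTRA_DATA by event key."""
import ipaddress
import struct
from collections import defaultdict

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7        # legacy 52-byte IPv4 event record
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPE_EXTRA_DATA = 4     # value carried in ExtraDataHdr.event_type
EXTRA_DATA_NAMES = {9: "HTTP URI", 10: "HTTP Hostname"}   # types seen in the dump


def build_ids_event(sensor_id, event_id, event_second, event_usec, sig_id, gen_id,
                    rev, classification, priority, src_ip, dst_ip, sport, dport, proto):
    """Serialise a Unified2IDSEvent (network byte order) with its record header."""
    body = struct.pack("!11I2H4B", sensor_id, event_id, event_second, event_usec,
                       sig_id, gen_id, rev, classification, priority, src_ip, dst_ip,
                       sport, dport, proto, 0, 0, 0)          # impact_flag, impact, blocked
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id, event_id, event_second, pkt_second, pkt_usec, linktype, data):
    body = struct.pack("!7I", sensor_id, event_id, event_second, pkt_second,
                       pkt_usec, linktype, len(data)) + data
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body


def build_extra_data(sensor_id, event_id, event_second, xd_type, blob):
    """ExtraDataHdr + Unified2ExtraData + blob. blob_length counts the data_type
    and blob_length fields as well as the blob, hence the +8 (38 for a 30-byte URI)."""
    inner = struct.pack("!6I", sensor_id, event_id, event_second, xd_type, 1, len(blob) + 8) + blob
    body = struct.pack("!II", EVENT_TYPE_EXTRA_DATA, 8 + len(inner)) + inner
    return struct.pack("!II", UNIFIED2_EXTRA_DATA, len(body)) + body


def iter_records(buf):
    """Yield (type, payload) pairs. A truncated tail ends iteration cleanly,
    which is what a live reader sees while the sensor is still writing."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from("!II", buf, off)
        if off + 8 + rlen > len(buf):
            break
        yield rtype, buf[off + 8: off + 8 + rlen]
        off += 8 + rlen


def parse_record(rtype, payload):
    """Decode the three record kinds the dump shows; key = (sensor, event id, second)."""
    if rtype == UNIFIED2_IDS_EVENT:
        f = struct.unpack("!11I2H4B", payload)
        return {"kind": "event", "key": f[:3], "sig_id": f[4], "gen_id": f[5],
                "src": str(ipaddress.IPv4Address(f[9])), "dst": str(ipaddress.IPv4Address(f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13]}
    if rtype == UNIFIED2_PACKET:
        f = struct.unpack_from("!7I", payload)
        return {"kind": "packet", "key": f[:3], "linktype": f[5],
                "packet_length": f[6], "data": payload[28:28 + f[6]]}
    if rtype == UNIFIED2_EXTRA_DATA:
        f = struct.unpack_from("!6I", payload, 8)          # skip the 8-byte ExtraDataHdr
        blob = payload[32:32 + f[5] - 8]
        return {"kind": "extra", "key": f[:3], "type": f[3],
                "name": EXTRA_DATA_NAMES.get(f[3], "type %d" % f[3]),
                "value": blob.decode("ascii", "replace")}
    return {"kind": "unknown", "type": rtype}


def correlate(buf):
    """Attach packets and extra data to the event with the same key. Extra data
    whose event is not (yet) known is held as an orphan instead of being dropped."""
    events, orphans = {}, defaultdict(list)
    for rtype, payload in iter_records(buf):
        rec = parse_record(rtype, payload)
        if rec["kind"] == "event":
            events[rec["key"]] = {"event": rec, "packets": [], "extra": []}
        elif rec["kind"] in ("packet", "extra"):
            bucket = events.get(rec["key"])
            if bucket is None:
                orphans[rec["key"]].append(rec)
            else:
                bucket["packets" if rec["kind"] == "packet" else "extra"].append(rec)
    return events, dict(orphans)


def build_sample():
    """Constructed stream mirroring the dump: event and packet first, extra data later."""
    key = (0, 31, 1337848659)
    src = int(ipaddress.IPv4Address("188.40.16.205"))
    dst = int(ipaddress.IPv4Address("192.168.2.183"))
    return b"".join([
        build_ids_event(*key, 228367, 99999, 1, 1, 0, 0, src, dst, 80, 49892, 6),
        build_packet(*key, 1337848659, 228367, 1, b"\x00" * 14),   # placeholder packet bytes
        build_extra_data(*key, 9, b"/forums/showthread.php?t=57055"),
        build_extra_data(*key, 10, b"www.howtoforge.com"),
        build_extra_data(0, 14, 1337848659, 9, b"/forums/showthread.php?t=57055"),  # stray
    ])


if __name__ == "__main__":
    evs, orph = correlate(build_sample())
    for k, b in evs.items():
        print(k, b["event"]["src"], "->", b["event"]["dst"],
              [(x["name"], x["value"]) for x in b["extra"]])
    print("orphans:", {k: len(v) for k, v in orph.items()})
```

Because the join key is all the format offers, a streaming consumer cannot close an event's record when it reads the event itself; it has to keep the bucket open and decide on its own when to stop waiting for extra data (for example, on the next event from the same sensor or after a time budget), which is the gap the question above describes.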
Current thread:
- Unified2 with EXTRA_DATA fields Jaime Blasco (May 24)
- Re: Unified2 with EXTRA_DATA fields beenph (May 24)
- Re: Unified2 with EXTRA_DATA fields Jaime Blasco (May 25)
- Re: Unified2 with EXTRA_DATA fields Steven Sturges (May 25)
- Re: Unified2 with EXTRA_DATA fields Jaime Blasco (May 25)
- Re: Unified2 with EXTRA_DATA fields beenph (May 24)
