Re: unified2_extra_data

[Brad Tilley <rtilley () vt edu>]

On Thu, Jan 10, 2013 at 05:22:10PM -0500, Russ Combs wrote:
> Check the Snort manual under "Extra Data Configurations".  There are
> several types.  config log_ipv6_extra_data is one way.  http_inspect and
> smtp preprocessors also can capture extra data for logging.

I got some extra data written out by using config log_ipv6_extra (I don't parse it just yet, just note it and keep on 
going):

------------------
u2 header type: 110
header length: 48
offset: 2160
Extra Data not yet implemented.
------------------
u2 header type: 2
header length: 122
offset: 2216
Sensor_id: 0
Event_id: 7
Event_second: 1357905255
Packet_second: 1357905255
Packet_microsecond: 948346
Linktype: 1
Packet_length: 94
Packet: 
FFFFFFAA0004000A0400FFFFFFD001FFFFFFA6FFFFFFC800FFFFFF86FFFFFFDD600000000028063C200104680CFFFFFF80212F020C29FFFFFFFFFFFFFFFEFFFFFFFDFFFFFFCA2C200104680CFFFFFF80FFFFFFC1111A0373FFFFFFFFFFFFFFFE4D0B0DFFFFFFB67005FFFFFFF13D3620FFFFFFDA00000000FFFFFFA002384014070000020405FFFFFFA00402080AFFFFFF9DFFFFFFE772FFFFFFCD0000000001030307
------------------

I did not realize that the manual had the unified2 specification. I just read the source code, but the manual section 
makes for a nice reference.

Thanks to all the replies (on and off list).

Brad


------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!