Snort mailing list archives
Re: Extending unified2 output with custom information from dynamic preprocessor
From: Russ via Snort-devel <snort-devel () lists snort org>
Date: Mon, 4 Sep 2017 09:29:14 -0400
Good job. The new information sounds like what Snort calls u2 "extra data". Extra data handling is a bit involved, so before you get too far make sure you have something that can consume the extra data. Barnyard2 and Snorby do not handle u2 extra data.

On 9/2/17 3:46 AM, Jan Hermes wrote:
> Hello, I developed a dynamic preprocessor that extracts custom important information out of network packets that is not included in the unified2 output. Under the following assumptions:
>
> - There is a fully working dynamic preprocessor SNIFF that works on a new network protocol
> - I wrote a rule that makes SNIFF trigger a Snort alert with a custom message if a specified source name was matched.
> - The message is in the form of ** (...) sourcename -> destname etc...**; it gets created in the SNIFF preprocessor and added to the alert message.
> - Normal console alerts or alert.log are showing this additional information
> - The unified2 output, with its specified information in different variables, is not showing any of this additional alert message information
>
> Is there a way to add new information to the unified2 output? If yes, can you point me towards a specific direction?

If you still want to go for it, have a look at these files:

./src/sfutil/Unified2_common.h -- look for UNIFIED2_EXTRA_DATA, SerialUnified2ExtraData, and related
./src/output-plugins/spo_unified2.c -- look for _WriteExtraData, etc.
./src/preprocessors/Stream6/snort_stream_tcp.c -- read the "extra, extra" comments
./src/preprocessors/stream_api.h -- look for the *xtra* methods
./src/dynamic-preprocessors/smtp/smtp_util.c
./src/preprocessors/snort_httpinspect.c -- calls to set_extra_data, clear_extra_data
./tools/u2spewfoo/u2spewfoo.c -- extradata_dump

Hope that helps.

Russ

> Thanks and Greetings
> Jan
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-devel
> Please visit http://blog.snort.org for the latest news about Snort!
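Russ's main caveat is that extra data is useless unless something downstream can read it. As an added illustration (not code from this thread or from Snort), here is a small consumer for UNIFIED2_EXTRA_DATA records that correlates them to an event id and rejects malformed length fields. The field layout follows Unified2_common.h as I recall it (big-endian 32-bit fields; verify against your tree), and the SNIFF type value 200 and the sample stream are constructed placeholders.

```python
import struct

# Layout per Snort's Unified2_common.h as recalled here (check your tree). All big-endian.
UNIFIED2_EXTRA_DATA = 110      # record type for "extra data"
EVENT_TYPE_EXTRA_DATA = 4      # Unified2ExtraDataHdr.event_type
EVENT_DATA_TYPE_BLOB = 1       # SerialUnified2ExtraData.data_type
REC_HDR = struct.Struct("!II")   # Unified2RecordHeader: type, length
XHDR = struct.Struct("!II")      # Unified2ExtraDataHdr: event_type, event_length
SERIAL = struct.Struct("!6I")    # SerialUnified2ExtraData: sensor_id, event_id,
                                 #   event_second, type, data_type, blob_length

def build_extra_data(sensor_id, event_id, event_second, info_type, blob):
    """Build one complete UNIFIED2_EXTRA_DATA record (record header + body)."""
    # blob_length covers the blob plus the data_type and blob_length fields (8 bytes)
    serial = SERIAL.pack(sensor_id, event_id, event_second, info_type,
                         EVENT_DATA_TYPE_BLOB, len(blob) + 8)
    body = XHDR.pack(EVENT_TYPE_EXTRA_DATA, XHDR.size + len(serial) + len(blob)) + serial + blob
    return REC_HDR.pack(UNIFIED2_EXTRA_DATA, len(body)) + body

def parse_extra_data(body):
    """Decode the body of a UNIFIED2_EXTRA_DATA record; raise ValueError if malformed."""
    if len(body) < XHDR.size + SERIAL.size:
        raise ValueError("extra data record shorter than its fixed headers")
    event_type, event_length = XHDR.unpack_from(body, 0)
    if event_type != EVENT_TYPE_EXTRA_DATA or event_length != len(body):
        raise ValueError("extra data header does not match record length")
    sensor_id, event_id, event_second, info_type, data_type, blob_length = \
        SERIAL.unpack_from(body, XHDR.size)
    if data_type != EVENT_DATA_TYPE_BLOB:
        raise ValueError("unknown extra data encoding %d" % data_type)
    start, data_len = XHDR.size + SERIAL.size, blob_length - 8
    if data_len < 0 or start + data_len > len(body):   # never trust blob_length blindly
        raise ValueError("blob_length points outside the record")
    return {"sensor_id": sensor_id, "event_id": event_id, "event_second": event_second,
            "type": info_type, "blob": body[start:start + data_len]}

def iter_records(stream):
    """Walk a unified2 byte stream yielding (record_type, body); error on a truncated tail."""
    off = 0
    while off + REC_HDR.size <= len(stream):
        rtype, rlen = REC_HDR.unpack_from(stream, off)
        off += REC_HDR.size
        if off + rlen > len(stream):
            raise ValueError("record truncated at offset %d" % off)
        yield rtype, stream[off:off + rlen]
        off += rlen

def extra_data_for_event(stream, event_id):
    """Return decoded extra data records whose event_id matches (the correlation key)."""
    recs = [parse_extra_data(b) for t, b in iter_records(stream) if t == UNIFIED2_EXTRA_DATA]
    return [r for r in recs if r["event_id"] == event_id]

CUSTOM_SNIFF_TYPE = 200   # hypothetical value for the SNIFF string, not a Snort-defined type
SAMPLE = (REC_HDR.pack(7, 16) + b"\x00" * 16   # constructed placeholder record of another type
          + build_extra_data(1, 42, 1504342000, CUSTOM_SNIFF_TYPE, b"sensorA -> plcB")
          + build_extra_data(1, 43, 1504342001, CUSTOM_SNIFF_TYPE, b"other -> event"))
```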
