Snort mailing list archives
Re: Snort syslog message format
From: Erek Adams <erek () snort org>
Date: Wed, 8 Jan 2003 11:36:16 -0500 (EST)
On Tue, 7 Jan 2003, Douglas Corner wrote:
Is there documentation describing what is posted to syslog? There seem to be several message formats, one for when rules fire and different formats for pre-processors. I am doing some programming to process Snort syslog messages and would like to be precise and complete.
Well, the only real docs on that are the source. And yes, there are 'different formats'. Many moons ago there was no real format for the output from plugins. That's starting to become more and more standardized.

Keep in mind the basic format is the same:

[xx:yyy:zz] <message>

Where xx is the Generator ID (GID), yyy is the Snort ID (SID), and zz is the Revision of the SID.

Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
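The parser below is an added example for the format Erek describes; it is not code from the original post or from the Snort project. It relies only on the one invariant stated above, that an alert starts with `[GID:SID:REV]` followed by a free-form message, and treats the trailer fields it also picks out (`[Classification: ...]`, `[Priority: N]`, `{PROTO} src -> dst`) as assumptions about how rule alerts are laid out rather than as anything the post specifies. The sample syslog lines, including their GID/SID values and addresses, are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The one invariant the reply gives: every alert carries [GID:SID:REV].
# Whatever follows the closing bracket is the plugin's free-form message.
ID_RE = re.compile(r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<rest>.*)')

# Trailer fields seen in rule alerts. Their layout is an assumption made for
# this example; preprocessor messages may carry none of them.
CLASS_RE = re.compile(r'\[Classification:\s*([^\]]*)\]')
PRIO_RE = re.compile(r'\[Priority:\s*(\d+)\]')
ADDR_RE = re.compile(r'\{(?P<proto>[^}]+)\}\s*(?P<src>\S+)\s*->\s*(?P<dst>\S+)')
TRAILER_MARKERS = ('[Classification:', '[Priority:', '{')


@dataclass
class SnortEvent:
    gid: int
    sid: int
    rev: int
    message: str
    classification: Optional[str] = None
    priority: Optional[int] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    @property
    def from_rule(self) -> bool:
        # Generator 1 is the rules engine; any other GID is a preprocessor,
        # whose message text follows its own conventions.
        return self.gid == 1


def parse_syslog_line(line: str) -> Optional[SnortEvent]:
    """Parse one syslog line; return None if it carries no [gid:sid:rev]."""
    m = ID_RE.search(line)
    if m is None:
        return None
    rest = m.group('rest')

    # The message runs from the id up to the first trailer field, if any.
    cut = len(rest)
    for marker in TRAILER_MARKERS:
        idx = rest.find(marker)
        if idx != -1 and idx < cut:
            cut = idx
    message = rest[:cut].rstrip().rstrip(':').rstrip()

    ev = SnortEvent(int(m.group('gid')), int(m.group('sid')),
                    int(m.group('rev')), message)
    cm = CLASS_RE.search(rest)
    if cm:
        ev.classification = cm.group(1).strip()
    pm = PRIO_RE.search(rest)
    if pm:
        ev.priority = int(pm.group(1))
    am = ADDR_RE.search(rest)
    if am:
        ev.proto, ev.src, ev.dst = am.group('proto'), am.group('src'), am.group('dst')
    return ev


def parse_syslog(lines: Iterable[str]) -> List[SnortEvent]:
    """Parse a batch of lines, silently skipping non-alert lines."""
    return [ev for ev in (parse_syslog_line(l) for l in lines) if ev is not None]


# Constructed sample input: a rule alert, two preprocessor alerts and one
# non-alert line, in the shape a Snort sensor might log via syslog.
SAMPLE_LINES = [
    "Jan  8 11:36:16 sensor snort[1234]: [1:2003:2] MS-SQL Worm propagation attempt "
    "[Classification: Misc Attack] [Priority: 2]: {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434",
    "Jan  8 11:36:17 sensor snort[1234]: [111:1:1] spp_stream4: STEALTH ACTIVITY "
    "(SYN FIN scan) detection {TCP} 192.0.2.10:1 -> 198.51.100.5:80",
    "Jan  8 11:36:18 sensor snort[1234]: [122:1:0] (portscan) TCP Portscan "
    "{PROTO:255} 192.0.2.10 -> 198.51.100.5",
    "Jan  8 11:36:19 sensor snort[1234]: Initialization Complete",
]

if __name__ == '__main__':
    for ev in parse_syslog(SAMPLE_LINES):
        kind = 'rule' if ev.from_rule else 'preproc'
        print(f"{kind:8} gid={ev.gid} sid={ev.sid} rev={ev.rev} "
              f"prio={ev.priority} {ev.proto} {ev.src} -> {ev.dst} :: {ev.message}")
```

Splitting on the `[gid:sid:rev]` prefix first and only then looking for optional trailer fields is what keeps the parser robust to the per-plugin variation the reply warns about: a preprocessor line that lacks classification and priority still yields a usable event, and a line with no id at all is rejected rather than mis-parsed.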
Current thread:
- Snort syslog message format Douglas Corner (Jan 07)
- Re: Snort syslog message format Erek Adams (Jan 08)