Snort mailing list archives
Re: Initial public release: Charlotte
From: Richard Monk via Snort-users <snort-users () lists snort org>
Date: Wed, 28 Mar 2018 14:29:15 -0400
On 03/26/2018 09:21 AM, Russ via Snort-users wrote:
Snort 3 does generate u2 logs, but we are transitioning to other, better supported formats like JSON (available now) and FlatBuffers (available now for perf stats, planned for IPS events). Pseudo-packets and "extra data" are two of the areas where better support is desired. Snort 3 does not generate pseudo-packets for all IPS events the way Snort 2 does, since most events are on buffers, not packets. E.g., dechunked, decompressed HTTP really doesn't have a wire packet. It is just a block of data associated with a flow, and Snort 3 wants to log it that way. However, it generates a pseudo-packet just for u2 logging. The difference with Snort 2 is that the Snort 3 pseudo-packet is always eth:ip:tcp (ip4 or ip6) and not the full encapsulations present on the flow. Extra data refers to additional buffers for which Snort 2 does not generate a pseudo-packet but that provide context for an IPS event, such as SMTP RCPTTO and HTTP hostname. Several such extra data buffers have been logged by Snort 2 for years and never supported by Barnyard2 or Snorby. The intent is to eliminate all "extra data" and just log everything as either packets (when a wire packet alerts) or buffers. JSON is not as compact, but the flexibility and ease of use are hard to beat. Data is encoded in base64. If you want to discuss possible updates for Charlotte, please contact me and I'll be glad to assist.
If it's in JSON, it'll be about a million times easier to process; JSON is supported pretty easily in Python. I think that would be the way to go for Snort 3 support.

--
Richard Monk (rmonk () redhat com) - Senior Principal Security Analyst
Red Hat Inc. - Raleigh NC
GPG Key ID: 0x766EB165942CDB25
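To make the point concrete, here is an added example (not code from the Charlotte project, Snort, or either poster) of the kind of Python consumer the reply has in mind: it reads newline-delimited Snort 3 JSON alert output, base64-decodes the logged buffer, and tolerates the failure modes a real log tail produces (records without a buffer, a corrupted base64 value, a truncated non-JSON line). The field names (`timestamp`, `gid`, `sid`, `rev`, `msg`, `proto`, `service`, `src_ap`, `dst_ap`, `b64_data`) are assumed to match Snort 3's alert_json output; the page itself names none of them, and all sample records, addresses and rule messages are constructed.

```python
"""Parse newline-delimited Snort 3 alert_json output and decode b64_data.

Constructed example, not code from the Charlotte project or from Snort.
Field names (timestamp, gid, sid, rev, msg, proto, service, src_ap, dst_ap,
b64_data) are assumed to match Snort 3's alert_json output; the sample
records below are constructed for this example.
"""
import base64
import binascii
import json
from collections import Counter

# Constructed payload: the dechunked/decompressed HTTP request buffer that
# Snort 3 logs as a base64 buffer rather than as a wire packet.
_HTTP_BUFFER = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

# Constructed sample log lines (one JSON object per line, as alert_json emits).
SAMPLE_LINES = [
    json.dumps({
        "timestamp": "03/28-14:29:15.000001",
        "gid": 1, "sid": 1000001, "rev": 1,
        "msg": "EXAMPLE HTTP request to monitored server",   # hypothetical rule
        "proto": "TCP", "service": "http",
        "src_ap": "192.0.2.10:51234", "dst_ap": "198.51.100.20:80",
        "b64_data": base64.b64encode(_HTTP_BUFFER).decode("ascii"),
    }),
    json.dumps({
        "timestamp": "03/28-14:29:16.000002",
        "gid": 1, "sid": 1000002, "rev": 1,
        "msg": "EXAMPLE ICMP echo seen",                      # hypothetical rule
        "proto": "ICMP", "service": "unknown",
        "src_ap": "192.0.2.11:0", "dst_ap": "198.51.100.20:0",
        # no b64_data: this event carries no payload buffer
    }),
    json.dumps({
        "timestamp": "03/28-14:29:17.000003",
        "gid": 1, "sid": 1000001, "rev": 1,
        "msg": "EXAMPLE HTTP request to monitored server",
        "proto": "TCP", "service": "http",
        "src_ap": "192.0.2.12:51235", "dst_ap": "198.51.100.20:80",
        "b64_data": "!!!not-valid-base64!!!",   # corrupted record
    }),
    "this line is not JSON at all",              # truncated or garbled write
]


def decode_b64_data(value):
    """Strictly decode a base64 buffer; return None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_alert_line(line):
    """Parse one alert_json line into a dict, or return None if it is not JSON.

    Adds two keys: "data" (decoded bytes, or None when b64_data is absent or
    undecodable) and "data_error" (True only when b64_data was present but bad).
    """
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    encoded = record.get("b64_data")
    record["data"] = decode_b64_data(encoded) if encoded is not None else None
    record["data_error"] = encoded is not None and record["data"] is None
    return record


def parse_alert_lines(lines):
    """Parse every line; non-JSON lines are counted and skipped, not fatal."""
    records, bad = [], 0
    for line in lines:
        rec = parse_alert_line(line)
        if rec is None:
            bad += 1
        else:
            records.append(rec)
    return records, bad


def summarize(records):
    """Count events per (gid, sid) rule id."""
    return Counter((r["gid"], r["sid"]) for r in records)


def http_host(record):
    """Return the Host header from a decoded HTTP buffer, or None if absent."""
    if not record.get("data"):
        return None
    for raw in record["data"].split(b"\r\n"):
        if raw.lower().startswith(b"host:"):
            return raw.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


if __name__ == "__main__":
    recs, bad_lines = parse_alert_lines(SAMPLE_LINES)
    print(f"parsed {len(recs)} records, skipped {bad_lines} non-JSON lines")
    for r in recs:
        print(r["timestamp"], r["gid"], r["sid"], r["msg"],
              "host=" + str(http_host(r)), "data_error=" + str(r["data_error"]))
    print(summarize(recs))
```

Decoding with `validate=True` matters: the permissive default silently discards non-alphabet characters, so a corrupted record would yield plausible-looking garbage instead of being flagged. Reading the buffer back out (here, the HTTP Host header) is exactly the context that the "extra data" discussion above says u2 consumers never had a good way to see.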