RE: Program that reads unified log format natively

[Erek Adams <erek () snort org>]

On Fri, 24 Oct 2003, Williams Jon wrote:

> This gets into one of the fundamental problems that I've had with
> barnyard in the first place.  Today, we use snort to log directly to
> libpcap-format files locally and send the data across the net to the DB
> server.  As I understand it, in order to have the same two functions
> (i.e. being able to use any libpcap-based tool to read the local files
> and data aggregation via the DB), I end up having to have nearly
> duplicate log files on my sensors, one in unified format that is then
> read and converted into libpcap.
>
> I understand the Snort Team's motiviation behind externalizing the log
> processing, but by choosing a proprietary format for the first pass,
> they've either doubled the amount of disk space I need for logs or made
> a feature that I won't use.

Actaully, it's all good.  :)

Unified format is very similar to pcap.  There are a few minor tweaks, but
very similar for the most part.  With that said....  Dragos has written a
Unified to Pcap converter that he posted here some time ago [0].

Spool with one, convert to the other for storage onto CD or whatever.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://marc.theaimsgroup.com/?l=snort-users&m=102967603902978&w=2


-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users