Snort mailing list archives

Re: u2 binary format question


From: Avery Rozar <avery.rozar () insecure-it com>
Date: Wed, 27 May 2015 17:26:11 -0400

I'll check these out, thanks!

On Wed, May 27, 2015 at 5:22 PM, Victor Roemer <viroemer () cisco com> wrote:

Huh, weird that was missed. Thanks for the heads up in documentation.

Have you checked "README.unified2" - this was the original outline, and
then was translated to latex for the pdf manual. It may be accurate.

Otherwise, take a look at "src/sfutil/Unified2_common.h" - if in doubt go
to the source.


On 5/26/15 12:48, Avery Rozar wrote:

In the snort_manual.pdf for 2.9.x it does not mention anything about the 2
extra bytes for "policy_id" before the 2 bytes of padding in the U2(V2)
Event.
(Question): Is it safe to assume this was just missed in the documentation
and I can move forward with the 2 bytes for "policy_id"?

Also, the U2 packet does not mention anything about the extra 4 bytes
for "packet seconds".
(Question): Is it also safe to assume this was just missed in the
documentation and I can move forward with the 4 bytes for "packet seconds"?
Is this the same for U2 extra data as well?


Thanks,
Avery Rozar


_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
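
Added example, not part of the thread or of Snort's own code: a Python reader for one unified2 packet record that includes the 4-byte "packet seconds" field asked about above and checks that the lengths agree. The field order, big-endian encoding, record type 2 and the length rule are assumptions taken from Serial_Unified2Packet in Snort 2.9.x's src/sfutil/Unified2_common.h; the function names and the sample bytes are constructed.

```python
import struct

# Assumed layout (Serial_Unified2Packet, Snort 2.9.x Unified2_common.h).
# All integers are big-endian (network byte order).
RECORD_HEADER = struct.Struct(">II")      # record type, record length
PACKET_FIXED = struct.Struct(">IIIIIII")  # the seven fields named in FIELDS
UNIFIED2_PACKET = 2                       # record type of a packet record
FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
          "packet_microsecond", "linktype", "packet_length")


def parse_packet_record(buf, offset=0):
    """Parse one unified2 packet record; return (fields dict, next offset)."""
    if len(buf) - offset < RECORD_HEADER.size:
        raise ValueError("truncated record header")
    rtype, rlen = RECORD_HEADER.unpack_from(buf, offset)
    if rtype != UNIFIED2_PACKET:
        raise ValueError(f"not a packet record (type {rtype})")
    body = offset + RECORD_HEADER.size
    if rlen < PACKET_FIXED.size or len(buf) - body < rlen:
        raise ValueError("record length too short or body truncated")
    rec = dict(zip(FIELDS, PACKET_FIXED.unpack_from(buf, body)))
    # Consistency check: with packet_second counted, the fixed part is 28
    # bytes. A reader or writer using a 24-byte layout (no packet_second)
    # fails here, because packet_length is read from the wrong offset.
    if PACKET_FIXED.size + rec["packet_length"] != rlen:
        raise ValueError("packet_length does not match record length")
    start = body + PACKET_FIXED.size
    rec["packet_data"] = bytes(buf[start:start + rec["packet_length"]])
    return rec, body + rlen


def build_sample():
    """Constructed sample record (not captured Snort output)."""
    data = bytes.fromhex("deadbeef0102")
    fixed = PACKET_FIXED.pack(1, 42, 1432761971, 1432761970, 123456, 1, len(data))
    return RECORD_HEADER.pack(UNIFIED2_PACKET, len(fixed) + len(data)) + fixed + data


if __name__ == "__main__":
    print(parse_packet_record(build_sample()))
```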


