Snort mailing list archives
Snort++ json Feature Requests
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Thu, 22 Mar 2018 19:28:49 +0200
Hello,

I've been working on integrating snort++ json_alert output into Splunk, and I have a few requests / comments:

1. Add higher granularity for time in the "seconds" field. It would be nice if the seconds field also contained nano- or milliseconds, separated from the seconds by a period (GNU date-time format), for example: 1511592071.123456789 (for GNU date-time nanoseconds: date +%s.%N). When processing a large number of events within one second, it would allow for accurate ordering of those events. It is easier to ingest the time if it's one string (1234567890.123456789), rather than two fields (seconds=1234567890, nanoseconds=123456789).

2. Include the text name of the generator in the output. Right now, the GID for an alert has to be looked up in another table; it would be nice if this info could be included in the alert (like you're doing right now with the 'class' field, this is very helpful). This was really difficult with snort 2, where you had to consider the precedence of the sid-msg.map, gen-msg.map, and classification files (thanks for making this simpler). Having the json output from snort be authoritative makes things much simpler.

3. Is there a plan to move the gen-msg.map file in the snort-community rules to v2? Version 2 allows for a lot more information, and is it possible for this information to be added to the json output (fewer table look-ups make life easier with post-processing)?

4. Is there a plan for implementing another json output for additional information (for example, extra output that can be enabled for the SMTP processor like headers and the To/From field, with unified2)? I find this output to be really helpful. Maybe you could create a second logger (can you have two loggers running at the same time?) to output extra data from plugins to a separate json file? This would also allow other plugins to easily write extra data in a generic way (their own field names and data).

Otherwise, things are working great, I am a huge fan of the json logger. Pulling data into Splunk and the ELK stack is a breeze, especially compared to the old process of unified2 -> barnyard2 -> mySQL -> BASE/Snorby.

Thank you,
Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
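Until such fields exist in the logger itself, points 1 and 2 of the message above can be handled in a post-processing step before the alerts reach Splunk or ELK. The script below is an added example and is not part of the original message or of the Snort project; it assumes line-delimited JSON alerts with "seconds", "gid" and "sid" keys, treats an optional "nanoseconds" key as the hypothetical field the message requests (absent in current output, so it defaults to 0), and looks the generator text up in a constructed gen-msg.map fragment in the v1 "gid || sid || message" layout. The combined time is built and sorted as a Decimal string, because a JSON float would silently lose the nanosecond digits.

```python
import json
from decimal import Decimal

# Constructed sample alerts modelled on snort++ json_alert output (field set is
# an assumption). The fourth line has no "nanoseconds" key, as current output.
SAMPLE_ALERTS = """\
{"seconds": 1511592071, "nanoseconds": 900000000, "gid": 1, "sid": 1000001, "rev": 1, "msg": "TEST rule B", "class": "none", "priority": 3}
{"seconds": 1511592071, "nanoseconds": 123456789, "gid": 1, "sid": 1000000, "rev": 1, "msg": "TEST rule A", "class": "none", "priority": 3}
{"seconds": 1511592070, "nanoseconds": 5, "gid": 116, "sid": 3, "rev": 1, "msg": "decoder event", "class": "protocol-command-decode", "priority": 3}
{"seconds": 1511592071, "gid": 1, "sid": 1000002, "rev": 1, "msg": "TEST rule C", "class": "none", "priority": 3}
"""

# Constructed gen-msg.map fragment in the v1 layout (gid || sid || message).
GEN_MSG_MAP = """\
# constructed subset for this example
1 || 1 || snort general alert
116 || 3 || decoder: constructed message for gid 116 sid 3
"""


def parse_gen_msg_map(text):
    """Map (gid, sid) -> message text from a v1-layout gen-msg.map."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 3:
            continue  # malformed line: skip rather than abort ingestion
        table[(int(fields[0]), int(fields[1]))] = fields[2]
    return table


def gnu_timestamp(event):
    """Return 'seconds.nanoseconds' as one string (the `date +%s.%N` form).

    A missing "nanoseconds" field (current snort output) is treated as 0 so
    old and new alerts sort consistently; out-of-range values are rejected.
    """
    secs = int(event["seconds"])
    ns = int(event.get("nanoseconds", 0))
    if not 0 <= ns < 1_000_000_000:
        raise ValueError(f"nanoseconds out of range: {ns}")
    return f"{secs}.{ns:09d}"


def enrich_and_sort(alert_text, gen_map):
    """Parse JSON lines, add event_time and generator, sort by precise time."""
    events = []
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["event_time"] = gnu_timestamp(ev)
        ev["generator"] = gen_map.get((ev["gid"], ev["sid"]), "unknown")
        events.append(ev)
    # Decimal keeps all nine fractional digits; float would collapse some.
    events.sort(key=lambda e: Decimal(e["event_time"]))
    return events


if __name__ == "__main__":
    for ev in enrich_and_sort(SAMPLE_ALERTS, parse_gen_msg_map(GEN_MSG_MAP)):
        print(json.dumps(ev))
```

Each output line carries the single-string time the message asks for, so a Splunk or Logstash timestamp extractor only has to read one field, and the "generator" key removes the external lookup at query time. Unknown (gid, sid) pairs are tagged "unknown" rather than dropped, so a stale map never loses alerts.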