Snort mailing list archives

Snort++ json Feature Requests


From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Thu, 22 Mar 2018 19:28:49 +0200

Hello,

I've been working on integrating snort++ json_alert output into Splunk, and
I have a few requests / comments:

1.  Add higher granularity for time in the "seconds" field
It would be nice if the seconds field also contained nanoseconds or milliseconds,
separated from the seconds by a period (GNU date-time format), for example:
1511592071.123456789 (for GNU date-time nanoseconds: date +%s.%N).
When processing a large number of events within one second, it would allow
for accurate ordering of those events.
It is easier to ingest the time if it's one string (1234567890.123456789),
rather than two fields (seconds=1234567890, nanoseconds=123456789).

2.  Include the text name of the generator in the output.
Right now, the GID for an alert has to be looked up in another table; it
would be nice if this info could be included in the alert (like you're
doing right now with the 'class' field, which is very helpful).
This was really difficult with snort 2, where you had to consider the
precedence of the sid-msg.map, gen-msg.map, and classification files
(thanks for making this simpler).  Having the json output from snort be
authoritative makes things much simpler.

3.  Is there a plan to move the gen-msg.map file in the snort-community
rules to v2?
Version 2 allows for a lot more information, and is it possible for this
information to be added to the json output (fewer table look-ups make life
easier with post-processing)?

4.  Is there a plan for implementing another json output for additional
information (for example extra output that can be enabled for the SMTP
processor like headers, and the To/from field, with unified2)?  I find this
output to be really helpful.  Maybe you could create a second logger (can
you have two loggers running at the same time?) to output extra data from
plugins to a separate json file?  This would also allow other plugins to
easily write extra data in a generic way (their own field names and data).


Otherwise, things are working great, I am a huge fan of the json logger.
Pulling data into Splunk and the ELK stack is a breeze, especially compared
to the old process of unified2 -> barnyard2 -> MySQL -> BASE/Snorby.

Thank you,
Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
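The post-processing that points 1 and 2 describe (building one sortable
timestamp from separate seconds/nanoseconds fields, and resolving a GID to its
generator text) as an added example; this is not part of Noah's message or of
Snort's own code. It assumes alert records carry integer `seconds` and
`nanoseconds` fields and that gen-msg.map uses a `gid || sid || msg` layout;
both inputs below are constructed samples.

```python
import json
from decimal import Decimal

# Constructed sample: three alerts in the two-field form the post describes,
# deliberately out of order within a single second.
SAMPLE_ALERTS = "\n".join([
    '{"seconds": 1511592071, "nanoseconds": 900000000, "gid": 1, "sid": 2, "msg": "b"}',
    '{"seconds": 1511592071, "nanoseconds": 123, "gid": 116, "sid": 4, "msg": "a"}',
    '{"seconds": 1511592070, "nanoseconds": 5, "gid": 1, "sid": 3, "msg": "c"}',
])

# Constructed gen-msg.map excerpt; the "gid || sid || msg" layout is an assumption.
SAMPLE_GEN_MSG_MAP = """\
# comment line
1 || 1 || snort general alert
116 || 4 || (snort_decoder) WARNING: Invalid IPv4 header length
"""

def load_gen_msg_map(text):
    """Return {(gid, sid): msg}; blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table

def make_timestamp(seconds, nanoseconds):
    """One GNU-style 'seconds.nanoseconds' string, nanoseconds zero-padded to
    9 digits (123 ns must become .000000123, not .123). Kept as a string and
    compared as Decimal: a float64 holds ~16 significant digits, so two events
    1 ns apart in the same epoch second collapse to the same float."""
    if not 0 <= nanoseconds < 1_000_000_000:
        raise ValueError("nanoseconds out of range")
    return f"{seconds}.{nanoseconds:09d}"

def normalize_alerts(json_lines, gen_msg_map):
    """Add 'timestamp' and 'generator' to each alert and order by exact time."""
    out = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["timestamp"] = make_timestamp(rec["seconds"], rec["nanoseconds"])
        rec["generator"] = gen_msg_map.get((rec["gid"], rec["sid"]), "unknown")
        out.append(rec)
    out.sort(key=lambda r: Decimal(r["timestamp"]))
    return out
```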