Snort mailing list archives
Re: Initial public release: Charlotte
From: Russ via Snort-users <snort-users () lists snort org>
Date: Mon, 26 Mar 2018 09:21:58 -0400
Snort 3 does generate u2 logs but we are transitioning to other, better supported formats like JSON (available now) and FlatBuffers (available now for perf stats, planned for IPS events). Pseudo-packets and "extra data" are two of the areas where better support is desired.
Snort 3 does not generate pseudo-packets for all IPS events the way Snort 2 does since most events are on buffers, not packets. E.g., dechunked, decompressed HTTP really doesn't have a wire packet. It is just a block of data associated with a flow and Snort 3 wants to log it that way. However, it generates a pseudo-packet just for u2 logging. The difference with Snort 2 is that the Snort 3 pseudo-packet is always eth:ip:tcp (ip4 or ip6) and not the full encapsulations present on the flow.
Extra data refers to additional buffers for which Snort 2 does not generate a pseudo-packet but that provide context for an IPS event, such as SMTP RCPTTO and HTTP hostname. Several such extra data buffers have been logged by Snort 2 for years and never supported by Barnyard2 or Snorby. The intent is to eliminate all "extra data" and just log everything as either packets (when a wire packet alerts) or buffers.
JSON is not as compact but the flexibility and ease of use are hard to beat. Data is encoded in base64. If you want to discuss possible updates for Charlotte, please contact me and I'll be glad to assist.
Thanks
Russ

On 3/26/18 8:50 AM, Richard Monk via Snort-users wrote:
> On 03/21/2018 09:07 PM, alanyeowork--- via Snort-users wrote:
>> Snort for Barnyard2 still not compatible for Snort3 .. It is fixed?
> I was under the impression that snort3 output unified2 files, just like snort2? I haven't looked at it, but if something is different I could always take a look at including support in Charlotte.

_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
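As an added example (not code from this thread, from Snort, or from Charlotte), here is a small Python parser that takes one JSON alert record, base64-decodes the packet data, and walks the eth:ip:tcp pseudo-packet framing Russ describes, handling both IPv4 and IPv6 and rejecting anything else. The record field name `b64_data` and the sample alert are assumptions constructed for this example.

```python
import base64
import json
import socket
import struct

def parse_pseudo_packet(raw: bytes) -> dict:
    """Walk the eth:ip:tcp framing of a Snort 3 pseudo-packet (IPv4 or IPv6, no extra encapsulation)."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    off = 14
    if ethertype == 0x0800:  # IPv4: IHL in low nibble, protocol at byte 9
        ihl = (raw[off] & 0x0F) * 4
        proto = raw[off + 9]
        src = socket.inet_ntop(socket.AF_INET, raw[off + 12:off + 16])
        dst = socket.inet_ntop(socket.AF_INET, raw[off + 16:off + 20])
        off += ihl
    elif ethertype == 0x86DD:  # IPv6: fixed 40-byte header, next header at byte 6
        proto = raw[off + 6]
        src = socket.inet_ntop(socket.AF_INET6, raw[off + 8:off + 24])
        dst = socket.inet_ntop(socket.AF_INET6, raw[off + 24:off + 40])
        off += 40
    else:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not IP; pseudo-packets are always eth:ip:tcp")
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    sport, dport = struct.unpack("!HH", raw[off:off + 4])
    data_off = (raw[off + 12] >> 4) * 4  # TCP data offset, in 32-bit words
    return {"ip_version": 4 if ethertype == 0x0800 else 6, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "payload": raw[off + data_off:]}

def decode_alert(line: str) -> dict:
    """Parse one JSON alert line; `b64_data` is an assumed field name carrying the base64 packet."""
    rec = json.loads(line)
    pkt = parse_pseudo_packet(base64.b64decode(rec["b64_data"]))
    pkt["msg"] = rec["msg"]
    return pkt

def build_sample_packet() -> bytes:
    """Constructed eth:ip4:tcp frame wrapping a dechunked HTTP buffer (sample input, not Snort output)."""
    payload = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

# Constructed alert record, not real Snort output
SAMPLE_ALERT = json.dumps({"msg": "constructed test alert",
                           "b64_data": base64.b64encode(build_sample_packet()).decode()})
```

Calling `decode_alert(SAMPLE_ALERT)` returns the endpoints, ports and the decoded HTTP buffer, which is the context a consumer like Charlotte would need in place of the old u2 "extra data" records.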
Current thread:
- Initial public release: Charlotte Richard Monk via Snort-users (Mar 21)
- Re: Initial public release: Charlotte Y M via Snort-users (Mar 21)
- Re: Initial public release: Charlotte alanyeowork--- via Snort-users (Mar 21)
- Re: Initial public release: Charlotte Richard Monk via Snort-users (Mar 26)
- Re: Initial public release: Charlotte Russ via Snort-users (Mar 26)
- Re: Initial public release: Charlotte Richard Monk via Snort-users (Mar 28)
- Re: Initial public release: Charlotte alanyeowork--- via Snort-users (Mar 21)
- Re: Initial public release: Charlotte Y M via Snort-users (Mar 21)