Snort mailing list archives

Re: Initial public release: Charlotte


From: Richard Monk via Snort-users <snort-users () lists snort org>
Date: Wed, 28 Mar 2018 14:29:15 -0400

On 03/26/2018 09:21 AM, Russ via Snort-users wrote:
> Snort 3 does generate u2 logs but we are transitioning to other, better
> supported formats like JSON (available now) and FlatBuffers (available now for
> perf stats, planned for IPS events).  Pseudo-packets and "extra data" are two of
> the areas where better support is desired.
>
> Snort 3 does not generate pseudo-packets for all IPS events the way Snort 2 does
> since most events are on buffers, not packets.  E.g., dechunked, decompressed HTTP
> really doesn't have a wire packet.  It is just a block of data associated with a
> flow and Snort 3 wants to log it that way.  However, it generates a
> pseudo-packet just for u2 logging.  The difference with Snort 2 is that the
> Snort 3 pseudo-packet is always eth:ip:tcp (ip4 or ip6) and not the full
> encapsulations present on the flow.
>
> Extra data refers to additional buffers for which Snort 2 does not generate a
> pseudo-packet but that provide context for an IPS event, such as SMTP RCPTTO and
> HTTP hostname.  Several such extra data buffers have been logged by Snort 2 for
> years and never supported by Barnyard2 or Snorby.  The intent is to eliminate
> all "extra data" and just log everything as either packets (when a wire packet
> alerts) or buffers.
>
> JSON is not as compact but the flexibility and ease of use are hard to beat.
> Data is encoded in base64.  If you want to discuss possible updates for
> Charlotte, please contact me and I'll be glad to assist.

If it's in JSON it'll be about a million times easier to process; JSON is
supported pretty easily in Python.  I think that would be the way to go for
Snort 3 support.


-- 
Richard Monk (rmonk () redhat com) - Senior Principal Security Analyst
Red Hat Inc. - Raleigh NC
GPG Key ID: 0x766EB165942CDB25
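The JSON alert handling discussed in this thread, as an added example that is not part of the original messages and not Snort's own code: a small Python consumer for newline-delimited Snort 3 JSON alerts that base64-decodes the logged data and, where the decoded bytes dissect as the eth:ip:tcp (ip4 or ip6) pseudo-packet Russ describes, pulls out the addresses, ports and payload. Field names such as b64_data, msg, rule, src_ap and dst_ap are assumptions made here (they follow what Snort 3's alert_json output emits as far as I know, but the thread does not state them); the alert lines and the eth:ip4:tcp frame are constructed test input. Decoded data that does not dissect as a frame is kept as an opaque buffer, which is how the thread says buffer-based events will be logged.

```python
import base64
import binascii
import ipaddress
import json
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_HDR_LEN = 14
ETHERTYPE_IP4 = 0x0800
ETHERTYPE_IP6 = 0x86DD
IPPROTO_TCP = 6


@dataclass
class PseudoPacket:
    """Fields recovered from an eth:ip:tcp pseudo-packet (assumed Snort 3 layout)."""
    ip_version: int
    src: str
    dst: str
    src_port: int
    dst_port: int
    payload: bytes


def decode_b64_data(record: dict) -> Optional[bytes]:
    """Decode the record's 'b64_data' field (assumed name); None if absent or not valid base64."""
    b64 = record.get("b64_data")
    if not b64:
        return None
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_eth_ip_tcp(buf: bytes) -> Optional[PseudoPacket]:
    """Dissect eth -> ip4/ip6 -> tcp; return None if the bytes are not such a frame."""
    if len(buf) < ETH_HDR_LEN:
        return None
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", buf[:ETH_HDR_LEN])
    off = ETH_HDR_LEN
    if ethertype == ETHERTYPE_IP4:
        if len(buf) < off + 20 or (buf[off] >> 4) != 4:
            return None
        ihl = (buf[off] & 0x0F) * 4          # header length in bytes (IHL is in 32-bit words)
        if ihl < 20 or len(buf) < off + ihl:
            return None
        proto = buf[off + 9]
        src = ipaddress.ip_address(buf[off + 12:off + 16])
        dst = ipaddress.ip_address(buf[off + 16:off + 20])
        version, off = 4, off + ihl
    elif ethertype == ETHERTYPE_IP6:
        if len(buf) < off + 40 or (buf[off] >> 4) != 6:
            return None
        proto = buf[off + 6]                 # Next Header (extension headers not handled here)
        src = ipaddress.ip_address(buf[off + 8:off + 24])
        dst = ipaddress.ip_address(buf[off + 24:off + 40])
        version, off = 6, off + 40
    else:
        return None
    if proto != IPPROTO_TCP or len(buf) < off + 20:
        return None
    sport, dport = struct.unpack("!HH", buf[off:off + 4])
    data_off = (buf[off + 12] >> 4) * 4      # TCP data offset, in bytes
    if data_off < 20 or len(buf) < off + data_off:
        return None
    return PseudoPacket(version, str(src), str(dst), sport, dport, buf[off + data_off:])


def summarize_alerts(ndjson_text: str) -> List[dict]:
    """One summary dict per input line; malformed lines are reported, not fatal."""
    out = []
    for lineno, line in enumerate(ndjson_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            out.append({"line": lineno, "error": "malformed json"})
            continue
        summary = {"line": lineno, "rule": rec.get("rule"), "msg": rec.get("msg"), "packet": None}
        raw = decode_b64_data(rec)
        if raw is None:
            summary["data"] = "none" if "b64_data" not in rec else "invalid base64"
        else:
            pkt = parse_eth_ip_tcp(raw)
            summary["data"] = "packet" if pkt else "buffer"
            summary["packet"] = pkt
        out.append(summary)
    return out


def build_sample_eth_ip4_tcp(payload: bytes) -> bytes:
    """Constructed eth:ip4:tcp frame for testing (checksums left at zero)."""
    eth = struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IP4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return eth + ip4 + tcp


SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\n"
# Constructed alert lines: a wire-packet event, a buffer-only event, an event with no data,
# an event with corrupt base64, and a line that is not JSON at all.
SAMPLE_ALERT_LINES = "\n".join([
    json.dumps({"rule": "1:1000001:1", "msg": "SAMPLE web request", "proto": "TCP",
                "src_ap": "10.0.0.1:40000", "dst_ap": "192.0.2.10:80",
                "b64_data": base64.b64encode(build_sample_eth_ip4_tcp(SAMPLE_PAYLOAD)).decode()}),
    json.dumps({"rule": "1:1000002:1", "msg": "SAMPLE dechunked body",
                "b64_data": base64.b64encode(b"Host: example.test\r\nDechunked body").decode()}),
    json.dumps({"rule": "1:1000003:1", "msg": "SAMPLE no data"}),
    json.dumps({"rule": "1:1000004:1", "msg": "SAMPLE bad base64", "b64_data": "!!!not-base64!!!"}),
    "{this is not json",
])

if __name__ == "__main__":
    for s in summarize_alerts(SAMPLE_ALERT_LINES):
        print(s)
```

The dissector deliberately refuses anything that is not plain eth:ip:tcp (no VLAN tags, tunnels or IPv6 extension headers), which matches the thread's description of the Snort 3 pseudo-packet; if a consumer also has to handle full-encapsulation wire packets, a real packet library is the better tool.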

