Snort mailing list archives

Re: Read and parse Snort3 unified2 file


From: "Russ Combs \(rucombs\) via Snort-devel" <snort-devel () lists snort org>
Date: Sun, 21 Jul 2019 15:34:43 +0000

You must set this to true:


* bool unified2.legacy_events = false: generate Snort 2.X style events for barnyard2 compatibility

You can always develop your own log processor.  In that case you might want to try the csv or json loggers instead.  
They can include the packet data in base64.

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Aden Snort via Snort-devel <snort-devel () lists snort org>
Reply-To: Aden Snort <adensnort () gmail com>
Date: Thursday, July 18, 2019 at 8:27 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Read and parse Snort3 unified2 file

Hi,
Currently I am reading Snort 2.x unified2 files using Barnyard2.
Now I want to use the Snort3 beta version. My question is: can I still use Barnyard2 to read Snort3 unified2 files,
or are there other ways? Also, can we develop our own program to read Snort3 unified2 files?

Regards,
Aden Mehmud


_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
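The second option in the reply above (write your own log processor against the json logger and take the packet bytes from its base64 field) as an added example; this is not code from the thread or from the Snort project. It assumes an alert_json configuration such as `alert_json = { file = true, fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action msg b64_data' }` in snort.lua, with one JSON object per line and `b64_data` carrying the base64-encoded packet (the exact field set is an assumption; check `snort --help-module alert_json` on your build). The log lines below are constructed for the example, including one deliberately malformed line to show that the reader reports bad records instead of dying on them, and one record whose decoded packet length disagrees with `pkt_len`.

```python
import base64
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the style of Snort 3's alert_json output (newline-
# delimited JSON). Made up for this example, not captured from Snort; the
# rule string is "gid:sid:rev" and b64_data is assumed to be the packet bytes.
SAMPLE_LOG = "\n".join([
    json.dumps({"timestamp": "07/21-15:34:43.000001", "pkt_num": 1,
                "proto": "TCP", "pkt_gen": "raw", "pkt_len": 12, "dir": "C2S",
                "src_ap": "10.0.0.5:51234", "dst_ap": "10.0.0.9:80",
                "rule": "1:1000001:2", "action": "allow",
                "msg": "EXAMPLE http probe",
                "b64_data": base64.b64encode(b"GET / HTTP/1").decode()}),
    json.dumps({"timestamp": "07/21-15:34:44.000002", "pkt_num": 2,
                "proto": "UDP", "pkt_gen": "raw", "pkt_len": 4, "dir": "S2C",
                "src_ap": "[2001:db8::1]:53", "dst_ap": "[2001:db8::7]:40000",
                "rule": "1:1000002:1", "action": "block", "msg": "EXAMPLE dns",
                "b64_data": base64.b64encode(b"\x00\x01\x02\x03").decode()}),
    "this line is not json",                       # constructed corruption
    json.dumps({"timestamp": "07/21-15:34:45.000003", "pkt_num": 3,
                "proto": "TCP", "pkt_gen": "raw", "pkt_len": 99, "dir": "C2S",
                "src_ap": "10.0.0.5:51235", "dst_ap": "10.0.0.9:80",
                "rule": "1:1000001:2", "action": "allow", "msg": "EXAMPLE",
                "b64_data": base64.b64encode(b"short").decode()}),  # pkt_len lies
])


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    proto: str
    src_addr: str
    src_port: Optional[int]
    dst_addr: str
    dst_port: Optional[int]
    action: str
    msg: str
    packet: bytes


def split_ap(ap: str) -> Tuple[str, Optional[int]]:
    """Split an 'addr:port' pair; rpartition keeps IPv6 colons in the address."""
    host, sep, port = ap.rpartition(":")
    if not sep:
        return ap, None
    return host.strip("[]"), int(port)


def parse_rule(rule: str) -> Tuple[int, int, int]:
    """'gid:sid:rev' -> (gid, sid, rev); raises ValueError on anything else."""
    parts = rule.split(":")
    if len(parts) != 3:
        raise ValueError(f"bad rule id {rule!r}")
    gid, sid, rev = (int(p) for p in parts)
    return gid, sid, rev


def parse_record(obj: dict) -> Alert:
    gid, sid, rev = parse_rule(obj["rule"])
    src, sport = split_ap(obj.get("src_ap", ""))
    dst, dport = split_ap(obj.get("dst_ap", ""))
    # validate=True rejects junk that a lenient decoder would silently drop
    packet = base64.b64decode(obj["b64_data"], validate=True) if obj.get("b64_data") else b""
    if packet and "pkt_len" in obj and len(packet) != int(obj["pkt_len"]):
        raise ValueError(f"pkt_num {obj.get('pkt_num')}: b64_data is "
                         f"{len(packet)} bytes but pkt_len says {obj['pkt_len']}")
    return Alert(obj.get("timestamp", ""), gid, sid, rev, obj.get("proto", ""),
                 src, sport, dst, dport, obj.get("action", ""),
                 obj.get("msg", ""), packet)


def read_alerts(text: str) -> Tuple[List[Alert], List[str]]:
    """Parse newline-delimited alert_json text; bad lines are reported, not fatal."""
    alerts: List[Alert] = []
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(parse_record(json.loads(line)))  # JSONDecodeError is a ValueError
        except (ValueError, KeyError, TypeError) as exc:
            errors.append(f"line {lineno}: {exc}")
    return alerts, errors


def count_by_sid(alerts: List[Alert]) -> dict:
    counts: dict = {}
    for a in alerts:
        counts[(a.gid, a.sid)] = counts.get((a.gid, a.sid), 0) + 1
    return counts


if __name__ == "__main__":
    ok, bad = read_alerts(SAMPLE_LOG)
    for a in ok:
        print(f"{a.timestamp} {a.gid}:{a.sid}:{a.rev} {a.proto} "
              f"{a.src_addr}:{a.src_port} -> {a.dst_addr}:{a.dst_port} "
              f"{a.action} {a.msg!r} payload={a.packet!r}")
    for e in bad:
        print("skipped:", e)
```

In production, read the real file with `open(path)` and feed its contents to `read_alerts`; if you tail a live log, expect a partial trailing line and retry it on the next read rather than treating it as corrupt. The `pkt_len` cross-check is the cheap integrity test a custom processor should keep, since a mismatch means either the log was truncated mid-record or the packet field was altered on the way to you.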
