[Dshield] Perhaps someone on this list can help me out.

John Sage jsage at finchhaven.com
Tue Oct 8 16:49:26 GMT 2002


John:

I'd suggest that you take this line of questions off to the snort list
to get some accurate answers.

See:

http://lists.sourceforge.net/lists/listinfo/snort-users

Unified is *very* different from the previous -b binary logging mode.


On Mon, Oct 07, 2002 at 05:14:01PM -0400, Manuel Lanctot wrote:
> On Monday 07 October 2002 02:26 pm, John Draper wrote:
> > >John Draper wrote:
> > >
> > >I am not sure if _Unified_ Binary output is the same as binary output, if
> > >not please ignore this/flame me, whichever you consider most appropriate.
> > >
> > >but binary output (obtained by "snort -l <log_directory> -b"), logs
> > >everything to a single file (maybe this is where the "unified" comes
> > > from?) in a format that tcpdump understands...
> >
> > Right - I got that part,  but nobody can tell me if this Unified Binary is
> > the same as regular binary,  or what the differences are.
> >
> > John
> 
> From what I know, it's the same thing as 'binary output' (everything in the same file).
> And you don't need tcpdump to read it, just do [snort -r <output binary file>]. 
> Anyway, it's the same, just a fancier name.

This is not true at all: Unified is hardly "..the same, just a fancier
name.."

The unified log format is new, and stable in development, as far as
snort release 1.9.0 dated 10/03/02:

"Snort 1.9.0 Released -- Thu Oct  3 17:03:59 EDT 2002

Snort 1.9.0 was released today.  This release of snort includes a
large number of enhancements and bug fixes.  If you've been tracking
rule changes, this is the first release to use the "flow" keyword.
Chris will be sending a detailed changelog to the mailing lists, so
keep an eye out for his email."


Unified is intended to become the primary logging format for use by
the new Barnyard tool, and others.

To quote:

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.10

"2.5.10  Unified

The unified output plugin is designed to be the fastest possible method
of logging Snort events. It logs events into an alert file and a packet
log file. The alert file contains the high-level details of an event
(ips, protocol, port, message id). The log file contains the detailed
packet information (a packet dump with the associated event id ).

Both portions of the files are written in a binary format described
in spo_unified.h. Barnyard, when available, will incorporate the
current output plugins into a new architecture so that logging.

The Unified-output format will soon become the standard method of
logging Snort data for sensors that have high amounts of
activity. Snort will focus only on collecting data in realtime
while Barnyard will allow complex logging methods that would otherwise
diminish sensor effectiveness..."


Barnyard (barnyard-0.1.0-rc3) *is* currently available, see:

http://www.snort.org/dl/barnyard/



- John
-- 
"Broken pipe"

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
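As an added example (not part of this thread, and not Snort's or Barnyard's own code): a small Python reader for the libpcap (tcpdump) file format that `snort -l <log_directory> -b` writes, plus a check that tells such a file apart from anything that lacks the pcap magic, such as the unified alert and log files whose record layout lives in spo_unified.h and is not reproduced here. The two-packet capture it parses is constructed in memory.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple
# Constructed example: snort "-b" writes the libpcap (tcpdump) file format, so a
# -b log is recognisable by its 4-byte magic; unified files carry no such magic.
PCAP_MAGIC = 0xA1B2C3D4

@dataclass
class PcapRecord:
    ts_sec: int
    ts_usec: int
    incl_len: int  # bytes stored in the file (capped by snaplen)
    orig_len: int  # bytes seen on the wire
    data: bytes

def pcap_byte_order(data: bytes) -> str:
    """Return '<' or '>' for the file's byte order, or '' if not pcap."""
    if len(data) < 24:
        return ""
    for order in ("<", ">"):
        if struct.unpack(order + "I", data[:4])[0] == PCAP_MAGIC:
            return order
    return ""

def classify_snort_log(data: bytes) -> str:
    """Tell a tcpdump-format '-b' log apart from anything else (e.g. unified)."""
    return "pcap" if pcap_byte_order(data) else "not-pcap"

def parse_pcap(data: bytes) -> Tuple[dict, List[PcapRecord]]:
    """Parse the 24-byte global header and the 16-byte per-packet headers."""
    order = pcap_byte_order(data)
    if not order:
        raise ValueError("not a libpcap file: no pcap magic in first 4 bytes")
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"truncated or corrupt record at offset {off - 16}")
        records.append(PcapRecord(ts_sec, ts_usec, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return header, records

def build_sample_pcap() -> bytes:
    """Constructed two-packet capture (linktype 1 = Ethernet), little-endian."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1514, 1)
    pkts = [(1033746000, 0, b"\xaa" * 60), (1033746001, 500000, b"\xbb" * 42)]
    body = b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p for s, u, p in pkts)
    return hdr + body
```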
