Snort mailing list archives

Re: Snort syslog message format


From: Erek Adams <erek () snort org>
Date: Wed, 8 Jan 2003 11:36:16 -0500 (EST)

On Tue, 7 Jan 2003, Douglas Corner wrote:

Is there documentation describing what is posted to syslog?  There seem to
be several message formats, one for when rules fire and different formats
for pre-processors.  I am doing some programming to process Snort syslog
messages and would like to be precise and complete.

Well, the only real docs on that are the source.

And yes, there are 'different formats'.  Many moons ago there was no real
format for the output from plugins.  That's starting to become more and
more standardized.

Keep in mind the basic format is the same:  [xx:yyy:zz] <message>
Where xx is the Generator ID (GID), yyy is the Snort ID (SID), and zz is
the Revision of the SID.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
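The `[xx:yyy:zz] <message>` layout Erek describes is enough to build a first-pass parser for the kind of syslog processing the original question asked about. The following is an added example, not code from the thread or from the Snort project: it extracts the GID, SID and revision from a syslog line, keeps the remainder as the message, and treats anything without that prefix (startup notices, plugin output in an older format) as "unparsed" rather than guessing. The sample log lines are constructed for the example; the rule numbers, hostnames and addresses in them are not taken from any real deployment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The "[gid:sid:rev] <message>" prefix from the post. Syslog prepends its own
# timestamp, hostname and program tag (e.g. "snort[4242]:"), so the prefix is
# searched for anywhere in the line instead of being anchored at column 0.
_EVENT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s*(.*)$")


@dataclass(frozen=True)
class SnortEvent:
    gid: int        # Generator ID: which rule engine / preprocessor produced the event
    sid: int        # Snort ID: the rule (or preprocessor event) number within that generator
    rev: int        # Revision of the SID
    message: str    # Everything after the "[gid:sid:rev]" prefix, whitespace trimmed

    @property
    def rule_key(self) -> Tuple[int, int]:
        """(gid, sid) identifies the rule; rev only changes when the rule is edited."""
        return (self.gid, self.sid)


def parse_snort_syslog(line: str) -> Optional[SnortEvent]:
    """Return a SnortEvent for a line carrying the [gid:sid:rev] prefix, else None."""
    m = _EVENT_RE.search(line.rstrip("\r\n"))
    if m is None:
        return None
    gid, sid, rev, msg = m.groups()
    return SnortEvent(int(gid), int(sid), int(rev), msg.strip())


def split_events(lines: List[str]) -> Tuple[List[SnortEvent], List[str]]:
    """Separate lines that match the basic format from those that do not.

    Keeping the non-matching lines (rather than silently dropping them) is the
    practical answer to the 'several formats' problem: they can be reviewed
    later and a second parser written once their shape is known.
    """
    parsed: List[SnortEvent] = []
    unparsed: List[str] = []
    for line in lines:
        event = parse_snort_syslog(line)
        if event is None:
            unparsed.append(line)
        else:
            parsed.append(event)
    return parsed, unparsed


def count_by_generator(lines: List[str]) -> Dict[int, int]:
    """How many parsed events each Generator ID produced."""
    counts: Dict[int, int] = {}
    for event in split_events(lines)[0]:
        counts[event.gid] = counts.get(event.gid, 0) + 1
    return counts


# Constructed sample input (not a real capture): one rule alert, one event in a
# different generator, and one informational line without the prefix.
SAMPLE_LINES = [
    "Jan  7 10:15:01 sensor1 snort[4242]: [1:1000001:3] LOCAL test rule "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 10.0.0.5:51234 -> 10.0.0.9:80",
    "Jan  7 10:15:02 sensor1 snort[4242]: [116:3:1] (snort_decoder) WARNING: constructed decoder message",
    "Jan  7 10:15:03 sensor1 snort[4242]: Initialization Complete",
]


if __name__ == "__main__":
    events, leftovers = split_events(SAMPLE_LINES)
    for ev in events:
        print(f"gid={ev.gid} sid={ev.sid} rev={ev.rev} msg={ev.message!r}")
    for line in leftovers:
        print(f"unparsed: {line!r}")
    print(count_by_generator(SAMPLE_LINES))
```

The regex deliberately matches only the numeric `[n:n:n]` triple, so bracketed fields that appear later in a message (the classification and priority in the first sample line) stay inside `message` instead of being mistaken for the prefix; a second pass can pick those apart once the specific format of each generator is confirmed from the source, as the reply suggests.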



