Snort mailing list archives

Re: Process Snort alerts on real time


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 22 Feb 2017 06:49:25 -0700

On Wed, 2017-02-22 at 12:22 +0000, Nora Aron wrote:
http://seclists.org/snort/2017/q1/11
Thanks Marcin, 
Yes, that is great for static logs. But unfortunately my problem is
not the same as in that thread, unless there is something that I
misunderstood.
I also could obtain the content of the packet in hexadecimal from
u2spewfoo (after parsing it).
But u2spewfoo is only for static logs as well. So I am trying to use
the SpoolEventReader from idstools, which provides you real-time
events, already converted to a readable format. The problem is that
this tool provides the packet info in some kind of raw binary that I
don't know how to process.
I add an extract as an example:
\x00!\xd7j\xe4\x00RT\x00\xfc\xa9\xf6

I could use both u2spewfoo or the combination of tools you proposed
if I had the event in unified2 from SpoolEventReader, but this is not
the case.

Thanks
Use Barnyard2 to process the u2 files, or take a look at the alert_full
method.
James
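One way to turn that raw packet field into something readable, as an added example that is not code from this thread, from Snort or from idstools: the 12 bytes quoted above read as the start of an Ethernet frame (destination MAC 00:21:d7:6a:e4:00, source MAC 52:54:00:fc:a9:f6), so a small struct-based decoder plus a hex dump gives roughly the view u2spewfoo prints. The sample frame below is constructed: its first 12 bytes are the quoted extract, everything after them (EtherType, IPv4 header, TCP SYN) is hand-built for the example. The decode_record wrapper assumes the reader hands you a dict with "data", "linktype" and "event-id" keys; check the idstools documentation for the exact field names. Only Ethernet (DLT 1) frames are decoded, and the link type is checked rather than assumed, because unified2 records carry whatever DLT Snort was sniffing on.

```python
import struct

# Constructed sample frame. The first 12 bytes are exactly the extract quoted
# in the thread; the EtherType, IPv4 and TCP headers that follow are hand-built
# for this example and are not taken from any real capture.
SAMPLE_FRAME = (
    b"\x00!\xd7j\xe4\x00RT\x00\xfc\xa9\xf6"          # dst MAC 00:21:d7:6a:e4:00, src MAC 52:54:00:fc:a9:f6
    + b"\x08\x00"                                      # EtherType 0x0800 = IPv4
    + bytes.fromhex("4500 0028 0001 0000 4006 aec2"    # IPv4: v4/IHL 5, total len 40, TTL 64, proto 6 (TCP), checksum
                    "c0a8 0164 0a00 0001")             # src 192.168.1.100, dst 10.0.0.1
    + bytes.fromhex("d431 0050 0000 0001 0000 0000"    # TCP: sport 54321, dport 80, seq 1, ack 0
                    "5002 ffff 0000 0000")             # data offset 5, flags SYN, window 65535
)

DLT_EN10MB = 1  # libpcap link type for Ethernet
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def hexdump(data, width=16):
    """Return classic offset / hex / ASCII dump lines for raw bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def ipv4_checksum_ok(header):
    """True if the one's-complement sum over the header (checksum field included) is all ones."""
    if len(header) % 2:
        header += b"\x00"
    s = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s == 0xFFFF


def decode_frame(data, linktype=DLT_EN10MB):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers from raw packet bytes into a dict."""
    if linktype != DLT_EN10MB:
        raise ValueError(f"unsupported link type {linktype}; only Ethernet is decoded here")
    if len(data) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    out = {"dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": ethertype}
    if ethertype != 0x0800:           # ARP, IPv6, VLAN-tagged, ...: leave the rest raw
        out["payload"] = data[14:]
        return out
    ip = data[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    out.update(src_ip=_ip(sip), dst_ip=_ip(dip), ttl=ttl, ip_proto=proto,
               ip_checksum_ok=ipv4_checksum_ok(ip[:ihl]))
    # Trust total_len only as far as the captured bytes go: logged packets may be truncated.
    l4 = ip[ihl:min(total_len, len(ip))]
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        doff = (off_flags >> 12) * 4
        flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
        out.update(proto="TCP", sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, payload=l4[doff:])
    elif proto == 17 and len(l4) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        out.update(proto="UDP", sport=sport, dport=dport, payload=l4[8:ulen])
    else:
        out.update(proto=str(proto), payload=l4)
    return out


def decode_record(record):
    """Decode a unified2 packet record as a dict. Assumed shape (check the idstools
    docs): 'data' holds the raw bytes, 'linktype' the DLT, 'event-id' the event number."""
    decoded = decode_frame(record["data"], record.get("linktype", DLT_EN10MB))
    decoded["event_id"] = record.get("event-id")
    decoded["hexdump"] = hexdump(record["data"])
    return decoded


if __name__ == "__main__":
    rec = decode_record({"event-id": 7, "linktype": DLT_EN10MB, "data": SAMPLE_FRAME})
    print("\n".join(rec.pop("hexdump")))
    for k, v in rec.items():
        print(f"{k:>15}: {v}")
```

In a real consumer you would call decode_record on each packet record the spool reader yields and correlate it with the preceding event record by event id; the hex dump lines are what to log if you only want the same output u2spewfoo gives.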


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!