Comments (3)
A better tool to verify the sensor_id would be Snort's own u2spewfoo. In all my logs, both u2spewfoo and u2json show a sensor_id of 0. I suspect that Barnyard2 is altering this value in some way, or the field you are seeing in the Dashboard is a different sensor id.
I believe the Barnyard database output will create new sensor IDs in the database in an incrementing fashion to distinguish between the different sensors logging to the database. This is outside the scope of a unified2 log file though.
from py-idstools.
In case anyone is curious and to clarify:
- sensor id is a part of the Unified2 file format and it is in the packet and IDS events, see: http://manual.snort.org/node44.html
- another project offered a clue for handling/setting sensor id, see the "Examples" section in readme at: https://github.com/mephux/unified2
... makes sense ... as these are set in the barnyard2 conf file and it appears barnyard2 just uses the last digits of the "interface" value for the "sensor id" (sid ?)
from py-idstools.
Yeah, I was curious that there wasn't a Snort command line option or config option to set that sensor_id value in the unified2 file. Could be useful I suppose.
from py-idstools.
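The thread turns on where sensor_id lives in a Unified2 file. The example below is an added illustration, not code from py-idstools, Snort or barnyard2: it walks the type/length record stream, decodes the two record types that carry a sensor_id (IPv4 IDS event, type 7, and packet, type 2, laid out as in the Snort manual's Unified2 chapter), counts the sensor_ids seen, and rewrites the field in a copy of the file. The rewrite is a hypothetical post-processing step, since the thread notes Snort has no option to set the value itself; the sample bytes are constructed inline and carry sensor_id 0, as the thread observed in real logs.

```python
import socket
import struct
from collections import Counter

# Record type codes from the Unified2 spec (Snort manual, "Unified2 File Format").
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # IPv4 IDS event, format version 1

RECORD_HDR = struct.Struct("!II")          # type, length (network byte order)
IDS_EVENT_V1 = struct.Struct("!11I2H4B")   # 52-byte IPv4 event body
PACKET_HDR = struct.Struct("!7I")          # 28 bytes preceding the packet bytes

IDS_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                    "signature_id", "generator_id", "signature_revision",
                    "classification_id", "priority_id", "ip_source", "ip_destination",
                    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def iter_records(data):
    """Yield (record_type, payload) for every record in a Unified2 byte string.

    A header whose length runs past the end of the buffer is treated as a
    truncated (still-being-written) tail and parsing stops there.
    """
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        start = off + RECORD_HDR.size
        if start + rlen > len(data):
            break
        yield rtype, data[start:start + rlen]
        off = start + rlen


def decode(rtype, payload):
    """Decode the record types that carry a sensor_id; pass others through untouched."""
    if rtype == UNIFIED2_IDS_EVENT and len(payload) >= IDS_EVENT_V1.size:
        rec = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT_V1.unpack_from(payload)))
        rec["ip_source"] = socket.inet_ntoa(struct.pack("!I", rec["ip_source"]))
        rec["ip_destination"] = socket.inet_ntoa(struct.pack("!I", rec["ip_destination"]))
        rec["kind"] = "event"
        return rec
    if rtype == UNIFIED2_PACKET and len(payload) >= PACKET_HDR.size:
        rec = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(payload)))
        rec["data"] = payload[PACKET_HDR.size:PACKET_HDR.size + rec["packet_length"]]
        rec["kind"] = "packet"
        return rec
    return {"kind": "other", "record_type": rtype, "payload": payload}


def sensor_id_histogram(data):
    """Count how many event/packet records carry each sensor_id."""
    return Counter(rec["sensor_id"]
                   for rtype, payload in iter_records(data)
                   for rec in [decode(rtype, payload)] if "sensor_id" in rec)


def rewrite_sensor_id(data, new_id):
    """Hypothetical post-processing step: copy `data` with sensor_id set to `new_id`
    in every event and packet record. sensor_id is the first uint32 of both bodies,
    so only those 4 bytes change; other record types are copied as-is and a
    truncated tail (see iter_records) is dropped."""
    out = bytearray()
    for rtype, payload in iter_records(data):
        body = bytearray(payload)
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_PACKET) and len(body) >= 4:
            struct.pack_into("!I", body, 0, new_id)
        out += RECORD_HDR.pack(rtype, len(body)) + body
    return bytes(out)


def build_sample():
    """Constructed sample file: one IPv4 event with sensor_id 0 and its packet record."""
    event = IDS_EVENT_V1.pack(
        0, 1, 1700000000, 123456,      # sensor_id, event_id, event_second, event_microsecond
        1000001, 1, 1, 3, 2,           # signature_id, generator_id, sig_rev, classification, priority
        0x0A000001, 0xC0A80001,        # 10.0.0.1 -> 192.168.0.1
        40000, 80, 6,                  # sport, dport, protocol (TCP)
        0, 0, 0)                       # impact_flag, impact, blocked
    pkt_bytes = b"\x45\x00\x00\x28" + b"\x00" * 36   # placeholder 40-byte IPv4+TCP header
    packet = PACKET_HDR.pack(0, 1, 1700000000, 1700000000, 123456, 1, len(pkt_bytes)) + pkt_bytes
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    sample = build_sample()
    print("sensor_ids before:", dict(sensor_id_histogram(sample)))
    print("sensor_ids after: ", dict(sensor_id_histogram(rewrite_sensor_id(sample, 3))))
```

On a real file, `sensor_id_histogram(open(path, "rb").read())` shows whether every record carries 0, which is the check the thread was doing by hand with u2spewfoo and u2json. Records of other types (IPv6, VLAN, MPLS, extra data) also start with sensor_id but are passed through undecoded here.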
Related Issues (20)
- appStats u2 can't work
- Bug: Multiple instances of rule options fields clobber eachother
- Recent versions of Snort unified2 not supported.
- Feature Request: ability to parse the source, destination, protocol using dictionary.
- SoolRecordReader stop working
- eve2pcap.py fails with IPv6 addresses
- python2-scapy as pkg dependency
- Connection with suricata-update
- Coverting packets object to pcap file
- Feature request: mutate metadata key value pairs
- Add .md5 extension between URL's filename and its parameters
- Provide option for idstools-u2eve to reload sid-msg.map after updating sid-msg.map contents.
- Unified2 Event Types mpls, vlan, and appid not included in u2eve output
- u2json event.appid output is in byte format and mangled
- Tests fail with python 3.11
- Rule parsing fails if last option doesn't close with semi-colon
- memory usage increase issue
- New release to support python 3.13
- Wrong parsing of pcre and possibly others
- Invalid issue