Comments (6)
First, I did question storing the raw binary bytes, thinking they might be useful at some point down the road, but I do not think they are useful for throwing into a database.
This is not really a problem with idstools, but more of a problem that the JSON encoder doesn't know how to handle the data. The YAML encoder, however, does: it appears to recognize the data as binary and base64-encodes it before writing out to the YAML.
Is there some encoding/decoding/formatting of the "*_raw" fields I should do before trying to index them?
Personally I'd remove the fields before JSON encoding them, or convert them to base64.
from py-idstools.
Sorry to be a bother again, but would you have a list of fields which have "raw binary" so I could ignore them? Or is there a Python way to detect a binary ... my Python skills are not great.
From looking at packet.py my list so far is:
- tcp_options_raw
- ip_options_raw
- ip6_source_raw
- ip6_destination_raw
- ["packets"]["data"] (the payload data), which is saved as base64, and also saved with unprintable chars removed
I'm just trying to ensure the daemon stays up/running and that it doesn't miss any events ... missing fields are ok.
from py-idstools.
Personally I would construct a new intermediary object where you assemble the data that will be serialized into JSON. This should prevent any surprises like new fields being added to the decoders that may not be JSON friendly by default.
from py-idstools.
Thanks for the suggestion, but I'm also trying to keep the code simple, small, and as fast as possible to keep up with snort. I guess any field derived from an ".unpack" statement within idstools is a possible problem for serialization, so I will just git clone and search for unpack.
from py-idstools.
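The three points raised above (the JSON encoder choking on raw bytes, wanting a way to detect binary fields rather than maintaining a list of them, and building an intermediary object so new decoder fields cannot surprise the daemon) can be handled by one pre-serialization pass. The following is an added example written for this page, not py-idstools code: it walks a decoded event, base64-encodes any bytes value (or drops "*_raw" keys), and raises on any type json cannot represent, so an unexpected field fails loudly at encode time instead of killing the daemon later. The SAMPLE_EVENT dict and its field names are constructed for illustration and do not claim to match the real decoder output.

```python
import base64
import json
from typing import Any

# Constructed stand-in for a decoded unified2 event: ints, strings, nested
# dicts/lists and raw byte fields. Names mirror the "*_raw" fields listed in
# the thread; the values are made up for this example.
SAMPLE_EVENT = {
    "signature-id": 2100498,
    "protocol": 6,
    "source-ip": "192.0.2.10",
    "tcp_options_raw": b"\x02\x04\x05\xb4\x01\x03\x03\x07",
    "ip6_source_raw": b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01",
    "packets": [
        {"data": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n\x00\xff",
         "length": 40},
    ],
}


def to_json_safe(obj: Any, drop_raw: bool = False) -> Any:
    """Return a copy of obj that json.dumps can serialise.

    bytes/bytearray/memoryview become base64 text; with drop_raw=True,
    keys ending in "_raw" are omitted instead. Containers are walked
    recursively. Any other type raises TypeError so that a new, non-JSON
    decoder field is noticed immediately rather than silently mangled.
    """
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            if drop_raw and isinstance(k, str) and k.endswith("_raw"):
                continue
            out[str(k)] = to_json_safe(v, drop_raw)
        return out
    if isinstance(obj, (list, tuple)):
        return [to_json_safe(v, drop_raw) for v in obj]
    if isinstance(obj, (bytes, bytearray, memoryview)):
        return base64.b64encode(bytes(obj)).decode("ascii")
    if obj is None or isinstance(obj, (bool, int, float, str)):
        return obj
    raise TypeError(f"unsupported type for JSON: {type(obj).__name__}")


class BytesEncoder(json.JSONEncoder):
    """Alternative: let json.dumps itself base64 bytes via default()."""

    def default(self, o):
        if isinstance(o, (bytes, bytearray, memoryview)):
            return base64.b64encode(bytes(o)).decode("ascii")
        return super().default(o)


def event_to_json(event: dict, drop_raw: bool = False) -> str:
    """Serialise via the explicit intermediary object."""
    return json.dumps(to_json_safe(event, drop_raw), sort_keys=True)


def event_to_json_via_default(event: dict) -> str:
    """Serialise via the encoder subclass; same output for the same input."""
    return json.dumps(event, cls=BytesEncoder, sort_keys=True)


if __name__ == "__main__":
    try:
        json.dumps(SAMPLE_EVENT)
    except TypeError as e:
        print("plain json.dumps fails:", e)
    print(event_to_json(SAMPLE_EVENT))
    print(event_to_json(SAMPLE_EVENT, drop_raw=True))
```

The explicit walk is the safer of the two for a long-running daemon: the encoder subclass only fixes bytes, while to_json_safe rejects anything else new (a custom object, a set) at the point where it is cheapest to log and skip the event.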
I didn't want to open a new issue, but I'm seeing this message sometimes:
"Discarding non-event type while not in event context."
... what does this mean?
I can't tell from looking at the add function in unified2.py.
Thanks.
from py-idstools.
A unified file is made up of records, where a record can be an event, a packet or extra data.
Some unified2 files do not start with an event record, but instead start with a packet or extra data record. As we don't have an event to associate these records with, they are discarded.
The process is, read event records, read the following packet and extra data records and associate them with the event. When a new event record is seen, flush the previous event with its associated data.
I believe this is seen as Snort will roll over unified2 log files based on size, and it must be checking after each record, instead of after each event. So you can end up with the event records at the end of one file, and its packets and extra data in the new file.
The SpoolEventReader is the workaround for this. It's meant to be used with a spool directory that Snort is logging to, using unified2 files with a timestamp suffix. It uses a cache (much like Barnyard2, I believe) to associate records at the start of one file with an event that started in a previous file.
from py-idstools.
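To make the "event context" rule concrete, here is an added simulation written for this page (it is not the logic from unified2.py, only an illustration of the process described in the reply above). Records are modelled as (type, payload) tuples rather than real unified2 binary, and the two constructed "files" reproduce the rollover case: FILE_A ends with an event record whose packet and extra-data records land at the start of FILE_B. Reading each file with a fresh context discards those leading records, which is exactly when the "Discarding non-event type while not in event context" message would fire; carrying one context across files, as a spool reader does, keeps them attached to their event.

```python
from collections import namedtuple

# Constructed record stream; real unified2 records are binary. The three
# types mirror the kinds named in the reply: event, packet, extra.
Record = namedtuple("Record", "type payload")

FILE_A = [Record("event", "ev1"), Record("packet", "pkt1a"),
          Record("event", "ev2")]                    # ev2 opened, file rolls over
FILE_B = [Record("packet", "pkt2a"), Record("extra", "xd2"),   # belong to ev2
          Record("event", "ev3"), Record("packet", "pkt3a")]


class EventAggregator:
    """Attach packet/extra records to the most recent event record.

    An event record opens a context; following packet and extra records
    are attached to it; the next event record (or close()) flushes it.
    Records seen while no event is open are discarded and counted.
    """

    def __init__(self):
        self.current = None   # the open event, or None
        self.flushed = []     # completed events in order
        self.discarded = 0    # non-event records seen outside a context

    def add(self, rec):
        if rec.type == "event":
            self._flush()
            self.current = {"event": rec.payload, "packets": [], "extra": []}
        elif self.current is None:
            # "Discarding non-event type while not in event context."
            self.discarded += 1
        elif rec.type == "packet":
            self.current["packets"].append(rec.payload)
        elif rec.type == "extra":
            self.current["extra"].append(rec.payload)
        else:
            raise ValueError(f"unknown record type {rec.type!r}")

    def _flush(self):
        if self.current is not None:
            self.flushed.append(self.current)
            self.current = None

    def close(self):
        """Flush the open event (end of input) and return all events."""
        self._flush()
        return self.flushed


def read_per_file(files):
    """Fresh context per file: leading non-event records are lost."""
    events, discarded = [], 0
    for recs in files:
        agg = EventAggregator()
        for r in recs:
            agg.add(r)
        events.extend(agg.close())
        discarded += agg.discarded
    return events, discarded


def read_spooled(files):
    """One context carried across files, the way a spool reader caches."""
    agg = EventAggregator()
    for recs in files:
        for r in recs:
            agg.add(r)
    return agg.close(), agg.discarded


if __name__ == "__main__":
    for name, fn in (("per-file", read_per_file), ("spooled", read_spooled)):
        events, discarded = fn([FILE_A, FILE_B])
        print(name, "discarded:", discarded)
        for ev in events:
            print("  ", ev)
```

The per-file reader still emits ev2, just with no packets, so a pipeline that counts events alone will not notice the loss; counting discarded records (or watching for that log message) is the signal that files are being read independently when they should be spooled.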