Friday, November 21, 2008

Snort Report 21 Posted

My 21st Snort Report, titled Understanding Snort's Unified2 output, has been posted. From the article:

Welcome to the 21st edition of the Snort Report! In July 2007 I described Snort's Unified output, first released in July 2001 with Snort 1.8.0. Unified output allows Snort to write sets of data to a sensor's hard drive. Writing to the hard drive, instead of performing database inserts, allows Snort to operate faster and minimize packet loss.

Unified2 output first appeared in Snort 2.8.0, released in September 2007.

I came across this comparison of the Unified and Unified2 formats at SecurixLive.com but didn't get to include it in my article.

If you're worried about the Barnyard2 implementation at SecurixLive having licensing issues, the author is addressing those as we speak; he did not intend to cause any trouble. So, I am looking forward to seeing greater adoption of Unified2 formats once solutions like those in my article are tested.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

1 comment:

firnsy said...

G'day Richard and readers,

We've had a very hectic 10 days of coding and have finally arrived at a GPLv2 complete copy of barnyard2.

It's based almost entirely on Snort 2.8.3.1 for packet processing and plugin architecture. With the addition of an intelligent spooler with bookmarking support, the new barnyard2 picks up where the old one left off, plus a few extra paces.

Please direct any comments, queries or flames our way.

Regards,
Firnsy