5.3 Unified2 File Format

Unified 2 records should not be assumed to be in any order. All values are stored in network byte order.

An example structure of unified2 files

    [ Serial Unified2 Header    ]
    [ Unified2 IDS Event        ]
    [ Unified2 Packet           ]
    [ Unified2 Extra Data       ]
    .
    .
    .
    [ Serial Unified2 Header    ]
    [ Unified2 IDS Event        ]
    [ Unified2 Packet           ]
    [ Unified2 Extra Data       ]

5.3.1 Serial Unified2 Header

    record type             4 bytes
    record length           4 bytes

All unified2 records are preceded by a Serial Unified2 header. This header allows an interpreting application to skip past records it does not need (or does not understand) and to apply simple heuristics, such as filtering by record type, against records.

The Record Type indicates one of the following unified2 records follows the Serial Unified2 Header:

    Value           Record Type
    ----------      -----------
    2               Unified2 Packet
    7               Unified2 IDS Event
    72              Unified2 IDS Event IP6
    104             Unified2 IDS Event      (Version 2)
    105             Unified2 IDS Event IP6  (Version 2)
    110             Unified2 Extra Data

The record length field specifies the entire length of the record (not including the Serial Unified2 Header itself) up to the next Serial Unified2 Header or EOF.

5.3.2 Unified2 Packet

    sensor id               4 bytes
    event id                4 bytes
    event seconds           4 bytes
    packet seconds          4 bytes
    packet microseconds     4 bytes
    linktype                4 bytes
    packet length           4 bytes
    packet data             <variable length>

A Unified2 Packet is provided with each Unified2 Event record. This packet is the 'alerting' packet that caused a given event.

Unified2 Packet records contain a copy of the packet that caused an alert (Packet Data); the copy is packet length octets long.

5.3.3 Unified2 IDS Event

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    event microsecond       4 bytes
    signature id            4 bytes
    generator id            4 bytes
    signature revision      4 bytes
    classification id       4 bytes
    priority id             4 bytes
    ip source               4 bytes
    ip destination          4 bytes
    source port/icmp type   2 bytes
    dest. port/icmp code    2 bytes
    protocol                1 byte
    impact flag             1 byte
    impact                  1 byte
    blocked                 1 byte

Unified2 IDS Event is logged for IPv4 Events without VLAN or MPLS tagging.

5.3.4 Unified2 IDS Event IP6

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    event microsecond       4 bytes
    signature id            4 bytes
    generator id            4 bytes
    signature revision      4 bytes
    classification id       4 bytes
    priority id             4 bytes
    ip source               16 bytes
    ip destination          16 bytes
    source port/icmp type   2 bytes
    dest. port/icmp code    2 bytes
    protocol                1 byte
    impact flag             1 byte
    impact                  1 byte
    blocked                 1 byte

Unified2 IDS Event IP6 is logged for IPv6 Events without VLAN or MPLS tagging.

5.3.5 Unified2 IDS Event (Version 2)

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    event microsecond       4 bytes
    signature id            4 bytes
    generator id            4 bytes
    signature revision      4 bytes
    classification id       4 bytes
    priority id             4 bytes
    ip source               4 bytes
    ip destination          4 bytes
    source port/icmp type   2 bytes
    dest. port/icmp code    2 bytes
    protocol                1 byte
    impact flag             1 byte
    impact                  1 byte
    blocked                 1 byte
    mpls label              4 bytes
    vlan id                 2 bytes
    padding                 2 bytes

Unified2 IDS Event (Version 2) is logged for IPv4 packets which contain either MPLS or VLAN headers. Otherwise a Unified2 IDS Event is logged.

Note:
  • Note that you'll need to pass --enable-mpls to configure in order to have Snort fill in the mpls label field.

  • Note that you'll need to configure unified2 logging with either mpls_event_types or vlan_event_types to get this record type.

5.3.6 Unified2 IDS Event IP6 (Version 2)

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    event microsecond       4 bytes
    signature id            4 bytes
    generator id            4 bytes
    signature revision      4 bytes
    classification id       4 bytes
    priority id             4 bytes
    ip source               16 bytes
    ip destination          16 bytes
    source port/icmp type   2 bytes
    dest. port/icmp code    2 bytes
    protocol                1 byte
    impact flag             1 byte
    impact                  1 byte
    blocked                 1 byte
    mpls label              4 bytes
    vlan id                 2 bytes
    padding                 2 bytes

Unified2 IDS Event IP6 (Version 2) is logged for IPv6 packets which contain either MPLS or VLAN headers. Otherwise a Unified2 IDS Event IP6 is logged.

Note:
  • Note that you'll need to pass --enable-mpls to configure in order to have Snort fill in the mpls label field.

  • Note that you'll need to configure unified2 logging with either mpls_event_types or vlan_event_types to get this record type.

5.3.7 Unified2 Extra Data

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    type                    4 bytes
    data type               4 bytes
    data length             4 bytes
    data                    <variable length>
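The layouts in 5.3.1 through 5.3.7 are enough to write a reader, and a reader is the quickest way to see how the pieces fit: the Serial Unified2 Header's record length is the only thing that lets a consumer bound each record and skip types it does not know, the fixed-size event layouts must match their record length exactly, and packets are tied to events by (sensor id, event id) rather than by position, which is what "records should not be assumed to be in any order" means in practice. The following is an added example, not Snort's own code or any of its tools: the function names (u2_records, correlate, build_sample), the handling of a truncated tail as an error, and the sample stream (constructed by hand, with a text payload standing in for a captured frame) are this example's assumptions.

```python
"""Unified2 reader: walks the Serial Unified2 Header chain, decodes the record
layouts in 5.3.1 to 5.3.7, and joins packets to events.  Added example, not
Snort's code; the function names and the sample stream are this example's own."""
import ipaddress
import struct
from collections import defaultdict

# Record type values from the Serial Unified2 Header table (5.3.1).
U2_PACKET, U2_IDS_EVENT, U2_IDS_EVENT_IP6 = 2, 7, 72
U2_IDS_EVENT_V2, U2_IDS_EVENT_IP6_V2, U2_EXTRA_DATA = 104, 105, 110
_EVENT_TYPES = {U2_IDS_EVENT, U2_IDS_EVENT_IP6, U2_IDS_EVENT_V2, U2_IDS_EVENT_IP6_V2}

# Every field is network byte order, hence the '!' prefix.
_HDR = struct.Struct("!II")      # record type, record length
_PACKET = struct.Struct("!7I")   # sensor id .. packet length, then packet data
_EXTRA = struct.Struct("!6I")    # sensor id .. data length, then data
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision", "classification_id",
                 "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
                 "protocol", "impact_flag", "impact", "blocked", "mpls_label", "vlan_id", "padding")

def event_format(rtype):
    """struct format for the four IDS Event layouts (5.3.3 to 5.3.6)."""
    ip6 = rtype in (U2_IDS_EVENT_IP6, U2_IDS_EVENT_IP6_V2)
    v2 = rtype in (U2_IDS_EVENT_V2, U2_IDS_EVENT_IP6_V2)
    return "!9I" + ("16s16s" if ip6 else "4s4s") + "HHBBBB" + ("IHH" if v2 else "")

def parse_event(body, rtype):
    fmt = event_format(rtype)
    if len(body) != struct.calcsize(fmt):   # fixed-size record: length must match exactly
        raise ValueError(f"type {rtype} event body is {len(body)} bytes, layout needs {struct.calcsize(fmt)}")
    rec = dict(zip(_EVENT_FIELDS, struct.unpack(fmt, body)))   # zip drops the v2 names for v1
    for k in ("ip_source", "ip_destination"):
        rec[k] = str(ipaddress.ip_address(rec[k]))   # packed bytes -> dotted/colon text
    return rec

def _fixed(body, st, names):
    """Unpack the fixed header st from body; return (fields, trailing bytes)."""
    if len(body) < st.size:
        raise ValueError(f"record body of {len(body)} bytes is shorter than its fixed header")
    return dict(zip(names, st.unpack_from(body))), body[st.size:]

def parse_packet(body):
    rec, data = _fixed(body, _PACKET, ("sensor_id", "event_id", "event_second", "packet_second",
                                       "packet_microsecond", "linktype", "packet_length"))
    if len(data) != rec["packet_length"]:   # inner length must agree with the outer record length
        raise ValueError("packet length field disagrees with record length")
    rec["packet_data"] = data
    return rec

def parse_extra_data(body):
    rec, data = _fixed(body, _EXTRA, ("sensor_id", "event_id", "event_second",
                                      "type", "data_type", "data_length"))
    rec["data"] = data   # sliced by the outer record length, never by data_length alone
    return rec

def u2_records(buf):
    """Return [(record type, parsed record)] for a whole unified2 byte string."""
    out, off = [], 0
    while off + _HDR.size <= len(buf):
        rtype, rlen = _HDR.unpack_from(buf, off)
        start, end = off + _HDR.size, off + _HDR.size + rlen
        if end > len(buf):   # truncated tail, e.g. a record the sensor is still writing
            raise ValueError(f"record at offset {off} runs {end - len(buf)} bytes past EOF")
        body = buf[start:end]
        if rtype in _EVENT_TYPES:
            rec = parse_event(body, rtype)
        elif rtype == U2_PACKET:
            rec = parse_packet(body)
        elif rtype == U2_EXTRA_DATA:
            rec = parse_extra_data(body)
        else:
            rec = {"raw": body}   # unknown type: the record length lets us skip it
        out.append((rtype, rec))
        off = end
    return out

def correlate(records):
    """Group packets and extra data under their event by (sensor id, event id);
    the join is by key, not by position, so stream order does not matter."""
    events, attached = {}, defaultdict(list)
    for rtype, rec in records:
        if "sensor_id" not in rec:
            continue
        key = (rec["sensor_id"], rec["event_id"])
        if rtype in _EVENT_TYPES:
            events[key] = rec
        else:
            attached[key].append((rtype, rec))
    return {k: (ev, attached[k]) for k, ev in events.items()}

def build_sample():
    """Constructed stream (not a real capture): the packet for event 42 precedes
    its event record, then a Version 2 IPv4 event (type 104) carrying VLAN 100."""
    payload = b"GET / HTTP/1.1\r\n"   # stand-in for a captured frame
    pkt = _PACKET.pack(1, 42, 1700000000, 1700000000, 123456, 1, len(payload)) + payload
    ev = struct.pack(event_format(U2_IDS_EVENT), 1, 42, 1700000000, 123456, 1000001, 1, 3, 29, 2,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]), 54321, 80, 6, 0, 0, 0)
    ev2 = struct.pack(event_format(U2_IDS_EVENT_V2), 1, 43, 1700000001, 0, 1000002, 1, 1, 29, 2,
                      bytes([10, 0, 0, 6]), bytes([192, 168, 1, 10]), 40000, 443, 6, 0, 0, 0,
                      0, 100, 0)   # mpls label, vlan id, padding
    return (_HDR.pack(U2_PACKET, len(pkt)) + pkt + _HDR.pack(U2_IDS_EVENT, len(ev)) + ev
            + _HDR.pack(U2_IDS_EVENT_V2, len(ev2)) + ev2)

if __name__ == "__main__":
    for key, (ev, extras) in correlate(u2_records(build_sample())).items():
        print(key, ev["ip_source"], "->", ev["ip_destination"], f"{len(extras)} attached")
```

Two choices are worth noting. Every slice is bounded by the outer record length, and the packet record's own packet length is checked against it, so a malformed or hostile length field cannot make the reader read past a record or out of the buffer. A stream whose last header claims more bytes than remain is reported rather than silently dropped: on a live sensor that is the normal state of a file still being written, and a spooling reader would wait and retry at that offset instead of treating it as corruption.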

5.3.8 Description of Fields