Document toolbox

ids.snort

Owned by Juan Tomás Alonso Nieto (Deactivated), created

Aug 21, 2023

1 min read

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with ids.snort identify events generated by Snort.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as ids.snort. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Snort Intrusion Detection	`ids.snort.unified2`	`ids.snort.unified2`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in this table:

ids.snort.unified2

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
sensor	`str`		vmachine
linktype	`int4`
pktSec	`int4`
pktUSec	`int4`
pktMicros	`int8`	`int8(pktSec) * 1000000 + pktUSec`	pktSec pktUSec
pktDate	`timestamp`	`timestamp(pktMicros / 1000)`	pktMicros
pktLen	`int4`
srcmac	`str`	`str(ethersrc(pcp))`	pcp
dstmac	`str`		pcp
ttl	`int4`		pcp
ds	`int4`		pcp
ip4flags	`int4`		pcp
tcpflags	`int4`		pcp
srcPort	`int4`		pcp
dstPort	`int4`		pcp
tcpPayload	`str`		dstPort srcPort pcp
pkt	`str`
protocol	`int4`
srcIp	`ip4`
dstIp	`ip4`
recordTypeName	`str`
priorityId	`int4`
eventId	`int4`
impact	`int4`
signatureRevision	`int4`
generatorId	`int4`
blocked	`int4`
dp	`int4`
classificationId	`int4`
eventSecond	`int4`
sp	`int4`
sensorId	`int4`
tvUSec	`int4`
msgLen	`int4`
signatureId	`str`
pktAction	`str`
unknown	`str`
hostchain	`str`
tag	`str`			✓