
Barnyard2 and snort++ get errors about snort3 (CLOSED)

snort3 commented on June 26, 2024
Barnyard2 and snort++ get errors


Comments (4)

snortadmin commented on June 26, 2024


troptop commented on June 26, 2024

I checked the unified2 output format between snort2 and snort3 and there is a difference:

SNORT 3:
(Event)
Snort ID: 0 Event ID: 536 Seconds: 1501690577.646865
Policy ID: Context: 0 Inspect: 0 Detect: 0
Rule 1:1288:16 Class: 27 Priority: 2
MPLS Label: 0 VLAN ID: 0 IP Version: 0x44 IP Proto: 6
Src IP: 192.168.2.98 Port: 36708
Dst IP: 10.33.128.217 Port: 80
App Name: none
Status: allow Action: pass

Packet
sensor id: 0 event id: 536 event second: 1501690577
packet second: 1501690577 packet microsecond: 646865
linktype: 1 packet_length: 227

SNORT 2:
(Event)
sensor id: 0 event id: 424 event second: 1501003311 event microsecond: 982977
sig id: 33 gen id: 119 revision: 1 classification: 2
priority: 3 ip source: 10.33.129.180 ip destination: 10.33.129.197
src port: 38931 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 424 event second: 1501003311
packet second: 1501003311 packet microsecond: 982977
linktype: 1 packet_length: 577

As you can see, the (Event) sections are different.
Is there any way to change the output format in snort3?

Thank you


troptop commented on June 26, 2024

I am using snorby. I am looking for a Web interface to plug to snort3 to get the alerts graphically.
Do you know one?

Thank you

Cyril


snortadmin commented on June 26, 2024

Check the additional downloads on snort.org to see what else is available, but nothing that supports snort3 AFAIK.

Since I haven't heard anything from the barnyard2 groups, I've resurrected the old unified2 logger as unified2x in the extras. You will need to build and install the extras and use --plugin-path to point to the installed plugins and then add unified2x = { } (or however you configure it) to your snort.lua. The existing unified2 logger will only generate newer events so you must use unified2x instead.

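As an added illustration (not code from this issue, nor from the Snort or barnyard2 projects) of why a legacy reader fails on the "newer events" mentioned above: the record-type-driven walk below decodes the two legacy unified2 record types barnyard2 understands, the 52-byte IDS event (type 7) and the packet record (type 2), as laid out in barnyard2's unified2.h, and reports any other record type as unknown instead of decoding it. The sample stream is constructed from the Snort 2 (Event) values in troptop's post; type 99 is a placeholder for a record type the reader does not know, not the actual Snort 3 event type.

```python
import socket
import struct
# Legacy unified2 record types as defined in barnyard2's unified2.h.
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
HDR = struct.Struct(">II")             # record type, record length (network order)
IDS_EVENT = struct.Struct(">11I2H4B")  # 52-byte legacy IDS event body (type 7)
PKT_HDR = struct.Struct(">7I")         # 28-byte fixed part of a packet record (type 2)
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond", "sig_id",
                "gen_id", "revision", "classification", "priority", "ip_source",
                "ip_destination", "src_port", "dest_port", "protocol", "impact_flag",
                "impact", "blocked")
PKT_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
              "packet_microsecond", "linktype", "packet_length")

def parse_ids_event(body):
    ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
    for key in ("ip_source", "ip_destination"):  # uint32 -> dotted quad
        ev[key] = socket.inet_ntoa(struct.pack(">I", ev[key]))
    return ev

def parse_packet(body):
    pkt = dict(zip(PKT_FIELDS, PKT_HDR.unpack_from(body)))
    pkt["data"] = body[PKT_HDR.size:PKT_HDR.size + pkt["packet_length"]]
    return pkt

def parse_records(data):
    # Walk the stream like a legacy reader: types it does not know get a None body.
    records, off = [], 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        body = data[off + HDR.size:off + HDR.size + rlen]
        if len(body) != rlen:
            raise ValueError(f"truncated record at offset {off}")
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            records.append((rtype, parse_ids_event(body)))
        elif rtype == UNIFIED2_PACKET:
            records.append((rtype, parse_packet(body)))
        else:
            records.append((rtype, None))
        off += HDR.size + rlen
    return records

def build_sample():
    # Constructed stream: the Snort 2 event from the post, a packet record, and a
    # record of a type the legacy reader does not know (type 99 is a placeholder).
    ip = lambda s: struct.unpack(">I", socket.inet_aton(s))[0]
    ev = IDS_EVENT.pack(0, 424, 1501003311, 982977, 33, 119, 1, 2, 3, ip("10.33.129.180"),
                        ip("10.33.129.197"), 38931, 80, 6, 0, 0, 0)
    frame = bytes.fromhex("064271e1475f060025d4850508004500")  # first 16 bytes of the dump
    pkt = PKT_HDR.pack(0, 424, 1501003311, 1501003311, 982977, 1, len(frame)) + frame
    return (HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev + HDR.pack(UNIFIED2_PACKET, len(pkt))
            + pkt + HDR.pack(99, 16) + b"\x00" * 16)
```

Running parse_records(build_sample()) decodes the first two records into the same field values the Snort 2 (Event) and Packet output above shows, and returns the third with a None body, which is the situation a legacy consumer is in when it meets a record type it was never taught.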
