
How to get the VLAN ID in snort alert?

I am trying to parse snort alerts and filter necessary information such as the vlan id a malicious internal machine belongs to! However, I can only get the message and the source and destination IPs; I need to get the VLAN ID too.

Thanks

(Assuming you're using Unified2 log format)

You can get the VLAN ID logged by using the vlan_event_types parameter when specifying the alert configuration:

output alert_unified2: \
    filename <base filename> [, <limit <size in MB>] [, nostamp] [, mpls_event_types] \
    [, vlan_event_types]

When enabled and the packet contains a VLAN header, the log item will contain the following record, which carries the vlan id:

E. Unified2 IDS Event (Version 2)

    sensor id                4 bytes
    event id                 4 bytes
    event second             4 bytes
    event microsecond        4 bytes
    signature id             4 bytes
    generator id             4 bytes
    signature revision       4 bytes
    classification id        4 bytes
    priority id              4 bytes
    ip source                4 bytes
    ip destination           4 bytes
    source port/icmp type    2 bytes
    dest. port/icmp code     2 bytes
    protocol                 1 byte
    impact flag              1 byte
    impact                   1 byte
    blocked                  1 byte
    mpls label               4 bytes
    vlan id                  2 bytes
    padding                  2 bytes

Unified2 IDS Event (Version 2) records are logged for IPv4 packets which contain either MPLS or VLAN headers. Otherwise a Unified2 IDS Event is logged.

  • Note that you'll need to pass --enable-mpls to configure in order to have Snort fill in the mpls label field.

  • Note that you'll need to configure unified2 logging with either mpls_event_types or vlan_event_types to get this record type.

[https://www.snort.org/faq/readme-unified2]
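As an added example (not code from the question, the answer, or Snort itself), here is a small Python parser that walks a Unified2 record stream and decodes the Version 2 event layout shown in the answer, so the vlan id can be pulled out next to the source IP. It assumes the record type codes from Snort's Unified2_common.h (7 for the Version 1 event, 104 for the Version 2 event with VLAN/MPLS fields, 2 for packet records), which the answer does not list, and the sample stream at the bottom is constructed inline rather than captured from a sensor. Version 1 events come back with vlan_id set to None, which is what you will see for alerts logged before vlan_event_types was enabled or for packets without a VLAN header.

```python
"""Parse a Snort Unified2 stream and pull the VLAN ID out of Version 2
IDS event records. Added example; not code from the page or from Snort."""
import socket
import struct
from typing import Dict, List, Optional

# Record type codes as defined in Snort's Unified2_common.h (assumed here;
# the page itself does not list them).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # Version 1 event: no mpls label / vlan id
UNIFIED2_IDS_EVENT_VLAN = 104   # Version 2 event: layout shown in the answer

# Every record starts with a big-endian (type, length) header.
RECORD_HEADER = struct.Struct("!II")
# Field layout from the answer's "Unified2 IDS Event (Version 2)" table:
# 11 x 4-byte ids, 2 x 2-byte ports, 4 x 1-byte flags, mpls label, vlan id, padding.
EVENT_V2 = struct.Struct("!11I2H4BIHH")   # 60 bytes
EVENT_V1 = struct.Struct("!11I2H4B")      # 52 bytes, same prefix
FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "source_port", "dest_port", "protocol", "impact_flag", "impact",
    "blocked", "mpls_label", "vlan_id", "padding",
)


def _ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def parse_unified2(data: bytes) -> List[dict]:
    """Decode IDS events from the record stream; other record types
    (packets, extra data, IPv6 events) are skipped. A record whose body is
    shorter than its declared length raises ValueError rather than being
    silently misread."""
    events = []
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        body = data[offset:offset + length]
        if len(body) != length:
            raise ValueError(f"truncated record at offset {offset}")
        offset += length
        if rtype == UNIFIED2_IDS_EVENT_VLAN and length >= EVENT_V2.size:
            ev = dict(zip(FIELDS, EVENT_V2.unpack_from(body)))
            ev["vlan_id"] &= 0x0FFF   # 802.1Q VLAN IDs are 12 bits
        elif rtype == UNIFIED2_IDS_EVENT and length >= EVENT_V1.size:
            ev = dict(zip(FIELDS, EVENT_V1.unpack_from(body)))
            ev["mpls_label"] = None   # Version 1 carries neither field
            ev["vlan_id"] = None
        else:
            continue
        ev["ip_source"] = _ip(ev["ip_source"])
        ev["ip_destination"] = _ip(ev["ip_destination"])
        ev.pop("padding", None)
        events.append(ev)
    return events


def vlan_by_source(data: bytes) -> Dict[str, Optional[int]]:
    """Map each alerting source IP to the VLAN it was seen on (None when the
    event was logged as Version 1)."""
    return {ev["ip_source"]: ev["vlan_id"] for ev in parse_unified2(data)}


# --- constructed sample stream (not real Snort output) ---------------------
def _record(rtype: int, body: bytes) -> bytes:
    return RECORD_HEADER.pack(rtype, len(body)) + body


def _event(src: str, dst: str, sig_id: int, vlan_id: Optional[int]) -> bytes:
    s = struct.unpack("!I", socket.inet_aton(src))[0]
    d = struct.unpack("!I", socket.inet_aton(dst))[0]
    common = (1, 1, 0, 0, sig_id, 1, 1, 0, 1, s, d, 44321, 445, 6, 0, 0, 0)
    if vlan_id is None:
        return _record(UNIFIED2_IDS_EVENT, EVENT_V1.pack(*common))
    return _record(UNIFIED2_IDS_EVENT_VLAN, EVENT_V2.pack(*common, 0, vlan_id, 0))


SAMPLE_STREAM = (
    _event("10.0.5.23", "203.0.113.9", 1000001, 105)
    + _event("10.0.7.4", "203.0.113.9", 1000001, None)
    + _record(UNIFIED2_PACKET, b"\x00" * 40)          # skipped by the parser
    + _event("10.0.9.1", "198.51.100.20", 1000002, 200)
)

if __name__ == "__main__":
    for src, vlan in vlan_by_source(SAMPLE_STREAM).items():
        print(f"{src:<12} vlan={vlan}")
```

Run it against a real file with `parse_unified2(open("snort.u2.<timestamp>", "rb").read())`; the sensor and event ids and the 12-bit VLAN mask are the parts to sanity-check against your own captures, since the struct layout above is taken directly from the answer's table.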
