Unified2 records should not be assumed to be in any order. All values are stored in network byte order.
An example structure of unified2 files:
[ Serial Unified2 Header ]
[ Unified2 IDS Event ]
[ Unified2 Packet ]
[ Unified2 Extra Data ]
.
.
.
[ Serial Unified2 Header ]
[ Unified2 IDS Event ]
[ Unified2 Packet ]
[ Unified2 Extra Data ]
Serial Unified2 Header

    record type       4 bytes
    record length     4 bytes

All unified2 records are preceded by a Serial Unified2 Header. This header allows an interpreting application to skip past records and to apply simple heuristics against them.
The Record Type indicates which of the following unified2 records follows the Serial Unified2 Header:

    Value      Record Type
    ---------- -----------
    2          Unified2 Packet
    7          Unified2 IDS Event
    72         Unified2 IDS Event IP6
    104        Unified2 IDS Event (Version 2)
    105        Unified2 IDS Event IP6 (Version 2)
    110        Unified2 Extra Data

The Record Length field specifies the entire length of the record (not including the Serial Unified2 Header itself), that is, the number of bytes up to the next Serial Unified2 Header or EOF.
Unified2 Packet

    sensor id             4 bytes
    event id              4 bytes
    event seconds         4 bytes
    packet seconds        4 bytes
    packet microseconds   4 bytes
    linktype              4 bytes
    packet length         4 bytes
    packet data           <variable length>

A Unified2 Packet is provided with each Unified2 Event record. This packet is the 'alerting' packet that caused the event.
Unified2 Packet records contain a copy of the packet that caused an alert (Packet Data), which is Packet Length octets long.
Unified2 IDS Event

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    event microsecond       4 bytes
    signature id            4 bytes
    generator id            4 bytes
    signature revision      4 bytes
    classification id       4 bytes
    priority id             4 bytes
    ip source               4 bytes
    ip destination          4 bytes
    source port/icmp type   2 bytes
    dest. port/icmp code    2 bytes
    protocol                1 byte
    impact flag             1 byte
    impact                  1 byte
    blocked                 1 byte

Unified2 IDS Event is logged for IPv4 events without VLAN or MPLS tagging.
Unified2 IDS Event IP6

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    event microsecond       4 bytes
    signature id            4 bytes
    generator id            4 bytes
    signature revision      4 bytes
    classification id       4 bytes
    priority id             4 bytes
    ip source               16 bytes
    ip destination          16 bytes
    source port/icmp type   2 bytes
    dest. port/icmp code    2 bytes
    protocol                1 byte
    impact flag             1 byte
    impact                  1 byte
    blocked                 1 byte

Unified2 IDS Event IP6 is logged for IPv6 events without VLAN or MPLS tagging.
Unified2 IDS Event (Version 2)

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    event microsecond       4 bytes
    signature id            4 bytes
    generator id            4 bytes
    signature revision      4 bytes
    classification id       4 bytes
    priority id             4 bytes
    ip source               4 bytes
    ip destination          4 bytes
    source port/icmp type   2 bytes
    dest. port/icmp code    2 bytes
    protocol                1 byte
    impact flag             1 byte
    impact                  1 byte
    blocked                 1 byte
    mpls label              4 bytes
    vlan id                 2 bytes
    padding                 2 bytes

Unified2 IDS Event (Version 2) is logged for IPv4 packets which contain either MPLS or VLAN headers. Otherwise a Unified2 IDS Event is logged.
Unified2 IDS Event IP6 (Version 2)

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    event microsecond       4 bytes
    signature id            4 bytes
    generator id            4 bytes
    signature revision      4 bytes
    classification id       4 bytes
    priority id             4 bytes
    ip source               16 bytes
    ip destination          16 bytes
    source port/icmp type   2 bytes
    dest. port/icmp code    2 bytes
    protocol                1 byte
    impact flag             1 byte
    impact                  1 byte
    blocked                 1 byte
    mpls label              4 bytes
    vlan id                 2 bytes
    padding                 2 bytes

Unified2 IDS Event IP6 (Version 2) is logged for IPv6 packets which contain either MPLS or VLAN headers. Otherwise a Unified2 IDS Event IP6 is logged.
Unified2 Extra Data

    sensor id       4 bytes
    event id        4 bytes
    event second    4 bytes
    type            4 bytes
    data type       4 bytes
    data length     4 bytes
    data            <variable length>
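The record layouts above are enough to write a reader. The following Python parser is an added example, not code from the Snort project or from this manual: it walks a buffer one Serial Unified2 Header at a time, dispatches on the record type, unpacks the four IDS Event layouts (7, 72, 104, 105), the Packet record and the Extra Data record exactly as this page gives them (every value big-endian, the data length counting only the data bytes), bounds every variable-length copy by the record length, and skips record types it does not decode by using the record length. The sample bytes are constructed by hand, and the record type 9999 in them is a made-up value used only to show skipping.

```python
import struct
from typing import Iterator, List, Tuple

# Record types from the Serial Unified2 Header table on this page.
UNIFIED2_PACKET = 2
UNIFIED2_EXTRA_DATA = 110

# All values are in network byte order, so every layout is big-endian ("!").
SERIAL_HEADER = struct.Struct("!II")          # record type, record length
PACKET_HEADER = struct.Struct("!IIIIIII")     # 28 bytes, then packet data
EXTRA_DATA_HEADER = struct.Struct("!IIIIII")  # 24 bytes, then data

EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
V2_FIELDS = ("mpls_label", "vlan_id", "padding")

# IDS Event layouts: nine 4-byte ids/timestamps, then IPv4 (4-byte) or IPv6
# (16-byte) addresses, two 2-byte port fields and four 1-byte flags. The
# Version 2 records append mpls label, vlan id and 2 bytes of padding.
_V4 = "I" * 9 + "II" + "HH" + "BBBB"
_V6 = "I" * 9 + "16s16s" + "HH" + "BBBB"
EVENT_LAYOUTS = {
    7:   (struct.Struct("!" + _V4), EVENT_FIELDS),                      # IDS Event
    72:  (struct.Struct("!" + _V6), EVENT_FIELDS),                      # IDS Event IP6
    104: (struct.Struct("!" + _V4 + "IHH"), EVENT_FIELDS + V2_FIELDS),  # IDS Event (Version 2)
    105: (struct.Struct("!" + _V6 + "IHH"), EVENT_FIELDS + V2_FIELDS),  # IDS Event IP6 (Version 2)
}
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")
EXTRA_FIELDS = ("sensor_id", "event_id", "event_second", "type", "data_type", "data_length")


def _variable(body: bytes, header: struct.Struct, names: Tuple[str, ...], blob: str) -> dict:
    """Unpack a fixed header whose last field is the length of the blob that follows it."""
    if len(body) < header.size:
        raise ValueError(f"{blob} record shorter than its header")
    fields = dict(zip(names, header.unpack_from(body)))
    blob_len = fields[names[-1]]
    if header.size + blob_len > len(body):
        # A length larger than the record would otherwise read into the next record.
        raise ValueError(f"{blob} length {blob_len} exceeds record length {len(body)}")
    fields[blob] = body[header.size:header.size + blob_len]
    return fields


def iter_records(buf: bytes) -> Iterator[Tuple[int, dict]]:
    """Yield (record type, fields) for each record in a unified2 buffer.

    Record types this parser does not decode are skipped via the record length,
    which is what the Serial Unified2 Header is there for. A record whose declared
    length runs past the end of the buffer is reported as truncated (an unfinished
    write or a corrupt file). Fewer than 8 trailing bytes (a partial header) end the walk.
    """
    offset = 0
    while offset + SERIAL_HEADER.size <= len(buf):
        rtype, rlen = SERIAL_HEADER.unpack_from(buf, offset)
        start = offset + SERIAL_HEADER.size
        body = buf[start:start + rlen]
        if len(body) != rlen:
            raise ValueError(f"truncated record of type {rtype} at offset {offset}")
        if rtype in EVENT_LAYOUTS:
            layout, names = EVENT_LAYOUTS[rtype]
            if len(body) < layout.size:
                raise ValueError(f"event record type {rtype} shorter than its layout")
            yield rtype, dict(zip(names, layout.unpack_from(body)))
        elif rtype == UNIFIED2_PACKET:
            yield rtype, _variable(body, PACKET_HEADER, PACKET_FIELDS, "packet_data")
        elif rtype == UNIFIED2_EXTRA_DATA:
            yield rtype, _variable(body, EXTRA_DATA_HEADER, EXTRA_FIELDS, "data")
        else:
            yield rtype, {"skipped": True, "record_length": rlen}
        offset = start + rlen


def parse(buf: bytes) -> List[Tuple[int, dict]]:
    """Parse a whole buffer into a list; raises ValueError on a malformed record."""
    return list(iter_records(buf))


def _record(rtype: int, body: bytes) -> bytes:
    """Prefix a record body with its Serial Unified2 Header."""
    return SERIAL_HEADER.pack(rtype, len(body)) + body


# Constructed sample (hand-made, not a capture): an IPv4 IDS Event, its packet
# (linktype 1 = DLT_EN10MB), an HTTP URI extra data record, and a made-up record
# type 9999 that a reader must skip. Event id 3<<16|42 means instance 3, event 42.
EID = (3 << 16) | 42
SAMPLE = b"".join([
    _record(7, EVENT_LAYOUTS[7][0].pack(
        0, EID, 1700000000, 123456,       # sensor, event id, second, microsecond
        1000001, 1, 2, 3, 2,              # sid, gid, rev, classification, priority
        0x0A000001, 0xC0A80001,           # 10.0.0.1 -> 192.168.0.1
        34567, 80, 6, 0, 0, 1)),          # sport, dport, tcp, impact flag, impact, blocked
    _record(UNIFIED2_PACKET, PACKET_HEADER.pack(
        0, EID, 1700000000, 1700000000, 123456, 1, 4) + b"\xde\xad\xbe\xef"),
    _record(UNIFIED2_EXTRA_DATA, EXTRA_DATA_HEADER.pack(
        0, EID, 1700000000, 9, 1, 11) + b"/index.html"),
    _record(9999, b"\x00" * 8),
])

if __name__ == "__main__":
    for rtype, fields in parse(SAMPLE):
        print(rtype, fields)
```

Two checks matter when the input is a file written by another process: the record length is compared against what is actually in the buffer before anything is unpacked, and the packet and data lengths are compared against the record length so a bad inner length cannot pull bytes from the following record.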
Description of Fields

Sensor ID: Unused.
Event ID: The upper 2 bytes represent the Snort instance, if specified by passing the -G option to Snort. The lower 2 bytes indicate the unique id of the event. The Event ID field is used to facilitate the task of coalescing events with packet data.
Event Seconds: Timestamp, represented as seconds since the epoch, of when the alert was generated.
Linktype: The datalink type of the packet, typically EN10M, but it could be any of the values returned by pcap_datalink that Snort handles.
Packet Length: Length of the Packet Data.
Packet Data: The alerting packet, Packet Length bytes long.
Type: Specifies the type of extra data that was logged. The valid types are:

    Value      Description
    ---------- -----------
    1          Original Client IPv4
    2          Original Client IPv6
    3          UNUSED
    4          GZIP Decompressed Data
    5          SMTP Filename
    6          SMTP Mail From
    7          SMTP RCPT To
    8          SMTP Email Headers
    9          HTTP URI
    10         HTTP Hostname
    11         IPv6 Source Address
    12         IPv6 Destination Address
    13         Normalized Javascript Data

Data Type: The type of extra data in the record.

    Value      Description
    ---------- -----------
    1          Blob

Data Length: Length of the data stored in the extra data record.
Data: Raw extra event data, up to Data Length bytes in size.

All of these extra data types, with the exception of 1, 2, 11 and 12 (IP addresses), are stored in plain text. The IP address types need to be interpreted as if they were coming off the wire, i.e. as raw binary addresses rather than text.
Signature ID: The Signature ID of the alerting rule, as specified by the sid keyword.
Generator ID: The Generator ID of the alerting rule, as specified by the gid keyword.
Signature Revision: Revision of the rule, as specified by the rev keyword.
Classification ID: Classification ID as mapped in the file classifications.conf.
Priority ID: Priority of the rule as mapped in the file classifications.conf, or overridden by the priority keyword for text rules.
IP Source: Source IP of the packet that generated the event.
IP Destination: Destination IP of the packet that generated the event.
Source Port/ICMP Type: If Protocol is TCP or UDP then this field contains the source port of the alerting packet. If Protocol is ICMP then this field contains the ICMP type of the alerting packet.
Dest. Port/ICMP Code: If Protocol is TCP or UDP then this field contains the destination port of the alerting packet. If Protocol is ICMP then this field contains the ICMP code of the alerting packet.
Protocol: Transport protocol of the alerting packet. One of: ip, tcp, udp, or icmp.
Impact Flag: Legacy field, specifies whether a packet was dropped or not.

    Value      Description
    ---------- -----------
    32         Blocked

Impact: UNUSED; deprecated.
Blocked: Whether the packet was not dropped, was dropped, or would have been dropped.

    Value      Description
    ---------- -----------
    0          Was NOT Dropped
    1          Was Dropped
    2          Would Have Dropped*

    * Note: You'll obtain Would Have Dropped on rules which are set to drop while Snort is running in inline-test mode. Would Have Dropped is also obtained when a drop rule fires while pruning sessions or during shutdown.

MPLS Label: The extracted MPLS label from the MPLS header in the alerting packet.
VLAN ID: The extracted VLAN id from the VLAN header in the alerting packet.
Padding: Padding is used to keep the event structures aligned on a 4 byte boundary.
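The field descriptions above are what a consumer applies once the records are decoded. The following Python helpers are an added example, not part of this manual or of Snort: they split the Event ID into Snort instance and unique id, turn Event Seconds into a UTC timestamp, name the Blocked value (and report rather than guess at values outside the documented set), render Extra Data blobs following the rule that types 1, 2, 11 and 12 are wire-format addresses while all other types are plain text, and coalesce Packet and Extra Data records with their IDS Event. The grouping key (event id together with event second), the dictionary shape of the decoded records and the sample records themselves are this example's own constructions.

```python
import ipaddress
from datetime import datetime, timezone
from typing import Dict, Iterable, Tuple

EVENT_RECORD_TYPES = {7, 72, 104, 105}   # the IDS Event record types on this page
PACKET_RECORD_TYPE = 2
EXTRA_DATA_RECORD_TYPE = 110

BLOCKED_NAMES = {0: "Was NOT Dropped", 1: "Was Dropped", 2: "Would Have Dropped"}
EXTRA_DATA_NAMES = {
    1: "Original Client IPv4", 2: "Original Client IPv6", 4: "GZIP Decompressed Data",
    5: "SMTP Filename", 6: "SMTP Mail From", 7: "SMTP RCPT To", 8: "SMTP Email Headers",
    9: "HTTP URI", 10: "HTTP Hostname", 11: "IPv6 Source Address",
    12: "IPv6 Destination Address", 13: "Normalized Javascript Data",
}
# Types whose data is a raw address "as if coming off the wire", not text.
ADDRESS_TYPES = {1: ipaddress.IPv4Address, 2: ipaddress.IPv6Address,
                 11: ipaddress.IPv6Address, 12: ipaddress.IPv6Address}


def split_event_id(event_id: int) -> Tuple[int, int]:
    """Upper 2 bytes: Snort instance (-G); lower 2 bytes: unique id of the event."""
    return (event_id >> 16) & 0xFFFF, event_id & 0xFFFF


def event_time(event_second: int, event_microsecond: int = 0) -> datetime:
    """Event Seconds are seconds since the epoch; return a timezone-aware UTC time."""
    return datetime.fromtimestamp(event_second, tz=timezone.utc).replace(
        microsecond=event_microsecond)


def blocked_name(value: int) -> str:
    """Name a Blocked value; anything outside the documented set is reported, not guessed."""
    return BLOCKED_NAMES.get(value, f"undocumented blocked value {value}")


def decode_extra_data(ed_type: int, data: bytes) -> str:
    """Render an Extra Data blob: address types are packed addresses, the rest plain text."""
    cls = ADDRESS_TYPES.get(ed_type)
    if cls is not None:
        expected = 4 if cls is ipaddress.IPv4Address else 16
        if len(data) != expected:
            raise ValueError(f"extra data type {ed_type} needs {expected} bytes, got {len(data)}")
        return str(cls(data))  # packed big-endian bytes -> dotted quad / compressed IPv6 text
    # Plain-text types: never raise on bytes that are not valid UTF-8, just mark them.
    return data.decode("utf-8", errors="replace")


def coalesce(records: Iterable[Tuple[int, dict]]) -> Dict[Tuple[int, int], dict]:
    """Group Packet and Extra Data records under the IDS Event they belong to.

    Key: (event id, event second). This example adds the second because the unique
    id is only the lower 16 bits of the event id and can wrap in a long-running file.
    """
    groups: Dict[Tuple[int, int], dict] = {}
    for rtype, fields in records:
        key = (fields["event_id"], fields["event_second"])
        group = groups.setdefault(key, {"event": None, "packets": [], "extra": []})
        if rtype in EVENT_RECORD_TYPES:
            group["event"] = fields
        elif rtype == PACKET_RECORD_TYPE:
            group["packets"].append(fields)
        elif rtype == EXTRA_DATA_RECORD_TYPE:
            group["extra"].append(fields)
    return groups


# Constructed sample records (hand-written dicts, not a capture): one IDS Event,
# its packet, an HTTP URI blob and an IPv6 Source Address blob.
EID = (3 << 16) | 42
SAMPLE_RECORDS = [
    (7, {"event_id": EID, "event_second": 1700000000, "event_microsecond": 123456,
         "signature_id": 1000001, "blocked": 2, "impact_flag": 0}),
    (2, {"event_id": EID, "event_second": 1700000000, "packet_data": b"\xde\xad\xbe\xef"}),
    (110, {"event_id": EID, "event_second": 1700000000, "type": 9, "data": b"/index.html"}),
    (110, {"event_id": EID, "event_second": 1700000000, "type": 11,
           "data": b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01"}),
]


def summarize(records: Iterable[Tuple[int, dict]]) -> Dict[str, object]:
    """Summarize the single event in a record list using the helpers above."""
    (key, group), = coalesce(records).items()   # the sample holds exactly one event
    ev = group["event"]
    instance, unique = split_event_id(ev["event_id"])
    return {
        "instance": instance,
        "unique_id": unique,
        "time": event_time(ev["event_second"], ev["event_microsecond"]).isoformat(),
        "blocked": blocked_name(ev["blocked"]),
        "packets": len(group["packets"]),
        "extra": [f'{EXTRA_DATA_NAMES[e["type"]]}={decode_extra_data(e["type"], e["data"])}'
                  for e in group["extra"]],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

The length check in decode_extra_data is the practical consequence of the page's rule: a 4-byte blob labelled as an IPv6 address, or a 16-byte blob labelled as IPv4, is malformed and is rejected instead of being printed as if it were text.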