THIS CODE IS DEPRECATED. NEWER VERSIONS CAN BE FOUND ON SNORT.ORG.
This is the current home of SnortUnified.pm
It's fully functional, and as time permits I will continue to expand its capabilities.
If you have suggestions please send them to jason [at] brvenik [dot] com or jasonb [at] sourcefire [dot] com. Testers wanted.
Download: SnortUnified_Perl.tgz

LICENSE                - The GPL.
SnortUnified.pm        - The meat of it all.
SnortUnified::Database - Database interactions.
uftester.pl            - For testing the handling of unified files.
ufdbtest.pl            - For testing the database interactions.
uf_syslog.pl           - Generate syslog output from a unified file.
uf_xml.pl              - Generate XML output from a unified file.
uf_hasher.pl           - Create a csv including an md5 hash of each record (and of the packet, for .log files).
pcaptodb.pl            - Given a pcap file, insert its packets into a BASE/ACID database as if snort had logged them.
uf_csv.pl              - Create a csv. Handles a unified file as follows:
fatboy:~/src/test/unified jbrvenik$ date; ./uf_csv.pl ./snort-unified.alert.little > ./t.out ; date
Fri Jul 28 17:13:17 EDT 2006
Fri Jul 28 17:13:38 EDT 2006
fatboy:~/src/test/unified jbrvenik$ wc t.out
155369 155369 16000324 t.out
#### That is 155368 records in ~21 sec (7398.4762 records per sec) on a PowerBook G4
The output looks like this:
fatboy:~/src/test/unified jbrvenik$ head -5 t.out
row,sig_gen,sig_id,sig_rev,class,pri,event_id,reference,tv_sec,tv_usec,tv_sec2,tv_usec2,sip,dip,sp,dp,protocol,flags
1,1,2950,2,26,3,1,1,1124501712,508840,1124501712,507466,2828995132,184454385,1205,139,6,146
2,1,2950,2,26,3,5,5,1124501719,863766,1124501719,862277,2828995085,184454385,2944,139,6,146
3,1,1801,9,28,1,13,13,1124501722,937638,1124501713,180692,183705683,184438578,3684,80,6,146
4,1,1801,9,28,1,16,16,1124501722,958066,1124501722,956814,183705683,184438578,3684,80,6,146
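The csv above is only half useful until the integer fields are turned back into something a person can read. The following Python is an added example written for this page; it is not part of SnortUnified.pm or any of the scripts listed above. It takes the header and the four rows printed by head -5 t.out (embedded inline as a constructed sample), and decodes them: sip/dip are treated as host-order 32-bit IPv4 addresses (the reading under which the sample rows land in 10.0.0.0/8, e.g. 184454385 becomes 10.254.140.241), tv_sec/tv_usec pairs become UTC timestamps, and the protocol number is looked up in a small IANA table. The function names, the protocol table and the (sid, destination) summary are this example's own choices, not anything uf_csv.pl provides.

```python
# Added example (not from SnortUnified.pm): post-process uf_csv.pl output.
# Column names come from the CSV header shown on this page; the rows are the
# four printed by `head -5 t.out`. Helper names and the protocol table are
# assumptions made for this example.
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Constructed sample: header plus the four rows from the page.
SAMPLE_CSV = """\
row,sig_gen,sig_id,sig_rev,class,pri,event_id,reference,tv_sec,tv_usec,tv_sec2,tv_usec2,sip,dip,sp,dp,protocol,flags
1,1,2950,2,26,3,1,1,1124501712,508840,1124501712,507466,2828995132,184454385,1205,139,6,146
2,1,2950,2,26,3,5,5,1124501719,863766,1124501719,862277,2828995085,184454385,2944,139,6,146
3,1,1801,9,28,1,13,13,1124501722,937638,1124501713,180692,183705683,184438578,3684,80,6,146
4,1,1801,9,28,1,16,16,1124501722,958066,1124501722,956814,183705683,184438578,3684,80,6,146
"""

# IANA protocol numbers for the values an alert file commonly carries.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def int_to_ip(n):
    """Treat the csv's integer address as a host-order IPv4 value (assumption)
    and return it as a dotted quad."""
    return str(ipaddress.IPv4Address(int(n)))


def to_iso(sec, usec):
    """Combine a tv_sec/tv_usec pair into an RFC 3339 UTC timestamp."""
    ts = datetime.fromtimestamp(int(sec), tz=timezone.utc)
    return ts.replace(microsecond=int(usec) % 1_000_000).isoformat()


def decode_row(row):
    """Decode one csv row (a dict from csv.DictReader) into readable fields."""
    proto = int(row["protocol"])
    return {
        "row": int(row["row"]),
        # gen:sid:rev is the usual way to name a Snort rule.
        "sid": f'{row["sig_gen"]}:{row["sig_id"]}:{row["sig_rev"]}',
        "class": int(row["class"]),
        "priority": int(row["pri"]),
        "event_id": int(row["event_id"]),
        "reference": int(row["reference"]),
        # First timeval pair, then the second, as they appear in the csv.
        "timestamp": to_iso(row["tv_sec"], row["tv_usec"]),
        "ref_timestamp": to_iso(row["tv_sec2"], row["tv_usec2"]),
        "src": f'{int_to_ip(row["sip"])}:{row["sp"]}',
        "dst": f'{int_to_ip(row["dip"])}:{row["dp"]}',
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "flags": int(row["flags"]),
    }


def decode_csv(text):
    """Decode a whole uf_csv.pl output file (passed as a string)."""
    return [decode_row(r) for r in csv.DictReader(io.StringIO(text))]


def summarize(events):
    """Count events per (rule, destination) pair: the quick
    'which rule fired against which host' view of an alert file."""
    counts = {}
    for e in events:
        key = (e["sid"], e["dst"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events = decode_csv(SAMPLE_CSV)
    for e in events:
        print(f'{e["timestamp"]} {e["sid"]} pri={e["priority"]} '
              f'{e["proto"]} {e["src"]} -> {e["dst"]}')
    for (sid, dst), n in sorted(summarize(events).items()):
        print(f"{n:4d} {sid} -> {dst}")
```

To run it over a real file, replace SAMPLE_CSV with the contents of t.out (decode_csv(open("t.out").read())). If a destination shows up in the summary with a count far above the rest, that is the host to look at first.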