Description of Fields

• Sensor ID

  Unused

• Event ID

  The upper 2 bytes represent the snort instance, if specified by passing the -G option to Snort.

  The lower 2 bytes indicate the unique id of the event.

  The Event ID field is used to facilitate the task of coalescing events with packet data.

• Event Seconds and Event Microseconds

  Timestamp represented as seconds since the epoch of when the alert was generated.

• Link Type (Unified2 Packet)

  The Datalink type of the packet, typically EN10M but could be any of the values as returned by pcap_datalink that Snort handles.

• Packet Length (Unified2 Packet)

  Length of the Packet Data.

• Packet Data (Unified2 Packet)

  The alerting packet, of Packet Length bytes long.

• Type (Unified2 Extra Data)

  Type specifies the type of extra data that was logged, the valid types are:

      Value           Description 
      ----------      -----------
      1               Original Client IPv4 
      2               Original Client IPv6
      3               UNUSED
      4               GZIP Decompressed Data
      5               SMTP Filename
      6               SMTP Mail From
      7               SMTP RCPT To
      8               SMTP Email Headers
      9               HTTP URI
      10              HTTP Hostname
      11              IPv6 Source Address
      12              IPv6 Destination Address
      13              Normalized Javascript Data
  

• Data Type (Unified2 Extra Data)

  The type of extra data in the record.

      Value           Description 
      ----------      -----------
      1               Blob
  

• Data Length (Unified2 Extra Data)

  Length of the data stored in the extra data record

• Data (Unified2 Extra Data)

  Raw extra event data upto Data Length bytes in size.

  All of these Extra data types, with the exception of 1, 2, 11, and 12 (IP Addresses) are stored in plain-text. The IP Address types need to be interpreted as if they were comming off the wire.

• Signature ID

  The Signature ID of the alerting rule, as specified by the sid keyword.

• Generator ID

  The Generator ID of the alerting rule, as specified by the gid keyword.

• Signature Revision

  Revision of the rule as specified by the rev keyword.

• Classification ID

  Classification ID as mapped in the file classifcations.conf

• Priority ID

  Priority of the rule as mapped in the file classifications.conf or overridden by the priority keyword for text rules.

• IP Source

  Source IP of the packet that generated the event.

• IP Destination

  Destination IP of the packet that generated the event.

• Source Port/ICMP Type

  If Protocol is TCP or UDP than this field contains the source port of the alerting packet.

  If Protocol is ICMP than this field contains the ICMP type of the alerting packet.

• Destination Port/ICMP Code

  If protocol is TCP or UDP than this field contains the source port of the alerting packet.

  If protocol is icmp than this field contains the icmp code of the alerting packet.

• Protocol

  Transport protcol of the alerting packet. One of: ip, tcp, udp, or icmp.

• Impact flag

  Legacy field, specifies whether a packet was dropped or not.

      Value           Description 
      ----------      -----------
      32              Blocked
  

• Impact

  UNUSED; deprecated.

• Blocked

  Whether the packet was not dropped, was dropped or would have been dropped.

      Value           Description 
      ----------      -----------
      0               Was NOT Dropped 
      1               Was Dropped
      2               Would Have Dropped*
  

  Note:   Note that you'll only obtain Would Have Dropped on rules which are set to drop while Snort is running in inline-test mode.

• MPLS Label (4 bytes)

  The extracted mpls label from the mpls header in the alerting packet.

• VLAN ID

  The extracted vlan id from the vlan header in the alerting packet.

• Padding

  Padding is used to keep the event structures aligned on a 4 byte boundary.