
The perl scripts have been written by Jason Brvenik:

  SnortUnified v1.4devel20060831 - Copyright (c) 2006 Jason Brvenik

This README has been written by me, Juergen Leising.


A. Changes:

The scripts have in unmodified form worked for me
- under fedora 7
- with perl-5.8.8
- with NetPacket-0.04
in terms of the syntax of perl.  However, I have not performed any tests
about the validity of each field, at all.

To get the plugin working
- under fedora 9
- with perl-5.10.0 and
- with Net::Packet-3.25
I have modified the plugin, mainly in SnortUnified/Database.pm and
pcaptodb.pl, and to a lesser extent in other files.  Notably, I have
replaced gmtime() by localtime().  The time should be inserted as
it has been received from the *.pcap or snortunified files - without
modification or conversion.



B. Usage:

I. Read in snort unified version 1 files,
   and write them

1. to stdout in CSV form (comma separated values):

  ./uf_csv.pl /tmp/snort.alert.unified.1214046468


2. to stdout in XML format:

  ./uf_xml.pl /tmp/snort.alert.unified.1214046468


3. to stdout in the form of an enumeration of all of the single fields
that have been recognized:

  ./uftester.pl /tmp/snort.alert.unified.1214046468


4. to a socket on which syslogd is listening:

  # WARNING: sid-msg.map, gen-msg.map and classification are required!
  ./uf_syslog.pl /tmp/snort.alert.unified.1214046468


5. into a mysql database as follows:

a) Preparation of a test database "snorttest" in mysql:

Interaction with a mysql database:

# As root:
mysql -p
mysql> create database snorttest;
mysql> use snorttest;
mysql> source /usr/local/src/snort-2.8.1_unpatched/schemas/create_mysql;
mysql> show tables;
mysql> set password for "snort"@"localhost" = password("snort");
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snorttest.* to "snort"@"localhost";
mysql> flush privileges;
mysql> show grants for "snort"@"localhost";
mysql> quit
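A check on the result of the grant statements above, added here as an example (it is not part of SnortUnified): it reads the output of "show grants" for the snort account and reports whether the account holds exactly CREATE, INSERT, SELECT, DELETE, UPDATE on snorttest.* and nothing else. It assumes the line format MySQL prints for "show grants"; the sample output embedded below is constructed, with a placeholder for the password hash.

```shell
#!/bin/sh
# Audit the grants given to "snort"@"localhost" in section B.I.5.a: exactly
# CREATE, INSERT, SELECT, DELETE, UPDATE on snorttest.*, and only the empty
# USAGE privilege globally. Assumes MySQL's "show grants" line format.

# Expected privileges on snorttest.*, one per line, sorted.
EXPECTED='CREATE
DELETE
INSERT
SELECT
UPDATE'

# Normalise a comma-separated privilege list: upper-case, one per line, sorted.
normalize_privs() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | tr 'a-z' 'A-Z' | sort
}

# Read "show grants" output on stdin; return 0 if every GRANT line matches.
check_snort_grants() {
    status=0
    while IFS= read -r line; do
        case $line in GRANT*) ;; *) continue ;; esac   # skip the header line
        privs=$(printf '%s\n' "$line" | sed 's/^GRANT \(.*\) ON .* TO .*$/\1/')
        target=$(printf '%s\n' "$line" | sed 's/^GRANT .* ON \(.*\) TO .*$/\1/; s/`//g')
        case $target in
            '*.*')  # global scope: only USAGE (no privilege at all) is acceptable
                [ "$privs" = "USAGE" ] || { echo "unexpected global privileges: $privs"; status=1; }
                ;;
            'snorttest.*')
                [ "$(normalize_privs "$privs")" = "$EXPECTED" ] \
                    || { echo "snorttest.* privileges differ: $privs"; status=1; }
                ;;
            *)
                echo "grant on unexpected object: $target"; status=1
                ;;
        esac
    done
    return $status
}

# Constructed sample of "show grants" output (the hash value is a placeholder).
SAMPLE_GRANTS=$(cat <<'EOF'
Grants for snort@localhost
GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '<hash>'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `snorttest`.* TO 'snort'@'localhost'
EOF
)
printf '%s\n' "$SAMPLE_GRANTS" | check_snort_grants && echo "grants match section B.I.5.a"
```

Against a live server, pipe the real output in instead of the sample: mysql -p -e 'show grants for "snort"@"localhost"' | check_snort_grants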


b) Reading a snort unified version 1 file and writing it into the
   mysql database:

  # WARNING: sid-msg.map, gen-msg.map and classification are required!
  ./ufdbtest.pl /tmp/snort.alert.unified.1214046468




II. Read in pcap files, as generated by snort via its output module
    "output log_tcpdump", and write them into the database:

1. Preparation of a test database "snorttest" in mysql:

   See above.

2. Usage:

   ./pcaptodb.pl /tmp/snort.pcap_08_06_2008_17:27:02



