https://community.cisco.com/t5/network-security/snort-and-alert-modes/m-p/5136353#M1113812 <P>Hello</P><P>At the beginning I have a lot of problem with&nbsp;information chaos with the differences between Snort 2 and Snort 3. There are plenty books and info about Snort 2, but not many about Snort 3. For example Snort 2 Manual (y. 2020) is 270 page book and but Snort 3 Manual (y. 2024) is 116 page book and there is very little info.</P><P>I can only&nbsp;guess what is the latest&nbsp;approach in using Snort 3, for example thanks to the latest videotutorials on YT.&nbsp; I really miss the forum on Snort to not making spam for example here <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>To the point, there are up-to-date such logger modules in Snort (alerts and packet logger).</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mariolak3_0-1719404339516.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/221659i5935E05EEA60E1FF/image-size/medium?v=v2&amp;px=400" role="button" title="mariolak3_0-1719404339516.png" alt="mariolak3_0-1719404339516.png" /></span></P><P>At this point, I used alert_fast, alert_full and alert_json, because I found tutorial which recomended alert_json because there is possibility to integrate this with Splunk (I found myself alert_fast and alert_full too). OK. I did that.</P><P>But, what with unified2? The old materials tell a lot about it. But now, nothing.&nbsp;</P><P>From Snort 2 manual:<BR />Unified2 can work in one of threemodes, packet logging (log_unified), alert logging (alert_unified2), or true unified logging(unified2).</P><P>In Snort 3 Manual is mentioned only about unified2.</P><P>Is unified2 mode is used by anyone? Or this is only history? Is Snort 3&nbsp;at all&nbsp;is able to use log_unified, alert_unified2 or only unified2(packet and alert)?</P> Wed, 26 Jun 2024 13:23:02 GMT mariolak3 2024-06-26T13:23:02Z https://community.cisco.com/t5/network-security/snort-and-alert-modes/m-p/5136353#M1113812 <P>Hello</P><P>At the beginning I have a lot of problem with&nbsp;information chaos with the differences between Snort 2 and Snort 3. There are plenty books and info about Snort 2, but not many about Snort 3. For example Snort 2 Manual (y. 2020) is 270 page book and but Snort 3 Manual (y. 2024) is 116 page book and there is very little info.</P><P>I can only&nbsp;guess what is the latest&nbsp;approach in using Snort 3, for example thanks to the latest videotutorials on YT.&nbsp; I really miss the forum on Snort to not making spam for example here <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>To the point, there are up-to-date such logger modules in Snort (alerts and packet logger).</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mariolak3_0-1719404339516.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/221659i5935E05EEA60E1FF/image-size/medium?v=v2&amp;px=400" role="button" title="mariolak3_0-1719404339516.png" alt="mariolak3_0-1719404339516.png" /></span></P><P>At this point, I used alert_fast, alert_full and alert_json, because I found tutorial which recomended alert_json because there is possibility to integrate this with Splunk (I found myself alert_fast and alert_full too). OK. I did that.</P><P>But, what with unified2? The old materials tell a lot about it. But now, nothing.&nbsp;</P><P>From Snort 2 manual:<BR />Unified2 can work in one of threemodes, packet logging (log_unified), alert logging (alert_unified2), or true unified logging(unified2).</P><P>In Snort 3 Manual is mentioned only about unified2.</P><P>Is unified2 mode is used by anyone? Or this is only history? Is Snort 3&nbsp;at all&nbsp;is able to use log_unified, alert_unified2 or only unified2(packet and alert)?</P> Wed, 26 Jun 2024 13:23:02 GMT https://community.cisco.com/t5/network-security/snort-and-alert-modes/m-p/5136353#M1113812 mariolak3 2024-06-26T13:23:02Z