.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH U2SPEWFOO 8 "12th December 2014"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh        disable hyphenation
.\" .hy        enable hyphenation
.\" .ad l      left justify
.\" .ad b      justify to both left and right margins
.\" .nf        disable filling
.\" .fi        enable filling
.\" .br        insert line break
.\" .sp <n>    insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
u2spewfoo \- tool for dumping the contents of unified2 files to stdout
.SH SYNOPSIS
.B u2spewfoo
.I unified2-file
.SH DESCRIPTION
This manual page documents briefly the
.B u2spewfoo
command.
This manual page was written for the Debian distribution because the
original program does not have a manual page.
.PP
.B u2spewfoo
is a lightweight tool for dumping the contents of Snort's unified2 log
files to standard output. Snort must first be configured, in its
configuration file, to log in this format. The tool reads the log file
and prints each event it contains: the event record itself (signature,
generator and classification identifiers, source and destination IP
addresses and ports, protocol, and the time at which the event was
detected) and, if Snort has been configured to store packets along with
events, a hex dump of the packet that triggered it.
.SH EXAMPLES
To use it, run it against a unified2 log file:
.PP
.B u2spewfoo snort.log
.PP
The following is sample output of this tool:
.nf
(Event)
    sensor id: 0    event id: 4    event second: 1299698138    event microsecond: 146591
    sig id: 1    gen id: 1    revision: 0    classification: 0
    priority: 0    ip source: 10.1.2.3    ip destination: 10.9.8.7
    src port: 60710    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0

Packet
    sensor id: 0    event id: 4    event second: 1299698138
    packet second: 1299698138    packet microsecond: 146591
    linktype: 1    packet_length: 54
[    0] 02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 ..............E.
[   16] 00 28 00 06 00 00 40 06 5C B7 0A 01 02 03 0A 09 .(....@.\e.......
[   32] 08 07 ED 26 00 50 00 00 00 62 00 00 00 2D 50 10 ...&.P...b...-P.
[   48] 01 00 A2 BB 00 00 ......

(ExtraDataHdr)
    event type: 4    event length: 33

(ExtraData)
    sensor id: 0    event id: 2    event second: 1299698138
    type: 9    datatype: 1    bloblength: 9    HTTP URI: /

(ExtraDataHdr)
    event type: 4    event length: 78

(ExtraData)
    sensor id: 0    event id: 2    event second: 1299698138
    type: 10    datatype: 1    bloblength: 12    HTTP Hostname: example.com
.fi
.SH SEE ALSO
.BR snort (8)
.SH AUTHOR
This program was written by Adam Keeton.
This manual page was written by Javier Fernandez-Sanguino,
for the Debian GNU/Linux system (but may be used by others).
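.PP
The records behind the output above can be read directly, and doing so shows what a dumper has to check. The following is an added example, not code from u2spewfoo or Snort: a small Python reader for the three record kinds shown (IDS event, type 7; packet, type 2; extra data, type 4), laid out as in Snort's unified2 definitions (big-endian fields, no padding, an 8-byte type/length header in front of every record). The input is constructed inline: it reproduces the Event and Packet records from the sample output, adds an HTTP URI extra-data record whose lengths are computed from its one-byte value, then a packet record whose inner packet_length disagrees with the record length, and finally a header with only part of its body, which is what a file Snort is still appending to looks like. That bloblength counts the 8 bytes of the type/datatype fields is an assumption, consistent with the bloblength of 9 for the one-byte URI above. Function and field names are this example's own.

```python
# Added example, not u2spewfoo's or Snort's code.  Layouts follow Snort's
# unified2 definitions: big-endian, no padding, 8-byte (type, length) header.
import socket
import struct

UNIFIED2_PACKET = 2      # Serial_Unified2Packet
UNIFIED2_EXTRA_DATA = 4  # Unified2ExtraDataHdr + SerialUnified2ExtraData
UNIFIED2_IDS_EVENT = 7   # Unified2IDSEvent (IPv4)
EVENT_FMT = ">11I2H4B"   # 52 bytes
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "sig_id", "gen_id", "revision", "classification", "priority",
                "ip_source", "ip_destination", "src_port", "dest_port",
                "protocol", "impact_flag", "impact", "blocked")
PACKET_FMT = ">7I"       # 28 bytes, then packet_length bytes of frame data
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")
EXTRA_FMT = ">2I6I"      # 8-byte header plus 24-byte SerialUnified2ExtraData
EXTRA_FIELDS = ("event_type", "event_length", "sensor_id", "event_id",
                "event_second", "type", "datatype", "bloblength")
EXTRA_TYPES = {9: "HTTP URI", 10: "HTTP Hostname"}  # the two kinds shown above

def hexdump(data, width=16):
    """Render bytes the way u2spewfoo prints a packet: offset, hex, ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"[{off:5d}] {hexpart} {asc}")
    return lines

def unpack_fields(fmt, fields, body, what):
    if len(body) < struct.calcsize(fmt):
        raise ValueError(f"short {what} record")
    return dict(zip(fields, struct.unpack_from(fmt, body)))

def decode_record(rtype, body):
    """Decode one record body; every length read from the file is checked
    against the bytes actually present before it is used as an index."""
    if rtype == UNIFIED2_IDS_EVENT:
        rec = unpack_fields(EVENT_FMT, EVENT_FIELDS, body, "event")
        for k in ("ip_source", "ip_destination"):
            rec[k] = socket.inet_ntoa(rec[k].to_bytes(4, "big"))
        return ("Event", rec)
    if rtype == UNIFIED2_PACKET:
        rec = unpack_fields(PACKET_FMT, PACKET_FIELDS, body, "packet")
        hdr = struct.calcsize(PACKET_FMT)
        if rec["packet_length"] != len(body) - hdr:   # never trust the inner length
            raise ValueError(f"packet_length {rec['packet_length']} disagrees with record length")
        rec["data"] = body[hdr:]
        return ("Packet", rec)
    if rtype == UNIFIED2_EXTRA_DATA:
        rec = unpack_fields(EXTRA_FMT, EXTRA_FIELDS, body, "extra data")
        # assumption: bloblength counts the 8 bytes of the type/datatype fields too
        hdr, data_len = struct.calcsize(EXTRA_FMT), rec["bloblength"] - 8
        if data_len < 0 or hdr + data_len > len(body):
            raise ValueError(f"bloblength {rec['bloblength']} does not fit the record")
        rec["label"] = EXTRA_TYPES.get(rec["type"], "unknown")
        rec["value"] = body[hdr:hdr + data_len].decode("ascii", "replace")
        return ("ExtraData", rec)
    return ("Unknown", {"type": rtype, "length": len(body)})

def parse_unified2(buf):
    """Return (records, leftover).  Framing trusts only the 8-byte header; a
    malformed body is reported and skipped, and parsing stops at a header that
    promises more bytes than remain, returning how many bytes are pending."""
    records, offset = [], 0
    while offset + 8 <= len(buf):
        rtype, rlen = struct.unpack_from(">II", buf, offset)
        body = buf[offset + 8:offset + 8 + rlen]
        if len(body) < rlen:
            break
        try:
            records.append(decode_record(rtype, body))
        except ValueError as err:
            records.append(("Malformed", {"type": rtype, "error": str(err)}))
        offset += 8 + rlen
    return records, len(buf) - offset

def record(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body

def build_sample():
    """Constructed input: the Event and Packet from the sample output above, an
    HTTP URI record, a packet record whose packet_length lies, a truncated tail."""
    sec, usec = 1299698138, 146591
    src = int.from_bytes(socket.inet_aton("10.1.2.3"), "big")
    dst = int.from_bytes(socket.inet_aton("10.9.8.7"), "big")
    event = struct.pack(EVENT_FMT, 0, 4, sec, usec, 1, 1, 0, 0, 0, src, dst, 60710, 80, 6, 0, 0, 0)
    frame = bytes.fromhex("02090807060502010203040508004500" "00280006000040065CB70A0102030A09"
                          "0807ED260050000000620000002D5010" "0100A2BB0000")
    packet = struct.pack(PACKET_FMT, 0, 4, sec, sec, usec, 1, len(frame)) + frame
    extra = struct.pack(EXTRA_FMT, 4, 8 + 24 + 1, 0, 2, sec, 9, 1, 8 + 1) + b"/"
    lying = struct.pack(PACKET_FMT, 0, 5, sec, sec, usec, 1, 1000) + b"\x00" * 4
    truncated = struct.pack(">II", UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10
    return (record(UNIFIED2_IDS_EVENT, event) + record(UNIFIED2_PACKET, packet)
            + record(UNIFIED2_EXTRA_DATA, extra) + record(UNIFIED2_PACKET, lying) + truncated)

if __name__ == "__main__":
    recs, leftover = parse_unified2(build_sample())
    for kind, rec in recs:
        print(f"({kind})")
        for key, val in rec.items():
            print("\n".join(hexdump(val)) if key == "data" else f"    {key}: {val}")
    print(f"{leftover} trailing bytes are not yet a complete record")
```

Two points the example makes that the output above does not: the 8-byte record header is the only length a reader should use for framing, so a packet_length or bloblength that disagrees with it is reported rather than used as a slice bound, and a partial record at the end of the file is left pending rather than decoded, since a dumper pointed at the file Snort is currently writing will routinely see one.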