<div dir='auto'>Hello Amar, <div dir="auto"><br></div><div dir="auto">If you are using unified2 with Barnyard2 you might want to consider looking at Meer (http://github.com/beave/meer). It works like Barnyard2 but reads Suricata EVE files rather than Unified2. This would allow you to keep your existing backend while moving away from Unified2. </div><div dir="auto"><br></div><div dir="auto">Hope this helps.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Apr 10, 2019 1:16 AM, Amar Rathore - CounterSnipe Systems <amar@countersnipe.com> wrote:<br type="attribution" /><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
Hi Victor
<br />
</div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
<br />
</div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
Hope all is well with you. I thought I should ask this on the Forum rather than 121.
<br />
</div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
Regarding Unified2 support, the web site says: "After 18 months, the feature will be removed in the first major release."
<br />
</div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
When is the next Major release planned for?
<br />
</div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
We run with a slightly older version when it comes to integrating Suri with our software.
</div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
What is/will be the latest/last fully Unified2 tested version of Suricata?
<br />
</div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
That will enable us to ensure a supported product for a few more years.
<br />
</div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
<br />
</div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
Thank you
<br />
</div>
<div style="font-size:12pt;font-family:'arial' , 'helvetica' , sans-serif;color:rgb( 0 , 0 , 128 )">
Amar
<br />
</div>
<blockquote>
<div>
On April 9, 2019 at 7:08 AM Victor Julien <
<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:
</div>
<div>
<br />
</div>
<div>
<br />
</div>
<div>
Hi Champ!
</div>
<div>
<br />
</div>
<div>
On 08-04-19 17:31, Champ Clark III wrote:
</div>
<blockquote>
<div>
I was under the impression, perhaps incorrectly, that 'xbit' data gets
</div>
<div>
stored in the Suricata EVE files. For example, if an 'xbit' gets
</div>
<div>
'set' or checked ('isset'), is there an EVE record of that happening?
</div>
<div>
I've searched my Suricata instances' EVE files for 'xbits' and can't find
</div>
<div>
any records of that. However, it might be that I haven't triggered any
</div>
<div>
rules that have 'xbits' in them. I'd like to see how this data gets
</div>
<div>
recorded.
</div>
</blockquote>
<div>
<br />
</div>
<div>
Inside Suricata, xbits are implemented as various other bits. Per host
</div>
<div>
bits (hostbits) and per IP Pair. These 2 variants are not logged in EVE
</div>
<div>
currently. Feel free to open a feature ticket.
</div>
<div>
<br />
</div>
<div>
<br />
</div>
<blockquote>
<div>
Secondly, I know there are plans to deprecate 'unified2'. Is there a
</div>
<div>
target date for this?
</div>
</blockquote>
<div>
<br />
</div>
<div>
Yes, it's actually quite close: June this year which means we can
</div>
<div>
probably already throw it out in our git master.
</div>
<div>
<br />
</div>
<div>
<a href="https://suricata-ids.org/about/deprecation-policy/">https://suricata-ids.org/about/deprecation-policy/</a>
<br />
</div>
<div>
<br />
</div>
<div>
--
</div>
<div>
---------------------------------------------
</div>
<div>
Victor Julien
</div>
<div>
<a href="http://www.inliniac.net/">http://www.inliniac.net/</a>
<br />
</div>
<div>
PGP:
<a href="http://www.inliniac.net/victorjulien.asc">http://www.inliniac.net/victorjulien.asc</a>
<br />
</div>
<div>
---------------------------------------------
</div>
<div>
<br />
</div>
<div>
_______________________________________________
</div>
<div>
Suricata IDS Users mailing list:
<a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
<br />
</div>
<div>
Site:
<a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support:
<a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
<br />
</div>
<div>
List:
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
<br />
</div>
<div>
<br />
</div>
<div>
Conference:
<a href="https://suricon.net">https://suricon.net</a>
<br />
</div>
<div>
Trainings:
<a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a>
<br />
</div>
</blockquote>
</div>
</blockquote></div><br></div>
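For anyone making the Unified2-to-EVE move the thread discusses, here is an added example (not Meer's code and not from the thread) of what the consumer side looks like: read Suricata's EVE JSON lines, keep only <code>event_type</code> alert records, and map them to the gid/sid/rev tuple a Barnyard2-style backend expects. The EVE lines are constructed samples; the field names follow Suricata's documented EVE alert layout.

```python
import json
from typing import Dict, Iterable, Iterator, Optional

# Constructed sample EVE lines (not from the thread). Note there is no xbits
# field anywhere: as Victor says, hostbits / IP-pair bits are not written to EVE.
SAMPLE_EVE = """\
{"timestamp":"2019-04-10T01:16:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-04-10T01:16:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
this line is not json
{"timestamp":"2019-04-10T01:16:02.000000+0000","event_type":"alert","src_ip":"192.0.2.7","src_port":443,"dest_ip":"10.0.0.5","dest_port":40000,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013028,"rev":4,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":2}}
"""


def parse_eve_alert(line: str) -> Optional[Dict]:
    """Turn one EVE line into a Barnyard2-style alert dict, or None if it is not an alert."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # partially written or corrupt line: a tailing consumer must skip it
    if rec.get("event_type") != "alert":
        return None  # EVE mixes flow/http/dns/... records into the same file
    a = rec["alert"]
    return {
        "timestamp": rec["timestamp"],
        "gid": a["gid"], "sid": a["signature_id"], "rev": a["rev"],
        "msg": a["signature"], "class": a.get("category", ""),
        "priority": a.get("severity"),
        "src_ip": rec["src_ip"], "src_port": rec.get("src_port"),  # no ports for ICMP
        "dest_ip": rec["dest_ip"], "dest_port": rec.get("dest_port"),
        "proto": rec["proto"],
    }


def iter_alerts(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield only the alert records from a stream of EVE lines."""
    for line in lines:
        if not line.strip():
            continue
        alert = parse_eve_alert(line)
        if alert is not None:
            yield alert


def fast_line(alert: Dict) -> str:
    """Render an alert in Suricata's 'fast' log shape, which most old backends already accept."""
    return ("{timestamp}  [**] [{gid}:{sid}:{rev}] {msg} [**] [Classification: {class}] "
            "[Priority: {priority}] {{{proto}}} {src_ip}:{src_port} -> {dest_ip}:{dest_port}"
            ).format(**alert)


if __name__ == "__main__":
    for alert in iter_alerts(SAMPLE_EVE.splitlines()):
        print(fast_line(alert))
```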