Over the last few days I've reviewed several add-ons for Snort. First, everyone using Snort knows about Barnyard. Barnyard processes the output from the spo_unified plugin, which Marty first described in June 2001. spo_unified creates two log files. To paraphrase Marty, the alert file contains event data (generator, sid, rev, classification, priority, event_reference), a timestamp, source IP, destination IP, source port, destination port, protocol, and TCP flags (if applicable). The log file contains the event data, flags that indicate the...
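As an added illustration (not code from this post, from Snort, or from Barnyard), here is a small Python reader for an alert file carrying the fields listed above, doing the kind of decoding a Barnyard-style consumer performs. The fixed 52-byte little-endian record layout and the sample records are constructed for this example; the real spo_unified struct is written in the sensor's native word size and byte order and differs in detail.

```python
import socket
import struct
from dataclasses import dataclass

# Assumed record layout (constructed for this example, not Snort's on-disk struct).
# Field order follows the alert-file fields described in the post.
ALERT_FMT = "<6I2I4s4sHHII"
ALERT_LEN = struct.calcsize(ALERT_FMT)  # 52 bytes per record

TCP_FLAG_BITS = {0x01: "F", 0x02: "S", 0x04: "R", 0x08: "P", 0x10: "A", 0x20: "U"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

@dataclass
class UnifiedAlert:
    generator: int; sid: int; rev: int; classification: int
    priority: int; event_reference: int; tv_sec: int; tv_usec: int
    src: str; dst: str; sport: int; dport: int; protocol: int; flags: int

    def tcp_flags(self) -> str:
        """Decode the TCP flag bits; meaningless (empty) for non-TCP events."""
        if self.protocol != 6:
            return ""
        return "".join(ch for bit, ch in sorted(TCP_FLAG_BITS.items()) if self.flags & bit)

def pack_alert(a: UnifiedAlert) -> bytes:
    """Serialise one record in the assumed layout (what a sensor would write)."""
    return struct.pack(ALERT_FMT, a.generator, a.sid, a.rev, a.classification,
                       a.priority, a.event_reference, a.tv_sec, a.tv_usec,
                       socket.inet_aton(a.src), socket.inet_aton(a.dst),
                       a.sport, a.dport, a.protocol, a.flags)

def read_alerts(data: bytes) -> list:
    """Parse whole records; a trailing partial record (sensor mid-write) is skipped."""
    alerts = []
    for off in range(0, len(data) - ALERT_LEN + 1, ALERT_LEN):
        f = struct.unpack_from(ALERT_FMT, data, off)
        alerts.append(UnifiedAlert(*f[:8], socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), *f[10:]))
    return alerts

def format_alert(a: UnifiedAlert) -> str:
    """Render a record as a one-line, fast-style alert for an analyst."""
    proto = PROTO_NAMES.get(a.protocol, str(a.protocol))
    line = (f"[{a.generator}:{a.sid}:{a.rev}] class {a.classification} pri {a.priority} "
            f"{{{proto}}} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
    return line + (f" flags {a.tcp_flags()}" if a.protocol == 6 else "")

SAMPLE_ALERTS = [  # constructed records, not taken from a real sensor
    UnifiedAlert(1, 1000001, 1, 3, 2, 1, 1011812345, 0, "10.0.0.5", "192.0.2.10", 44321, 80, 6, 0x12),
    UnifiedAlert(1, 1000002, 2, 1, 1, 2, 1011812346, 500, "10.0.0.9", "192.0.2.53", 5353, 53, 17, 0),
]
# Two full records plus three stray bytes, simulating a file read while Snort is still writing.
SAMPLE_FILE = b"".join(pack_alert(a) for a in SAMPLE_ALERTS) + b"\x00\x00\x00"

if __name__ == "__main__":
    for alert in read_alerts(SAMPLE_FILE):
        print(format_alert(alert))
```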