How to request features with devs (pfSense and Snort)

I’ve never done this before - finding what might be a bug(?) or just being nitpicky - but regardless I’m curious how to go forward with this:

When installing Snort on pfSense (some time ago Snort and Suricata ditched barnyard2 in pfSense and use Unified2 now) and checking “send logs to syslog…”

It does as it says, and I have a transforms.conf in the SIEM to source type it appropriately to have a technology add-on’s regex made for Unified2 format to do field extraction.

Example of output I am getting:

Example of output the Unified2 TA is expecting:

Note my Snort output does not have interface information; the Unified2 example does. From memory, before the Snort and Suricata drop of barnyard2 to Unified2, it used to have interface.

I can fix the regex, but to me it seems Snort’s implementation of Unified2 is not completely accurate.

How would one go about “reporting” this appropriately, tastefully and with the right information/logs/terminology?

If they’ve got a Jira or some other public bug tracker set up, you can post your findings there. In my experience the trick is to do the research and simply present what you’ve found. That way you’re not just asking for support, but you’ve actually done something to help improve the software just like the devs are doing. Just doing that without the OMG WORST SOFTWARE EVAR attitude is usually enough to stand out from the noise.


I’ll look around for their Jira and git, but yeah, this is FOR SURE not a “worst software evar” haha. Great software, amazed at what can be had for free. Either this is a ‘feature’ or maybe a legit oversight I can help with bringing to their attention.