Snort FAQ

README.csv

SPO_CSV Usage Guide Brian Caswell bmc@snort.org

$Id$

Overview:

The CSV output plugin gives an interface for users to specify what information they see for alerts. csv provides this by outputting the data in comma separated value format, configured by the user in the snort configuration file.

Using limited output configurations can greatly increase the speed of snort.

Usage:

The CSV output plugin can be configured to output specific portions of a snort alert.

spo_csv requires the following format.

output alert_CSV: location_to_your_file fieldname,fieldname2,fieldname3

The following line is an example CSV configuration: output csv: /my/snort.log msg,proto,timestamp,src,srcport,dst,dstport

That configuration will append the following output to /my/snort.log WEB-MISC phf access,TCP,02/23-11:06:59.600820 ,192.168.0.1,1021,192.168.0.2,80

Possible Field Names:

The following field names are available (As of 01/13/2004)

timestamp, sig_generator, sig_id, sig_rev, msg, proto, src, srcport, dst, dstport, ethsrc, ethdst, ethlen, tcpflags, tcpseq, tcpack, tcpln, tcpwindow, ttl, tos, id, dgmlen, iplen, icmptype, icmpcode, icmpid, icmpseq, and default

By specifying “default” as a field name, a default set of field names is used. grep DEFAULT_CSV spo_csv.h for the default set of fields