Logging to a CSV File

Table of contents:

Problem

You want to log your output to a comma-separated value (CSV) file.

Solution

Use the Barnyard alert_csv plug-in by editing the /etc/barnyard.conf file:


output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip,sport,

dstip,dport,protoname,itype,icode

 

Discussion

Snort alerts can be logged in comma-separated value format for ease of use with databases and spreadsheets. This also allows portability of output data to numerous software applications on a variety of operating systems. To do this, you must use the Barnyard output utility and Snort's unified logging feature. Barnyard contains the alert_csv module, which you can configure to log your choice of the fields in the output, in any order you specify. You can use the Barnyard alert_csv plug-in by editing the /etc/barnyard.conf file:

# alert_csv (experimental)

#---------------------------

# Creates a CSV output file of alerts (optionally using a user 

# specified format) Arguments: filepath [format]

#

# The format is a comma-seperated list of fields to output (no spaces 

# allowed)

# The available fields are:

# sig_gen - signature generator

# sig_id - signature id

# sig_rev - signatrue revision

# sid - SID triplet

# class - class id

# classname - textual name of class

# priority - priority id

# event_id - event id

# event_reference - event reference

# ref_tv_sec - reference seconds

# ref_tv_usec - reference microseconds

# tv_sec - event seconds

# tv_usec - event microseconds

# timestamp - timestamp (2001-01-01 01:02:03) in UTC

# src - src address as a u_int32_t

# srcip - src address as a dotted quad

# dst - dst address as a u_int32_t

# dstip - dst address as a dotted quad

# sport_itype - source port or ICMP type (or 0)

# sport - source port (if UDP or TCP)

# itype - ICMP type (if ICMP)

# dport_icode - dest port or ICMP code (or 0)

# dport - dest port

# icode - ICMP code (if ICMP)

# proto - protocol number

# protoname - protocol name

# flags - flags from UnifiedAlertRecord

# msg - message text

# hostname - hostname (from barnyard.conf)

# interface - interface (from barnyard.conf)

#

# Examples:

# output alert_csv: /var/log/snort/csv.out

# output alert_csv: /var/log/snort/csv.out timestamp,

msg,srcip,sport,dstip,dport,protoname,itype,icode

# output alert_csv: csv.out timestamp,msg,srcip,sport,

dstip,dport,protoname,itype,icode

 

output alert_csv: /var/log/snort/csv.out timestamp,msg,

srcip,sport,dstip,dport,protoname,itype,icode

This logs the fields specified, in the order specified, to the file /var/log/snort/csv.out. The output looks like the following:

[testuser@localhost snort]# more csv.out

"2004-11-06 00:32:05",ICMP PING NMAP,192.168.206.129,,192.168.100.5,,

"ICMP",8,0

"2004-11-06 00:32:10",ICMP PING NMAP,192.168.206.129,,192.168.100.5,,

"ICMP",8,0

"2004-11-06 00:35:35",SNMP request tcp,192.168.206.129,36252,192.168.100.5,161,"TCP",,

 

See Also

Recipe 5.9

Recipe 2.1

Logging to a Specific File

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index



Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net