
Logging to a CSV File

Problem

You want to log your output to a comma-separated value (CSV) file.

Solution

Use the Barnyard alert_csv plug-in by editing the /etc/barnyard.conf file:


output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode

Discussion

Snort alerts can be logged in comma-separated value (CSV) format for ease of use with databases and spreadsheets. CSV output is also portable to numerous software applications on a variety of operating systems. To do this, you must use the Barnyard output utility together with Snort's unified logging feature. Barnyard contains the alert_csv module, which you configure with the fields you want logged, in the order you want them. You enable the alert_csv plug-in by editing the /etc/barnyard.conf file:

# alert_csv (experimental)
#---------------------------
# Creates a CSV output file of alerts (optionally using a user
# specified format) Arguments: filepath [format]
#
# The format is a comma-separated list of fields to output (no spaces
# allowed)
# The available fields are:
# sig_gen - signature generator
# sig_id - signature id
# sig_rev - signature revision
# sid - SID triplet
# class - class id
# classname - textual name of class
# priority - priority id
# event_id - event id
# event_reference - event reference
# ref_tv_sec - reference seconds
# ref_tv_usec - reference microseconds
# tv_sec - event seconds
# tv_usec - event microseconds
# timestamp - timestamp (2001-01-01 01:02:03) in UTC
# src - src address as a u_int32_t
# srcip - src address as a dotted quad
# dst - dst address as a u_int32_t
# dstip - dst address as a dotted quad
# sport_itype - source port or ICMP type (or 0)
# sport - source port (if UDP or TCP)
# itype - ICMP type (if ICMP)
# dport_icode - dest port or ICMP code (or 0)
# dport - dest port
# icode - ICMP code (if ICMP)
# proto - protocol number
# protoname - protocol name
# flags - flags from UnifiedAlertRecord
# msg - message text
# hostname - hostname (from barnyard.conf)
# interface - interface (from barnyard.conf)
#
# Examples:
# output alert_csv: /var/log/snort/csv.out
# output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode
# output alert_csv: csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode

output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode

This logs the fields specified, in the order specified, to the file /var/log/snort/csv.out. The output looks like the following:

[testuser@localhost snort]# more csv.out
"2004-11-06 00:32:05",ICMP PING NMAP,192.168.206.129,,192.168.100.5,,"ICMP",8,0
"2004-11-06 00:32:10",ICMP PING NMAP,192.168.206.129,,192.168.100.5,,"ICMP",8,0
"2004-11-06 00:35:35",SNMP request tcp,192.168.206.129,36252,192.168.100.5,161,"TCP",,
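As an added example (not from the cookbook or from Barnyard itself), the following Python reads a csv.out produced by the format line above, maps each column back to its configured field name, and turns the blank port and ICMP fields into None. The sample rows are constructed from the listing above; the parser also sets aside any row whose column count does not match the format, since msg is written unquoted and a message containing a comma would shift the later columns.

```python
import csv
from io import StringIO

# Field order must match the format list given to alert_csv in barnyard.conf
# (this is the format from the recipe's configuration line).
ALERT_CSV_FORMAT = "timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode"

# Numeric fields that alert_csv leaves empty when they do not apply:
# ports are blank for ICMP, ICMP type/code are blank for TCP and UDP.
INT_FIELDS = {"sport", "dport", "itype", "icode"}

# Constructed sample, modelled on the csv.out listing in the recipe.
SAMPLE_CSV_OUT = """\
"2004-11-06 00:32:05",ICMP PING NMAP,192.168.206.129,,192.168.100.5,,"ICMP",8,0
"2004-11-06 00:35:35",SNMP request tcp,192.168.206.129,36252,192.168.100.5,161,"TCP",,
"""


def parse_alert_csv(text, fmt=ALERT_CSV_FORMAT):
    """Parse alert_csv output into dicts keyed by the configured field names.

    Returns (records, rejected). A row goes to 'rejected' when its column
    count does not match the format: msg is written unquoted, so a rule
    message containing a comma would shift every later column.
    """
    fields = fmt.split(",")
    records, rejected = [], []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue  # skip blank lines
        if len(row) != len(fields):
            rejected.append(row)
            continue
        rec = {}
        for name, value in zip(fields, row):
            rec[name] = (int(value) if value else None) if name in INT_FIELDS else value
        records.append(rec)
    return records, rejected


if __name__ == "__main__":
    recs, bad = parse_alert_csv(SAMPLE_CSV_OUT)
    for r in recs:
        print(r["timestamp"], r["protoname"], r["srcip"], "->", r["dstip"], r["msg"])
    print("rejected rows:", len(bad))
```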


See Also

Recipe 5.9

Recipe 2.1


Source: Snort Cookbook (ISBN: 0596007914, Year: 2006)
