[Snort-users] CSV Output problems...

Glenn Larsson ichinin at ...5794...
Thu May 23 16:45:02 EDT 2002


Hi.

I have a question regarding Snort's CSV output.

I'm using the following line with CSV:

output CSV: CSV.txt default

in comparison with standard output.

"dstport"	reports ""
"tcplen" 	reports ""

Here is a sample line: (Lines wrapped)

05/24/02-00:55:17.468971 ,SHELLCODE x86 NOOP,TCP,
192.168.1.70,1028,192.168.1.35,,0:0:E8:3A:B8:58
,0:60:8:54:59:EA,0x5CF,***AP***,0x994C1F09,0x635F50
,,0x4404,128,0,1126,1473,20,,,,

You can clearly see that after [dst] ("192.168.1.35"),
the [dstport] is "" and after [tcpack] ("0x635F50"),
tcplen is "".

I now tried using the entire parameter set: (lines...)

output CSV: CSV.txt timestamp, msg, proto, src, srcport,
dst, dstport, ethsrc, ethdst, ethlen, tcpflags, tcpseq,
tcpack, tcplen, tcpwindow, ttl, tos, id, dgmlen, iplen,
icmptype, icmpcode, icmpid, icmpseq

all I got was records like this:

"05/24/02-01:25:46.063680 ,,,,,,,,,,,,,,,,,,,,,,,"


Is there some other way to dump info from snort (in a
reliable way), or do I have to continue to use the
default output format? Also, does CSV output work
properly under Linux?

Regards,
Glenn
_______________________________________________

Config: 	Snort 1.8.5 (Win32)
		WinPCAP 2.3
		NT Srv 4.0 (x86, SP5)
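A small checker for the situation described in the post, added here as an example (it is not part of the original message and not Snort's own code): it parses an alert_csv line using the 24-field order Glenn listed in his full parameter set, reports which fields came back empty, and flags the ones that should never be empty for the alert's protocol. The sample alert line is the post's own wrapped record joined back together; the all-empty record is constructed to match the shape of the second sample, and the per-protocol expectations are an assumption, not something Snort documents.

```python
"""Audit Snort alert_csv output for empty fields (added example, not Snort code)."""
from typing import Dict, List, Tuple

# Field order taken from the post's full "output CSV:" parameter set (24 names).
FIELDS = [
    "timestamp", "msg", "proto", "src", "srcport", "dst", "dstport",
    "ethsrc", "ethdst", "ethlen", "tcpflags", "tcpseq", "tcpack", "tcplen",
    "tcpwindow", "ttl", "tos", "id", "dgmlen", "iplen",
    "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Fields a sane record should populate per protocol (assumption for this example).
EXPECTED_BY_PROTO = {
    "TCP": ["src", "srcport", "dst", "dstport", "tcpflags", "tcpseq",
            "tcpack", "tcplen", "tcpwindow"],
    "UDP": ["src", "srcport", "dst", "dstport"],
    "ICMP": ["src", "dst", "icmptype", "icmpcode"],
}

# The post's sample record with its wrapped lines joined back together.
SAMPLE_ALERT = (
    "05/24/02-00:55:17.468971 ,SHELLCODE x86 NOOP,TCP,"
    "192.168.1.70,1028,192.168.1.35,,0:0:E8:3A:B8:58"
    ",0:60:8:54:59:EA,0x5CF,***AP***,0x994C1F09,0x635F50"
    ",,0x4404,128,0,1126,1473,20,,,,"
)
# Constructed to have the shape of the post's all-empty record (timestamp + 23 empties).
SAMPLE_BLANK = "05/24/02-01:25:46.063680 " + "," * 23


def parse_alert(line: str, fields: List[str] = FIELDS) -> Dict[str, str]:
    """Split one alert_csv line into a name -> value mapping.

    Snort 1.8's CSV plugin writes unquoted, comma-separated values, so a
    plain split is enough; surrounding double quotes (mail quoting) are
    stripped first, and one trailing separator is tolerated.
    """
    line = line.strip().strip('"')
    values = [v.strip() for v in line.split(",")]
    if len(values) == len(fields) + 1 and values[-1] == "":
        values.pop()
    if len(values) != len(fields):
        raise ValueError(
            f"expected {len(fields)} fields, got {len(values)}: {line!r}")
    return dict(zip(fields, values))


def empty_fields(record: Dict[str, str]) -> List[str]:
    """Names of all fields that came back empty, in output order."""
    return [name for name, value in record.items() if value == ""]


def check_record(record: Dict[str, str]) -> List[str]:
    """Fields that are empty but expected to be set for the record's protocol."""
    expected = EXPECTED_BY_PROTO.get(record.get("proto", ""), [])
    return [name for name in expected if record.get(name, "") == ""]


def audit_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run check_record over many lines; returns (line number, problems) pairs.

    Unparseable lines are reported as a single problem string rather than
    aborting the audit.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            problems = check_record(parse_alert(line))
        except ValueError as exc:
            problems = [str(exc)]
        if problems:
            findings.append((number, problems))
    return findings


if __name__ == "__main__":
    for number, problems in audit_lines([SAMPLE_ALERT, SAMPLE_BLANK]):
        print(f"line {number}: unexpectedly empty: {', '.join(problems)}")
```

Running it against the two records from the post prints the dstport and tcplen gap for the first line; the second line produces no protocol finding because its proto field is itself empty, which is exactly why a per-protocol check is not enough on its own and `empty_fields` is worth looking at as well.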