[Snort-users] Extending CSV output plug-in

Jason security at ...5028...
Sun Mar 2 21:48:23 EST 2008



Kamran Shafi wrote:
> Yes - all other outputs i.e. tcpdump, fast, standard are working properly.
> Its only csv that is not producing any output.

Possibly. Paste your conf to http://snort.pastebin.com and the entire 
output of running the command snort -l /tmp -i lo -c test.conf

> 
> Thanks for pointing to the Snort development site.
> 
> Apologies for posting to private e-mail unintentionally.
> 
> Come on guys, is there anyone to point out where I might have a problem?
> 
> On Mon, Mar 3, 2008 at 12:14 PM, Jason <security at ...5028...> wrote:
> 
>>
>> Kamran Shafi wrote:
>>> Hi Jason,
>>>
>>> Thanks for the reply. However, due to my ignorance I couldn't get much
>>> out of it.
>>>>> inline -- could you please elaborate more.
>>>>> Perhaps it is because command line options override the config file.
>>> I don't really think so, because the tcpdump output is working without
>>> any glitches.
>> Did you try?
>>
>>>>> You will have to write the code to make packet data available in the
>>>>> csv.
>>> I guessed so -- can you provide any useful links, where to start from
>>> and which module/preprocessor to modify?
>> You should start reading here - http://www.snort.org/docs/#devel
>>
>> Specifically, look at src/output-plugins/spo_csv.c
>>
>> For templates check out the sources in the templates directories.
>>
>> Please keep replies on list, it doesn't much help the next person when
>> things go off-line.
>>
>>
>>> On Sun, Mar 2, 2008 at 12:52 PM, Jason <security at ...5028...> wrote:
>>>
>>>> inline
>>>>
>>>> Kamran Shafi wrote:
>>>>> Hi All,
>>>>>
>>>>> I am new to Snort and this is my first mail to this list so please
>>>>> bear with me.
>>>>>
>>>>> First - I have been trying hard for the last few days to get the csv
>>>>> plug-in to work for me but it has not. I am on Fedora Core 7 and running
>>>>> Snort 2.8.1, the latest version. I am running Snort with the following
>>>>> command:
>>>>>
>>>>> snort -A console -i lo -c test.conf  (please see the output of running
>>>>> this command at the bottom of this mail)
>>>>>
>>>>> I have enabled only one rules file i.e. local.rules and have some test
>>>>> rules in it.
>>>>>
>>>>> the entry for my csv output plug-in in the test.conf file is
>>>>>
>>>>> output alert_CSV: /var/log/alert.csv default
>>>>>
>>>>> Afterwards I generate some attack traffic and get some alerts on the
>>>>> console. (please see the output at the end of this mail).
>>>>>
>>>>> The problem is that the alert.csv is never created!!!
>>>>>
>>>>> I have tried using full mode, the -h flag and a few other tricks but
>>>>> nothing is working
>>>> Perhaps it is because command line options override the config file.
>>>>
>>>>> Please note that I have not installed barnyard and assume that it is
>>>>> not a must for the csv module to work.
>>>>>
>>>>> My second question is the following:
>>>>>
>>>>> If I am lucky enough to configure the csv module correctly with the
>>>>> help of you gurus, then how can I extend this module to add more
>>>>> details about the packet payload to the csv output?
>>>>>
>>>>> I have posted similar messages on the Snort forum without any response.
>>>>> Any help is appreciated.
>>>> You will have to write the code to make packet data available in the
>>>> csv.
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
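The thread's second question (how to get packet payload into the CSV record once the plug-in is producing output) has a practical pitfall that spo_csv.c does not solve for you: raw payload bytes routinely contain commas, double quotes and CR/LF, so writing them straight into a line breaks the column layout of every record that follows. The block below is an added example, not code from spo_csv.c or the Snort sources. It takes a payload buffer and a few pre-formatted fields and builds one CSV record with the payload both hex-encoded and as a quoted printable string. The function names, the column set and order, the 1500-byte payload cap and the sample request line are all this example's own assumptions, not Snort's "default" format; in a real plug-in the payload pointer and length would come from the packet structure the output hook receives.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hex-encode `len` payload bytes into `out` (capacity `outsz`). Returns the
   number of characters written, excluding the NUL, or -1 if `out` is too
   small. Hex never contains a comma, quote or newline, so a hex column can
   never shift or split the other CSV columns. */
int payload_hex(const uint8_t *payload, size_t len, char *out, size_t outsz)
{
    static const char digits[] = "0123456789abcdef";
    if (outsz < 2 * len + 1)
        return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[payload[i] >> 4];
        out[2 * i + 1] = digits[payload[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return (int)(2 * len);
}

/* Quote arbitrary bytes as one RFC 4180 CSV field: wrap in double quotes,
   double any embedded double quote, and replace non-printable bytes with
   '.'. Returns characters written (excluding NUL) or -1 on overflow. A raw
   payload containing "," or "\n" would otherwise corrupt the record. */
int csv_quote_bytes(const uint8_t *data, size_t len, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz < 3)                 /* opening quote, closing quote, NUL */
        return -1;
    out[n++] = '"';
    for (size_t i = 0; i < len; i++) {
        unsigned char c = data[i];
        if (n + 4 > outsz)         /* up to 2 chars here + closing quote + NUL */
            return -1;
        if (c == '"') {
            out[n++] = '"';
            out[n++] = '"';
        } else if (isprint(c)) {
            out[n++] = (char)c;
        } else {
            out[n++] = '.';
        }
    }
    out[n++] = '"';
    out[n] = '\0';
    return (int)n;
}

#define MAX_PAYLOAD 1500           /* assumption: one MTU-sized payload per alert */

/* Build one CSV record: timestamp, quoted message, src, dst, payload length,
   hex payload, quoted printable payload. The column set and order are this
   example's choice, not the layout of spo_csv.c's "default" format. */
int format_csv_alert(const char *timestamp, const char *msg,
                     const char *src, const char *dst,
                     const uint8_t *payload, size_t len,
                     char *out, size_t outsz)
{
    char qmsg[2 * 256 + 3];
    char hex[2 * MAX_PAYLOAD + 1];
    char text[2 * MAX_PAYLOAD + 3];

    if (len > MAX_PAYLOAD)
        return -1;
    if (csv_quote_bytes((const uint8_t *)msg, strlen(msg), qmsg, sizeof qmsg) < 0)
        return -1;
    if (payload_hex(payload, len, hex, sizeof hex) < 0)
        return -1;
    if (csv_quote_bytes(payload, len, text, sizeof text) < 0)
        return -1;

    int n = snprintf(out, outsz, "%s,%s,%s,%s,%zu,%s,%s",
                     timestamp, qmsg, src, dst, len, hex, text);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                 /* truncated: do not emit a partial record */
    return n;
}

int main(void)
{
    /* Constructed sample: an HTTP request line with a comma, quotes and CRLF. */
    const uint8_t payload[] = "GET /,\"x\"\r\n";
    char line[4096];
    if (format_csv_alert("03/02-21:48:23.000000", "LOCAL test rule, csv",
                         "127.0.0.1:40000", "127.0.0.1:80",
                         payload, sizeof payload - 1, line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

Keeping the hex column alongside the printable one matters for anything that parses the file later: the printable rendering is lossy (every non-printable byte becomes '.'), while the hex column preserves the exact bytes and stays a single token no matter what the payload contains.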



