[Snort-users] Extending CSV output plug-in

Kamran Shafi kamran.shafi at ...11827...
Sun Mar 2 23:19:42 EST 2008


Ok .... It is finally producing alert.csv but only when I don't use the -A flag
as you mentioned.
Thanks for this tip Jason.

But what is going wrong? Why does snort log alerts in tcpdump and other
formats with -A flag but not with csv? Do I need to set my path somewhere?

On Mon, Mar 3, 2008 at 1:48 PM, Jason <security at ...5028...> wrote:

>
>
> Kamran Shafi wrote:
> > Yes - all other outputs i.e. tcpdump, fast, standard are working
> properly.
> > It's only csv that is not producing any output.
>
> Possibly. Paste your conf to http://snort.pastebin.com and the entire
> output of running the command snort -l /tmp -i lo -c test.conf
>
> >
> > Thanks for pointing to the Snort development site.
> >
> > Apologies for posting to private e-mail unintentionally.
> >
> > Come on guys, is there anyone to point out where I might have
> problem??????
> >
> > On Mon, Mar 3, 2008 at 12:14 PM, Jason <security at ...5028...> wrote:
> >
> >>
> >> Kamran Shafi wrote:
> >>> Hi Jason,
> >>>
> >>> Thanks for the reply. However, due to my ignorance I couldn't get much
> >> out
> >>> of it.
> >>>>> inline -- could you please elaborate more.
> >>>>> Perhaps it is because command line options override the config file.
> >>> I don't really think so, because the tcpdump output is working without
> >> any
> >>> glitches.
> >> Did you try?
> >>
> >>>>> You will have to write the code to make packet data available in the
> >> csv.
> >>> I guessed so -- can you provide any useful links, where to start from
> >> and
> >>> which module/preprocessor to modify??
> >> You should start reading here - http://www.snort.org/docs/#devel
> >>
> >> Specifically, look at src/output-plugins/spo_csv.c
> >>
> >> For templates check out the sources in the templates directories.
> >>
> >> Please keep replies on list, it doesn't much help the next person when
> >> things go off-line.
> >>
> >>
> >>> On Sun, Mar 2, 2008 at 12:52 PM, Jason <security at ...5028...> wrote:
> >>>
> >>>> inline
> >>>>
> >>>> Kamran Shafi wrote:
> >>>>> Hi All,
> >>>>>
> >>>>> I am new to Snort and this is my first mail to this list so please
> >> bear
> >>>> with
> >>>>> me.
> >>>>>
> >>>>> First - I have been trying hard for last few days to get csv plug-in
> >>>> work
> >>>>> for me but it has not. I am on Fedora Core 7 and running Snort
> 2.8.1, the
> >>>>> latest version. I am running Snort with the following command:
> >>>>>
> >>>>> snort -A console -i lo -c test.conf  (please see the output of
> running
> >>>> this
> >>>>> command at the bottom of this mail)
> >>>>>
> >>>>> I have enabled only one rules file i.e. local.rules and have some
> test
> >>>> rules
> >>>>> in it.
> >>>>>
> >>>>> the entry for my csv output plug-in in the test.conf file is
> >>>>>
> >>>>> output alert_CSV: /var/log/alert.csv default
> >>>>>
> >>>>> Afterwards I generate some attack traffic and get some alerts on the
> >>>>> console. (please see the output at the end of this mail).
> >>>>>
> >>>>> The problem is that the alert.csv is never created!!!
> >>>>>
> >>>>> I have tried using full mode, -h flag and few other tricks but
> nothing
> >>>> is
> >>>>> working
> >>>> Perhaps it is because command line options override the config file.
> >>>>
> >>>>> Please note that I have not installed barnyard and assume that it is
> >> not
> >>>> a
> >>>>> must for csv module to work.
> >>>>>
> >>>>> My second question is the following:
> >>>>>
> >>>>> If I am lucky enough to configure the csv module correctly with the
> >> help
> >>>> of
> >>>>> you gurus, then how can I extend this module to add more details
> about
> >>>> the
> >>>>> packet payload to the csv output ?
> >>>>>
> >>>>> I have posted similar messages on Snort forum without any response.
> >> Any
> >>>> help
> >>>>> is appreciated.
> >>>> You will have to write the code to make packet data available in the
> >> csv.
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Regards
Kamran Shafi
+61 41 824 9510
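Once the plug-in is writing alert.csv, the next question is usually what to do with the file. The following is an added example, not code from this thread or from the Snort project: a small Python parser for csv plug-in output. It assumes the field order the Snort manual documents for the `default` format string (pass your own field list if you changed the `output alert_CSV:` line), and it uses constructed sample lines, not real alerts. The third sample line is deliberately short to show how a mismatch between the plug-in's format and the parser's field list is reported instead of silently mis-mapping columns.

```python
import csv
from collections import Counter
from io import StringIO

# Field order of the csv plug-in's "default" format as documented in the Snort
# manual for spo_csv. Assumption for this example: if you changed the format
# string in your "output alert_CSV:" line, pass your own field list instead.
DEFAULT_FIELDS = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
    "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
    "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Constructed sample lines in that layout (invented for this example, not real
# alerts). The third line is deliberately truncated to exercise the
# format-mismatch path below.
SAMPLE_ALERT_CSV = (
    '03/03-13:48:01.123456,1,1000001,1,"LOCAL test ICMP echo",ICMP,'
    '127.0.0.1,,127.0.0.1,,00:00:00:00:00:00,00:00:00:00:00:00,0x62,'
    ',,,,,64,0,1234,84,20,8,0,2,1\n'
    '03/03-13:48:02.654321,1,1000002,2,"LOCAL test TCP, msg with comma",TCP,'
    '127.0.0.1,40000,127.0.0.1,80,00:00:00:00:00:00,00:00:00:00:00:00,0x4A,'
    '******S*,0x1A2B3C4D,0x0,20,5840,64,0,4321,60,20,,,,\n'
    '03/03-13:48:03.000001,1,1000002,2,"LOCAL test TCP, msg with comma",TCP\n'
)


def parse_alerts(text, fields=DEFAULT_FIELDS):
    """Parse csv plug-in output into dicts keyed by field name.

    Returns (records, malformed): records is a list of dicts, one per alert;
    malformed is a list of (line_number, field_count) for lines whose column
    count does not match the expected layout, so a changed format string is
    noticed instead of shifting every value into the wrong column.
    """
    records, malformed = [], []
    # The csv module handles the quoted msg field, including commas inside it.
    reader = csv.reader(StringIO(text))
    for lineno, row in enumerate(reader, start=1):
        if not row:  # blank line
            continue
        if len(row) != len(fields):
            malformed.append((lineno, len(row)))
            continue
        records.append(dict(zip(fields, row)))
    return records, malformed


def alert_counts(records):
    """Count alerts per signature as (gid, sid, msg) -> count, which is the
    usual first pass when reviewing an alert file."""
    return Counter((r["sig_generator"], r["sig_id"], r["msg"]) for r in records)


def talker_pairs(records):
    """Count (src, dst) pairs, to see which hosts produced the alerts."""
    return Counter((r["src"], r["dst"]) for r in records)


if __name__ == "__main__":
    recs, bad = parse_alerts(SAMPLE_ALERT_CSV)
    for (gid, sid, msg), n in alert_counts(recs).most_common():
        print(f"{gid}:{sid} {msg!r}: {n}")
    for (src, dst), n in talker_pairs(recs).most_common():
        print(f"{src} -> {dst}: {n}")
    for lineno, n in bad:
        print(f"line {lineno}: expected {len(DEFAULT_FIELDS)} fields, got {n}")
```

Run it against a real alert.csv with `parse_alerts(open("/var/log/alert.csv").read())`; a non-empty `malformed` list is the first thing to check, because it means the field list in the script and the format string in snort.conf disagree.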