[Snort-users] Filename in alert_CSV
wkitty42 at ...14940...
Sat Jun 15 13:01:11 EDT 2013
On 6/13/2013 16:24, Parker, Jonathan E. wrote:
> I am processing multiple .pcap files using the --pcap-dir option, and have my
> snort.conf setup to put alerts in a csv file using alert_CSV. After processing
> with Snort I load the results into a MySQL database. I want to include the
> filename of the pertinent .pcap for each alert, but there does not seem to be an
> option for that for the csv output module. Can anyone suggest a way to do this?
The only way I can currently see is by processing the pcaps individually and then
stuffing the filename into the CSV after it is generated...
perhaps something like (pseudo code off the top of my head, written for the cmd.exe prompt;
each pcap gets its own -l log directory so alert.csv holds only that pcap's records)

    for %i in (*.pcap) do (
        mkdir logs\%~ni
        snort -c snort.conf -r %i -l logs\%~ni
        perl foobar.pl %i logs\%~ni\alert.csv
    )
foobar.pl is a simple perl script that runs through each line of the CSV file and
stuffs ",filename" onto the end of each CSV record line... "filename" is taken
from the first parameter fed to the perl script and the second parameter is the
destination CSV filename...
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
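The per-pcap loop plus CSV tagging described in the reply above, written out as a runnable
script. This is an added example for this thread, not the poster's foobar.pl and not part of
Snort. It assumes (none of this is stated in the original post) that `snort` is on PATH, that
snort.conf contains an `output alert_csv` line so Snort writes alert.csv into the -l log
directory, and that each pcap is processed into its own fresh log directory so a record is
never tagged twice. The sample alert lines in SAMPLE_ALERT_CSV are constructed for the demo.

```python
#!/usr/bin/env python3
"""Run Snort once per pcap and append the pcap filename to each alert_CSV record.

Added example for the Snort-users thread; not the poster's foobar.pl and not
Snort's own code. Assumptions (not from the original post): `snort` is on
PATH, snort.conf has an `output alert_csv` line producing <logdir>/alert.csv,
and every pcap is processed into its own -l log directory.
"""
import csv
import io
import os
import subprocess
import sys
import tempfile

# Constructed sample of alert_CSV output (two records, one blank line) used
# only for the demo below; the real file is produced by Snort.
SAMPLE_ALERT_CSV = (
    "06/13-16:24:01.123456,1,1000001,1,TEST alert,TCP,10.0.0.1,1234,10.0.0.2,80\n"
    "\n"
    '06/13-16:24:02.000001,1,1000002,1,"msg, with comma",UDP,10.0.0.3,53,10.0.0.4,53\n'
)


def tag_records(csv_text, pcap_name):
    """Return the records of an alert_CSV body with pcap_name appended to each.

    The csv module is used instead of plain string concatenation so that a
    quoted field containing a comma stays one column. Blank lines are skipped.
    Returns a list of rows (lists of strings), one per alert record.
    """
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        rows.append(row + [pcap_name])
    return rows


def run_snort(pcap_path, conf, logdir):
    """Process one pcap into its own log directory.

    -c (config), -r (read pcap) and -l (log directory) are documented Snort 2.x
    options; -q suppresses the banner. Raises CalledProcessError on failure.
    """
    subprocess.run(["snort", "-q", "-c", conf, "-r", pcap_path, "-l", logdir],
                   check=True)


def process_directory(pcap_dir, conf, out_csv):
    """Run Snort per pcap and write one combined CSV with a trailing pcap column.

    Returns the number of tagged alert records written.
    """
    written = 0
    with open(out_csv, "w", newline="") as out:
        writer = csv.writer(out)
        for name in sorted(os.listdir(pcap_dir)):
            if not name.endswith(".pcap"):
                continue
            # A fresh log directory per pcap: alert.csv then holds only this
            # pcap's alerts, so earlier records are never re-tagged.
            with tempfile.TemporaryDirectory() as logdir:
                run_snort(os.path.join(pcap_dir, name), conf, logdir)
                alert_file = os.path.join(logdir, "alert.csv")
                if not os.path.exists(alert_file):
                    continue  # Snort raised no alerts for this pcap
                with open(alert_file, newline="") as fh:
                    rows = tag_records(fh.read(), name)
            writer.writerows(rows)
            written += len(rows)
    return written


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: tag_alerts.py <pcap_dir> <snort.conf> <out.csv>")
    n = process_directory(sys.argv[1], sys.argv[2], sys.argv[3])
    print(f"wrote {n} tagged alert records to {sys.argv[3]}")
```

The combined CSV keeps Snort's alert_CSV column order and adds the pcap filename as the last
column, so the MySQL table needs one extra column at the end (LOAD DATA INFILE then maps the
trailing field to it).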