[Snort-users] Filename in alert_CSV

waldo kitty wkitty42 at ...14940...
Sat Jun 15 13:01:11 EDT 2013


On 6/13/2013 16:24, Parker, Jonathan E. wrote:
> I am processing multiple .pcap files using the --pcap-dir option, and have my
> snort.conf setup to put alerts in a csv file using alert_CSV. After processing
> with Snort I load the results into a MySQL database. I want to include the
> filename of the pertinent .pcap for each alert, but there does not seem to be an
> option for that for the csv output module. Can anyone suggest a way to do this?

the only way i can currently see is by processing the pcaps individually and the 
stuffing the filename into the CSV after it is generated...

perhaps something like (pseudo code off the top of my head)

for %i in (*.pcap) do
   snort --pcap %i
   foobar.pl %i CSV_file
enddo

foobar.pl is a perl simple script that runs thru each line of the CSV file and 
stuffs ",filename" onto the end of each CSV record line... "filename" is taken 
from the first parameter fed to the perl script and the second parameter is the 
destination CSV filename...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-users mailing list