
List:       snort-users
Subject:    Re: [Snort-users] Extending CSV output plug-in
From:       Jason <security () brvenik ! com>
Date:       2008-03-03 4:36:07
Message-ID: 47CB8037.9040109 () brvenik ! com



Kamran Shafi wrote:
> Ok .... It is finally producing alert.csv but only when I don't use -A flag
> as you mentioned.
> Thanks for this tip Jason.

Happily, I wish you had tried it earlier.

> 
> But what is going wrong? Why does snort log alerts in tcpdump and other
> formats with -A flag but not with csv? Do I need to set my path somewhere?

Absolutely nothing is wrong; it is clearly noted in the manual that 
command line options override config options.

Your output for tcpdump is a log output; for csv it is an alert output. 
-A console (Alert to console) overrides and alerts to console as you 
requested.

> 
> On Mon, Mar 3, 2008 at 1:48 PM, Jason <security@brvenik.com> wrote:
> 
>>
>> Kamran Shafi wrote:
>>> Yes - all other outputs i.e. tcpdump, fast, standard are working properly.
>>> It's only csv that is not producing any output.
>> Possibly. Paste your conf to http://snort.pastebin.com and the entire
>> output of running the command snort -l /tmp -i lo -c test.conf
>>
>>> Thanks for pointing to the Snort development site.
>>>
>>> Apologies for posting to private e-mail unintentionally.
>>>
>>> Come on guys, is there anyone to point out where I might have problem??????
>>> On Mon, Mar 3, 2008 at 12:14 PM, Jason <security@brvenik.com> wrote:
>>>
>>>> Kamran Shafi wrote:
>>>>> Hi Jason,
>>>>>
>>>>> Thanks for the reply. However, due to my ignorance I couldn't get much
>>>>> out of it.
>>>>>>> inline -- could you please elaborate more.
>>>>>>> Perhaps it is because command line options override the config file.
>>>>> I don't really think so, because the tcpdump output is working without
>>>>> any glitches.
>>>> Did you try?
>>>>
>>>>>>> You will have to write the code to make packet data available in the
>>>>>>> csv.
>>>>> I guessed so -- can you provide any useful links, where to start from
>>>>> and which module/preprocessor to modify??
>>>> You should start reading here - http://www.snort.org/docs/#devel
>>>>
>>>> Specifically, look at src/output-plugins/spo_csv.c
>>>>
>>>> For templates check out the sources in the templates directories.
>>>>
>>>> Please keep replies on list, it doesn't much help the next person when
>>>> things go off-line.
>>>>
>>>>
>>>>> On Sun, Mar 2, 2008 at 12:52 PM, Jason <security@brvenik.com> wrote:
>>>>>
>>>>>> inline
>>>>>>
>>>>>> Kamran Shafi wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I am new to Snort and this is my first mail to this list so please
>>>>>>> bear with me.
>>>>>>>
>>>>>>> First - I have been trying hard for last few days to get csv plug-in
>>>>>>> work for me but it has not. I am on Fedora Core 7 and running Snort
>>>>>>> 2.8.1 the latest version. I am running Snort with the following command:
>>>>>>>
>>>>>>> snort -A console -i lo -c test.conf  (please see the output of
>>>>>>> running this command at the bottom of this mail)
>>>>>>>
>>>>>>> I have enabled only one rules file i.e. local.rules and have some
>>>>>>> test rules in it.
>>>>>>>
>>>>>>> the entry for my csv output plug-in in the test.conf file is
>>>>>>>
>>>>>>> output alert_CSV: /var/log/alert.csv default
>>>>>>>
>>>>>>> Afterwards I generate some attack traffic and get some alerts on the
>>>>>>> console. (please see the output at the end of this mail).
>>>>>>>
>>>>>>> The problem is that the alert.csv is never created!!!
>>>>>>>
>>>>>>> I have tried using full mode, -h flag and few other tricks but
>>>>>>> nothing is working
>>>>>> Perhaps it is because command line options override the config file.
>>>>>>
>>>>>>> Please note that I have not installed barnyard and assume that it is
>>>>>>> not a must for csv module to work.
>>>>>>>
>>>>>>> My second question is the following:
>>>>>>>
>>>>>>> If I am lucky enough to configure the csv module correctly with the
>>>>>>> help of you gurus, then how can I extend this module to add more
>>>>>>> details about the packet payload to the csv output ?
>>>>>>>
>>>>>>> I have posted similar messages on Snort forum without any response.
>>>>>>> Any help is appreciated.
>>>>>> You will have to write the code to make packet data available in the
>>>>>> csv.
>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by: Microsoft
>>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users@lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users

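Once the alert_CSV line in the conf is actually in effect (i.e. Snort is started without an -A option overriding it, as the thread concludes), the file it writes is only useful if something downstream reads it with the right column mapping. The following is an added example, not code from this thread or from Snort: a small parser for the plug-in's "default" field layout. The column order in DEFAULT_FIELDS is my assumption of what that layout contains (as documented for Snort 2.8); the sample lines are constructed, not real Snort output. The parser rejects any row whose column count does not match the field list, because a truncated write or a changed `output alert_CSV:` line would otherwise shift every later column silently.

```python
"""Parse the alert_CSV output plug-in's "default" field layout and summarise it.

Added example, not code from this thread or from Snort. The column order in
DEFAULT_FIELDS is assumed to match the alert_CSV plug-in's "default" layout
(as documented for Snort 2.8); if your snort.conf names an explicit field
list on the "output alert_CSV:" line, pass that list to parse_alerts().
"""
import csv
from collections import Counter
from io import StringIO

# Assumed "default" column order of the alert_CSV output plug-in (Snort 2.8).
DEFAULT_FIELDS = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
    "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
    "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Columns whose values are plain decimal integers; the rest stay strings
# because the plug-in writes several of them (ethlen, tcpseq, ...) in hex.
INT_FIELDS = {"sig_generator", "sig_id", "sig_rev", "srcport", "dstport"}

# Constructed sample lines, NOT real Snort output: two hits on one local.rules
# style TCP signature, one ICMP hit, and one truncated line to show rejection.
# Empty columns are what the plug-in writes when a field does not apply.
SAMPLE_CSV = """\
03/03-13:48:01.123456,1,1000001,1,LOCAL test tcp,TCP,127.0.0.1,40000,127.0.0.1,80,00:00:00:00:00:00,00:00:00:00:00:00,0x4A,***A**S*,0x1A2B3C4D,0x0,0x0,0x8000,64,0x0,12345,60,20,,,,
03/03-13:48:02.223456,1,1000001,1,LOCAL test tcp,TCP,127.0.0.1,40001,127.0.0.1,80,00:00:00:00:00:00,00:00:00:00:00:00,0x4A,***A**S*,0x1A2B3C4E,0x0,0x0,0x8000,64,0x0,12346,60,20,,,,
03/03-13:48:03.323456,1,1000002,2,LOCAL test icmp,ICMP,127.0.0.1,,127.0.0.1,,00:00:00:00:00:00,00:00:00:00:00:00,0x62,,,,,,64,0x0,12347,84,20,8,0,4242,1
this line is truncated,1,1000003
"""


def _convert(name, value):
    """Turn an empty column into None and integer columns into int."""
    if value == "":
        return None
    if name in INT_FIELDS:
        return int(value)
    return value


def parse_alerts(text, fields=DEFAULT_FIELDS):
    """Parse CSV text into a list of alert dicts plus a list of rejected rows.

    A row whose column count does not match the configured field list is
    rejected rather than silently mis-mapped: a truncated write or a changed
    output line would otherwise shift every later column.
    """
    alerts, rejected = [], []
    for lineno, row in enumerate(csv.reader(StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if len(row) != len(fields):
            rejected.append((lineno, "expected %d columns, got %d"
                             % (len(fields), len(row))))
            continue
        alerts.append({name: _convert(name, val)
                       for name, val in zip(fields, row)})
    return alerts, rejected


def summarize(alerts):
    """Count alerts per signature and per source/destination pair."""
    by_sig = Counter((a["sig_id"], a["msg"]) for a in alerts)
    by_pair = Counter((a["src"], a["dst"]) for a in alerts)
    return {"by_sig": by_sig, "by_pair": by_pair}


if __name__ == "__main__":
    parsed, bad = parse_alerts(SAMPLE_CSV)
    for (sid, msg), n in summarize(parsed)["by_sig"].most_common():
        print("%6d  sid %-8d %s" % (n, sid, msg))
    for lineno, reason in bad:
        print("rejected line %d: %s" % (lineno, reason))
```

To use it on a real file, read `/var/log/alert.csv` into a string and pass it to `parse_alerts()`; if the conf line lists explicit fields instead of `default`, pass that same list as the `fields` argument so the mapping stays in step with what Snort writes.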