SPO_CSV Usage Guide Brian Caswell bmc@snort.org
$Id$
The CSV output plugin gives an interface for users to specify what information they see for alerts. csv provides this by outputting the data in comma separated value format, configured by the user in the snort configuration file.
Using limited output configurations can greatly increase the speed of snort.
The CSV output plugin can be configured to output specific portions of a snort alert.
spo_csv requires the following format.
output alert_CSV: location_to_your_file fieldname,fieldname2,fieldname3
The following line is an example CSV configuration: output csv: /my/snort.log msg,proto,timestamp,src,srcport,dst,dstport
That configuration will append the following output to /my/snort.log WEB-MISC phf access,TCP,02/23-11:06:59.600820 ,192.168.0.1,1021,192.168.0.2,80
The following field names are available (As of 01/13/2004)
timestamp, sig_generator, sig_id, sig_rev, msg, proto, src, srcport, dst, dstport, ethsrc, ethdst, ethlen, tcpflags, tcpseq, tcpack, tcpln, tcpwindow, ttl, tos, id, dgmlen, iplen, icmptype, icmpcode, icmpid, icmpseq, and default
By specifying “default” as a field name, a default set of field names
is used. grep DEFAULT_CSV spo_csv.h for the default set of fields
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
