Snort mailing list archives
Re: Filename in alert_CSV
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 15 Jun 2013 13:01:11 -0400
On 6/13/2013 16:24, Parker, Jonathan E. wrote:
I am processing multiple .pcap files using the --pcap-dir option, and have my snort.conf set up to put alerts in a csv file using alert_CSV. After processing with Snort I load the results into a MySQL database. I want to include the filename of the pertinent .pcap for each alert, but there does not seem to be an option for that for the csv output module. Can anyone suggest a way to do this?
the only way i can currently see is by processing the pcaps individually and then stuffing the filename into the CSV after it is generated...

perhaps something like (pseudo code off the top of my head):
    for %i in (*.pcap) do (
        rem read one capture with the usual config; alert_CSV writes the records
        snort -c snort.conf -r %i
        rem tag the records just written with the capture's filename
        perl foobar.pl %i CSV_file
    )
foobar.pl is a simple perl script that runs through each line of the CSV file and stuffs ",filename" onto the end of each CSV record line... "filename" is taken from the first parameter fed to the perl script and the second parameter is the destination CSV filename...
--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
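A working version of the tagging script described in the reply above, added here as an example (it is not waldo kitty's foobar.pl). It takes a third argument, a combined output file, which is an assumption added here so that each run's records are tagged exactly once even though alert_CSV appends to the same alert file across runs.

```perl
#!/usr/bin/perl
# Added example, not the original poster's foobar.pl.
# Usage: perl tag_alerts.pl <pcap-file> <snort alert csv> <combined csv>
# Appends every alert_CSV record to <combined csv> with the pcap's
# basename as an extra, quoted trailing field.
use strict;
use warnings;

my ($pcap, $alert_csv, $combined) = @ARGV;
die "usage: $0 <pcap-file> <alert csv> <combined csv>\n"
    unless defined $combined;

# Keep only the basename so the field does not depend on where the
# pcaps happened to be stored when Snort ran.
(my $name = $pcap) =~ s{^.*[/\\]}{};

# Emit the name as a quoted CSV field: double any embedded quotes so a
# comma or quote in the filename cannot break the record when it is
# loaded into MySQL.
(my $field = $name) =~ s/"/""/g;
$field = qq{"$field"};

open my $in,  '<',  $alert_csv or die "cannot read $alert_csv: $!";
open my $out, '>>', $combined  or die "cannot append to $combined: $!";
my $count = 0;
while (my $line = <$in>) {
    chomp $line;
    $line =~ s/\r$//;           # tolerate CRLF line endings on Windows
    next if $line =~ /^\s*$/;   # skip blank lines
    print {$out} "$line,$field\n";
    $count++;
}
close $in;
close $out or die "write failed on $combined: $!";

# alert_CSV appends to an existing alert file, so truncate it once its
# records have been copied; otherwise the next run's script would tag the
# earlier records a second time with the wrong filename.
open my $trunc, '>', $alert_csv or die "cannot truncate $alert_csv: $!";
close $trunc;

print "$count alert(s) from $name appended to $combined\n";
```

Run it as the second step of the loop in the reply, e.g. `perl tag_alerts.pl %i alert.csv all_alerts.csv`, and load all_alerts.csv into MySQL with the extra column.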