Logging to a CSV File

Problem

You want to log your output to a comma-separated value (CSV) file.

Solution

Use the Barnyard alert_csv plug-in by editing the /etc/barnyard.conf file:

output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip,sport, dstip,dport,protoname,itype,icode

Discussion

Snort alerts can be logged in comma-separated value format for ease of use with databases and spreadsheets. This also allows portability of output data to numerous software applications on a variety of operating systems. To do this, you must use the Barnyard output utility and Snort's unified logging feature. Barnyard contains the alert_csv module, which you can configure to log your choice of the fields in the output, in any order you specify. You can use the Barnyard alert_csv plug-in by editing the /etc/barnyard.conf file:

# alert_csv (experimental) #--------------------------- # Creates a CSV output file of alerts (optionally using a user # specified format) Arguments: filepath [format] # # The format is a comma-seperated list of fields to output (no spaces # allowed) # The available fields are: # sig_gen - signature generator # sig_id - signature id # sig_rev - signatrue revision # sid - SID triplet # class - class id # classname - textual name of class # priority - priority id # event_id - event id # event_reference - event reference # ref_tv_sec - reference seconds # ref_tv_usec - reference microseconds # tv_sec - event seconds # tv_usec - event microseconds # timestamp - timestamp (2001-01-01 01:02:03) in UTC # src - src address as a u_int32_t # srcip - src address as a dotted quad # dst - dst address as a u_int32_t # dstip - dst address as a dotted quad # sport_itype - source port or ICMP type (or 0) # sport - source port (if UDP or TCP) # itype - ICMP type (if ICMP) # dport_icode - dest port or ICMP code (or 0) # dport - dest port # icode - ICMP code (if ICMP) # proto - protocol number # protoname - protocol name # flags - flags from UnifiedAlertRecord # msg - message text # hostname - hostname (from barnyard.conf) # interface - interface (from barnyard.conf) # # Examples: # output alert_csv: /var/log/snort/csv.out # output alert_csv: /var/log/snort/csv.out timestamp, msg,srcip,sport,dstip,dport,protoname,itype,icode # output alert_csv: csv.out timestamp,msg,srcip,sport, dstip,dport,protoname,itype,icode output alert_csv: /var/log/snort/csv.out timestamp,msg, srcip,sport,dstip,dport,protoname,itype,icode

This logs the fields specified, in the order specified, to the file /var/log/snort/csv.out. The output looks like the following:

[testuser@localhost snort]# more csv.out "2004-11-06 00:32:05",ICMP PING NMAP,192.168.206.129,,192.168.100.5,, "ICMP",8,0 "2004-11-06 00:32:10",ICMP PING NMAP,192.168.206.129,,192.168.100.5,, "ICMP",8,0 "2004-11-06 00:35:35",SNMP request tcp,192.168.206.129,36252,192.168.100.5,161,"TCP",,

See Also

Recipe 5.9

Recipe 2.1