Snort mailing list archives

CSV Output problems...


From: Glenn Larsson <ichinin () swipnet se>
Date: Sat, 01 Jun 2002 12:13:58 +0200

Hi.

I have a question regarding Snort's CSV output.

I'm using the following line with CSV:

output CSV: CSV.txt default

in comparison with standard output.

"dstport"       reports ""
"tcplen"        reports ""

Here is a sample line: (Lines wrapped)

05/24/02-00:55:17.468971 ,SHELLCODE x86 NOOP,TCP,
192.168.1.70,1028,192.168.1.35,,0:0:E8:3A:B8:58
,0:60:8:54:59:EA,0x5CF,***AP***,0x994C1F09,0x635F50
,,0x4404,128,0,1126,1473,20,,,,

You can clearly see that after [dst] ("192.168.1.35"),
the [dstport] is "" and after [tcpack] ("0x635F50"),
tcplen is "".

I now tried using the entire parameter set: (lines wrapped)

output CSV: CSV.txt timestamp, msg, proto, src, srcport,
dst, dstport, ethsrc, ethdst, ethlen, tcpflags, tcpseq,
tcpack, tcplen, tcpwindow, ttl, tos, id, dgmlen, iplen,
icmptype, icmpcode, icmpid, icmpseq

All I got was records like this:

"05/24/02-01:25:46.063680 ,,,,,,,,,,,,,,,,,,,,,,,"


Is there some other way to dump info from Snort (in a
reliable way), or do I have to continue to use the
default output format? Also, does CSV output work
properly under Linux?

Regards,
Glenn
_______________________________________________

Config:         Snort 1.8.5 (Win32)
                WinPCAP 2.3
                NT Srv 4.0 (x86, SP5)

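A quick way to check output like the records above before feeding it to anything downstream is to parse each line against the 24-field list the post quotes and report which fields came back empty. The script below is an added example for this thread, not code from the post or from the Snort project. It assumes that Snort 1.8.5's "default" CSV layout is the same 24-name order given in the post (the sample record does have exactly 24 comma-separated fields, which supports that), and the per-protocol lists of fields that must be non-empty are this example's own choice, not something Snort documents.

```python
"""Sanity-check Snort 1.8.5 CSV output records for empty fields.

Added example for the snort-users thread on CSV output; not Snort code.
"""

# Field order as given in the "entire parameter set" line of the post.
# ASSUMPTION: the "default" CSV layout uses this same 24-field order.
FIELDS = [
    "timestamp", "msg", "proto", "src", "srcport",
    "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow",
    "ttl", "tos", "id", "dgmlen", "iplen",
    "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Fields that should never be empty for any alert with an IP header.
# The eth* fields are deliberately not required: they are legitimately
# empty on non-Ethernet capture links.
REQUIRED_COMMON = {"msg", "proto", "src", "dst", "ttl", "tos", "id",
                   "dgmlen", "iplen"}

# Per-protocol additions (this example's own choice, not a Snort rule).
REQUIRED_BY_PROTO = {
    "TCP": REQUIRED_COMMON | {"srcport", "dstport", "tcpflags", "tcpseq",
                              "tcpack", "tcplen", "tcpwindow"},
    "UDP": REQUIRED_COMMON | {"srcport", "dstport"},
    # icmpid/icmpseq only exist for echo-type messages, so not required.
    "ICMP": REQUIRED_COMMON | {"icmptype", "icmpcode"},
}

# Constructed sample input: the two records quoted in the post, with the
# wrapped lines joined back together.
SAMPLE_TCP = (
    "05/24/02-00:55:17.468971 ,SHELLCODE x86 NOOP,TCP,"
    "192.168.1.70,1028,192.168.1.35,,0:0:E8:3A:B8:58"
    ",0:60:8:54:59:EA,0x5CF,***AP***,0x994C1F09,0x635F50"
    ",,0x4404,128,0,1126,1473,20,,,,"
)
SAMPLE_EMPTY = "05/24/02-01:25:46.063680 ,,,,,,,,,,,,,,,,,,,,,,,"


def parse_record(line):
    """Split one CSV record into a dict keyed by FIELDS.

    Snort's CSV plugin does not quote fields, so a plain split is used.
    Values are stripped because the timestamp carries a trailing space.
    """
    values = line.rstrip("\r\n").split(",")
    if len(values) != len(FIELDS):
        raise ValueError(
            f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    return {name: value.strip() for name, value in zip(FIELDS, values)}


def missing_fields(record):
    """Return the sorted list of required fields that are empty."""
    required = REQUIRED_BY_PROTO.get(record["proto"], REQUIRED_COMMON)
    return sorted(name for name in required if record[name] == "")


def check_lines(lines):
    """Return (timestamp, missing) for every record that has gaps.

    Malformed lines (wrong field count) are reported with the raw line as
    the key and a single "<malformed>" marker instead of a field list.
    """
    problems = []
    for line in lines:
        if not line.strip():
            continue
        try:
            record = parse_record(line)
        except ValueError:
            problems.append((line.strip(), ["<malformed>"]))
            continue
        missing = missing_fields(record)
        if missing:
            problems.append((record["timestamp"], missing))
    return problems


if __name__ == "__main__":
    for stamp, missing in check_lines([SAMPLE_TCP, SAMPLE_EMPTY]):
        print(f"{stamp}: empty fields -> {', '.join(missing)}")
```

Run against the post's own records it flags exactly `dstport` and `tcplen` on the SHELLCODE alert, and every common field on the all-empty record; pointing it at a real CSV.txt (`check_lines(open("CSV.txt"))`) gives a quick count of how many records are unusable before deciding whether to rely on the plugin.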

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users