Output Modules
Table 4-2 List of Parameters for the Database

| Parameter | Description |
|---|---|
| host | Host where database server is running. |
| port | Port number used by the database server. |
| dbname | Name of the database. |
| user | Name of the database user. |
| password | Password for the user. If you don't want to use a password, you can omit this parameter (a bad idea!). |
| sensor_name | Name of the sensor used by Snort. This is useful when many Snort sensors are logging to the database and later on you want to know which alert is related to a particular sensor. This name is also used by tools like ACID to distinguish different sensors. |
| detail | You can use either full or fast detail. By default full detail is saved to the database. |
| encoding | You can use ASCII, hex, or base64 encoding for data. |

To use a database for output, you need to compile Snort with database support
enabled. The following configure command enables MySQL database support in Snort.

./configure --prefix=/opt/snort --with-mysql=/usr/lib/mysql

Refer to Chapter 2 for details on how to build Snort.
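
The following linter checks `output database:` lines in snort.conf against the parameter table above; it is an added example, not part of the original text or of Snort itself. It assumes the directive layout `output database: <log|alert>, <database type>, key=value ...`, which this page does not show, and the function names and sample lines are constructed for illustration.

```python
import re

# Parameter names and allowed values as listed in the parameter table.
KNOWN = {"host", "port", "dbname", "user", "password",
         "sensor_name", "detail", "encoding"}
ALLOWED = {"detail": {"full", "fast"}, "encoding": {"ascii", "hex", "base64"}}

def lint_database_output(line):
    """Return a list of findings for one 'output database:' directive."""
    m = re.match(r"\s*output\s+database:\s*(.*)$", line)
    if not m:
        return []  # comment, blank line, or some other directive
    # Assumed layout: <log|alert>, <database type>, key=value key=value ...
    parts = [p.strip() for p in m.group(1).split(",", 2)]
    if len(parts) < 3:
        return ["expected '<log|alert>, <database type>, key=value ...'"]
    findings, params = [], {}
    for token in parts[2].split():
        key, sep, value = token.partition("=")
        if not sep or key not in KNOWN:
            findings.append(f"unknown parameter: {token}")
        elif key in ALLOWED and value.lower() not in ALLOWED[key]:
            findings.append(f"invalid {key} value: {value}")
        elif key == "port" and not (value.isdecimal() and 0 < int(value) < 65536):
            findings.append(f"invalid port: {value}")
        else:
            params[key] = value
    if not params.get("password"):
        findings.append("no password set for the database user")
    if not params.get("sensor_name"):
        findings.append("sensor_name not set; alerts cannot be tied to a sensor")
    return findings

def lint_conf(text):
    """Map 1-based line numbers to findings, for lines that have any."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        findings = lint_database_output(line)
        if findings:
            report[number] = findings
    return report

# Constructed sample configuration (placeholder credentials and addresses).
SAMPLE_CONF = """\
output database: log, mysql, user=snort dbname=snort host=localhost
output database: alert, mysql, user=snort password=CHANGE_ME dbname=snort host=192.0.2.5 port=3306 sensor_name=dmz1 detail=fast encoding=hex
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort encoding=utf8 sensr_name=x
"""

if __name__ == "__main__":
    for number, findings in lint_conf(SAMPLE_CONF).items():
        for finding in findings:
            print(f"line {number}: {finding}")
```
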

4.2.8 CSV Output Module

Comma-separated text files are sometimes useful when you want to import data
into other software packages like databases and spreadsheets, e.g., Microsoft Excel.
Using the CSV output module, you can save output data to a CSV file. The general
format of the CSV output directive is as follows:

output csv: <filename> <formatting_option>

The file is created in the logging directory which is /var/log/snort by
default. Formatting options are used to define what information should be stored in the
CSV file and in what order. If you use the keyword default in the formatting
option, all parameters about the alert are stored in the file.
output csv: csv_log default