SPO_CSV Usage Guide
Brian Caswell <bmc@snort.org>

$Id: README.csv,v 1.5 2004/01/15 20:38:07 jh8 Exp $



Overview:
----
The CSV output plugin gives an interface for users to specify what
information they see for alerts. csv provides this by outputting the
data in comma separated value format, configured by the user in the
snort configuration file.

Using limited output configurations can greatly increase the speed of
snort.


Usage:
----
The CSV output plugin can be configured to output specific portions
of a snort alert.

spo_csv requires the following format.

output alert_CSV: location_to_your_file fieldname,fieldname2,fieldname3


The following line is an example CSV configuration:
output csv: /my/snort.log msg,proto,timestamp,src,srcport,dst,dstport

That configuration will append the following output to /my/snort.log
WEB-MISC phf access,TCP,02/23-11:06:59.600820 ,192.168.0.1,1021,192.168.0.2,80


Possible Field Names:
----

The following field names are available (As of 01/13/2004)

timestamp, sig_generator, sig_id, sig_rev, msg, proto, src, srcport, dst,
dstport, ethsrc, ethdst, ethlen, tcpflags, tcpseq, tcpack, tcpln, tcpwindow, ttl,
tos, id, dgmlen, iplen, icmptype, icmpcode, icmpid, icmpseq, and default

By specifying "default" as a field name, a default set of field names
is used. `grep DEFAULT_CSV spo_csv.h` for the default set of fields