Netgate Discussion Forum

    Change Snort's alert output.

      StasStryukov

      Hi all.
      I have installed pfSense as a transparent HTTP/HTTPS proxy and am now trying to combine Snort IDS and a Mikrotik router for interaction: https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS

      But I have a problem, because the Snort alert log now looks like this:
      10/23/18-16:12:02.427084 ,119,7,1,"(http_inspect) IIS UNICODE CODEPOINT ENCODING",TCP,192.168.1.46,1223,37.202.1.229,80,8114,Unknown Traffic,3

      There is no "Priority" in the alert record. Is it possible to edit something in Snort's config file so that the output would be:
      10/23/18-16:12:02.427084 ,119,7,1,"(http_inspect) IIS UNICODE CODEPOINT ENCODING",TCP,192.168.1.46,1223,37.202.1.229,80,8114,Unknown Traffic,Priority 3

      Thanks

        bmeeks

        That "3" in the output is the Priority. The Snort implementation on pfSense uses the CSV output logging option of Snort to produce the alert log. The code within the GUI knows which CSV field is which in the alert log output. You can't add any additional text to the CSV output.

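Because the CSV output itself cannot carry extra text, a post-processing step outside Snort can map the fields by position and add the label the original poster wanted. This is an added example, not code from either poster or from pfSense; the field names are assumptions inferred from the sample line in this thread (the reply only confirms that the last field is the priority), and the second sample line is constructed.

```python
import csv

# Assumed field order, inferred from the sample line in this thread; the names
# follow Snort's alert_csv keywords. Only "priority is last" is confirmed above.
FIELDS = ["timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
          "src", "srcport", "dst", "dstport", "id", "classification", "priority"]

def parse_alert(line):
    """Return a dict for one CSV alert line, or None if the line is malformed."""
    rows = list(csv.reader([line.strip()]))  # csv handles commas inside the quoted msg
    if not rows or len(rows[0]) != len(FIELDS):
        return None
    alert = {name: value.strip() for name, value in zip(FIELDS, rows[0])}
    if not alert["priority"].isdecimal():
        return None
    alert["priority"] = int(alert["priority"])
    return alert

def with_priority_label(line):
    """Rewrite the last field as 'Priority N' for a consumer that matches on
    that text. Malformed lines are returned unchanged rather than guessed at."""
    alert = parse_alert(line)
    if alert is None:
        return line
    stripped = line.rstrip()
    head = stripped[: stripped.rfind(",") + 1]  # everything up to the last comma
    return f"{head}Priority {alert['priority']}"

if __name__ == "__main__":
    samples = [
        # Line quoted in the first post
        '10/23/18-16:12:02.427084 ,119,7,1,"(http_inspect) IIS UNICODE CODEPOINT '
        'ENCODING",TCP,192.168.1.46,1223,37.202.1.229,80,8114,Unknown Traffic,3',
        # Constructed line: comma inside the quoted message
        '10/23/18-16:12:03.000000 ,1,1000001,1,"constructed rule, with comma",'
        'TCP,192.0.2.10,1234,192.0.2.20,80,1,Misc activity,2',
        # Constructed truncated line: passed through untouched
        '10/23/18-16:12:04.000000 ,119,7,1',
    ]
    for s in samples:
        print(with_priority_label(s))
```
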
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.