Change Snort's alert output.



  • Hi all.
    I have installed pfSense for transparent HTTP, HTTPs proxy and now try to combine Snort IDS and Mikrotik router for interaction https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS

    But I have a problem, because now Snort's alert log looks like:
    10/23/18-16:12:02.427084 ,119,7,1,"(http_inspect) IIS UNICODE CODEPOINT ENCODING",TCP,192.168.1.46,1223,37.202.1.229,80,8114,Unknown Traffic,3

    There is no "Priority" in the alert record. Is it possible to edit something in Snort's config file so that its output is 10/23/18-16:12:02.427084 ,119,7,1,"(http_inspect) IIS UNICODE CODEPOINT ENCODING",TCP,192.168.1.46,1223,37.202.1.229,80,8114,Unknown Traffic,Priority 3

    Thanks



  • That "3" in the output is the Priority. The Snort implementation on pfSense uses the CSV output logging option of Snort to produce the alert log. The code within the GUI knows which CSV field is which in the alert log output. You can't add any additional text to the CSV output.
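Since the CSV layout itself cannot be changed, the "Priority N" label can be added in post-processing. The script below is an added example, not code from the thread, the pfSense package or the Mikrotik wiki: the column names are assumed from the single row quoted above, and the sample log is constructed (the thread's row plus one made-up local-rule row whose message contains a comma).

```python
import csv
import io

# Column order inferred from the alert row quoted in the thread (an assumption
# about the pfSense Snort package's CSV layout, not documented here).
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src", "srcport",
          "dst", "dstport", "id", "classification", "priority"]

# Constructed sample log: the row from the thread, plus one made-up row from a
# local rule (sid 1000001) whose message contains a comma, to show quoting works.
SAMPLE_LOG = (
    '10/23/18-16:12:02.427084 ,119,7,1,"(http_inspect) IIS UNICODE CODEPOINT ENCODING",'
    'TCP,192.168.1.46,1223,37.202.1.229,80,8114,Unknown Traffic,3\n'
    '10/23/18-16:13:10.000001 ,1,1000001,1,"LOCAL test rule, comma in message",'
    'TCP,37.202.1.229,80,192.168.1.46,1224,8115,Potentially Bad Traffic,2\n'
)


def parse_alerts(text):
    """Parse CSV alert rows into dicts keyed by FIELDS; malformed rows are skipped."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # never mislabel columns if a row is truncated or corrupt
        rec = {name: value.strip() for name, value in zip(FIELDS, row)}
        rec["priority"] = int(rec["priority"])  # Snort convention: 1 is most severe
        alerts.append(rec)
    return alerts


def label_priority(line):
    """Rewrite one raw CSV row so its last column reads 'Priority N', as asked above."""
    head, _, prio = line.rstrip("\n").rpartition(",")
    return f"{head},Priority {prio.strip()}"


def at_most_priority(alerts, max_priority):
    """Keep only alerts severe enough (priority <= max_priority) to forward onward."""
    return [a for a in alerts if a["priority"] <= max_priority]


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        print(label_priority(raw))
    for a in at_most_priority(parse_alerts(SAMPLE_LOG), 2):
        print(a["src"], "->", a["dst"], a["msg"], "priority", a["priority"])
```

Because the script reads the log rather than touching Snort's configuration, the pfSense GUI continues to parse the unchanged CSV file while the labelled copy can be handed to the router-side script.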