Snort mailing list archives
Re: Snort and ARIS Extractor
From: Peter Bates <Peter.Bates () lshtm ac uk>
Date: Wed, 24 Oct 2001 18:22:49 +0100
Hello all...

>>> "Mike Walter" <mike () pcdnet net> 24/10/01 15:19:39 >>>
<snip>
> How do I log snort to mySQL and to the proper file format so I could run the
> ARIS extractor? Thanks in advance.

I've been sending my logs to ARIS since the whole system was in beta, and it works fine and jolly...

I have the following in snort.conf (this is snort 1.8.1 now):

    # Outputs
    output alert_syslog: LOG_AUTH LOG_ALERT
    output alert_full: alert
    output database: alert, mysql, dbname=snort user=snort

I then use

    extractor -c w.x.y.z -f /var/log/snort/portscan.log -u user -p password /var/log/snort/alert

(in a script) to send to ARIS.

It's a bit over the top, but I personally view the syslog messages, the alerts and portscan.log go to ARIS, and I have a gander at the MySQL version with ACID... well OTT considering it seems a bit 'quiet' at the moment here (too quiet for my liking!), but it worked overtime during CodeRed/Nimda ...

--
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone: 0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362