[Snort-users] multiple output feeds from snort

Martin Roesch roesch at ...421...
Mon Oct 2 14:35:54 EDT 2000

Erik Engberg wrote:
> I know this has been up before but I don't remember it being "resolved" or
> implemented.
> I would like (as others before me) to log snort alerts and data both
> normally (without DB) to /var/log/snort with the -A full and -d options to
> the localhost. This is to build up a script to show continuous reporting on a
> web page with snortsnarf on the local snort sensor (only). In addition to
> this I would like to do ODBC to a mysql server that logs a huge amount of
> stuff from several snort sensors for more comprehensive analysis.
> If I haven't missed something I cannot specify in the rules file both to log
> to files and to ODBC. It just generates errors when I try. Are there any
> special reasons for this? Could this be implemented/allowed?  Can I
> circumvent this in any smart ways?

It should work, have you tried snort-1.6.3-patch2?  Give that a shot. 
Basically, from the rules file you can specify multiple output facilities by
activating the various output plugins.

> Also I wondered about if I can log to more than one ODBC dump directly from
> snort? For instance one remote and one local. Or would it be a better idea
> to "periodically" just let the remote database fetch from the snort host?

This should also be doable, but the performance might suck.

> Btw, excuse my ignorance how would I do to make snortsnarf read data from a
> MySQL database instead of files? Can I?

Not currently...


> Thanx,
> Erik
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

Martin Roesch
roesch at ...421...
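As an added illustration of the reply above (not a configuration from the original thread or from the Snort project), here is a snort.conf output section that enables several output plugins at once: full alerts and tcpdump-format packet logs in /var/log/snort for the local snortsnarf report, plus two database plugin instances for a local and a remote MySQL server. The plugin names and the keyword=value parameters follow the output-plugin format documented for Snort 1.x/2.x; whether every option below is accepted by the exact 1.6.3-patch2 build mentioned in the reply is an assumption, and the hostnames, database names and password are placeholders.

```conf
# Added example, not the original poster's or the project's configuration.
# Each "output" line activates one output plugin; Snort hands every event
# to all of them, so several destinations can be fed from a single sensor.

# 1. Flat files for the local snortsnarf report (equivalent to -A full on
#    the command line; -d to include application-layer data is still a
#    command-line switch and is not set here).
output alert_full: alert
output log_tcpdump: snort.log

# 2. Local MySQL database (hostnames, names and credentials are placeholders).
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# 3. Remote MySQL database collecting several sensors for cross-sensor analysis.
#    A second database instance is allowed, but each event is now written
#    synchronously to two servers; a slow link to the remote host can stall
#    the sensor and cause packet drops, which is the performance concern in
#    the reply.  sensor_name keeps rows from different sensors distinguishable.
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort_central host=db.example.invalid sensor_name=sensor01
```

Because the database lines carry credentials, the file should be readable only by the user Snort runs as. If the remote write path proves too slow, the alternative the poster mentions (keeping only the local database feed and replicating or pulling rows to the central server on a schedule) takes the remote round trip off the capture path entirely.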
