[Snort-users] multiple output feeds from snort

Martin Roesch roesch at ...421...
Mon Oct 2 14:35:54 EDT 2000


Erik Engberg wrote:
> 
> I know this has been up before but I don't remember it being "resolved" or
> implemented.
> 
> I would like (as others before me) to log snort alerts and data both
> normally (without DB) to /var/log/snort with the -A full and -d options to
> the localhost. This to build up a script to show continuous reporting on a
> web page with snortsnarf on the local snort sensor (only). In addition to
> this I would like to do ODBC to a mysql server that logs a huge amount of
> stuff from several snort sensors for more comprehensive analysis.
> 
> If I haven't missed something I cannot specify in the rules file both to log
> to files and to ODBC. It just generates errors when I try. Are there any
> special reasons for this? Could this be implemented/allowed?  Can I
> circumvent this in any smart ways?

It should work; have you tried snort-1.6.3-patch2?  Give that a shot.
Basically, from the rules file you can specify multiple output facilities by
activating the various output plugins.

> Also I wondered about if I can log to more than one ODBC dump directly from
> snort? For instance one remote and one local. Or would it be a better idea
> to "periodically" just let the remote database fetch from the snort host?

This should also be doable, but the performance might suck.

> Btw, excuse my ignorance how would I do to make snortsnarf read data from a
> MySQL database instead of files? Can I?

Not currently...

    -Marty

> 
> Thanx,
> 
> Erik
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
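As an added illustration of what Marty describes (activating several output plugins from the rules file), here is a rules-file fragment that is not part of the original thread or of the Snort distribution. The plugin names and argument forms follow the Snort 1.x output-plugin syntax; the paths, database name, credentials and hostnames are placeholders, and it is assumed rather than confirmed by this page that 1.6.3-patch2 accepts exactly these keywords.

```conf
# Added example, not from the original thread or from Snort itself.
# Three output plugins are stacked: full-text alerts and binary packet
# logs stay on the local sensor (for snortsnarf), and the same events
# also go to a central MySQL database. Hostnames, credentials and the
# database name are placeholders (assumed, not from the page).

# Full alert text to <logdir>/alert, i.e. what -A full produces.
output alert_full: alert

# Matched packets to a tcpdump-format file under <logdir>; this keeps
# the local packet data that -d would otherwise provide.
output log_tcpdump: snort.log

# Same events into the central analysis database.
output database: log, mysql, user=snort password=changeme dbname=snort host=db.example.internal

# A second database line would also feed a local copy, which is the
# "one remote and one local" case Marty calls doable but slow: each
# logged event then costs two database round trips.
# output database: log, mysql, user=snort password=changeme dbname=snort host=localhost
```

Two things to check when trying this: start Snort with only `-c <rules file>` and `-l /var/log/snort`, because in Snort's documented behaviour the `-A` command-line alert mode takes precedence over alert output plugins in the rules file (assumed to apply to 1.6.3 as well, the page does not say); and before relying on the database feed in production, confirm with a few test packets that the alert file, the tcpdump log and the database row for the same event all agree on timestamp and signature, since each plugin formats the event independently.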