[Snort-users] multiple output feeds from snort

Erik Engberg Erik.Engberg at ...511...
Mon Sep 25 15:00:33 EDT 2000


I know this has been up before but I don't remember it being "resolved" or
implemented.

I would like (as others before me) to log snort alerts and data both
normally (without DB) to /var/log/snort with the -A full and -d options to
the localhost. This to build up a script to show continuous reporting on a
web page with snortsnarf on the local snort sensor (only). In addition to
this I would like to do ODBC to a mysql server that logs a huge amount of
stuff from several snort sensors for more comprehensive analysis.

If I haven't missed something I cannot specify in the rules file both to log
to files and to ODBC. It just generates errors when I try. Are there any
special reasons for this? Could this be implemented/allowed?  Can I
circumvent this in any smart ways?

Also I wondered whether I can log to more than one ODBC dump directly from
snort? For instance one remote and one local. Or would it be a better idea
to "periodically" just let the remote database fetch from the snort host?

Btw, excuse my ignorance how would I do to make snortsnarf read data from a
MySQL database instead of files? Can I?

Thanx,

Erik
