[Snort-users] snort and ACID

Jason Haar Jason.Haar at ...294...
Tue Jan 30 18:33:18 EST 2001


On Wed, Jan 31, 2001 at 12:08:06PM +1300, Steve Hutchins wrote:
> Yes, what I would ideally like to be able to do,
> is to have all the snort sensors just log to syslog,
> across the net to an ACID console. Then run a script
> on the console looking for syslog alerts and then updating
> the database. But the data logged to syslog is 'slim'
> compared with what the db plugin provides.

Yes... and the SQL backend data is 'slim' compared with what's logged via
the "-l" option...

I think you're asking too much of syslog there. It's meant for one-line
messages - the data quality you're after covers multiple lines. Unless you
hack snort to do its expanded syslog reports as one big HEX line - I don't
think it'll do what you want ;-)


-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
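For reference, the kind of console-side collector script Steve describes, as an added example that is not code from this thread or from the Snort or ACID projects. It assumes the classic Snort 1.x syslog alert line shape (`[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port`); the sample syslog lines, hostnames, addresses and local-range sids are constructed, and the flat `alert` table is a stand-in for the real ACID schema. Note what the parsed record does *not* contain: no full IP/TCP header fields beyond addresses and ports, and no packet payload, which is exactly the "slim" data this message is about.

```python
"""Parse Snort one-line syslog alerts and load them into a flat table.

Added example, not code from the original post or from Snort/ACID. Assumes
the classic Snort 1.x syslog alert line shape:

  <syslog ts> <host> snort[pid]: [gid:sid:rev] <msg> \
      [Classification: <class>] [Priority: <n>]: {<proto>} <src>[:port] -> <dst>[:port]

Sample lines, hostnames, addresses and local-range sids are constructed.
"""
import re
import sqlite3

ALERT_RE = re.compile(
    r"""^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+
        (?P<host>\S+)\s+snort(?:\[\d+\])?:\s+
        \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
        (?P<msg>.+?)\s+
        (?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?   # classification is optional
        \[Priority:\s*(?P<prio>\d+)\]:\s+
        \{(?P<proto>[A-Za-z0-9]+)\}\s+
        (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+
        (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$""",
    re.VERBOSE,
)

# Constructed sample syslog stream: three Snort alerts (local-range sids, RFC 1918
# addresses) plus one unrelated sshd line that the collector must ignore.
SAMPLE_SYSLOG = """\
Jan 30 18:33:18 sensor1 snort[812]: [1:1000001:1] LOCAL WEB root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.1.2.3:4711 -> 192.168.1.10:80
Jan 30 18:33:19 sensor1 snort[812]: [1:1000002:1] LOCAL ICMP ping sweep [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.1.2.3 -> 192.168.1.10
Jan 30 18:33:20 sensor2 snort[433]: [1:1000003:2] LOCAL DNS test rule [Priority: 3]: {UDP} 10.1.2.3:53 -> 192.168.1.11:53
Jan 30 18:33:21 sensor1 sshd[123]: Accepted password for jhaar from 10.1.2.9 port 2231 ssh2
"""


def parse_alert(line):
    """Return the fields present in one syslog alert line, or None if the line
    is not a Snort alert. Only what syslog carries is here: no header fields
    beyond addresses/ports and no payload (the 'slim' data of the thread)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):  # absent for ICMP and other portless protocols
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_log(text):
    """Parse every Snort alert line in a syslog blob, skipping other daemons' lines."""
    return [r for r in (parse_alert(l) for l in text.splitlines()) if r is not None]


def load_into_db(text, conn=None):
    """Insert parsed alerts into a flat 'alert' table, one row per alert.
    An in-memory SQLite DB is used by default so this runs offline; a real
    console would write to the ACID schema instead of this flat stand-in."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE IF NOT EXISTS alert (
        ts TEXT, host TEXT, gid INTEGER, sid INTEGER, rev INTEGER, msg TEXT,
        classification TEXT, priority INTEGER, proto TEXT,
        src TEXT, sport INTEGER, dst TEXT, dport INTEGER)""")
    rows = [(r["ts"], r["host"], r["gid"], r["sid"], r["rev"], r["msg"],
             r["cls"], r["prio"], r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
            for r in parse_log(text)]
    # Parameterised insert: alert messages are attacker-influenced text.
    conn.executemany("INSERT INTO alert VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def alert_count(conn, max_priority=None):
    """Count stored alerts; with max_priority, only those at least that severe
    (Snort priority 1 is the most severe)."""
    if max_priority is None:
        return conn.execute("SELECT COUNT(*) FROM alert").fetchone()[0]
    return conn.execute("SELECT COUNT(*) FROM alert WHERE priority <= ?",
                        (max_priority,)).fetchone()[0]


if __name__ == "__main__":
    db = load_into_db(SAMPLE_SYSLOG)
    for row in db.execute("SELECT ts, host, sid, msg, proto, src, dst FROM alert"):
        print(row)
```

The regex is anchored on the `[gid:sid:rev]` ... `[Priority: n]:` markers rather than on the free-text message, so a rule message that itself contains brackets or "->" does not break the parse; anything that does not fit the shape is dropped rather than half-inserted.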



