[Snort-users] snort + aris

Ron 'The InSaNe One' Rosson insane at ...321...
Tue May 15 10:52:43 EDT 2001


So there is no command line or config file for snort that will allow it
to keep logging to a database while creating an alert file for aris's
extractor to use.  It has got to be something simple that we are missing.

TIA

Robert D. Hughes (rob at ...1932...) wrote:
> Maybe so. I don't know. You'll have to log to the alert file if you want to
> use ARIS though.
> 
> -----Original Message-----
> From: Ron Rosson [mailto:insane at ...321...]
> Sent: Sunday, May 13, 2001 11:40 AM
> To: Robert D. Hughes
> Cc: Ryan Russell; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort + aris
> 
> 
> Robert D. Hughes (rob at ...1932...) wrote:
> > Check the ARIS and extractor (sfclean is now extractor) docs. They'll give
> > you the command line for both snort and extractor. Mine is
> > /usr/local/bin/snort -A full -c /usr/local/etc/snort.conf -dDeX -i xl0 -u
> > nobody. It works at least. Last time I checked, -A full and -d are the only
> > required ones.
> > 
> > -----Original Message-----
> > From: Ron 'The InSaNe One' Rosson [mailto:insane at ...321...]
> > Sent: Saturday, May 12, 2001 5:10 PM
> > To: Ryan Russell
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] snort + aris
> > 
> > 
> > Ryan Russell (ryan at ...35...) wrote:
> > > Was the question regarding how to get Snort running, or how to get it to
> > > feed to ARIS?
> > > 
> > > 			Ryan
> > > 
> > > On Fri, 11 May 2001, Ron 'The InSaNe One' Rosson wrote:
> > > 
> > > > I am getting ready to reset up aris on my network but I am confused on
> > > > what my command line should be.
> > > >
> > > > Here is my basic setup:
> > > >
> > > > IDS system logging to a remote Database
> > > >
> > > > Command line for snort is:
> > > > /usr/local/bin/snort -D -d -c /etc/snort.rules
> > > >
> > > > Here is the output part of my  snort.rules file
> > > >
> > > > output database: alert, mysql, user=nobody dbname=snort host=postal
> > > >
> > 
> > I am looking for the proper command line to run with SNORT.
> > 
> > TIA
> > 
> 
> If I read the man page right that overrides the database logging.
> 

-- 
------------------------------------------------------------------------------
Ron Rosson          			      ... and a UNIX user said ...
The InSaNe One                 			      rm -rf *
insane at ...322...     	            and all was /dev/null and *void()
------------------------------------------------------------------------------
         Adults are just kids that owe money
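One way to keep both outputs at once, added here as an example and not taken from the thread or from the Snort project's own documentation: it assumes Snort's `alert_full` output plugin and the `-l` log-directory switch exist as described, and reuses the database line from Ron's snort.rules (user, dbname and host as he posted them).

```conf
# snort.rules / snort.conf -- output section (added example, not from the thread)

# Keep the remote database logging already in place (line as posted by Ron):
output database: alert, mysql, user=nobody dbname=snort host=postal

# Stack a second alert plugin so a full-format alert file is written for
# ARIS extractor to read. Output plugins of the same type are called in
# sequence, so the database still receives every alert.
output alert_full: alert

# Start snort WITHOUT -A on the command line: an alert mode given on the
# command line overrides the output plugins in this file, which is the
# behaviour the man page describes. -l picks the directory the alert file
# (and packet logs) land in; adjust the path for your system.
#   /usr/local/bin/snort -D -d -c /etc/snort.rules -l /var/log/snort
```

After a restart, check that new alerts appear both in the database and in the alert file under the -l directory; if only the file fills up, an `-A` switch is still being passed somewhere (an init script, for example).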