[Snort-users] Snort and ARIS Extractor

Erek Adams erek at ...577...
Wed Oct 24 07:39:06 EDT 2001

On Wed, 24 Oct 2001, Mike Walter wrote:

> 	I am sure someone has covered this, but I can't seem to find it.  I
> downloaded and registered with ARIS so I could upload my logs.  I am
> logging to mySQL, and thought I could just use the portscan.log with the
> ARIS extractor.  This does not seem to be the case.  How do I log snort to
> mySQL and to the proper file format so I could run the ARIS extractor?
> Thanks in advance.

Two options that I can come up with.

	1)  Use Barnyard, which is still in beta, to dump from the unified
logging format into the DB.
	2)  Configure fast or full alerts _along with_ the DB output.  Snort
can dump to two logging formats at the same time.  Just don't try this on a
Fat Pipe(tm).  You could also do post-processing of the data if you
wanted--log to binary and mysql, then come back over that at the end of the
night to dump out the full/fast alerts.

Hope that helps!

Erek Adams
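A snort.conf fragment for the two options above, added here as an illustration (it is not from Erek's post or from the Snort distribution). It assumes the Snort 1.8-era output plugin syntax; the DB credentials, host, file names, log directory and the snort-postproc.conf name are placeholders. One caveat on the original question: the portscan.log that Mike tried to feed to the extractor is written by the portscan preprocessor and only holds scan summaries, not rule alerts, which is why it is not in the alert file format the extractor expects.

```conf
# Added example, not part of Erek's reply or of Snort itself.
# Snort 1.8.x output plugin syntax. Credentials, host, paths and
# file names are placeholders to adapt to your sensor.

# --- Option 2: log to MySQL *and* write fast/full text alerts ---
# Snort runs every output plugin configured for an event type
# (alert or log), so all of these fire on each event. Each one costs
# CPU per packet; on a busy link this is where packets start to drop.

# Database plugin. "log" stores full log records (packet included),
# "alert" stores alert records only. Placeholder credentials.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# One-line-per-alert text file, the format a log extractor usually wants.
# Relative paths are taken under the -l log directory.
output alert_fast: alert.fast

# Multi-line alert with decoded headers; enable one or both.
output alert_full: alert.full

# --- Option 1: unified binary output, decoded later by Barnyard ---
# Cheapest at capture time: Snort writes a binary record and moves on.
# A separately configured Barnyard reads these files and feeds the DB
# and/or writes the fast/full text alerts offline. The limit is in MB
# before the file is rolled over.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- The post-processing variant from the reply ---
# Keep a binary (tcpdump-format) packet log beside the DB at capture time:
output log_tcpdump: snort.log.pcap
# Off-hours, replay it through a second config (snort-postproc.conf,
# placeholder name) that enables only alert_fast/alert_full and no
# database plugin, so nothing is inserted into MySQL twice:
#   snort -r /var/log/snort/snort.log.pcap -c snort-postproc.conf -l /var/log/snort/post
```

The replay step works because -r feeds the saved packets through the same rule set and output plugins as live capture; the separate config is what keeps the database plugin out of the second pass.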

