[Snort-users] Snort and ARIS Extractor
erek at ...577...
Wed Oct 24 07:39:06 EDT 2001
On Wed, 24 Oct 2001, Mike Walter wrote:
> I am sure someone has covered this, but I can't seem to find it. I
> downloaded and registered with ARIS so I could upload my logs. I am
> logging to mySQL, and thought I could just use the portscan.log with the
> ARIS extractor. This does not seem to be the case. How do I log snort to
> mySQL and to the proper file format so I could run the ARIS extractor?
> Thanks in advance.
Two options that I can come up with:
1) Use Barnyard, which is still in beta, to dump from the unified
logging format into the DB.
2) Configure fast or full alerts _along with_ the DB output. Snort
can dump to two logging formats at the same time. Just don't try this on a
Fat Pipe(tm). You could also do post-processing of the data if you
wanted--log to binary and mysql, then come back over that at the end of the
night to dump out the full/fast alerts.
Hope that helps!
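A snort.conf output section illustrating option 2 from the reply above. This is an added example, not part of the original thread or the Snort distribution; the file paths, database name and credentials are placeholders, and the nightly re-read command in the comment assumes the Snort 1.x command-line flags -r, -c, -A and -l.

```conf
# --- Option 2a: fast alerts and the MySQL plugin enabled at the same time.
# Both plugins fire on every alert, so on a busy link the extra file write
# per event adds up; the reply above warns against doing this on a fat pipe.

# Single-line alerts in the flat format tools such as the ARIS extractor read.
output alert_fast: /var/log/snort/alert.fast

# Same events into the database (placeholder credentials, change before use).
output database: alert, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# --- Option 2b: binary (tcpdump-format) log plus the database on the live
# sensor, with the text alerts produced later by re-reading the binary file.
# Comment out alert_fast above and use these two lines instead.

output log_tcpdump: /var/log/snort/snort.log
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# Nightly post-processing (run from cron, not part of snort.conf):
#   snort -r /var/log/snort/snort.log -c /etc/snort/snort.conf \
#         -A fast -l /var/log/snort/nightly
# This replays the captured packets through the same rule set and writes the
# fast-format alert file into /var/log/snort/nightly for the extractor.
```

Only the output plugins are shown; the rest of snort.conf (variables, preprocessors, rules) is unchanged.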