[Snort-users] Snort and ARIS Extractor

Peter Bates Peter.Bates at ...79...
Wed Oct 24 10:24:06 EDT 2001


Hello all...

-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362

>>> "Mike Walter" <mike at ...3781...> 24/10/01 15:19:39 >>>
<snip>
  How do I log snort to mySQL and to the proper file format so I could run the ARIS extractor?  Thanks in advance.

I've been sending my logs to ARIS since the whole system was in beta, and it works fine and jolly... I have the following in snort.conf -
(this is snort 1.8.1 now)

# Outputs
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert
output database: alert, mysql, dbname=snort user=snort

I then use 

extractor -c w.x.y.z -f /var/log/snort/portscan.log -u user -p password /var/log/snort/alert 

(in a script) to send to ARIS.

It's a bit over the top, but I personally view the syslog messages,
the alerts and portscan.log go to ARIS, and I have a gander at
the MySQL version with ACID... well OTT considering it seems a bit
'quiet' at the moment here (too quiet for my liking!), but it worked
overtime during CodeRed/Nimda ...
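The reply above only says the extractor command runs "in a script". The POSIX shell wrapper below is an added example, not the poster's script and not part of Snort or ARIS: it keeps the collector user and password out of the script body by reading them from a hypothetical credential file, refuses to run if that file is readable by other local users, skips the push when a log is missing or empty, and otherwise invokes the extractor with exactly the flags quoted in the post (-c, -f, -u, -p and the alert file as the positional argument). The collector address w.x.y.z is the placeholder from the post; the path /etc/snort/aris.cred and its "user password" line format are assumptions.

```shell
#!/bin/sh
# Added example wrapper around the extractor invocation quoted in the post.
# Not the poster's script and not an ARIS/Snort-supplied tool.
# Assumed extractor interface, taken from the post:
#   extractor -c <collector> -f <portscan log> -u <user> -p <password> <alert file>
set -u

ARIS_COLLECTOR="${ARIS_COLLECTOR:-w.x.y.z}"            # placeholder, as in the post
ALERT_LOG="${ALERT_LOG:-/var/log/snort/alert}"
PORTSCAN_LOG="${PORTSCAN_LOG:-/var/log/snort/portscan.log}"
CRED_FILE="${CRED_FILE:-/etc/snort/aris.cred}"         # hypothetical; one line: "user password"
EXTRACTOR_BIN="${EXTRACTOR_BIN:-extractor}"

# Return 0 only if the file exists and its group/other permission bits are all
# clear, so the ARIS password cannot be read by other local users.
# Parses ls -l output rather than stat(1) for portability across Unixes.
check_private_file() {
    [ -f "$1" ] || return 1
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Return 0 only if the log exists and is non-empty; there is nothing to ship otherwise.
check_log_ready() {
    [ -s "$1" ]
}

# Read "user password" from the credential file into ARIS_USER / ARIS_PASS.
load_credentials() {
    check_private_file "$CRED_FILE" || return 1
    ARIS_USER=""
    ARIS_PASS=""
    read -r ARIS_USER ARIS_PASS < "$CRED_FILE" || true   # read returns 1 on a missing trailing newline
    [ -n "$ARIS_USER" ] && [ -n "$ARIS_PASS" ]
}

# Run the extractor as the post does, but only after the checks pass.
# Exit status: 0 sent, 1 credential problem, 2 nothing to send.
run_extractor() {
    load_credentials || { echo "credentials unavailable or not private" >&2; return 1; }
    check_log_ready "$ALERT_LOG" || { echo "no alerts to send" >&2; return 2; }
    check_log_ready "$PORTSCAN_LOG" || { echo "no portscan log to send" >&2; return 2; }
    "$EXTRACTOR_BIN" -c "$ARIS_COLLECTOR" -f "$PORTSCAN_LOG" \
        -u "$ARIS_USER" -p "$ARIS_PASS" "$ALERT_LOG"
}

# Only run when invoked as "sh aris_push.sh run", so the functions can also be sourced.
case "${1:-}" in
    run) run_extractor ;;
esac
```

Note that the password still appears on the extractor command line (that is the interface the post shows), so it is briefly visible to other users via ps; the credential-file check at least keeps it from being readable at rest. Run the script from cron as the same unprivileged user that owns the Snort logs.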
