[Snort-users] Snort and ARIS Extractor

Mike Walter mike at ...3781...
Wed Oct 24 10:52:08 EDT 2001


Peter,
	That worked the best out of all the others suggested. 
	Thanks,

Mike Walter,
3z.net a PCD Company,
PCD Network Solutions, Inc,
�When Success the Only Solution  t h i n K  3z.net�
www.pcdnet.net
www.3z.net



-----Original Message-----
From: Peter Bates [mailto:Peter.Bates at ...79...]
Sent: Wednesday, October 24, 2001 1:23 PM
To: snort-users
Subject: Re: [Snort-users] Snort and ARIS Extractor



Hello all...

-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362

>>> "Mike Walter" <mike at ...3781...> 24/10/01 15:19:39 >>>
<snip>
  How do I log snort to mySQL and to the proper file format so I could run the ARIS extractor?  Thanks in advance.

I've been sending my logs to ARIS since the whole system was in beta, and it works fine and jolly... I have the following in snort.conf -
(this is snort 1.8.1 now)

# Outputs
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert
output database: alert, mysql, dbname=snort user=snort

I then use 

extractor -c w.x.y.z -f /var/log/snort/portscan.log -u user -p password /var/log/snort/alert 

(in a script) to send to ARIS.

It's a bit over the top, but I personally view the syslog messages,
the alerts and portscan.log go to ARIS, and I have a gander at 
the MySQL version with ACID... well OTT considering it seems a bit
'quiet' at the moment here (too quiet for my liking!), but it worked 
over-time during CodeRed/Nimda ...




_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users






More information about the Snort-users mailing list