[Snort-users] Snort and ARIS Extractor

Mike Walter mike at ...3781...
Wed Oct 24 10:52:08 EDT 2001

	That worked the best out of all the others suggested. 

Mike Walter,
3z.net a PCD Company,
PCD Network Solutions, Inc,
"When Success the Only Solution  t h i n K  3z.net"

-----Original Message-----
From: Peter Bates [mailto:Peter.Bates at ...79...]
Sent: Wednesday, October 24, 2001 1:23 PM
To: snort-users
Subject: Re: [Snort-users] Snort and ARIS Extractor

Hello all...

Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362

>>> "Mike Walter" <mike at ...3781...> 24/10/01 15:19:39 >>>
  How do I log snort to MySQL and to the proper file format so I could run the ARIS extractor?  Thanks in advance.

I've been sending my logs to ARIS since the whole system was in beta, and it works fine and jolly... I have the following in snort.conf -
(this is snort 1.8.1 now)

# Outputs
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert
output database: alert, mysql, dbname=snort user=snort

I then use 

extractor -c w.x.y.z -f /var/log/snort/portscan.log -u user -p password /var/log/snort/alert 

(in a script) to send to ARIS.

It's a bit over the top, but I personally view the syslog messages,
the alerts and portscan.log go to ARIS, and I have a gander at 
the MySQL version with ACID... well OTT considering it seems a bit
'quiet' at the moment here (too quiet for my liking!), but it worked 
overtime during CodeRed/Nimda ...
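
As an added illustration (not code from either poster, and unrelated to ARIS Extractor's own internals): the alert file that `output alert_full: alert` writes is the same file the extractor command above ships to ARIS, so it is worth being able to read it yourself before forwarding it. The record layout below is the Snort 1.x alert_full format as I recall it (a `[**] [gid:sid:rev] msg [**]` header, a classification/priority line, a timestamp line with the endpoints, then the IP and transport headers); the three sample alerts are constructed for this example, not real captures, and the function names are mine.

```python
# Added example: parse Snort 1.x "alert_full" records (the format of
# /var/log/snort/alert in the snort.conf above, as I recall it) and pick
# out the records worth forwarding. Sample alerts are constructed.
import re

SAMPLE_ALERT_FILE = """\
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
10/24-10:52:08.123456 192.0.2.10:4321 -> 192.0.2.80:80
TCP TTL:128 TOS:0x0 ID:12345 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1234ABCD  Ack: 0xDEADBEEF  Win: 0x4000  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
10/24-10:52:09.000001 192.0.2.11:4322 -> 192.0.2.80:80
TCP TTL:128 TOS:0x0 ID:12346 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0x00000001  Ack: 0x00000002  Win: 0x4000  TcpLen: 20

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/24-10:53:00.500000 192.0.2.12 -> 192.0.2.80
ICMP TTL:50 TOS:0x0 ID:2 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1  Seq:1  ECHO
"""

# [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# [Classification: ...] [Priority: N]   (absent for rules without a classtype)
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
# mm/dd-hh:mm:ss.uuuuuu src[:sport] -> dst[:dport]; ports are absent for ICMP
PKT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$"
)
# First token of the IP-header line is the transport protocol
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)")


def parse_alert_full(text):
    """Split an alert_full file into records (one dict per alert).

    Records are separated by a blank line. Lines we do not recognise
    (TCP flags, ICMP type/code, Xref lines) are ignored rather than
    treated as errors, so a newer Snort adding a line does not break us.
    """
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        if not lines:
            continue
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header; skip rather than crash on junk
        rec = {
            "gid": int(m.group(1)), "sid": int(m.group(2)),
            "rev": int(m.group(3)), "msg": m.group(4),
            "classification": None, "priority": None,
            "timestamp": None, "src": None, "sport": None,
            "dst": None, "dport": None, "proto": None, "ttl": None,
        }
        for line in lines[1:]:
            if (m := CLASS_RE.match(line)):
                rec["classification"] = m.group(1)
                rec["priority"] = int(m.group(2))
            elif (m := PKT_RE.match(line)):
                rec["timestamp"] = m.group(1)
                rec["src"] = m.group(2)
                rec["sport"] = int(m.group(3)) if m.group(3) else None
                rec["dst"] = m.group(4)
                rec["dport"] = int(m.group(5)) if m.group(5) else None
            elif (m := PROTO_RE.match(line)):
                rec["proto"] = m.group(1)
                rec["ttl"] = int(m.group(2))
        records.append(rec)
    return records


def high_priority(records, max_priority=1):
    """Keep alerts at or above a priority (Snort: 1 is the most severe).

    Alerts with no classification have no priority; they are kept, since
    dropping an unclassified alert silently is the wrong default.
    """
    return [r for r in records
            if r["priority"] is None or r["priority"] <= max_priority]


def summarise(records):
    """Count alerts per (sid, msg): a quick look at what is noisy."""
    counts = {}
    for r in records:
        key = (r["sid"], r["msg"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_alert_full(SAMPLE_ALERT_FILE)
    for key, n in summarise(recs).items():
        print(n, key)
    print("would forward:", [r["sid"] for r in high_priority(recs)])
```

The blank-line split is what makes this safe to run over a live file: Snort writes each record as a unit, so a truncated record at the end of the file only costs you that record, not the whole parse. If your Snort version emits extra lines (Xref references, for instance), they fall through the `elif` chain untouched.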

Snort-users mailing list
Snort-users at lists.sourceforge.net