[Snort-users] Snort replay into ACID - Sensor Identification

Erek Adams erek at ...950...
Wed Jan 8 08:26:02 EST 2003


On Tue, 7 Jan 2003, Dustin Decker wrote:

[...snip...]

> for i in /var/log/snort/local_queue/*;
> do /usr/sbin/snort -d -c /root/snort/snort.conf -r "$i";
> done
>
> Again - pretty vanilla.  Now I'm getting into a situation where I'll be
> pulling binary files from a handful of hosts, and I don't know how to
> specify that each represents a different sensor in ACID.  Can anyone clue
> me in on the right way to approach this, or where a doc might be for it?

If you'll check the DB output plugin, you'll see that you can specify the
sensor ID in its .conf setup.  Now this means you'll have to go from
vanilla to chocolate, but that's a good thing.  :)  One .conf for each box
and a "host x.x.x.x" added to the command line would get you fixed right
up.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
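The per-box approach from the reply above, written out as a small POSIX sh script. This is an added example, not code from either poster: it assumes a hypothetical layout of one .conf per sensor host under /root/snort/sensors/<ip>.conf (each carrying its own DB output plugin line that names that sensor) and one queue directory per host under /var/log/snort/local_queue/<ip>/, and it appends the "host <ip>" BPF filter to the snort command line so that only that box's traffic is replayed against that box's config. DRY_RUN=1 prints the command lines instead of running snort.

```shell
#!/bin/sh
# Added example (not from the thread): replay per-host capture queues into
# ACID as separate sensors, one snort .conf per sensor host.
# Hypothetical layout assumed here:
#   $CONF_DIR/<ip>.conf            per-host config, DB output plugin names the sensor
#   $QUEUE_DIR/<ip>/*              binary captures pulled from that host
SNORT=${SNORT:-/usr/sbin/snort}
CONF_DIR=${CONF_DIR:-/root/snort/sensors}
QUEUE_DIR=${QUEUE_DIR:-/var/log/snort/local_queue}

# Run a command, or just print it when DRY_RUN is set (for checking the
# generated command lines before touching the database).
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Replay every capture queued for one sensor host with that host's config.
# Refuses to run without a per-host config: the config is what tells the
# DB output plugin which sensor the events belong to, so falling back to a
# shared snort.conf would silently lump all boxes into one sensor in ACID.
replay_sensor() {
    ip=$1
    conf="$CONF_DIR/$ip.conf"
    if [ ! -f "$conf" ]; then
        echo "replay_sensor: no config for sensor $ip ($conf)" >&2
        return 1
    fi
    for pcap in "$QUEUE_DIR/$ip"/*; do
        # An empty queue leaves the glob unexpanded; skip it rather than
        # handing snort a literal '*'.
        [ -f "$pcap" ] || continue
        # Same invocation as in the original loop, plus the "host <ip>"
        # BPF filter suggested in the reply.
        run "$SNORT" -d -c "$conf" -r "$pcap" host "$ip" || return 1
    done
}

# Usage: replay.sh 10.0.0.5 10.0.0.6 ...   (one argument per sensor host)
if [ $# -gt 0 ]; then
    for ip in "$@"; do
        replay_sensor "$ip" || exit 1
    done
fi
```

Running the script with DRY_RUN=1 first is a cheap way to confirm that each queued file is paired with the right config and host filter before any events reach the database.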
