[Snort-users] Feeding mysql db with alert log files.

Erek Adams erek at ...950...
Mon Jun 23 08:01:11 EDT 2003


On Sun, 22 Jun 2003, Daniel Gil wrote:

> I am using snort 2 with mysql and ACID.
>
> I just want to know if it's possible to feed a mysql db with snort log
> files that have already been written to disk in text format (portscan,
> alerts, and packet logs) in order to analyze them with ACID.
>
> It seems this task is easy to perform if the logs are in tcpdump
> format.
>
> I have just found an old script (for snort 1.6.x) by Sean Brown. I
> couldn't find any sample of a snort 1.6.x alert log file in order to
> compare them with my snort 2 alert log files.
>
> Any advice (such as "change yer log format to tcpdump") is welcome!

It is easy...  Sorta.

If you have the alerts in a pcap, you only get those packets.  If you save
the entire network data, then you'll also be able to get alerts from
stream4.

Just keep in mind:  The snort.log pcap output only has the data from the
alerts and the associated packet.  Nothing else.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
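The thread leaves the text-log route open, so here is an added example (not code from the thread, from Sean Brown's script, or from the Snort project) of what a "feed the DB from text alerts" importer has to do for Snort 2 alert files. It assumes the file is in the alert_fast format (one line per alert) written without the -y option, so the year is supplied by the caller; the sample lines are constructed for illustration. The INSERT statements target the event, iphdr, tcphdr and udphdr tables of the snort/ACID MySQL schema as I remember it, and the sig_id_for callback is a hypothetical hook for resolving the signature-table key; both are assumptions to check against your schema. Note what is missing from the rows: a text alert carries no packet, so the IP header details and payload that ACID shows from a pcap-driven import cannot be reconstructed, which is Erek's point above.

```python
"""Parse Snort 2 alert_fast lines into rows for the snort/ACID MySQL schema.

Added example, not from the thread. Assumptions: alert_fast format, no -y
(year) flag, IPv4 only. Table and column names are taken from the classic
snort database schema and should be checked against the one ACID is using.
"""
import re
from datetime import datetime

# One alert_fast line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src -> dst
# Classification and Priority are optional; src/dst carry :port only for TCP/UDP.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"(?:\[Priority:\s+(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}

# Constructed sample input (not a real capture); the third line is deliberate noise.
SAMPLE_ALERTS = """\
06/22-23:45:12.123456  [**] [1:1000001:1] LOCAL web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:41231 -> 10.0.0.2:80
06/22-23:45:13.000010  [**] [1:1000002:1] LOCAL ICMP ping [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.2
this line is not an alert and must be skipped
"""


def split_endpoint(endpoint, proto):
    """'10.0.0.5:41231' -> ('10.0.0.5', 41231); ICMP endpoints have no port."""
    if proto in ("TCP", "UDP") and ":" in endpoint:
        host, port = endpoint.rsplit(":", 1)
        return host, int(port)
    return endpoint, None


def ip_to_int(addr):
    """Dotted quad -> unsigned 32-bit int, the form iphdr.ip_src/ip_dst use."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(p < 0 or p > 255 for p in parts):
        raise ValueError("not an IPv4 address: %r" % addr)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def parse_alert(line, year):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    proto = g["proto"].upper()
    src, sport = split_endpoint(g["src"], proto)
    dst, dport = split_endpoint(g["dst"], proto)
    return {
        # The log has no year, so the caller supplies it (assumption: no -y flag).
        "timestamp": datetime.strptime("%d/%s" % (year, g["ts"]), "%Y/%m/%d-%H:%M:%S.%f"),
        "gid": int(g["gid"]), "sid": int(g["sid"]), "rev": int(g["rev"]),
        "msg": g["msg"], "classification": g["cls"],
        "priority": int(g["pri"]) if g["pri"] else None,
        "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def parse_fast_alerts(text, year):
    """Parse a whole alert file, silently dropping lines that are not alerts."""
    alerts = []
    for line in text.splitlines():
        a = parse_alert(line, year)
        if a is not None:
            alerts.append(a)
    return alerts


def to_sql(alerts, sensor_id, sig_id_for, first_cid=1):
    """Build (statement, params) pairs for a DB-API cursor.

    sensor_id is the sid of the sensor row the alerts belong to; sig_id_for(alert)
    must return the signature-table key (hypothetical hook; real code looks it up
    or inserts the signature row first). cid is the per-sensor event counter.
    """
    stmts = []
    cid = first_cid
    for a in alerts:
        stmts.append((
            "INSERT INTO event (sid, cid, signature, timestamp) VALUES (%s, %s, %s, %s)",
            (sensor_id, cid, sig_id_for(a), a["timestamp"].strftime("%Y-%m-%d %H:%M:%S")),
        ))
        # Only addresses and protocol survive in a text alert; TTL, ID, flags etc. do not.
        stmts.append((
            "INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_proto) VALUES (%s, %s, %s, %s, %s)",
            (sensor_id, cid, ip_to_int(a["src"]), ip_to_int(a["dst"]), PROTO_NUM.get(a["proto"])),
        ))
        if a["proto"] in ("TCP", "UDP"):
            t = a["proto"].lower()
            stmts.append((
                "INSERT INTO %shdr (sid, cid, %s_sport, %s_dport) VALUES (%%s, %%s, %%s, %%s)" % (t, t, t),
                (sensor_id, cid, a["sport"], a["dport"]),
            ))
        cid += 1
    return stmts


if __name__ == "__main__":
    for sql, params in to_sql(parse_fast_alerts(SAMPLE_ALERTS, 2003), 1, lambda a: a["sid"]):
        print(sql, params)
```

Executing the pairs with a MySQLdb cursor is the last step, and the cid values must start above the highest one already present for that sensor or the primary key will collide. Compare this with the pcap route Erek describes: re-reading the capture with snort -r against a configuration whose output plugin is the database fills every header column, and a full capture rather than snort.log also lets stream4 raise alerts the original run did not log.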
