Snort mailing list archives

Re: snort + aris


From: Ron 'The InSaNe One' Rosson <insane () lunatic oneinsane net>
Date: Tue, 15 May 2001 07:52:43 -0700

So there is no command line or config file for snort that will allow it
to keep logging to a database while creating an alert file for aris's
extractor to use.  It's got to be something simple that we are missing.

TIA

Robert D. Hughes (rob () robhughes com) wrote:
Maybe so. I don't know. You'll have to log to the alert file if you want to
use ARIS though.

-----Original Message-----
From: Ron Rosson [mailto:insane () lunatic oneinsane net]
Sent: Sunday, May 13, 2001 11:40 AM
To: Robert D. Hughes
Cc: Ryan Russell; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort + aris


Robert D. Hughes (rob () robhughes com) wrote:
Check the ARIS and extractor (sfclean is now extractor) docs. They'll give
you the command line for both snort and extractor. Mine is
/usr/local/bin/snort -A full -c /usr/local/etc/snort.conf -dDeX -i xl0 -u
nobody. It works at least. Last time I checked, -A full and -d are the only
required ones.

-----Original Message-----
From: Ron 'The InSaNe One' Rosson [mailto:insane () lunatic oneinsane net]
Sent: Saturday, May 12, 2001 5:10 PM
To: Ryan Russell
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort + aris


Ryan Russell (ryan () securityfocus com) wrote:
Was the question regarding how to get Snort running, or how to get it to
feed to ARIS?

                  Ryan

On Fri, 11 May 2001, Ron 'The InSaNe One' Rosson wrote:

I am getting ready to reset up aris on my network but I am confused on
what my command line should be.

Here is my basic setup:

IDS system logging to a remote Database

Command line for snort is:
/usr/local/bin/snort -D -d -c /etc/snort.rules

Here is the output part of my snort.rules file

output database: alert, mysql, user=nobody dbname=snort host=postal


I am looking for the proper command line to run with SNORT.

TIA


If I read the man page right that overrides the database logging.


-- 
------------------------------------------------------------------------------
Ron Rosson                                    ... and a UNIX user said ...
The InSaNe One                                        rm -rf *
insane () oneinsane net                     and all was /dev/null and *void()
------------------------------------------------------------------------------
         Adults are just kids that owe money
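The output section below is an added example and is not from anyone in this thread or from the ARIS/extractor docs they mention. It assumes two things: that Snort's alert_full output plugin writes the same full-format alert file that "-A full" produces, and that an -A given on the command line overrides the output plugins declared in the config file (which is how Ron reads the man page). The database parameters are the ones from Ron's message; the alert file path is a placeholder.

```conf
# /etc/snort.rules, output section -- added example, not from the thread.
# Assumption: the alert_full plugin produces the same full-format alert
# file as "-A full", so both outputs can be declared here and the -A
# switch left off the command line (a command-line -A would override
# these plugins and the database output would stop).

# Remote database output, exactly as in the original message.
output database: alert, mysql, user=nobody dbname=snort host=postal

# Full-format alert file for the extractor to read (placeholder path).
output alert_full: /var/log/snort/alert.full

# Start Snort without -A so the config-file outputs apply; -d is kept
# because the thread says it is required for the alert format, and -u
# drops privileges after startup:
#   /usr/local/bin/snort -D -d -c /etc/snort.rules -u nobody
```

Whether the extractor accepts the file this plugin writes should be checked against the extractor's own docs; this only shows how to keep both outputs active at once.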

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

