Snort mailing list archives

RE: Snort and ARIS Extractor

From: "Mike Walter" <mike () pcdnet net>
Date: Wed, 24 Oct 2001 13:51:33 -0400

Peter,
        That worked the best out of all the others suggested. 
        Thanks,

Mike Walter,
3z.net a PCD Company,
PCD Network Solutions, Inc,
When Success the Only Solution  t h i n K  3z.net
www.pcdnet.net
www.3z.net



-----Original Message-----
From: Peter Bates [mailto:Peter.Bates () lshtm ac uk]
Sent: Wednesday, October 24, 2001 1:23 PM
To: snort-users
Subject: Re: [Snort-users] Snort and ARIS Extractor



Hello all...

-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362

"Mike Walter" <mike () pcdnet net> 24/10/01 15:19:39 >>>

<snip>
  How do I log snort to mySQL and to the proper file format so I could run the ARIS extractor?  Thanks in advance.

I've been sending my logs to ARIS since the whole system was in beta, and it works fine and jolly... I have the 
following in snort.conf -
(this is snort 1.8.1 now)

# Outputs
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert
output database: alert, mysql, dbname=snort user=snort

I then use 

extractor -c w.x.y.z -f /var/log/snort/portscan.log -u user -p password /var/log/snort/alert 

(in a script) to send to ARIS.

It's a bit over the top, but I personally view the syslog messages,
the alerts and portscan.log go to ARIS, and I have a gander at 
the MySQL version with ACID... well OTT considering it seems a bit
'quiet' at the moment here (too quiet for my liking!), but it worked 
over-time during CodeRed/Nimda ...




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort and ARIS Extractor Mike Walter (Oct 24)
- Re: Snort and ARIS Extractor Erek Adams (Oct 24)
- Re: Snort and ARIS Extractor Demetri Mouratis (Oct 24)
- <Possible follow-ups>
- Re: Snort and ARIS Extractor Peter Bates (Oct 24)
- RE: Snort and ARIS Extractor Mike Walter (Oct 24)
- RE: Snort and ARIS Extractor Peter Bates (Oct 25)