Snort mailing list archives

RE: snort output


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Tue, 5 Aug 2003 08:13:41 -0600

I can understand what you are saying, and what I am attempting to accomplish will most likely push the system beyond the limit. But the goal is to drop all alerts into the MySQL database, retrievable by ACID, and at the same time have a unified converted to binary for tcpflow and barnyard. Have been using sguil and I suppose that the php scripts could be reconfigured in ACID to extract the sguildb data instead.

-----Original Message-----
From: Bamm Visscher [mailto:bamm () satx rr com]
Sent: Tuesday, August 05, 2003 7:15 AM
To: snort-users () lists sourceforge net
Cc: tslighter () itc nrcs usda gov
Subject: Re: [Snort-users] snort output


To answer your question:

  http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5

But why oh why would you do this? The whole point of barnyard is to take the overhead of output plugins off from snort. This might not be such a big deal if you were using '-A fast', but you are talking about the slowest plugin out there and probably the primary reason that barnyard was developed. Do yourself a favour and use the ACID plugin for barnyard (op_acid_db).

Bammkkkk


On Tue, Aug 05, 2003 at 06:39:57AM -0600, Slighter, Tim wrote:
Can the snort.conf file be configured for more than one output at the same time? In other words, can there be an output for unified for the purpose of Barnyard, and also an output for MySQL Database for the purpose of ACID?

(Snort.conf file extract)

output log_unified: filename snort.log, limit 128
output database: log, mysql, user=root password=test dbname=db host=localhost
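As an added example (not from either poster), this is the arrangement Bamm describes: snort writes only the cheap unified files, and barnyard reads them and feeds the ACID database, so the slow database plugin never runs inside snort. The barnyard directive names, file paths, sensor name, interface and command-line options are assumptions based on barnyard 0.2-era configuration; the database name and credentials are the values from Tim's snort.conf extract.

```conf
# --- snort.conf (assumed path /etc/snort/snort.conf) ---
# Keep only the unified outputs. The "output database: log, mysql, ..." line
# from the original extract is dropped so snort is never blocked on MySQL.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf (assumed path /etc/snort/barnyard.conf) ---
# Assumed barnyard 0.2 syntax. The sensor name and interface are constructed.
config hostname: sensor1
config interface: eth0

# Data processors that decode the two unified record types written above.
processor dp_alert
processor dp_log

# op_acid_db, the ACID database plugin Bamm recommends, for both streams.
# Credentials (user root, password test, database db, localhost) are taken
# from the snort.conf extract in the thread; sensor_id and detail are assumed.
output alert_acid_db: mysql, sensor_id 1, database db, server localhost, user root, password test, detail full
output log_acid_db: mysql, database db, server localhost, user root, password test, detail full

# Assumed invocation (barnyard 0.2 options), one process per unified stream;
# the -w waldo file lets barnyard resume where it stopped after a restart.
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.alert -w /var/log/snort/alert.waldo
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log   -w /var/log/snort/log.waldo
```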




