Snort mailing list archives

Re: Snort-users digest, Vol 1 #3872 - 13 msgs


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Sat, 03 Jan 2004 16:06:22 +1300


Date: Fri, 2 Jan 2004 16:07:37 -0000
From: "Russell Packer" <russell.packer () arnoldinteractive com>
To: <Snort-users () lists sourceforge net>
Subject: [Snort-users] Snort, Mudpit, Unified logs and me...

Hi all,

I'm trying to set up what I think is "a normal" system pair:

System 1: The Snort machine (Devil)
System 2: The log processing / alerting machine (Slackware 9.x)

As I'm sure anyone else using mudpit is aware, there isn't a whole lot of documentation ;)

I'm currently getting my head round the Mudpit configuration, more specifically the Spool section. The section starts like this:

Here is what I am using:

from snort.conf:
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
 
These files get written to the directory specified with the -l option.

In mudpit config I have:


spool "/home/snort/LOGS/DMZ-O/unified" {  # as specified with the -l option to snort
    lock = "mysql"
    arch_dir = "/home/snort/arch"
    checkpoint = "checkpoint"

    # The name of the output plugin. At least one plugin must be specified.
    # The string after comma is a parameter sent to the plugin; its format
    # depends on a plugin type (mp_out_init entry should understand it).
    # Default: none.
    output = "/home/snort/mudpit-1.2/output/acid/mp_acid_out.so",
        "server xxxxxx.auckland.ac.nz, user snort, database snort, \
         hostname yyyyy.auckland.ac.nz, interface 1, password zzzzzz"
}
 
If you are still having trouble send me your configs off list and I will
look over them.

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
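The pairing described in the reply above only works when mudpit's spool directory is exactly the directory snort was started with via -l. The following is an added example, not code from the thread or from the mudpit project: a small consistency check over a constructed snort command line, snort.conf excerpt and mudpit spool block (the hostnames are placeholders), reporting any mismatch before the spooler is started.

```python
import re

# Constructed sample inputs modelled on the thread; not real files.
SNORT_CMDLINE = "snort -c /etc/snort/snort.conf -l /home/snort/LOGS/DMZ-O/unified -D"
SNORT_CONF = """\
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
"""
MUDPIT_CONF = """\
spool "/home/snort/LOGS/DMZ-O/unified" {
    lock = "mysql"
    arch_dir = "/home/snort/arch"
    checkpoint = "checkpoint"
    output = "/home/snort/mudpit-1.2/output/acid/mp_acid_out.so",
        "server db.example.invalid, user snort, database snort"
}
"""

def snort_log_dir(cmdline):
    """Return the directory passed to snort's -l option, or None if absent."""
    m = re.search(r"(?:^|\s)-l\s+(\S+)", cmdline)
    return m.group(1) if m else None

def unified_outputs(conf):
    """Map each unified output plugin in snort.conf to (filename, limit_mb)."""
    pattern = r"^output\s+(alert_unified|log_unified):\s*filename\s+([^,\s]+),\s*limit\s+(\d+)"
    return {m.group(1): (m.group(2), int(m.group(3)))
            for m in re.finditer(pattern, conf, re.M)}

def mudpit_spools(conf):
    """Return every spool directory declared in a mudpit config."""
    return re.findall(r'^\s*spool\s+"([^"]+)"\s*\{', conf, re.M)

def check_pairing(cmdline, snort_conf, mudpit_conf):
    """Return a list of problems; an empty list means the two sides line up."""
    problems = []
    log_dir = snort_log_dir(cmdline)
    if log_dir is None:
        problems.append("snort has no -l option; unified files go to the default log dir")
    if not unified_outputs(snort_conf):
        problems.append("snort.conf declares no alert_unified/log_unified output")
    spools = [s.rstrip("/") for s in mudpit_spools(mudpit_conf)]
    if log_dir and log_dir.rstrip("/") not in spools:
        problems.append(f"no mudpit spool matches snort -l dir {log_dir}")
    return problems

if __name__ == "__main__":
    print(check_pairing(SNORT_CMDLINE, SNORT_CONF, MUDPIT_CONF) or "configs line up")
```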



