[Snort-users] Re: Snort-users digest, Vol 1 #3872 - 13 msgs

From: Russell Fulton (r.fultonauckland.ac.nz)
Date: Fri Jan 02 2004 - 21:06:22 CST


> Date: Fri, 2 Jan 2004 16:07:37 -0000
> From: "Russell Packer" <russell.packerarnoldinteractive.com>
> To: <Snort-userslists.sourceforge.net>
> Subject: [Snort-users] Snort, Mudpit, Unified logs and me...
>
> Hi all,
>
> I'm trying to set up what I think is "a normal" system pair:
>
> System 1: The Snort machine (Devil)
> System 2: The log processing / alerting machine (Slackware 9.x)

> As I'm sure anyone else using mudpit is aware, there isn't a whole lot
> of documentation ;)
>
> I'm currently getting my head round the Mudpit configuration, more
> specifically the Spool section. The section starts like this:

Here is what I am using:

from snort.conf:
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
 
These files get written to the directory specified with the -l option.

In mudpit config I have:

spool "/home/snort/LOGS/DMZ-O/unified" {   # as specified with the -l option to snort
    lock = "mysql"
    arch_dir = "/home/snort/arch"
    checkpoint = "checkpoint"

    # The name of the output plugin. At least one plugin must be specified.
    # The string after comma is a parameter sent to the plugin; its format
    # depends on a plugin type (mp_out_init entry should understand it).
    # Default: none.
    output = "/home/snort/mudpit-1.2/output/acid/mp_acid_out.so",
        "server xxxxxx.auckland.ac.nz, user snort, database snort, \
         hostname yyyyy.auckland.ac.nz, interface 1, password zzzzzz"
}
 
If you are still having trouble send me your configs off list and I will
look over them.

--
Russell Fulton /~\ The ASCII
Network Security Officer \ / Ribbon Campaign
The University of Auckland X Against HTML
New Zealand / \ Email!
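The spool / checkpoint / arch_dir trio in the config above is the part of mudpit the original question is about, so here is a small reader that does the same job over a directory of rolled unified files: pick up where the last run stopped, hand complete records to a consumer, advance the checkpoint, and move files Snort has rolled past into the archive directory. This is an added example in Python, not code from mudpit, Snort or anyone in this thread. It assumes only what the thread states (Snort writes <base>.<unix-timestamp> files into the -l directory, rolls to a new one at `limit` MB, and appends only to the newest); the JSON checkpoint layout, the sink callback and the sample file contents are this example's own inventions, and the sample uses newline-terminated text where real unified files hold binary records.

```python
"""Spool reader in the style of mudpit's spool / checkpoint / arch_dir scheme.
Added example, not mudpit's or Snort's code.  Assumes what the thread states:
Snort's unified plugins write <base>.<unix-timestamp> files into the -l
directory, roll to a new file once `limit` MB is reached, and only append to
the newest one.  Checkpoint layout and sink callback are this example's own."""
import json
import os
import shutil
import tempfile


def spool_files(spool_dir, base):
    """(timestamp, name) pairs for `base`, oldest first.  Sorted on the integer
    suffix, since lexically 'snort.alert.1000' would sort before '...999'."""
    prefix = base + "."
    found = []
    for name in os.listdir(spool_dir):
        suffix = name[len(prefix):]
        if name.startswith(prefix) and suffix.isdigit():
            found.append((int(suffix), name))
    return sorted(found)


def load_checkpoint(path):
    if not os.path.exists(path):
        return {"file_ts": -1, "offset": 0}
    with open(path) as fh:
        return json.load(fh)


def save_checkpoint(path, state):
    """Write-then-rename, so a crash never leaves a truncated checkpoint."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def line_sink(records):
    """Stand-in for a unified-record parser: consume only complete
    newline-terminated lines and report the bytes used, so a record Snort is
    still writing is left in the file for the next pass."""
    def sink(data):
        used = data.rfind(b"\n") + 1
        records.extend(data[:used].split(b"\n")[:-1])
        return used
    return sink


def drain(spool_dir, base, checkpoint, arch_dir, sink):
    """Hand everything written since the checkpoint to sink(bytes) -> bytes
    consumed, advance the checkpoint, archive files Snort has rolled past.
    Returns the number of bytes consumed in this pass."""
    state = load_checkpoint(checkpoint)
    files = spool_files(spool_dir, base)
    newest = files[-1][0] if files else None
    total = 0
    for ts, name in files:
        if ts < state["file_ts"]:
            continue                       # finished (and archived) earlier
        start = state["offset"] if ts == state["file_ts"] else 0
        path = os.path.join(spool_dir, name)
        with open(path, "rb") as fh:
            fh.seek(start)
            data = fh.read()
        used = sink(data) if data else 0
        total += used
        state = {"file_ts": ts, "offset": start + used}
        save_checkpoint(checkpoint, state)
        if ts != newest:
            if start + used != os.path.getsize(path):
                break                      # unparsable tail: keep it, retry later
            os.makedirs(arch_dir, exist_ok=True)   # complete file: park it in arch_dir
            shutil.move(path, os.path.join(arch_dir, name))
    return total


def demo():
    """Constructed sample run: two rolled files, the newer one mid-write, then
    a second pass after Snort finishes the record.  File names and contents
    are made up; real unified files hold binary records, not text lines."""
    root = tempfile.mkdtemp()
    spool, arch, cp = (os.path.join(root, d) for d in ("unified", "arch", "checkpoint"))
    os.mkdir(spool)
    with open(os.path.join(spool, "snort.alert.1073000000"), "wb") as fh:
        fh.write(b"alert 1\nalert 2\n")
    with open(os.path.join(spool, "snort.alert.1073000128"), "wb") as fh:
        fh.write(b"alert 3\nalert 4 still bei")          # Snort still writing
    got = []
    first = drain(spool, "snort.alert", cp, arch, line_sink(got))
    with open(os.path.join(spool, "snort.alert.1073000128"), "ab") as fh:
        fh.write(b"ng written\n")
    second = drain(spool, "snort.alert", cp, arch, line_sink(got))
    result = (got, first, second, load_checkpoint(cp), sorted(os.listdir(arch)))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two things the example makes explicit that the config hides: the checkpoint is only advanced to a record boundary (otherwise a restart replays or loses the record Snort was in the middle of writing), and a file is only archived once it is no longer the newest and has been consumed to its last byte. Separately, the `output` line in the mudpit config above carries the ACID database password in clear text, so the config file should be readable only by the account mudpit runs as.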

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users