Snort Migration question

[Doug Metz]

When we set up Aanval we were running on a 2.91 version of snort with output to a central MySQL database.

Currently we are upgrading to Snort 2.94 as signatures are no longer available for 2.91.  However with 2.94 "database" is no longer an available output format.

Looking for advice on easiest method to be able to support the new output while making as little change as possible to the overall infrastructure.

[SuperheroSmith]

With the latest edition of Snort, you'll need Barnyard2 to parse those logs in the Unified2 format to the MySQL database. You can get the download for Barnyard2 at the following link: http://www.securixlive.com/barnyard2/download.php

You'll find configuration instructions at this link: http://wiki.aanval.com/wiki/Aanval:Snort,_Barnyard2,_and_Aanval_Detailed_Installation_Guide_for_OS_X_Lion#Barnyard2

With the latest builds, you must remove "no stamp" from the "output unified2" line; you'll find those instructions at this link: http://wiki.aanval.com/wiki/Aanval:Snort,_Barnyard2,_and_Aanval_Detailed_Installation_Guide_for_OS_X_Lion#Snort

Each instance of Snort will require its own instance of Barnyard2.