Configuring MySQL for Snort

Problem

You want to use MySQL with Snort.

Solution

Install Snort with MySQL support with the following:

[root@localhost snort-2.2.x]# ./configure --with-mysql=/usr/local/mysql
[root@localhost snort-2.2.x]# make
[root@localhost snort-2.2.x]# make install

Next, create the Snort database, set the password, and grant permissions:

[root@localhost root]# /usr/local/mysql/bin/mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 4.0.20-standard

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database snort;
Query OK, 1 row affected (0.07 sec)

mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password');
Query OK, 0 rows affected (0.00 sec)

mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
Query OK, 0 rows affected (0.00 sec)

mysql> exit

Next, run Snort's create_mysql script and load the snortdb-extra.gz data to create the appropriate tables in the database:

[root@localhost root]# cd snort-2.2.x
[root@localhost snort-2.2.x]# /usr/local/mysql/bin/mysql -u root -p < ./contrib/create_mysql snort
Enter password:
[root@localhost snort-2.2.x]# cd contrib
[root@localhost contrib]# zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p snort
Enter password:

Finally, add a line in the snort.conf file to use the database output plug-in, making sure you configure it with the right parameters for your database:

output database: log, mysql, user=snort password=password dbname=snort host=localhost


Discussion

Once MySQL is installed and configured, Snort itself must be set up to use it: Snort has to be built with MySQL support, the database and its user have to be created, and the database output plug-in has to be enabled, as the preceding steps show. After you have followed those steps, use the following commands to check that the Snort database was created correctly. First, log into MySQL with the following command and supply the password you set earlier:

[root@localhost contrib]# /usr/local/mysql/bin/mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7 to server version: 4.0.20-standard

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

The following command will show the current MySQL databases; make sure that your newly created Snort database is listed:

mysql> show databases;
+----------+
| Database |
+----------+
| mysql    |
| snort    |
| test     |
+----------+
3 rows in set (0.00 sec)

The following commands will select the Snort database as the current database and then show the existing Snort tables:

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)

mysql> exit

Next, you can generate some traffic that creates events, such as an Nmap scan, and check the database to make sure the events are logged:

mysql> select * from event;
+-----+-----+-----------+---------------------+
| sid | cid | signature | timestamp           |
+-----+-----+-----------+---------------------+
|   1 |   1 |         1 | 2004-11-06 03:24:51 |
|   1 |   2 |         1 | 2004-11-06 03:24:57 |
|   1 |   3 |         2 | 2004-11-06 03:32:41 |
|   1 |   4 |         2 | 2004-11-06 03:32:47 |
|   1 |   5 |         3 | 2004-11-06 03:33:29 |
|   1 |   6 |         3 | 2004-11-06 03:33:35 |
|   1 |   7 |         4 | 2004-11-06 03:33:41 |
|   1 |   8 |         4 | 2004-11-06 03:33:47 |
|   1 |   9 |         5 | 2004-11-06 03:34:53 |
|   1 |  10 |         5 | 2004-11-06 03:34:59 |
|   1 |  11 |         6 | 2004-11-06 03:35:05 |
|   1 |  12 |         6 | 2004-11-06 03:35:11 |
|   1 |  13 |         7 | 2004-11-06 03:35:17 |
|   1 |  14 |         7 | 2004-11-06 03:35:23 |
|   1 |  15 |         7 | 2004-11-06 03:37:42 |
+-----+-----+-----------+---------------------+
15 rows in set (0.00 sec)
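A pre-flight check for the two halves of this recipe (the output plug-in line in snort.conf and the verification of the event table), added here as an example; it is not code from the Snort Cookbook. It parses the "output database:" line of a snort.conf (a constructed sample written to a temporary file so the script runs offline), confirms the four parameters the plug-in needs are present, checks that the file is not group- or world-readable because the line carries the database password in clear text, and emits the queries to run against the snort database to see which signatures fired and from where. The client path /usr/local/mysql/bin/mysql is the recipe's; the table and column names (event, sensor, signature, iphdr and their columns) are assumed from Snort's contrib/create_mysql schema.

```shell
#!/bin/sh
# Added example, not from the Snort Cookbook. Assumptions: the sample
# configuration below is constructed, and the table/column names in
# verify_sql come from Snort's contrib/create_mysql schema.

# Constructed snort.conf excerpt, written to a temp file so the script
# runs without a real Snort installation.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed excerpt, not a real configuration
var HOME_NET any
output database: log, mysql, user=snort password=password dbname=snort host=localhost
EOF

# db_param <conf> <key>: print the value of one key=value parameter from the
# first "output database:" line in <conf>, or nothing if it is absent.
db_param() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" \
        | head -n 1 \
        | tr -s ' \t' '\n' \
        | sed -n "s/^$2=//p"
}

# check_db_params <conf>: succeed only if every parameter the plug-in line in
# this recipe uses (user, password, dbname, host) is present; name the
# missing ones on stderr.
check_db_params() {
    missing=""
    for key in user password dbname host; do
        [ -n "$(db_param "$1" "$key")" ] || missing="$missing $key"
    done
    if [ -n "$missing" ]; then
        echo "output database: missing parameter(s):$missing" >&2
        return 1
    fi
}

# check_conf_mode <conf>: succeed only if group and other have no access.
# The line holds the database password in clear text, so the file should be
# readable by its owner alone. Parses ls -l so it works on any POSIX system.
check_conf_mode() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# verify_sql: emit queries that confirm events are arriving and summarise
# which signatures fired, per sensor and source address. Run them with:
#   verify_sql | /usr/local/mysql/bin/mysql -p snort
verify_sql() {
    cat <<'EOF'
SELECT COUNT(*) AS events, MIN(timestamp) AS first, MAX(timestamp) AS last
  FROM event;

SELECT s.hostname, s.interface, sig.sig_name, INET_NTOA(ip.ip_src) AS src,
       COUNT(*) AS hits
  FROM event e
  JOIN sensor    s   ON s.sid = e.sid
  JOIN signature sig ON sig.sig_id = e.signature
  JOIN iphdr     ip  ON ip.sid = e.sid AND ip.cid = e.cid
 GROUP BY s.hostname, s.interface, sig.sig_name, src
 ORDER BY hits DESC;
EOF
}

# Stand-alone run against the constructed sample (mktemp creates it mode 600).
if check_db_params "$SAMPLE_CONF" && check_conf_mode "$SAMPLE_CONF"; then
    echo "database output line OK (user=$(db_param "$SAMPLE_CONF" user), host=$(db_param "$SAMPLE_CONF" host))"
fi
```

To use it on a live sensor, point the three check functions at the real snort.conf instead of the sample and pipe verify_sql into the mysql client as the comment shows. The sample deliberately carries the recipe's placeholder password, which is exactly why the mode check is worth running before the file is deployed.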

 

See Also

Recipe 2.11

Recipe 1.2

http://www.snort.org/docs/snort_acid_rh9.pdf




Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167