Problem
You want to use MySQL with Snort.
Solution
Install Snort with MySQL support with the following:
[root@localhost snort-2.2.x]# ./configure --with-mysql=/usr/local/mysql [root@localhost snort-2.2.x]# make [root@localhost snort-2.2.x]# make install
Next, create the Snort database, set the password, and grant permissions:
[root@localhost root]# /usr/local/mysql/bin/mysql -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or g. Your MySQL connection id is 4 to server version: 4.0.20-standard Type 'help;' or 'h' for help. Type 'c' to clear the buffer. mysql> create database snort; Query OK, 1 row affected (0.07 sec) mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password'); Query OK, 0 rows affected (0.00 sec) mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost; Query OK, 0 rows affected (0.00 sec) mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort; Query OK, 0 rows affected (0.00 sec) mysql> exit
Next, run the Snort create_mysql script and snortdb-extra.gz to generate the appropriate tables in the database:
[root@localhost root]# cd snort-2.2.x [root@localhost snort-2.2.x]# /usr/local/mysql/bin/mysql -u root -p < ./contrib/create_mysql snort Enter password: [root@localhost snort-2.2.x]# cd contrib [root@localhost contrib]# zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p snort Enter password:
Finally, add a line in the snort.conf file to use the database output plug-in, making sure you configure it with the right parameters for your database:
output database: log, mysql, user=snort password=password dbname=snort host=localhost
Discussion
Once you have MySQL installed and configured, you must make the necessary Snort configurations. First, when you install Snort, you need to install it with MySQL support. There are quite a few things you must do when configuring Snort to interact with MySQL. Once you have followed the preceding steps, you can use the following commands to check that the Snort database was created correctly. First, log into MySQL using the following command and supply the password that you previously created:
[root@localhost contrib]# /usr/local/mysql/bin/mysql -p Enter password: Welcome to the MySQL monitor. Commands end with ; or g. Your MySQL connection id is 7 to server version: 4.0.20-standard Type 'help;' or 'h' for help. Type 'c' to clear the buffer.
The following command will show the current MySQL databases; make sure that your newly created Snort database is listed:
mysql> show databases; +----------+ | Database | +----------+ | mysql | | snort | | test | +----------+ 3 rows in set (0.00 sec)
The following commands will select the Snort database as the current database and then show the existing Snort tables:
mysql> use snort; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> show tables; +------------------+ | Tables_in_snort | +------------------+ | data | | detail | | encoding | | event | | flags | | icmphdr | | iphdr | | opt | | protocols | | reference | | reference_system | | schema | | sensor | | services | | sig_class | | sig_reference | | signature | | tcphdr | | udphdr | +------------------+ 19 rows in set (0.00 sec) mysql> exit
Next, you can run some traffic that creates eventssuch as an Nmap scanand check the database to make sure the events are logged:
mysql> select * from event; +-----+-----+-----------+---------------------+ | sid | cid | signature | timestamp | +-----+-----+-----------+---------------------+ | 1 | 1 | 1 | 2004-11-06 03:24:51 | | 1 | 2 | 1 | 2004-11-06 03:24:57 | | 1 | 3 | 2 | 2004-11-06 03:32:41 | | 1 | 4 | 2 | 2004-11-06 03:32:47 | | 1 | 5 | 3 | 2004-11-06 03:33:29 | | 1 | 6 | 3 | 2004-11-06 03:33:35 | | 1 | 7 | 4 | 2004-11-06 03:33:41 | | 1 | 8 | 4 | 2004-11-06 03:33:47 | | 1 | 9 | 5 | 2004-11-06 03:34:53 | | 1 | 10 | 5 | 2004-11-06 03:34:59 | | 1 | 11 | 6 | 2004-11-06 03:35:05 | | 1 | 12 | 6 | 2004-11-06 03:35:11 | | 1 | 13 | 7 | 2004-11-06 03:35:17 | | 1 | 14 | 7 | 2004-11-06 03:35:23 | | 1 | 15 | 7 | 2004-11-06 03:37:42 | +-----+-----+-----------+---------------------+ 15 rows in set (0.00 sec)
See Also
Recipe 2.11
Recipe 1.2
http://www.snort.org/docs/snort_acid_rh9.pdf
Using PostgreSQL with Snort and ACID |
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance
Index