Problem
You want to log to a MySQL database but don't have it installed.
Solution
Before you install MySQL, you must create a group and user for MySQL to run as:
[root@localhost root]# groupadd mysql
[root@localhost root]# useradd -g mysql mysql
Next, download MySQL (we saved it in the /root directory). Use the following commands to install and configure MySQL:
[root@localhost root]# cd /usr/local
[root@localhost local]# tar zxvf /root/mysql-standard-4.0.20-pc-linux-i686.tar.gz
[root@localhost local]# ln -s /usr/local/mysql-standard-4.0.20-pc-linux-i686/ mysql
[root@localhost local]# cd mysql
[root@localhost mysql]# scripts/mysql_install_db --user=mysql
[root@localhost mysql]# chown -R root .
[root@localhost mysql]# chown -R mysql data
[root@localhost mysql]# chgrp -R mysql .
Next, to start the MySQL server, you can use the following command:
[root@localhost mysql]# bin/mysqld_safe --user=mysql &
Finally, once MySQL is started, you must assign passwords to the local accounts for the database:
[root@localhost mysql]# ./bin/mysqladmin -u root password newpassword
[root@localhost mysql]# ./bin/mysqladmin -u root -h localhost.localdomain password newpassword
Discussion
MySQL is a popular open source database. Snort has built-in support for logging to a MySQL database. MySQL can be downloaded from the following site: http://dev.mysql.com/downloads/. Be sure to download the latest production release for your platform, such as mysql-standard-4.x.yy-pc-linux-i686.tar.gz.
The MySQL installation creates a directory with a long name for the version of MySQL that you are installing in the /usr/local directory. It's easier to work with it if you create a symbolic link to it with the simple name mysql, allowing you to refer to the directory as /usr/local/mysql. The mysql_install_db script, located in the scripts subdirectory, initializes the database and creates the appropriate grant tables. Next you must change the ownership of the program binaries to root and the data directory to the user that MySQL runs as (which is mysql, in this case). Once you start the MySQL server, you should see it listed in the process list by viewing it with ps -aef. After starting the server, you should assign passwords to the accounts that were created with the grant tables. You must use a stronger password than newpassword, which we used in the example. Now that MySQL is officially installed and configured, you can access it by typing /usr/local/mysql/bin/mysql.
If you would like MySQL to start up automatically when you boot the system, you can add the following commands:
[root@localhost root]# cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysql
[root@localhost root]# cd /etc/rc3.d
[root@localhost rc3.d]# ln -s ../init.d/mysql S85mysql
[root@localhost rc3.d]# ln -s ../init.d/mysql K85mysql
[root@localhost rc3.d]# cd /etc/rc5.d
[root@localhost rc5.d]# ln -s ../init.d/mysql S85mysql
[root@localhost rc5.d]# ln -s ../init.d/mysql K85mysql
[root@localhost rc5.d]# cd ../init.d
[root@localhost init.d]# chmod 755 mysql
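As an added check that is not part of the recipe, the following script verifies that a finished installation has the ownership split the chown/chgrp steps above are meant to produce (program files root:mysql, the data directory mysql:mysql) and that the init script is mode 755. The function names, the MYSQL_HOME/MYSQL_USER/MYSQL_GROUP/INIT_SCRIPT variables and the reliance on GNU or BusyBox stat -c are assumptions of this example; the default paths and names are the recipe's.

```shell
#!/bin/sh
# Added example (not from the recipe): verify the ownership layout that the
# installation steps above are meant to leave behind. Defaults follow the
# recipe; override them through the environment to check another layout.
# Assumes GNU or BusyBox stat (-c) and find.

MYSQL_HOME="${MYSQL_HOME:-/usr/local/mysql}"
MYSQL_USER="${MYSQL_USER:-mysql}"
MYSQL_GROUP="${MYSQL_GROUP:-mysql}"
INIT_SCRIPT="${INIT_SCRIPT:-/etc/init.d/mysql}"

# check_tree_owner DIR USER GROUP
# Prints every entry under DIR not owned by USER:GROUP; returns 1 if any
# (or if DIR does not exist), 0 when the whole tree matches.
check_tree_owner() {
    [ -d "$1" ] || { echo "  missing directory: $1"; return 1; }
    find "$1" -exec stat -c '%U:%G %n' {} + |
        awk -v want="$2:$3" '
            $1 != want { path = $0; sub(/^[^ ]+ /, "", path)
                         print "  wrong owner (" $1 "): " path; bad = 1 }
            END { exit bad }'
}

# check_mode FILE OCTAL
# Returns 0 when FILE exists and has exactly the given permission bits.
check_mode() {
    [ -e "$1" ] || { echo "  missing: $1"; return 1; }
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "$2" ] || { echo "  mode $mode, expected $2: $1"; return 1; }
}

# verify_layout HOME USER GROUP INIT
# Runs every check and returns the number of checks that failed.
verify_layout() {
    home=$1; user=$2; group=$3; init=$4; failed=0
    # Everything under HOME except data/ should belong to root, group mysql,
    # so a compromised server process cannot rewrite its own binaries.
    for entry in "$home"/*; do
        [ "$entry" = "$home/data" ] && continue
        check_tree_owner "$entry" root "$group" || failed=$((failed + 1))
    done
    # The data directory is the only part the server user may own.
    check_tree_owner "$home/data" "$user" "$group" || failed=$((failed + 1))
    check_mode "$init" 755 || failed=$((failed + 1))
    return "$failed"
}

verify_layout "$MYSQL_HOME" "$MYSQL_USER" "$MYSQL_GROUP" "$INIT_SCRIPT" &&
    echo "layout OK" || echo "$? check(s) failed"
```

Run it as root after the chown/chgrp steps; any line it prints names a file whose owner or mode differs from what the recipe intends.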
See Also
Recipe 2.12
http://dev.mysql.com/downloads/
/usr/local/mysql/INSTALL-BINARY