TechRepublic : A ZDNet Tech Community

Linux and Open Source

Last week, we looked at setting up Snort, a Network Intrusion Detection System. Now we will look at configuring Snort to log packets to a remote MySQL server where a graphical Web interface can be used to view captured packets and statistics.

To begin with, on the MySQL server, the database must be created. In this scenario, the Snort server is “snort.host” and the MySQL server is “mysql.host”. Connect to the database as root:

# mysql -u root -p
mysql> create database snort;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on snort.* to snort@snort.host;
mysql> set password for snort@snort.host=PASSWORD('snortpass');
mysql> flush privileges;
mysql> \q

With the Snort documentation comes a file called create_mysql, which has the schema for the database. On a typical Linux install, this file would be found in /usr/share/doc/snort-[version]/create_mysql. Load this file as root:

# mysql -u root -p snort </usr/share/doc/snort-doc/create_mysql

Next, on the system where Snort will be running, edit the /etc/snort/snort.conf configuration file and tell it to log to the database:

output database: log, mysql, user=snort password=snortpass dbname=snort host=mysql.host

Finally, because snort.conf now contains the database password in clear text, make sure that /etc/snort/snort.conf is mode 0640 and owned by root:snort:

# chown root:snort /etc/snort/snort.conf
# chmod 0640 /etc/snort/snort.conf
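An added pre-flight check, written for this article rather than taken from Snort or the original post, that verifies the two properties set up above before Snort is started: the configuration file is exactly mode 0640 and owned root:snort, and it carries an output database line that names the mysql plugin with user, dbname and host set. It reports the logging target without ever printing the password; the owner and group arguments default to root:snort and can be overridden, for example when trying the check on a copy of the file.

```shell
#!/bin/sh
# check_snort_db_output CONF [OWNER] [GROUP]
# Returns 0 when CONF is mode 0640 owned OWNER:GROUP (default root:snort) and
# contains an "output database:" line using the mysql plugin with user=,
# dbname= and host= present; otherwise prints a reason and returns a
# distinct non-zero code per failure.
check_snort_db_output() {
    conf=$1
    owner=${2:-root}
    group=${3:-snort}

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # find(1): -perm 0640 matches the exact mode, -user/-group the ownership.
    if [ -z "$(find "$conf" -perm 0640 -user "$owner" -group "$group" 2>/dev/null)" ]; then
        echo "$conf must be mode 0640 and owned $owner:$group (it holds the DB password)" >&2
        return 2
    fi

    line=$(grep -E '^[[:space:]]*output[[:space:]]+database:' "$conf" | head -n 1)
    [ -n "$line" ] || { echo "no 'output database:' line in $conf" >&2; return 3; }

    case "$line" in
        *mysql*) ;;
        *) echo "output database line does not use the mysql plugin" >&2; return 4 ;;
    esac

    # Everything after "mysql," is a run of space-separated key=value pairs.
    params=${line#*mysql,}
    user=$(printf '%s\n' "$params" | tr ' ' '\n' | sed -n 's/^user=//p' | head -n 1)
    dbname=$(printf '%s\n' "$params" | tr ' ' '\n' | sed -n 's/^dbname=//p' | head -n 1)
    host=$(printf '%s\n' "$params" | tr ' ' '\n' | sed -n 's/^host=//p' | head -n 1)
    if [ -z "$user" ] || [ -z "$dbname" ] || [ -z "$host" ]; then
        echo "output database line lacks user=, dbname= or host=" >&2
        return 5
    fi

    # Deliberately omits the password= value.
    echo "snort will log as $user to database $dbname on $host"
    return 0
}
```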

The next step is to start Snort; the distribution's init script will start Snort monitoring, or you can launch it in the background by hand:

# /usr/sbin/snort -c /etc/snort/snort.conf &

Starting Snort once without sending it to the background is a good idea, so that any database connection error is visible on the terminal. You can also check on the MySQL server that logging is active:

# echo "SELECT hostname FROM sensor;" | mysql -u root -p snort

The IP address that Snort is listening on should be displayed.

Now that Snort is logging data to MySQL, BASE (Basic Analysis and Security Engine) is a great way to view the data via a Web interface. BASE requires a Web server and PHP. Once you have unpacked it into a directory served by the Web server, copy the base_conf.php.dist file to base_conf.php and edit it, in particular setting $alert_dbname and the related variables so that they point to the Snort log database.

BASE connects to the database too, so you will also want to add a snort@localhost user with the same privileges on the MySQL database if you did not do so earlier (i.e., if your Snort and MySQL servers are physically separate).

Once that is done, navigate to the BASE install that you just set up and follow the instructions presented to set up the caching table for BASE. When that is complete, you can use BASE to view and graph the logged Snort data.

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years.
