Configure Snort to log packets to MySQL

Learn how to use Snort to log packets to a remote MySQL server where a graphical Web interface can be used to view captured packets and statistics.

Last week, we looked at setting up Snort, a Network Intrusion Detection System. Now we will look at configuring Snort to log packets to a remote MySQL server where a graphical Web interface can be used to view captured packets and statistics.

To begin with, on the MySQL server, the database must be created. In this scenario, the Snort server is "snort.host" and the MySQL server is "mysql.host". Connect to the database as root:

# mysql -u root -p
mysql> create database snort;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on snort.* to snort@snort.host;
mysql> set password for snort@snort.host=PASSWORD('snortpass');
mysql> flush privileges;
mysql> \q

With the Snort documentation comes a file called create_mysql, which has the schema for the database. On a typical Linux install, this file would be found in /usr/share/doc/snort-[version]/create_mysql. Load this file as root:

# mysql -u root -p snort </usr/share/doc/snort-doc/create_mysql

Next, on the system where Snort will be running, edit the /etc/snort/snort.conf configuration file and tell it to log to the database:

output database: log, mysql, user=snort password=snortpass dbname=snort host=mysql.host

Finally, because snort.conf now contains the database password, make sure that /etc/snort/snort.conf is mode 0640 and owned by root:snort, so that only root and the snort group can read it:

# chown root:snort /etc/snort/snort.conf
# chmod 0640 /etc/snort/snort.conf

The next step is to start Snort; the supplied initscript will start Snort monitoring, or you can launch it in the background by hand:

# /usr/sbin/snort -c /etc/snort/snort.conf &

Starting Snort once without sending it to the background is a good idea, so that any database connection error is printed to the terminal rather than lost. You can also look on the MySQL server to ensure that logging is active:

# echo "SELECT hostname FROM sensor;" | mysql -u root -p snort

The IP address that Snort is listening on should be displayed. Now that Snort is logging data to MySQL, using BASE (Basic Analysis and Security Engine) is a great way to view the data via a Web interface. BASE requires a Web server and PHP. Once you have extracted it under the Web server's document root, copy the base_conf.php.dist file to base_conf.php and edit it, in particular setting the $alert_dbname and related variables to point to the Snort log database.
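Because snort.conf now carries the MySQL password, the ownership and mode step above is what keeps that password away from other local users. The following script is an added example, not part of the original article and not code from Snort itself; it checks that a given snort.conf has an active MySQL "output database:" line and is locked down to mode 0640 (or tighter) with the expected owner and group. It assumes GNU stat (Linux), and the default path, owner and group are the ones used in this article.

```shell
#!/bin/sh
# Added example (not from the original article or from Snort): verify that a
# snort.conf holding MySQL credentials is both configured for database logging
# and protected from other local users. Assumes GNU stat (Linux).

# conf_has_mysql_output FILE
# Returns 0 if FILE contains an uncommented "output database: <log|alert>, mysql, ..."
# line, 1 otherwise. A line commented out with a leading '#' does not match.
conf_has_mysql_output() {
    grep -Eq '^[[:space:]]*output[[:space:]]+database:[[:space:]]*(log|alert)[[:space:]]*,[[:space:]]*mysql[[:space:]]*,' "$1"
}

# conf_perms_ok FILE OWNER GROUP
# Returns 0 if FILE is owned by OWNER:GROUP and its mode grants nothing to
# "other" and at most read access to the group (0640, 0600, 0400, ...), 1 otherwise.
conf_perms_ok() {
    want_owner=$2; want_group=$3
    info=$(stat -c '%a %U %G' "$1" 2>/dev/null) || return 1
    set -- $info
    mode=$1; owner=$2; group=$3
    [ "$owner" = "$want_owner" ] || return 1
    [ "$group" = "$want_group" ] || return 1
    # %a prints octal without a leading zero: "640" = owner rw, group r, other none.
    # Accept only a group digit of 0 or 4 followed by an "other" digit of 0.
    case "$mode" in
        *[04]0) return 0 ;;
        *)      return 1 ;;
    esac
}

# Stand-alone use: ./check_snort_conf.sh /etc/snort/snort.conf [owner] [group]
# Defaults match the article: owner root, group snort.
if [ "$#" -gt 0 ]; then
    conf=$1; owner=${2:-root}; group=${3:-snort}
    if conf_has_mysql_output "$conf"; then
        echo "ok: MySQL output plugin enabled in $conf"
    else
        echo "warn: no active MySQL output line in $conf"
    fi
    if conf_perms_ok "$conf" "$owner" "$group"; then
        echo "ok: $conf is $owner:$group, mode 0640 or tighter"
    else
        echo "FAIL: $conf is readable or writable beyond $owner:$group (or wrong owner)"
        exit 1
    fi
fi
```

Run it after the chown/chmod step; a non-zero exit means the password in snort.conf is exposed to users outside root:snort, or the file has the wrong owner.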

You will also want to add a snort@localhost user with privileges to the MySQL database if you did not do so earlier (i.e., if your Snort and MySQL servers are physically separate).

Once that is done, navigate to the BASE install that you just set up and follow the instructions presented to set up the caching table for BASE. When that is complete, BASE is now available to view and graph the logged Snort data.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

7 comments
sameerads

I've configured Snort to log packets to the database using the above-mentioned commands, but the packets are still not getting captured when I'm running Snort in sniffer mode. Any solution?

emari2

$ zcat create_mysql.gz | mysql -u -h -p is what I have to type after installing the package snort-mysql, but I get an error if I type zcat create4_mysql.gz | mysql -u root -h snort.host -p snort. Any help?

Hidzwan Bellamy

How about deploying alert fusion? E.g., if alerts are output to a log.txt, how can we find the similarity between two or more alerts? But if we store them in a database it will be much easier to fuse them. Am I right?

david

I wouldn't recommend this method for production IDS systems. The thing is, while Snort is busy doing a database insert, it's not processing packets from the network. Under a small load, you might not miss much, but as traffic increases, this is significant overhead. And if the database happens to be down or a table is locked for maintenance or something, you've got further trouble. The best practice right now is to have Snort log output in the "unified" log format, which can be written very quickly. This frees up Snort to concentrate on processing packets, while another program (usually barnyard) comes along and reads the unified logs and inserts them into the database. There are a number of decent web references to setting up barnyard (for example, http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1255683,00.html).

rapell

Hello, nice tip, but how would I accomplish this on a Windows box?

vdanen

Well, AFAIK, snort runs on windows, so does MySQL, and so does PHP (so BASE would run too). I guess the rest is an exercise in playing around... I haven't used Windows in years so I can't really offer any advice there, but just pretend the above was written for Windows and install the Windows versions of the software? Or you could always install Linux. =)
