Configure Snort to log packets to MySQL

From PeformIQ Upgrade
Jump to navigation Jump to search

Vincent Danen, TechRepublic


Last week, we looked at setting up Snort (http://cgi.cnet.com.au/link/?id=22018), a Network Intrusion Detection System. Now we will look at configuring Snort to log packets to a remote MySQL server where a graphical Web interface can be used to view captured packets and statistics.

To begin with, on the MySQL server, the database must be created. In this scenario, the Snort server is "snort.host" and the MySQL server is "mysql.host". Connect to the database as root:

  1. mysql -u root -p

mysql> create database snort;

mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on snort.* to snort@snort.host;

mysql> set password for snort@snort.host=PASSWORD(\'snortpass\');

mysql> flush privileges;

mysql> q

With the Snort documentation comes a file called create_mysql, which has the schema for the database. On a typical Linux install, this file would be found in /usr/share/doc/snort-[version]/create_mysql. Load this file as root:

  1. mysql -u root -p snort </usr/share/doc/snort-doc/create_mysql

Next, on the system where Snort will be running, edit the /etc/snort/snort.conf configuration file and tell it to log to the database:

output database: log, mysql, user=snort password=snortpass dbname=snort host=mysql.host

Finally, make sure that /etc/snort/snort.conf is mode 0640 and owned root:snort:

  1. chown root:snort /etc/snort/snort.conf
  1. chmod 0640 /etc/snort/snort.conf

The next step is to start Snort; a supplied initscript will start Snort monitoring or you can launch it to the background:

  1. /usr/sbin/snort -c /etc/snort/snort.conf &

Starting Snort once without sending it to the background is a good idea to ensure the connection takes. You can also look on the MySQL server to ensure that logging is active:

  1. echo "SELECT hostname FROM sensor;" | mysql -u root -p snort

The IP address that Snort is listening on should be displayed. Now that Snort is logging data to MySQL, using BASE Basic Analysis and Security Engine (http://base.secureideas.net/) is a great way to view the data via a Web interface. BASE requires a Web server and PHP. Once you have unarchived it where it needs to be, copy the base_conf.php.dist file to base_conf.php and edit it, in particular, setting the $alert_dbname and related variables to point to the Snort log database.

You will also want to add a snort@localhost user with privileges to the MySQL database if you did not do so earlier (i.e., if your Snort and MySQL servers are physically separate).

Once that is done, navigate to the BASE install that you just set up and follow the instructions presented to set up the caching table for BASE. When that is complete, BASE is now available to view and graph the logged Snort data.