PeterHarding: Created page with "Vincent Danen, TechRepublic Last week, we looked at setting up Snort (http://cgi.cnet.com.au/link/?id=22018), a Network Intrusion Detection System. Now we will look at conf..."

2021-10-16T19:21:35Z

Created page with "Vincent Danen, TechRepublic Last week, we looked at setting up Snort (http://cgi.cnet.com.au/link/?id=22018), a Network Intrusion Detection System. Now we will look at conf..."

New page

Vincent Danen, TechRepublic

Last week, we looked at setting up Snort
(http://cgi.cnet.com.au/link/?id=22018), a Network Intrusion Detection
System. Now we will look at configuring Snort to log packets to a remote
MySQL server where a graphical Web interface can be used to view captured
packets and statistics.

To begin with, on the MySQL server, the database must be created. In this
scenario, the Snort server is "snort.host" and the MySQL server is
"mysql.host". Connect to the database as root:

# mysql -u root -p

mysql> create database snort;

mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on snort.* to
snort@snort.host;

mysql> set password for snort@snort.host=PASSWORD(\'snortpass\');

mysql> flush privileges;

mysql> q

With the Snort documentation comes a file called create_mysql, which has
the schema for the database. On a typical Linux install, this file would
be found in /usr/share/doc/snort-[version]/create_mysql. Load this file as
root:

# mysql -u root -p snort </usr/share/doc/snort-doc/create_mysql

Next, on the system where Snort will be running, edit the
/etc/snort/snort.conf configuration file and tell it to log to the
database:

output database: log, mysql, user=snort password=snortpass dbname=snort
host=mysql.host

Finally, make sure that /etc/snort/snort.conf is mode 0640 and owned
root:snort:

# chown root:snort /etc/snort/snort.conf

# chmod 0640 /etc/snort/snort.conf

The next step is to start Snort; a supplied initscript will start Snort
monitoring or you can launch it to the background:

# /usr/sbin/snort -c /etc/snort/snort.conf &

Starting Snort once without sending it to the background is a good idea to
ensure the connection takes. You can also look on the MySQL server to
ensure that logging is active:

# echo "SELECT hostname FROM sensor;" | mysql -u root -p snort

The IP address that Snort is listening on should be displayed. Now that
Snort is logging data to MySQL, using BASE Basic Analysis and Security
Engine (http://base.secureideas.net/) is a great way to view the data via
a Web interface. BASE requires a Web server and PHP. Once you have
unarchived it where it needs to be, copy the base_conf.php.dist file to
base_conf.php and edit it, in particular, setting the $alert_dbname and
related variables to point to the Snort log database.

You will also want to add a snort@localhost user with privileges to the
MySQL database if you did not do so earlier (i.e., if your Snort and MySQL
servers are physically separate).

Once that is done, navigate to the BASE install that you just set up and
follow the instructions presented to set up the caching table for BASE.
When that is complete, BASE is now available to view and graph the logged
Snort data.

[[Category:Technet]]
[[Category:Whitepapers]]

Configure Snort to Log Packets to MySQL - Revision history

PeterHarding: Created page with "Vincent Danen, TechRepublic Last week, we looked at setting up Snort (http://cgi.cnet.com.au/link/?id=22018), a Network Intrusion Detection System. Now we will look at conf..."