Configure Snort to log packets to MySQL
Author : Vincent Danen, ZDNet Asia
Administrators can use Snort to detect intrusions on the network, and MySQL plus a Web front end to keep and review what it captures.
Snort, a network intrusion detection system, can be configured to log packets to a remote MySQL server. A graphical Web interface can be used to view captured packets and statistics.
To begin on the MySQL server, the database must first be created.
In this scenario, the Snort server is "snort.host" and the MySQL server is "mysql.host".
Connect to the database as root, create the database and a "snort" user that may only connect from the sensor host (replace 'snortpass' with a strong password of your own):
# mysql -u root -p
mysql> create database snort;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on snort.* to snort@snort.host;
mysql> set password for snort@snort.host=PASSWORD('snortpass');
mysql> flush privileges;
mysql> \q
The Snort documentation ships a file called create_mysql, which contains the schema for the database.
On a typical Linux install, this file is found in /usr/share/doc/snort-[version]/create_mysql.
Load it into the new database as root (the file is fed to the mysql client on standard input):
# mysql -u root -p snort < /usr/share/doc/snort-[version]/create_mysql
Next, on the system where Snort will be running, edit the /etc/snort/snort.conf configuration file and tell it to log to the database:
output database: log, mysql, user=snort password=snortpass dbname=snort host=mysql.host
Because this line now contains the database password in clear text, make sure that /etc/snort/snort.conf is mode 0640 and owned root:snort, so that only root and the snort group can read it:
# chown root:snort /etc/snort/snort.conf
# chmod 0640 /etc/snort/snort.conf
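The following is an added example, not code from the article or the Snort project. It parses the `output database:` directive out of a snort.conf (joining backslash-continued lines, as Snort does) and reports permission or ownership problems that would expose the password stored there. The expected owner/group of root:snort and the sample configuration are taken from the article's layout; the sample text itself is constructed.

```python
"""Added example (not from the article): audit a snort.conf for the
'output database:' directive and for credential exposure.

The database password lives in clear text in /etc/snort/snort.conf, which is
why the file must be mode 0640 and owned root:snort. This script parses every
'output database:' directive and flags permission or ownership problems.
The expected owner 'root' and group 'snort' are assumptions from the article."""
import os
import re
import stat

OUTPUT_DB_RE = re.compile(r"^\s*output\s+database:\s*(.*)$", re.IGNORECASE)


def join_continuations(text):
    """Return logical lines, joining lines that end with a backslash
    (the continuation syntax snort.conf uses)."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def parse_output_database(text):
    """Extract each 'output database: <log|alert>, <dbtype>, k=v ...' entry.
    Returns a list of dicts with keys: facility, dbtype, params."""
    entries = []
    for line in join_continuations(text):
        m = OUTPUT_DB_RE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group(1).split(",", 2)]
        if len(parts) != 3:
            continue  # malformed directive; nothing useful to parse
        facility, dbtype, rest = parts
        params = {}
        for kv in rest.split():
            key, _, val = kv.partition("=")
            params[key] = val
        entries.append({"facility": facility, "dbtype": dbtype, "params": params})
    return entries


def audit_conf(text, mode, owner, group, expected_owner="root", expected_group="snort"):
    """Return findings for a snort.conf with the given content, permission
    bits (e.g. 0o640) and owner/group names. Empty list means no problem."""
    findings = []
    entries = parse_output_database(text)
    has_password = any("password" in e["params"] for e in entries)
    if mode & stat.S_IROTH:
        sev = "HIGH" if has_password else "LOW"
        findings.append(f"{sev}: file is world-readable (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"HIGH: file is writable by group or others (mode {mode:04o})")
    if owner != expected_owner:
        findings.append(f"MEDIUM: owner is {owner}, expected {expected_owner}")
    if group != expected_group:
        findings.append(f"LOW: group is {group}, expected {expected_group}")
    for e in entries:
        if e["dbtype"] == "mysql" and "password" not in e["params"]:
            findings.append(f"INFO: {e['facility']} output to mysql has no password= parameter")
    return findings


def audit_file(path, expected_owner="root", expected_group="snort"):
    """Stat a real snort.conf on disk and audit it (Unix only)."""
    import grp
    import pwd
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    with open(path) as fh:
        text = fh.read()
    return audit_conf(text, stat.S_IMODE(st.st_mode), owner, group,
                      expected_owner, expected_group)


# Constructed sample mirroring the article's directive, split over two
# lines with a backslash as it would be in the real file.
SAMPLE_CONF = """\
var HOME_NET any
output database: log, mysql, user=snort password=snortpass \\
    dbname=snort host=mysql.host
"""

if __name__ == "__main__":
    # A world-readable, root:root copy of the sample: two findings expected.
    for finding in audit_conf(SAMPLE_CONF, 0o644, "root", "root"):
        print(finding)
```

Run `audit_file("/etc/snort/snort.conf")` on the sensor after the chown/chmod step; an empty result means the file is root:snort, mode 0640 or tighter, and no other account on the host can read the database password out of it.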
The next step is to start Snort. The supplied initscript will start it, or you can launch it by hand and send it to the background (Snort's -D option runs it as a daemon instead of using the shell's &):
# /usr/sbin/snort -c /etc/snort/snort.conf &
Running Snort once in the foreground first is a good idea: if it cannot reach or authenticate to the database, the error appears on the terminal rather than being lost. You can also check on the MySQL server that the sensor has registered itself:
# echo "SELECT hostname FROM sensor;" | mysql -u root -p snort
A row for the Snort sensor should be displayed; an empty result means Snort never connected to the database.
Now that Snort is logging data to MySQL, BASE (Basic Analysis and Security Engine) is a convenient way to view the data through a Web interface. BASE requires a Web server with PHP (and the ADOdb database library). Once you have unpacked it under the Web server's document tree, copy base_conf.php.dist to base_conf.php and edit it, in particular setting $alert_dbname and the related $alert_host, $alert_user and $alert_password variables to point to the Snort log database.
The snort user created earlier may only connect from snort.host. Because BASE connects from the host running the Web server, you must also grant that host access, for example a snort@localhost user if BASE runs on the MySQL server itself, or snort@web.host if it runs elsewhere, with the same privileges as above (BASE needs CREATE, INSERT, UPDATE and DELETE for its own tables, not just SELECT).
Once that is done, browse to the BASE install you just set up and follow the instructions presented to create the caching table. When that is complete, BASE is available to view and graph the logged Snort data.