Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I'm a newbie in Snort. I installed the Snort RPM on Red Hat Linux 9.
Currently Snort is running fine. However, I'm having some problems with its output. I want its output to be dumped into MySQL. However, I don't really have any idea of how to do it.
I've modified snort.conf as below but it does not work.
"output database: alert, mysql, user=snort password=snort dbname=snort host=localhost"
As for the MySQL db, I created the snort database myself separately. I wonder if that's why it doesn't work. Moreover, I can't access the snort db as "snort" but instead can only access it as the "root" user.
Personally I would set up ACID/Snort/MySQL to work together. There are excellent tutorials on how to accomplish the setup here --> http://internetsecurityguru.com/
Good luck to ya.
ACID will help you infinitely as far as analyzing the reports that Snort will log to the database; otherwise you will end up with a database full of warnings, and how are you going to view them? ACID is very simple to set up and it's a web-based interface that is accessible via browser. It will not eat system resources; it will simply query your database for the results from Snort and present them to you in an organized graphical fashion for analysis.
Ehmm, actually I wanted to do some data matching based on the Snort log that I dump into MySQL. Correct me if I'm wrong, but ACID seems to be a reporting tool for MySQL.
Or will ACID help me with the data matching that I want to do?
The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools. The features currently include:
* Query-builder and search interface for finding alerts matching on alert meta information (e.g. signature, detection time) as well as the underlying network evidence (e.g. source/destination address, ports, payload, or flags).
* Packet viewer (decoder) that will graphically display the layer-3 and layer-4 packet information of logged alerts.
* Alert management by providing constructs to logically group alerts to create incidents (alert groups), deleting the handled alerts or false positives, exporting to email for collaboration, or archiving of alerts to transfer them between alert databases.
* Chart and statistics generation based on time, sensor, signature, protocol, IP address, TCP/UDP ports, or classification.
ACID has the ability to analyze a wide variety of events which are post-processed into its database. Tools exist for the following formats:
Originally posted by jarien
As for the MySQL db, I created the snort database myself separately. I wonder if that's why it doesn't work. Moreover, I can't access the snort db as "snort" but instead can only access it as the "root" user.
Please help...
This is your problem. Until you can access the snort db as the snort user, you're not going to be able to log to MySQL (unless you do it as root, which is really not a good idea). There is a very good PDF that explains how to set up Snort and MySQL on the Snort site. Don't let the fact that it is aimed at Fedora fool you; the majority of the information is applicable to any distro. In your case, you need to look at the section describing how to set up your snort user:
Code:
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password_from_snort.conf');
>Query OK, 0 rows affected (0.25 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
>Query OK, 0 rows affected (0.02 sec)
If you didn't do something like this, then it isn't going to work.
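As an added example (not from this thread or the Snort PDF), the script below reads the credentials out of the "output database:" line in snort.conf and prints the matching MySQL statements, so the password and database in the grants cannot drift from what Snort will actually send; it uses GRANT ... IDENTIFIED BY, which creates the account if it is missing, instead of the separate SET PASSWORD step quoted above, and the snort.conf fragment it parses is constructed.

```shell
#!/bin/sh
# Added example: derive the MySQL account snort.conf expects and print the
# SQL to create it with privileges limited to the snort schema (no root).
# Assumes the snort schema already exists in the named database.

# Constructed snort.conf fragment containing the line from the thread.
SAMPLE_CONF='# other settings...
output database: alert, mysql, user=snort password=snort dbname=snort host=localhost'

# Print the value of KEY from the first "output database:" line of FILE.
# Usage: snort_db_field FILE KEY
snort_db_field() {
    grep '^output database:' "$1" | head -n 1 |
        tr ' ,' '\n\n' | sed -n "s/^$2=//p"
}

# Print the statements to run as the MySQL root user.
# Usage: grants_from_snort_conf FILE
grants_from_snort_conf() {
    user=$(snort_db_field "$1" user)
    pass=$(snort_db_field "$1" password)
    db=$(snort_db_field "$1" dbname)
    host=$(snort_db_field "$1" host)
    [ -n "$user" ] && [ -n "$db" ] || { echo "no output database line" >&2; return 1; }
    : "${host:=localhost}"
    # Same privilege list as the PDF excerpt, scoped to the snort database only.
    cat <<EOF
GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON $db.* TO '$user'@'$host' IDENTIFIED BY '$pass';
FLUSH PRIVILEGES;
EOF
}

# Print a mysql command that verifies the login as the snort user, not root.
# Usage: login_check_cmd FILE
login_check_cmd() {
    echo "mysql -u $(snort_db_field "$1" user) -p -h $(snort_db_field "$1" host) $(snort_db_field "$1" dbname) -e 'SHOW TABLES'"
}

# Demonstration on the constructed fragment.
conf=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$conf"
grants_from_snort_conf "$conf"
login_check_cmd "$conf"
rm -f "$conf"
```

If the printed mysql command fails with an access-denied error, the grants (not snort.conf) are what still need fixing.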
Well, I got to access my snort db as the snort user.
However, another problem has arisen, which is with my Snort.
I used to have Snort running smoothly but now my Snort can't run.
I run my Snort using "/etc/init.d/snortd start"; it shows OK,
but when I check its status using "/etc/init.d/snortd status"
I get this message: "snort dead but subsys locked".
I've checked and found out that there are a few suggested solutions,
such as
- remove the /var/lock/subsys/snort file
- comment out the "classification.config" in the snort.conf file
- check for config file errors with "snort -T"
I tried the first 2 methods but they don't work.
The 3rd method shows the message:
Running in IDS mode with inferred config file: ./snort.conf
Log directory = /var/log/snort
ERROR:
[!] ERROR: Can not get write access to logging directory "/var/log/snort".
(directory doesn't exist or permissions are set incorrectly
or it is not a directory at all)
Fatal Error, Quitting..
Is there any other solution to get Snort running properly??
I am wondering what the difference is if I run Snort with "/etc/init.d/snortd start" and "/usr/sbin/snort [options]".
Although I can't run Snort with "/etc/...", I still manage to run Snort with "/usr/...".
Check the permissions on /var/log/snort. If Snort is running under its own user (i.e. snort) then the snort user must have write permissions to /var/log/snort and everything in that directory.
P.S. For any Gentoo users this guide rocks for setting up Snort, ACID, and MySQL:
I think my problem lies with the owner of Snort ... but how can I check the owner of my application as well as the privileges I have (such as read, write)?
Is the command "ll" applicable to the situation??
As I know, by typing the command "ll", the owner, group and privileges get to be seen ...
but it's for files and folders ... what about applications??
Is it the same way, too??