LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-11-2004, 02:38 AM   #1
jarien
LQ Newbie
 
Registered: Nov 2004
Location: Malaysia
Distribution: redhat 9
Posts: 18

Rep: Reputation: 0
how to link snort output to mysql


I'm a newbie with Snort. I installed the Snort RPM on Red Hat Linux 9.

Currently Snort is running fine. However, I'm having some problems with its output. I want its output to be dumped into MySQL. However, I don't really have any idea how to do it.

I've modified snort.conf as below, but it does not work.
"output database: alert, mysql, user=snort password=snort dbname=snort host=localhost"

As for the MySQL DB, I created the snort database myself separately. I wonder if that's why it doesn't work. Moreover, I can't access the snort DB as "snort", but instead can only access it as the "root" user.

Please help...
 
Old 11-11-2004, 02:50 AM   #2
linux_terror
Member
 
Registered: Aug 2004
Location: Northbrook, Illinois
Distribution: CentOS-5
Posts: 311

Rep: Reputation: 30
Personally I would set up ACID/Snort/MySQL to work together. There are excellent tutorials on how to accomplish the setup here --> http://internetsecurityguru.com/
Good luck to ya.

linux_terror
 
Old 11-11-2004, 10:25 AM   #3
jarien
LQ Newbie
 
Registered: Nov 2004
Location: Malaysia
Distribution: redhat 9
Posts: 18

Original Poster
Rep: Reputation: 0
Is there any possibility of using Snort with MySQL only, without the ACID tool? This is because I wish to reduce the use of extra tools if possible.

Thanks.
 
Old 11-11-2004, 03:24 PM   #4
linux_terror
Member
 
Registered: Aug 2004
Location: Northbrook, Illinois
Distribution: CentOS-5
Posts: 311

Rep: Reputation: 30
ACID will help you infinitely as far as analyzing the reports that Snort will log to the database; otherwise you will end up with a database full of warnings, and how are you going to view them? ACID is very simple to set up. It's a web-based interface that is accessible via browser; it will not eat system resources, it will simply query your database for the results from Snort and present them to you in an organized graphical fashion for analysis.

linux_terror
 
Old 11-11-2004, 08:08 PM   #5
jarien
LQ Newbie
 
Registered: Nov 2004
Location: Malaysia
Distribution: redhat 9
Posts: 18

Original Poster
Rep: Reputation: 0
Hmm, actually I wanted to do some data matching based on the Snort log that I dump into MySQL. Correct me if I'm wrong, but ACID seems to be a reporting tool for MySQL.

Or will ACID help me with the data matching that I want to do?
 
Old 11-11-2004, 09:51 PM   #6
linux_terror
Member
 
Registered: Aug 2004
Location: Northbrook, Illinois
Distribution: CentOS-5
Posts: 311

Rep: Reputation: 30
The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools. The features currently include:

* Query-builder and search interface for finding alerts matching on alert meta information (e.g. signature, detection time) as well as the underlying network evidence (e.g. source/destination address, ports, payload, or flags).

* Packet viewer (decoder) will graphically display the layer-3 and layer-4 packet information of logged alerts

* Alert management by providing constructs to logically group alerts to create incidents (alert groups), deleting the handled alerts or false positives, exporting to email for collaboration, or archiving of alerts to transfer them between alert databases.

* Chart and statistics generation based on time, sensor, signature, protocol, IP address, TCP/UDP ports, or classification

ACID has the ability to analyze a wide variety of events which are post-processed into its database. Tools exist for the following formats:

* using Snort (www.snort.org)
o Snort alerts
o tcpdump binary logs
* using logsnorter ( www.snort.org/downloads/logsnorter-0.2.tar.gz)
o ipchains
o iptables
o ipfw

taken from http://acidlab.sourceforge.net/

linux_terror
 
Old 11-12-2004, 07:06 AM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Re: how to link snort output to mysql

Quote:
Originally posted by jarien

As for the MySQL DB, I created the snort database myself separately. I wonder if that's why it doesn't work. Moreover, I can't access the snort DB as "snort", but instead can only access it as the "root" user.

Please help...
This is your problem. Until you can access the snort DB as the snort user, you're not going to be able to log to MySQL (unless you do it as root, which is really not a good idea). There is a very good PDF that explains how to set up Snort and MySQL on the Snort site. Don't let the fact that it is aimed at Fedora fool you; the majority of the information is applicable to any distro. In your case, you need to look at the section describing how to set up your snort user:

Code:
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password_from_snort.conf');
>Query OK, 0 rows affected (0.25 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
>Query OK, 0 rows affected (0.02 sec)
If you didn't do something like this, then it isn't going to work.
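The grant sequence above and the "output database:" line from the first post have to agree on user, password, database and host; when they drift apart, Snort's database plugin simply fails to authenticate and nothing is logged. The following is an added example, not code from this thread or from the Snort project: a POSIX shell script that reads those four parameters out of a snort.conf (a constructed fragment written to a temp file here) and emits the matching MySQL statements, using the same privilege list as the PDF quoted above, plus the one-liner that proves the account works as the snort user rather than as root. It assumes a Snort 2.x style configuration line with no spaces or commas inside the values and the MySQL 4.x/5.x GRANT ... IDENTIFIED BY form; the database still needs Snort's create_mysql schema loaded into it, which this script does not do.

```shell
#!/bin/sh
# Added example, not from the thread: keep the MySQL account in step with the
# "output database:" line in snort.conf.  Assumes Snort 2.x syntax, i.e.
#   output database: alert, mysql, user=U password=P dbname=D host=H
# with no spaces or commas inside the values.

# Print one parameter (user, password, dbname or host) from the first
# "output database:" line of the given snort.conf, or nothing if absent.
snort_db_param() {
    sed -n -E \
        "s/^[[:space:]]*output[[:space:]]+database:.*[[:space:],]$2=([^[:space:],]+).*/\1/p" \
        "$1" | head -n 1
}

# Emit the SQL to run as the MySQL root user.  $1 = snort.conf,
# $2 = host the sensor connects FROM (defaults to localhost, which is only
# right when Snort and MySQL share a box, as in the thread).  The privilege
# list is the one from the Snort/Fedora PDF quoted above; at run time Snort
# only needs INSERT/SELECT/UPDATE, CREATE only while the schema is built.
snort_grant_sql() {
    conf=$1; client=${2:-localhost}
    user=$(snort_db_param "$conf" user)
    pass=$(snort_db_param "$conf" password)
    db=$(snort_db_param "$conf" dbname)
    if [ -z "$user" ] || [ -z "$pass" ] || [ -z "$db" ]; then
        echo "no usable 'output database:' line in $conf" >&2
        return 1
    fi
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$db"
    # MySQL 4.x/5.x form; on 5.7+/8.0 use CREATE USER, then GRANT without IDENTIFIED BY.
    printf "GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
        "$db" "$user" "$client" "$pass"
    printf "FLUSH PRIVILEGES;\n"
}

# Command line that proves the account works *as the snort user* (the check
# the OP was missing): it must list the schema tables without an access error.
snort_access_check() {
    conf=$1
    host=$(snort_db_param "$conf" host)
    printf "mysql -u '%s' -p'%s' -h '%s' '%s' -e 'SHOW TABLES'\n" \
        "$(snort_db_param "$conf" user)" "$(snort_db_param "$conf" password)" \
        "${host:-localhost}" "$(snort_db_param "$conf" dbname)"
}

# Demo on a constructed snort.conf fragment containing the line from the first post.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# comment lines and other output plugins are ignored
output alert_fast: alert
output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
EOF
snort_grant_sql "$demo_conf"
snort_access_check "$demo_conf"
rm -f "$demo_conf"
```

Run the emitted SQL through `mysql -u root -p`, then run the printed access check; if the SHOW TABLES comes back empty the schema has not been loaded yet, and if it errors the grant host does not match where the sensor actually connects from.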
 
Old 11-12-2004, 10:52 AM   #8
jarien
LQ Newbie
 
Registered: Nov 2004
Location: Malaysia
Distribution: redhat 9
Posts: 18

Original Poster
Rep: Reputation: 0
snort can't run properly

Well, I managed to access my snort DB as the snort user.
However, another problem has arisen, which is my Snort.

I used to have Snort running smoothly, but now my Snort can't run.
I run Snort using "/etc/init.d/snortd start"; it shows OK,
but when I check its status using "/etc/init.d/snortd status"
I get this message: "snort dead but subsys locked"

I've checked and found that there are a few suggested solutions,
such as:
- remove the /var/lock/subsys/snort file
- comment out "classification.config" in the snort.conf file
- check for config file errors with "snort -T"

I tried the first 2 methods but they don't work.

The 3rd method shows the message:

Running in IDS mode with inferred config file: ./snort.conf
Log directory = /var/log/snort
ERROR:
[!] ERROR: Can not get write access to logging directory "/var/log/snort".
(directory doesn't exist or permissions are set incorrectly
or it is not a directory at all)

Fatal Error, Quitting..

Are there any other solutions to get Snort running properly?

I am wondering what the difference is if I run Snort with "/etc/init.d/snortd start" versus "/usr/sbin/snort [options]".
Although I can't run Snort with "/etc/...", I still manage to run Snort with "/usr/...".

Last edited by jarien; 11-17-2004 at 02:12 AM.
 
Old 11-12-2004, 05:06 PM   #9
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Check the permissions on /var/log/snort. If Snort is running under its own user (i.e. snort), then the snort user must have write permissions to /var/log/snort and everything in that directory.

P.S. For any Gentoo users, this guide rocks for setting up Snort, ACID, and MySQL:

http://forums.gentoo.org/viewtopic.php?t=78718


Last edited by Crashed_Again; 11-12-2004 at 05:07 PM.
 
Old 11-17-2004, 02:10 AM   #10
jarien
LQ Newbie
 
Registered: Nov 2004
Location: Malaysia
Distribution: redhat 9
Posts: 18

Original Poster
Rep: Reputation: 0
snort ownership

I think my problem lies in the owner of Snort... but how can I check the owner of my application as well as the privileges I have (such as read, write)?

Is the command "ll" applicable to this situation?
As I know, by typing the command "ll", the owner, group and privileges can be seen...
but that's for files and folders... what about applications?
Is it the same way, too?
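The permission check Crashed_Again describes two posts up, and the ownership question in the post just above, as one added example that is not part of the thread: a POSIX shell script that reads owner, group and mode of a path with stat (GNU coreutils `-c` syntax assumed) and decides whether a given account can write there, which is exactly the condition behind the "Can not get write access to logging directory" error from snort -T. The same stat line answers the question about the binary: on Linux a program is just a file, so its owner and mode are read the same way as a directory's (ll is normally an alias for ls -l). The decision logic is kept as a pure function on the stat output so it can be exercised with constructed values; classic owner/group/other bits only, since ACLs and SELinux labels, which can also deny the write, are outside what it inspects. The directory it demonstrates on is created by the script, not /var/log/snort.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumes GNU coreutils (stat -c) and,
# for check_log_dir, that the account exists locally.  Only the classic
# owner/group/other bits are considered: ACLs and SELinux labels can still
# deny the write and are not inspected here.

# Owner, group and octal mode of a path, e.g. "snort snort 750".  Works for a
# directory, a log file or a binary alike: an application is just a file.
path_perms() {
    stat -c '%U %G %a' "$1"
}

# Pure decision: can user $4, whose groups are the space separated list $5,
# write to an object owned by $1:$2 with octal mode $3?  Returns 0 (yes) / 1 (no).
# Unix semantics: the owner class applies if you are the owner, else the group
# class if you are in the group, else the other class; classes do not combine.
write_allowed() {
    owner=$1; group=$2; mode=$3; user=$4; groups=$5
    [ "$user" = root ] && return 0
    mode=000$mode                       # pad so the last three digits always exist
    bits=${mode#"${mode%???}"}          # last three digits: drop suid/sgid/sticky
    o=${bits%??}; g=${bits#?}; g=${g%?}; w=${bits#??}
    if [ "$owner" = "$user" ]; then
        [ $((o & 2)) -ne 0 ]; return
    fi
    case " $groups " in
        *" $group "*) [ $((g & 2)) -ne 0 ]; return ;;
    esac
    [ $((w & 2)) -ne 0 ]
}

# Live check: does account $2 (default snort) have write access to directory
# $1?  Prints a diagnosis and the fix to apply; returns 1 on any failure.
check_log_dir() {
    dir=$1; user=${2:-snort}
    if [ ! -d "$dir" ]; then
        echo "$dir: does not exist or is not a directory"; return 1
    fi
    if ! groups=$(id -Gn "$user" 2>/dev/null); then
        echo "$user: no such user (does Snort really run as $user?)"; return 1
    fi
    set -- $(path_perms "$dir")
    if write_allowed "$1" "$2" "$3" "$user" "$groups"; then
        echo "$dir: owner=$1 group=$2 mode=$3: $user can write"
    else
        echo "$dir: owner=$1 group=$2 mode=$3: $user CANNOT write"
        echo "fix: chown -R $user:$2 $dir && chmod 750 $dir"
        return 1
    fi
}

# Demo on a directory constructed here (not /var/log/snort) for the current
# account, with the write bit first present and then removed.
me=$(id -un)
demo=$(mktemp -d)
chmod 750 "$demo"; check_log_dir "$demo" "$me" || true
chmod 550 "$demo"; check_log_dir "$demo" "$me" || true
rmdir "$demo"
# The same view for the Snort binary, if one is installed on this box.
snort_bin=$(command -v snort 2>/dev/null) && echo "snort binary: $(path_perms "$snort_bin")"
```

Run `check_log_dir /var/log/snort snort` on the sensor; for the init script case, also compare the user the script passes to snort (`-u`/`-g` in /etc/init.d/snortd or its sysconfig file) with the one you start it as from /usr/sbin/snort by hand, because a directory root can write to is exactly what the snort user cannot.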
 
  

