LinuxQuestions.org
Old 11-19-2005, 01:03 PM   #1
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Rep: Reputation: 30
snort and mysql


Hello,

I know this topic has been posted a bunch and I think I have read all the posts, but I am still stuck getting snort to log to mysql. The error I receive is one of not having the table created on my SNORT db.
Code:
database: mysql_error: Table 'SNORT.sensor' doesn't exist
database: mysql_error: Table 'SNORT.sensor' doesn't exist
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) VALUES ('192.168.1.1','xl0','1','0', '0')
database: mysql_error: Table 'SNORT.sensor' doesn't exist
database: Problem obtaining SENSOR ID (sid) from SNORT->sensor
ERROR:
 When this plugin starts, a SELECT query is run to find the sensor id for the
 currently running sensor. If the sensor id is not found, the plugin will run
 an INSERT query to insert the proper data and generate a new sensor id. Then a
 SELECT query is run to get the newly allocated sensor id. If that fails then
 this error message is generated.

 Some possible causes for this error are:
  * the user does not have proper INSERT or SELECT privileges
  * the sensor table does not exist
I have not created any tables, so I know that's why I receive the error. I have been following this tut:
http://www.bsdguides.org/guides/free...nortreport.php
That is using snortreport, but I just kinda skip over that stuff. I was just more interested in the mysql part, as well as reading a bunch of others.
I have created the user snort and given him insert, select, update, delete privileges on the SNORT db I created....however I have not created a table on the db so I guess that's where I am at right now.
On the link I posted above there was a section from the tut that looked like it was creating the table
Code:
cd /usr/ports/security/snort/work/snort-*/contrib
mysql -u root -p -D snort < create_mysql
However that path is not valid in my ports collection.
So I am sorry to beat a dead horse on the snort sql subject, but any help is greatly appreciated.
Many thanks in advance.

mysql -V
mysql Ver 14.7 Distrib 4.1.14, for portbld-freebsd5.4 (i386) using 4.3
snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.4.3 (Build 26) FreeBSD
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.



Last edited by lord-fu; 11-19-2005 at 01:12 PM.
 
Old 11-20-2005, 09:11 PM   #2
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Original Poster
Rep: Reputation: 30
Well I have figured out the above problem. When I installed snort I installed with the
Code:
make install clean
This wipes out the work dir that contained the create_mysql script. After a quick backup of /usr/local/etc/snort/snort.conf and a
Code:
make deinstall clean
then
Code:
make install
Copy snort.conf back and then from within the /usr/ports/security/snort/work/snort-2.4.3/schemas dir.
Code:
mysql -p -D SNORT < create_mysql
The needed tables are now created.
Now I receive this error when trying to start snort.
Code:
 Unable to open rules file: ./rules//local.rules or /usr/local/etc/snort/./rules//local.rules
Off to googleland....
[edit] Got my rules file dir in place, but have a new error
Code:
ERROR: Undefined variable name: (/usr/local/etc/snort/rules/exploit.rules:35): SMTP_SERVERS
I should be able to comment out rules I don't need right? Only one way to find out....[/edit]
[edit]I swear this is the last post to this.....I just did not have the include statements commented out in snort.conf. Sorry to keep reposting...hope my issues help someone in the future.[/edit]

Last edited by lord-fu; 11-20-2005 at 10:28 PM.
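
The two startup errors in post #2 (a rules file that cannot be opened, and a rule that uses a variable snort.conf never defines) can be caught before starting Snort. The script below is an added example, not part of the original thread or of Snort itself; the function name `check_snort_conf` and the sample config are constructed for illustration, and it assumes only `var NAME value` and `include $RULE_PATH/...` style lines.

```shell
#!/bin/sh
# Added example: preflight check for a Snort 2.x style snort.conf.
# Prints "MISSING <include>" for active include lines whose file is unreadable
# and "UNDEFINED <NAME> in <include>" for $NAME used in a rule header without
# a matching "var NAME ..." line in snort.conf.
check_snort_conf() {
    conf=$1
    confdir=$(dirname "$conf")
    defined=$(awk '$1 == "var" { print $2 }' "$conf")
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3 }' "$conf")
    # Commented-out includes start with "#", so $1 is never "include" for them.
    awk '$1 == "include" { print $2 }' "$conf" |
    while read -r inc; do
        file=$(printf '%s\n' "$inc" | sed "s|\\\$RULE_PATH|$rule_path|")
        # Relative paths are resolved against the directory of snort.conf.
        case $file in /*) ;; *) file=$confdir/$file ;; esac
        if [ ! -r "$file" ]; then
            echo "MISSING $inc"
            continue
        fi
        # Only the rule header (text before the first "(") is scanned.
        grep -v '^[[:space:]]*#' "$file" | sed 's/(.*//' |
        grep -o '\$[A-Z_][A-Z0-9_]*' | tr -d '$' | sort -u |
        while read -r name; do
            echo "$defined" | grep -qx "$name" ||
                echo "UNDEFINED $name in $inc"
        done
    done
}

# Constructed sample: a temporary config with one missing rules file and one
# rule that uses a variable the config never defines.
demo() {
    dir=$(mktemp -d) && mkdir "$dir/rules"
    cat > "$dir/snort.conf" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ./rules
include $RULE_PATH/local.rules
include $RULE_PATH/exploit.rules
# include $RULE_PATH/smtp.rules
EOF
    cat > "$dir/rules/exploit.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"constructed"; sid:1000001;)
EOF
    check_snort_conf "$dir/snort.conf"
    rm -rf "$dir"
}
demo
```

To check a real config, call `check_snort_conf /usr/local/etc/snort/snort.conf`; Snort's own `-T` option also tests a configuration without starting capture.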
 
  

