Linux - Security (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi!
I've been trying to get my SNORT to log to a mysql database. I'm working on an assignment and really need this to work. It doesn't matter whether the database is local or not. My problem is that I don't seem to get SNORT to start my database. It looks like this when I run snort:
[root@localhost root]# snort -vi eth1 -A full -c /root/snort-2.2.0/etc/snort.conf
Running in IDS mode
Log directory = /var/log/snort
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/ping.rules
My problem is that I don't seem to get SNORT to start my database
Maybe I'm misunderstanding you, but you have to have MySQL up and running (with a properly configured database)
for Snort to use. Snort isn't going to start the database for you.
There is an excellent how-to on the Snort site on getting Snort, MySQL and Aide to run on an RH system. Even if you
aren't using RH, it will give you plenty of advice on how to get this working.
The mysql database is up and running, with the correct database and tables (described in the documents directory in snort) from the ./contrib/create_mysql file.
I manage to generate verbose alerts, so I see them. But they aren't stored in my database.
I've tried using the documents on the snort homepages, without any success.
OK, if mysql is running, can you log into it with the same account you are having snort use? Also have a look in your mysql error logs (usually in the directory with your databases) and see what kind of complaining is going on.
I have no problems logging into snort myself. I can log in and view the tables, only none of them contain anything. I've gone through my error logs, but there doesn't seem to be a problem. The only thing it complains about is being given another memory address than it asks for.
I think the problem is that snort doesn't understand that I want it to write to the database. When I start snort I do not get a message that says that it is logged in to my database. Nor do I get an error saying that it can't log in.
I'll post the relevant section of my snort configuration file when I get home tonight, but I believe that all it involved was uncommenting the mysql line and changing the user and passwords to match the snort mysql user.
Look carefully at the line I've got uncommented. It is a bit in front of the line you show in your snort.conf and I'm guessing that you need to do what I did.
Code:
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments. Win32 can also
# optionally specify a particular hostname/port. Under Win32, the
# default hostname is '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
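The symptom in this thread (alerts appear, nothing reaches the tables, no database message at startup) is exactly what you get when every `output database:` line is still commented out. The following check, added here as an illustration and not part of the thread or of Snort itself, parses a snort.conf and reports which `output database:` plugin lines are actually active and which options they carry; the sample configuration text is constructed from the Step #3 fragment above, and treating `user` and `dbname` as required options is an assumption (check README.database for your Snort version).

```python
import re

# Constructed sample, modelled on the Step #3 section posted in the thread.
# Note that the password sits in cleartext in snort.conf, so the file itself
# needs restrictive permissions on a real sensor.
SAMPLE_CONF = """\
# Step #3: Configure output plugins
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost
output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
include $RULE_PATH/local.rules
"""

# "output <plugin>: <configuration_options>" as described in the conf comments
OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*:\s*(.*)$")


def parse_database_outputs(conf_text):
    """Return the active (uncommented) 'output database:' configurations.

    Each entry holds the facility ('log' or 'alert'), the database type and
    the key=value options that follow them (user, password, dbname, host...).
    """
    found = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # a commented line never reaches Snort's plugin loader
        m = OUTPUT_RE.match(stripped)
        if not m or m.group(1) != "database":
            continue
        parts = [p.strip() for p in m.group(2).split(",", 2)]
        if len(parts) < 3:
            continue  # malformed: expects "<log|alert>, <dbtype>, <options>"
        facility, dbtype, opts = parts
        options = dict(kv.split("=", 1) for kv in opts.split() if "=" in kv)
        found.append({"facility": facility, "dbtype": dbtype, **options})
    return found


def missing_required(entry, required=("user", "dbname")):
    """Assumed-required options absent from one parsed entry."""
    return [k for k in required if k not in entry]


if __name__ == "__main__":
    active = parse_database_outputs(SAMPLE_CONF)
    if not active:
        print("no active 'output database:' line; Snort will not touch the DB")
    for e in active:
        print(e, "missing:", missing_required(e))
```

Running it against your own file (`parse_database_outputs(open("/root/snort-2.2.0/etc/snort.conf").read())`) tells you immediately whether Snort has any reason to connect to MySQL at all.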