- Package: MySQL
  Version: 3.23.x+
  Description: Open Source RDBMS
  Reason: Back-end database
  Homepage: http://www.mysql.com/

- Package: PostgreSQL
  Version: 7.1+
  Description: Open Source RDBMS
  Reason: Back-end database
  Homepage: http://www.postgresql.org/

- Package: Microsoft SQL Server
  Version: 7+
  Description: Production RDBMS
  Reason: Back-end database
  Homepage: http://www.microsoft.com/sql/default.asp

- Package: Oracle
  Version: 8+
  Description: Production RDBMS
  Reason: Back-end database
  Homepage: http://www.oracle.com/

- Package: unixODBC
  Version: 2.2.*
  Description: non-Windows ODBC library
  Reason: ODBC library
  Homepage: http://www.unixodbc.org/
- Package: Snort
  Version: 1.7+
  Description: Network Intrusion Detection System
  Reason: Detects security events
  Homepage: http://www.snort.com/
In order to log from Snort, the RDBMS must first be installed. The specifics of this process can be found in the database documentation.
Note with Red Hat packages (.rpm): MySQL is distributed as 5 different packages.
Table #1: Required .RPMs for installing MySQL

                            | Snort and MySQL |                 |
                            | on same machine |                 |
  Library and Headers       |        X        |        X        |        X
  Client Shared libraries   |        X        |        X        |        X
The run-time linker must be able to locate the shared client library of the database. Ensure that the directory containing it is in the LD_LIBRARY_PATH environment variable or, on Linux systems, that this directory is in the /etc/ld.so.conf file (remember to run

Table #2: Filenames of the required shared client libraries

For example, if libmysqlclient.so, the MySQL client library, was installed in /usr/local/mysql/lib, then this directory would need to be either in the LD_LIBRARY_PATH environment variable or in /etc/ld.so.conf on Linux systems.
Failure by the run-time linker to locate the database library will result in an error as follows (for MySQL) at snort start-up:
  snort: error loading shared libraries: libmysqlclient.so ... : No such file or directory
2. Install Snort
  shell> ./configure
  shell> make
  shell> make install

If MySQL, PostgreSQL, Oracle, or unixODBC is installed in a standard place, the ./configure script will automatically detect the location of the include and library files.
Note: native MS-SQL Server support is NOT possible on Unix without the use of ODBC. For native SQL Server support use snort on Windows.
If they are not installed in a standard directory, the appropriate switch to the ./configure script needs to be used:

  --with-mysql=DIR         support for mysql
  --with-odbc=DIR          support for odbc
  --with-postgresql=DIR    support for postgresql
  --with-oracle=DIR        support for oracle

The DIR value should be set to the base directory of the database installation. For example, to add MySQL database support where the base directory of the installation is /usr/local/mysql:

  shell> ./configure --with-mysql=/usr/local/mysql

The following is the database-specific output of the ./configure script:

  checking for mysql... yes
  checking for odbc... yes
  checking for postgresql... yes
  checking for oracle... yes
If "yes" is not returned for the desired database type, then the database library has not been detected correctly. Specify the appropriate directory with the corresponding ./configure script switch.
Attempting to later use database logging without support being compiled in will result in the following error message at snort start-up (this example assumes that MySQL logging was configured but this build of snort does not support it):

  database: compiled support for ( )
  database: configured to use mysql
  database: mysql support is not compiled in this copy
  Check your configuration file to be sure you did not mis-spell "mysql".
  If you did not, you will need to reconfigure and recompile ensuring that you have set the correct options to the configure script.
  Type "./configure --help" to see options for the configure script.
  Fatal Error, Quitting..
Snort can be built from source under Windows; however, the standard UNIX configure script will not be present. The appropriate MS Visual Studio project files are included in the

Pre-compiled Snort binaries for Windows with database support can be found at:

Note: Native MS-SQL Server support is only possible on the Windows version of snort.
[MySQL]
  shell> echo "CREATE DATABASE snort;" | mysql -u root -p

[PostgreSQL]
  shell> createdb snort

[Oracle]
  Use DBA Studio to create the new database

[MS SQL Server]
  Use the appropriate DBA tool to execute the following SQL:
    CREATE DATABASE snort;
Supplied in the contrib/ directory of the Snort distribution will be the appropriate table creation (DDL) script.

Table 3: DDL script names

  Database Type    Script Name
  MySQL            create_mysql
  PostgreSQL       create_postgresql
  Oracle           create_oracle.sql
  MS SQL Server

The script which corresponds to the deployed database type must be run against the new database created in Step #3. Note: All the examples below assume that the database name is "snort", and that the relative path to the DDL script is "./contrib".
[MySQL]
  shell> mysql -D snort -u root -p < ./contrib/create_mysql

[PostgreSQL]
  shell> psql snort < ./contrib/create_postgresql

  Note: This example assumes that the current user has the appropriate privileges to create tables in the snort database.

[Oracle]
  Use DBA Studio or SQL Plus to run the create_oracle.sql script.

[MS SQL Server]
  Use the appropriate DBA tool to run the
[MySQL]
  shell> mysql -u root -D mysql -p
  mysql> GRANT INSERT, SELECT on snort_db_name.* to snort@sensor1 \
         IDENTIFIED BY 'snort_password';
  mysql> quit;

  Note: Remember that MySQL users consist of a user name and a hostname. From each host that a connection to the database will be made, there must be a corresponding user/hostname entry.

[PostgreSQL]
  shell> createuser snort_db_user
  Shall the new user be allowed to create databases? (y/n) n
  Shall the new user be allowed to create more new users? (y/n) n
  CREATE USER

[Oracle] and [MS SQL Server]
  Use the appropriate DBA tool to create a user named "snort_db_user"

Note on assigning a password: There are known issues with using certain special characters such as '$' (dollar sign) in passwords when they are passed from Snort. If everything appears to be configured correctly but authentication always fails, try testing with a password without these characters.
6. Grant permission to the database user
Table 4: Required Permission on the database objects (tables and sequences)

                                  |      DB Permission       |       Applies to Database
  DB Object Name                  | SELECT | INSERT | UPDATE | MySQL | PgSQL | MSSQL | Oracle
  ================================+========+========+========+=======+=======+=======+=======
  data                            |        |   X    |        |   X   |   X   |   X   |   X
  detail                          |   X    |        |        |   X   |   X   |   X   |   X
  encoding                        |   X    |        |        |   X   |   X   |   X   |   X
  event                           |   X    |   X    |        |   X   |   X   |   X   |   X
  icmphdr                         |        |   X    |        |   X   |   X   |   X   |   X
  iphdr                           |        |   X    |        |   X   |   X   |   X   |   X
  opt                             |        |   X    |        |   X   |   X   |   X   |   X
  reference                       |        |   X    |        |   X   |   X   |   X   |   X
  reference_system                |   X    |   X    |        |   X   |   X   |   X   |   X
  schema                          |   X    |        |        |   X   |   X   |   X   |   X
  sensor                          |   X    |   X    |        |   X   |   X   |   X   |   X
  sig_class                       |   X    |   X    |        |   X   |   X   |   X   |   X
  sig_reference                   |   X    |   X    |        |   X   |   X   |   X   |   X
  signature                       |   X    |   X    |        |   X   |   X   |   X   |   X
  tcphdr                          |        |   X    |        |   X   |   X   |   X   |   X
  udphdr                          |        |   X    |        |   X   |   X   |   X   |   X
  reference_ref_id_seq            |   X    |        |   X    |       |   X   |       |   X
  reference_sys_ref_system_id_seq |   X    |        |   X    |       |   X   |       |   X
  sensor_sid_seq                  |   X    |        |   X    |       |   X   |       |   X
  sig_class_sig_class_id_seq      |   X    |        |   X    |       |   X   |       |   X
  signature_sig_id_seq            |   X    |        |   X    |       |   X   |       |   X

  X = required permission
[MySQL]
  If the database user was created successfully per the instructions in step 5, no additional action is necessary. If an existing user will be used, issue the following command:
  shell> echo "GRANT INSERT, SELECT on snort_db_name.* to snort@sensor1" | \
         mysql -u root -D mysql -p

[PostgreSQL]
  shell> psql snort
  psql> GRANT SELECT ON detail, encoding, event, reference_system, schema, \
        sensor, sig_class, sig_reference, signature \
        TO snort_db_user;
  psql> GRANT INSERT ON data, event, icmphdr, iphdr, opt, reference, \
        reference_system, sensor, sig_class, sig_reference, \
        signature, tcphdr, udphdr \
        TO snort_db_user;
  psql> GRANT UPDATE ON reference_ref_id_seq, reference_sys_ref_system_id_seq, \
        sensor_sid_seq, sig_class_sig_class_id_seq, \
        signature_sig_id_seq \
        TO snort_db_user;

[Oracle] and [MS SQL Server]
  Use the appropriate DBA tool to assign the permissions.
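As an added example (not part of the Snort README or its contrib scripts), the permission matrix of Table 4 encoded once in Python and used two ways: to generate the per-privilege PostgreSQL GRANT statements of step 6, and to audit what a user actually holds against the matrix so that a missing privilege (inserts will fail) or an excess one (more than Snort needs) is reported. The psql-style listing, the role name snort_db_user and the "object | privilege" input shape are constructed assumptions.

```python
# Required privileges per object from Table 4 (S=SELECT, I=INSERT, U=UPDATE).
# The *_seq entries exist only on PostgreSQL and Oracle.
REQUIRED = {
    "data": "I", "detail": "S", "encoding": "S", "event": "SI", "icmphdr": "I",
    "iphdr": "I", "opt": "I", "reference": "I", "reference_system": "SI",
    "schema": "S", "sensor": "SI", "sig_class": "SI", "sig_reference": "SI",
    "signature": "SI", "tcphdr": "I", "udphdr": "I",
    "reference_ref_id_seq": "SU", "reference_sys_ref_system_id_seq": "SU",
    "sensor_sid_seq": "SU", "sig_class_sig_class_id_seq": "SU",
    "signature_sig_id_seq": "SU",
}
PRIV = {"S": "SELECT", "I": "INSERT", "U": "UPDATE"}

def pg_grants(user="snort_db_user"):
    """One PostgreSQL GRANT per privilege, naming every object that needs it."""
    stmts = []
    for code in "SIU":
        objs = [o for o, p in REQUIRED.items() if code in p]
        stmts.append(f"GRANT {PRIV[code]} ON {', '.join(objs)} TO {user};")
    return stmts

def audit(granted):
    """Compare actual grants {object: {privilege, ...}} with Table 4.
    Returns (missing, excess) as sorted 'object:PRIVILEGE' strings."""
    missing, excess = [], []
    for obj in sorted(set(REQUIRED) | set(granted)):
        need = {PRIV[c] for c in REQUIRED.get(obj, "")}
        have = set(granted.get(obj, ()))
        missing += [f"{obj}:{p}" for p in sorted(need - have)]
        excess += [f"{obj}:{p}" for p in sorted(have - need)]
    return missing, excess

def parse_psql(text):
    """Parse a psql-style 'table_name | privilege_type' listing into a dict."""
    granted = {}
    for line in text.splitlines()[2:]:          # skip header and separator
        obj, priv = (f.strip() for f in line.split("|"))
        granted.setdefault(obj, set()).add(priv)
    return granted

# Constructed sample, shaped like a psql query on information_schema.role_table_grants.
SAMPLE = """\
 table_name | privilege_type
------------+----------------
 data       | INSERT
 data       | DELETE
 detail     | SELECT
 event      | SELECT
"""
```

Running audit(parse_psql(SAMPLE)) flags event:INSERT (among others) as missing and data:DELETE as excess, which is the check worth repeating after any DBA tool has been used to assign rights by hand.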