Logging Alerts to a Database
Problem
You want your Snort alerts to be logged to a database.
Solution
Snort can log to a database through its database output plug-in, which is configured in the snort.conf file. The following is the section of snort.conf where you uncomment and fill in the line for the database you are using. Note that the database password sits in plaintext in this file, so restrict read access to snort.conf to the account that runs Snort, and use a dedicated low-privilege database account rather than root:
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db
#            host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
You must run Snort in NIDS mode (with the -c option) so that it reads snort.conf and loads the output plug-in:
C:\Snort\bin>snort -l c:\snort\log -c c:\snort\etc\snort.conf
Discussion
Currently, Snort has database output plug-ins for MySQL, PostgreSQL, unixODBC, Oracle, and MS SQL Server. Make sure the parameters for your database are configured correctly, including the database type, username, password, and database name. You must also decide whether you want the database to receive only alerts or both logs and alerts. If the database plug-in is configured with the "alert" facility, it records only output from alert rules. If it is configured with the "log" facility, it records output from both log and alert rules. You can log to multiple databases at once, including multiple instances of the same database type, if desired. However, every additional output destination adds load on the Snort engine and the CPU, so choose your hardware and operating system carefully when logging to multiple databases.
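The following is an added example, not code from the Snort Cookbook or the Snort project. It parses the "output database:" directive syntax shown above (facility, database type, then key=value parameters) from a snort.conf and reports the problems a reviewer would flag before deploying a sensor: an unknown facility or database type, a missing user or dbname (treating those two as required is an assumption based on the sample lines above), logging as root, a plaintext password in the file, and an identical directive listed twice, which doubles the load the Discussion warns about without recording anything new. The configuration text at the bottom is constructed for the example.

```python
"""Lint the 'output database:' directives in a snort.conf file.

Directive syntax (as shown in the stock snort.conf):
    output database: <facility>, <db type>, key=value key=value ...
<facility> is 'alert' or 'log'; <db type> is one of the backends Snort
ships plug-ins for.
"""
import re

FACILITIES = {"alert", "log"}
DB_TYPES = {"mysql", "postgresql", "odbc", "mssql", "oracle"}
# Assumption: every directive needs at least a user and a database name.
REQUIRED = {"user", "dbname"}

DIRECTIVE = re.compile(
    r"^output\s+database:\s*(?P<facility>\w+)\s*,\s*(?P<dbtype>\w+)\s*,?\s*(?P<params>.*)$"
)


def parse_database_outputs(conf_text):
    """Return one dict per active (uncommented) database output directive."""
    outputs = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # the stock snort.conf ships these lines commented out
        m = DIRECTIVE.match(line)
        if not m:
            continue  # some other output plug-in or unrelated directive
        params = {}
        for tok in m.group("params").split():
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key.lower()] = value
        outputs.append({
            "line": lineno,
            "facility": m.group("facility").lower(),
            "dbtype": m.group("dbtype").lower(),
            "params": params,
        })
    return outputs


def lint(outputs):
    """Return a list of (line number, finding) tuples for the parsed directives."""
    findings = []
    seen = {}
    for o in outputs:
        line, params = o["line"], o["params"]
        if o["facility"] not in FACILITIES:
            findings.append((line, f"unknown facility {o['facility']!r}; use alert or log"))
        if o["dbtype"] not in DB_TYPES:
            findings.append((line, f"unsupported database type {o['dbtype']!r}"))
        missing = REQUIRED - set(params)
        if missing:
            findings.append((line, "missing parameter(s): " + ", ".join(sorted(missing))))
        if params.get("user") == "root":
            findings.append((line, "logging as the database superuser; use a dedicated snort account"))
        if "password" in params:
            findings.append((line, "plaintext password in snort.conf; restrict the file's permissions"))
        # Same facility, backend, host and database twice: duplicate load, no new data.
        key = (o["facility"], o["dbtype"], params.get("host", "localhost"), params.get("dbname"))
        if key in seen:
            findings.append((line, f"identical to the directive on line {seen[key]}"))
        else:
            seen[key] = line
    return findings


# Constructed sample configuration for the example (not a real snort.conf).
SAMPLE_CONF = """\
# database: log to a variety of databases
# output database: log, mysql, user=root password=test dbname=db host=localhost
output database: alert, mysql, user=snort password=s3cret dbname=snort host=127.0.0.1
output database: log, postgresql, user=snort dbname=snort
output database: log, mysql, user=root dbname=snort
output database: log, postgresql, user=snort dbname=snort
"""

if __name__ == "__main__":
    for line, msg in lint(parse_database_outputs(SAMPLE_CONF)):
        print(f"snort.conf:{line}: {msg}")
```

Run against a real snort.conf by reading the file into parse_database_outputs; only uncommented directives are examined, so a stock configuration with every database line still commented out produces no output at all, which is itself a useful check that the plug-in is not actually enabled.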
See Also
Recipe 2.12
Recipe 2.5
http://www.mysql.org
http://www.postgresql.org
http://www.unixodbc.org
http://www.oracle.org
http://www.microsoft.com
Installing and Configuring MySQL