
Snort Forums Archive


How to log & alert to MSSQL?


Posted by ggdayup on November 17, 2005 00:13:08

Hello everyone! I am just starting in snort. I have read
http://www.winsnort.com/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=14&page=1
very carefully, and User Manual[pdf] too.

But I still don't know how to send both "log" and "alert" to MSSQL.


1. I suppose this sentence in snort.conf will affect the output of snort, but I can't figure out how.

Quote: › output database: alert, mssql, user=snort password=l0gg3r dbname=snort host=X.X.X.X port=1433 sensor_name=HOSTNAME



2. Command like

Quote: › ./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf

just logs to files on the local disk, but how can I log to MSSQL?



3. How does it affect the output if I use a command like this without specifying the "-l" option:

Quote: › ./snort -b -A fast -c snort.conf

Posted by chris on December 23, 2005 14:32:39

Hi ggday,
I hope I've understood your questions correctly, but if I'm being too obvious, sorry.
1)
You'll have to include two database output plug-in configuration lines, one for each of the 'alert' and 'logging' databases. The first one you have will log data to the 'alert' database; the other line will be for the 'log' database.
2)
This is correct, but the configuration line to start snort will take care of logging to the databases.
3)
The problem with logging from snort directly to a database is that snort has to cope with the database connections, inserts to the database, etc., which all takes time. If you have a big pipe, you stand a chance of losing some packets while snort is busy working with the database.
The config line you have will log in binary, so you could use barnyard to read the snort logs generated and then insert them into the database, where you can then read them.
I hope this helps, Merry Xmas.
Chris
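An added example, not from the original thread, of the snort.conf fragments the two approaches above need (Snort 2.x syntax). The host, credentials and sensor name are placeholders taken from the poster's own line; the unified file names are assumptions. Two practitioner notes: barnyard consumes the unified files written by the `alert_unified` / `log_unified` output plugins, not the tcpdump-format capture that `-b` produces, and the database credentials sit in cleartext in snort.conf, so restrict that file's permissions and give the `snort` database account only the rights it needs rather than a DBA/sa login.

```conf
# --- Option A: snort inserts into MSSQL itself (added example) ---
# One "output database:" line per facility. The "alert" type stores the
# event and packet headers only; the "log" type also stores the packet.
# Both point at the same database and sensor_name.
output database: alert, mssql, user=snort password=l0gg3r dbname=snort host=X.X.X.X port=1433 sensor_name=HOSTNAME
output database: log, mssql, user=snort password=l0gg3r dbname=snort host=X.X.X.X port=1433 sensor_name=HOSTNAME

# --- Option B: snort writes unified binary files, barnyard does the inserts ---
# The files land in the directory given with -l (or snort's default log
# directory if -l is omitted); "limit" is the roll-over size in megabytes.
# File names are assumptions for this example.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
```

With Option A the command line does not change: `snort -c snort.conf -l <logdir>` is enough, and every insert happens on snort's packet-processing path, which is the packet-loss risk described above. With Option B snort is started the same way, and barnyard is then pointed at the unified files in `<logdir>`; barnyard's own configuration file and database output plugins are documented with the barnyard distribution, so check that your barnyard build actually supports MSSQL before choosing this route.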

Posted by sibi on June 23, 2006 03:24:27

I think I have the same problem, but with MySQL.
I have installed snort on Windows 2000 Server. When I run snort from the command line, I get log files created in the log directory and an alert.ids file in the same directory, but I couldn't get data into my DB. Do I have to change my snort.conf file, or else what should I do? Please help. Please also suggest how to convert the data of the alert.ids file to a readable format. Thank you.