Snort Forums Archive

configure snort for remote MySQL logging


Posted by roastmules on March 15, 2005 06:04:45

I'm trying to configure 3 snort sensors to all report to one central MySQL database server. I run into a problem when I run the ./configure program for snort. According to most directions I should use the --with-mysql switch, but I don't know how to tell it what server to point to. Then when I edit the snort.conf file and edit the output database section to read as:

output database: log, mysql, user=snort password=****** dbname=snort host=192.*.*.*

then when I run snort -c /etc/snort/snort.conf

I get the build was not configured with MySQL etc...

Can anyone tell me where I've gone wrong?

Also, should I use Barnyard for this configuration?

Posted by maverick on March 15, 2005 06:23:46

Did you use the --with-mysql directive to ./configure? This should cover any "not compiled with mysql" errors. Did you install the necessary mysql packages on the snort boxes? Even though the database won't exist on these boxes, they still require certain mysql libraries for the mysql reporting functionality to work. Your config snippet looks correct.

Posted by roastmules on March 15, 2005 07:49:03

I tried the ./configure --with-mysql, however it would error out because MySQL is installed on another host. I did not install any MySQL files on the sensor itself. Nowhere in my reading did I come across any mention of this. If you have some more guidance on this I'd love to hear what I need to install on the sensor.

Posted by maverick on March 15, 2005 09:34:57

If I'm not mistaken, you need at least the mysql client tools installed on the sensor to be able to configure snort with mysql. It needs one of the libraries installed with it. I run redhat so I just installed the rpms off the mysql site. Go to http://dev.mysql.com/downloads/mysql/4.1.html (or whatever version is appropriate) and download the appropriate packages. I'm not positive which exact ones you need, I think client tools, but you may also need the libraries and header files.

Posted by roastmules on March 15, 2005 11:02:28

Ok, figured out the minimum setting for the snort sensor. You only need mysql-client and mysql-devel. Now I have a new issue, I went back and configured the snort.conf file then ran "snort -c /etc/snort/snort.conf" and it returned this error:

database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = 1.1.1.1
database: sensor name = 1.1.1.1
ERROR: database: mysql_error: Access denied for user: 'snort@1.1.1.1' (Using password: YES)
Fatal Error, Quitting..

I went back to the MySQL server and tried to configure access for user=snort at that host but it returns the same error. This is what I tried in MySQL:

grant INSERT,SELECT on root.* to snort@1.1.1.1;
SET PASSWORD FOR snort@1.1.1.1=PASSWORD('******')
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@1.1.1.1;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;

Is there anything else I may have missed?



Posted by maverick on March 15, 2005 11:24:10

"grant all on *.* to username@'1.1.1.1' identified by 'password';" Try that and then when you can connect, then tighten your permissions. This is a mysql issue, not snort at this point, you're almost there.
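
The "tighten your permissions" step from the reply above, as an added example that is not part of the original thread. It assumes the MySQL 4.1/5.x GRANT ... IDENTIFIED BY syntax used in the thread (MySQL 8.0 and later need CREATE USER first), the thread's placeholder sensor address 1.1.1.1, a placeholder password, and that the sensor's database output needs only INSERT, SELECT and UPDATE on the snort schema.

```sql
-- Added example: run as a MySQL administrative user on the central database server.
-- 'CHANGE_ME' and the host 1.1.1.1 are placeholders, not values to copy.

-- 1. See which snort accounts exist and what each one can do.
--    "grant ... to snort;" with no host part creates 'snort'@'%',
--    which matches connections from any address.
SELECT User, Host FROM mysql.user WHERE User = 'snort';
SHOW GRANTS FOR 'snort'@'1.1.1.1';

-- 2. Remove the temporary global grant (ALL ON *.*) used to get the
--    first connection working. This leaves the account in place with
--    no privileges at all.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'snort'@'1.1.1.1';

-- 3. Grant back only what the sensor needs, on the snort schema only,
--    for this one sensor address.
--    Assumption: INSERT, SELECT and UPDATE are sufficient for logging.
--    If Snort reports a denied statement, add that single privilege
--    rather than returning to ALL.
GRANT INSERT, SELECT, UPDATE
    ON snort.*
    TO 'snort'@'1.1.1.1'
    IDENTIFIED BY 'CHANGE_ME';

-- 4. Only if step 1 listed a wildcard-host account: strip its
--    privileges and remove it. (On MySQL 4.1, DROP USER only removes
--    accounts that hold no privileges, so the REVOKE comes first.)
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'snort'@'%';
DROP USER 'snort'@'%';

-- 5. Confirm the result: the only privilege line beyond USAGE should
--    be the schema-level grant on snort.* from step 3.
SHOW GRANTS FOR 'snort'@'1.1.1.1';
```

With three sensors, repeat steps 2, 3 and 5 once per sensor address so each sensor has its own host-scoped account.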

Posted by roastmules on March 15, 2005 11:54:17

Not sure what you're trying to say. Do I configure that in MySQL or just in the permissions of the box itself? I'm very new to this so I can only understand step-by-step directions.

Posted by roastmules on March 15, 2005 12:14:24

Ok, got it to work. Going to leave it overnight to see what it reports. By the way, all I did was blow away the database and recreate with all user=snort@1.1.1.1
Thanks, I'll let you know what it sees.