[Snort-users] snort and mysql
jed at ...153...
Mon Aug 7 13:31:14 EDT 2000
> Hi, I want to use snort 1.6.3 with mysql 3.22.32 instead of postgres (pc-linux).
> What do I have to do for this?
> In the configure file there are only options to configure it with postgres, but not with mysql (so that I can say where to find the include files or libraries).
> So which options (configure --with-libpcap...., --with-libpg.....) do I have to use, or where can I find a README?
> Which line do I have to add in the rule file?
> output log_database: mysql, dbname=snort user=root
> Is this right?
Appended are the latest instructions from the snortdb web page
(http://www.snort.org/snortdb). This should answer all of your
The first step is compiling database support into snort
1) The configure script has various options of interest to the
--with-mysql-includes=DIR mysql include directory
--with-mysql-libraries=DIR mysql library directory
--with-unixodbc-includes=DIR unixodbc include directory
--with-unixodbc-libraries=DIR unixodbc library directory
--with-libpq-includes=DIR libpq include directory
--with-libpq-libraries=DIR libpq library directory
You will need to supply the proper arguments to the "./configure"
script to get this working.
For example, to get MySQL support on my system compiled in I would
% ./configure --with-mysql-includes=/usr/include/mysql \
When the script runs you should see the following two lines
somewhere in the output.
checking for /usr/include/mysql/mysql.h... yes
checking for mysql_init in -lmysqlclient... yes
If you have made it this far, then run make and you are ready to
move on to the next step. Note that if you do not get a "yes" for
both of those your database plug-in will not work.
I have received some reports of people getting a "no" for the
checking for mysql_init in -lmysqlclient when they did supply the
proper argument. This is most likely because on some systems, to
link mysqlclient you also need the math library "-lm". If you see
this problem please let me know what kind of system you are
running, and as a temporary solution you can manually modify a few
lines of your Makefile (until I am able to come up with a better
solution in the ./configure script).
You will need to have something like the following lines in the
Makefile. Edit the current CPPFLAGS, LDFLAGS, and LIBS lines to
look something like this.
CPPFLAGS = -I/usr/include/mysql -I/usr/include/mysql -DENABLE_MYSQL
LDFLAGS = -L/usr/lib/mysql
LIBS = -lpcap -lnsl -lmysqlclient -lm
After compiling snort with database support enabled, follow these
instructions for configuration:
2) If you have not already, install MySQL, Postgresql, or
(unixODBC + some other RDBMS)
MySQL => http://www.mysql.org
Postgresql => http://www.postgresql.org
unixODBC => http://www.unixodbc.org
3) Follow directions from your database vendor to be sure your
RDBMS is properly configured and secured.
4) Follow directions from vendor to create a database for snort.
% echo "CREATE DATABASE snort;" | mysql -u root -p
5) Create a user that has privileges to INSERT, SELECT, and CREATE
on that database.
- First create a user - for this example we will use "jed"
- now grant the right privileges for that user
> grant INSERT,CREATE,SELECT on snort.* to jed at ...274...;
If you do not set the proper permissions, you may see an error
message that says:
"Problem obtaining SENSOR ID (sid) from mysql->snort->sensor"
Many people have reported seeing this error and later learned that
they did not set the proper permissions (INSERT, SELECT, and
CREATE) for the db user connecting from snort.
6) Build the structure of the database according to files supplied
with snort in the "contrib" directory as the user created in step 5.
% mysql snort < contrib/create_mysql
% psql snort < contrib/create_postgresql
If you are using unixODBC, be sure to properly configure and test
that you can connect to your data source (DSN) with isql before
trying to run snort.
For RDBMS other than MySQL and Postgresql that are accessed through
ODBC you will need to create the database structure yourself
because datatypes vary for different databases. You will need to
have the same column names and functionality for each column as in
the mysql and postgresql examples. The mysql file is the best
example to follow since it is optimized (given that mysql supports
tiny ints and unsigned ints). I intend to document this process
better in the future to make this process easier.
As you create database structure files for new RDBMS mail them in
so they can be included as part of the distribution.
7) Add configuration information to the snort configuration file
as detailed below.
output log_database: [type of database], [parameter list]
For the first argument, you must supply the type of database.
The possible values are mysql, postgresql, and unixodbc.
The parameter list consists of key value pairs. The proper
format is a list of key=value pairs, each separated by a space.
The only parameter that is absolutely necessary is "dbname".
All other parameters are optional but may be necessary depending
on how you have configured your RDBMS.
dbname - the name of the database you are connecting to
host - the host the RDBMS is on
port - the port number the RDBMS is listening on
user - connect to the database as this user
password - the password for given user
The configuration I am currently using is MySQL with the
database name of "snort". The user "jed at ...274..." has INSERT
and SELECT and CREATE privileges on the "snort" database and
does not require a password. The following line enables snort to
log to this database.
output log_database: mysql, dbname=snort user=jed host=localhost
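As an added example (not code from the snortdb page, from Snort, or from the poster), the POSIX sh function below checks an "output log_database:" line against the parameter list documented above before it goes into snort.conf. It assumes exactly the three database types (mysql, postgresql, unixodbc) and the five keys (dbname, host, port, user, password) listed in step 7, treats dbname as the one required key, and rejects user=root because step 5 asks for a separate user with only INSERT, SELECT and CREATE on the snort database. The sample lines at the bottom are constructed for the demonstration; the one with user=root mirrors the line from the original question.

```sh
#!/bin/sh
# Added example: sanity-check an "output log_database:" line for snort.
# Assumed from the instructions above: types mysql|postgresql|unixodbc,
# keys dbname|host|port|user|password, dbname required.

# Prints diagnostics on stdout; returns 0 if the line is acceptable,
# 1 if it should not be put into snort.conf as written.
check_log_database_line() {
    line=$1
    rc=0
    case "$line" in
        "output log_database:"*) ;;
        *) echo "not an 'output log_database:' line"; return 1 ;;
    esac
    rest=${line#"output log_database:"}
    # The database type is everything before the first comma.
    dbtype=$(printf '%s' "$rest" | cut -d, -f1 | tr -d ' ')
    # -s suppresses lines with no comma, so a type-only line yields no params.
    params=$(printf '%s' "$rest" | cut -d, -s -f2-)
    case "$dbtype" in
        mysql|postgresql|unixodbc) ;;
        *) echo "unknown database type '$dbtype'"; rc=1 ;;
    esac
    have_dbname=0
    for kv in $params; do
        case "$kv" in
            *=*) ;;
            *) echo "malformed parameter '$kv' (expected key=value)"; rc=1; continue ;;
        esac
        key=${kv%%=*}
        val=${kv#*=}
        case "$key" in
            dbname) have_dbname=1 ;;
            host) ;;
            port)
                case "$val" in
                    ''|*[!0-9]*) echo "port must be numeric, got '$val'"; rc=1 ;;
                esac ;;
            user)
                # The snortdb instructions want a dedicated user with only
                # INSERT, SELECT and CREATE on snort.*; root is far beyond that.
                if [ "$val" = root ]; then
                    echo "user=root: create a least-privilege user instead"
                    rc=1
                fi ;;
            password)
                # Allowed, but the secret then lives in snort.conf in clear text.
                echo "warning: password is stored in snort.conf; restrict its permissions" ;;
            *) echo "unknown parameter '$key'"; rc=1 ;;
        esac
    done
    if [ "$have_dbname" -eq 0 ]; then
        echo "missing required parameter dbname"
        rc=1
    fi
    return "$rc"
}

# Constructed sample lines (not from the page) to exercise the checker.
for l in \
    "output log_database: mysql, dbname=snort user=jed host=localhost" \
    "output log_database: mysql, dbname=snort user=root" \
    "output log_database: oracle, dbname=snort" \
    "output log_database: postgresql, dbname=snort port=54x2" \
    "output log_database: unixodbc"
do
    echo "checking: $l"
    check_log_database_line "$l" || echo "  -> rejected"
done
```

Run it as a plain script, or source it and call check_log_database_line on each candidate line; a non-zero return means the line should be fixed before Snort is started with it.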