[Snort-users] snort and mysql

Jed Pickel jed at ...153...
Mon Aug 7 13:31:14 EDT 2000

> hi, i want to use snort 1.6.3 with mysql 3.22.32 instead of postgres (pc-linux).
> what i have to do for this?
> in the configure file there are only options to configure it with postgres, but not with mysql (so that i can say where to find the includefiles oder libraries).
> so which options (configure --with-libpcap...., --with-libpg.....) i have to use, or where i can find the a README.
> which line i have to add in the rule file???
> output log_database: mysql, dbname=snort user=root
> is this right?

Hey Werner,

Appended are the latest instructions from the snortdb web page.
(http://www.snort.org/snortdb) This should answer all of your
questions above.

* Jed

The first step is compiling database support into snort 

1) The configure script has various options of interest to the
   database plug-in.

   --with-mysql-includes=DIR      mysql include directory
   --with-mysql-libraries=DIR     mysql library directory
   --with-unixodbc-includes=DIR   unixodbc include directory
   --with-unixodbc-libraries=DIR  unixodbc library directory
   --with-libpq-includes=DIR      libpq include directory
   --with-libpq-libraries=DIR     libpq library directory

   You will need to supply the proper arguments to the "./configure"
   script to get this working.

   For example, to get MySQL support on my system compiled in I would

   % ./configure --with-mysql-includes=/usr/include/mysql \

   When the script runs you should see the following two lines
   somewhere in the output.

   checking for /usr/include/mysql/mysql.h... yes
   checking for mysql_init in -lmysqlclient... yes

   If you have made it this far, then run make and you are ready to
   move on to the next step. Note that if you do not get a "yes" for
   both of those your database plug-in will not work.

   I have received some reports of people getting a "no" for the
   checking for mysql_init in -lmysqlclient when they did supply the
   proper argument. This is most likely because on some systems, to
   link mysqlclient you also need the math library "-lm". If you see
   this problem please let me know what kind of system you are
   running, and as a temporary solution you can manually modify a few
   lines of your Makefile (until I am able to come up with a better
   solution in the ./configure script).

   You will need to have something like the following lines in the
   Makefile. Edit the current CPPFLAGS, LDFLAGS, AND LIBS lines to
   look something like this.

   CPPFLAGS =  -I/usr/include/mysql -I/usr/include/mysql -DENABLE_MYSQL
   LDFLAGS =  -L/usr/lib/mysql LIBS = -lpcap -lnsl -lmysqlclient -lm

   After compiling snort with database support enabled, follow these
   instructions for configuration:

2) If you have not already, install MySQL, Postgresql, or 
   (unixODBC + some other RDBMS)
       MySQL      => http://www.mysql.org
       Postgresql => http://www.postgesql.org
       unixODBC   => http://www.unixodbc.org

3) Follow directions from your database vendor to be sure your
   RDBMS is properly configured and secured.

4) Follow directions from vendor to create a database for snort.
      MySQL example
      % echo "CREATE DATABASE snort;" | mysql -u root -p

5) Create a user that has privileges to INSERT, SELECT, and CREATE
   on that database.
      - First create a user - for this example we will use "jed"
      - now grant the right privileges for that user
      > grant INSERT,CREATE,SELECT on snort.* to jed at ...274...;

   If you do not set the proper permissions, you may see an error
   message that says:

     "Problem obtaining SENSOR ID (sid) from mysql->snort->sensor"

   Many people have reported seeing this error and later learned that
   they did not set the proper permissions (INSERT, SELECT, and
   CREATE) for the db user connecting from snort.

6) Build the structure of the database according to files supplied
   with snort in the "contrib" directory as the user created in step 4.

   For MySQL
   % mysql snort < contrib/create_mysql

   For Postgresql
   % psql snort < contrib/create_postgresql

   If you are using unixODBC, be sure to properly configure and test
   that you can connect to your data source (DSN) with isql before
   trying to run snort.

   For RDBMS other than MySQL and Postgresql that are accessed through
   ODBC you will need to create the database structure yourself
   because datatypes vary for different databases. You will need to
   have the same column names and functionality for each column as in
   the mysql and postgresql examples. The mysql file is the best
   example to follow since it is optimized (given that mysql supports
   tiny ints and unsigned ints). I intend to document this process
   better in the future to make this process easier.

   As you create database structure files for new RDBMS mail them in
   so they can be included as part of the distribution.

7) Add configuration information to the snort configuration file
   as detailed below.

      output log_database: [type of database], [parameter list]
      For the first argument, you must supply the type of database.
      The possible values are mysql, postgresql, and unixodbc.
      The parameter list consists of key value pairs. The proper
      format is a list of key=value pairs each separated a space.

      The only parameter that is absolutely necessary is "dbname".
      All other parameters are optional but may be necessary depending
      on how you have configured your RDBMS.

        dbname - the name of the database you are connecting to

        host - the host the RDBMS is on
        port - the port number the RDBMS is listening on
        user - connect to the database as this user
        password - the password for given user

      The configuration I am currently using is MySQL with the
      database name of "snort". The user "jed at ...274..." has INSERT
      and SELECT and CREATE privileges on the "snort" database and
      does not require a password. The following line enables snort to
      log to this database.
      output log_database: mysql, dbname=snort user=jed host=localhost

More information about the Snort-users mailing list