[Snort-users] Database Logging with redundancy

Jed Pickel jed at ...153...
Tue Aug 29 14:23:05 EDT 2000


> Ok...here is the situation.  Multiple remote machines running snort all
> logging to a central mysql database.  What if the central database server
> goes down?  Is there any way to build some sort of redundency into this
> system?  Back up text logging?  Backup Mysql on the remote machine?
> I know it would be better to have the remote machines log to a local
> mysql and then have cron do a mysql dump and send the file over to
> the central database server, but then I would not have real time
> access to the data at my central mysql server.  What to do here?
> Can I run snort twice with one logging to local mysql and one to
> remote?

You can build redundancy by using multiple output plugins. Here are
some examples.

Multiple instantiations of the database plugin:

  output log_database: mysql, dbname=snort host=localhost user=xyz
  output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz

Remote database and local tcpdump:

  output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz
  output log_tcpdump: /var/log/snort.tcpdump

  Then you can replay the tcpdump file through snort to recreate the 
  database.
  
Remote database, local xml (development version only):

  output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz
  output xml: alert, file=/tmp/snort.xml 

You can even use your own rule types to redundantly log only
certain rules.

  output log_database: mysql, dbname=snort host=localhost user=xyz

  ruletype VeryRedundantLog
  {
    type log
    output log_database: mysql, dbname=snort host=localhost user=xyz
    output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz
    output log_tcpdump: /var/log/snort.tcpdump
    output xml: alert, file=/tmp/snort.xml 
  }

  # only this rule gets redundantly logged; all others just go to
  # the local database (the rule type must match the ruletype name above)
  VeryRedundantLog tcp any any -> any any (msg:"TCP Packet";)

  alert udp any any -> any any (msg:"UDP Packet";)
  alert icmp any any -> any any (msg:"ICMP Packet";)

Snort is very configurable. You can log almost any way you choose. I
hope to make snort even more configurable by adding input plugins.
This way you could for example use data in a database or xml file as
an input to snort and generate any kind of output you want. The idea
is to be able to translate any one of the structured output formats to
any other format.

> Will snort crash if it loses its connection to the remote
> mysql database?

Nope. It should spit out an error message. I have never tested that
condition though. If you find it behaves differently than I expect, let
me know.

* Jed
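As an added example, not part of Jed's post: a replay configuration for the
"remote database and local tcpdump" setup above, used to rebuild the central
database from the local tcpdump file once the database server is back. It
assumes the production rules live in a file called snort.rules (an assumed
name) and uses snort's standard -r (read a tcpdump file) and -c (config file)
options; the file name replay.conf is also an assumption.

```conf
# replay.conf (assumed name): run only when re-importing the local
# tcpdump file into the central database after an outage.
#
# Invocation:   snort -r /var/log/snort.tcpdump -c replay.conf
#
# The same rule set as production, so the replayed packets produce the
# same database events the central server missed.
include snort.rules

# Only the remote database output is enabled for the replay.  The
# production "output log_tcpdump: /var/log/snort.tcpdump" line is
# deliberately left out so the replay does not write to the very file
# it is reading.
output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz
```

Replaying the whole file re-inserts every event in it, including those the
central database already received while it was up, so start a fresh tcpdump
file (restart snort with a new file name) at the start and end of an outage
and replay only the file that covers the gap.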
