[Snort-users] MySQL Help Needed w Snort

shawn . moyer shawn at ...1184...
Thu Mar 1 01:31:21 EST 2001


ryan wrote:

> output database: log, mysql,  user=snort dbname=snort host=localhost
> password=snotty encoding=ascii detail=full

I'd use the second one if you want to look at actual packets -- it will
be a bit slower, but you'll get more data. You may have performance
problems if (as your rules imply) your DB is on the same box as Snort
itself and you're running on a very noisy segment, though.
 
> WARNING: command line overrides rules file alert plugin!

As Jed stated, -A full will disable the DB plugin.

Once you get DB logging working you should see something like this when
Snort starts:

database: compiled support for ( postgresql )
database: configured to use postgresql
database: database name = snort
database:          user = snort
database:   sensor name = Blah
database: data encoding = ascii
database: detail level  = full
database:          host = X.X.X.X
database:     sensor id = 1
database: using the "alert" facility
Using LOCAL time
database: Closing postgresql connection to database "snort"

> Lastly I don't know if anyone else had this problem but you have to
> modify snort's configure/makes considerably to understand how to link
> its client out files to the mysql lib. It especially sucks for some of
> our basic users who use Nusphere installs(mysql,perl,php,ssl,webmin,..)

./configure --with-<db>=/path/to/db_installation works fine for me on
multiple boxen. 

Do an ldd of the Snort binary and verify that the libmysqlclient.so dep
is in ld.so.conf, or alternatively add an LD_LIBRARY_PATH envar in your
Snort startup script. 

--shawn

-- 
s h a w n   m o y e r
shawn at ...1184...

Man will occasionally stumble over the truth,
but most of the time he will pick himself up and continue on.

					-- Churchill

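The ldd check shawn describes, written out as an added example (this is not code from the original post or from Snort): a small POSIX shell script that pulls the "not found" entries out of an ldd listing, checks whether the library directory is covered by ld.so.conf or LD_LIBRARY_PATH, and prints the startup-script line to add when it is not. It runs against a constructed ldd listing so it needs no Snort build; the path /usr/local/mysql/lib, the library name libmysqlclient.so.10 and the ld.so.conf contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Snort: the "ldd the
# Snort binary" check from the message, run here against a constructed ldd
# listing so it works without a Snort build. /usr/local/mysql/lib,
# libmysqlclient.so.10 and the ld.so.conf contents below are assumptions.

# Constructed ldd output: what ldd prints when the MySQL client library was
# linked in (via ./configure --with-mysql=...) but lives outside the loader's
# search path.
SAMPLE_LDD='        libmysqlclient.so.10 => not found
        libpcap.so.0 => /usr/lib/libpcap.so.0 (0x40020000)
        libc.so.6 => /lib/libc.so.6 (0x40040000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# missing_libs LDD_TEXT: print each library ldd reports as "not found", one per line.
missing_libs() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# dir_in_search_path DIR LDSOCONF_TEXT LD_LIBRARY_PATH_VALUE: exit 0 if DIR is
# listed in the ld.so.conf text (one directory per line) or in the
# colon-separated LD_LIBRARY_PATH value, else exit 1.
dir_in_search_path() {
    dir=$1
    conf=$2
    ldpath=$3
    printf '%s\n' "$conf" | grep -qxF "$dir" && return 0
    printf '%s\n' "$ldpath" | tr ':' '\n' | grep -qxF "$dir" && return 0
    return 1
}

# fix_suggestion DIR: print the LD_LIBRARY_PATH line to put in the Snort startup
# script. The ${VAR:+...} form avoids a trailing colon when LD_LIBRARY_PATH is
# unset: an empty element in LD_LIBRARY_PATH means the current directory, which
# a daemon must never search for shared libraries.
fix_suggestion() {
    printf 'export LD_LIBRARY_PATH=%s${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}\n' "$1"
}

# Walk-through on the constructed sample.
MYSQL_LIBDIR=/usr/local/mysql/lib     # assumption: lib dir under the --with-mysql= prefix
LDSOCONF='/usr/lib
/usr/local/lib'                        # constructed stand-in for /etc/ld.so.conf

for lib in $(missing_libs "$SAMPLE_LDD"); do
    echo "unresolved: $lib"
    if dir_in_search_path "$MYSQL_LIBDIR" "$LDSOCONF" "${LD_LIBRARY_PATH:-}"; then
        echo "$MYSQL_LIBDIR is already searched; run ldconfig and re-check with ldd"
    else
        echo "$MYSQL_LIBDIR is not searched; add it to ld.so.conf and run ldconfig, or:"
        fix_suggestion "$MYSQL_LIBDIR"
    fi
done
```

On a real box, replace SAMPLE_LDD with the output of ldd on the Snort binary and LDSOCONF with the contents of /etc/ld.so.conf; adding the directory to ld.so.conf plus ldconfig is the cleaner fix, since an LD_LIBRARY_PATH set in a startup script is easy to lose when the script is rewritten. One unrelated point about the output database line quoted at the top of the message: it carries the MySQL password in clear text, so the rules file should be readable only by the account that starts Snort, and the snort database user should have no more than the INSERT/SELECT rights the plugin needs.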