[Snort-users] Acid / MySQL question

Guillaume guillaume at ...4029...
Thu Nov 8 08:40:04 EST 2001


In reply to Lance Spitzner <lance at ...2024...>:

> Okay, I'm going over the MySQL manual and my head is ready
> to explode, I be database ignorant.  Question.
> 
>   "How do I create separate mysql accounts for each
>    one of my Snort sensors feeding data to the ACID
>    database?"
> 
> I have 5 remote Snort sensors I want to feed data to my
> backend ACID/MySQL database.  To do this, I have to add
> the mysql user account and password to each snort.conf file
> so each Snort sensor can send alerts to the database.
> 
> output database: log, mysql, user=root password=test dbname=db
> host=localhost
> 
> For security reasons, I want each sensor to have a unique
> user account and password on the mysql database.  I feel user
> root is a bad thing, as this is full privileges on the mysql
> database.  So what is the >mysql command syntax to add separate
> users and passwords so each sensor has privileges to add data to
> the snort database?


Hope I understood what you wanna do... Try this :

mysql> GRANT ALL PRIVILEGES ON snort.* TO username at ...4034... IDENTIFIED BY 
PASSWORD('pass');

With : 
- snort being the name of the DB you are using to log snort's outputs, 
- username the user's name used by your sensor and this.host.com the FQDN of 
the sensor. You can - in fact you should - write the IP/netmask of this host 
instead of the FQDN : username@'192.168.10.12/255.255.255.0' <- do not forget 
the single quote !
- pass the password for this user. Do not forget to use the PASSWORD() 
function !

You can be more restrictive by just allowing INSERT and SELECT requests (I took 
a look at the code of the db plugin output, I do not remember having seen other 
SQL statements than these two) : 

GRANT SELECT,INSERT ON snort.* TO username@'192.168.10.12/255.255.255.0' etc...

IMPORTANT : you'll have to reload MySQL privileges by running :
mysql> FLUSH PRIVILEGES ;

For these new rights to be activated !

Repeat this for as many users as you need/want.

If you simply give SELECT and INSERT privileges to the sensor's users, do not 
forget to create a snort super-user you'll use for ACID. This super-user will 
have to have UPDATE and DELETE privileges in addition to the SELECT/INSERT ones.
Using this kind of super-user just for the snort DB will avoid using the 
general super-user root. Interesting when you use the same MySQL server for 
different DBs ! :-)

> Thanks!

You're welcome. I am very interested in any discussion about the DB SQL schema 
of snort database anyway.
 
> -- 
> Lance Spitzner
> http://project.honeynet.org

Oops... I should have written : You're welcome, Sir... ;-)

-------------------------------------------------------------------------------
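
Added example, not part of the original thread: the per-sensor scheme described in the reply, for five sensors plus an ACID account, written with CREATE USER followed by GRANT rather than the single GRANT ... IDENTIFIED BY statement shown in the post. The account names, IP addresses and passwords are constructed placeholders, and ACID is assumed to run on the database host itself.

```sql
-- Constructed example: names, addresses and passwords are placeholders.
-- Run as a MySQL administrative user on the server holding the snort DB.

-- One account per sensor, each bound to that sensor's source address,
-- so a leaked snort.conf only exposes one revocable credential.
CREATE USER 'sensor1'@'192.168.10.12' IDENTIFIED BY 'CHANGE_ME_1';
CREATE USER 'sensor2'@'192.168.10.13' IDENTIFIED BY 'CHANGE_ME_2';
CREATE USER 'sensor3'@'192.168.10.14' IDENTIFIED BY 'CHANGE_ME_3';
CREATE USER 'sensor4'@'192.168.10.15' IDENTIFIED BY 'CHANGE_ME_4';
CREATE USER 'sensor5'@'192.168.10.16' IDENTIFIED BY 'CHANGE_ME_5';

-- Sensors: SELECT and INSERT on the snort database only, as in the reply.
GRANT SELECT, INSERT ON snort.* TO 'sensor1'@'192.168.10.12';
GRANT SELECT, INSERT ON snort.* TO 'sensor2'@'192.168.10.13';
GRANT SELECT, INSERT ON snort.* TO 'sensor3'@'192.168.10.14';
GRANT SELECT, INSERT ON snort.* TO 'sensor4'@'192.168.10.15';
GRANT SELECT, INSERT ON snort.* TO 'sensor5'@'192.168.10.16';

-- ACID console account: adds UPDATE and DELETE, still scoped to snort.*
-- so the server-wide root account is never placed in a config file.
CREATE USER 'acid'@'localhost' IDENTIFIED BY 'CHANGE_ME_ACID';
GRANT SELECT, INSERT, UPDATE, DELETE ON snort.* TO 'acid'@'localhost';

-- Check 1: each account shows only the privileges intended for it.
SHOW GRANTS FOR 'sensor1'@'192.168.10.12';
SHOW GRANTS FOR 'acid'@'localhost';

-- Check 2: audit every account holding rights on the snort database.
-- Sensor rows should read Y, Y, N, N; the acid row Y, Y, Y, Y.
SELECT User, Host, Select_priv, Insert_priv, Update_priv, Delete_priv
  FROM mysql.db
 WHERE Db = 'snort'
 ORDER BY User, Host;

-- Matching snort.conf line on sensor1 (db.example.net is a placeholder):
--   output database: log, mysql, user=sensor1 password=CHANGE_ME_1
--     dbname=snort host=db.example.net

-- If one sensor is compromised, remove only its account:
--   DROP USER 'sensor3'@'192.168.10.14';
```
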