[Snort-users] Log to MySQL but without MySQL

Nibar Anonymous novalupo at ...131...
Fri Mar 1 08:38:05 EST 2002

I ran into this problem too: you shouldn't have to
install databases or other trappings on sensor nodes.
In my case I wanted to deploy snort host sensors on
hardened (stripped down,  locked down,
special-purpose) nodes on my company's firewall
perimeter, but centralize the database and console
*behind* the firewall. The only files that should be
deployed on exposed sensor nodes are the minimum: the
snort daemon binary, a *copy* of the config/rule
files, and the boot script.

My solution was to use the snort "unified binary
format" option and set the max log file size to the
smallest possible (1MB). It was easy enough to write a
perl script (I call "snortbot"--currently a 280-line
commented script) to run on a central node protected
behind the firewall that periodically connects out to
each sensor (every 15 mins--or whatever), pull down
the log files, clean up the old remote files, process
the logs into a combined archive, etc. I'm currently
using IP-restricted FTP, but I'm looking into sftp in
the near future.

I figured out I didn't really need a database since
all of the data is time-series and can be preprocessed
into summaries and stats easily. I used the perl
Storable.pm module (check out CPAN) to store the
alerts and packet dumps into a structured filesystem
archive. The place I work for is fairly large, 30K
ping-answering nodes (three class B netblocks plus
misc. class C's), so I was surprised how well the file
system scheme scaled. Also, fewer moving parts and
dependencies means it's easier to deploy, host, and
maintain. HOWEVER, I probably will next look into
having snortbot feed the aggregated data into the
MySQL schema (using the approp. perl DBI module),
since many preexisting consoles rely on a database of
some sort (I wrote my own minimal console in perl to
access the file system archive).

I'd like to contribute the script but it will take a
bit of work to get it into general-purpose shape. If
anyone is interested in seeing the as-is version (the
perl unified binary format parsing routines may be of
interest), let me know. I based the code on the snort
C source header information, and didn't borrow from
any other perl scripts, so it's possible I have
duplicated some effort.

--- Paul.Simons at ...5169... wrote:
> OK Strange subject but I am trying to build a Snort
> Sensor which will log
> to a MySQL database on another machine.
> I don't want to have all the MySQL packages (and
> dependants) on the
> machine. I guess I have to have to have them there
> when I build Snort but I
> would like to know if anyone has done this and knows
> which bits of MySQL
> absolutely MUST be there for Snort to run?
> Regards

Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!

More information about the Snort-users mailing list