[Snort-users] Snort to Oracle

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Fri Jan 3 16:34:03 EST 2003


Download Oracle from the OTN site:
http://otn.oracle.com/software/content.html
If you're only using it for snort, try 9i Lite.  If you're going to use
some customized interface in a language like perl or C, you may want to
just go ahead and get the whole DB... (9i lite may have the libs you
need, but I have yet to see anyone test it).
Recompile the latest version of snort (1.9 or current) from cvs, using
the following:

./configure --with-oracle=$ORACLE_HOME

Where $ORACLE_HOME is the variable you set as your ORACLE_HOME when you
installed.
Also, you MUST make sure ORACLE_HOME is defined for all users that are
going to use ORACLE... I recommend just doing it in /etc/profile.

In the contrib folder, make sure you create the database in oracle...
And make sure you set up a user to access that db.  This part is
definitely much more difficult than MySQL... Oracle is much more picky.

Then, in the config file... 

output database: alert, oracle, user=<oracle_user> dbname=<db_sid> password=<password> sensor_name=<name for your sensor>

-----Original Message-----
From: Steven Rudolph [mailto:srudolph at ...4612...] 
Sent: Friday, January 03, 2003 10:06 AM
To: Snort-Users (E-mail)
Subject: [Snort-users] Snort to Oracle


Does anyone have any tips/tricks on getting snort to send logs to
oracle? 
I am getting well over 15K detected attempts a day and my database grows
too quickly for MySQL to handle (my current setup).
I have been using the Acid front end to help analyze. 
Steve Rudolph, CCSE 
Network Security Engineer 
Internet Operations Center 
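
An added example, not part of either message above and not code from the Snort project: a preflight script for the steps in the reply. It checks that ORACLE_HOME is set, that snort.conf carries an oracle output database line with the four parameters shown in the reply, and that the file, which stores the database password in clear text, is not readable by group or others. The function names and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Preflight checks for the setup steps in the message above (added example).
# Function names are illustrative, not part of Snort or Oracle.

# True when ORACLE_HOME is set and is an existing directory.
check_oracle_home() {
    [ -n "${ORACLE_HOME:-}" ] && [ -d "$ORACLE_HOME" ]
}

# Print the first uncommented "output database: <type>, oracle, ..." line.
oracle_output_line() {
    grep -E '^[[:space:]]*output[[:space:]]+database:[[:space:]]*[a-z]+,[[:space:]]*oracle,' "$1" | head -n 1
}

# Print each parameter from the directive above that the line lacks.
missing_keys() {
    line=$(oracle_output_line "$1" | tr '\t,' '  ')
    for key in user dbname password sensor_name; do
        case " $line " in
            *" $key="*) ;;
            *) printf '%s\n' "$key" ;;
        esac
    done
}

# True when group or others can read the file, which stores the DB password.
conf_exposed() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Run all checks against a snort.conf; print findings, return 1 on any.
preflight() {
    rc=0
    check_oracle_home || { echo "ORACLE_HOME unset or not a directory"; rc=1; }
    for key in $(missing_keys "$1"); do
        echo "output database line lacks $key="; rc=1
    done
    if conf_exposed "$1"; then
        echo "$1 stores a password but is group/world readable"; rc=1
    fi
    return $rc
}

# Constructed sample: a config missing sensor_name, created mode 644.
sample=$(mktemp)
echo 'output database: alert, oracle, user=snort dbname=IDS password=changeme' > "$sample"
chmod 644 "$sample"
preflight "$sample" || echo "preflight failed (expected for this sample)"
rm -f "$sample"
```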



