[Snort-users] Snort Sensors + logging to MSSQL

Paulo Filipe Mira paulo.mira at ...5092...
Thu Jan 16 03:37:01 EST 2003


Last time I checked, snort didn't have native support for MSSQL, and
you had to let unixodbc handle the data. So first of all, you had to set up
unixodbc. unixodbc itself needs a driver to be able to talk to MSSQL.

I set up a driver called FreeTDS, which comes with a good set of
utilities for communicating with MSSQL, including one called isql, which
is a command line client similar to osql for Win. I was able to log on to
the DB using isql, and issue some queries to the DB, and apparently all was
working fine.
The schema for what you are trying to do is this:

snort ---> unixodbc ---> (some TDS driver) ---> MSSQL

However, I was never able to make snort log data to the MSSQL DB:
it failed on the very first query, when it queried the DB for the
sensors' names. You should search snort-users' archives for my post
to the list describing the errors I got. Search for 'mssql freetds'
on the subject.

All this was back in the 1.8.6/1.8.7 days, so things might have changed
since then. I resorted to using mysql, and haven't tried MSSQL since then.

Good luck, and let us know if you get somewhere.

Paulo Filipe Mira
SA
Soquimica
paulo dot mira at soquimica dot pt



> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of shreerang
> vaidya
> Sent: quarta-feira, 15 de Janeiro de 2003 12:38
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort Sensors + logging to MSSQL
> 
> 
> Hi,
> 
> Hi 
> 
> I am running a couple of snort sensors on redhat 8.0 nodes.
> I need to log all alerts and data to a central server running 
> WindoZe and MSSQL 2000.
> 
> I have edited the snort.conf file to enable the necessary 
> changes to log to the MSSQL server.
> 
> The SQL database has been configured and the necessary 
> database had been created.
> 
> Do I need to run/enable anything else in order to log to the 
> SQL server?
> 
> 
> 
> Thank You,
> Shree.
> 