[Snort-users] Re: Snort and Mysql for statistics purposes

David Jiménez Domínguez djdsecurity at ...11827...
Wed Mar 9 23:03:19 EST 2005


I'm developing a data analysis interface with mod_perl and rrdtool,
just like Olaf's examples. I have read the documentation and even the
mailing list, and it appears that ntop doesn't support logging to MySQL
anymore. Some users have reported problems and have lost data with it,
for example:

http://listgateway.unipi.it/pipermail/ntop/2005-February/009892.html
**************************************************************
TOP 10 - the questions everyone asks...
 
Q1(a). Can I store data in a SQL database?
Q1(b). When ntop stops I lose all my data.  Why?
Q1(c). Why doesn't the -S option work?
 
A. ntop used to optionally store some data in a SQL database.  The code was
   broken, difficult to maintain, etc. and was removed.  A LONG TIME AGO.
   If you are reading about this in 'some' documentation - update.
 
   Current ntop is 3.1, which is the only version we support.
 
   There are scripts that various users have offered to take the data dump
   and insert it into a SQL database.  Search the back traffic on the
   mailing list for them.
 
   Yes, ntop uses memory based structures to hold usage data and they are
   lost when you reset or restart ntop.
 
   Persistent storage is in the RRD databases - there's a paper @
   SourceForge that explains them.
 
   There was another option for some persistence - it was -S - look down
   about 5K lines in this FAQ for an article about it, "What was the -S option?".
**********************************************************************
I'm trying to use Snort, and I have just 4 rules in order to get all
the traffic I need:

log tcp $EXTERNAL_NET any -> $HOME_NET any
log udp $EXTERNAL_NET any -> $HOME_NET any
log icmp $EXTERNAL_NET any -> $HOME_NET any
log ip $EXTERNAL_NET any -> $HOME_NET any

In my snort.conf I used to use the following entry:

output database: log, mysql, user=test password=test dbname=test
host=XXX.XXX.XXX.XXX detail=fast

But with this configuration, I couldn't get all the information I
needed, just the following data:

- timestamp
- signature
- source ip
- destination ip
- source port
- destination port
- tcp flags
- protocol

But I need the ip_len column in order to graph the network activity in
bytes, so I changed the entry to:

output database: log, mysql, user=test password=test dbname=test
host=XXX.XXX.XXX.XXX detail=full

But this implies that I'm going to have a ton of useless data!

Do you have another option to do this kind of development?
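An added example, not code from the original post or from Snort: a small Python script that reads ip_len from Snort's MySQL schema (the event and iphdr tables as created by Snort's create_mysql script) and sums it into 300-second buckets for rrdtool, skipping rows that were logged with detail=fast and therefore carry no length. The two tables are mirrored in an in-memory SQLite database with constructed rows so the script runs offline; against the real database the connection would come from MySQLdb instead.

```python
import calendar
import sqlite3
from datetime import datetime
BUCKET = 300  # seconds per rrdtool step

# Snort's event/iphdr tables as in create_mysql (unused columns omitted); ip_len stays NULL unless detail=full.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_proto INTEGER, ip_len INTEGER);
"""

# Constructed rows (sid, cid, signature, timestamp, ip_proto, ip_len); the last one mimics detail=fast (ip_len NULL).
SAMPLE = [
    (1, 1, 1, "2005-03-09 23:00:05", 6, 1500),
    (1, 2, 1, "2005-03-09 23:02:30", 17, 512),
    (1, 3, 1, "2005-03-09 23:06:00", 6, 60),
    (1, 4, 1, "2005-03-09 23:07:00", 1, None),
]

QUERY = """
SELECT e.timestamp, i.ip_proto, i.ip_len
FROM event e JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid
WHERE e.timestamp >= ? AND e.timestamp < ?  -- MySQLdb uses %s placeholders
"""

def bytes_per_bucket(conn, start, end):
    """Return ({bucket_epoch: {ip_proto: bytes}}, rows_without_ip_len)."""
    buckets, missing = {}, 0
    for ts, proto, ip_len in conn.execute(QUERY, (start, end)):
        if ip_len is None:  # fast-mode row: no length, nothing to graph
            missing += 1
            continue
        # Parsed as UTC so bucket edges do not depend on the host timezone.
        epoch = calendar.timegm(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").timetuple())
        bucket = epoch - epoch % BUCKET
        per_proto = buckets.setdefault(bucket, {})
        per_proto[proto] = per_proto.get(proto, 0) + ip_len
    return buckets, missing

def rrd_updates(buckets):
    """One 'rrdtool update' argument per bucket: '<epoch>:<total bytes>'."""
    return [f"{b}:{sum(p.values())}" for b, p in sorted(buckets.items())]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sid, cid, sig, ts, proto, ip_len in SAMPLE:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (sid, cid, proto, ip_len))
    return bytes_per_bucket(conn, "2005-03-09 23:00:00", "2005-03-10 00:00:00")
```

A non-zero `missing` count is the quick check that the plugin is still running with detail=fast: those rows have no ip_len to graph.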