[Snort-users] MySQL support for Snort 2.9.4

Kaya Saman kayasaman at ...11827...
Mon Dec 10 21:24:14 EST 2012


On 12/11/2012 02:16 AM, Michael Steele wrote:
> Is there any chance that all the rules that are available to the public
> could have the snort.conf replaced with correct versions that don't have
> the output database included as an option?
>
> As an example the Registered Users Release of the rules labeled
> snortrules-snapshot-2931.tar.gz still has a reference in the snort.conf to
> the output database option. Might be a thought to go back to any of the
> rules that are available to the public that reference a version of Snort
> that doesn't support the output database and update the snort.conf to not
> reference it. Just a thought...
>
> Best regards,
> Michael...

I disabled that option:

# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.u2, limit 128

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

# prelude
# output alert_prelude

# metadata reference data.  do not modify these lines
include classification.config
include reference.config


I got the unified2 code from here: 
http://www.securixlive.com/barnyard2/faq.php


It also seems that I do have preprocessor modules:

# ls
libsf_dce2_preproc.a       libsf_ftptelnet_preproc.a       libsf_pop_preproc.a              libsf_smtp_preproc.a
libsf_dce2_preproc.la      libsf_ftptelnet_preproc.la      libsf_pop_preproc.la             libsf_smtp_preproc.la
libsf_dce2_preproc.so      libsf_ftptelnet_preproc.so      libsf_pop_preproc.so.0.0         libsf_smtp_preproc.so
libsf_dce2_preproc.so.0.0  libsf_ftptelnet_preproc.so.0.0  libsf_reputation_preproc.a       libsf_smtp_preproc.so.0.0
libsf_dcerpc_preproc.a     libsf_gtp_preproc.a             libsf_reputation_preproc.la      libsf_ssh_preproc.a
libsf_dcerpc_preproc.so    libsf_gtp_preproc.la            libsf_reputation_preproc.so.0.0  libsf_ssh_preproc.la
libsf_dnp3_preproc.a       libsf_gtp_preproc.so.0.0        libsf_sdf_preproc.a              libsf_ssh_preproc.so
libsf_dnp3_preproc.la      libsf_imap_preproc.a            libsf_sdf_preproc.la             libsf_ssh_preproc.so.0.0
libsf_dnp3_preproc.so.0.0  libsf_imap_preproc.la           libsf_sdf_preproc.so             libsf_ssl_preproc.a
libsf_dns_preproc.a        libsf_imap_preproc.so.0.0       libsf_sdf_preproc.so.0.0         libsf_ssl_preproc.la
libsf_dns_preproc.la       libsf_modbus_preproc.a          libsf_sip_preproc.a              libsf_ssl_preproc.so
libsf_dns_preproc.so       libsf_modbus_preproc.la         libsf_sip_preproc.la             libsf_ssl_preproc.so.0.0
libsf_dns_preproc.so.0.0   libsf_modbus_preproc.so.0.0     libsf_sip_preproc.so.0.0


So that shouldn't be an issue.


Everything looks correct, unless it's something to do with the compile and 
my architecture? Though it shouldn't be, I'm guessing....

>
> -----Original Message-----
> From: Jeremy Hoel [mailto:jthoel at ...11827...]
> Sent: Monday, December 10, 2012 7:48 PM
> To: Kaya Saman
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] MySQL support for Snort 2.9.4
>
> Database support has been removed from snort.  Use the unified2 output and
> Barnyard2 to put data into a database.
>
>
> On Tue, Dec 11, 2012 at 12:15 AM, Kaya Saman <kayasaman at ...11827...> wrote:
>> Hi,
>>
>> I've installed Daq 2.0 and Snort 2.9.4 however, I'm confused about the
>> MySQL support.
>>
>> Initially running ./configure --help didn't yield any option for
>> support: --enable-mysql=
>>
>> Also adding the option: output database - in the snort.conf file
>> doesn't work either.
>>
>> Should I downgrade to version 2.9.3 or am I missing something?
>>
>> I have gone through the Snort user manual from www.snort.org/docs and
>> saw some information on this under preprocessor_stream5 but nothing to
>> add to my snort.conf.
>>
>>
>> What am I missing???
>>
>>
>> Thanks.
>>
>>
>> Kaya
>>
>> ----------------------------------------------------------------------
>> -------- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free
>> Trial Remotely access PCs and mobile devices and provide instant
>> support Improve your efficiency, and focus on delivering more
>> value-add services Discover what IT Professionals Know. Rescue
>> delivers http://p.sf.net/sfu/logmein_12329d2d
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
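The unified2 file that the "output unified2" line in the snort.conf above produces is what Barnyard2 reads and loads into the database. As an added example, not from this thread or from the Snort/Barnyard2 code, here is a minimal Python reader for that file: it decodes the record header, the legacy IPv4 IDS event record (type 7) and the packet record (type 2) as laid out in Snort's Unified2_common.h, and runs over a constructed byte stream (all addresses, sids and timestamps in build_sample are made up).

```python
import socket
import struct

# Record types and on-disk layouts from Snort's Unified2_common.h (network byte order).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                # legacy IPv4 IDS event, 52 bytes
HEADER = struct.Struct("!II")         # record type, record length
IDS_EVENT = struct.Struct("!11I2H4B")
PACKET_HDR = struct.Struct("!7I")     # followed by packet_length bytes of packet

def parse_unified2(data):
    """Return one dict per unified2 record; stop at a partial record at EOF."""
    records, offset = [], 0
    while offset + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, offset)
        body = data[offset + HEADER.size:offset + HEADER.size + rlen]
        if len(body) < rlen:
            break  # Snort has not finished writing this record yet: do not mis-parse it
        offset += HEADER.size + rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)
            records.append({"type": "event", "event_id": f[1], "event_second": f[2],
                            "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                            "src": socket.inet_ntoa(body[36:40]),
                            "dst": socket.inet_ntoa(body[40:44]),
                            "sport": f[11], "dport": f[12], "proto": f[13]})
        elif rtype == UNIFIED2_PACKET:
            p = PACKET_HDR.unpack_from(body)
            records.append({"type": "packet", "event_id": p[1], "linktype": p[5],
                            "pkt": body[PACKET_HDR.size:PACKET_HDR.size + p[6]]})
        else:  # IPv6/VLAN events, extra data: keep raw so nothing is silently lost
            records.append({"type": "unknown", "rtype": rtype, "raw": body})
    return records

def build_sample():
    """Constructed stream: one IPv4 alert (gid 1, sid 1000001) plus its packet."""
    ev = IDS_EVENT.pack(0, 1, 1355190000, 0, 1000001, 1, 3, 1, 2,
                        int.from_bytes(socket.inet_aton("10.0.0.5"), "big"),
                        int.from_bytes(socket.inet_aton("192.0.2.10"), "big"),
                        44321, 80, 6, 0, 0, 0)
    pkt = b"\x00" * 14 + b"\x45" + b"\x00" * 19  # constructed Ethernet+IPv4 stub
    pk = PACKET_HDR.pack(0, 1, 1355190000, 1355190000, 0, 1, len(pkt)) + pkt
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + HEADER.pack(UNIFIED2_PACKET, len(pk)) + pk)

if __name__ == "__main__":
    for r in parse_unified2(build_sample()):
        print(r["type"], {k: v for k, v in r.items() if k != "pkt"})
```

Without the nostamp option Snort appends a Unix timestamp to the configured filename, so the file to open is snort.u2.<timestamp>; barnyard2 follows that rotation itself when pointed at the base name.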