Creating Extra Tables Step 5: Creating Tables in the Snort Database

Making Snort Work with MySQL 171

... database server is not the same as where Snort is running, you can use the following lines in the snort.conf file:

    output database: log, mysql, user=rr password=rr78x \
        dbname=snort host=192.168.1.23

The MySQL database server in this example is running on host 192.168.1.23. If many Snort sensors are installed and all of them log data to the same database server 192.168.1.23, all of the sensors must have this same line in their snort.conf files. The database server must be running before you start Snort.

5.1.7 Step 7: Starting Snort with Database Support

When you start Snort after database configuration, the startup message shows which database is being used. The lines beginning with "database:" (boldface in the original) show database-related information.

    [root@laptop]# /opt/snort/bin/snort -c /etc/snort/snort.conf
    Log directory = /var/log/snort

    Initializing Network Interface eth0

            --== Initializing Snort ==--
    Decoding Ethernet on interface eth0
    Initializing Preprocessors!
    Initializing Plug-ins!
    Initializing Output Plugins!
    Parsing Rules file /etc/snort/snort.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    No arguments to frag2 directive, setting defaults to:
        Fragment timeout: 60 seconds
        Fragment memory cap: 4194304 bytes
    Stream4 config:
        Stateful inspection: ACTIVE
        Session statistics: INACTIVE
        Session timeout: 30 seconds
        Session memory cap: 8388608 bytes
        State alerts: INACTIVE
        Scan alerts: ACTIVE
        Log Flushed Streams: INACTIVE
    No arguments to stream4_reassemble, setting defaults:
         Reassemble client: ACTIVE
         Reassemble server: INACTIVE
         Reassemble ports: 21 23 25 53 80 143 110 111 513
         Reassembly alerts: ACTIVE
         Reassembly method: FAVOR_OLD
    Back Orifice detection brute force: DISABLED
    Using LOCAL time
    database: compiled support for ( mysql )
    database: configured to use mysql
    database:          user = rr
    database: database name = snort
    database:          host = localhost
    database:   sensor name = 10.100.1.111
    database:     sensor id = 1
    database: schema version = 105
    database: using the "log" facility
    886 Snort rules read...
    886 Option Chains linked into 99 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    Rule application order: ->activation->dynamic->alert->pass->log

            --== Initialization Complete ==--

    -*> Snort! <*-
    Version 1.8.6 (Build 105)
    By Martin Roesch (roesch@sourcefire.com, www.snort.org)

The name of the database, the name of the user and the host where the database is installed are all listed in the output. The schema version is saved in the schema table of the MySQL database.

5.1.8 Step 8: Logging to Database

After configuring the database properly, you should check whether log and alert messages are being saved in the database tables. We use the following two rules for Snort to test the database:

    alert ip any any -> any any (ipopts: lsrr; msg: \
        "LSRR Options set"; logto: test;)
    alert icmp any any -> 192.168.1.0/24 any (fragbits: D; \
        msg: "Don't Fragment bit set";)

To test these rules, we use the following two commands on a Microsoft Windows machine. I have used Windows XP Home Edition for the sake of experiment. The -f option sets the Don't Fragment bit and -j specifies a loose source route, so each command triggers one of the two rules.

    ping -n 1 -f 192.168.1.2
    ping -n 1 -j 192.168.1.2 192.168.1.2
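The checks this step and the two before it call for (the schema version from the schema table, which sensors have registered and how much each has logged when several sensors share one server, and whether the test alerts actually landed) are joins over a handful of Snort tables keyed on (sid, cid). The following is an added example, not code from the book or from the Snort project: it rebuilds those tables with a subset of the Snort database schema's columns in an in-memory SQLite database so it runs without a MySQL server, fills them with constructed sample rows (the sensor and schema version from the startup output above, plus a hypothetical second sensor 10.100.1.112 and three hypothetical events), and runs the queries you would otherwise type into the mysql client. IP addresses are stored as 32-bit integers, as Snort does, and converted back in Python; on MySQL the same conversion is INET_NTOA().

```python
"""Offline check of what Snort writes to its database (added example)."""
import ipaddress
import sqlite3


def ip_to_int(ip: str) -> int:
    """Snort stores addresses as unsigned 32-bit integers (INET_ATON form)."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


# Subset of the Snort database schema: only the columns the checks below use.
SCHEMA_SQL = """
CREATE TABLE "schema" (vseq INTEGER NOT NULL PRIMARY KEY, ctime TEXT NOT NULL);
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     filter TEXT, detail INTEGER, encoding INTEGER,
                     last_cid INTEGER NOT NULL);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL,
                        sig_class_id INTEGER, sig_priority INTEGER,
                        sig_rev INTEGER, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    ip_src INTEGER NOT NULL, ip_dst INTEGER NOT NULL,
                    ip_proto INTEGER NOT NULL, ip_ttl INTEGER,
                    PRIMARY KEY (sid, cid));
CREATE TABLE icmphdr (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                      icmp_type INTEGER NOT NULL, icmp_code INTEGER NOT NULL,
                      PRIMARY KEY (sid, cid));
"""


def build_sample_db() -> sqlite3.Connection:
    """Create the tables and load constructed sample rows (not real captures)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_SQL)
    # Schema version 105 and sensor 10.100.1.111 come from the startup output;
    # sensor 10.100.1.112 is hypothetical, standing in for a second sensor
    # that logs to the same database server.
    conn.execute('INSERT INTO "schema" VALUES (105, ?)', ("2003-01-15 10:00:00",))
    conn.executemany("INSERT INTO sensor VALUES (?,?,?,?,?,?,?)", [
        (1, "10.100.1.111", "eth0", None, 1, 0, 2),
        (2, "10.100.1.112", "eth0", None, 1, 0, 1),
    ])
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?)", [
        (1, "LSRR Options set", None, None, None, None),
        (2, "Don't Fragment bit set", None, None, None, None),
    ])
    # Constructed events: (sid, cid, sig_id, timestamp, src, dst, proto, ttl,
    # icmp_type, icmp_code). Both test pings are ICMP echo requests (8/0).
    events = [
        (1, 1, 1, "2003-01-15 10:05:01", "192.168.1.100", "192.168.1.2", 1, 128, 8, 0),
        (1, 2, 2, "2003-01-15 10:05:07", "192.168.1.100", "192.168.1.2", 1, 128, 8, 0),
        (2, 1, 2, "2003-01-15 10:06:30", "192.168.1.101", "192.168.1.2", 1, 128, 8, 0),
    ]
    for sid, cid, sig, ts, src, dst, proto, ttl, itype, icode in events:
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,?,?)",
                     (sid, cid, ip_to_int(src), ip_to_int(dst), proto, ttl))
        if proto == 1:  # ICMP: Snort also fills the icmphdr table
            conn.execute("INSERT INTO icmphdr VALUES (?,?,?,?)", (sid, cid, itype, icode))
    conn.commit()
    return conn


def schema_version(conn: sqlite3.Connection) -> int:
    """Same as 'SELECT vseq FROM schema' in the mysql client; must match
    the 'schema version' line Snort prints at startup."""
    return conn.execute('SELECT MAX(vseq) FROM "schema"').fetchone()[0]


def sensor_summary(conn: sqlite3.Connection):
    """One row per registered sensor with its event count. A sensor that is
    configured but never appears here is not reaching the database."""
    sql = """SELECT s.sid, s.hostname, s.interface, COUNT(e.cid)
             FROM sensor s LEFT JOIN event e ON e.sid = s.sid
             GROUP BY s.sid ORDER BY s.sid"""
    return conn.execute(sql).fetchall()


def recent_alerts(conn: sqlite3.Connection, limit: int = 10):
    """Join event -> signature -> iphdr (-> icmphdr) on the (sid, cid) pair
    that ties every per-packet table back to its event."""
    sql = """SELECT e.sid, e.cid, e.timestamp, g.sig_name,
                    h.ip_src, h.ip_dst, h.ip_proto, i.icmp_type, i.icmp_code
             FROM event e
             JOIN signature g ON g.sig_id = e.signature
             JOIN iphdr h ON h.sid = e.sid AND h.cid = e.cid
             LEFT JOIN icmphdr i ON i.sid = e.sid AND i.cid = e.cid
             ORDER BY e.timestamp DESC LIMIT ?"""
    out = []
    for sid, cid, ts, name, src, dst, proto, itype, icode in conn.execute(sql, (limit,)):
        out.append({"sid": sid, "cid": cid, "timestamp": ts, "signature": name,
                    "src": int_to_ip(src), "dst": int_to_ip(dst), "proto": proto,
                    "icmp": None if itype is None else (itype, icode)})
    return out


def alerts_by_signature(conn: sqlite3.Connection):
    """Quick sanity count: did each test rule fire at least once?"""
    sql = """SELECT g.sig_name, COUNT(*) FROM event e
             JOIN signature g ON g.sig_id = e.signature
             GROUP BY g.sig_name ORDER BY COUNT(*) DESC, g.sig_name"""
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("schema version:", schema_version(db))
    for row in sensor_summary(db):
        print("sensor:", row)
    for alert in recent_alerts(db):
        print(alert)
    print(alerts_by_signature(db))
```

Against a real Snort database, replace build_sample_db() with a MySQL connection and keep the queries; they only use columns from the Snort schema. If recent_alerts() returns nothing after the two test pings, the output plugin is not writing at all, while an event row with no matching iphdr row points at the "log" versus "alert" facility choice in the output database line.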