
Chapter 5

Using Snort with MySQL

All systems need some type of efficient logging feature, usually using a database at the backend. Snort can be made to work with MySQL, Oracle or any other Open Database Connectivity (ODBC) compliant database.[1] You already know from the discussion of output modules in the previous chapter that you can save logs and alerts to a database. Logging to a database is very useful for maintaining history data, generating reports and analyzing information. By using other tools like Analysis Control for Intrusion Detection (ACID), discussed in the next chapter, you can get very useful information from the database about attack patterns. For example, you can get a report about the last fifteen unique attacks, information about hosts that are continuously attacking your network, the distribution of attacks by different protocols, and so on. Since MySQL is a freely available database and works perfectly well on Linux and other operating systems, this is a natural choice for Snort.

Some different scenarios for using a database with Snort are:

• You can install and run the MySQL database server on the same machine where Snort is running, as shown in Figure 5-1.
• You can also install the MySQL server on a different machine and configure Snort to log to that database, as shown in Figure 5-2.
• You can have multiple Snort sensors log to a centralized database server running MySQL server, as shown in Figure 5-3.

Figure 5-1 A single computer running Snort and MySQL database server.

Figure 5-2 A computer running Snort logging to a separate MySQL database server.

The scheme you choose depends on your particular requirements. For example, if you are running only one sensor and don't have any pre-existing database server, it is a natural choice to install the database on the Snort machine itself. However, if you have many Snort machines, it makes sense to set up a centralized database server as shown in Figure 5-3.

If you are running a separate database server and are logging to it from remote Snort machines, you can send data without any security or you can use some type of encryption. A possible scheme using the Stunnel package is discussed at the end of this chapter. Using Stunnel, you can encrypt all data between the Snort machine and the database server. This system also helps to pass data through firewalls, because with Stunnel you can use the ports that are already open in the firewall.

Before you start logging to a MySQL database, you have to create a database on the database server for Snort. After creating the database, you have to create the tables where Snort data is logged. The table schema used with the database is available from http://www.incident.org/snortdb for your review. However, you don't need to create the tables manually, because Snort comes with a script that will do the entire job for you. To work with MySQL, you may have to recompile Snort with MySQL support, as will be explained later in this chapter.

Figure 5-3 Many Snort PCs logging data to a centralized MySQL database server.

1. ODBC provides a standard way for clients to connect to a database. Refer to the ODBC FAQ at http://www.ensyncsolutions.com/odbc_faq.htm or http://www.odbc.org for more information.
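The choice between the three layouts above is also a security decision: a sensor that logs to a remote MySQL server without Stunnel sends its credentials and every logged packet across the network in clear. The following added example (not from the book or from Snort) audits the `output database:` directives of a snort.conf for exactly the points this section raises: a remote database host with no tunnel, a logging account that is the MySQL superuser, and a missing password. The directive syntax (`output database: log|alert, mysql, user=... password=... dbname=... host=...`) is Snort's; the finding names and the sample configuration are constructed.

```python
import re

# Matches a Snort "output database:" directive, e.g.
#   output database: log, mysql, user=snort password=secret dbname=snort host=localhost
OUTPUT_DB = re.compile(r"^\s*output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,?\s*(.*)$")
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def parse_output_database(line):
    """Return (facility, db_type, params) for a database output line, else None."""
    m = OUTPUT_DB.match(line)
    if not m:
        return None
    facility, db_type, rest = m.groups()
    params = {}
    for token in rest.split():
        if "=" in token:
            key, value = token.split("=", 1)
            params[key] = value
    return facility, db_type, params


def audit_output_database(line):
    """Return the list of findings for one directive (empty when nothing is wrong)."""
    parsed = parse_output_database(line)
    if parsed is None:
        return []
    _facility, _db_type, params = parsed
    host = params.get("host", "localhost")
    findings = []
    if host not in LOCAL_HOSTS:
        # Figure 5-2 / 5-3 layout: sensor-to-database traffic crosses the network.
        # With no tunnel (such as Stunnel) credentials and log data travel in clear.
        findings.append("remote-db-clear:%s" % host)
    if params.get("user") == "root":
        # The logging account only needs to insert rows; it should not be the DB superuser.
        findings.append("db-superuser")
    if not params.get("password"):
        findings.append("no-password")
    return findings


def audit_snort_conf(text):
    """Audit every database output directive in a snort.conf; returns [(line_no, finding)]."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1)
            for f in audit_output_database(line)]


# Constructed snort.conf fragment (not from any real deployment).
SAMPLE_CONF = """\
# local database, dedicated account: the Figure 5-1 layout
output database: log, mysql, user=snort password=s3cret dbname=snort host=localhost
# sensor logging to a central server as root, in clear: Figure 5-3 done badly
output database: alert, mysql, user=root password=s3cret dbname=snort host=db.example.com
output database: log, mysql, user=snort dbname=snort host=127.0.0.1
"""
```

Running `audit_snort_conf(SAMPLE_CONF)` flags line 4 twice (remote host in clear, superuser account) and line 5 once (no password), while the local directive on line 2 passes.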