Intrusion Detection Systems with Snort (Prentice Hall)

The scheme you choose depends on your particular requirements. For example, if you are running only one sensor and don't have a pre-existing database server, it is a natural choice to install the database on the Snort machine itself. However, if you have many Snort machines, it makes sense to set up a centralized database server, as shown in Figure 5-3. If you are running a separate database server and are logging to it from remote Snort machines, you can send data without any security, or you can use some type of encryption. A possible scheme using the Stunnel package is discussed at the end of this chapter. Using Stunnel, you can encrypt all data between the Snort machine and the database server. This system also helps to pass data through firewalls, because with Stunnel you can use ports that are already open in the firewall.

Before you start logging to the MySQL database, you have to create a database on the database server for Snort. After creating the database, you have to create the tables where Snort data is logged. The table schema used with the database is available from http://www.incident.org/snortdb for your review. However, you don't need to create the tables manually, because Snort comes with a script that does the entire job for you. To work with MySQL, you may have to recompile Snort with MySQL support, as will be explained later in this chapter.

Figure 5-3 Many Snort PCs logging data to a centralized MySQL database server.

Chapter 5 • Using Snort with MySQL

After going through this chapter, you should be able to install Snort and MySQL so that all of the Snort activity is logged to the database. You should also be able to set up a centralized database server and enable multiple Snort machines to log to this server. The last part of this chapter provides information about using the Stunnel package for secure data exchange between a Snort machine and a remote database server.

5.1 Making Snort Work with MySQL

There are a few basic steps to make Snort work with MySQL. A high-level, step-by-step approach to building a Snort-MySQL system follows. Details of each step are presented later in the chapter.

1. Compile Snort with MySQL support and install it. Make sure that Snort is working properly by creating some alert messages. You have to use the --with-mysql command line argument with the configure script, as mentioned in Chapter 2.

2. Install MySQL and use the mysql client to make sure the database is available. See Appendix C for basic information about how to get started with MySQL.

3. Create a database on the MySQL server for Snort. I have named this database "snort." You may choose any name for the database. This is explained later in this chapter.

4. Create a user name and password in the database. The user name will be used by Snort to log data.

5. Create tables in this database using the scripts that come with the Snort distribution in the contrib directory.

6. Modify the snort.conf file to enable the database plug-in, as explained later. You will use the database name, user name and password for the database that you just created.

7. Restart Snort. If everything goes well, Snort will start logging to the database.

8. Generate some alerts and use the mysql client program to make sure that alerts are being logged into the database.

The rest of the chapter provides explanations about how to perform all of these steps. The next chapter discusses the use of ACID, which will make real use of the work that you do in this chapter.
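The following shell script is an added example that collects steps 3 through 6 and 8 of the list above into one place; it is not code from the book or from the Snort project. It assumes that the mysql client is on the PATH, that the Snort source tree is in $SNORT_SRC and carries the schema script contrib/create_mysql (the directory the text refers to; the file name is assumed), and that the server accepts the GRANT ... IDENTIFIED BY form used by MySQL 4 and 5. Step 1 (configure --with-mysql), step 7 (restarting Snort) and the rules that produce the test alerts in step 8 are left to the operator. The grant is deliberately narrower than "all privileges": the credentials that end up in snort.conf only need to insert events and read or update the sensor and signature bookkeeping tables.

```shell
#!/bin/sh
# Added example (not from the book): scripts steps 3-6 and 8 of the
# Snort-MySQL setup. Assumptions: mysql client on PATH, Snort source in
# $SNORT_SRC with the schema script contrib/create_mysql (file name assumed),
# MySQL 4/5-style GRANT ... IDENTIFIED BY syntax.

DB_NAME="${DB_NAME:-snort}"
DB_USER="${DB_USER:-snort}"
DB_HOST="${DB_HOST:-localhost}"
SNORT_SRC="${SNORT_SRC:-/usr/local/src/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Steps 3 and 4: SQL that creates the database and a dedicated Snort user.
# Only INSERT/SELECT/UPDATE are granted, so a leaked snort.conf password
# cannot be used to DROP or ALTER the tables.
snort_db_setup_sql() {
  db="$1"; user="$2"; host="$3"; pass="$4"
  printf 'CREATE DATABASE IF NOT EXISTS %s;\n' "$db"
  printf "GRANT INSERT,SELECT,UPDATE ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
    "$db" "$user" "$host" "$pass"
  printf 'FLUSH PRIVILEGES;\n'
}

# Step 5: path of the table-creation script in the Snort contrib directory
# (file name assumed).
snort_schema_script() {
  printf '%s/contrib/create_mysql\n' "$1"
}

# Step 6: the line to add to snort.conf. Format of the Snort database
# output plug-in: "output database: <facility>, <db type>, <parameters>".
snort_output_line() {
  db="$1"; user="$2"; pass="$3"; host="$4"
  printf 'output database: log, mysql, user=%s password=%s dbname=%s host=%s\n' \
    "$user" "$pass" "$db" "$host"
}

# Step 8: query showing whether alerts reach the database; the event table
# in the Snort schema gains one row per logged alert.
snort_verify_sql() {
  printf 'SELECT COUNT(*) AS events FROM %s.event;\n' "$1"
}

# Apply everything against a live server. Runs only when invoked as
#   sh snort_mysql_setup.sh apply
# so that sourcing the file for its functions has no side effects.
case "${1:-}" in
  apply)
    printf 'MySQL root password: '; stty -echo; read -r ROOT_PW; stty echo; echo
    printf 'Password for the new %s user: ' "$DB_USER"
    stty -echo; read -r SNORT_PW; stty echo; echo
    snort_db_setup_sql "$DB_NAME" "$DB_USER" "$DB_HOST" "$SNORT_PW" \
      | mysql -u root -p"$ROOT_PW"
    mysql -u root -p"$ROOT_PW" "$DB_NAME" < "$(snort_schema_script "$SNORT_SRC")"
    snort_output_line "$DB_NAME" "$DB_USER" "$SNORT_PW" "$DB_HOST" >> "$SNORT_CONF"
    chmod 600 "$SNORT_CONF"   # the file now holds a database password
    echo 'Restart Snort, trigger a few alerts, then check with:'
    printf '  mysql -u root -p -e "%s"\n' "$(snort_verify_sql "$DB_NAME")"
    ;;
esac
```

Passwords are read from the terminal rather than passed on the command line, because command-line arguments are visible to every local user via ps; for the same reason the script tightens the permissions on snort.conf once the password has been written into it.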