Using BPF Filters Prentice.Hall – Intrusion.Detection.Systems.with.Snort
159
The scheme you choose depends on your particular requirements. For example, if you are running only one sensor and don't have any pre-existing database server, it is a natural choice to install the database on the Snort machine itself. However, if you have many Snort machines, it makes sense to set up a centralized database server as shown in Figure 5-3.
If you are running a separate database server and are logging to it from remote Snort machines, you can send data without any security or you can use some type of encryption. A possible scheme using the Stunnel package is discussed at the end of this chapter. Using Stunnel, you can encrypt all data between the Snort machine and the database server. This system also helps to pass data through firewalls, because with Stunnel you can use the ports that are already open in the firewall.
Before you start logging to a MySQL database, you have to create a database for Snort on the database server. After creating the database, you have to create the tables where Snort data is logged. The table schema used with the database is available from http://www.incident.org/snortdb for your review. However, you don't need to create the tables manually, because Snort comes with a script that does the entire job for you. To work with MySQL, you may have to recompile Snort with MySQL support, as will be explained later in this chapter.
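The steps just described (create the database, load Snort's table schema with the bundled script, rebuild Snort with MySQL support, and point snort.conf at the database) as one shell script. This is an added example, not code from the book or from the Snort project. It assumes a Snort 2.x source tree whose contrib/create_mysql script holds the table schema, a MySQL 5.x or MariaDB server, and site-specific values (DB_PASS, SENSOR_NET, DB_HOST, the source path) that are placeholders here. It goes slightly beyond the text in one respect: the sensor account is restricted to the sensor subnet and to the privileges the logging plugin needs, so the credentials stored in snort.conf are of limited use if they leak.

```shell
#!/bin/sh
# Added example, not from the book: prepare a MySQL database for Snort
# logging and generate the matching snort.conf output line.
# Assumptions (not on this page): a Snort 2.x source tree whose
# contrib/create_mysql script holds the table schema, a MySQL 5.x/MariaDB
# server, and placeholder values below that you replace for your site.

DB_NAME="snort"
DB_USER="snort"
DB_PASS="CHANGE_ME"              # placeholder; set a real password
SENSOR_NET="192.168.1.%"         # constructed: subnet the sensors connect from
DB_HOST="db.example.internal"    # placeholder: the central database server

# Emit SQL that creates the database and a least-privilege account for the
# sensors. The account is bound to the sensor subnet, so a leaked password
# cannot be used from elsewhere, and it gets only the rights the Snort
# database output plugin uses at run time (assumption: INSERT and SELECT;
# check README.database in your Snort version). Schema creation is done
# separately with an administrative account.
snort_db_sql() {
    name=$1; user=$2; pass=$3; net=$4
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$name\`;
CREATE USER '$user'@'$net' IDENTIFIED BY '$pass';
GRANT INSERT, SELECT ON \`$name\`.* TO '$user'@'$net';
FLUSH PRIVILEGES;
EOF
}

# Load Snort's own table schema (contrib/create_mysql) into the new database
# with an administrative account; the script creates every table itself.
load_schema() {
    snort_src=$1; name=$2
    mysql -u root -p "$name" < "$snort_src/contrib/create_mysql"
}

# Emit the snort.conf line that switches alert logging to the database.
# Arguments: dbname user password host.
snort_output_line() {
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=%s\n' \
        "$2" "$3" "$1" "$4"
}

# Append the output line to snort.conf and keep the file root-only, because
# it now holds the database password in clear text.
install_output_line() {
    conf=$1; shift
    snort_output_line "$@" >> "$conf"
    chmod 600 "$conf"
}

# Rebuild Snort with the MySQL output plugin (configure flag --with-mysql).
build_with_mysql() {
    snort_src=$1
    (cd "$snort_src" && ./configure --with-mysql && make && make install)
}

# Run with "apply" to execute the steps (database part on the database
# server, the rest on the sensor); without it the script only defines the
# functions above. /usr/local/src/snort is a placeholder source path.
if [ "${1:-}" = "apply" ]; then
    snort_db_sql "$DB_NAME" "$DB_USER" "$DB_PASS" "$SENSOR_NET" | mysql -u root -p
    load_schema /usr/local/src/snort "$DB_NAME"
    build_with_mysql /usr/local/src/snort
    install_output_line /etc/snort/snort.conf "$DB_NAME" "$DB_USER" "$DB_PASS" "$DB_HOST"
fi
```

When the database is on the Snort machine itself, set DB_HOST to localhost and SENSOR_NET to localhost; when several sensors log to a central server, give each sensor its own account so a compromised sensor can be cut off individually.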
Figure 5-3 Many Snort PCs logging data to a centralized MySQL database server.
160 Chapter 5 • Using Snort with MySQL
After going through this chapter, you should be able to install Snort and MySQL so that all of the Snort activity is logged to the database. You should also be able to set up a centralized database server and enable multiple Snort machines to log to this server. The last part of this chapter provides information about using the Stunnel package for secure data exchange between a Snort machine and a remote database server.