Snort Question

flakzeus · 2008-02-25 14:00:26

I've been looking for a way to setup snort with mysql support on arch and I can't seem to find how to do it. I searched the forum and saw a post by someone who said that mysql support was not built into snort and that one would have to rebuild the package. Well I'm not really sure how to do that. Could anyone help?

Thanks.

FeatherMonkey · 2008-02-25 14:07:50

http://wiki.archlinux.org/index.php/ABS Use ABS and modify the pkgbuild hopefully for you all it will be is to remove --without-mysql

Last edited by FeatherMonkey (2008-02-25 14:08:24)

flakzeus · 2008-02-25 14:58:44

thanks for you reply, but I can't seem to find any pkgbuilds on my system. Where are they located?

FeatherMonkey · 2008-02-25 15:12:44

Follow the wiki page first you got to get abs then download them all, as on the wiki page. The actual pkgbuild will be /var/abs/extra/system/snort then copy it out of there to a build environment as wiki.

flakzeus · 2008-02-26 16:07:15

Ok, so I've built a custom binary with "--with-mysql-libraries=/usr/lib/mysql" and when I try to run snort, it states that it does not have mysql support built in. During the configuration I see "checking for mysql... yes" which tells me that it finds the mysql libraries and they look ok.

I'm confused as to what to do next.

FeatherMonkey · 2008-02-26 20:33:23

mmm I'm really unsure I've struggled through this I've played with snort only as a hobby.

So what I found helped was the docs http://www.snort.org/docs/Snort_Mysql_BASE.pdf

Now in the PKGBUILD I did also add --with-mysql=/usr/bin/mysql --with-mysql-libraries=/usr/lib/mysql

With the database not sure but I found the create_mysql in the src folders and not as a zip so just used a cat. Now using the above howto I have got a db I do have some records in it, but I'm really unsure.

Seems to be logging to it

Perhaps this may point you in the right direction

Also the conf has local in some path names that aren't correct.

Last edited by FeatherMonkey (2008-02-26 20:39:34)

flakzeus · 2008-02-27 18:15:35

I already had all of the other stuff setup and working until I tried to start logging to a databse.

I've rebuilt the package with the options that you did and it still says it doesn't have mysql built in support. It's almost as if when I removed the old version, that a binary or something stuck around that did not have mysql support or something.

Thanks for your help btw.

FeatherMonkey · 2008-02-27 18:19:57

mmm really unsure thats what worked for me unsure where you get told it doesn't have mysql built in. Here's the pkgbuild that I used.

# $Id: PKGBUILD,v 1.36 2007/12/02 12:59:53 andyrtr Exp $
# Maintainer: Andreas Radke <andyrtr@archlinux.org>
# Contributor: dorphell <dorphell@archlinux.org>
# Contributor: Gregor Ibic <gregor.ibic@intelicom.si>
pkgname=snort
pkgver=2.8.0.2
pkgrel=1
pkgdesc="A lightweight network intrusion detection system"
arch=('i686' 'x86_64')
license=('GPL')
depends=('libpcap>=0.9.8' 'pcre')
backup=('etc/conf.d/snort' 'etc/snort/snort.conf')
source=(http://www.snort.org/dl/current/$pkgname-$pkgver.tar.gz snort snort.conf.d
    http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz) # rules RELEASED: 2007-04-27
url="http://www.snort.org"
options=('!makeflags' '!libtool')
md5sums=('c4aeac8aa198a5e4d4bc67b5b2d9bdcb'
         '53284a7996ee41c4c58d13c65d46d776'
         'a117b68ec3d188e40e117f3197e1db25'
         'f236b8a4ac12e99d3e7bd81bf3b5a482')

build() {
  cd $startdir/src/$pkgname-$pkgver
  ./configure --prefix=/usr --sysconfdir=/etc/snort --with-libpcap-includes=/usr/include/pcap \
  --with-mysql=/usr/bin/mysql --with-mysql-libraries=/usr/lib/mysql \
  --without-postgresql  --without-oracle --without-odbc
  make || return 1
  make DESTDIR=$startdir/pkg install
  mkdir -p $startdir/pkg/{etc/rc.d,etc/snort/rules,var/log/snort}
  install -D -m644 etc/{*.conf*,*.map} $startdir/pkg/etc/snort
  install -D -m644 ../../snort.conf.d $startdir/pkg/etc/conf.d/snort
  install -D -m644 $startdir/src/rules/*.rules $startdir/pkg/etc/snort/rules
  install -D -m755 $startdir/snort $startdir/pkg/etc/rc.d/snort
  sed 's|RULE_PATH ../rules|RULE_PATH /etc/snort/rules|' -i $startdir/pkg/etc/snort/snort.conf
}

It's certainly logging to the DB but have tbh not to keen struggle to make sense out of the data, also rarely run mysql so at the mo its not even starting.

I certainly prefer the flat alert log Also I did this over the top of the other one.

No errors at all.
[root@myhost donald]# /etc/rc.d/mysqld start
:: Starting MySQL [DONE]
[root@myhost donald]# /etc/rc.d/snort start
:: Starting Intrusion Database System: SNORT [DONE]

I've only changed the one line in snort.conf and removed the local bits that where wrong.

Last edited by FeatherMonkey (2008-02-27 18:26:31)

flakzeus · 2008-02-27 21:44:10

Ah, thanks to your help I got it working and I believe I know what the problem was. I think what the problem was is when makepkg compiles snort, it or I did not clear out the old files. I'm sure this is an option somewhere. I changed the PKGBUILD file to download the 2.8.0.2 version and did a fresh compile and it worked.

Thanks for your help FeatherMonkey.

FeatherMonkey · 2008-02-27 21:47:33

NP think I did something similar so just wiped it out after not getting very far with make clean.

Do you use an interface for the DB, if so may ask what, phpMyAdmin just makes it confusing?

flakzeus · 2008-02-28 13:35:57

There are several options really, I normally use a project called Base (http://base.secureideas.net/) however I'm having some issues with it because of adodb on arch. I also found liveSnort (http://www.aanval.com/liveSnort/) which is neat for just a quick overview. There are also some desktop apps such as swguil (http://sguil.sourceforge.net/).

FeatherMonkey · 2008-02-28 14:24:06

thanks fkakzeus of to look

Arch Linux

#1 2008-02-25 14:00:26

Snort Question

#2 2008-02-25 14:07:50

Re: Snort Question

#3 2008-02-25 14:58:44

Re: Snort Question

#4 2008-02-25 15:12:44

Re: Snort Question

#5 2008-02-26 16:07:15

Re: Snort Question

#6 2008-02-26 20:33:23

Re: Snort Question

#7 2008-02-27 18:15:35

Re: Snort Question

#8 2008-02-27 18:19:57

Re: Snort Question

#9 2008-02-27 21:44:10

Re: Snort Question

#10 2008-02-27 21:47:33

Re: Snort Question

#11 2008-02-28 13:35:57

Re: Snort Question

#12 2008-02-28 14:24:06

Re: Snort Question

Board footer