Making Snort Work with MySQL
database server is not the same as where Snort is running, you can use the following
lines in the snort.conf file.
output database: log, mysql, user=rr password=rr78x \
dbname=snort host=192.168.1.23
The MySQL database server for the above example is running on host
192.168.1.23. If many Snort sensors are installed and all of them are logging data to the
same database server 192.168.1.23, all of the sensors must have the same line in their
snort.conf files. The database server must be running before starting Snort.
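Added example (not from the book or the Snort project): a small Python check for the requirement above that every sensor carries the same output database line. The sensor names, the sample snort.conf excerpts and the function names are constructed for illustration, and only the first database directive in each file is compared.

```python
import re

# Constructed snort.conf excerpts for three sensors (sample data, not from the page).
SENSOR_CONFIGS = {
    "sensor-a": "output database: log, mysql, user=rr password=rr78x \\\n"
                "dbname=snort host=192.168.1.23\n",
    "sensor-b": "# alerts\noutput database: log, mysql, user=rr password=rr78x "
                "dbname=snort host=192.168.1.23\n",
    "sensor-c": "output database: log, mysql, user=rr password=rr78x \\\n"
                "dbname=snort host=192.168.1.32\n",  # transposed digits
}

def parse_database_outputs(conf_text):
    """Return one dict per 'output database:' directive found in conf_text."""
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)  # fold backslash continuations
    directives = []
    for line in (raw.strip() for raw in joined.splitlines()):
        m = re.match(r"output\s+database:\s*(.+)$", line)
        if not m:
            continue  # comments and unrelated directives
        parts = [p.strip() for p in m.group(1).split(",", 2)]
        if len(parts) != 3:
            raise ValueError(f"malformed directive: {line!r}")
        entry = {"facility": parts[0], "dbtype": parts[1]}
        entry.update(kv.split("=", 1) for kv in parts[2].split() if "=" in kv)
        directives.append(entry)
    return directives

def find_mismatches(configs, reference):
    """Map sensor -> {field: (expected, found)} relative to the reference sensor."""
    expected = parse_database_outputs(configs[reference])
    if not expected:
        raise ValueError(f"{reference} has no output database directive")
    report = {}
    for name, text in configs.items():
        found = parse_database_outputs(text)
        if not found:
            report[name] = {"directive": ("present", "missing")}
            continue
        diffs = {k: (expected[0].get(k), found[0].get(k))
                 for k in set(expected[0]) | set(found[0])
                 if expected[0].get(k) != found[0].get(k)}
        if diffs:
            report[name] = diffs
    return report

if __name__ == "__main__":
    for sensor, diffs in find_mismatches(SENSOR_CONFIGS, "sensor-a").items():
        for field, (want, got) in sorted(diffs.items()):
            shown = "(differs)" if field == "password" else f"{want!r} -> {got!r}"
            print(f"{sensor}: {field} {shown}")
```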
5.1.7 Step 7: Starting Snort with Database Support
When you start Snort after configuring the database, the startup messages show
which database is being used. The boldface lines show database-related information.
[root@laptop]# /opt/snort/bin/snort -c /etc/snort/snort.conf
Log directory = /var/log/snort
Initializing Network Interface eth0
--== Initializing Snort ==--
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializing Output Plugins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Reassembly method: FAVOR_OLD