- Package: MySQL
Version: 3.23.x+
Description: Open Source RDBMS
Reason: Back-end database
Homepage: http://www.mysql.com/
- Package: PostgreSQL
Version: 7.1+
Description: Open Source RDBMS
Reason: Back-end database
Homepage: http://www.postgresql.org/
- Package: Microsoft SQL Server
Version: 7+
Description: Production RDBMS
Reason: Back-end database
Homepage: http://www.microsoft.com/sql/default.asp
- Package: Oracle
Version: 8+
Description: Production RDBMS
Reason: Back-end database
Homepage: http://www.oracle.com/
- Package: unixODBC
Version: 2.2.*
Description: non-Windows ODBC library
Reason: ODBC library
Homepage: http://www.unixodbc.org/
- Package: Snort
Version: 1.7+
Description: Network Intrusion Detection System
Reason: Detects security events
Homepage: http://www.snort.com/
1. Install the RDBMS

In order to log from Snort, the RDBMS must first be installed. The specifics of this process can be found in the database documentation.

Note with Red Hat packages (.rpm): MySQL is distributed as 5 different packages.
Table #1: Required .RPMs for installing MySQL

  MySQL .rpm package       | dedicated Snort | dedicated MySQL | Snort and MySQL
                           |    machine      |    machine      | on same machine
  -------------------------+-----------------+-----------------+----------------
  Server                   |                 |       X         |       X
  Benchmark/test suite     |    optional     |    optional     |    optional
  Client program           |                 |       X         |       X
  Library and Headers      |       X         |       X         |       X
  Client Shared libraries  |       X         |       X         |       X
The directory containing the database's shared client library must be in
LD_LIBRARY_PATH or, on Linux systems, listed in the /etc/ld.so.conf file
(remember to run ldconfig after updating ld.so.conf).

Table #2: Filenames of the required shared client libraries

  Database      Shared client library
  ----------    ---------------------
  MySQL         libmysqlclient.so
  PostgreSQL    libpq.so
  Oracle
  unixODBC      libodbc.so

For example, if libmysqlclient.so, the MySQL client library, was installed in
/usr/local/mysql/lib, then this directory would need to be either in the
LD_LIBRARY_PATH environment variable or in /etc/ld.so.conf on Linux systems.

Failure by the run-time linker to locate the database library will result in
an error as follows (for MySQL) at Snort start-up:

snort: error loading shared libraries: libmysqlclient.so ... : No such file or directory
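As an added check (example script, not part of the Snort documentation or distribution), the following POSIX shell snippet parses ldd(1) output for libraries the run-time linker cannot resolve, so the start-up error above can be caught beforehand and the directory to add to LD_LIBRARY_PATH or /etc/ld.so.conf located. It assumes GNU ldd, a snort binary at ./snort unless another path is given, and the sample ldd output it checks offline is constructed (the library name libmysqlclient.so.10 in it is an assumption).

```shell
#!/bin/sh
# Added example, not part of the Snort documentation: report database client
# libraries that the run-time linker cannot resolve for the snort binary.
# Assumptions: GNU ldd(1) is available; the binary is ./snort unless a path
# is given; the sample ldd output below is constructed for the offline check.

# Read ldd(1) output on stdin and print each unresolved library, one per
# line. ldd marks an unresolved dependency as "libfoo.so => not found".
missing_libs_from_ldd() {
    awk '/=> not found/ { print $1 }'
}

# Run ldd on a binary and, for each missing library, look for a copy under
# the usual prefixes and print the two fixes from the text: add its
# directory to LD_LIBRARY_PATH, or to /etc/ld.so.conf followed by ldconfig.
# Returns 0 if everything resolves, 1 if something is missing, 2 on bad input.
check_snort_libs() {
    bin="${1:-./snort}"
    if [ ! -x "$bin" ]; then
        echo "check_snort_libs: $bin is not an executable" >&2
        return 2
    fi
    missing=$(ldd "$bin" 2>/dev/null | missing_libs_from_ldd)
    if [ -z "$missing" ]; then
        echo "all shared libraries for $bin resolve"
        return 0
    fi
    for lib in $missing; do
        echo "missing: $lib"
        found=$(find /usr /opt -name "$lib*" -type f 2>/dev/null | head -n 1)
        if [ -n "$found" ]; then
            dir=$(dirname "$found")
            echo "  found a copy in $dir; either"
            echo "    export LD_LIBRARY_PATH=$dir:\$LD_LIBRARY_PATH"
            echo "  or, as root on Linux,"
            echo "    echo $dir >> /etc/ld.so.conf && ldconfig"
        fi
    done
    return 1
}

# Constructed sample: ldd output for a snort linked against MySQL whose
# client library is not on the linker search path.
SAMPLE_LDD='        libmysqlclient.so.10 => not found
        libpcap.so.0 => /usr/lib/libpcap.so.0 (0x40016000)
        libm.so.6 => /lib/libm.so.6 (0x40034000)
        libc.so.6 => /lib/libc.so.6 (0x40056000)'

# Offline demonstration on the sample; prints "libmysqlclient.so.10".
sample_missing() {
    printf '%s\n' "$SAMPLE_LDD" | missing_libs_from_ldd
}

# When run as a script, check the given snort binary.
if [ -n "${1:-}" ]; then
    check_snort_libs "$1"
fi
```

Run it as "sh check_libs.sh /usr/local/bin/snort" on the sensor after "make install"; a non-zero exit means Snort would fail with the error shown above.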
2. Build Snort with database support

shell> ./configure
shell> make
shell> make install

If MySQL, PostgreSQL, Oracle, or unixODBC is installed in a standard place, the
./configure script will automatically detect the location of the include and
library files. If they are not installed in a standard directory, the
appropriate switch to the ./configure script needs to be used:

  --with-mysql=DIR         support for mysql
  --with-odbc=DIR          support for odbc
  --with-postgresql=DIR    support for postgresql
  --with-oracle=DIR        support for oracle

The DIR value should be set to the base directory of the database
installation. For example, to add MySQL database support where the base
directory of the installation is /usr/local/mysql:

shell> ./configure --with-mysql=/usr/local/mysql

Note: native MS-SQL Server support is NOT possible on Unix without the use of
ODBC. For native SQL Server support use Snort on Windows.

The following is the database-specific output of the ./configure script:

checking for mysql... yes
checking for odbc... yes
checking for postgresql... yes
checking for oracle... yes

If "yes" is not returned for the desired database type, then the database
library has not been detected correctly. Specify the appropriate directory
with the ./configure switch (i.e., --with-<database_type>=DIR).

Attempting to use database logging later without support having been compiled
in will result in the following error message at Snort start-up (this example
assumes that MySQL logging was configured but this build of Snort does not
support it):

database: compiled support for ( )
database: configured to use mysql
database: mysql support is not compiled in this copy
Check your configuration file to be sure you did not mis-spell "mysql".
If you did not, you will need to reconfigure and recompile ensuring that
you have set the correct options to the configure script.
Type "./configure --help" to see options for the configure script.
Fatal Error, Quitting..
Snort can be built from source under Windows; however, the standard UNIX
configure script will not be present. The appropriate MS Visual Studio
project files are included in the win32/ directory.

Pre-compiled Snort binaries for Windows with database support can be found at:

Note: Native MS-SQL Server support is only possible on the Windows version of Snort.
3. Create the database

[MySQL]
shell> echo "CREATE DATABASE snort;" | mysql -u root -p

[PostgreSQL]
shell> createdb snort

[Oracle]
Use DBA Studio to create the new database.

[MS SQL Server]
Use the appropriate DBA tool to execute the following SQL:
CREATE DATABASE snort;
4. Create the tables

Supplied in the contrib/ directory of the Snort distribution will be the
appropriate table creation (DDL) script.

Table 3: DDL script names

  Database Type    Script Name
  -------------    -----------------
  MySQL            create_mysql
  PostgreSQL       create_postgresql
  Oracle           create_oracle.sql
  MS SQL Server    create_mssql

The script which corresponds to the deployed database type must be run
against the new database created in Step #3.

Note: All the examples below assume that the database name is "snort", and
that the relative path to the DDL script is "./contrib".

[MySQL]
shell> mysql -D snort -u root -p < ./contrib/create_mysql

[PostgreSQL]
shell> psql snort < ./contrib/create_postgresql

Note: This example assumes that the current user has the appropriate
privileges to create tables in the snort database.

[Oracle]
Use DBA Studio or SQL*Plus to run the create_oracle.sql script.

[MS SQL Server]
Use the appropriate DBA tool to run the create_mssql script.
5. Create the database user

[MySQL]
shell> mysql -u root -D mysql -p
mysql> GRANT INSERT, SELECT ON snort.* TO snort@sensor1
    -> IDENTIFIED BY 'snort_password';
mysql> quit;

Note: Remember that MySQL users consist of a user name and a hostname
(here the sensor host sensor1). From each host that a connection to the
database will be made, there must be a corresponding user/hostname entry.

[PostgreSQL]
shell> createuser snort_db_user
Shall the new user be allowed to create databases? (y/n) n
Shall the new user be allowed to create more new users? (y/n) n
CREATE USER

[Oracle] and [MS SQL Server]
Use the appropriate DBA tool to create a user named "snort_db_user".

Note on assigning passwords: There are known issues with using certain special
characters such as '$' (dollar sign) in passwords when they are passed from
Snort. If everything appears to be configured correctly but authentication
always fails, try testing with a password that does not contain these
characters.
6. Grant permission to the database user

Table 4: Required Permissions on the database objects (tables and sequences)

                                  |    DB Permission     ||       Applies to Database
  DB Object Name                  | SELECT|INSERT|UPDATE || MySQL | PgSQL | MSSQL | Oracle
  ================================+=======+======+=======++=======+=======+=======+=======
  data                            |       |  X   |       ||   X   |   X   |   X   |   X
  detail                          |   X   |      |       ||   X   |   X   |   X   |   X
  encoding                        |   X   |      |       ||   X   |   X   |   X   |   X
  event                           |   X   |  X   |       ||   X   |   X   |   X   |   X
  icmphdr                         |       |  X   |       ||   X   |   X   |   X   |   X
  iphdr                           |       |  X   |       ||   X   |   X   |   X   |   X
  opt                             |       |  X   |       ||   X   |   X   |   X   |   X
  reference                       |       |  X   |       ||   X   |   X   |   X   |   X
  reference_system                |   X   |  X   |       ||   X   |   X   |   X   |   X
  schema                          |   X   |      |       ||   X   |   X   |   X   |   X
  sensor                          |   X   |  X   |       ||   X   |   X   |   X   |   X
  sig_class                       |   X   |  X   |       ||   X   |   X   |   X   |   X
  sig_reference                   |   X   |  X   |       ||   X   |   X   |   X   |   X
  signature                       |   X   |  X   |       ||   X   |   X   |   X   |   X
  tcphdr                          |       |  X   |       ||   X   |   X   |   X   |   X
  udphdr                          |       |  X   |       ||   X   |   X   |   X   |   X
  reference_ref_id_seq            |   X   |      |   X   ||       |   X   |       |   X
  reference_sys_ref_system_id_seq |   X   |      |   X   ||       |   X   |       |   X
  sensor_sid_seq                  |   X   |      |   X   ||       |   X   |       |   X
  sig_class_sig_class_id_seq      |   X   |      |   X   ||       |   X   |       |   X
  signature_sig_id_seq            |   X   |      |   X   ||       |   X   |       |   X
  ================================+=======+======+=======++=======+=======+=======+=======
  X = required permission
[MySQL]
If the database user was created successfully per the instructions in step 5,
no additional action is necessary. If an existing user will be used, issue
the following command:

shell> echo "GRANT INSERT, SELECT ON snort.* TO snort@sensor1;" | \
       mysql -u root -D mysql -p

Note that this grants SELECT and INSERT on every table in the snort database,
which is broader than Table 4; MySQL also accepts table-level grants if the
privileges are to be restricted exactly as in Table 4.

[PostgreSQL]
shell> psql snort
psql> GRANT SELECT ON detail, encoding, event, reference_system, schema,
        sensor, sig_class, sig_reference, signature
        TO snort_db_user;
psql> GRANT INSERT ON data, event, icmphdr, iphdr, opt, reference,
        reference_system, sensor, sig_class, sig_reference,
        signature, tcphdr, udphdr
        TO snort_db_user;
psql> GRANT UPDATE ON reference_ref_id_seq, reference_sys_ref_system_id_seq,
        sensor_sid_seq, sig_class_sig_class_id_seq,
        signature_sig_id_seq
        TO snort_db_user;

[Oracle] and [MS SQL Server]
Use the appropriate DBA tool to assign the permissions listed in Table 4.
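The following shell script is an added example (not part of the Snort documentation or distribution) that serves steps 5 and 6 together: it emits the account creation and the per-object GRANT statements of Table 4 for MySQL or PostgreSQL, so that the sensor account gets exactly the SELECT, INSERT and UPDATE rights in the table rather than the blanket INSERT/SELECT on snort.* shown above for MySQL. The database name snort, the user names snort and snort_db_user, the client host sensor1 and the password value are the placeholders used in this document; Oracle and MS SQL Server are not covered, as the document defers those to the vendor DBA tools.

```shell
#!/bin/sh
# Added example, not part of the Snort documentation: print the
# least-privilege GRANT statements of Table 4 for the chosen database type,
# instead of the blanket "GRANT INSERT, SELECT ON snort.*" of step 6.
# Assumptions (all placeholders): database "snort", sensor account "snort",
# MySQL client host "sensor1", password "snort_password" unless given.

# The three object lists are Table 4 transcribed; keep them in sync with the
# DDL script in contrib/ if the schema changes.
SELECT_TABLES="detail encoding event reference_system schema sensor sig_class sig_reference signature"
INSERT_TABLES="data event icmphdr iphdr opt reference reference_system sensor sig_class sig_reference signature tcphdr udphdr"
SEQUENCES="reference_ref_id_seq reference_sys_ref_system_id_seq sensor_sid_seq sig_class_sig_class_id_seq signature_sig_id_seq"

# join_csv "a b c" -> "a, b, c"
join_csv() {
    printf '%s' "$1" | sed 's/ /, /g'
}

# snort_grants <mysql|postgresql> [db] [user] [host] [password]
# Writes SQL to stdout; pipe it into the mysql or psql client, e.g.
#   snort_grants mysql snort snort sensor1 'snort_password' | mysql -u root -p
#   snort_grants postgresql snort snort_db_user '' 'snort_password' | psql snort
# The password must not contain a single quote (it is embedded in SQL), and
# per the note in step 5 should avoid '$' as well.
snort_grants() {
    dbtype="$1"; db="${2:-snort}"; user="${3:-snort}"
    host="${4:-sensor1}"; pw="${5:-snort_password}"
    case "$dbtype" in
    mysql)
        # MySQL accounts are user@host pairs. GRANT USAGE creates the account
        # with a password and no privileges (IDENTIFIED BY on GRANT is the
        # MySQL 3.23/4.x form this document uses; it was removed in MySQL 8.0,
        # where CREATE USER must be run first). Then one GRANT per table, so
        # the sensor can neither read packet tables nor write lookup tables.
        printf "GRANT USAGE ON *.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pw"
        for t in $SELECT_TABLES; do
            printf "GRANT SELECT ON %s.%s TO '%s'@'%s';\n" "$db" "$t" "$user" "$host"
        done
        for t in $INSERT_TABLES; do
            printf "GRANT INSERT ON %s.%s TO '%s'@'%s';\n" "$db" "$t" "$user" "$host"
        done
        ;;
    postgresql)
        # NOCREATEDB mirrors the answer given to createuser in step 5.
        # Sequences need UPDATE (for nextval) on PostgreSQL 7.x-8.1; on 8.2+
        # GRANT USAGE ON SEQUENCE is the preferred spelling.
        printf "CREATE USER %s WITH PASSWORD '%s' NOCREATEDB;\n" "$user" "$pw"
        printf "GRANT SELECT ON %s TO %s;\n" "$(join_csv "$SELECT_TABLES")" "$user"
        printf "GRANT INSERT ON %s TO %s;\n" "$(join_csv "$INSERT_TABLES")" "$user"
        printf "GRANT UPDATE ON %s TO %s;\n" "$(join_csv "$SEQUENCES")" "$user"
        ;;
    *)
        echo "snort_grants: unsupported database type '$dbtype' (use mysql or postgresql)" >&2
        return 2
        ;;
    esac
}

# When run as a script, pass the arguments straight through.
if [ $# -gt 0 ]; then
    snort_grants "$@"
fi
```

Because the password is embedded in the generated SQL, feed the output straight into the database client over a pipe rather than saving it to a file, and afterwards verify from the sensor host that the account can INSERT into event but cannot SELECT from data; a Snort sensor that is compromised then yields no packet payloads through the database.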