Frequently Asked Questions (FAQ)

Last Updated: April 14, 2002

About

(A-1) What databases are supported?
(A-2) How can I get database support in snort?
(A-3) What is the database schema?
(A-4) What applications are there to read the database?

Logging

(B-1) No events are getting logged to the database
(B-2) Certain events (i.e., portscans, spade) are not logging to the database
(B-3) Every alert generates two events in the database
(B-4) How are IP addresses represented?
(B-5) How can the database be purged and reloaded with new data?

Errors

(C-1) Common compilation errors
(C-2) Common startup errors
(C-3) Common MySQL errors


About


(A-1) What databases are supported?

Snort natively supports logging to MySQL, PostgreSQL, Oracle, Microsoft SQL Server, and any ODBC compliant database through unixodbc.

(A-2) How can I get database support in snort?

Snort includes database support; no additional downloads are necessary. The database functionality is implemented as an output plugin in the files spo_database.h and spo_database.c.

(A-3) What is the database schema?

See the Snort database schema documentation.

(A-4) What applications are there to read the database?

  • ACID - Analysis Console for Intrusion Databases: A very powerful web-based PHP application to analyze, display, query, organize, and manage data in a snort database.
  • DEMARC: A powerful and visually appealing web application to monitor your MySQL snort database.
  • SnortReport: A tool to generate (near) real-time intrusion detection reports in an easy to read format based on data collected in a MySQL database.

    Logging


    (B-1) No events are getting logged to the database

    There are potentially numerous causes for this problem:

  • Confirm that the database output plugin has actually been configured in the configuration file being used (see Configuration for details). There should be a line in the configuration file that starts as follows:
      output database: ...
    

  • If snort is being run in daemon-mode (-D), run it without this option to see if any errors will be generated.

  • Confirm that the command line arguments are not overriding the logging configuration (if they are, the warning "WARNING: command line overrides rules file alert plugin!" is displayed). Using "-A" or "-s" will override any database logging configuration. If multiple output targets are desired (e.g., logging to a file and the database), use the configuration file to set up these plugins.

  • Confirm that snort is actually generating events to be logged. Exit from snort by hitting ^C (Control-C). Are the associated statistics for "ALERTS" and "LOGGED" under "Action Stats" non-zero?

    (B-2) Certain events (i.e., portscans, spade) are not logging to the database

    Certain pre-processors, such as portscan and spade, only use the "alert" facility. Change the configuration of the database output plugin to use alert. For example,
      output database: alert, mysql, user=snort dbname=snort_db host=localhost password=foo

    (B-3) Every alert generates two events in the database

    More than likely there are two configuration entries for the database output plugin in the configuration file. Remove one of them. It is unnecessary to output to the database on both the "alert" and "log" facilities.

    (B-4) How are IP addresses represented?

    IP addresses are stored in the database as unsigned 32-bit integers. This format allows for more efficient storage as well as complex queries involving network masks. The database schema stores IP addresses in two fields: iphdr.ip_src and iphdr.ip_dst. The following is a description of how to convert the 32-bit unsigned integer representation of an IP address into the human-readable 4-octet (dotted) format.

    [Theoretical]

    Let IP  = the 32-bit unsigned integer representation of the IP address
        ip1 = octet 1 of 4 (high-order)
        ip2 = octet 2 of 4
        ip3 = octet 3 of 4
        ip4 = octet 4 of 4 (low-order)
        
        >>  = bitwise shift right operator; takes an operand giving the number of bits to shift
        AND = bitwise AND operator
    
    Then, 
       ip1 = IP >> 24
       ip2 = (IP AND 00000000 11111111 00000000 00000000) >> 16
       ip3 = (IP AND 00000000 00000000 11111111 00000000) >> 8
       ip4 = (IP AND 00000000 00000000 00000000 11111111)
    
       IP = ip1 . ip2 . ip3 . ip4
    
    

    [MySQL]

    MySQL provides a native function, inet_ntoa(), which will convert an unsigned 32-bit integer into a 4-octet IP address.

    mysql> SELECT ip_src, inet_ntoa(ip_src) FROM iphdr;
    +------------+-------------------+
    | ip_src     | inet_ntoa(ip_src) |
    +------------+-------------------+
    | 2130706433 | 127.0.0.1         |
    +------------+-------------------+
    

    [PostgreSQL]

    PostgreSQL does not provide a native function to convert the unsigned 32-bit representation into a 4-octet IP address. However, the following custom function provides the same functionality (courtesy of Phil Mayers).

    CREATE FUNCTION plpgsql_call_handler () RETURNS OPAQUE AS
    '/usr/lib/pgsql/plpgsql.so' LANGUAGE 'C';
    
    -- Note: remember to change the above path to 'plpgsql.so' 
    
    CREATE TRUSTED PROCEDURAL LANGUAGE 'plpgsql' HANDLER plpgsql_call_handler
    LANCOMPILER 'PL/pgSQL';
    
    CREATE FUNCTION int8ip_to_str(int8) RETURNS inet AS '
    DECLARE
        t inet;
    BEGIN
        t = (($1>>24) & 255::int8) || ''.'' ||
            (($1>>16) & 255::int8) || ''.'' ||
            (($1>>8)  & 255::int8) || ''.'' ||
            ($1     & 255::int8);
        RETURN t;
    END;
    ' LANGUAGE 'plpgsql';
    
    The following is an example of the custom function int8ip_to_str():
    snort_db=# SELECT ip_src, int8ip_to_str(ip_src) FROM iphdr;
       ip_src   | int8ip_to_str 
    ------------+---------------
     2130706433 | 127.0.0.1
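The (B-4) conversion carried out in Python, as an added example that is not part of the original FAQ: it applies the shift-and-mask steps above, the inverse needed to build queries against the integer columns, the CIDR bounds that make the network-mask queries possible, and what the same value looks like if it lands in a signed 32-bit column (the reason the PostgreSQL function above takes int8). Function names and sample values are my own.

```python
# Added example, not code from the Snort FAQ. Sample values are constructed.
IPV4_MAX = 0xFFFFFFFF


def int_to_dotted(ip):
    """Convert the unsigned 32-bit integer stored in iphdr.ip_src/ip_dst
    to dotted-quad form, using the shift-and-mask steps from the FAQ."""
    if not 0 <= ip <= IPV4_MAX:
        raise ValueError("not an unsigned 32-bit value: %r" % ip)
    ip1 = ip >> 24                     # octet 1 (high-order)
    ip2 = (ip & 0x00FF0000) >> 16      # octet 2
    ip3 = (ip & 0x0000FF00) >> 8       # octet 3
    ip4 = ip & 0x000000FF              # octet 4 (low-order)
    return "%d.%d.%d.%d" % (ip1, ip2, ip3, ip4)


def dotted_to_int(text):
    """Inverse conversion, for WHERE clauses against the integer columns."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % text)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range: %r" % part)
        value = (value << 8) | octet
    return value


def cidr_bounds(cidr):
    """Return (low, high) integer bounds for a network such as
    '192.168.0.0/16', so 'WHERE ip_src BETWEEN low AND high' selects
    every address in the prefix without converting each row."""
    network, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("bad prefix length: %r" % cidr)
    mask = (IPV4_MAX << (32 - prefix)) & IPV4_MAX
    low = dotted_to_int(network) & mask
    return low, low | (IPV4_MAX ^ mask)


def to_signed_int4(ip):
    """How an unsigned value reads back from a signed 32-bit column:
    anything above 2**31 - 1 wraps negative, so a 4-byte signed type
    cannot hold the FAQ's representation (hence int8 in PostgreSQL)."""
    return ip - (1 << 32) if ip > 0x7FFFFFFF else ip
```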
    
    (B-5) How can the database be purged and reloaded with new data?
    The most straightforward way to delete all the data from the database (i.e., return it to the state of an empty database) is to execute the following SQL statements:
      DELETE FROM sensor;
      DELETE FROM event;
      DELETE FROM iphdr;
      DELETE FROM tcphdr;
      DELETE FROM udphdr;
      DELETE FROM icmphdr;
      DELETE FROM data;
      DELETE FROM opt;
      DELETE FROM signature;
      DELETE FROM sig_class;
      DELETE FROM sig_reference;
      DELETE FROM reference;
      DELETE FROM reference_system;
    
    Remember, this is not a selective delete process. All alerts in the database will be irrecoverably purged.


    Errors


    (C-1) Common compilation errors

    
    libmysqlclient.a(my_compress.o): In function `my_uncompress':
       my_compress.o(.text+0x9a): undefined reference to `uncompress'
    libmysqlclient.a(my_compress.o): In function `my_compress_alloc':
       my_compress.o(.text+0x12a): undefined reference to `compress'
    
    The linker is unable to resolve certain compression routines needed by the MySQL client library. Add "-lz" to the "LIBS" variable in the Makefile.


    (C-2) Common startup errors

    
    database: compiled support for ( )
    database: configured to use mysql
    database: mysql support is not compiled in this copy
    
    Check your configuration file to be sure you did not mis-spell "mysql".
    If you did not, you will need to reconfigure and recompile ensuring that
    you have set the correct options to the configure script. Type
    "./configure --help" to see options for the configure script.
    
    Fatal Error, Quitting..
    
    Support for each database needs to be explicitly compiled into snort. This error indicates that the build of snort currently being used does not support the desired database (e.g., mysql, postgresql, oracle, mssql, odbc).

    If this instance of snort was built from source, see Step #2: Install Snort of the database plugin Installation documentation.

    If this instance of snort was a pre-built binary, go back to the distributor and look for a pre-built binary of snort with database support. Such builds are often named "snort+mysql" or "snort-mysql".


    
    WARNING: command line overrides rules file alert plugin!
    
    In snort, the command line arguments will always override the configuration directives set in the configuration file. Using the "-A" or "-s" arguments will override and disable any database logging configuration. If multiple output targets are desired (e.g., logging to a file and the database), use the configuration file to set up these plugins.


    
    database: The underlying database seems to be running an older version of the DB schema.
    
    In order to support the richer features found in snort with every new release, the database schema used to log events must change. When an upgrade of snort is deployed, it is often the case that the database used to store alerts from the previous version is no longer compatible. In certain cases, the older database can be updated, but when large changes occur, re-creating a new database is the only easy option. The schema to use with a given version of snort can always be found in the "contrib" directory in the snort distribution. See the database schema documentation for more information.


    
    database: Problem obtaining SENSOR ID (sid) from ...
    
    Prior to logging any alerts, the database plugin will look up (and if necessary write) information about this instance of snort into the database. This error indicates that snort was able to successfully connect to the alert database, but was unable to read or write to one of the tables (i.e., sensor). Most likely insufficient privileges have been given to the snort database user. See Step #6: Grant permission to the database user of the installation instructions.

    (C-3) Common MySQL errors

    
    database: mysql_error: Can't connect to local MySQL server through socket 'some_path/mysql.sock' (2)
    
    MySQL has been configured to communicate over a UNIX domain socket, but this socket file could not be found in the default directory.


    
    FATAL ERROR: database: mysql_error: Access denied for user: 'acid@localhost' (Using password: YES)
    
    The database user and the provided credentials cannot authenticate to the MySQL alert database. For additional information on "Access denied" error messages consult the MySQL documentation: http://www.mysql.com/doc/A/c/Access_denied.html


    
    snort: error loading shared libraries: libmysqlclient.so ... : No such file or directory
    
    The run-time linker is unable to find the MySQL library. Locate the directory in which this shared library is stored then either update the environment variable LD_LIBRARY_PATH with this path or (if in Linux) add this directory to /etc/ld.so.conf (and run ldconfig).

    Snort DB logging: FAQ