Snort mailing list archives

Multi Snort and MS SQL


From: "Stephen Shepherd" <drew600_1999 () yahoo com>
Date: Fri, 7 Dec 2001 10:27:50 -0700

If you want to use MSSQL then you will have to configure your Snort engines
to write directly to the MSSQL DB.  The sensors (engines) will have to be
running on a WIN32 platform to do this. I have included some brief
instructions on how to do this.  There are MSSQL Snort executables on the
Silicon Defense web site

http://www.silicondefense.com/

If your sensors are not WIN32 then you will have to use MySQL or Postgres (I
would use MySQL since Barnyard will support it).  If you go this route I
would recommend using Barnyard to do the DB writes.  If you let Snort do the
DB writes and you have a lot of traffic you will start dropping packets due
to the overhead.  Barnyard does not currently support MSSQL, so if you go the
MSSQL route your only option is to have Snort log directly to the DB.

Finally once you get your snort alerts into a DB you will want ACID to do
the analysis.  You can find ACID info on the SD website and the ACID
website.

http://www.cert.org/kb/acid/


Brief MSSQL Instructions:

Well they don't have a sheet yet. Mike asked me to type one up but I have
yet to get time. Here are the basic steps:

1.) Have SQL installed and running, either locally or on another box.

2.) Create a DB called snort on the SQL server.

3.) Use the SQL script mssql.conf that comes with the Win32 distribution.
This is a text file with TSQL statements for creating the tables. You can
run this in many different ways, but I used the SQL Query Analyzer tool.

4.) Create a user for the snort DB and make sure it has enough rights to
add/update the DB. I just made my snortuser DBO for the snort DB.

5.) The machine that is running Snort will need the MS SQL client installed.
Install this by running SQL Server setup on the workstation and selecting
the client tools install.

6.) Configure the DB plug-in line in snort.conf to point to the right DB
server and give it the appropriate credentials.

That's the best I can come up with from memory right now. Give it a try and
see how it goes.
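The T-SQL for steps 2 and 4 of the instructions above, as an added example that is not part of the original post and not part of the Snort distribution. It assumes SQL Server 2000 (hence the sp_addlogin / sp_grantdbaccess system procedures rather than CREATE LOGIN, which that version lacks), a database named snort and a login named snortuser; the password, the server name SQLSERVER and the path to mssql.conf are placeholders. The reader/writer role grant in place of DBO is a suggestion, on the assumption that once mssql.conf has created the tables the plug-in only needs to select and insert rows.

```sql
-- Constructed example: not from the post or from Snort. Assumes MSSQL 2000,
-- a database "snort", a login "snortuser"; password and server name are
-- placeholders.

-- Step 2: create the database the sensors will write to.
CREATE DATABASE snort
GO

-- Step 3 (not in this file): run the mssql.conf script shipped with the
-- Win32 Snort distribution against the "snort" database. From a command
-- prompt on a box with the client tools, using a trusted connection:
--   osql -S SQLSERVER -E -d snort -i mssql.conf
-- That script creates the alert tables; nothing here replaces it.

-- Step 4: a dedicated SQL login and database user for the sensors.
EXEC sp_addlogin @loginame = 'snortuser',
                 @passwd   = 'ChangeMe-Use-A-Real-Password',
                 @defdb    = 'snort'
GO

USE snort
GO
EXEC sp_grantdbaccess @loginame = 'snortuser', @name_in_db = 'snortuser'
GO

-- The post made snortuser DBO. A narrower grant (assumption: the plug-in
-- only selects and inserts once the schema exists) is reader plus writer.
EXEC sp_addrolemember @rolename = 'db_datareader', @membername = 'snortuser'
EXEC sp_addrolemember @rolename = 'db_datawriter', @membername = 'snortuser'
GO
-- If a sensor then fails with permission errors, fall back to the post's
-- setting instead:
-- EXEC sp_addrolemember @rolename = 'db_owner', @membername = 'snortuser'

-- Check what the user can do before pointing sensors at the server.
EXEC sp_helpuser 'snortuser'
GO
```

For step 6, the matching snort.conf directive follows the form documented for the database plug-in, `output database: log, mssql, dbname=snort user=snortuser password=...`; whether the server name goes in a `host=` parameter or in the client's configured default server should be checked against the README.database that ships with the Win32 build being used. Since the password sits in clear text in snort.conf, restrict read access on that file to the account Snort runs under.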

Message: 2
Date: Thu, 06 Dec 2001 14:20:52 -0600
To: snort-users () lists sourceforge net
From: "Djinn D'Angel" <djinn () insight rr com>
Subject: [Snort-users] Multi Snort and MS SQL

All,
I just started in the networking group and was asked to consolidate our IDS
systems and have central reporting with the ability to do historical
comparisons. So, here go my questions. First, how do I get all my Snort
engines to report to the same box? Next, how can I have all the output
going to an MS-SQL database, specifically MSSQL 2000? We already have the
MS-SQL 2000 server, thus the reason for not wanting to start using
another SQL server.
I would appreciate any help I can get,
Djinn



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
