IPCop, Snort, and MySQL

Alex Dean alex at crackpot.org
Fri Mar 31 10:09:59 MST 2006


On Mar 30, 2006, at 6:10 PM, Edward Norton wrote:

> On 3/30/06, Alex Dean <alex at crackpot.org> wrote:
> On Mar 30, 2006, at 11:42 AM, Jim wrote:
>
> ps - I haven't yet found an addon package that will support Snort
> (intrusion detection) logging to MySQL.  All you get by default is
> logging to a text file, which you can read via IPCop's web
> interface.  Not very useful, as you basically have to troll through
> pages and pages of log entries looking for possible problems.  I've
> turned Snort off until I find a more effective way to analyze its
> logs.  That's maybe a little off topic, but it's the only thing I've
> yet wanted from IPCop that hasn't been easy to add.
>
> I'm not aware of any add-ons like that, but you could presumably
> upload one of the snort analyzers to the IPCop box and go from there.

I may try some of the tools for analyzing Snort's text-based logs,  
but I was most interested in the RDBMS options.  The package I really  
want to use is BASE (http://secureideas.sourceforge.net/), which is a  
successor to a similar project called ACID (http://acidlab.sourceforge.net/).
It's a PHP/MySQL app for analyzing Snort
logs.

You can't use BASE if Snort isn't logging to MySQL.  If I was  
building Snort from scratch, adding MySQL support looks pretty  
simple, but not on IPCop.  It doesn't seem to include the basics like  
cc or make.  This makes a lot of sense, given IPCop's purpose as a  
stripped-down firewall, but it leaves me a little stuck on how to  
expand it.  I guess maybe I need to figure out how some of the other  
addon providers package their upgrades, and that might clue me in.

I've asked twice on the IPCop users list as to how I might add a  
mysql-enabled Snort, and have gotten 0 responses.  Searching their  
list archives, all I found was a note from 2004 suggesting that the  
way to do this was to build your own IPCop distribution.  (IPCop is  
based on Linux From Scratch.)  I got the source for IPCop and poked  
around, but haven't made a ton of progress.  Seems like there should  
be a simpler way.

All that is really needed is a different version of snort (actually,  
just compiled with 1 extra flag set) and the MySQL client library.   
I'm still surprised this isn't already out there, but maybe someday  
I'll actually figure out how to make it happen. :)  Any help/advice  
is appreciated.

alex
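A small analyzer for Snort's text-based alert log, added here as an example; it is not code from this thread, from IPCop, Snort or BASE. It assumes Snort 2.x "alert_fast" output and runs over constructed sample lines, rolling the alerts up per signature and per source address so the log does not have to be read page by page.

```python
import re
from collections import Counter

# Field layout of a Snort 2.x "alert_fast" line. Ports are optional because
# ICMP alerts carry none; the Classification tag is optional as well.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample lines in alert_fast layout (documentation addresses), not a real capture.
SAMPLE_LOG = """\
03/30-18:10:01.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1033 -> 192.0.2.10:1434
03/30-18:10:02.234567  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1033 -> 192.0.2.11:1434
03/30-18:11:15.345678  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.10
03/30-18:12:40.456789  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:80 -> 203.0.113.7:4521
this line is not an alert and must be skipped
"""

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["pri"] = int(fields["pri"])
    return fields

def summarize(text, max_priority=2):
    """Count alerts per signature, and per source address for priority <= max_priority."""
    by_sig, by_src, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        by_sig[(alert["sid"], alert["msg"])] += 1
        if alert["pri"] <= max_priority:
            by_src[alert["src"]] += 1
    return {"by_sig": by_sig, "by_src": by_src, "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (sid, msg), n in report["by_sig"].most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    for src, n in report["by_src"].most_common():
        print(f"{n:4d}  high-priority alerts from {src}")
```

Point it at IPCop's copy of the alert file and the unparseable-line count tells you whether Snort was configured for a different output format than alert_fast.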