IPCop, Snort, and MySQL

Richard Wilson r.wilson9 at cox.net
Sun Apr 2 22:53:32 MST 2006


All,

Last August I attended the O'Reilly Open Source Convention in Portland
and attended a session where Jeremy Brinkley spoke specifically on the
subject of Snort and MySQL working together.  The presentation slides
can be found at
http://www.batray.net/jeremy/Getting_the_Right_Answers_from_Snort/

It's on my list of "neat things I really want to check out further
because they're likely to be really useful..."

Richard Wilson
-----------------------------------------------------
On Fri, 2006-03-31 at 10:09 -0700, Alex Dean wrote:
> On Mar 30, 2006, at 6:10 PM, Edward Norton wrote:
> 
> > On 3/30/06, Alex Dean <alex at crackpot.org> wrote:
> > On Mar 30, 2006, at 11:42 AM, Jim wrote:
> >
> > ps - I haven't yet found an addon package that will support Snort
> > (intrusion detection) logging to MySQL.  All you get by default is
> > logging to a text file, which you can read via IPCop's web
> > interface.  Not very useful, as you basically have to troll through
> > pages and pages of log entries looking for possible problems.  I've
> > turned Snort off until I find a more effective way to analyze its
> > logs.  That's maybe a little off topic, but it's the only thing I've
> > yet wanted from IPCop that hasn't been easy to add.
> >
> > I'm not aware of any add-ons like that, but you could presumably
> > upload one of the snort analyzers to the IPCop box and go from there.
> 
> I may try some of the tools for analyzing Snort's text-based logs,  
> but I was most interested in the RDBMS options.  The package I really  
> want to use is BASE (http://secureideas.sourceforge.net/), which is a
> successor to a similar project called ACID
> (http://acidlab.sourceforge.net/).  It's a PHP/MySQL app for analyzing
> Snort logs.
> 
> You can't use BASE if Snort isn't logging to MySQL.  If I was  
> building Snort from scratch, adding MySQL support looks pretty  
> simple, but not on IPCop.  It doesn't seem to include the basics like  
> cc or make.  This makes a lot of sense, given IPCop's purpose as a  
> stripped-down firewall, but it leaves me a little stuck on how to  
> expand it.  I guess maybe I need to figure out how some of the other
> addon providers package their upgrades, and that might clue me in.
> 
> I've asked twice on the IPCop users list as to how I might add a  
> mysql-enabled Snort, and have gotten 0 responses.  Searching their  
> list archives, all I found was a note from 2004 suggesting that the  
> way to do this was to build your own IPCop distribution.  (IPCop is  
> based on Linux From Scratch.)  I got the source for IPCop and poked  
> around, but haven't made a ton of progress.  Seems like there should  
> be a simpler way.
> 
> All that is really needed is a different version of snort (actually,  
> just compiled with 1 extra flag set) and the MySQL client library.   
> I'm still surprised this isn't already out there, but maybe someday  
> I'll actually figure out how to make it happen. :)  Any help/advice  
> is appreciated.
> 
> alex
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
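Until Snort can log to MySQL and BASE can query it, the text alert file is all there is, and the thread's complaint is that reading it page by page is not useful. A small triage script that parses Snort's text alerts and rolls them up by signature, priority and source address gets most of the benefit of a database console for a home firewall. The example below is added here and is not code from any poster, from IPCop or from the Snort project; it assumes Snort's "alert_fast" one-line output format (the `[**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port` layout), and the alert lines, signature IDs (in the local-rule range) and addresses it feeds in are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One line of Snort's "alert_fast" output (Snort 2.x). Assumption: this is
# the layout of the alert file IPCop shows in its web interface. The
# Classification field is optional (some rules carry none), and ICMP
# alerts carry bare addresses with no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    port = lambda v: int(v) if v is not None else None
    return Alert(
        ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"], src=m["src"], sport=port(m["sport"]),
        dst=m["dst"], dport=port(m["dport"]),
    )


def parse_alert_file(lines: Iterable[str]) -> List[Alert]:
    """Parse every line that looks like an alert; silently skip the rest."""
    alerts = []
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            alerts.append(a)
    return alerts


def summarize(alerts: List[Alert], max_priority: int = 2) -> dict:
    """Roll alerts up the way an analyst console would: keep only alerts at
    or above the chosen priority (Snort: 1 is most severe), then count by
    signature and by source address so repeat offenders surface first."""
    urgent = [a for a in alerts if a.priority <= max_priority]
    return {
        "total": len(alerts),
        "urgent": len(urgent),
        "by_signature": Counter((a.sid, a.msg) for a in urgent),
        "by_source": Counter(a.src for a in urgent),
    }


# Constructed sample alert file: local-range SIDs and documentation
# addresses, plus one junk line to show that non-alert text is skipped.
SAMPLE_ALERTS = """\
03/30-11:42:17.123456  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:54321 -> 198.51.100.5:22
03/30-11:42:18.223456  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:54322 -> 198.51.100.5:22
03/30-11:43:01.000001  [**] [1:1000002:2] LOCAL ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.33 -> 198.51.100.5
03/30-11:44:09.555555  [**] [1:1000003:1] LOCAL web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.7:40000 -> 198.51.100.5:80
this line is not an alert and is skipped
"""


if __name__ == "__main__":
    report = summarize(parse_alert_file(SAMPLE_ALERTS.splitlines()))
    print(f"{report['urgent']} of {report['total']} alerts at priority <= 2")
    for (sid, msg), n in report["by_signature"].most_common():
        print(f"  sid {sid}: {n} x {msg}")
    for src, n in report["by_source"].most_common():
        print(f"  {src}: {n} alerts")
```

Pointing `parse_alert_file` at the real alert file (for example `open("/var/log/snort/alert")`) gives the same roll-up over a day's traffic; raising `max_priority` widens the view to the low-priority noise that the thread describes paging through.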



More information about the PLUG-discuss mailing list