IPCop, Snort, and MySQL
Alex Dean
alex at crackpot.org
Fri Mar 31 10:09:59 MST 2006
On Mar 30, 2006, at 6:10 PM, Edward Norton wrote:
> On 3/30/06, Alex Dean <alex at crackpot.org> wrote:
>> On Mar 30, 2006, at 11:42 AM, Jim wrote:
>>
>> ps - I haven't yet found an addon package that will support Snort
>> (intrusion detection) logging to MySQL. All you get by default is
>> logging to a text file, which you can read via IPCop's web
>> interface. Not very useful, as you basically have to troll through
>> pages and pages of log entries looking for possible problems. I've
>> turned Snort off until I find a more effective way to analyze its
>> logs. That's maybe a little off topic, but it's the only thing I've
>> yet wanted from IPCop that hasn't been easy to add.
>
> I'm not aware of any add-ons like that, but you could presumably
> upload one of the snort analyzers to the IPCop box and go from there.
I may try some of the tools for analyzing Snort's text-based logs,
but I was most interested in the RDBMS options. The package I really
want to use is BASE (http://secureideas.sourceforge.net/), which is a
successor to a similar project called ACID
(http://acidlab.sourceforge.net/). It's a PHP/MySQL app for analyzing
Snort logs.
You can't use BASE if Snort isn't logging to MySQL. If I was
building Snort from scratch, adding MySQL support looks pretty
simple, but not on IPCop. It doesn't seem to include the basics like
cc or make. This makes a lot of sense, given IPCop's purpose as a
stripped-down firewall, but it leaves me a little stuck on how to
expand it. I guess maybe I need to figure out how some of the other
addon providers package their upgrades, and that might clue me in.
I've asked twice on the IPCop users list as to how I might add a
mysql-enabled Snort, and have gotten 0 responses. Searching their
list archives, all I found was a note from 2004 suggesting that the
way to do this was to build your own IPCop distribution. (IPCop is
based on Linux From Scratch.) I got the source for IPCop and poked
around, but haven't made a ton of progress. Seems like there should
be a simpler way.
All that is really needed is a different version of snort (actually,
just compiled with 1 extra flag set) and the MySQL client library.
I'm still surprised this isn't already out there, but maybe someday
I'll actually figure out how to make it happen. :) Any help/advice
is appreciated.
alex
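An added example, not part of the thread and not code from IPCop, Snort or BASE: a small Python parser for Snort's text-based "alert_fast" log format that aggregates alerts by signature and by source address, as one way to triage the pages of log entries described above without a MySQL back end. The log lines in SAMPLE_LOG are constructed for the example (the 1000001-1000003 signature IDs and the 192.0.2.x / 198.51.100.x addresses are documentation placeholders), and the regular expression assumes IPv4 addresses in the source/destination fields.

```python
import re
import sys
from collections import Counter, defaultdict

# Snort 2.x "alert_fast" line layout, e.g.
# 03/30-18:10:59.123456  [**] [1:1000001:1] msg [**] [Classification: X] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22
# The Classification field is optional; ICMP entries carry no port numbers.
# Assumption: IPv4 addresses (IPv6 would be ambiguous with the ":port" suffix).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample log: three repeated hits from one source, one ICMP sweep,
# one low-priority alert without a Classification field, and one junk line.
SAMPLE_LOG = """\
03/30-18:10:59.123456  [**] [1:1000001:1] CONSTRUCTED SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22
03/30-18:11:02.000001  [**] [1:1000001:1] CONSTRUCTED SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51235 -> 198.51.100.5:22
03/30-18:11:05.000002  [**] [1:1000001:1] CONSTRUCTED SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51236 -> 198.51.100.5:22
03/30-18:12:30.500000  [**] [1:1000002:2] CONSTRUCTED ICMP echo sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.77 -> 198.51.100.5
03/30-18:13:00.000000  [**] [1:1000003:1] CONSTRUCTED web scanner user-agent [**] [Priority: 3] {TCP} 192.0.2.200:40000 -> 198.51.100.5:80
this line is not an alert and must be skipped
"""


def parse_alerts(text):
    """Parse alert_fast lines into dicts; return (alerts, number_of_skipped_lines)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if not m:
            skipped += 1          # count, never silently drop, unparsable input
            continue
        entry = m.groupdict()
        entry["prio"] = int(entry["prio"])   # Snort: 1 is the most severe
        alerts.append(entry)
    return alerts, skipped


def summarize(alerts, max_priority=3):
    """Aggregate alerts whose priority number is <= max_priority.

    Returns (count per signature, count per source address, destinations per source).
    """
    by_sig, by_src = Counter(), Counter()
    targets = defaultdict(set)
    for a in alerts:
        if a["prio"] > max_priority:
            continue
        sig = f'{a["gid"]}:{a["sid"]}:{a["rev"]} {a["msg"]}'
        by_sig[sig] += 1
        by_src[a["src"]] += 1
        targets[a["src"]].add(a["dst"])
    return by_sig, by_src, targets


def report(text, max_priority=3):
    """Build a human-readable triage summary; returned as a string rather than printed."""
    alerts, skipped = parse_alerts(text)
    by_sig, by_src, targets = summarize(alerts, max_priority)
    lines = [f"{len(alerts)} alerts parsed, {skipped} unparsable line(s) skipped"]
    lines.append("Top signatures:")
    for sig, n in by_sig.most_common():
        lines.append(f"  {n:4d}  {sig}")
    lines.append("Top sources:")
    for src, n in by_src.most_common():
        lines.append(f"  {n:4d}  {src} -> {', '.join(sorted(targets[src]))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python snort_fast_summary.py /var/log/snort/alert   (or no argument for the sample)
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(log_text))
```

Point it at the alert file Snort writes on the IPCop box (or copy that file off the box first); lowering max_priority to 1 or 2 hides the low-priority noise so the repeated hits from a single source stand out, which is the part of the text-log review that is tedious by hand.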