Snort mailing list archives

Re: mysql support is not compiled into this build of snort

From: Marcin Dulak via Snort-users <snort-users () lists snort org>
Date: Sat, 7 Apr 2018 22:13:42 +0200

On Sat, Apr 7, 2018 at 9:20 PM, <wkitty42 () windstream net> wrote:

On 04/07/2018 04:41 AM, 2014/2015 - Nsabimana Thierry wrote:

Could you please help me to overcome this issue?



1. please don't bold your lines in your posts... we can see and read them
quite easily ;)

2. as Al noted, snort 2.6 is very old and out of date... snort no longer
talks directly to the databases like it once did... there were too many
situations that would cause snort to miss traffic (eg: the database was
down)... snort would get hung up on the database stuff and simply miss
traffic... so the database code was ripped out and snort only writes to its
log files... now you use a tool like barnyard2



https://github.com/firnsy/barnyard2 is not maintained.
You may want to try barnyard2 anyway or look at
https://lists.snort.org/pipermail/snort-users/2018-March/071164.html which
uses https://github.com/jasonish/py-idstools to convert snort log into
json, and write that into mysql.
Once at that you may also push the logs into elasticsearch instead and
check whether snort is supported by modern alert management systems like
https://evebox.org/ or https://github.com/dunbarcyber/cyphon.
People report using elasticsearch for storing snort logs
https://www.arl.army.mil/www/default.cfm?technical_report=7965, it just
needs to be better documented to become mainstream.

Marcin

to take the data from snort's U2 log files and put it into the database...
this separates the sniffing from the database insertions... then you can go
from there doing your database thing with the alert data...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

Please follow these rules: https://snort.org/faq/what-is-
the-mailing-list-etiquette

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Current thread:

mysql support is not compiled into this build of snort 2014/2015 - Nsabimana Thierry (Apr 07)
- Re: mysql support is not compiled into this build of snort Al Lewis (allewi) via Snort-users (Apr 07)
- Re: mysql support is not compiled into this build of snort wkitty42 (Apr 07)
  - Re: mysql support is not compiled into this build of snort Marcin Dulak via Snort-users (Apr 07)
    - Re: mysql support is not compiled into this build of snort wkitty42 (Apr 07)
    - Re: mysql support is not compiled into this build of snort Joel Esler (jesler) via Snort-users (Apr 07)
    - Re: mysql support is not compiled into this build of snort Jim Campbell (Apr 08)
    - Re: mysql support is not compiled into this build of snort wkitty42 (Apr 08)
    - Re: mysql support is not compiled into this build of snort 2014/2015 - Nsabimana Thierry (Apr 08)
- Re: mysql support is not compiled into this build of snort Diamond Foyer (Apr 07)