MySQL is a cross-platform Open Source database that can be downloaded from http://www.mysql.com/. Binary packages, as well as source, are available. Most GNU/Linux distributions include a prepackaged version of MySQL.
Although Snort will log to MySQL, PostgreSQL, Oracle, and ODBC databases, I have only covered MySQL here. PostgreSQL is an excellent choice of database deployment, especially with the 7.1.1 release. I chose to use MySQL because we are focusing on cross-platform sensor deployment, and only MySQL-enabled binaries are available for the Win32 platform.
After installing the MySQL database, you need to create a database for Snort, and users to add and manage data. First, create the database using the mysqladmin client program:

mysqladmin -u root -p create snort_log

Next, create a user for both the sensor and the ACID console, and grant each user permission to the database. Do this by launching the mysql client against the new database:

mysql -u root -p snort_log
Issue the following SQL statements:
grant SELECT,CREATE,INSERT,DELETE on snort_log.* to snort_console@localhost identified by 'console_passwd';
grant SELECT,CREATE,INSERT,DELETE on snort_log.* to email@example.com identified by 'console_passwd';
grant SELECT,CREATE,INSERT on snort_log.* to firstname.lastname@example.org identified by 'sensor_passwd';

Rather than using the SQL wildcard '%' for the host part of the account, it is preferable for security reasons to specify the IP address of the remote Snort sensor. This takes slightly more administrative work, but otherwise anyone who can reach the database would be able to connect with that account and insert data. Additionally, if you are managing the database from the server on which it is running, you must include "localhost".
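The following is an added example, not part of the original article, showing the per-host grants described above together with the checks an administrator would run afterwards. The console account name snort_console and the two sample passwords come from the article; the sensor account name snort_sensor and the sensor address 192.0.2.10 are constructed placeholders. The GRANT ... IDENTIFIED BY form matches the MySQL 3.x/4.x syntax the article uses; MySQL 8 and later require a separate CREATE USER statement before the GRANT.

```sql
-- Added example: least-privilege accounts for the Snort sensor and the ACID console,
-- each bound to the host it connects from, plus verification queries.
-- Placeholders: snort_sensor (account name) and 192.0.2.10 (sensor address) are
-- constructed; 'console_passwd' and 'sensor_passwd' are the article's sample values.

-- Console account: the ACID console runs on the database host, so bind it to localhost.
-- CREATE is included because ACID creates its own tables on first use.
GRANT SELECT, CREATE, INSERT, DELETE
  ON snort_log.* TO snort_console@localhost IDENTIFIED BY 'console_passwd';

-- Sensor account: only what is needed to write events, and only from the sensor's
-- own address (constructed value; substitute the real sensor IP).
GRANT SELECT, CREATE, INSERT
  ON snort_log.* TO snort_sensor@'192.0.2.10' IDENTIFIED BY 'sensor_passwd';

-- The form to avoid: a '%' host lets the same password be used from any machine that
-- can reach the database port. Shown commented out for comparison only.
-- GRANT SELECT, CREATE, INSERT ON snort_log.* TO snort_sensor@'%' IDENTIFIED BY 'sensor_passwd';

-- Check 1: list every account on the server whose host part is a wildcard or empty
-- (anonymous). For the Snort accounts the expected result is no rows.
SELECT user, host
  FROM mysql.user
 WHERE INSTR(host, '%') > 0 OR host = '';

-- Check 2: confirm each account holds only the privileges granted above and nothing
-- on other databases.
SHOW GRANTS FOR snort_console@localhost;
SHOW GRANTS FOR snort_sensor@'192.0.2.10';
```

Run the two checks again whenever a sensor is added or moved; a new sensor address means a new GRANT for that host, not a widening of an existing account's host to '%'.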
Create the database schema using the contributed script in the Snort distribution. These commands are executed from the shell command-line:
mysql -u root -p snort_log < contrib/create_mysql
mysql -u root -p snort_log < c:\snort\bin\create_mysql
Users running Snort and MySQL on Windows platforms will not have the create_mysql script. You will need to download the original source archive and extract the appropriate file from it. Otherwise, you will have to create the schema by hand.