Wednesday, July 18, 2012

Database output is dead. R.I.P.

Last June (2011) we gave you a heads up (and several reminders since) that in Snort 2.9.3.0, we were going to remove the spo_database output module as well as Aruba and Prelude outputs.

For those of you that originally compiled Snort like:
./configure --enable-mysql

Or, if you look in your snort.conf and your "output" lines look like this:
output database: alert
AND/OR
output database: log

this will affect YOU.

Our recommendation is that after you upgrade to Snort 2.9.3.0, you move to full unified2 logging and use barnyard2 to read those unified2 files and insert the events into your MySQL database.

You can find more information about barnyard2 here:
https://github.com/firnsy/barnyard2
http://www.securixlive.com/barnyard2/
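As an added example of the migration described above (this is not code from the Snort blog or the barnyard2 project), the following POSIX shell script comments out the removed "output database:" lines in a snort.conf, appends a unified2 output line, and writes the matching barnyard2.conf fragment; the file paths, the unified2 filename and the placeholder database credentials are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Snort blog or the barnyard2 project.
# Paths, file names and the database credentials are assumptions/placeholders.

# Count the "output database:" lines that Snort 2.9.3.0 rejects at startup.
count_database_outputs() {
    grep -c '^[[:space:]]*output[[:space:]]*database:' "$1" || true
}

# Keep a .bak copy, comment out each "output database:" line and append a
# unified2 output so Snort writes binary unified2 records to its log directory.
migrate_snort_conf() {
    cp "$1" "$1.bak"
    sed -e 's/^\([[:space:]]*output[[:space:]]*database:.*\)$/# removed in 2.9.3.0: \1/' \
        "$1.bak" > "$1"
    printf '%s\n' 'output unified2: filename merged.log, limit 128' >> "$1"
}

# barnyard2 now owns the database connection: it reads the unified2 files
# and inserts the events into MySQL. The password here is a placeholder.
write_barnyard2_conf() {
    cat > "$1" <<'EOF'
config logdir: /var/log/snort
input unified2
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
EOF
}

# Constructed pre-2.9.3.0 snort.conf fragment with the two deprecated lines.
make_sample_conf() {
    printf '%s\n' \
        'output database: alert, mysql, user=snort dbname=snort host=localhost' \
        'output database: log, mysql, user=snort dbname=snort host=localhost' \
        'output alert_fast: alerts' > "$1"
}

# Walk through the migration on the constructed config in a scratch directory.
dir=$(mktemp -d)
make_sample_conf "$dir/snort.conf"
echo "deprecated output lines before: $(count_database_outputs "$dir/snort.conf")"
migrate_snort_conf "$dir/snort.conf"
echo "deprecated output lines after:  $(count_database_outputs "$dir/snort.conf")"
write_barnyard2_conf "$dir/barnyard2.conf"
# With both files in place, barnyard2 is started against the unified2 spool:
#   barnyard2 -c "$dir/barnyard2.conf" -d /var/log/snort -f merged.log \
#             -w /var/log/snort/barnyard2.waldo
```

The waldo file passed with -w records how far barnyard2 has read, so a restart resumes from the last processed event instead of re-inserting the whole spool.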

As always, questions can be asked on the Snort Mailing Lists! Thank you!

5 comments:

  1. We are getting an error of "Unknown output plugin: database". How do we get the output plugin for database?
    Thank you

    1. Because it doesn't exist anymore. It's dead. Hence this post. It's been moved to Barnyard2.

  2. How can I get a Windows version of barnyard2? I am running Snort on Windows 7 and I want to store the log in a MySQL database.

  3. Where is the error? I already tried tweaking the database settings in snort.conf but it did not work.

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    PortVar 'HTTP_PORTS' defined : [ 80 ]
    PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
    PortVar 'ORACLE_PORTS' defined : [ 1521 ]
    Tagged Packet Limit: 256
    Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... Failed to find CheckCompatibility() function in /usr/local/lib/snort_dynamicengine/libsf_engine.so: /usr/local/lib/snort_dynamicengine/libsf_engine.so: undefined symbol: CheckCompatibility
    done
    Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
    Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
    Log directory = /var/log/snort
    ERROR: /etc/snort/snort.conf(793) Unknown output plugin: "database"
    Fatal Error, Quitting..

    1. Because it has been removed. Hence this post.
