Installing Snort

Gilles Gravier ggravier at fsfe.org
Mon Jun 27 04:57:58 UTC 2011


Hi, Damien!

On 26/06/2011 23:33, Damien Hull wrote:
> I see some instructions for snort include MySQL. Is there a good
> reason to use MySQL with Snort?

Let me first ask a question to you: why are you installing SNORT? I
mean really?

SNORT is an intrusion detection system. It generates LOTS of data
potentially. This data is very technical. Unless you are a security
specialist, most of it will be meaningless to you, and probably many
alerts SNORT will generate will seem frightening to you when they are,
actually, possibly insignificant.

That said, and taking it into account, you get potentially lots of data.
You will then want to do things like pattern searching, recognition,
statistics, trends... all these things are much easier done (and faster)
if your data is stored in a structured way, and accessible with adapted
querying mechanisms... An SQL database is the way to go.

Most open source software that needs a database is usually written for
MySQL (and the rest for PostgreSQL). Picking a different database than
the one initially planned is possible (most of the time) but again, if
you are asking the question initially, chances are, you don't want to
try to use a different one than the one suggested with the SNORT distrib
you plan to use.

Note that since version 5.5 of MySQL, you get it installed (MySQL that
is) with InnoDB, the transactional datastore, enabled by default, this
means even better performance (and stability) than the original default
ISAM datastore in MySQL.

So all in all... do as said in the instructions. Use MySQL. It's easy to
set up.

If you are still worried about getting Snort and MySQL together... then
why not just install SNORT from Ubuntu's Synaptic repository which will
install all that is needed for you... which means it installs it
configured for standard files... you will need to manually install
snort-mysql and then the MySQL packages to get all you need to run it
with MySQL...

Gilles.
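
The point above about statistics and trends being easier on structured data, as an added example that is not part of the original message. It uses Python's built-in sqlite3 in place of MySQL so it runs offline; the flat `alert` table, its column names and the sample rows are constructed for illustration and are not Snort's own database schema.

```python
import sqlite3

# Constructed sample alerts: (timestamp, signature, priority, source, destination).
# Priority 1 is the most severe. Addresses are documentation ranges.
SAMPLE_ALERTS = [
    ("2011-06-25 09:14:02", "port scan", 3, "192.0.2.10", "198.51.100.5"),
    ("2011-06-25 09:14:03", "port scan", 3, "192.0.2.10", "198.51.100.6"),
    ("2011-06-25 22:40:51", "ssh login failures", 2, "203.0.113.7", "198.51.100.5"),
    ("2011-06-26 01:02:17", "ssh login failures", 2, "203.0.113.7", "198.51.100.5"),
    ("2011-06-26 01:02:19", "ssh login failures", 2, "203.0.113.7", "198.51.100.5"),
    ("2011-06-26 13:30:00", "web probe", 3, "192.0.2.44", "198.51.100.8"),
    ("2011-06-26 18:05:43", "shellcode pattern", 1, "203.0.113.7", "198.51.100.5"),
]

def load(alerts):
    """Load alerts into an in-memory database with an index on the timestamp."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alert (ts TEXT, sig TEXT, priority INTEGER, src TEXT, dst TEXT)")
    db.executemany("INSERT INTO alert VALUES (?, ?, ?, ?, ?)", alerts)
    db.execute("CREATE INDEX alert_ts ON alert (ts)")
    return db

def top_signatures(db, limit=3):
    """Statistics: which signatures fire most often (ties broken by name)."""
    return db.execute(
        "SELECT sig, COUNT(*) AS n FROM alert GROUP BY sig ORDER BY n DESC, sig LIMIT ?",
        (limit,)).fetchall()

def daily_counts(db):
    """Trend: alert volume per calendar day."""
    return db.execute(
        "SELECT substr(ts, 1, 10) AS day, COUNT(*) FROM alert GROUP BY day ORDER BY day"
    ).fetchall()

def sources_with_severe_alerts(db, max_priority=1):
    """Triage: sources with at least one severe alert, with their total volume,
    so the low-priority noise from other sources drops out of view."""
    return db.execute(
        """SELECT src, COUNT(*) AS total, SUM(priority <= ?) AS severe
           FROM alert GROUP BY src HAVING severe > 0 ORDER BY total DESC""",
        (max_priority,)).fetchall()

if __name__ == "__main__":
    db = load(SAMPLE_ALERTS)
    print("Top signatures:", top_signatures(db))
    print("Alerts per day:", daily_counts(db))
    print("Sources worth a look:", sources_with_severe_alerts(db))
```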
