Posted by: jasonk2600 | January 18, 2010

FreeBSD PostgreSQL Backend for Snort IDS


This howto describes how to set up a system running FreeBSD and the PostgreSQL DBMS to act as the backend database for the Snort Intrusion Detection System (IDS).  It is assumed that PostgreSQL has already been installed on the FreeBSD system.  For more information on installing the PostgreSQL DBMS on FreeBSD, refer to the following post:


Install the Snort IDS from the FreeBSD ports collection.  When configuring the port, be sure to enable the FLEXRESP2 and POSTGRESQL options.

# cd /usr/ports/security/snort
# make config
# make install clean
# rehash



Set up a database and user for Snort in the PostgreSQL DBMS.  The following creates a new database named snort, owned by a new user named snortuser with a password of your choice.

# su pgsql
$ createuser -P snortuser
Enter password for new role: ******
Enter it again: ******
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

$ createdb -O snortuser snort
$ cd /usr/local/share/examples/snort
$ cat create_postgresql | psql snort snortuser

$ exit


Next, configure Snort to report to the new PostgreSQL database.  Edit the /usr/local/etc/snort/snort.conf configuration file so that it contains the following settings.  Replace YourPassword with the password you chose for snortuser and replace YourHost with the host name of your system.  Be sure to comment out the line containing include $RULE_PATH/local.rules.

output database: log, postgresql, user=snortuser password=YourPassword dbname=snort host=localhost sensor_name=YourHost

#include $RULE_PATH/local.rules
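As an added example (not part of the original post), the following POSIX sh check verifies the snort.conf edits above before Snort is started: it confirms the postgresql output line carries every required key with the YourPassword/YourHost placeholders replaced, and that the local.rules include is commented out. The file names and sample config contents are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not part of the original post: check the snort.conf edits
# from the step above before (re)starting Snort. Backslash-continued lines
# are folded first; then the postgresql output line must carry every key
# the howto requires with the YourPassword/YourHost placeholders replaced,
# and the local.rules include must be commented out. Returns 0 if all pass.
check_snort_db_output() {
    conf="$1"; rc=0
    joined=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$conf")
    dbline=$(printf '%s\n' "$joined" | grep '^[[:space:]]*output[[:space:]]*database:' || true)
    [ -n "$dbline" ] || { echo "FAIL: no 'output database:' line in $conf"; return 1; }
    case "$dbline" in
        *postgresql*) echo "ok: postgresql output plugin selected" ;;
        *) echo "FAIL: output database line does not select postgresql"; rc=1 ;;
    esac
    for key in user= password= dbname= host= sensor_name=; do
        case "$dbline" in
            *"$key"*) echo "ok: $key present" ;;
            *) echo "FAIL: $key missing"; rc=1 ;;
        esac
    done
    for ph in YourPassword YourHost; do
        case "$dbline" in
            *"$ph"*) echo "FAIL: placeholder $ph was not replaced"; rc=1 ;;
        esac
    done
    if grep -q '^[[:space:]]*include[[:space:]]*\$RULE_PATH/local\.rules' "$conf"; then
        echo "FAIL: include \$RULE_PATH/local.rules is still active"; rc=1
    else
        echo "ok: local.rules include is commented out"
    fi
    return $rc
}

# Constructed sample configs (not real files from the system) in a temp dir.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
output database: log, postgresql, user=snortuser \
   password=example-secret dbname=snort host=localhost sensor_name=sensor1
#include $RULE_PATH/local.rules
EOF
cat > "$tmp/bad.conf" <<'EOF'
output database: log, postgresql, user=snortuser password=YourPassword dbname=snort host=localhost sensor_name=YourHost
include $RULE_PATH/local.rules
EOF
echo "== good.conf"; check_snort_db_output "$tmp/good.conf"
echo "== bad.conf";  check_snort_db_output "$tmp/bad.conf" || echo "rejected as expected"
```

Run it against the real file with check_snort_db_output /usr/local/etc/snort/snort.conf; a nonzero exit means the configuration step above is incomplete.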


Download a current copy of the Snort IDS signatures from and extract them to /usr/local/etc/snort/rules/.

Enable the Snort IDS to automatically start at system boot and start Snort for the first time.

# echo 'snort_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/snort start



If the Snort IDS fails to start, check /var/log/messages for error messages.  To verify that the Snort IDS is analyzing network traffic, ping the system running Snort from another system.  Then check the event table in the snort database for the events Snort is reporting.

# su pgsql
$ psql snort

psql (8.4.2)
Type "help" for help.

snort=# SELECT * FROM event;

sid | cid | signature | timestamp

snort=# \q
$ exit
