Koozali.org: home of the SME Server

Snort IDS and ACID howto

booker

Re: Snort IDS and ACID howto
« Reply #15 on: May 06, 2002, 06:27:53 AM »
Hey,

I'm amazed at all the success outlined here. I have not even been able to find the RPMs listed as the downloads needed. I went to rpmfind.

Thanks for any help

booker

Thanks Ari - it works
« Reply #16 on: May 06, 2002, 10:16:47 AM »
I found all the RPMs, installed them, and everything went perfectly, I think. Thank you Ari.

Garret

Re: Snort IDS and ACID howto
« Reply #17 on: May 11, 2002, 06:41:12 PM »
Has anybody been able to get port scanning to show up in ACID well?

Thanks

Garret

sabu

Re: Snort IDS and ACID howto
« Reply #18 on: May 26, 2002, 11:34:04 AM »
ok, to who ever can help me...

I followed the exact howto and now my httpd is not working.

I try to start it back up again:

[root@stypel /root]# /usr/sbin/httpd
Syntax error on line 1893 of /etc/httpd/conf/httpd.conf:
Invalid command 'php_flag', perhaps mis-spelled or defined by a module not included in the server configuration
[root@stypel /root]#

So then I edit /etc/httpd/conf/httpd.conf and change this:
    php_flag magic_quotes_gpc  on
    php_flag track_vars        on
to this:
    #php_flag magic_quotes_gpc  on
    #php_flag track_vars        on

I then start the httpd daemon and everything else works fine, but when I try to reach http://192.168.0.1/acid or http://www/acid (192.168.0.1 being my server's IP), I get "You are not authorized to view this page" in IE.

What to do?

Note: I upgraded php and horde and imp, or something like that, using one of the guides; then, while trying to update blades (using 5.1.2), I got conflict errors, so I had to uninstall some stuff...


thanks,

sabu
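An added example, not from sabu's post or from Ari's howto. The error "Invalid command 'php_flag'" means httpd was started without the PHP module, so the directives the howto added (magic_quotes_gpc, track_vars) have nothing to interpret them. Commenting them out gets httpd running but silently changes PHP input handling for every PHP app on the server; the better move is to find out why the module is gone, or at least guard the directives with <IfModule mod_php4.c> so httpd starts while you repair PHP. The script below audits an httpd.conf for exactly that: php_flag/php_value lines outside an IfModule guard, and whether a LoadModule line for PHP is present. Paths and the "mod_php4.c" module name are assumptions based on the Apache 1.3 / PHP 4 era of this thread.

```shell
#!/bin/sh
# Added example (not part of the howto or of SME Server): audit an httpd.conf
# before starting httpd. "Invalid command 'php_flag'" means the PHP module is
# not loaded, so the fix is to restore the module (or guard the directives
# with <IfModule mod_php4.c>), not to comment out settings the PHP apps expect.

# Print every php_flag / php_value line that is NOT inside an
# <IfModule mod_php...> block, prefixed with its line number.  $1 = httpd.conf
unguarded_php_directives() {
    awk '
        /^[[:space:]]*<IfModule/ {
            n++                                     # stack of open IfModule blocks
            php[n] = ($0 ~ /mod_php/) ? 1 : 0       # is this one a PHP guard?
            if (php[n]) guard++
        }
        $0 ~ "^[[:space:]]*</IfModule>" {
            if (n > 0) { if (php[n]) guard--; n-- }
        }
        /^[[:space:]]*php_(flag|value)[[:space:]]/ && guard == 0 { print NR ": " $0 }
    ' "$1"
}

# 0 if a LoadModule line for PHP is present in $1, 1 otherwise.
has_php_module() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+php' "$1"
}

# Combined check; returns non-zero when httpd would refuse to start because
# php_ directives exist but no PHP module is loaded.
check_httpd_conf() {
    conf=${1:-/etc/httpd/conf/httpd.conf}
    bad=$(unguarded_php_directives "$conf")
    if has_php_module "$conf"; then
        echo "PHP module is loaded in $conf"
        return 0
    fi
    if [ -n "$bad" ]; then
        echo "PHP module not loaded; these directives will break httpd startup:"
        echo "$bad"
        return 1
    fi
    echo "PHP module not loaded; no unguarded php_ directives"
    return 0
}
```

Run `check_httpd_conf` (or `httpd -t`, which does the same syntax test the failing start did) before restarting httpd. If it reports unguarded directives and no module, reinstall the PHP RPM rather than deleting the lines.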

sabu

Re: Snort IDS and ACID howto
« Reply #19 on: May 26, 2002, 05:06:29 PM »
Now, come to think about it: ever since I updated my blades and had to uninstall imp and php, my www/stats (being phpSysInfo) has not been working; it just lists the directory and its contents, and when I go to www/stats/index.php, it still doesn't work.

I've gone back to the PHP upgrade page and tried to upgrade it again, but still no success. I'm going to try and upgrade imp, because that's what I had installed last time and had to uninstall.

Let's just hope this is a success.

Guy McLean

Re: Snort IDS and ACID howto
« Reply #20 on: May 26, 2002, 09:10:49 PM »
I can't help with your httpd problem but the correct address for acid is https://www.yourservername/acid.

Guy

sabu

Re: Snort IDS and ACID howto
« Reply #21 on: May 27, 2002, 03:12:54 AM »
well, that was a start...

I got to the part where it was checking on security; I clicked yes, and after that, instead of loading the php page, it asked me if I wanted to download it. Yes, my php is corrupt, broken, stuffed or however you want to put it, because the same thing happens with phpSysInfo. Can someone help me reinstall it?

thanks
sabu

Cyrus Bharda

Re: Snort IDS and ACID howto
« Reply #22 on: February 05, 2003, 02:23:55 AM »
Hello, I followed Ari's snort+ACID howto here:
 
http://marari.net/downloads/snort/acid-howto.htm
 
to the letter; I even cut and pasted all the commands in so I didn't make any
spelling mistakes. The ACID page works fine, but it displays 0 detects, so
I typed this:
 
[root@esmith root]# service snortd status
snort-mysql is stopped

so I tried starting it:
 
[root@esmith root]# service snortd start
Starting snort: Initializing Output Plugins!
                                                           [ FAILED ]
 
Even restarting didn't work:
 
[root@esmith root]# service snortd restart
Stopping snort:                                            [ FAILED ]
Starting snort: Initializing Output Plugins!
                                                           [ FAILED ]

What have I done wrong?
 
My system is 5.5 U3 and I did install the 5.5-specific files as well as the
guardian module, in the order specified in your howto; still it does not
work. I even tried rebooting, nothing!!
 
Any help would be greatly appreciated!!
 
Thanks for your time!
 
Cyrus Bharda

Cyrus Bharda

Re: Snort IDS and ACID howto
« Reply #23 on: February 05, 2003, 02:34:07 AM »
Just some more info: I was poring through logs to find out why it isn't starting and found this in my messages log:

Feb  5 09:18:09 esmith snort-mysql: Initializing Output Plugins!
Feb  5 09:18:10 esmith snort-mysql: ioctl(SIOC*MTU):No such device
Feb  5 09:18:10 esmith snort-mysql: Automagic MTU discovery failed. Using default 1500
Feb  5 09:18:10 esmith snort-mysql: FATAL ERROR: ERROR: OpenPcap() device eth1 open:  ^Ibind: No such device
Feb  5 09:18:10 esmith snortd: snort-mysql startup failed


Any ideas what all that means?

Thanks again in advance!

Cyrus Bharda
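An added example, not from Cyrus's posts or Ari's howto, for the failure shown in the two posts above. The log line "OpenPcap() device eth1 open: bind: No such device" says it all: snort-mysql was told to sniff eth1 and the box has no eth1, so the output plugins initialise and then startup aborts. A pre-flight check that confirms the configured interface exists gives a readable error instead of a bare "[ FAILED ]". The script assumes a Red Hat-style /etc/sysconfig/snort with an INTERFACE= line (the snortd init script in the howto may name it differently; adjust the path) and reads the kernel's /proc/net/dev list.

```shell
#!/bin/sh
# Added example, not part of the howto or of Snort: check that the interface
# Snort is configured to sniff actually exists before starting snortd, so the
# failure is explained instead of buried in /var/log/messages.

# Interface named in a sysconfig-style file (INTERFACE=eth1 or INTERFACE="eth1").
# $1 = path to the file.
snort_iface() {
    sed -n 's/^[[:space:]]*INTERFACE=//p' "$1" | tail -n 1 | tr -d '"'
}

# 0 if interface $2 appears in a /proc/net/dev-style listing held in file $1.
# The first two lines of /proc/net/dev are headers; each data line is "name: counters".
iface_in_list() {
    awk -F: -v want="$2" '
        NR > 2 { gsub(/[[:space:]]/, "", $1); if ($1 == want) found = 1 }
        END    { exit found ? 0 : 1 }
    ' "$1"
}

# Pre-flight check against the live system.  $1 = sysconfig file
# (default /etc/sysconfig/snort, an assumed location).
preflight() {
    cfg=${1:-/etc/sysconfig/snort}
    ifc=$(snort_iface "$cfg")
    [ -n "$ifc" ] || { echo "no INTERFACE= line in $cfg"; return 2; }
    if iface_in_list /proc/net/dev "$ifc"; then
        echo "ok: $ifc is present, snort can bind to it"
        return 0
    fi
    echo "interface $ifc does not exist on this host; fix INTERFACE= in $cfg"
    echo "known interfaces:"
    awk -F: 'NR > 2 { gsub(/[[:space:]]/, "", $1); print "  " $1 }' /proc/net/dev
    return 1
}
```

Once the interface name is right, `snort -T -i eth0 -c /etc/snort/snort.conf` (Snort's test mode) exercises the full configuration, including the MySQL output plugin, without going into daemon mode, and prints the real reason for any remaining failure.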

michael

Snort IDS on ppp0
« Reply #24 on: February 07, 2003, 12:55:24 AM »
hi all,

I have successfully installed Ari's snort contrib - thanks Ari!

But snort is "snorting" only on the internal interface eth0.
I am using DSL over ppp0 with a dynamic IP, so I need to tell
snort this dynamic IP.

BUT HOW?

This seems to be the same reason for this:

rpm -ivh trevor-mitel-guardian-2.0-1.noarch.rpm
Preparing...                ########################################### [100%]
   1:trevor-mitel-guardian  ########################################### [100%]

Installation complete.
Starting guardian: OS shows Linux
Warning! HostIpAddr is undefined! Attempting to guess..
Couldn't figure out the ip address
[ FAILED ]

The logfile can be found at /var/log/guardian.log
Configuration file is found at /etc/guardian.conf

By default, guardian will block the IP and mail the
administrator account.  To change these actions edit
the /bin/guardian_block.sh file.

PLEASE NOTE: This RPM is for use with SME Server 5.6
and subsequent releases using the linux 2.4 kernel and
iptables. Use on earlier versions of the SME server
will not work.
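An added example, not part of Ari's contrib, the guardian RPM, or michael's post. Both problems above have the same cause: the public address on ppp0 changes on every reconnect, so anything that has it baked into a config file (Snort's HOME_NET, guardian's HostIpAddr, which the RPM could not guess) goes stale or is never set. The usual fix is a pppd ip-up hook that rewrites those values and restarts the daemons each time the link comes up. Assumptions of mine: HOME_NET is declared as "var HOME_NET ..." in /etc/snort/snort.conf, guardian.conf takes a "HostIpAddr <ip>" line (only the key name is shown in the thread), the init scripts are snortd (shown in the thread) and guardian (assumed), and on a Red Hat-derived system /etc/ppp/ip-up.local receives pppd's arguments. Snort must also be pointed at ppp0 (INTERFACE=ppp0 in the snortd sysconfig) rather than eth0 for this to matter.

```shell
#!/bin/sh
# Added example, not part of the howto or the guardian RPM: refresh the
# addresses Snort and guardian need whenever ppp0 comes up with a new IP.
# Config file layouts and the "guardian" init script name are assumptions.

# Replace the line matching BRE $2 in file $1 with $3, or append $3 if no line
# matches (guardian's HostIpAddr is absent until someone sets it).  Writes
# through a temp file because the sed of that era has no -i option.
set_line() {
    if grep -q "$2" "$1"; then
        sed "s|$2.*|$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s\n' "$3" >> "$1"
    fi
}

# $1 = snort.conf, $2 = guardian.conf, $3 = current address on ppp0.
# HOME_NET becomes a /32 because the dynamic address is the only host
# on the outside interface; the internal LAN is still watched on eth0.
update_ids_addr() {
    set_line "$1" '^[[:space:]]*var[[:space:]][[:space:]]*HOME_NET[[:space:]]' "var HOME_NET $3/32"
    set_line "$2" '^[[:space:]]*HostIpAddr[[:space:]]' "HostIpAddr $3"
}

# pppd invokes ip-up (and Red Hat's ip-up passes on to ip-up.local) with:
#   interface-name tty-device speed local-IP remote-IP
# so "$1" is the interface and "$4" the address we were just assigned.
# Install this file as /etc/ppp/ip-up.local and call on_ppp_up "$@".
on_ppp_up() {
    [ "$1" = "ppp0" ] || return 0
    update_ids_addr /etc/snort/snort.conf /etc/guardian.conf "$4"
    /sbin/service snortd restart
    /sbin/service guardian restart      # init script name assumed
}
```

Because guardian blocks whatever source address Snort reports, a stale HostIpAddr is not just cosmetic: guardian uses it to avoid blocking the host itself, so keep this hook in place for as long as the link is dynamic.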