Koozali.org: home of the SME Server

[Snort+acid] howto install on SME5.5?

Geert

[Snort+acid] howto install on SME5.5?
« on: September 04, 2002, 07:19:18 PM »
Can anybody give me a good howto to install snort + acid on SME 5.5?
I have a @home cable connection with a fixed IP (212.204.148.xxx).
I already installed these RPMs -->

libpcap-0.6.2-11.7.1.0.i386.rpm
snort-1.8.7-1snort.i386.rpm
snort-mysql-1.8.7-1snort.i386.rpm
ari-mitel-acid-1.0-11.noarch.rpm
trevor-mitel-guardian-1.0-2.noarch.rpm

But I can't get it working...
What files do I need to config, and how??
If I let my router run for a day and then check acid it says absolutely nothing..
despite letting another person do various scans & hack attempts...
What file do I need to config..??
And I also don't know what the internet connection is.. eth0 or eth1 .. how can I find that out??....
And I want to monitor my LAN network too... eth0 and 1, where can I config that...
Sorry for the n00b questions... I'm not so very good @ linux... yet.. :)
Thanks in advance :)

greetz geert

stanley

Re: [Snort+acid] howto install on SME5.5?
« Reply #1 on: September 04, 2002, 08:48:51 PM »
Look in the howto section, it's there.

Tom Veitch

Re: [Snort+acid] howto install on SME5.5?
« Reply #2 on: September 06, 2002, 11:52:11 PM »
Ok, you first need to fix the snort config file; it's missing a line:

var HTTP_PORTS 80

Put this into the snort file.

You then need to type ifconfig to see what the device is called that you connect to the internet with; it might be ppp0 or eth1. Look for your fixed IP. When you have that information you then need to edit the snortd file, it's in /rc.d/init.d/snortd, and change the eth1 to match your connection.

When you have done that, start the service with ./snortd restart

Then check the logs to see if it starts ok.

tom

Larry

Re: [Snort+acid] howto install on SME5.5?
« Reply #3 on: September 09, 2002, 07:18:50 PM »
Hi there,

[SME 55 upd 2 + snort/acid/guardian with dynamic IP on cable]

I did modify the snort.conf (template expanded), then checked /rc.d/init.d/snortd and saw eth1 being used, then I did ifconfig -> eth1 is the external card.
Restarted snortd (./snortd restart) -> stopping snortd = failed, but starting snortd = OK.

But when I go to http://scan.sygate.com/quickscan.html or use superscan, I find nothing in /var/log/snort nor in https://my.server/acid (Added 0 alert(s) to the Alert cache : Sensors: 4).

It is a few days already that I am trying to figure out what the problem is, but I am now getting nervous.

Any idea?

Larry

Tom Veitch

Re: [Snort+acid] howto install on SME5.5?
« Reply #4 on: September 09, 2002, 11:57:23 PM »
Check your logs and tell me what the error is, please.

Larry

Re: [Snort+acid] howto install on SME5.5?
« Reply #5 on: September 11, 2002, 08:32:59 PM »
In snort.conf, ORACLE_PORTS is also missing; I set it to 80:
var ORACLE_PORTS 80
Then restarted:
cd ./rc.d/init.d
./snortd restart

Now it is working!

snort-mysql: FATAL ERROR: ERROR => Undefined variable name: (/etc/snort/.//misc.rules:66): ORACLE_PORTS
Sep 12 07:12:01 XXX snortd: snort-mysql shutdown failed
Sep 12 07:12:01 XXX snort-mysql: Initializing daemon mode
Sep 12 07:12:01 XXX snort-mysql: PID stat checked out ok, PID set to /var/run/
Sep 12 07:12:01 XXX snortd: snort-mysql startup succeeded
Sep 12 07:12:01 XXX snort-mysql: Writing PID file to "/var/run/"
Sep 12 07:12:01 XXX snort-mysql: Snort initialization completed successfully, Snort running

However, guardian doesn't block the IP, because the website (http://scan.sygate.com/prequickscan.html) can still scan my machine.
Where can I check the list of blocked IPs?
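Both fixes in this thread (HTTP_PORTS and ORACLE_PORTS) were `var` names that the rules files reference but snort.conf never defines, and Snort 1.8 only reports the first one as a FATAL ERROR at startup. As an added example, not from the thread or from the SME/snort packages, the shell function below lists every `$NAME` referenced in snort.conf and the *.rules files that has no matching `var NAME` line, so all of them can be fixed before restarting snortd; the /etc/snort paths in the comments and the small config in demo_check are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report $VARIABLES referenced in Snort
# rule files that have no "var NAME ..." definition. Snort 1.8 aborts with
# "Undefined variable name" for each one, so run this before restarting snortd.
# Assumed usage on an SME box: check_snort_vars /etc/snort/snort.conf /etc/snort
check_snort_vars() {
    conf="$1"; rulesdir="$2"
    # names defined with "var NAME value" in snort.conf or any rules file
    defined=$(cat "$conf" "$rulesdir"/*.rules 2>/dev/null |
        sed -n 's/^[[:space:]]*var[[:space:]][[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' |
        sort -u)
    # names referenced as $NAME anywhere in snort.conf or the rules files
    used=$(grep -oh '\$[A-Za-z_][A-Za-z0-9_]*' "$conf" "$rulesdir"/*.rules 2>/dev/null |
        tr -d '$' | sort -u)
    # print each referenced name that is never defined (one per line)
    for v in $used; do
        echo "$defined" | grep -qx "$v" || echo "$v"
    done
}

# Constructed sample: a snort.conf that defines HTTP_PORTS but, like the one
# in the thread, forgets ORACLE_PORTS, plus a misc.rules that uses it.
demo_check() {
    tmp=$(mktemp -d)
    cat > "$tmp/snort.conf" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var HTTP_PORTS 80
include misc.rules
EOF
    cat > "$tmp/misc.rules" <<'EOF'
# constructed rules; $ORACLE_PORTS is referenced but never defined
alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"constructed oracle probe"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed web probe"; sid:1000002;)
EOF
    check_snort_vars "$tmp/snort.conf" "$tmp"   # prints: ORACLE_PORTS
    rm -rf "$tmp"
}
```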