Topic: Acid Webpanel Showing No Alerts

[Brian]

Hey Everyone,

I have recently installed the SME SNORT/Acid/Guardian contribs from Ari Novikoff of Marari Network Solutions.

I installed the following rpms using the howto and additional information for 5.6 found on this forum:
http://www.snort.org/dl/binaries/1.9.0/snort-1.9.0-1snort.i386.rpm
http://www.snort.org/dl/binaries/1.9.0/snort-mysql-1.9.0-1snort.i386.rpm
http://www.marari.net/downloads/snort/sme-acid-2.0.0-1ari.noarch.rpm
http://www.marari.net/downloads/snort/trevor-mitel-guardian-2.0-1.noarch.rpm

Info From Forums:
"I then installed snort-2.0.2-5.i386.rpm and snort-mysql-2.0.2-5.i386.rpm. I then made a copy of snort.conf and then installed sme-acid-2.0.0-1ari.noarch.rpm. I replaced the snort.conf that sme-acid installed with the copy that I made. I then went through the snort.conf and changed what needed to be changed. I copied the var HOME_NET, var EXTERNAL_NET and output database: lines from the template fragment in /etc/e-smith/templates/etc/snort/snort.conf. I had to add dbname=snort_log between mysql, and user. Snort also adds a file, /etc/sysconfig/snort that needs to be modified to fit your system. I then deleted /etc/e-smith/templates/etc/snort so my snort.conf doesn't get overwritten before I have time to create new templates.""

So after following both the HOWTO details AND the details above, the installation went off without a hitch. However, after a couple days, it seems that perhaps something is wrong, as the ACID webpanel is not reporting any alerts.

I have checked /var/log/snort, but there are no files within this directory.

"ps aux | grep snort" -- shows 1 process, snort, running

/etc/snort/snort.conf shows the following variables:
  var HOME_NET [127.0.0.1/32,192.168.0.0/24,192.168.1.100/32]
  var EXTERNAL_NET !$HOME_NET

"ps aux | grep acid " -- shows 1 process, acid, running

It looks like everything is running fine, but I still have no alerts. I find this unlikely as web traffic on this server is significant.

Anyone know any other ways to check the ACID/Snort installation or has anyone had this problem before? Searching the forums has given little help, one post described a similar problem was solved by adding an email to the admin alerts panel of email-options in the server-panel. I have done this, still no alerts.

Any ideas?

Thanks
Brian

[Brian]

Let me clarify something from the first post.

The rpms listed:
http://www.snort.org/dl/binaries/1.9.0/snort-1.9.0-1snort.i386.rpm
http://www.snort.org/dl/binaries/1.9.0/snort-mysql-1.9.0-1snort.i386.rpm
http://www.marari.net/downloads/snort/sme-acid-2.0.0-1ari.noarch.rpm
http://www.marari.net/downloads/snort/trevor-mitel-guardian-2.0-1.noarch.rpm

are no longer listed, and the updated versions are  snort-2.0.2-5.i386.rpm and snort-mysql-2.0.2-5.i386.rpm per the additional forum comments above. These are the files I used, not the 1.90 versions.

Brian

[wykyd]

Yes I have the same problem, Have tried this twice and both times the same result.

Let me know how you fix it.

[Brian]

Well, it is good to know that others are having difficulty.

Hopefully one of the uber-intelligent helpers will pick up this subject and help us out.

Brian

[RayG]

I have had problems and ended up going back to 1.9.0. Things have been fine since. With 1.9.1 and 2.0 I was having tons of error messages dumped into the log file also.

[Brian]

Are the 1.9.0 files still available for download?

Brian

[Abe Loveless]

Hmm.... I've got 2.0 running fine.

What were the errors showing?

If I get a chance I may try to update the howto a little.