Hey Everyone,
I have recently installed the SME SNORT/Acid/Guardian contribs from Ari Novikoff of Marari Network Solutions.
I installed the following rpms using the howto and additional information for 5.6 found on this forum:
http://www.snort.org/dl/binaries/1.9.0/snort-1.9.0-1snort.i386.rpm
http://www.snort.org/dl/binaries/1.9.0/snort-mysql-1.9.0-1snort.i386.rpm
http://www.marari.net/downloads/snort/sme-acid-2.0.0-1ari.noarch.rpm
http://www.marari.net/downloads/snort/trevor-mitel-guardian-2.0-1.noarch.rpm
Info From Forums:
"I then installed snort-2.0.2-5.i386.rpm and snort-mysql-2.0.2-5.i386.rpm. I then made a copy of snort.conf and then installed sme-acid-2.0.0-1ari.noarch.rpm. I replaced the snort.conf that sme-acid installed with the copy that I made. I then went through the snort.conf and changed what needed to be changed. I copied the var HOME_NET, var EXTERNAL_NET and output database: lines from the template fragment in /etc/e-smith/templates/etc/snort/snort.conf. I had to add dbname=snort_log between mysql, and user. Snort also adds a file, /etc/sysconfig/snort, that needs to be modified to fit your system. I then deleted /etc/e-smith/templates/etc/snort so my snort.conf doesn't get overwritten before I have time to create new templates."
So after following both the HOWTO details AND the details above, the installation went off without a hitch. However, after a couple days, it seems that perhaps something is wrong, as the ACID webpanel is not reporting any alerts.
I have checked /var/log/snort, but there are no files within this directory.
"ps aux | grep snort" -- shows 1 process, snort, running
/etc/snort/snort.conf shows the following variables:
var HOME_NET [127.0.0.1/32,192.168.0.0/24,192.168.1.100/32]
var EXTERNAL_NET !$HOME_NET
"ps aux | grep acid " -- shows 1 process, acid, running
It looks like everything is running fine, but I still have no alerts. I find this unlikely as web traffic on this server is significant.
Anyone know any other ways to check the ACID/Snort installation, or has anyone had this problem before? Searching the forums has given little help; one post described a similar problem that was solved by adding an email to the admin alerts panel of email-options in the server-panel. I have done this, still no alerts.
Any ideas?
Thanks
Brian
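One thing worth checking when Snort is running but nothing reaches ACID is whether the addresses the server actually receives traffic on fall inside HOME_NET, since most rules are written as `$EXTERNAL_NET -> $HOME_NET`. The script below is an added example, not code from the post or from the SME/marari contribs: it parses the `var NAME value` lines of a snort.conf (1.x/2.x syntax: bracketed lists, `any`, `$VAR` references and a leading `!` for negation) and reports which variables cover a given address. The conf fragment is constructed from the variables quoted above, and 10.0.0.5 is an assumed interface address used only for illustration; per-element negation inside a list (e.g. `[!a,b]`) is not handled.

```python
"""Report which Snort network variables (HOME_NET, EXTERNAL_NET, ...) cover a host address.

Example/diagnostic helper, not part of Snort or the SME contribs. It reads the
`var NAME value` lines of a snort.conf and evaluates them for an IP address so
you can confirm that the interface Snort listens on is really inside HOME_NET.
"""
import ipaddress
import re

# Constructed snort.conf fragment mirroring the variables from the post.
SAMPLE_CONF = """\
# comment line, ignored
var HOME_NET [127.0.0.1/32,192.168.0.0/24,192.168.1.100/32]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS any
"""

# `var NAME value`; Snort 1.x/2.x list values contain no spaces, so \S+ is enough.
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")


def parse_vars(conf_text):
    """Return {name: raw_value} for every `var` line; comments and other lines are skipped."""
    variables = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def _expand(value, variables, depth=0):
    """Resolve a raw value to (negated, [ip_network,...]).

    Handles a leading `!`, `$REF` to another variable, the keyword `any`,
    and a bracketed comma-separated list. Per-element `!` inside a list
    (Snort 2.x) is deliberately not supported here.
    """
    if depth > 10:
        raise ValueError("variable reference loop while expanding %r" % value)
    negated = False
    if value.startswith("!"):
        negated = True
        value = value[1:]
    if value.startswith("$"):
        inner_negated, nets = _expand(variables[value[1:]], variables, depth + 1)
        return (negated ^ inner_negated), nets
    if value == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    tokens = [tok for tok in value.strip("[]").split(",") if tok]
    nets = [ipaddress.ip_network(tok, strict=False) for tok in tokens]
    return negated, nets


def matches(variables, name, address):
    """True if `address` is covered by the Snort variable `name`."""
    negated, nets = _expand(variables[name], variables)
    ip = ipaddress.ip_address(address)
    hit = any(ip in net for net in nets)
    return hit != negated  # `!=` acts as XOR: a negated variable covers the complement


def classify(variables, address):
    """Names of all variables whose value covers `address`, in conf order."""
    return [name for name in variables if matches(variables, name, address)]


if __name__ == "__main__":
    conf_vars = parse_vars(SAMPLE_CONF)
    # 10.0.0.5 is an assumed external interface address, chosen for illustration.
    for addr in ("192.168.0.42", "192.168.1.100", "10.0.0.5"):
        print("%-14s -> %s" % (addr, ", ".join(classify(conf_vars, addr)) or "(no variable)"))
```

Run it against the real file with `parse_vars(open("/etc/snort/snort.conf").read())` and the address of the interface named in /etc/sysconfig/snort; if that address shows up only under EXTERNAL_NET, rules of the usual `$EXTERNAL_NET -> $HOME_NET` shape will never fire for traffic to it.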