Topic: snort rpm install only makes 50%

[John Lewis]

I'm trying to get ari's snort/acid/guardian installed.

When I install the snort packages, I get the following:

[root@gluon snort-acid]# rpm -Uvh snort-1.8.4-1snort.i386.rpm snort-mysql-1.8.4-1snort.i386.rpm
Preparing...                ########################################### [100%]
   1:snort                  ########################################### [ 50%]
   2:snort-mysql            ########################################### [100%

After installing ari's RPM, it does not recognize a sensor...

I tried rpm -e to the rpm's, removed the databases from mysql, and reinstalled, with the same effect.

What could be preventing a 100% for the snort rpm?  Where can I look to see what went wrong?

Thanks.

[Ari Novikoff]

> [root@gluon snort-acid]# rpm -Uvh snort-1.8.4-1snort.i386.rpm
> snort-mysql-1.8.4-1snort.i386.rpm
> Preparing...              
> ########################################### [100%]
>    1:snort                
> ########################################### [ 50%]
>    2:snort-mysql          
> ########################################### [100%
>

This is normal. Snort is 50% of the total installation. Snort-MySQL is the other 50%. The RPM is installed in full.


> After installing ari's RPM, it does not recognize a sensor...
>
> What could be preventing a 100% for the snort rpm?  Where can
> I look to see what went wrong?
>

Are you running DSL? If so, there's a couple of changes you'll have to make.
The configuration is based on an assumption that your external interface is called eth1. I stress this point because DSL calls the external interface ppp1, not eth1. You'll have to edit /etc/e-smith/templates/etc/snort/snort.conf/00snort.conf and /etc/guardian.conf (if you installed the guardian add-on) to reflect that change.
Then expand the template, restart snort (and guardian) and away you go.

Please keep in mind the following:
1) This installation assumes that you are running in server/gateway mode and have both an internal -and- external interface.
2) This installation assumes that you have not drastically modified your server or changed the default MySQL password (you know, that really long obnoxious 75+ character password in /root/.my.cnf)
3) There is no performance guarantee. No warranty either express or implied that it will suit your needs, and, you assume full responsibility when you install the package. If you don't know what you're doing, I -strongly- suggest that you obtain a bit of help from someone who does so you don't compromise your security.

Hope that didn't scare you too much

Cheers!
Ari

[Dan Brown]

Just for clarity, Ari, the eth1/ppp1 thing has nothing to do with DSL, it's PPPoE.  I have DSL without PPPoE, and I've heard of PPPoE on non-DSL connections.

[Ari Novikoff]

yeah, but there seems to be a few people out there with dsl that have made mention (in various emails to me) to the fact that their external interface is called ppp1 instead of eth1.

Can't please everybody all of the time

Ari

[Jehu]

Mine is called ppp0 and I use DSL.

cheer,
Jehu.

[John Lewis]

Ari, thanks.  Its up and running fine!  Many thanks.

You should add what you said to me into your howto.  The more info in your howto, the  better IMHO.

My other problem was that I had tried to get demarc running some time ago, at it installed snort as well, with a different config etc.  I needed to remove it and its databases before I could get your rpm's to install successfully.

Have you looked at demarc (demarc.org)

Their interface is really sweet for snort alerts, it automates getting updated rules for snort, and it does device monitoring and file change monitoring...

Any interest in building an RPM that is a professional and easy to install as this one for demarc?  Its the all in one package that I'm sure many SME users are desparate for...

I use dsl, and the interface for it is Eth1.

[Rotor]

Hi,

if you use just Guardian together with snort, you could install a snort binary that ist built without mysql support. It's not necessary to have mysql support if you don't use it with demarc or  a similar package. If you want this, leave a message - i made a functional snort.rpm without sql support. Btw. if you use Guardian.pl, take care that you have excluded vital hosts such as NIS, maybe DNS and so on. You could lock yourself out... snort is very sensitiv.

[Sam]

Hi

I tried to install snort to run on my SME box everything seems to have been installed and checking back on previous messages i changed my snortd to ppp0

# Specify your network interface here
INTERFACE=ppp0

thats the only mention i could find to eth1

this is the error msg i am getting

Warning: Access denied for user: 'root@localhost' (Using password: YES) in /opt/administration/acid/adodb/drivers/adodb-mysql.inc.php on line 115


Error (p)connecting to DB : snort_log@localhost

Check the DB connection variables in acid_conf.php

               = $alert_dbname   : MySQL database name where the alerts are stored
               = $alert_host     : host where the database is stored
               = $alert_port     : port where the database is stored
               = $alert_user     : username into the database
               = $alert_password : password for the username



thanks for any help

[Dan Brown]

So, Sam, did you check those variables?  Were they correct?  Have you verified the mysql password?

[Sam]

I didnt actually get that far since I dont think snort is running

when i tried

./snortd restart
Stopping snort:                                            [ FAILED ]
Starting snort:                                            [ FAILED ]

this is what i got, so i was thinking that was the problem.  ll have a look at the variables, also how would i verify the mySQL passwd ?

[Dan Brown]

To verify the mysql password, you could search here to see one of the *MANY* times it's come up before, or take a look at the contrib howtos for one on the subject.

Now, it does look like snort isn't running, but that wouldn't be causing the "access denied" error.