Koozali.org: home of the SME Server

Announcing sme-acid-2.0.0-1ari (obsoletes ari-mitel-acid)

Ari

« on: February 06, 2003, 08:43:03 PM »
Announcing sme-acid-2.0.0-1ari.noarch.rpm

This release obsoletes the previous version of ari-mitel-acid with a 'proper'
naming convention and some other significant changes including:

 - ACID updated to 0.96b23 from b21 - takes care of the missing year 2003
variable
 - PHPlot has been replaced with jpgraph and graphing is now fully functional
 - Added the /var/log/snort/scan.log into the acid_conf.php file so that port
scans are reported (experimental)
 - Cosmetic differences.

PLEASE NOTE: Because this new release obsoletes ari-mitel-acid, if you install
using the -U option, the rpm will actually delete itself after installing
(haven't figured out that one yet...) PLEASE COMPLETELY REMOVE ANY PREVIOUS
INSTALLATION OF ARI-MITEL-ACID BEFORE INSTALLING USING THE -i OPTION.

As always, .noarch and .src RPMs are available and the how-to has been updated.

http://www.marari.net/downloads/snort/acid-howto.htm
http://www.marari.net/downloads/snort/sme-acid-2.0.0-1ari.noarch.rpm
http://www.marari.net/downloads/snort/sme-acid-2.0.0-1ari.src.rpm

Cheers!
Ari Novikoff
Marari Network Solutions
http://www.marari.net

Cyrus Bharda

Re: Announcing sme-acid-2.0.0-1ari (obsoletes ari-mitel-acid)
« Reply #1 on: February 07, 2003, 01:29:47 AM »
Howdy Ari,

I followed your howto and installed all the necessary files for 5.5, and today I just downloaded your new sme-acid file to install it. So first I uninstalled ari-mitel-acid:

[root@esmith snort]# rpm -e ari-mitel-acid

Manually removing /opt/administration/acid directory...
Removing SNORT rules auto update
Uninstall complete.

Went to install sme-acid and got the following errors:

[root@esmith snort]# rpm -ivh sme-acid-2.0.0-1ari.noarch.rpm
Preparing...                ########################################### [100%]
   1:sme-acid               ########################################### [100%]

Installing...
/usr/bin/mysqladmin: CREATE DATABASE failed; error: 'Can't create database 'snort_log'. Database exists'
ERROR 1050 at line 23: Table 'schema' already exists
/usr/bin/mysqladmin: CREATE DATABASE failed; error: 'Can't create database 'snort_archive'. Database exists'
ERROR 1050 at line 23: Table 'schema' already exists
`/etc/snort/snortd' -> `/etc/rc.d/init.d/snortd'

Expanding templates.  One moment please...(this can take up to one minute)
Starting Snort-MySQL...
Starting snort: Initializing Output Plugins!
[ FAILED ]

Setting up SNORT rules auto update.
Updating SNORT rules
SETTING UP WORKING DIRECTORY
DOWNLOAD AND EXTRACT CURRENT RULE-SET
--08:21:02--  http://www.snort.org/dl/rules/snortrules-stable.tar.gz
           => `snortrules-stable.tar.gz'
Connecting to www.snort.org:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 104,052 [application/x-tar]

    0K .......... .......... .......... .......... .......... 49% @   2.61 KB/s
   50K .......... .......... .......... .......... .......... 98% @   4.03 KB/s
  100K .                                                     100% @   1.58 MB/s

08:21:34 (3.22 KB/s) - `snortrules-stable.tar.gz' saved [104052/104052]

STOP SNORTD SNORT-MYSQL SERVICE
Stopping snort: [ FAILED ]
COPY OLD RULES TO BACKUP LOCATION
COPY NEW RULES IN PLACE
START SNORTD SNORT-MYSQL SERVICE
Starting snort: Initializing Output Plugins!
[ FAILED ]
SHOW SNORTD STATUS
snort-mysql is stopped
FINISHED

ACID-SNORT Installation is complete.

To access the interface, open up your web browser and point it to:

https://192.168.0.1/acid

You will be prompted for your admin username and password.

You will then be greeted with a screen that reads something
like: The database version is valid, but the ACID DB structure
is not present.

Use the Setup page to configure and optimize the DB.  Simply
follow the Setup Page link and click on the Create ACID AG
button on the left to proceed.

[root@esmith snort]#

I am assuming that the snort-mysql service is not starting because I am using a dial-up connection for internet access?

So how do I go about changing snort to watch ppp0, and will that fix the problem?

Also I opened the page and I did not need to configure the DB.

If there is any other information that you need from me just ask away :-)

Thanks a lot for your time,

Cyrus Bharda
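The install log above ends with "ACID-SNORT Installation is complete." even though every Snort start attempt printed "[ FAILED ]" and the final status line says the sensor is stopped, so an operator who trusts the banner ends up with no IDS running. The following is an added example, not code from the thread or from the sme-acid package: it reads installer output of this shape, separates the "Database exists" / "Table already exists" messages (expected when reinstalling over a DB the previous package left behind) from failures of the start/stop steps, and only reports success when nothing failed and the last status line says the service is running. The sample log is constructed from the lines Cyrus posted; the message patterns and the success rule are this example's own assumptions about the installer's output format.

```python
"""Classify the output of a Snort/ACID installer run (added example).

Not part of the forum thread or of sme-acid. The sample log is constructed
from the install output quoted in the thread; the patterns below are this
example's assumptions about which messages are benign on a reinstall and
which mean the sensor never came up.
"""
import re

# Constructed sample: an abridged copy of the installer output in the thread.
SAMPLE_LOG = """\
/usr/bin/mysqladmin: CREATE DATABASE failed; error: 'Can't create database 'snort_log'. Database exists'
ERROR 1050 at line 23: Table 'schema' already exists
/usr/bin/mysqladmin: CREATE DATABASE failed; error: 'Can't create database 'snort_archive'. Database exists'
ERROR 1050 at line 23: Table 'schema' already exists
Starting Snort-MySQL...
Starting snort: Initializing Output Plugins!
[ FAILED ]
STOP SNORTD SNORT-MYSQL SERVICE
Stopping snort: [ FAILED ]
START SNORTD SNORT-MYSQL SERVICE
Starting snort: Initializing Output Plugins!
[ FAILED ]
SHOW SNORTD STATUS
snort-mysql is stopped
FINISHED
ACID-SNORT Installation is complete.
"""

# Messages that only mean the previous package left its databases in place.
BENIGN_PATTERNS = [
    re.compile(r"Can't create database '(?P<db>\w+)'\. Database exists"),
    re.compile(r"ERROR 1050 .*Table '(?P<table>\w+)' already exists"),
]
FAILED_MARK = "[ FAILED ]"
# Final "service snortd status" line, e.g. "snort-mysql is stopped"
# or "snort-mysql (pid 1234) is running...".
STATUS_RE = re.compile(r"snort\S*.* is (stopped|running)")


def classify_installer_log(text):
    """Split installer output into benign reinstall noise, failed steps,
    the final service state and whether the installer claimed success."""
    benign, failed_steps = [], []
    final_state = None
    claims_success = False
    prev = ""
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if any(p.search(s) for p in BENIGN_PATTERNS):
            benign.append(s)
        elif s.endswith(FAILED_MARK):
            # A bare "[ FAILED ]" belongs to the step printed just before it.
            step = s[: -len(FAILED_MARK)].strip() or prev
            failed_steps.append(step)
        elif STATUS_RE.match(s):
            final_state = STATUS_RE.match(s).group(1)
        elif "Installation is complete" in s:
            claims_success = True
        prev = s
    return {
        "benign": benign,
        "hard_failures": failed_steps,
        "final_state": final_state,
        "ids_running": final_state == "running",
        "claims_success": claims_success,
    }


def installer_succeeded(result):
    """True only when no step failed and the sensor is reported running;
    the installer's own completion banner is deliberately ignored."""
    return not result["hard_failures"] and result["ids_running"]


if __name__ == "__main__":
    r = classify_installer_log(SAMPLE_LOG)
    print("benign reinstall messages:", len(r["benign"]))
    print("failed steps:", r["hard_failures"])
    print("final state:", r["final_state"], "| banner claims success:", r["claims_success"])
    print("installer succeeded:", installer_succeeded(r))
```

Run against the posted log it reports four benign messages, three failed steps (two Snort starts and one stop), a final state of "stopped" and a success banner that contradicts them, so the verdict is failure; the same function returns success for output where the start step prints OK and the status line says running.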