Topic: Howto snort 2.1.1 + Acid

[MasterSleepy]

Hello,

I just finish an howto and some rpm for the installation of snort 2.1.1 and Acid on a SME-server 6.0 or greater.

http://vanhees.homeip.net/index.php?module=ContentExpress&func=display&ceid=19

Regards

[Anonymous]

I'll try this out.  Do you have any suggestions on how to update the signatures on a regular basis?

[Anonymous]

when installing sme-acid i get the following:
Preparing...                ########################################### [100%]
   1:sme-acid               error: unpacking of archive failed on file /opt/administration/acid/acid_main.php;40618538: cpio: read failed - Bad file descriptor

[MasterSleepy]

Hello,

It seems that your download have a problem, try to redownload the rpm.
I've make a test for a test server and download the link that was specified in the howto and there is no problem.

Regards.

[jahlewis]

ok, redownloaded and installed fine

started snort, and could access acid interface no problem

I edited /etc/sysconfig/snort to have it use eth1 (my external nic) and restarted snortd

I'm seeing alerts in /var/log/snort

But nothing in acid

I see no output plugin setting in /etc/snort/snort.conf, nor any reference to it in /etc/sysconfig/snort

Nor did I see any access settings for the snort_log db in phpMyAdmin

I added a snort user, and gave it admin priv's to the snort_log db, and added a output line in snort.conf, but got this when restarting snortd

Mar 24 08:43:19 gluon snort: command line overrides rules file alert plugin!

So how do I find out what that output plugin line is (to troubleshoot why alerts aren't being entered into snort_log/acid?

Is portscanning on?  Will it show up in acid?

Thanks

[MasterSleepy]

Hi,

Normally you don't have to change file /etc/sysconfig/snort, all settings are made in /etc/snort/snort.conf.

For problem with mysql,
In your /etc/snort/snort.conf at line 457 you should have an entry like :
output database: log, mysql, use...

That is the configuration for the output. This option is initialized at the installation of the package sme-snort-0.1-1.

Regards,

[MasterSleepy]

OK I apologize, I made a mistake.

Just forgot to change some things else.

I have update sme-snort-0.1-1

Please update the installed contrib and relaunch snort.

Thanks

[Anonymous]

ok, downloaded sme-snort-0.1.1.noarch.rpm

#rpm -e sme-snort sme-acid

# rpm -Uvh sme-snort-0.1-1.noarch.rpm sme-acid-0.1-1.noarch.rpm
Preparing...                ########################################### [100%]
file /etc/rc.d/init.d/snortd from install of sme-snort-0.1-1 conflicts with file from package snort-2.1.1-1

Now I can't install sme-snort...

[MasterSleepy]

Remove the old one
rpm -e sme-snort-0.1-1

and install the new one

rpm -ivh --force sme-snort-0.1-1.noarch.rpm

I have update the doc to signal this command.

[jahlewis]

I've done so.  Snort is running, and logging alerts to /var/log/snort/

However, there is still no uncommented output entry in snort.conf, nor is there a user setup for snort_log in mysql

How is snort supposed to access snort_log?  Could you send me the output line to jlewis@arachnerd.org?

Thanks.

[MasterSleepy]

Snort-myqsl is configured to access mysql DB with root login and password is find and integrated.
I have add an option to control mysql output.
check with
/sbin/e-smith/db configuration print snortd

You should have
snortd=service|InitscriptOrder|97|mysql|enabled|status|enabled

If you have
snortd=service|InitscriptOrder|97|mysql|disabled|status|enabled

make :
/sbin/e-smith/db configuration setprop snortd mysql enabled
/sbin/e-smith/expand-template /etc/snort/snort.conf

and restart snortd.

Regards.

[jahlewis]

[root@gluon snort]# /sbin/e-smith/db configuration print snortd
snortd=service|InitscriptOrder|97|mysql|enabled|status|enabled

however, nothing was being updated to the db

using msql_setpermissions, I added a snort user and gave access to snort_log, i then added
output database: log, mysql, user=snort password=???? dbname=snort_log host=localhost
to /etc/snort/snort.conf

now eth0 shows up in db as a sensor, so that's working

NOw... how to I force snort to use eth1, not eth0?
I edited /etc/sysconfig/snort, to no avail, do I need to manually edit /etc/init.d/snortd?

Thanks for your help and for the packages.

[MasterSleepy]

Hi jahlewis,
You don't have to create a new mysql user.
Normally, all mysql access are configured during the rpm install.
Except one things, after installing sme-snort, make :
/sbin/e-smith/expand-template /etc/snort/snort.conf

You don't have to do anything else.

Regards,

[wyron]

You don't have to do anything else.

Well, Master Sleepy, I'm not so sure about that.
Since I created a download ibay for the community last night, and can see that its rather heavily visited, I installed Snort and Acid too, just now, to keep track of the traffic on my server.
I also did the expand-template thing but still the  number of sensors is 0 ?

[Anonymous]

I´m having the same problem. The snort logfiles are filled up, but the mysql db is not updated.