Koozali.org: home of the SME Server

Howto snort 2.1.1 + Acid

ajkeane
« Reply #30 on: April 03, 2004, 11:22:50 PM »
Yes

I am installing on 6.01-01 custom.

Tony
...

wykyd

« Reply #31 on: April 05, 2004, 02:40:04 AM »
Quote from: "wyron"

---
error: error accessing /var/log/snort/*: No such file or directory
error: snort:4 glob failed for /var/log/snort/*/*log
---
The entries are, however, added up and viewable in Acid ???

I am getting this too; I am also running the new RPMs.

It still gives me an event when I come to this forum too.

But everything is fine in ACID though; it's logging away quite well.

MasterSleepy
« Reply #32 on: April 05, 2004, 06:27:52 AM »
Hi,

Could you tell me what kind of alert you have?
Is that a "http_inspect"?

Regards.

Appesteijn
« Reply #33 on: April 05, 2004, 11:46:17 AM »
Maybe a little off-topic, but does anyone know if this version of snort works in combination with the trevor-mitel-guardian-1.7.rpm?
............

ajkeane
« Reply #34 on: April 05, 2004, 11:54:45 AM »
I had it installed and it was reporting that it was blocking the IPs. I never actually checked the logs to see what it was doing, though.

In short yes it seems to work.

Tony
...

Appesteijn
« Reply #35 on: April 05, 2004, 12:23:07 PM »
OK, good to hear. I've just installed it and I'm getting weird e-mails from Guardian:

Guardian has blocked ip: eth1. (instead of e.g. 123.456.789.102)

I've tried the ./db configuration set ExternalInterface eth1 and also eth0, but neither worked. Should I check the interfaces in snort.conf?

$HOME_NET and EXTERNALIP are both correct. Still, snort is mostly logging my internal IP addresses.
............

wykyd

« Reply #36 on: April 06, 2004, 03:15:15 AM »
Quote from: "MasterSleepy"
Hi,

Could you tell me what kind of alert you have?
Is that a "http_inspect"?

Regards.

WEB-PHP viewtopic.php access web-application
http://www.securityfocus.com/bid/7979

phpBB Viewtopic.PHP SQL Injection Vulnerability
bugtraq id: 7979
class: Input Validation Error
cve: CAN-2003-0486
remote: Yes
local: No
published: Jun 19, 2003
updated: Jun 28, 2003
vulnerable: phpBB Group phpBB 2.0.4, phpBB Group phpBB 2.0.5


I get it every time I come to this site and browse the forums.

mrjhb3
« Reply #37 on: April 16, 2004, 04:53:13 AM »
I have just installed this package and am seeing the below errors during install:

/var/tmp/rpm-tmp.32310: ehco: command not found

WARNING in /etc/e-smith/templates-custom//etc/snort/snort.conf/20OutputSetting: Use of uninitialized value in string eq at /etc/e-smith/templates-custom//etc/snort/snort.conf/20OutputSetting line 20.

WARNING: Template processing succeeded for //etc/snort/snort.conf: 1 fragment generated warnings
 at /sbin/e-smith/expand-template line 49

I ran the expand-template a second time and I didn't get the error.  

Could there be a typo in the rpm (ehco instead of echo)?  I get this on every install I do.

Thanks,

JB
......

MasterSleepy
« Reply #38 on: April 16, 2004, 10:20:14 AM »
Hi,

I think that you installed an old version.
Try to re-download sme-snort and retry.
That kind of problem was solved with the new one.

Regards.

mrjhb3
« Reply #39 on: April 16, 2004, 02:20:14 PM »
Master Sleepy,

I did download the latest versions.
Here is what I have installed on SME 6.01-01

sme-snort-0.2-1
snort-mysql-2.1.1-1
sme-acid-0.2-1
snort-2.1.1-1

I'll re-download them and install it again and see what I get.

JB
......

mrjhb3
« Reply #40 on: April 16, 2004, 02:26:10 PM »
I see the possible issue.

sme-snort is at 0.2-2, but the howto states 0.2-1. I didn't bother to look in the download section to see if there were any newer files. I'll re-install and see what I get.

Thanks again,

JB
......

SoundSailor
« Reply #41 on: April 16, 2004, 04:31:37 PM »
Just installed as per your "How To". Worked as advertised. Thanks Michel for a great effort.

Drifting
« Reply #42 on: April 17, 2004, 05:43:55 PM »
Quote from: "electroman00"
Tony

Are you installing to the 6.01.01 custom?

Richard


Not sure about Tony, but the install went well on my custom ISO sme server. All I would like now is the Guardian program  :lol:

Paul.
Infamy, Infamy, they all have it in for me!

ajkeane
« Reply #43 on: April 17, 2004, 10:36:24 PM »
As previously stated, I have Guardian installed and it is working. The only issue is that I get messages saying that 127.0.0.1 has been blocked.

Tony
...

guest

« Reply #44 on: April 23, 2004, 03:10:50 PM »
A workaround could be to add 127.0.0.1 to /etc/guardian.ignore
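Two posts in this thread describe Guardian blocking something it should never touch: the loopback address and, earlier, the literal string `eth1` reported where an address belongs. The following helper is an added example, not part of Guardian or of the sme-snort package; it assumes the ignore list is `/etc/guardian.ignore` with one IPv4 address per line, as the workaround above implies. It refuses anything that is not a dotted-quad address (so a misconfigured interface name cannot end up in the list) and never appends a duplicate, so it is safe to run from an install script more than once.

```shell
#!/bin/sh
# Added example (not Guardian's own code): maintain /etc/guardian.ignore
# so the host never blocks itself. File path and one-address-per-line
# format are assumptions taken from the post above.

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# add_guardian_ignore ADDR [FILE]: append ADDR to FILE unless already listed.
# Returns 0 when ADDR is in the file afterwards, 1 when ADDR is rejected.
add_guardian_ignore() {
    addr="$1"
    file="${2:-/etc/guardian.ignore}"

    if ! is_ipv4 "$addr"; then
        echo "refusing to add '$addr': not an IPv4 address" >&2
        return 1
    fi

    touch "$file"
    # -x matches the whole line, so 10.0.0.1 does not match 10.0.0.10;
    # -F treats the dots literally.
    if grep -qxF "$addr" "$file"; then
        echo "$addr already in $file"
    else
        printf '%s\n' "$addr" >> "$file"
        echo "added $addr to $file"
    fi
}

# guardian_ignore_count [FILE]: number of address lines currently listed.
guardian_ignore_count() {
    file="${1:-/etc/guardian.ignore}"
    [ -f "$file" ] || { echo 0; return; }
    grep -cE '^[0-9]' "$file"
}

# Typical use: seed the list with loopback before starting Guardian.
# add_guardian_ignore 127.0.0.1
```

Seed the list with `127.0.0.1` and with the server's own interface addresses, since Snort on SME sees the box's outbound traffic on the same interface it monitors. Guardian would otherwise act on alerts whose source is the server itself, which is exactly the "127.0.0.1 has been blocked" message reported above.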