Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Brian on November 07, 2003, 03:43:31 AM
-
Hey Everyone,
I have recently installed the SME SNORT/Acid/Guardian contribs from Ari Novikoff of Marari Network Solutions.
I installed the following rpms using the howto and additional information for 5.6 found on this forum:
http://www.snort.org/dl/binaries/1.9.0/snort-1.9.0-1snort.i386.rpm
http://www.snort.org/dl/binaries/1.9.0/snort-mysql-1.9.0-1snort.i386.rpm
http://www.marari.net/downloads/snort/sme-acid-2.0.0-1ari.noarch.rpm
http://www.marari.net/downloads/snort/trevor-mitel-guardian-2.0-1.noarch.rpm
Info From Forums:
"I then installed snort-2.0.2-5.i386.rpm and snort-mysql-2.0.2-5.i386.rpm. I then made a copy of snort.conf and then installed sme-acid-2.0.0-1ari.noarch.rpm. I replaced the snort.conf that sme-acid installed with the copy that I made. I then went through the snort.conf and changed what needed to be changed. I copied the var HOME_NET, var EXTERNAL_NET and output database: lines from the template fragment in /etc/e-smith/templates/etc/snort/snort.conf. I had to add dbname=snort_log between mysql, and user. Snort also adds a file, /etc/sysconfig/snort that needs to be modified to fit your system. I then deleted /etc/e-smith/templates/etc/snort so my snort.conf doesn't get overwritten before I have time to create new templates."
So after following both the HOWTO details AND the details above, the installation went off without a hitch. However, after a couple days, it seems that perhaps something is wrong, as the ACID webpanel is not reporting any alerts.
I have checked /var/log/snort, but there are no files within this directory.
"ps aux | grep snort" -- shows 1 process, snort, running
/etc/snort/snort.conf shows the following variables:
var HOME_NET [127.0.0.1/32,192.168.0.0/24,192.168.1.100/32]
var EXTERNAL_NET !$HOME_NET
"ps aux | grep acid " -- shows 1 process, acid, running
It looks like everything is running fine, but I still have no alerts. I find this unlikely as web traffic on this server is significant.
Anyone know any other ways to check the ACID/Snort installation, or has anyone had this problem before? Searching the forums has given little help; one post described a similar problem that was solved by adding an email address to the admin alerts panel of the email options in the server panel. I have done this, still no alerts.
Any ideas?
Thanks
Brian
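A sanity check for the hand-edited snort.conf lines the quoted how-to talks about (var HOME_NET / EXTERNAL_NET and the output database: line, including the dbname= field it says had to be added). This is an added example, not code from the thread or from the contrib; the sample config lines, the PLACEHOLDER password and the list of required database parameters are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of the three snort.conf lines the how-to says to set by hand.
SAMPLE_CONF = """\
var HOME_NET [127.0.0.1/32,192.168.0.0/24,192.168.1.100/32]
var EXTERNAL_NET !$HOME_NET
output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort_log host=localhost
"""

# Parameters the mysql output plugin needs to reach the ACID database (assumed minimum).
REQUIRED_DB_PARAMS = ("user", "dbname", "host")


def parse_conf(text):
    """Return ({var_name: raw_value}, [dict per 'output database:' line])."""
    variables, outputs = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and padding
        m = re.match(r"var\s+(\w+)\s+(\S+)$", line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = re.match(r"output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", line)
        if m:
            params = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
            params.update(mode=m.group(1), dbtype=m.group(2))
            outputs.append(params)
    return variables, outputs


def check_conf(text):
    """Return a list of problems; an empty list means the lines look sane."""
    variables, outputs = parse_conf(text)
    problems = [f"missing var {n}" for n in ("HOME_NET", "EXTERNAL_NET") if n not in variables]
    if "HOME_NET" in variables:
        for cidr in variables["HOME_NET"].strip("[]").split(","):
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"HOME_NET entry is not a network: {cidr!r}")
    ext = variables.get("EXTERNAL_NET", "").lstrip("!")   # '!' negates, '$' references a var
    if ext.startswith("$") and ext[1:] not in variables:
        problems.append(f"EXTERNAL_NET references undefined variable ${ext[1:]}")
    if not outputs:
        problems.append("no 'output database:' line, so nothing is logged for ACID")
    for out in outputs:
        problems += [f"output database ({out['dbtype']}) lacks {k}=" for k in REQUIRED_DB_PARAMS if k not in out]
    return problems
```

Run `check_conf(open("/etc/snort/snort.conf").read())` on the real file; a non-empty list points at the line to fix before looking further afield.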
-
Let me clarify something from the first post.
The rpms listed:
http://www.snort.org/dl/binaries/1.9.0/snort-1.9.0-1snort.i386.rpm
http://www.snort.org/dl/binaries/1.9.0/snort-mysql-1.9.0-1snort.i386.rpm
http://www.marari.net/downloads/snort/sme-acid-2.0.0-1ari.noarch.rpm
http://www.marari.net/downloads/snort/trevor-mitel-guardian-2.0-1.noarch.rpm
are no longer listed, and the updated versions are snort-2.0.2-5.i386.rpm and snort-mysql-2.0.2-5.i386.rpm per the additional forum comments above. These are the files I used, not the 1.90 versions.
Brian
-
Yes, I have the same problem. I have tried this twice and both times got the same result.
Let me know how you fix it.
-
Well, it is good to know that others are having difficulty.
Hopefully one of the uber-intelligent helpers will pick up this subject and help us out.
Brian
-
I have had problems and ended up going back to 1.9.0. Things have been fine since. With 1.9.1 and 2.0 I was having tons of error messages dumped into the log file also.
-
Are the 1.9.0 files still available for download?
Brian
-
Hmm.... I've got 2.0 running fine.
What were the errors showing?
If I get a chance I may try to update the howto a little.