Shemite_Dog n00b
Joined: 22 Jul 2003 Posts: 35 Location: Hailing from parts unknown!!
Posted: Tue May 04, 2004 10:54 am Post subject:
I wonder if anyone could help me?
I had this working beautifully until my hard drive crashed and had to reinstall everything.
Now, I've followed the guide to the letter again. I'm at the part where you edit /etc/snort/snort.conf, but it seems to be missing. There is an /etc/snort/snort.conf.distrib, but it doesn't contain the proper "output database" line. I tried the latest and previous three versions of snort with no luck. I tried copying snort.conf.distrib to snort.conf and adding the output database line, but that didn't work either. I'm guessing some step in the how-to is generating the snort.conf file, but somehow I've botched it.
_________________ "Mr. Mc Cluck Cluck!"
ixion l33t
Joined: 16 Dec 2002 Posts: 708
Posted: Tue May 04, 2004 1:07 pm Post subject:
What do you mean by it not working? Please paste relevant snort entries from your system log and maybe we can help figure this out for you!
The snort.conf.dist should be fine to copy to snort.conf with a little tweaking (as you have already done). I had the same trouble with snort, but after reading the system log it was very easy to fix. Snort (along with many other proggies;) ) is very informative in the log.
Please post back your findings!
EDIT: This is my output entry in the snort.conf file:
Code:
    output database: alert, mysql, user=snort password=passwordd dbname=snort host=localhost socket=/var/run/mysqld/mysqld.sock
_________________ only the paranoid survive
Shemite_Dog n00b
Joined: 22 Jul 2003 Posts: 35 Location: Hailing from parts unknown!!
Posted: Wed May 05, 2004 9:46 am Post subject:
Ok, I must have messed up the snort.conf, because I just copied it over again and re-edited, restarted snort, and all's fine now.
Sorry for that sketchy previous post. I was trying to write it and eat and get to work all in 20 minutes.
_________________ "Mr. Mc Cluck Cluck!"
ixion l33t
Joined: 16 Dec 2002 Posts: 708
Posted: Wed May 05, 2004 12:02 pm Post subject:
Hey, congrats that it works! I've learned so many times already that taking a break from something and coming back to it after a good night's rest can do wonders.
_________________ only the paranoid survive
mazirian Apprentice
Joined: 26 Jun 2003 Posts: 273 Location: Yarmouth, ME
Posted: Mon May 17, 2004 8:03 pm Post subject:
Which libnet package is required? Is it net-libs/libnet or dev-perl/libnet? I am assuming the former.
What needs libnet anyway? Not ACID, apparently.
Shemite_Dog n00b
Joined: 22 Jul 2003 Posts: 35 Location: Hailing from parts unknown!!
Posted: Tue May 18, 2004 9:51 am Post subject:
I used net-libs/libnet. Not sure if this is in fact the correct libnet, but it seems to be working fine for me.
_________________ "Mr. Mc Cluck Cluck!"
ixion l33t
Joined: 16 Dec 2002 Posts: 708
Posted: Tue May 18, 2004 11:28 am Post subject:
Yes, net-libs/libnet is what you need; it's a dependency of snort.
_________________ only the paranoid survive
r4d1x Apprentice
Joined: 25 Nov 2003 Posts: 157 Location: Japan
Posted: Tue Jun 15, 2004 1:07 pm Post subject: nice.....
Nice howto. For those of you who aren't getting snort to log correctly, make sure that it's logging into mysql properly. I had that problem forever, except I was doing everything from source on Slackware. Once you get it set correctly, you may want to filter out ICMP in the rule set; it creates huge alert files. Or, in my case, just have iptables drop ICMP altogether. Anyway, good job on this; it should help a lot of people.
Code:
    output database: log, mysql, user=<sql user> password=<sql password> dbname=snort host=<box IP here>
That should work for those of you who had localhost in there; that's what I had to do to get it to connect properly. Also make sure that mysql is running.
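The two output database: lines quoted so far in this thread differ only in host= (localhost plus a socket path, or the box's IP), and the usual advice is "read the log". What follows is an added example written for this page, not code from Snort or from any poster: a Python checker that parses every output database: line of a snort.conf according to the Snort 2.x plugin syntax shown in the posts and reports the mistakes seen here (no dbname=, host=localhost with a missing or absent socket, and a plaintext database password sitting in a group- or world-readable file). The syntax is assumed from the posted lines; SAMPLE_CONF is constructed, the socket_exists argument is a test hook rather than a Snort option, and all function names are mine.

```python
"""Audit the 'output database:' lines of a snort.conf.

Added example for the thread above; not code from Snort or from any poster.
It parses the Snort 2.x database output plugin syntax

    output database: <alert|log>, <mysql|postgresql|...>, key=value ...

and reports the problems the thread keeps hitting: a missing dbname=,
host=localhost without a usable socket, and a plaintext password in a
world-readable file. The socket_exists hook is a test seam, not a Snort
option.
"""
import os
import re
import stat
from typing import Callable, Dict, List

FACILITIES = ("alert", "log")
REQUIRED_KEYS = ("user", "dbname")
LINE_RE = re.compile(r"^\s*output\s+database\s*:\s*(?P<rest>.+?)\s*$")

# Constructed sample: line 3 is the form posted above (localhost + socket),
# line 4 is the common mistake (localhost, no socket, no dbname).
SAMPLE_CONF = """\
# snort.conf excerpt (constructed for this example)
output alert_fast: alert
output database: alert, mysql, user=snort password=passwordd dbname=snort host=localhost socket=/var/run/mysqld/mysqld.sock
output database: log, mysql, user=snort password=passwordd host=localhost
"""


def parse_output_line(line: str) -> Dict[str, str]:
    """Parse one line; {} if it is not an 'output database:' line.

    The facility and database type land under 'facility' and 'dbtype';
    every key=value token after the second comma becomes a dict entry.
    """
    m = LINE_RE.match(line)
    if not m:
        return {}
    fields = [f.strip() for f in m.group("rest").split(",", 2)]
    if len(fields) < 3:
        raise ValueError("need facility, dbtype and parameters: %r" % line)
    params = {"facility": fields[0], "dbtype": fields[1]}
    for token in fields[2].split():
        if "=" not in token:
            raise ValueError("bad parameter %r (expected key=value)" % token)
        key, value = token.split("=", 1)
        params[key] = value
    return params


def check_output(params: Dict[str, str],
                 socket_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the problems found in one parsed entry (empty list = looks fine)."""
    problems = []
    if params.get("facility") not in FACILITIES:
        problems.append("facility must be 'alert' or 'log'")
    for key in REQUIRED_KEYS:
        if key not in params:
            problems.append("missing %s=" % key)
    host = params.get("host", "localhost")
    if host == "localhost":
        # The MySQL client library treats 'localhost' as "use the Unix socket",
        # so a wrong or missing socket path fails even though mysqld answers on TCP.
        sock = params.get("socket")
        if sock is None:
            problems.append("host=localhost with no socket=; set socket=/path/to/mysqld.sock "
                            "or use host=127.0.0.1 to force TCP")
        elif not socket_exists(sock):
            problems.append("socket %s does not exist (is mysqld running?)" % sock)
    return problems


def password_exposed(mode: int, params: Dict[str, str]) -> bool:
    """True if the entry carries a password and the file mode lets group/other read it."""
    return "password" in params and bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_conf_text(text: str,
                    socket_exists: Callable[[str], bool] = os.path.exists) -> Dict[int, List[str]]:
    """Map 1-based line number -> problems, for every output database line in text."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        params = parse_output_line(line)
        if params:
            report[lineno] = check_output(params, socket_exists)
    return report


def audit_conf_file(path: str) -> Dict[int, List[str]]:
    """Audit a real file; a permissions finding, if any, is filed under line 0."""
    with open(path) as fh:
        text = fh.read()
    report = audit_conf_text(text)
    mode = os.stat(path).st_mode
    for line in text.splitlines():
        if password_exposed(mode, parse_output_line(line)):
            report[0] = ["%s is group/world readable and holds a database password; chmod 600 it" % path]
            break
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit_conf_file(target) if target else audit_conf_text(SAMPLE_CONF, lambda s: False)
    for lineno, problems in sorted(result.items()):
        for p in problems:
            print("line %d: %s" % (lineno, p))
```

Run it with the path to snort.conf as the only argument; with no argument it audits SAMPLE_CONF with the socket treated as absent. A clean report only says the line is well formed and the socket is there; whether the credentials work is still best confirmed by connecting with the mysql client using the same user=, password= and socket= or host= values.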
stickboy2642 Tux's lil' helper
Joined: 21 Jan 2004 Posts: 129 Location: MT, USA
Posted: Thu Aug 12, 2004 7:33 pm Post subject:
I have a problem with snort logging from multiple systems to the same database. This works fine until I have to restart one of the snort daemons, and then I am plagued with errors similar to the following:
Code:
    snort: database: mysql_error: Duplicate entry '1-34247' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '34247', '1406', '2004-08-12 12:36:44-06')
For whatever reason, it seems to be resetting either the SID or the CID, and is not able to log the events properly. I saw a post somewhere where someone mentioned this problem and that he commented out a line in the snort.conf file, but did not give any detail. Does anyone have any idea what I would need to do to fix this problem?
_________________
<?PHP
if ($desireToSolveProblem > 0){
    solve($problem);
}else{
    drink($beer);
} ?>
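The duplicate-entry error above never gets an answer in this thread. The following is an added example, not code from the thread or from Snort, that models the two tables from Snort's create_mysql schema that matter here (sensor and event) in an in-memory SQLite database so it runs offline, then walks through the failure, a diagnostic query, the repair and the recovery. The cause it assumes is not stated in the thread: the database plugin keeps each sensor's event counter in sensor.last_cid and writes it back on a clean shutdown, so a sensor that dies without that write resumes from a stale counter and the PRIMARY KEY (sid, cid) on event rejects the next insert. The sample rows are constructed (the cid 34247 and signature 1406 are borrowed from the error message above), and the function names are mine.

```python
"""Diagnose and repair a stale sensor.last_cid in a Snort 2.x event database.

Added example, not code from the thread or from Snort. It models the sensor
and event tables of Snort's create_mysql schema in an in-memory SQLite
database so it runs offline; DIAGNOSE_SQL and REPAIR_SQL are plain enough
to paste into the mysql client against the real snort database (the
UPDATE needs MySQL 4.1 or later for its subqueries).

Assumed cause, which the thread does not state: the database plugin keeps
each sensor's event counter in sensor.last_cid and writes it back on a
clean shutdown. A sensor that dies without that write resumes from a
stale counter on the next start, and the PRIMARY KEY (sid, cid) on event
rejects the insert with "Duplicate entry 'sid-cid' for key 1".
"""
import sqlite3

SCHEMA = """
CREATE TABLE sensor (
    sid      INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname TEXT, interface TEXT, filter TEXT,
    detail   INTEGER, encoding INTEGER,
    last_cid INTEGER NOT NULL
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Per sensor: the stored counter next to the highest cid really logged.
DIAGNOSE_SQL = """
SELECT s.sid, s.hostname, s.last_cid, COALESCE(MAX(e.cid), 0) AS max_cid
FROM sensor s LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.last_cid
ORDER BY s.sid
"""

# Bring every lagging counter up to the highest cid actually in event.
REPAIR_SQL = """
UPDATE sensor
SET last_cid = (SELECT COALESCE(MAX(cid), 0) FROM event WHERE event.sid = sensor.sid)
WHERE last_cid < (SELECT COALESCE(MAX(cid), 0) FROM event WHERE event.sid = sensor.sid)
"""


def build_sample_db():
    """Constructed data: sensor 1 was killed after logging cid 34247 while its
    stored counter still says 34246; sensor 2 shut down cleanly."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sensor VALUES (?,?,?,?,?,?,?)", [
        (1, "sensor-a", "eth0", None, 1, 0, 34246),
        (2, "sensor-b", "eth0", None, 1, 0, 120),
    ])
    db.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 34246, 1406, "2004-08-12 12:36:40"),
        (1, 34247, 1406, "2004-08-12 12:36:44"),
        (2, 120, 1406, "2004-08-12 12:36:44"),
    ])
    db.commit()
    return db


def stale_sensors(db):
    """[(sid, hostname, last_cid, max_cid)] for sensors whose counter lags."""
    return [row for row in db.execute(DIAGNOSE_SQL) if row[2] < row[3]]


def next_cid(db, sid):
    """The cid a restarting sensor will use under the assumed rule: last_cid + 1."""
    (last,) = db.execute("SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()
    return last + 1


def insert_event(db, sid, cid, signature, ts):
    """Insert like the plugin does; False stands in for the mysql_error above."""
    try:
        with db:
            db.execute("INSERT INTO event (sid, cid, signature, timestamp) VALUES (?,?,?,?)",
                       (sid, cid, signature, ts))
        return True
    except sqlite3.IntegrityError:
        return False


def repair(db):
    """Run REPAIR_SQL; returns how many sensor rows were corrected."""
    with db:
        cur = db.execute(REPAIR_SQL)
    return cur.rowcount


def demo():
    """Failure, diagnosis, repair and recovery on the sample data, as a dict."""
    db = build_sample_db()
    out = {"stale_before": stale_sensors(db)}
    out["first_insert"] = insert_event(db, 1, next_cid(db, 1), 1406, "2004-08-12 12:40:00")
    out["repaired"] = repair(db)
    out["stale_after"] = stale_sensors(db)
    out["next_after"] = next_cid(db, 1)
    out["second_insert"] = insert_event(db, 1, out["next_after"], 1406, "2004-08-12 12:40:00")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real MySQL server, run the SELECT first and the UPDATE only while the affected sensor is stopped, since a running plugin holds its counter in memory and will write it back on exit. MySQL 4.0 has no subqueries: there, read max_cid from the SELECT and set last_cid for that sid by hand.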
mayday147 l33t
Joined: 22 Mar 2004 Posts: 825 Location: Bucharest, Romania
Posted: Sun Aug 22, 2004 1:47 am Post subject:
I get a strange error from MySQL when I execute the following:
Code:
    # mysql -u root -p < /snort/contrib/create_mysql snort
    Enter password:
    ERROR 1062 at line 26: Duplicate entry '106' for key 1
And it creates only one table, named "schema". I tried to delete that single table and re-execute the script, but:
Code:
    # mysql -u root -p < ./create_mysql snort
    Enter password:
    ERROR 1062 at line 155: Duplicate entry '0' for key 1
This time it does create all the tables (I think), but snort isn't logging anything to snort-db though.
_________________ gentoo.ro
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Sun Aug 22, 2004 5:43 am Post subject: You need to make a change for PHP 5.0.1
You need to make this change for ACID to work with PHP 5. The check specifically checks for 4.0.4 or newer, so you get the error message that your PHP is too old. The main problem is that there is NO newer version of ACID which is no big deal since the fix is easy. Here is the fix for that:
Open /acid_directory/acid_db_common.php
Find this section of code in the function verify_php_build:
Code:
    /* Check PHP version >= 4.0.4 */
    $current_php_version = phpversion();
    $version = explode(".", $current_php_version);
    /* account for x.x.xXX subversions possibly having text like 4.0.4pl1 */
    if ( is_numeric(substr($version[2], 1, 1)) )
        $version[2] = substr($version[2], 0, 2);
    else
        $version[2] = substr($version[2], 0, 1);
    /* only version PHP 4.0.4+ or 4.1+.* are valid */
    if ( !( ($version[0] >= 4) && ( ( ($version[1] == 0) && ($version[2] >= 4) ) ||
            ($version[1] > 0) ) ) )
Change this line:
Code:
    From: if ( !( ($version[0] >= 4) && ( ( ($version[1] == 0) && ($version[2] >= 4) ) ||
    To:   if ( !( ($version[0] >= 4) && ( ( ($version[1] == 0) && ($version[2] >= 0) ) ||
That should solve your problem for future PHP builds. If you're using anything less than 4.0.4, you have a serious need to upgrade anyway.
_________________ Screw you guys, I'm going home...
Last edited by maalth on Sun Sep 12, 2004 7:40 am; edited 1 time in total
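The condition quoted above fails on 5.0.1 because, with a minor version of 0, it compares the patch level (1) against 4 before it ever looks at the major version; the posted change lowers that 4 to 0, which also lets 4.0.0 through. Below is an added example, not ACID's code and not from the post: the explode()/substr() parsing and the condition are re-implemented in Python so they can be run against several version strings, next to the tuple comparison a fixed check would make (in PHP itself, version_compare($v, '4.0.4', '>=') is the built-in way to do this). All function names are mine.

```python
"""Why ACID's verify_php_build() calls PHP 5.0.1 "too old", and the check it should use.

Added example, not ACID's code. acid_components() and acid_version_ok()
re-implement in Python the explode()/substr() parsing and the condition
quoted in the post above, so the behaviour can be exercised on several
version strings; version_ok() is the comparison a fixed check would make
(in PHP itself, version_compare($v, '4.0.4', '>=') does this).
"""
import re


def acid_components(version):
    """Mirror ACID's parsing: split on '.', then keep two characters of the
    patch field if the second one is a digit, otherwise one. So '4.0.4pl1'
    gives ['4', '0', '4'] and '4.3.10' gives ['4', '3', '10']."""
    parts = version.split(".")
    while len(parts) < 3:          # ACID would hit an undefined index here
        parts.append("0")
    patch = parts[2]
    if len(patch) > 1 and patch[1].isdigit():
        parts[2] = patch[:2]
    else:
        parts[2] = patch[:1]
    return parts


def _num(field):
    """PHP compares a numeric string with an int numerically; non-numeric is 0."""
    return int(field) if field.isdigit() else 0


def acid_version_ok(version, minimum_patch=4):
    """ACID's condition as written (minimum_patch=4), or as patched in the
    post (minimum_patch=0): accept if major >= 4 and either (minor == 0 and
    patch >= minimum_patch) or minor > 0. The minor == 0 branch is what
    bites 5.0.x: the patch level of a 5.0 release is compared against 4."""
    major, minor, patch = (_num(x) for x in acid_components(version))
    return major >= 4 and ((minor == 0 and patch >= minimum_patch) or minor > 0)


def version_ok(version, minimum=(4, 0, 4)):
    """Compare (major, minor, patch) as a tuple; suffixes like 'pl1' or 'RC2'
    are ignored. 5.0.1 >= 4.0.4 because 5 > 4, whatever follows."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) >= minimum


if __name__ == "__main__":
    for v in ("4.0.3", "4.0.4pl1", "4.3.9", "5.0.1", "5.0.1RC2"):
        print(v, "acid:", acid_version_ok(v), "patched:", acid_version_ok(v, 0),
              "correct:", version_ok(v))
```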
Shienarier Apprentice
Joined: 16 Jun 2003 Posts: 278
Posted: Fri Aug 27, 2004 8:51 pm Post subject:
I think this needs to be updated. All of the needed programs are now in the portage tree, for example.
Zyne Guru
Joined: 08 Jun 2004 Posts: 334
Posted: Sat Aug 28, 2004 6:53 pm Post subject:
Thanks muchos for this howto... I have been looking at snort for a while, but couldn't figure out how to make it work... Thanks to this howto it actually does work (hopefully),
but I'm getting a few errors...
As someone said before, there are ebuilds for every single package needed, so I just emerged all the needed packages.
Of course some paths have changed, so I had to change them in the PHP too...
However, now I get the following error:
Code:
    Fatal error: Call to undefined function session_module_name() in /var/www/localhost/htdocs/acid/acid_state_common.inc on line 49
Does anyone have a clue on what I'm supposed to do now?
edit: hmm, this got posted twice for some reason...
Either way, it's solved, and the solution is in the next post...
Last edited by Zyne on Sun Aug 29, 2004 7:49 pm; edited 1 time in total
Zyne Guru
Joined: 08 Jun 2004 Posts: 334
Posted: Sat Aug 28, 2004 6:54 pm Post subject:
Thanks muchos for this howto... I have been looking at snort for a while, but couldn't figure out how to make it work... Thanks to this howto it actually does work (hopefully),
but I'm getting a few errors...
As someone said before, there are ebuilds for every single package needed, so I just emerged all the needed packages.
Of course some paths have changed, so I had to change them in the PHP too...
However, now I get the following error:
Code:
    Fatal error: Call to undefined function session_module_name() in /var/www/localhost/htdocs/acid/acid_state_common.inc on line 49
Does anyone have a clue on what I'm supposed to do now?
edit: all solved now...
Apparently acid doesn't work with PHP5 and/or mod_php5.
operad n00b
Joined: 21 Aug 2004 Posts: 2
Posted: Sun Sep 05, 2004 11:11 am Post subject:
Just wanted to say thanks a lot for this awesome howto. Worked perfectly for me the first time, besides getting my second NIC to listen, because snort wanted to listen on eth0. Anyway, great job.
echo6 Guru
Joined: 04 Jan 2003 Posts: 587
Posted: Sun Sep 05, 2004 6:57 pm Post subject:
Zyne wrote:
    edit: all solved now...
    Apparently acid doesn't work with PHP5 and/or mod_php5.
Brilliant! Wish I had seen this earlier.
Vulpes_Vulpes Apprentice
Joined: 10 Dec 2003 Posts: 264 Location: Amsterdam
Posted: Mon Sep 06, 2004 7:45 pm Post subject:
Great HOWTO! I stumbled upon it from the gentoo-wiki page. The installation went as smooth as a hot knife through melted butter! I just love the Gentoo documentation!
PLum Tux's lil' helper
Joined: 20 May 2004 Posts: 108 Location: /dev/world/poland/gliwice
Posted: Sun Sep 12, 2004 2:18 am Post subject:
Damn, I used the ebuilds
and installed everything,
but got something like this when I try to open the web page with ACID:
emerge dev-php/adodb
emerge dev-php/jpgraph/jpgraph-1.12.2.ebuild
emerge net-analyzer/acid/acid-0.9.6_beta23.ebuild
Quote:
    Parse error: parse error, unexpected T_VARIABLE in /usr/share/webapps/acid/0.9.6_beta23/htdocs/acid_conf.php on line 20
Can anyone help?
I'm kind of a noob at "php mysql".
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Sun Sep 12, 2004 7:44 am Post subject:
Zyne wrote:
    edit: hmm, this got posted twice for some reason...
    Either way, it's solved, and the solution is in the next post...
Did you try my post from Aug 22? I actually did fix the problem.
_________________ Screw you guys, I'm going home...
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Sun Sep 12, 2004 7:45 am Post subject:
PLum wrote:
    Damn, I used the ebuilds
    and installed everything,
    but got something like this when I try to open the web page with ACID:
    emerge dev-php/adodb
    emerge dev-php/jpgraph/jpgraph-1.12.2.ebuild
    emerge net-analyzer/acid/acid-0.9.6_beta23.ebuild
    Quote:
        Parse error: parse error, unexpected T_VARIABLE in /usr/share/webapps/acid/0.9.6_beta23/htdocs/acid_conf.php on line 20
    Can anyone help?
    I'm kind of a noob at "php mysql".
ACID is version dependent. Try my post and see how it goes; the date is Aug 22.
_________________ Screw you guys, I'm going home...
srbamber n00b
Joined: 13 Nov 2003 Posts: 20 Location: Scotland
Posted: Sun Sep 12, 2004 5:29 pm Post subject:
PLum wrote:
    Damn, I used the ebuilds
    and installed everything,
    but got something like this when I try to open the web page with ACID:
    emerge dev-php/adodb
    emerge dev-php/jpgraph/jpgraph-1.12.2.ebuild
    emerge net-analyzer/acid/acid-0.9.6_beta23.ebuild
    Quote:
        Parse error: parse error, unexpected T_VARIABLE in /usr/share/webapps/acid/0.9.6_beta23/htdocs/acid_conf.php on line 20
    Can anyone help?
    I'm kind of a noob at "php mysql".
There's a typo in the acid_conf.php file: line 12 is missing a trailing semicolon, i.e.
    $DBlib_path = "/usr/lib/php/adodb"
instead of
    $DBlib_path = "/usr/lib/php/adodb";
Add the semicolon and you should be in business.
PLum Tux's lil' helper
Joined: 20 May 2004 Posts: 108 Location: /dev/world/poland/gliwice
Posted: Sun Sep 12, 2004 10:26 pm Post subject:
Crap, that was it. Thanks!
Did I tell you I'm a noob in PHP/MySQL?
It's working nicely now.
blackcell n00b
Joined: 17 Aug 2002 Posts: 56 Location: Oregon
Posted: Sat Sep 18, 2004 2:56 am Post subject:
Hi all,
I'd like to set up this MySQL, Snort, ACID tool myself in addition to SnortSam. I already have apache, mysql, and mod_php installed and working. After reading all the posts here, a dozen or so sporadic updates, and seeing that all the packages are now in portage, I have a few questions before I start this Snort journey.
Has anyone successfully installed using the newer guide posted on Gentoo-wiki, http://gentoo-wiki.com/HOWTO_Use_Snort%2C_Acid%2C_and_MySQL_Effectively ?? I'm curious because it looks too simple.
If so, please reply back. If not, then please post the issues you had and, if possible, the resolutions.
Also, has anyone here used Oinkmaster? (Rule mgmt for Snort) Does it actually work?
Anyone here use SnortSam? Any comments welcome.
thanks!
stickboy2642 Tux's lil' helper
Joined: 21 Jan 2004 Posts: 129 Location: MT, USA
Posted: Mon Sep 20, 2004 2:58 pm Post subject:
I have not used SnortSam myself, but I do have a friend who is running it on one of his servers, and he seems to swear by it. The only problem that he has reported is that it does not give enough information when it notifies of a block. Rather than reporting the reason for the block, it just states that there was one. Other than that, he seems to like it.
With regard to Oinkmaster, I have been using it for a while now and it works pretty well. You can run it in a cron job with the -c flag and it will just show the rules that it needs to replace, so that you can go in and do them manually at your convenience. There is also a site that has "Bleeding Edge" snort rules that you can integrate with oinkmaster, which catches the very latest worm signatures, etc.
http://www.bleedingsnort.com/
_________________
<?PHP
if ($desireToSolveProblem > 0){
    solve($problem);
}else{
    drink($beer);
} ?>
juppe22 n00b
Joined: 10 Jun 2003 Posts: 74
Posted: Sat Oct 02, 2004 12:52 pm Post subject:
blackcell wrote:
    Hi all,
    I'd like to set up this MySQL, Snort, ACID tool myself in addition to SnortSam. I already have apache, mysql, and mod_php installed and working. After reading all the posts here, a dozen or so sporadic updates, and seeing that all the packages are now in portage, I have a few questions before I start this Snort journey.
    Has anyone successfully installed using the newer guide posted on Gentoo-wiki, http://gentoo-wiki.com/HOWTO_Use_Snort%2C_Acid%2C_and_MySQL_Effectively ?? I'm curious because it looks too simple.
    If so, please reply back. If not, then please post the issues you had and, if possible, the resolutions.
    Also, has anyone here used Oinkmaster? (Rule mgmt for Snort) Does it actually work?
    Anyone here use SnortSam? Any comments welcome.
    thanks!
I tried gentoo-wiki's guide and it simply works perfectly!!
EDIT:
btw... how should I use these...??
Code:
    ALTER TABLE data TYPE=InnoDB;
    ALTER TABLE detail TYPE=InnoDB;
    ALTER TABLE encoding TYPE=InnoDB;
    ALTER TABLE event TYPE=InnoDB;
    ALTER TABLE flags TYPE=InnoDB;
    ALTER TABLE icmphdr TYPE=InnoDB;
    ALTER TABLE iphdr TYPE=InnoDB;
    ALTER TABLE opt TYPE=InnoDB;
    ALTER TABLE protocols TYPE=InnoDB;
    ALTER TABLE reference TYPE=InnoDB;
    ALTER TABLE reference_system TYPE=InnoDB;
    ALTER TABLE schema TYPE=InnoDB;
    ALTER TABLE sensor TYPE=InnoDB;
    ALTER TABLE services TYPE=InnoDB;
    ALTER TABLE sig_class TYPE=InnoDB;
    ALTER TABLE sig_reference TYPE=InnoDB;
    ALTER TABLE signature TYPE=InnoDB;
    ALTER TABLE tcphdr TYPE=InnoDB;
    ALTER TABLE udphdr TYPE=InnoDB;