COMPLETE guide to Snort, MySQL, and Acid

[Shemite_Dog]

I wonder if anyone could help me?
I had this working beautifully until my hard drive crashed and had to reinstall everything.

Now, I've followed the guide to the letter again. I'm at the part where you edit /etc/snort/snort.conf, but it seems to be missing. There is an /etc/snort/snort.conf.distrib but it doesn't contain the proper "output database" line. I tried the latest and previous three versions of snort with no luck. I tried copying snort.conf.distrib to snort.conf and adding the output database line but that didn't work either. I'm guessing some step in the how-to is generating the snort.conf file but somehow I've botched it
_________________
"Mr. Mc Cluck Cluck!"

[ixion]

What do you mean by it not working? Please paste relevant snort entries from your system log and maybe we can help figure this out for you!

The snort.conf.dist should be fine to copy to snort.conf with a little tweaking (as you have already done). I had the same trouble with snort, but after reading the system log it was very easy to fix. Snort (along with many other proggies;) ) is very informative in the log.

Please post back your findings!

EDIT: This is my output entry in the snort.conf file:

output database: alert, mysql, user=snort password=passwordd dbname=snort host=localhost socket=/var/run/mysqld/mysqld.sock
_________________
only the paranoid survive

[Shemite_Dog]

Ok I must have messed up the snort.conf because I just copied it over again and re-edited, restarted snort and all's fine now..

Sorry for that sketchy previous post. I was trying to write it and eat and get to work all in 20 minutes
_________________
"Mr. Mc Cluck Cluck!"

[ixion]

Hey congrats that it works! I've learned so many times already that taking a break from something and coming back to it after a good night's rest can do wonders.
_________________
only the paranoid survive

[mazirian]

Which libnet package is required? Is it net-libs/libnet or dev-perl/libnet. I am assuming the former.

What needs libnet anyway? Not ACID, apparently.

[Shemite_Dog]

I used net-libs/libnet. Not sure if this is in fact the correct libnet, but it seems to be working fine for me
_________________
"Mr. Mc Cluck Cluck!"

[ixion]

yes net-libs/libnet is what you need.. it's a dependency of snort..
_________________
only the paranoid survive

[r4d1x]

nice howto. for you people that arent getting snort to log correctly, make sure that its logging into mysql properly. i had that problem forever, cept i was doing everything from source on slackware . Once you get it set correctly, you may want to filter out icmp in the rule set. it creates huge alert files. or in my case, just have iptables drop icmp all together. anyway. good job on this, should help alot of people.

[stickboy2642]

I have a problem with snort logging from multiple systems to the same database. This works fine until I have to restart one of the snort daemons, and then I am plagued with errors similar to the following:

[mayday147]

I get a strange error from MySQL when I execute the following thing:

[maalth]

You need to make this change for ACID to work with PHP 5. The check specifically checks for 4.0.4 or newer, so you get the error message that your PHP is too old. The main problem is that there is NO newer version of ACID which is no big deal since the fix is easy. Here is the fix for that:

Open /acid_directory/acid_db_common.php

Find this section of code in the function verify_php_build:

[Shienarier]

I think this needs to be updated. All of the needed programs are now in the portage tree for exampel.

[Zyne]

thanks mucho's for this howto... I have been looking at snort for a while, but couldn't figure out how to make it work... Thanks to this howto it actually does work (hopefully )

but I'm getting a few errors...
As someone said before, there are ebuilds for every single package needed, so I just emerged all the needed packages.

Of courses some paths have changed, so I had to change them in the php too...

however, now I get the following error:

Fatal error: Call to undefined function session_module_name() in /var/www/localhost/htdocs/acid/acid_state_common.inc on line 49

Anyone has a clue on what I'm supposed to do now?


edit: hmm this got posted twice for some reason...
either way, it's solved, and the solution is in the next post...

[Zyne]

thanks mucho's for this howto... I have been looking at snort for a while, but couldn't figure out how to make it work... Thanks to this howto it actually does work (hopefully )

but I'm getting a few errors...
As someone said before, there are ebuilds for every single package needed, so I just emerged all the needed packages.

Of courses some paths have changed, so I had to change them in the php too...

however, now I get the following error:

[operad]

Just wanted to say thanks a lot for this awesome howto. Work perfect for me the first time besides getting my second nic to lisen because snort wanted to lisen on eth0. Anyways, great job.

[echo6]

[Vulpes_Vulpes]

Great HOWTO! I stumbeled upon it from the gentoo-wiki page. The installation went as smooth as a hot knife through melted butter! I just love the Gentoo documentation!

[PLum]

damn i used the ebuild
and install everythink
but got somthing like that - when i try to open web with acid

emerge dev-php/adodb
emerge dev-php/jpgraph/jpgraph-1.12.2.ebuild
emerge net-analyzer/acid/acid-0.9.6_beta23.ebuild

[maalth]

[maalth]

[srbamber]

[PLum]

crap that was it - thx

did i tell im noob in php/mysql ?

its working nicely now

[blackcell]

Hi all,

I'd like to setup this Mysql, Snort, Acid tool up myself in addition to Snortsam. I already have apache, mysql, and mod_php installed and working. After reading all the posts here, a dozen or so sporadic updates and seeing all the packages are now in portage; I have a few questions before I start this Snort journey.
Has anyone successful installed using the newer guide posted on Gentoo-wiki http://gentoo-wiki.com/HOWTO_Use_Snort%2C_Acid%2C_and_MySQL_Effectively ?? I'm curious because it looks too simple.

If so, please reply back. If not, then please post the issues you had and if possible the resolutions.

Also, has anyone here used Oinkmaster? (Rule mgmt for Snort) Does it actually work?

Anyone here use Snortsam? Any comments welcome.

thanks!

[stickboy2642]

I have not used SnortSam myself, but I do have a friend that is running it on one of his servers, and he seems to swear by it. The only problem that he has reported is that it does not give enough information when it notifies of a block. Rather than reporting the reason for the block, it just states that there was one. Other than that, he seems to like it.

With regards to Oinkmaster, I have been using it for a while now and it works pretty well. You can run it in a cron job with the -c flag and it will just show the rules that it needs to replace, so that you can go in and do them manually at your convenience. There is also a site that has "Bleeding Edge" snort rules that you can integrate with oinkmaster that catches the very latest worm signatures, etc.

http://www.bleedingsnort.com/
_________________
<?PHP
if ($desireToSolveProblem > 0){
solve($problem);
}else{
drink($beer);
} ?>

[juppe22]