[Snort-users] Setting up Snort

Ueli Kistler iuk at ...1171...
Tue Dec 10 06:40:08 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hello

This is a short description of how to install ACID on a working
apache server with running PHP and using IDScenter to monitor the
whole thing.

- - make sure apache is running correctly with working php (check
apache.org for documentation if you have got problems, or want to use
http authentication for example)
- - install required PHP libs (see www.cert.org/kb/acid).. means ADODB,
 JPGraph
 -> ADODB: http://php.weblogs.com/adodb, JPGraph:
http://www.aditus.nu/jpgraph/
- - install ACID in your htdocs folder
- - edit acid_conf.php file: make sure you set the right mysql database
server and port as well as a correct username and user
- -> open command prompt: start mysql command line program from your
directory (C:\mysql\bin for example)

create the database & exit:
CREATE DATABASE snort;
exit;

copy the file "create_mysql" from your "contrib" subfolder in Snort
folder to your "mysql\bin" folder

initialize the table:
type "mysql -u snort snort < create_mysql

and give access to it (GRANT INSERT, etc.. to snort at ...274...
identified by "your pass";   )
- -> see
http://www.silicondefense.com/techsupport/winsnortacid-apache_1.8.7.htm

If you use IDScenter (www.packx.net):
- - setup a database output plugin (IDS rules -> Output plugins -> Add
- -> Database alert plugin
- - type the required options (host, database name (snort), username
(snort), password, encoding)
- - Add it to the list
- - Go to panel "Alerts" -> click on "Alert detection" -> deactivate
file monitoring and activate MySQL alert monitoring, specify the
options (host, password, database name, etc)
- - Click on Apply

- -> Activate support for ACID viewer: Go to "General" -> "Main
configuration" -> Log viewer -> "Explorer URL" -> set
http://localhost/Acid  (or the URL of ACID on your webserver)

Done.

Now you've got a running Snort-MySQL-AMP-Acid environment and
IDScenter will inform you about the last attack as soon it occurs.
To activate e-mail notification you still have to use file logging
(and activate file monitoring!) though.
If you have a Wireless LAN and a laptop with IDScenter you also will
be always up2date about latest attacks, as long as IDScenter has
access to the database server for example.
Multiple Snort sensors logging to your MySQL database can now be
handled easily too.

Regards,
    Eclipse
    eclipse at ...5277...
    www.packx.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.5.13

iD8DBQE99fyZad+bo3Jl9EkRAuYnAJ9geMFx+L8JbspmmYcyxfMHWS2HfACg3ZKx
P4odzZCYNIZAnaimuWt9fpM=
=7rE8
-----END PGP SIGNATURE-----


Salloum, Camile schrieb:

>Hi.  I am in the process of setting up Snort using mysql version 1.2.  I am
>using windows2000 professional.  I have created the snort database and ran
>the command from the dos prompt to execute snort.exe - l and rules -o.  It
>seems like it runs fine, but I can't access the acid page in my web browser.
>Http://127.0.0.1 returns an error page message.  I have my snort set up in
>the D drive, php set up in my c drive and copied the acid folder to
>inetpub/wwwroot, but still am having noluck.  I tried to run the CIS scanner
>on my local host and received no stats via acid.  Any suggestions?  Thanks.
>
>Cam Salloum
>
>
>
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>  
>






More information about the Snort-users mailing list