[Snort-users] Apache/Acid + server

Nigel Houghton nigel at ...1935...
Fri May 28 07:39:14 EDT 2004

On  0, snort-users-request at lists.sourceforge.net allegedly wrote:
>    3. Apache/Acid + server (Cilin)
> --__--__--
> Message: 3
> Date: Thu, 27 May 2004 16:45:18 -0700 (PDT)
> From: Cilin <cilin5 at ...131...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Apache/Acid + server
> I am trying to figure out what purpose does the Apache
> server play along with Acid to display the Snort
> report. I want to configure Apache for a small cgi
> website and am wondering if i can configure it while
> its is still doing its job with Acid/Snort. Anyone
> have any idea IF it can be done? or only one instance
> of Apache can be used per computer(serever)? As far as
> i know the report generated by acid shouldn't be
> displayed online it should be for local view. If
> anyone can clear my state of confusion, it will be
> greatly appreciated.

Apache is only used to display your pages. It has no impact on processing
or anything else that happens between your Snort instance and ACID.

ACID is a PHP application that generates HTML from information in your database
only when requested it to do so, i.e. you browse to a page and it returns the
HTML for the page you request. Stopping the Apache server will just mean 
you can't browse to any pages.

You could run more than one instance of Apache if you really wanted to,
but there is no need. You can bind the process to multiple ports and use
Virtual hosting to present different sites from the same box. Details on
how to achieve this are in the most excellent Apache manual.

If you want to access your ACID site from somewhere external to your home
net, you could always run Apache with SSL and require a login to your ACID
site. Details on how to achieve this are also found in the most excellent
Apache manual.

> Regards, 
> Vents
> P.S. On a side note, has anyone noticed fewer major(i
> mean non-scan) attacks during the last month or so? I
> used to log 50x more before and now everything seems
> calm and eerie. I did get the latest snort rules, but
> still not loggin much except WebDAV search access,
> Javascript URL host spoofing attempt, and the various
> scans.

That's a pretty subjective thing really. The most prevalent "major" 
alerts generated by my installation of Snort at home are from boxes
infected with MS Worms, (particularly the MS-SQL ones) I also get regular
pings from my ISP which I duly filter out. 
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.

More information about the Snort-users mailing list