Gentoo Forums
A Rough Guide to Snort and ACID
b4rtm4n
n00b


Joined: 14 May 2003
Posts: 19
Location: www.security-forums.com

PostPosted: Wed Jul 30, 2003 1:31 pm    Post subject: A Rough Guide to Snort and ACID

I put the following together in the hope it'd make life a little easier for anyone else trying to install ACID.

A rough guide to Snort and ACID

I've been playing with everyone's favourite pig for some time now and decided that I wanted a better way of analysing results from it.

ACID is the Analysis Console for Intrusion Databases.

Preparing the system.

Standard LAMP config mainly taken from here. (I found the forum article after I set everything up and went through merry hell with mismatched versions of PHP and Apache)


Installing Snort.

If you haven't changed make.conf to include all the USE options then the basic build of snort doesn't include mysql support.

Code:

#USE="mysql" emerge snort
#rc-update add snort default   # adds snort to the default run level


Configuring Snort to log to mysql

The file README.database.gz is installed to /usr/share/doc/snort-2.0.0 (or whatever version). Read this file. These instructions tell you how to configure mysql to support snort and how to configure snort.conf to log to the db.

To summarise the readme:

Create a snort database and a user

Code:

% echo "CREATE DATABASE snort;" | mysql -u root -p


First create a user - for this example we will use "snortusr".
Now grant the right privileges for that user:
Code:

grant INSERT,SELECT on snort.* to snortusr@localhost;


Build the database
Code:

% mysql -D snort -u root -p < ./contrib/create_mysql


Configure snort.conf

Uncomment the line

Code:

# output database: log, mysql, user=root password=test dbname=db host=localhost

and change it to show the correct username etc.


restart snort and it should now be logging directly to the db - check messages for errors. (I have an xconsole running to catch messages in real time -I can recommend this in preference to su - and tail -f messages)

NB If an init.d daemon fails to start properly then attempting to start it again may give an error saying it's already running. Using
Code:
#/etc/init.d/snort zap
will clear the problem.


ACID

The installation guide is very complete and installation of ACID and its dependencies is a breeze. Simply untar them into the document root of your webserver. Once untarred, removing the version numbers from the folders saves changing acid_conf.php to the full paths. (I found reference to this somewhere online but I've lost the link :( )

My first run of ACID failed with DB errors and didn't give me the nice "Go to setup page" message.

If this happens the page is acid_db_setup.php. Just go straight to it.

Click create ACID AG and once the database has been created you're ready to roll.




I've had ACID running for a little over a day and I can really appreciate its usefulness. I intend to run various scans at snort and see how well ACID highlights them.

There is a real wealth of information on configuring ACID and Snort on both websites that makes setting up this excellent tool relatively straightforward. In my opinion it would make for an excellent central control panel for anyone planning to deploy Snort in their networked environment. Additionally the protocol decode pages make analysis of intrusion attempts a much simpler affair.
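The post above walks through the database part of the setup by hand: create the snort database, grant a dedicated user only INSERT and SELECT on it, then uncomment the "output database" line in snort.conf and replace the sample credentials. The script below is an added example (not from the original post or from the Snort or ACID projects) that generates those SQL statements for a least-privilege user and checks a snort.conf for an active mysql output line that no longer carries the shipped placeholder values (user=root, password=test). The user name "snortusr", the CHANGE_ME password and the sample snort.conf contents are constructed assumptions; the GRANT ... IDENTIFIED BY form is the MySQL syntax of the era (MySQL 8 needs a separate CREATE USER first).

```shell
#!/bin/sh
# Added example, not from the original post: emit the MySQL statements for a
# dedicated snort user limited to INSERT/SELECT, and check a snort.conf for an
# uncommented mysql output line that no longer uses the sample credentials.
# "snortusr", "CHANGE_ME" and the demo snort.conf below are constructed values.

# Print the SQL to create the database and a least-privilege user.
# Arguments: database name, user name, password.
snort_db_sql() {
    db="$1"; user="$2"; pass="$3"
    printf 'CREATE DATABASE IF NOT EXISTS %s;\n' "$db"
    # INSERT so snort can write alerts, SELECT so ACID can read them; nothing more.
    printf "GRANT INSERT,SELECT ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
        "$db" "$user" "$pass"
    printf 'FLUSH PRIVILEGES;\n'
}

# Check a snort.conf. Returns 0 if an uncommented "output database: ... mysql"
# line exists and does not still carry user=root or password=test; returns 1
# if there is no active line (still commented out) and 2 if the sample
# credentials were left in place.
check_snort_output() {
    conf="$1"
    line=$(grep -E '^[[:space:]]*output[[:space:]]+database:.*mysql' "$conf" | head -n 1)
    [ -n "$line" ] || { echo "no active mysql output line in $conf" >&2; return 1; }
    case "$line" in
        *user=root*|*password=test*)
            echo "output line still has the sample credentials: $line" >&2
            return 2 ;;
    esac
    return 0
}

# Stand-alone demo on a constructed snort.conf: first the line exactly as it
# ships (commented out), then a corrected one.
demo_conf=$(mktemp)
printf '%s\n' \
  '# output database: log, mysql, user=root password=test dbname=db host=localhost' \
  > "$demo_conf"
check_snort_output "$demo_conf" || echo "as shipped: snort is not logging to mysql"
printf '%s\n' \
  'output database: log, mysql, user=snortusr password=CHANGE_ME dbname=snort host=localhost' \
  > "$demo_conf"
check_snort_output "$demo_conf" && echo "corrected output line found"
rm -f "$demo_conf"

# The SQL you would pipe into "mysql -u root -p" (password is a placeholder).
snort_db_sql snort snortusr CHANGE_ME
```

Run it after editing snort.conf and point check_snort_output at the real file (for example /etc/snort/snort.conf); a non-zero status tells you which of the two usual mistakes was made before you restart snort and go looking through messages for errors.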
puggy
Bodhisattva


Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK

PostPosted: Wed Jul 30, 2003 2:32 pm    Post subject:

Looks good. Moving to Documentation, Tips & Tricks.

Puggy
_________________
Where there's open source , there's a way.
axxackall
l33t


Joined: 06 Nov 2002
Posts: 651
Location: Toronto, Ontario, 3rd Rock From Sun

PostPosted: Fri Feb 20, 2004 2:33 am    Post subject:

I wonder if someone created an ebuild for ACID? It's too bad to have such a nice guide to software that is not yet in Portage.
_________________
"Lisp is a programmable programming language." - John Foderaro, CACM, September 1991
not_registered
Tux's lil' helper


Joined: 04 Feb 2003
Posts: 148

PostPosted: Fri Feb 20, 2004 7:53 am    Post subject:

I'm sorry but I can't resist:

Have you ever tried Snort and ACID... on Weed?!
_________________
It's Floam, it's Floam. It's flying foam!