outspoken (Guru)
Joined: 14 Feb 2004 Posts: 458 Location: orlando, fl
Posted: Wed Mar 16, 2005 4:04 pm
juppe22 wrote:
    btw...how I should use these...??

you login to mysql and enter the commands there
exklusve (Apprentice)
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Thu Apr 21, 2005 3:14 pm
It's been quite a while since this HOW-TO was updated.
I have a clean Gentoo install on my laptop so I'll start working on re-vamping this How-to really soon.
Anyone have anything they would like included? Know a cool trick or should something else be added?
Thanks in advance!
_________________
eXklusve
You do know that no one gives a shit about your system spec's right?
GentooBox (Veteran)
Joined: 22 Jun 2003 Posts: 1168 Location: Denmark
Posted: Thu Apr 21, 2005 3:35 pm
exklusve wrote:
    It's been quite a while since this HOW-TO was updated.
    I have a clean Gentoo install on my laptop so I'll start working on re-vamping this How-to really soon.
    Anyone have anything they would like included? Know a cool trick or should something else be added?
    Thanks in advance!

nice with an updated version hurry up.
_________________
Encrypt, lock up everything and duct tape the rest
5xl (n00b)
Joined: 08 Aug 2004 Posts: 27 Location: Gaithersburg, MD, US
Posted: Thu Apr 21, 2005 6:23 pm
I followed the setup but acid says that no data is being logged and my Action Stats are all zeros. It is counting and getting the packets but not logging them. What could the problem be?
_________________
--------------------
*Gentoo 2004.3*
Athlon XP 3200+ OC'ed 3350
Liquid Cooled CPU GPU Northbridge
GB DDR400, 240 SATA, 230 PATA
And Windoze is still slow...
exklusve (Apprentice)
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Thu Apr 21, 2005 6:44 pm
Check your database and see if the data is at least getting there.
There could be lots of potential problems. Please give us as much info as you can, so as to help us help you.
5xl (n00b)
Joined: 08 Aug 2004 Posts: 27 Location: Gaithersburg, MD, US
Posted: Thu Apr 21, 2005 6:51 pm
Something interesting:
I got some info googling around. It turns out it is only storing alerts, which then show up in acid (duh). I did a ping -s 1600 192.168.0.box and it worked fine. But I guess I am looking at the wrong thing. I want to analyze all traffic from my LAN, and then alert me. Kind of like Ethereal, but web based. Can snort log all data??? Is there anything that will email me or page me on alerts?
Satori80 (Tux's lil' helper)
Joined: 24 Feb 2004 Posts: 137
Posted: Sun Apr 24, 2005 7:29 pm
grover wrote:
    stream wrote:
        is it possible, that the snort daemon is on the gateway and the logging is on another machine in the network
        gateway: only snort
        other machine: mysql, apache, acid,...
        how could this work?
    I have just set snort up this way and it works fine. Just remember you still need to have the mysql use flag set on the snort box to build mysql logging support.
    You need to edit /etc/mysql/my.cnf and change bind-address so it listens for connections too.

If I add mysql to the use flags it tries to build mysql on the snort box. If I add mysql to package.mask it won't build snort.
How can I give mysql support to snort without building mysql on the local box?
Satori80 (Tux's lil' helper)
Joined: 24 Feb 2004 Posts: 137
Posted: Mon Apr 25, 2005 10:07 am
Update to above, I went ahead and emerged snort -mysql just to see if it would work... so far I can't get past adding snortdb-extra to the db because it's not part of the snort package as far as I can tell. The create_mysql.gz has moved from contrib to schemas since this howto was last updated, but the snortdb-extra is nowhere to be found. Is it mandatory to have this for it to work as expected?
Satori80 (Tux's lil' helper)
Joined: 24 Feb 2004 Posts: 137
Posted: Mon Apr 25, 2005 10:17 am
exklusve wrote:
    Anyone have anything they would like included? Know a cool trick or should something else be added?
    Thanks in advance!

If you could, I'm not sure how this is going to work out yet... but if there are any "gotchas" to be on the lookout for when configuring snort on one server to work with mysql on another server, it might be helpful for some. I'll keep notes on what I'm doing and whether it works or not. If there is any difference I'll be sure to share that.
Other than that, an update would be cool in and of itself as all of these are official ebuilds now and some (snort) have moved things around.
Bobrepuss (n00b)
Joined: 27 Feb 2005 Posts: 33
Posted: Wed Apr 27, 2005 8:57 pm Post subject: hi
Code:
    mysql> grant INSERT,SELECT on root.* to snort@localhost;
    ERROR 1047: Unknown command

tried to follow it.. why is this happening?
cheers
exklusve (Apprentice)
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Thu Apr 28, 2005 7:02 pm
did you run the two previous lines?
Code:
    SET PASSWORD FOR root@localhost=PASSWORD('new_password');
    create database snort;
[sinz] (n00b)
Joined: 08 Jun 2004 Posts: 71
Posted: Sat May 07, 2005 7:51 pm
I just ran through this guide (a few slight modifications for newer versions) and am using the latest (masked) version of acid in portage (0.9.6_beta23). Everything works well except when I go to graph the alert detection times or get a profile. The dates only go up to 2004. Is there something I'm missing or is this a bug in the app itself?
stillman (Apprentice)
Joined: 07 Dec 2002 Posts: 223 Location: Vienna, Austria
Posted: Wed May 11, 2005 9:16 pm
acid has been dead for 2 years; there's a living project called BASE based on ACID, check out this thread.
r4d1x (Apprentice)
Joined: 25 Nov 2003 Posts: 157 Location: Japan
Posted: Sat May 21, 2005 2:50 am
Just curious, but shouldn't ethX be running in PROMISC also? I've set up a few snort/acid/snortcenter boxes and have always had it in promisc for the logging to work correctly. If you're having problems with events not logging, try setting it that way.
Code:
    ifconfig eth0 promisc
_________________
Gentoo Linux 2.6.19.2-grsec
Dual Athlon-MP 1900
1024Mb PC2100 DDR
Radeon 9600 pro
1TB File Server / FTP
tyne (n00b)
Joined: 04 Jun 2003 Posts: 48 Location: Brighton, Massachusetts
Posted: Tue May 24, 2005 5:20 pm Post subject: Snort SSH login alerts
I was wondering if anyone knew if there were rules for snort that created alerts for failed ssh login attempts. I get a lot of brute force attacks and would like to be able to easily monitor the traffic. I have snort, acid, and mysql all working together. I think that I will also look into using BASE. Any help would be appreciated.
Thanks,
T
r4d1x (Apprentice)
Joined: 25 Nov 2003 Posts: 157 Location: Japan
Posted: Tue May 24, 2005 10:47 pm
check in
all ssh attempts and PAM challenges are stored there. As far as logging it in ACID, I'm not sure.
exklusve (Apprentice)
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Fri Jul 15, 2005 5:44 pm
Quote:
    Just curious, but shouldn't ethX be running in PROMISC also? I've set up a few snort/acid/snortcenter boxes and have always had it in promisc for the logging to work correctly. If you're having problems with events not logging, try setting it that way.
    Code:
        ifconfig eth0 promisc

When snort starts up I believe it puts your ethernet device into promisc mode.
Start up snort and run an ifconfig and see if your device is indeed in promisc mode.
daern (n00b)
Joined: 27 Jul 2005 Posts: 2 Location: TN
Posted: Wed Jul 27, 2005 3:06 pm
OK, I was able to set this up successfully on a workstation at school for a project for one of the professors, but for some reason I can't get this to work on my home system. I've followed the forum and wiki as best I could, but there is still something wrong. When I try to go to http://<ipaddress>/acid/acid_main.php I get a socket error with links, "page cannot be displayed" from IE, and Firefox just sits there and never loads anything. I've checked my logs and I'm not able to find any errors with mysql, snort or apache. I made a PHP file in the acid directory to make sure it was able to load PHP files and it worked fine (I just used <?php phpinfo() ?> to display the PHP stats). I've checked the mysql users and I am able to connect to mysql using the snort user and display the tables. I've searched for docs and asked a few non-n00bs I know if they had ever run into this and they have not.
Basically all I've done to this system is set it up as a router using the Gentoo Home Router howto, and then I used this howto to set up snort/acid/mysql/apache2.
Any ideas or assistance would be greatly appreciated! Also, if there is specific info that I should post that would help, please let me know that as well. Thanks in advance!
-Daern
r4d1x (Apprentice)
Joined: 25 Nov 2003 Posts: 157 Location: Japan
Posted: Thu Jul 28, 2005 10:33 am
give BASE a try and see if you get the same errors.
shredder (n00b)
Joined: 22 Nov 2004 Posts: 47
Posted: Tue Oct 11, 2005 1:49 pm
If snort does not log any activities to the desired database make sure that snort is running without the -A or -s option. Check with:
Code:
    # ps aux | grep snort

If snort is running with one of those options, edit your /etc/conf.d/snort file to run without those options.
Good Luck!
Thanks for a great howto
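The two "snort runs but the database stays empty" checks raised in this thread (r4d1x's promiscuous-mode check and shredder's -A/-s check above) as one added sh script. It is not from the thread or from the Snort project. It reads the interface flags from /sys/class/net/<if>/flags (IFF_PROMISC is bit 0x100) instead of scraping ifconfig output, and scans a snort command line for -A and -s. The sample command lines in the comments and test are constructed; /etc/conf.d/snort is the path the post names.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for "snort is capturing but
# nothing reaches the database", written as functions so they can be run on
# captured values as well as on the live system.

# 1. Promiscuous mode. The kernel exposes the interface flags word in hex at
#    /sys/class/net/<if>/flags; IFF_PROMISC is bit 0x100. Returns 0 if set.
promisc_from_flags() {
    flags=$(( $1 ))                  # shell arithmetic accepts 0x... hex
    [ $(( flags & 0x100 )) -ne 0 ]
}

# Live wrapper: is_promisc eth0 (what "ifconfig eth0" shows as PROMISC).
is_promisc() {
    [ -r "/sys/class/net/$1/flags" ] || return 2
    promisc_from_flags "$(cat "/sys/class/net/$1/flags")"
}

# 2. Alert-mode overrides. According to the post above, "-A <mode>" and "-s"
#    divert alerts away from the output plugins configured in snort.conf, so
#    the database never fills. Given one command line (a line of
#    `ps aux | grep snort`), print each such option and return 0 if any was
#    found. Short options joined into one word (e.g. -Ds) are not expanded;
#    /etc/conf.d/snort normally passes them separately.
snort_output_overrides() {
    found=1
    for word in $1; do
        case "$word" in
            -A*) printf '%s\n' "$word"; found=0 ;;
            -s)  printf '%s\n' "$word"; found=0 ;;
        esac
    done
    return $found
}

# Usage: sh snort_checks.sh eth0
# (grep '[s]nort' keeps grep's own process out of the listing)
if [ -n "${1-}" ]; then
    if is_promisc "$1"; then echo "$1: PROMISC set"; else echo "$1: PROMISC not set"; fi
    ps aux | grep '[s]nort' | while read -r line; do
        snort_output_overrides "$line" | sed 's/^/snort started with: /'
    done
fi
```

Run it with the sniffing interface as the only argument after snort has been started from /etc/init.d/snort; if the interface is not promiscuous or an override option is printed, the fix is in /etc/conf.d/snort rather than in the database.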
exklusve (Apprentice)
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Mon Nov 07, 2005 5:52 pm
Ok,
It's been way too long since this was updated.
I'm running an emerge sync on my laptop right now so I can start documenting a new install of snort, etc.
I'm going to be setting up Snort (newest version), Mysql 5, apache 2, php, and BASE (http://secureideas.sourceforge.net/support.php).
I saw a really cool program at the Linux World Expo a few months ago in San Francisco at the Snort booth. It's called Sguil (http://sguil.sourceforge.net/)
Going to see if I can get this running and document it also.
Possibly even try to get oinkmaster going too.
(http://oinkmaster.sourceforge.net/)
If there is any other software related to Snort, etc, that you would like documented in here also.. please pm me.
Thanks!
exklusve (Apprentice)
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Mon Nov 07, 2005 10:15 pm
Ok as promised....Here's an updated how-to page with BASE
http://forums.gentoo.org/viewtopic-t-399801.html