LinuxQuestions.org

Thread: https://www.linuxquestions.org/questions/linux-networking-3/snort-setup-248436/

turbo_acura 10-28-2004 01:29 PM

Snort setup
 
ACID won't display Snort statistics. Everything is running:
ps -ef|grep httpd
ps -ef|grep mysql
ps -ef|grep snort

I have the ACID page up and running.

I tried http://IPaddress/etc/passwd
hoping that it would generate an alert, but it didn't come up with anything.
I'm running snort as '#/usr/local/bin/snort -b -D -A full', so I'm not sure if I'm missing something or whether I just haven't put a potential attack on it. It's in our network, so it's behind many layers of subnets. I'm gonna put down what I compiled below. The only reason I'm including this is maybe I missed something out during compiling which affects displaying the statistics from the snort database on the web page. This is what I compiled Apache 1.3.31 with:

CFLAGS='-DEAPI' \
SSL_BASE=../openssl-0.9.7d \
./configure \
--prefix=/usr/local/apache \
--enable-module=ssl \
--enable-shared=ssl \
--enable-module=rewrite \
--enable-shared=max \
--enable-module=so \
--activate-module=src/modules/perl/libperl.a \
--enable-module=perl

and this is what I compiled PHP 4.3.9 with:

CFLAGS='-O2 -I/usr/local/src/openssl-0.9.7d -DEAPI' \
./configure \
--with-apxs=/usr/local/apache/bin/apxs \
--disable-debug \
--enable-ftp \
--enable-inline-optimization \
--enable-magic-quotes \
--enable-mbstring \
--enable-mm=shared \
--enable-safe-mode \
--enable-track-vars \
--enable-trans-sid \
--enable-wddx=shared \
--enable-xml \
--with-dom \
--with-gd \
--with-gettext \
--with-mysql=/usr/local/mysql \
--with-regex=system \
--with-xml \
--with-zlib-dir=/usr/lib


ANY IDEAS?!?!?

Cheers!!

ugge 10-28-2004 02:39 PM

If I'm not mistaken there are some tests shipped with SNORT to test its function.
Have a closer look at the documentation.
Also try to download the latest rule sets to see if you can catch any port 445 attacks; they are very common these days.

monroetech 11-29-2004 08:37 AM

First, where is your snort.conf file? Is it /etc/snort/snort.conf?

Do this at your command prompt..

snort -T
This will start snort in test mode... If it starts running with no errors you're in good shape.... If you do get an error it will tell you what the error is; go and fix it.... or post it here....

Second, make sure that you uncommented the line that starts with:

output database:
Whichever one correlates with the database you're using, i.e. MySQL.

Third, once everything looks good, start snort like this if you have it sitting on eth0 or whatever /dev you have it sitting on...

Mine is on eth0, so I start my snort like this.....

snort -y -c /etc/snort/snort.conf -i eth0 -D

Basically this tells snort to log the timestamp with the year, then -c load the rule sets I have in snort.conf, then -i listen on interface eth0, and last -D run as a daemon in the background....

If you want to test it yourself, use a second machine to ping your box with snort..... If you don't have a second machine, go to http://www.grc.com and run ShieldsUP - it will produce multiple ICMP alerts on your system......

Trying to pull up http://ipaddress/etc/passwd will never produce an alert... 'cause there is NO way that you can pull up the /etc dir from your webserver...... imagine the chaos if someone could do that....heh....

Cheers!
Hope this helps
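A sanity check for the steps in the answer above, as an added example that is not code from the thread: before Snort is started with -c, it confirms that snort.conf has an uncommented "output database:" line and at least one included rule file, then runs snort -T and the start command monroetech gives. The helper names, the default config path and the sample config contents are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread. Checks a snort.conf for the two things the
# steps above depend on: an uncommented "output database:" line (otherwise no
# alerts reach the MySQL tables ACID reads) and at least one "include"d rule
# file (otherwise nothing can fire, as with the -c-less command in the question).
# Assumes Snort 2.x snort.conf syntax; the sample config content is constructed.

# Number of uncommented "output database:" lines in the config given as $1.
active_db_outputs() {
    grep -c '^[[:space:]]*output[[:space:]][[:space:]]*database:' "$1" || true
}

# Number of uncommented "include" lines (rule files) in the config given as $1.
active_includes() {
    grep -c '^[[:space:]]*include[[:space:]]' "$1" || true
}

# Returns 0 if the config can feed ACID, 1 otherwise (reason on stderr).
check_snort_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    if [ "$(active_db_outputs "$conf")" -eq 0 ]; then
        echo "$conf: no active 'output database:' line; uncomment the MySQL one" >&2
        return 1
    fi
    if [ "$(active_includes "$conf")" -eq 0 ]; then
        echo "$conf: no rule files included; no rule can alert" >&2
        return 1
    fi
    return 0
}

# Writes a constructed minimal config to $1; $2 = "active" or "commented" picks
# whether the database output line is live. Not a real snort.conf.
write_sample_conf() {
    db='output database: log, mysql, user=snort dbname=snort host=localhost'
    [ "$2" = active ] || db="# $db"
    printf '%s\n' 'var HOME_NET any' 'var RULE_PATH rules' "$db" \
        'include $RULE_PATH/local.rules' > "$1"
}

# Validates the real config with snort -T, then starts the daemon on eth0 with
# the command from the post above. Does nothing unless snort is installed.
start_snort() {
    conf="${1:-/etc/snort/snort.conf}"
    check_snort_conf "$conf" || return 1
    command -v snort >/dev/null 2>&1 || { echo "snort not in PATH" >&2; return 1; }
    snort -T -c "$conf" && snort -y -c "$conf" -i eth0 -D
}
```

Run `start_snort /etc/snort/snort.conf` (or your own path) as root; a commented-out database line or a config with no includes stops it before Snort is launched.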

