Snort, MySQL and ACID

I have used Snort for quite some time now, and am very happy with it.

Recently, I decided to give MySQL logging with the ACID console a try.

I got mysql up and running just fine and created the snort database. Followed the instructions for ACID, and went to http://localhost/ACID/ . In the instructions, I was told that I would find a link to create the ACID table. However, when I went to that address, I got nothing except the contents of acid_main.php

I should mention that I have NEVER used PHP in my life. I have always used CGI, so I know nothing about PHP at all. (which seems to be the source of the problem.)

I was told to add

AddType application/x-httpd-php .php

to httpd.conf. Tryed that, no luck

I tried uncommenting the line in httpd.conf that contains

#Include /etc/apache/mod_php.conf

no luck.

There is a file in /etc/apache called mod_php.conf, which contains

#
# mod_php - PHP Hypertext Preprocessor module
#

# Load the PHP module:
LoadModule php4_module libexec/apache/libphp4.so

# Tell Apache to feed all *.php files through the PHP module:
AddType application/x-httpd-php .php

# This will display PHP files in colored syntax form. Use with caution.
#AddType application/x-httpd-php-source .phps

So I tried all these different things, trying to get ACID working (actually any PHP script!...tried several others also, to make sure it wasnt an ACID specific problem.) and depending on what I did, I either got the contents of the file (the source code-so to speak) or I got a download popup window, asking me if I wanted to save the file to disk.

I also ran into a problem at some point (with one particular configuration, that when I went to http://localhost/ACID/, it returned an error about about not being able to load libphp4.so, something about (ACID?) being compiled with a different version, and that they must match...I have no idea!

I have used Linux in general and Slackware in particular for a long time now, and consider myself very linux literate. So I feel completely stupid in this case, because I just can not seem to get this working no matter what I do!

I used Google extensively to try to solve the problem, and found nothing of relevance.

So apparently, there is something that I am totally NOT getting! I'm sure it's something simple (it always is!), but I am unable to figure it out!

Does anyone have ANY information on this that might help?

Thanks a bunch.

The only thing to do in httpd.conf is uncomment the line :
#Include /etc/apache/mod_php.conf

Then, go into /etc/rc.d and :
./rc.httpd start (or restart if it is already started)

Ok. Did that, and here is the output of my php scripts

PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php/extensions/mysql.so' - /usr/lib/php/extensions/mysql.so: undefined symbol: OnUpdateLong in Unknown on line 0
PHP Warning: Unknown(): (null): Unable to initialize module
Module compiled with module API=20041030, debug=0, thread-safety=0
PHP compiled with module API=20020429, debug=0, thread-safety=0
These options need to match
in Unknown on line 0
HTTP/1.1 200 OK
Date: Wed, 01 Jun 2005 11:19:13 GMT
Server: Apache
X-Powered-By: PHP/4.3.11
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Make sure you use mysql, php and apache compatible packages

What do you mean exactly? PHP, Apache and MySQL are already installed in Slackware. ACID is set up to use with snort, and mysql. Snort is properly logging to MySQL. The only thing that isnt working is the ACID PHP scripts. Actually, ANY PHP scripts! They are all returning the error above. I dont get it!

How weird! I removed php.ini from /etc/apache, and now suddenly all my php scripts work! Go figure. I would have never guessed, had it not been for trying every damn thing else! Geez!

But When logging into ACID, it now informs me that the prebuilt Slackware PHP was not configured with mysql support. Geez! So, I have to recompile PHP!

Oh well, at least I am finally up and running!

Ok, damnit! This is really getting frusterating!

I downloaded the newest version of php and configured with ./configure --with-mysql and installed

Went to the ACID URL, and again, I got the same message

PHP ERROR: PHP build incomplete: the prerequisite MySQL support required to read the alert database was not built into PHP. Please recompile PHP with the necessary library (--with-mysql)

Well, thats exatly what I did!

I placed the php.ini file back into /etc/apache, and I got the exact same eroor as I posted above.

So, PHP IS working (other non-mysql scripts work fine) I recompiled PHP with mysql support, and I am still getting the above message.

When I put the php.ini file (which contains the line to Load the mysql module) I get the error message about

PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php/extensions/mysql.so' - /usr/lib/php/extensions/mysql.so: undefined symbol: OnUpdateLong in Unknown on line 0
PHP Warning: Unknown(): (null): Unable to initialize module
Module compiled with module API=20041030, debug=0, thread-safety=0
PHP compiled with module API=20020429, debug=0, thread-safety=0
These options need to match
in Unknown on line 0


Can anyone give me ANY inside into this??? Geez!

Ok, according to this page http://us2.php.net/mysql , the --with-mysql option is enabled by default in PHP4, but not in 5. Slackware 10.1 includes PHP 4.3(?) I think. So I got rid of the PHP 4, and replaced with the original Slackware 4.3, so mysql support IS there. Again, PHP is working fine. Snort is logging to mysql fine. The only problem now, is that when I run ACID , it returns the error

PHP ERROR: PHP build incomplete: the prerequisite MySQL support required to read the alert database was not built into PHP. Please recompile PHP with the necessary library (--with-mysql)

That is with the php.ini file REMOVED from /etc/apache.

And when I put the file PHP.ini BACK into /etc/apache (which contains the line

; Load the MySQL module by default. Comment this out if you don't use MySQL.
extension=mysql.so

and then go to the ACID console, it says

PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php/extensions/mysql.so' - /usr/lib/php/extensions/mysql.so: undefined symbol: OnUpdateLong in Unknown on line 0
PHP Warning: Unknown(): (null): Unable to initialize module
Module compiled with module API=20041030, debug=0, thread-safety=0
PHP compiled with module API=20020429, debug=0, thread-safety=0
These options need to match
in Unknown on line 0

So, it seems to have something to do with the mysql.so extension. But I can't figure out WHAT the problem is. Especially since MySQL and PHP are part of the Slackware installation!

Are you using official packages? I've never seen that problem, PHP works fine along with mysql and Apache on both of my machines.

Edit, put a file in /var/www/htdocs/ with this content (call it somethine like test.php):

Code:

<?
phpinfo();
?>

That should display all php info and will tell you if MySQL support is included.
Go to it with: http://localhost/test.php

Yep. all original, official packages.

Well, guess what? I just downloaded and reinstalled the Slackware php package from slackware.com, and now it's working. The mysql module is now loading properly. But remember that PHP security update? I am wondering what will happen when I install that.

I wonder if that has anything to do with it breaking?

If not, then I am at a TOTAL lost of what happened.

This is an original Slackware 10.1 install. Full install. And things like Mysql and PHP have not been TOUCHED until now! So nothing has changed from the original install, as far as those packages go. And then I reinstall the same package from slackware.com, and all is working now! Bizarre!

Well, okay, here I go. I am going to try the security update and see if it still loads the mysql module after that. Wish me luck!

Ok, downlaoded and installed the 2 security patches for PHP, and it said that they were already installed (I thought I would have to reinstall them, since I reinstalled php)

So, like I said, I am at a total loss of what happened!

I have been working for 2 days straight on this, trying everything I could think of, with absolutely no luck at all.

I download and reinstall the very same package that was installed with Slack10.1, and voila, everythings working. ???? I dont know....

At least it's finally running though. Geez! I'll have to remember this one in the future! I never had to struggle with anything like this so hard ever! lol!

Quote:

I'm sure it's something simple (it always is!)

Uh..huh!
What'd I tell ya!