Snort mailing list archives
Re: Snort, MySql, Apache, & PHP Problem - Checked by Vexira -
From: Jim Hendrick <jrhendri () maine rr com>
Date: Fri, 12 Mar 2004 12:02:28 -0500
Hi Scott,

Couple of thoughts:

First, you should give relevant versions of all components when posting a problem (OS, snort/mysql/acid, etc. etc.).

Second (well, kind of first also :-) you probably ought not be installing an IDS on the production server (especially until you have done it on another system and understand the risks). Running snort/mysql/acid is great, but also opens up a web service and a database service on a critical machine. The less a server runs, the more secure it is.

Third (well, kind of First or Second and a half...), you could easily set something up on an older box and then have *it* monitor the mail server. Even an old 500MHz 256MB desktop running Linux would work well. You could then have the switch do "port mirroring" of the mail server to the IDS port (or even splice in a cheap hub to watch the traffic).

And finally, if you have been hacked already, make sure the mail server is really clean (nuke and re-install is the best way) and then hardened before it goes back into service. You should probably look at running a host-based IDS on it like tripwire or AIDE. Something that records the state of critical files (stored on read-only media) is pretty useful and pretty simple.

Good luck,
Jim

On Fri, 2004-03-12 at 10:10, Scott Bounds wrote:
Hello all.

I have been following Mr. Patrick Harper's guide on installation of the above mentioned software packages. Basically using ACID to monitor your IDS through Snort, etc... I have success up until the very last part. I am to the section where you go to http://my.host.here/ACID and it takes me to a page that says " The database snort@localhost is either complete or invalid". This is expected and shown in Mr. Harper's tutorial. You are then directed to click on "Setup"; I did. Then you are supposed to click on the button which creates the ACID tables in the snort database. I did. If you watch the bottom of the screen, it says that it is transferring data to and from your.host.here. Then it says that when you now return to my.host.here/ACID it will take you to a new page which is the actual interface and gives you the hits, IPs, etc.

My problem is this: After performing all of the above steps, when I return to my.host.here/ACID I get taken right back to the same page that says the database is incomplete or invalid. Well, when you check the database, there are no new tables. So it is correct. I have removed and reinstalled Snort, dropped the database and recreated, and checked access and permissions the best that I know how. I am a total noob at this so please bear with me.

Can anyone give me an idea what could be causing this or has anyone else experienced this and what was your solution? This is on an operational mail server so I want to get it right. We have already been hacked once and I don't want to go through that again.

Much thanks in advance for any help you can give.

Scott Bounds, BSEE
Benton/Washington Regional Public Water Authority
15531 Woods Lodge Road
Rogers, AR 72756
PH: (479) 451-9516
FAX: (479) 451-9992
scott.bounds () bwrpwa org