Snort mailing list archives

Re: Snort, MySql, Apache, & PHP Problem - Checked by Vexira -


From: Jim Hendrick <jrhendri () maine rr com>
Date: Fri, 12 Mar 2004 12:02:28 -0500

Hi Scott,

Couple of thoughts:

First, you should give relevant versions of all components when posting
a problem (OS, snort/mysql/acid, etc. etc.)

Second (well, kind of first also :-) you probably ought not to be
installing an IDS on the production server (especially until you have
done it on another system and understand the risks). Running
snort/mysql/acid is great, but also opens up a web service and a
database service on a critical machine. The less a server runs, the more
secure it is.

Third, (well, kind of First or Second and a half...)
You could easily set something up on an older box and then have *it*
monitor the mail server. Even an old 500MHz 256MB desktop running Linux
would work well. You could then have the switch do "port mirroring" of
the mail server to the IDS port (or even splice in a cheap hub to watch
the traffic).

And finally, if you have been hacked already, make sure the mail server
is really clean (nuke and re-install is the best way) and then hardened
before it goes back into service.
You should probably look at running a host-based IDS on it like tripwire
or AIDE. Something that records the state of critical files (stored on
read-only media) is pretty useful and pretty simple.

Good luck,
Jim


On Fri, 2004-03-12 at 10:10, Scott Bounds wrote:
Hello all.  I have been following Mr. Patrick Harper's guide on
installation of the above mentioned software packages.  Basically
using ACID to monitor your IDS through Snort, etc...  I have success
up until the very last part.  I am to the section where you go to
http://my.host.here/ACID and it takes me to a page that says "The
database snort@localhost is either incomplete or invalid".  This is
expected and shown in Mr. Harper's tutorial.  You are then directed to
click on "Setup"; I did.  Then you are supposed to click on the button
which creates the ACID tables in the snort database.  I did.  If you
watch the bottom of the screen, it says that it is transferring data
to and from your.host.here.  Then it says that when you now return to
my.host.here/ACID it will take you to a new page which is the actual
interface and gives you the hits, IPs, etc.  My problem is this:
After performing all of the above steps, when I return to
my.host.here/ACID I get taken right back to the same page that says
the database is incomplete or invalid.  Well, when you check the
database, there are no new tables.  So it is correct.  I have removed
and reinstalled Snort, dropped the database and recreated it, and checked
access and permissions the best that I know how.  I am a total noob at
this so please bear with me.  Can anyone give me an idea what could be
causing this or has anyone else experienced this and what was your
solution?  This is on an operational mail server so I want to get it
right.  We have already been hacked once and I don't want to go
through that again.  Much thanks in advance for any help you can give.

Scott Bounds, BSEE
Benton/Washington Regional Public Water Authority
15531 Woods Lodge Road
Rogers, AR 72756
PH:  (479) 451-9516
FAX: (479) 451-9992

scott.bounds () bwrpwa org
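A minimal version of the host-based check Jim describes (a baseline of hashes and permissions for critical files, stored somewhere the server cannot alter, then compared later to spot changes), as an added example that is not from this thread; the directory layout and file names are constructed, and the real tools he names, Tripwire and AIDE, do considerably more than this.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Content hash plus the metadata an integrity checker should track."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by POSIX relative path."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report files that were added, removed or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys()
                     if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter the tree and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sendmail").write_bytes(b"original binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "aliases").write_text("postmaster: root\n")
        # The JSON round trip stands in for writing the baseline to read-only
        # media and reading it back at check time.
        stored = json.loads(json.dumps(build_baseline(root)))
        (root / "bin" / "sendmail").write_bytes(b"modified binary\n")
        (root / "bin" / "extra").write_bytes(b"unexpected file\n")
        (root / "etc" / "aliases").unlink()
        return compare(stored, build_baseline(root))
```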
