Hello everyone. This How To: will walk you through the entire process of installing SNORT IDS along with the ACID Console for monitoring SNORT's output.
This is suited for CPanel servers, although will work for ENsim and likely any other RedHat Servers with only minor changes.

##########################################
EDITED 11/11/2003:
Replaced snort version 2.0.3 with 2.0.4
Edited line:
#### Edit line 69 to look like this: $ChartLib_path = "/var/www/html/jpgraph";
To show:
#### Edit line 69 to look like this: $ChartLib_path = "/var/www/html/jpgraph/src";
As this was an overlooked error that I did not notice because I had not attempted to graph any alerts.

Also have confirmed that this How-To will work for Ensim Webppliance 3.1.X and 3.5.X with the following requirement:

cd /usr/lib
ls -lah | grep mysql
ln -s libmysqlclient.so.10.0.0 libmysqlclient.so
##libmysqlclient.so.10.0.0 may need to be modified to match what you see in this directory as libmysqlclient.so.*##

Also no need to add the Alias /acid line to httpd.conf as /var/www/html/acid will already be reachable by the URL:
https://[server name or IP]/acid (Ensim Only)
##########################################

(Most of these lines can be pasted directly into SSH)

mkdir /root/installs
cd /root/installs
mkdir snort
cd snort/

wget http://www.snort.org/dl/snort-2.0.4.tar.gz
tar zxf snort-2.0.4.tar.gz
wget http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz

tar zxf libpcap-0.7.2.tar.gz
cd libpcap-0.7.2
./configure
make
make install
cd ..

wget http://phplens.com/lens/dl/adodb390.tgz
wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
wget http://flow.dl.sourceforge.net/sourceforge...ib-1.1.4.tar.gz
wget http://www.aditus.nu/jpgraph/downloads/jpg...aph-1.13.tar.gz
tar zxf acid-0.9.6b23.tar.gz
tar zxf adodb390.tgz
tar zxf zlib-1.1.4.tar.gz
tar zxf jpgraph-1.13.tar.gz

cd snort-2.0.4
./configure --with-mysql

mkdir /etc/snort
mkdir /var/log/snort
groupadd snort
useradd -g snort snort
passwd snort ## then enter password you would like to use for snort twice

make
make install
cd rules
cp * /etc/snort
cd ../etc
cp snort.conf /etc/snort
cp *.config /etc/snort

vi /etc/snort/snort.conf
#### to go to a specific line number hit [escape]:## (##= number such as 102)
#### edit line 102 to look like this: var RULE_PATH /etc/snort
#### edit line 448 to look like this:
#### output database: log, mysql, user=snort password=[your_password_for_snorts_DB_user] dbname=snort host=localhost

cd ..
cp contrib/S99snort /etc/init.d/snort
vi /etc/init.d/snort
#### edit line 11 to look like this: CONFIG=/etc/snort/snort.conf
#### edit line 17 to look like this: SNORT_GID=snort

cd /etc/init.d
chmod 755 snort
cd /etc/rc3.d
ln -s ../init.d/snort S99snort
ln -s ../init.d/snort K99snort
cd /etc/rc5.d
ln -s ../init.d/snort S99snort
ln -s ../init.d/snort K99snort

mysql -u root -p #enter password for root
#### Enter the following at the mysql> prompt:
#### create database snort;
#### grant INSERT,SELECT on root.* to snort@localhost;
#### SET PASSWORD FOR snort@localhost=PASSWORD('[your_password_for_snorts_DB_user]');
#### grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
#### grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
#### exit

cd /root/installs/snort/snort-2.0.4/
mysql -u root -p < contrib/create_mysql snort #enter password for root
zcat contrib/snortdb-extra.gz | mysql -p snort #enter password for root

mysql -u root -p #enter password for root
#### Enter the following at the mysql> prompt:
#### SHOW DATABASES; #### You should see a list of all DB's. Make sure snort is there.
#### use snort
#### SHOW TABLES; #### You should see a list of 19 tables.
#### exit

vi /etc/httpd/conf/httpd.conf
#### Add the following in below the section where "Alias"'s are listed:
Alias /acid /var/www/html/acid

AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/www/.htpasswd
Require user acid

#### Exit and save using [escape]:wq
service httpd restart

cd /root/installs/snort/
cp -Rf jpgraph-1.13 /var/www/html/jpgraph
cp -Rf acid /var/www/html/
cp -Rf adodb /var/www/html/
cd /var/www/html/acid/

vi acid_conf.php
#### Edit line 12 to look like this: $DBlib_path = "/var/www/html/adodb";
#### Edit line 32 to look like this: $alert_dbname = "snort";
#### Edit line 35 to look like this: $alert_user = "snort";
#### Edit line 36 to look like this: $alert_password = "[your_password_for_snorts_DB_user]";
#### Edit line 69 to look like this: $ChartLib_path = "/var/www/html/jpgraph/src";

/etc/rc.d/init.d/snort restart ## twice to make sure
cd ../..
htpasswd -c .htpasswd acid ## then enter password you would like to use for acid twice


Now go to the URL https://YOUR-IP-ADDRESS/acid/ (make sure you put the trailing slash)
You should be able to login with the username acid and the password you specified in the htpasswd command.
When logged in you should see:

#################
The underlying database snort@localhost appears to be incomplete/invalid.
The database version is valid, but the ACID DB structure (table: acid_ag) is not present.
Use the Setup page to configure and optimize the DB.
#################

Click on the words "Setup page" in the second line as it is a link to the page that will add the Acid tables into the snort DB.
Click on the button "Create ACID AG" to proceed with adding the needed tables.
Click on the "Home" link in the Banner at the top right of the page to proceed to the main page of your ACID console.
You should see data specified such as the amount of alerts and percentage of alerts that are from ICMP packets.
It should show a red bar if you have had any alerts so far.

You have now completed the entire basic setup of Snort with ACID Monitoring Console!

For any additional information see the following:
http://www.snort.org (SNORT home page)
http://www.internetsecurityguru.com/docume...rt_acid_rh9.pdf (PDF File used to guide me in setting this up)

OK, I am almost done!! But I have ran into one small, minor problem.....


Here is what I get....

# [/var/www/html/acid]# htpasswd -c .htpasswd
-bash: htpasswd: command not found

I tried it in the following
var/www/
var/www/html/
var/www/html/acid

All three give the same error. Help?

This prevents me from going to http://ipaddy/acid/

I suppose it is OK just to make a .htaccess file in the /var/www/ folder with only the password, correct?

After I do that, I get an Internal Server Error.

Any ideas?

ok... I removed

Alias /acid /var/www/html/acid

AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/www/.htpasswd
Require user acid


and restarted httpd. NOW I get a 404 page not found. And I am accessing it http://idaddy/acid/

I wonder if this should have gone to /usr/local/htdocs/ instead?

Blaze64,
For the moment you can add just the following to the httpd.conf to have it show the site correctly:

Alias /acid /var/www/html/acid

you may need to specify the path to the htpasswd executable to make this command work like so:

/usr/bin/htpasswd -c .htpasswd

Actually, I got it to work. I moved everything from the var/www/ to usr/local/apache/htdocs and then changed the httpd.conf to read


AuthType Basic
AuthName "SnortIDS"
Order allow,deny
Allow from all


so there is no .htaccess file at all


I am now in, and getting ready to configure it. (The underlying database snort@localhost appears to be incomplete/invalid.)

Glad you got it to work that way although you should still definitely setup the htpasswd authentication or else if somebody else was attacking your server they could easily remove all signs of their attempts through acid.

Yea, that got it going. Everythings seems to be ok now.

Thanks! Nice post!

It does take some time to get it installed but maybe my post will help others with different setups.

True... but for some reason I cant get the .htaccess file in place and to allow me access...???

You should not be using a .htaccess file as with adding the following into your httpd.conf file you are eliminating the need for a seperate .htaccess file:

Alias /acid /usr/local/apache/htdocs/acid

AuthType Basic
AuthName "SnortIDS"
AuthUserFile /usr/local/apache/.htpasswd
Require user acid



And then running the htpasswd with the following line should create the .htpasswd file with the user acid which will be used for authentication:

/usr/bin/htpasswd -c /usr/local/apache/.htpasswd acid
#enter new password for user acid twice

ok, got it.... it was a tad differnet but here is how I had to do it:

[/usr/local/apache/htdocs]# /usr/local/apache/bin/htpasswd -c .htpasswd acid
New password:
Re-type new password:
Adding password for user acid


Hopes this helps.....

Wonderful how-to, everything went smoothly.
The only thing is that I realized that ACID is not that easy to make sense of. Any pointers/links that might help us better utilize it?

Do you already have an alert on your ACID?

yep, about 74

wow! Either I have something WRONG!!! Or I am lucky. I have had it installed for about 48 hours and nothing....

I guess I missed something somewhere. At this stage, it is almost impossible to see what I missed... unless I am just lucky!

Looking forward to trying this!

easier logger u can use is : SnortReport...

i like it very much...
and u don't need to configure anything except specifing the current Snort mySQL db ... i mean username/password/dbname

here is the link :
http://www.circuitsmaximus.com/download.html

make sure to see the screenshots ... it should give u a good idea about what u should expect from that script..


regards.

DomineauX
can i use your instruction for rh 7.3? seems like this guide is for rh 9

Yes these instructions will work fine on at least the following:
Redhat 7.1, 7.2, 7.3, 8.0, 9.0

Hey, I am probably missing something, but it looks like you are using /var/www/html as the dopcumetn root, but on cpanel it is /usr/local/apache/htdocs.

Can you explain, please?

Yes you are right, I could have used the default document root for CPanel, however I am just too used to Ensim and like making things difficult...lol

That is why I say to add the following into the httpd.conf:

vi /etc/httpd/conf/httpd.conf
#### Add the following in below the section where "Alias"'s are listed:
Alias /acid /var/www/html/acid

AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/www/.htpasswd
Require user acid

#### Exit and save using [escape]:wq
service httpd restart

You can of course leave out the line Alias /acid /var/www/html/acid
and edit the path used to reflect /usr/local/apache/htdocs.

aha. ok, thanks!

Just wanted to thank you for a very precise and easy to follow How-To. Cheers

edit - snort 2.0.5 is out now, any simple upgrade method?

What exactly does it detect? I ran a portscan on my machine and was hoping to see some info appear in ACID but got nothing

Great how to. Thank you.
Would it be possible that we will have problems with search eangines after installing snort since I see that it stops access to robots.txt?
Regards

Thanks for a great HowTo. I have both snort and acid installed and running.

They have been running for 4 days now with no warnings at all. Is this normal ?

How can I test the system by simulating an attack that snort will see and report.

PLESK users note :
For all those following this install and using Plesk. Snort mysql access is required at root level. The only trouble is the plesk install removes the root login to mysql and replaces it with an admin login. To get the above install to work correctly create a mysql root mysql account before you start.

I keep getting "command not found" do mis something?
Thanks in advance

Any time you get command not found, start out by performing the following to find the full path to the utility so you can issue the command including full path:

which groupadd
(or whatever the executables name is)

If that does not work (should normally), then do:
locate groupadd
(or whatever the executables name is)

once you know the path, you can use it like this:
/usr/sbin/groupadd snort

Thanks for the respond,

Everything is find until


Did I missed something again?

Thanks in advance

Hey Guys,
This is what I got after installing "Snort"

Any ideas ?

Same here. I even ran a nessus scan using all the plugins which is something like 1800+ security checks and nothing showed up in snort/acid.

Maybe snort is not running underzen.

nope its running

Anyone that is having issues with Snort not logging to MySQL, please attache a txt file with your /var/log/snort/log file.
The problem is most likely due to a permission problem, or possibly a lib that is needed to connect to MySQL.

To check to see if the MySQL connection will be established, do the following:

cd /usr/lib
ls -lah | grep mysql

And post your results, as you may need to create a symlink called libmysqlclient.so which points to whatever version of libmysqlclient.so.X.X.X you have installed such as:

ln -s libmysqlclient.so.10.0.0 libmysqlclient.so
##libmysqlclient.so.10.0.0 may need to be modified to match what you see in this directory as libmysqlclient.so.*##

Easy way to control snort (from http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf):

Webmin Installation Install dependencies for using SSL connections with Webmin. You can download Net_SSLeay from http://symlabs.com/Net_SSLeay/.

# cp Net_SSLeayrpm-*-**.tar.gz /usr/src/redhat/SOURCES
# cd /usr/src/redhat/SOURCES
# tar –zxvf Net_SSLeay.rpm-*-**.tar.gz
# cd Net_*
# perl Makefile.PL
# make install

Install the Webmin RPM. Download from http://www.webmin.com/

# rpm –ivh webmin-0.99.-1.noarch.rpm

Configure SSL
a. Open Mozilla browser and go to address: http://127.0.0.1:10000
b. Login as ROOT
c. Select, “Webmin Configuration” icon
d. Select, “SSL Encryption” icon
e. Select, “Enable SSL support if available” and click the “Save” button


Install Snort Webmin plugin
a. Select, “Webmin Configuration” icon
b. Select, “Webmin Modules” icon
c. Install module from url: http://www.snort.org/dl/contrib/front_ends...n/snort-1.0.wbm and click “Install”



Configure Snort Plugin
a. Select, “Servers” icon from the TOP of the web page.
b. Select, “Snort IDS Admin” icon (Looks like a pig!)
c. Select the “Module Config” tab in the left hand corner.
Your configuration should match the following:

Full path to Snort executable (with options) = /usr/local/bin/snort -U -d -D -c /etc/snort/snort.conf
Full path to Snort configuration file = /etc/snort/snort.conf
Full path to Snort rule files directory = /etc/snort
Full path to Snort PID file = /var/run/snort_eth1.pid
Command to start Snort (optional) = /etc/rc.d/init.d/snort start When finished click the “Save” button. You’re done!

Hope this helps to easy config your snort.

My result is
[root@svr01 lib]# ls -lah | grep mysql
drwxr-xr-x 2 root root 4.0K Nov 28 11:22 mysql

What does that mean. My snort cd /var/log/snort/ directory is full of ip addresses but no results on my acid page.

Install webmin and change the logging to mysql database.
Hope this works for you.

Well I installed this and all seems to work great other then I have yet to get any alerts?

hi DomineauX,
I am not able to connect to the database ..

Database ERROR:Access denied for user: 'snort@localhost' (Using password: YES)

when i go to http://myip/acid/acid_main.php

realise my silly error :

SET PASSWORD FOR snort@localhost=PASSWORD('[mypassword]');


should type this way


#### SET PASSWORD FOR snort@localhost=PASSWORD('mypassword');

without the [ and ]

Thanks,

This was as an excellent How to. Up and running with no problems to report.

- Ricoche

well I had this up and running for a while but now snort will not run.

when I run the command /etc/rc.d/init.d/snort restart i get this

Stoping Intrusion Database System: SNORT
SNORT is not running!
Starting Intrusion Database System: SNORT
SNORT is up and running!

I see the pid file but if i run the command again /etc/rc.d/init.d/snort restart I get the same it says Snort is not running plus I no logner get any alerts.

I'm getting this error when trying to run the SNORT:

root@sm011 [/usr/lib]# /etc/rc.d/init.d/snort restart
Stoping Intrusion Database System: SNORT
/etc/rc.d/init.d/snort: pidof: command not found
SNORT is not running!
Starting Intrusion Database System: SNORT
/etc/rc.d/init.d/snort: pidof: command not found


Any ideas on how to fix it :confused:

Thanks in advance for any help you can provide

Its been ages since I last used VI forgot commands

How do I search for a line using pico?

Cos is I use VI and press enter, nothing happends?

USed to Pico.................

Anyone

Cannot access the acid main web page, says password or username is wrong?

All done as per instructions.

How can I delete the bit were it ask's for the password so I know it works, and then add a pasword after.

>>Delete<<

Does Snort work with RedHat Enterprise? Anyone knows how to configure it for RedHat Enterprise?
Regards

>>Delete<<

>>Delete<<

>>Delete<<

Problem sorted. Can a mod please delete my posts above.

Now gota sort the password problem out.

Laters