Snort mailing list archives
RE: Re: Win32 Snort w/ ACID on NT 4.0/IIS (Thatcher Rea)
From: "Michael Steele" <michaels () silicondefense com>
Date: Wed, 26 Dec 2001 22:34:53 -0800
Joe,

Go to our site for all your Windows IDS needs. Everything you are trying to do is well documented there.

-Mike

Commercial Snort Support 1.866.41.SNORT
Silicon Defense - www.silicondefense.com
Home of the new SERTRUS Snort Sensor
Michael Steele - Snort Support Technician

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Joe Pampel
Sent: Thursday, December 20, 2001 11:29 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Re: Win32 Snort w/ ACID on NT 4.0/IIS (Thatcher Rea)

> 4. Win32 Snort w/ ACID on NT 4.0/IIS (Thatcher Rea)
> 6. Re: Win32 Snort w/ ACID on NT 4.0/IIS (ed.davis)
> 7. RE: Win32 Snort w/ ACID on NT 4.0/IIS (John Rodley)
> 8. Re: how to disable spp_porscan? (Roberto Suarez Soto)
> 9. RE: IDS Center (Peter Charbonneau)
> 10. Re: how to disable spp_porscan? (Phil Wood)
>
> --
>
> Message: 4
> From: Thatcher Rea <T_Rea () BARTWEST COM>
> To: snort-users () lists sourceforge net
> Date: Thu, 20 Dec 2001 09:05:17 -0600
> Subject: [Snort-users] Win32 Snort w/ ACID on NT 4.0/IIS
>
> Here's my problem: When I login to the machine I first get a Dr. Watson
> error saying "srvany has caused an access violation (0xC0000005) at
> Address (0x77F64D8A)"

srvany is the tool that lets an app run as a service. Here is a link with some troubleshooting info on it; maybe there's something here that will help:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q152460
First, maybe try running snort manually, not as a service, and see what happens.

> And then, when I open my browser and type the path
> <http://localhost/acid/index.html> to view ACID I am redirected to
> <http://localhost/acid/acid_main.php> (which I'm assuming is normal).

Yes, that's the normal page you should end up at. I've not gotten the graphs to work (haven't tried that hard to be honest!) but I got ACID running on Apache server for win32. The config is easy (if I did it!), just a couple of trick lines to tell Apache where to find PHP and run it. I pasted the key stuff below if you're interested. Just might be a better web server platform for an IDS system, maybe less vulnerable? Certainly simpler to run IMHO. IIS used to give me fits. Apache also makes it easy to create ACLs to control who can view your website (by IP address, etc.) in addition to authentication. Anyhow (sorry for the ad!), the first time you run ACID you should get an error and a request to click a button to generate some stuff; after that you should be in business.

> I then get a CGI error saying that "The specified CGI application
> misbehaved by not returning a complete set of HTTP headers. The headers
> it did return are: abnormal program termination".

Sounds like PHP is not running. IIS sees the funky code and is choking on it methinks. Before I got Apache fixed up it would just spit the page of code out to my browser... not quite what you want!

> If anyone is using Win32 Snort on NT 4.0 I would appreciate any
> feedback you might be able to give me on this.

I've had really good luck with it honestly. Never had a crash. (knock wood!) To make my life simpler I built a dedicated Snort box, PIII 933 with 512MB RAM and 2 NICs. Made one huge C:\ NTFS partition so I could stick with the SD instructions (got tired of re-doing all the pathing!) and the install is painless with their directions, except that I have not done 2 things you're doing: 1 - running snort as a service and 2 - using IIS.

The hard part of the Apache config is below if anyone's interested (this is assuming you keep the default Apache pub dir, which is htdocs, and assuming you install everything in C:\ per the SD website; I sanitized this a bit).

------------------------------------------------------------------
Find this section of the httpd.conf file and adjust it to fit your install...

# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
# ScriptAlias /cgi-bin/ "C:/Program Files/Apache/Apache/cgi-bin/"

# Expose the PHP CGI binary under /php/, tell Apache that .php files are
# PHP documents, and hand every such request to php.exe.
ScriptAlias /php/ "c:/snort/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"

#
# "C:/Program Files/Apache/Apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "C:/Program Files/Apache/Apache/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

</IfModule>
# End of aliases.
------------------------------------------------------------------

(this is very basic, there is a lot more you can do)

hope some of that helped.

- Joe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
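The IP ACL plus authentication that Joe says Apache makes easy, written out for the ACID directory as an added example (not a config from the thread or from Silicon Defense). The htdocs path, the 192.168.1.0/24 management subnet and the htpasswd file name are assumptions; the syntax is the same Apache 1.3 style used in the snippet above.

```apache
# Added example, not from the thread: restrict the ACID console to one
# management subnet AND require a login. The acid path, the subnet and the
# htpasswd file name are assumptions; adjust them to your install.
<Directory "C:/Program Files/Apache/Apache/htdocs/acid">
    AllowOverride None
    Options None

    # IP ACL: evaluate Deny first, then Allow, so only the listed
    # subnet gets through and everything else is refused (403).
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

    # Authentication on top of the ACL. Create the user file once with:
    #   htpasswd -c c:/snort/acid.htpasswd analyst
    AuthType Basic
    AuthName "ACID console"
    AuthUserFile "c:/snort/acid.htpasswd"
    Require valid-user

    # Both the address check and the login must pass. All is the
    # default; it is stated here so the intent is visible in the file.
    Satisfy All
</Directory>
```

With Satisfy All, a browser outside the subnet is refused before it is even prompted for a password, and a browser inside it still has to log in; Basic auth sends the password in the clear, so keep the console on the management network or in front of an SSL-enabled listener.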
Current thread:
- Re: Win32 Snort w/ ACID on NT 4.0/IIS (Thatcher Rea) Joe Pampel (Dec 20)
- RE: Re: Win32 Snort w/ ACID on NT 4.0/IIS (Thatcher Rea) Michael Steele (Dec 26)