Snort mailing list archives

Re: Win32 Snort w/ ACID on NT 4.0/IIS (Thatcher Rea)


From: "Joe Pampel" <joe () ardsley com>
Date: Thu, 20 Dec 2001 14:28:42 -0500


Message: 4
From: Thatcher Rea <T_Rea () BARTWEST COM>
To: snort-users () lists sourceforge net 
Date: Thu, 20 Dec 2001 09:05:17 -0600
Subject: [Snort-users] Win32 Snort w/ ACID on NT 4.0/IIS

>> Here's my problem:
>> When I log in to the machine I first get a Dr. Watson error saying "srvany
>> has caused an access violation (0xC0000005) at Address (0x77F64D8A)" <<

srvany is the tool that lets an app run as a service. Here is a link with some
troubleshooting info on it. Maybe there's something here that will help:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q152460

First maybe try running snort manually, not as a service and see what happens.

>> And then, when I open my browser and type the path
>> <http://localhost/acid/index.html> to view ACID I am redirected to
>> <http://localhost/acid/acid_main.php> (which I'm assuming is normal). <<

Yes, that's the normal page you should end up at. I've not gotten the graphs to work
(haven't tried that hard, to be honest!) but I got ACID running on the Apache server for
win32. The config is easy (if I did it!), just a couple of trick lines to tell Apache where to find
PHP and run it. I pasted the key stuff below if you're interested. It just might be a better web
server platform for an IDS system. Maybe less vulnerable? Certainly simpler to run IMHO. IIS
used to give me fits. Apache also makes it easy to create ACLs to control who can view
your website (by IP address, etc.) in addition to authentication.

Anyhow (sorry for the ad!), the first time you run ACID you should get an error and a request
to click a button to generate some stuff. After that you should be in business.

>> I then get a CGI error saying that "The specified CGI application misbehaved by not
>> returning a complete set of HTTP headers. The headers it did return are:
>> abnormal program termination". <<

Sounds like PHP is not running. IIS sees the funky code and is choking on it, methinks. Before I got Apache fixed up it
would just spit the page of code out to my browser... not quite what you want!

>> If anyone is using Win32 Snort on NT 4.0 I would appreciate any feedback you
>> might be able to give me on this. <<

I've had really good luck with it honestly. Never had a crash. (knock wood!) To make my life simpler I built a dedicated
Snort box, PIII 933 with 512MB RAM and 2 NICs. Made one huge C:\ NTFS partition so I could stick with the SD
instructions (got tired of re-doing all the pathing!) and the install is painless with their directions, except that I
have not done 2 things you're doing: 1 - running snort as a service and 2 - using IIS.

The hard part of the Apache config is below if anyone's interested (this is assuming you keep the default Apache pub
dir, which is htdocs, and assuming you install everything in C:\ per the SD website). I sanitized this a bit.
------------------------------------------------------------------
Find this section of the httpd.conf file and adjust it to fit your install... 

    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    # ScriptAlias /cgi-bin/ "C:/Program Files/Apache/Apache/cgi-bin/"

    # The three lines that matter: expose the PHP directory as a script
    # alias, map .php to the PHP MIME type, and hand that type to php.exe.
    ScriptAlias /php/ "c:/snort/php/"
    AddType application/x-httpd-php .php
    Action application/x-httpd-php "/php/php.exe"

    #
    # "C:/Program Files/Apache/Apache/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have that configured.
    #
    <Directory "C:/Program Files/Apache/Apache/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

# (the matching <IfModule mod_alias.c> opening line sits above this excerpt in the stock httpd.conf)
</IfModule>
# End of aliases.

(this is very basic, there is a lot more you can do)
hope some of that helped. 

- Joe
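The ACL-plus-authentication setup Joe mentions for the ACID console, written out as an added example (not config from the original post). The htdocs path, the analyst subnet and the password-file location are assumptions; the syntax is the Apache 1.3-era Order/Allow/Deny style used in the httpd.conf excerpt above.

```apache
# Added example, not from the original post. Paths, the 192.168.1.0/24
# analyst subnet and the htpasswd file are assumptions; adjust to your install.

# .php must be executed by the PHP CGI binary. Without these lines Apache
# serves the PHP source as text, which exposes the database login stored in
# ACID's acid_conf.php to anyone who can reach the console.
ScriptAlias /php/ "c:/snort/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"

<Directory "c:/snort/apache/htdocs/acid">
    AllowOverride None
    Options None

    # Network ACL: deny everyone by default, then allow only the console
    # host itself and the analyst subnet (placeholder values).
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.1.0/255.255.255.0

    # Authentication on top of the ACL. The password file is created with
    # htpasswd.exe and kept outside htdocs so it can never be downloaded.
    AuthType Basic
    AuthName "ACID console"
    AuthUserFile "c:/snort/apache/conf/acid.htpasswd"
    Require valid-user

    # Both conditions must hold: a valid login from an allowed address.
    # (Satisfy Any would let either one alone grant access.)
    Satisfy All
</Directory>
```

Create the first account with `htpasswd -c c:\snort\apache\conf\acid.htpasswd analyst` from the Apache bin directory, then restart Apache and confirm that a request from outside the allowed subnet gets a 403 rather than a login prompt.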

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

