Snort mailing list archives

RE: Re: Win32 Snort w/ ACID on NT 4.0/IIS (Thatcher Rea)


From: "Michael Steele" <michaels () silicondefense com>
Date: Wed, 26 Dec 2001 22:34:53 -0800

Joe,

Go to our site for all your Windows IDS needs. Everything you are trying
to do is well documented there.

-Mike
 
        Commercial Snort Support
              1.866.41.SNORT
Silicon Defense - www.silicondefense.com
  Home of the new SERTRUS Snort Sensor
Michael Steele - Snort Support Technician


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Joe Pampel
Sent: Thursday, December 20, 2001 11:29 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Re: Win32 Snort w/ ACID on NT 4.0/IIS (Thatcher Rea)

Message: 4
From: Thatcher Rea <T_Rea () BARTWEST COM>
To: snort-users () lists sourceforge net 
Date: Thu, 20 Dec 2001 09:05:17 -0600
Subject: [Snort-users] Win32 Snort w/ ACID on NT 4.0/IIS

> Here's my problem:
> When I login to the machine I first get a Dr. Watson error saying
> "srvany has caused an access violation (0xC0000005) at Address (0x77F64D8A)"

srvany is the tool that lets an app run as a service. Here is a link with
some troubleshooting info on it; maybe there's something here that will
help:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q152460

First, maybe try running snort manually, not as a service, and see what
happens.

> And then, when I open my browser and type the path
> <http://localhost/acid/index.html> to view ACID I am redirected to
> <http://localhost/acid/acid_main.php> (which I'm assuming is normal).

Yes, that's the normal page you should end up at. I've not gotten the
graphs to work (haven't tried that hard to be honest!) but I got ACID
running on Apache server for win32. The config is easy (if I did it!),
just a couple of trick lines to tell Apache where to find PHP and run it.
I pasted the key stuff below if you're interested. It just might be a
better web server platform for an IDS system. Maybe less vulnerable?
Certainly simpler to run IMHO. IIS used to give me fits. Apache also
makes it easy to create ACLs to control who can view your website (by IP
address, etc.) in addition to authentication.

Anyhow (sorry for the ad!), the first time you run ACID you should get
an error and a request to click a button to generate some stuff. After
that you should be in business.

> I then get a CGI error saying that "The specified CGI application
> misbehaved by not returning a complete set of HTTP headers. The headers
> it did return are: abnormal program termination".

Sounds like PHP is not running. IIS sees the funky code and is choking
on it, methinks. Before I got Apache fixed up it would just spit the page
of code out to my browser... not quite what you want!

> If anyone is using Win32 Snort on NT 4.0 I would appreciate any feedback
> you might be able to give me on this.

I've had really good luck with it honestly. Never had a crash (knock
wood!). To make my life simpler I built a dedicated Snort box, PIII 933
with 512MB RAM and 2 NICs. Made one huge C:\ NTFS partition so I could
stick with the SD instructions (got tired of re-doing all the pathing!),
and the install is painless with their directions except that I have not
done 2 things you're doing: 1 - running snort as a service and 2 - using
IIS.

The hard part of the Apache config is below if anyone's interested (this
assumes you keep the default Apache pub dir, which is htdocs, and that you
install everything in C:\ per the SD website; I sanitized this a bit).
------------------------------------------------------------------
Find this section of the httpd.conf file and adjust it to fit your
install... 

<IfModule mod_alias.c>
    # (opening of the Alias section in the stock httpd.conf; the rest of
    # that section is unchanged and omitted here)

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to
    # the client. The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    # ScriptAlias /cgi-bin/ "C:/Program Files/Apache/Apache/cgi-bin/"
    ScriptAlias /php/ "c:/snort/php/"
    AddType application/x-httpd-php .php
    Action application/x-httpd-php "/php/php.exe"

    #
    # "C:/Program Files/Apache/Apache/cgi-bin" should be changed to
    # whatever your ScriptAliased CGI directory exists, if you have that
    # configured.
    #
    <Directory "C:/Program Files/Apache/Apache/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

</IfModule>
# End of aliases.

(this is very basic, there is a lot more you can do)
hope some of that helped. 

- Joe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
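An added example, not from Joe's post or the Silicon Defense documentation: the same PHP-as-CGI wiring as the ScriptAlias/Action fragment above, written as a complete Apache 1.3 (Win32) httpd.conf section, plus the per-directory IP ACL and Basic authentication that the post mentions but does not show. Everything not in the original is an assumption: ACID unpacked under htdocs/acid, the password file c:/snort/apache-users, the 10.1.1.0/24 analyst network, and the ACID config file name acid_conf.php (taken from the ACID distribution, not from this thread).

```apache
# Added example, not Joe's posted config: Apache 1.3 (Win32) httpd.conf
# section for running ACID with PHP as a CGI, restricted by IP and password.
# Assumed paths: Apache in C:/Program Files/Apache/Apache, PHP in c:/snort/php,
# ACID unpacked to htdocs/acid, analyst workstations on 10.1.1.0/24.

<IfModule mod_alias.c>
    # PHP's CGI binary is published under /php/ so Action can reach it.
    # The directory holds only php.exe; nothing in it is a document.
    ScriptAlias /php/ "c:/snort/php/"
    <Directory "c:/snort/php">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>

# Hand every .php file to php.exe through an internal redirect. That
# redirect is what sets REDIRECT_STATUS, which PHP's cgi.force_redirect
# checks before it will run anything.
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"

# The console itself. Both the network ACL and the login must pass
# (Satisfy All), so a password captured off-subnet is still useless.
<Directory "C:/Program Files/Apache/Apache/htdocs/acid">
    AllowOverride None
    Options None

    # IP ACL: deny by default, allow only the analyst network (assumed).
    Order deny,allow
    Deny from all
    Allow from 10.1.1.0/255.255.255.0

    # Authentication: user file created with htpasswd (assumed path).
    AuthType Basic
    AuthName "ACID console"
    AuthUserFile "c:/snort/apache-users"
    Require valid-user

    Satisfy All
</Directory>

# ACID's own config holds the database credentials; PHP includes it from
# disk, so browsers never need to fetch it directly.
<Files "acid_conf.php">
    Order deny,allow
    Deny from all
</Files>
```

Two checks worth doing once this is in place. First, ScriptAlias publishes php.exe at /php/php.exe, so confirm that cgi.force_redirect = 1 in php.ini (the default since PHP 4.2): with it set, PHP refuses to run unless Apache reached it through the Action handler, so a browser calling /php/php.exe directly gets PHP's security alert rather than a CGI that will accept arbitrary arguments. Second, Basic authentication sends the password base64-encoded in clear, so the IP ACL is what actually keeps the console off the rest of the network; create the account with "htpasswd -c c:\snort\apache-users analyst" and put the console behind SSL if the Win32 build you use has mod_ssl.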



