How to build Snort with the ACID PHP user interface and MySQL backend database.

This was my second time through this. The first time was painfull, but I got it working. This time I took advantage of a lot of RPMs, which makes this a not so system independant instruction list, but it is the only ?complete? set of instructions I'm aware of that shows how to build snort w/ the ACID interface from start to finish. The information is otherwise scattered about in a number of readme files that come with souces for the following gazillion packages. --I went the all source code route on my last trip through w/ OpenBSD, but didn't document too well, so if you want to do that you'll have to adapt the instructions to suite your needs. One of the biggest pitfalls I ran into the first time around was getting a PHP module that had support for everything. That was mostly trial and error. Also, setting up the database was not so easy the first time nor was guessing what order to install and compile in. Hopefully this saves someone some time.

GROCERY LIST:

RPMS:

• apache-1.3.20-16.i386.rpm
• apache-devel-1.3.20-16.i386.rpm
• libpng-1.0.12-2.i386.rpm
• libpng-devel-1.0.12-2.rpm
• mysql-server-3.23.41-1.i386.rpm
• mysql-3.23.41-1.i386.rpm
• mysql-devel-3.23.41-1.i386.rpm
• zlib-1.1.3-24.i386.rpm
• zlib-devel-1.1.3.rpm
• gd-1.8.4-4.i386.rpm
• gd-devel-1.8.4-4.i386.rpm
• freetype-2.0.3-7.i386.rpm
• freetype-devel-2.0.3-7.i386.rpm
• libpcap-0.6.2-9.rpm
• snort-1.8.3-5.i386.rpm
• snort-mysql-1.8.3-5.i386.rpm
• snort-1.8.3-5snort.src.rpm or the tarball

SOURCE:

• acid-0.9.6b19.tar.gz
• adodb140.tgz
• phplot-4.4.6.tar.gz
• php-4.0.6.tar.gz

INSTALLATION INSTRUCTIONS

1. Install all the RPMS.


2. Unzip the php-4.0.6.tar.gz tarball and install.
   
   Simple install instructions:
   
   1. ./configure
   2. ./make
   3. ./make install
   4. cp src/php-4.0.6/php.ini-dist /etc/php.ini
   5. vi /etc/php.ini to set "display_errors = Off" also uncomment and set var "sendmail_path = /usr/sbin/sendmail"
   
   The tricky part is that you need to config the mod w/ support for everything under the sun. My config line looks like this.
   
   ./configure --with-mysql=/usr --with-gd=/usr --with-apxs --with-zlib=/usr --with-png-dir=/usr --with-xpm-dir=/usr/X11R6 --with-ttf=/usr --prefix=/usr
   
   When finding paths for config variables, `rpm -ql [package]` is invaluable. Also, ./config takes the --help flag.
   
   
3. I suggest using the src rpm snort-1.8.3-5snort.src.rpm which unpacks to /usr/src/redhat/SOURCES/ and gives you a tarball and a nice init script for the sys V stuff. I couldn't actually do this though due to weird compile problems on my one machine. What's weirder is that I don't have those problems on my lap top w/ the same OS and Kernel version. Ugh! Anyway, the compile from souce line would look something like:
   
   ./configure --with-mysql=/usr --prefix=/usr
   make
   make install
   
   Anway, I used the binaries on my RedHat box when making these instructions:
   
   
   1. rpm -i snort-1.8.3-5.i386.rpm
   2. rpm -i snort-mysql-1.8.3-5.i386.rpm
   3. rpm -i snort-1.8.3-5snort.src.rpm # Needed for one measly file in contribs.
   
   
4. Make the database. Instructions are either in the source tree, or /usr/share/doc/snort-1.8.3/README.database if you used the rpm. You'll still need the source code either way for the contribs/create_mysql script which *surprise* creates the database.
   
   Note: # is a root prompt and > is a mysql prompt.
   1. Start the db server: `/etc/rc.d/init.d/mysqld start`
   2. Type `echo "CREATE DATABASE snort;" | mysql -u root`
   3. Use the mysql client to give the snort user access.
      # mysql snort
      > grant INSERT,SELECT on snort.* to snort@localhost;
      > quit
   4. Do the same to make a user w/ proper permissions for ACID.
      # mysql snort
      > grant INSERT,SELECT,UPDATE,DELETE on snort.* to acid@localhost;
      > quit
   5. create the database structure using the "create_mysql" script found
      in the contribs directory of the source tarball.
      # mysql snort < ./create_mysql
   
   
   6. unhash/edit the appropriat output line in /etc/snort/snort.conf output database: log, mysql, user=snort dbname=snort host=localhost
   7. edit the following lines of /etc/rc.d/init.d/snort.d to look like:
      daemon /usr/sbin/snort -D -i $INTERFACE -c /etc/snort/snort.conf
   8. start the daemon /etc/rc.d/init.d/snortd


5. Unzip the following packages in /var/www/html/
   • phplot-4.4.6.tar.gz
   • acid-0.9.6b19.tar.gz
   • adodb140.tgz


6. vi /var/www/html/acid/acid_conf.php and set the following values:
   • $DBlib_path = "/var/www/html/adodb";
   • $DBtype = "mysql";
   • $alert_dbname = "snort";
   • $alert_host = "localhost";
   • $alert_user = "acid";
   • $alert_password = "";
   • $ChartLib_path = "/var/www/html/phplot-4.4.6";
   • $chart_file_format = "png";
   For added speed at a price, you can also change:
   • $event_cache_auto_update = 0; If you do this you have to manually update cache.
   • $maintain_history = 0; You won't be able to use the back button which is 50% broken anyway.


7. Open http://127.0.0.1/acid/acid_main.php in a browser and follow the links to create the database fields for acid. (2 clicks.)


8. Now visit this cert advisory about nimda. http://www.cert.org/advisories/CA-2001-26.html When you go back to acid, you should have a false alert for readme.eml autoload attemt.


9. Now we'll fix an error I found on my own.
   
   `vi /var/www/html/acid/acid_qry_alert.php` type 152 then ctrl+g and you should drop to the correct line if you have the same version of acid as I do.
   
   The block of code looks like this:
   
   echo "<FORM METHOD=\"POST\" ACTION=\"acid_qry_alert.php\">\n";
   PrintPacketLookupBrowseButtons($seq, $save_sql, $db, $previous, $next);
   echo "<CENTER>\n<B>Alert #".($seq+1)."</B><BR>\n$previous &nbsp&nbsp&nbsp\n$next\n</CENTER>\n";
   echo "<HR>\n";
   
   Just delete the "+1" where it saise ($seq+1)
   
   What this fixes is numbering when you are looking at a series of packets. You have a back button with a number on it and a forwards button with another number, and above the butons you have the current packet number. Well, the programmer thought it would be more appropriat to start with packet #1, but never corrected the number of the entire set or the buttons, so without the fix it looks like: [back 0] Alert #2 [next 2] my fix makes it [back 0] Alert #1 [next #2]. It's cosmetic and minor but it annoyed me.


10. If you want an archive database, go back to the database creation steps and make a new database with a different name, then plug it into acid_conf.php and you can move or copy allerts in a seperate archive database within acid. Of course you'll also want to optimise the snort.conf file to meet your needs and perhaps add some sort of authentication to the webserver. If you'r really lazy, you can just bind it to the loopback address in httpd.conf and then portforward it though ssh. ` ssh foo -L 8000:127.0.0.1:80 ` will forward port 80 on the loopback of foo to port 8000 on the loopback of your remote host. You can then access the interface over the tunnel at http://127.0.0.1:8000.


11. Last but not least, add some links in the /etc/rc.d/rd[1-6]/ directories to start and stop httpd, mysqld and snortd automatically when you boot or shutdown if thats what you prefer.
    
    
    • rc[1-6] are init levels, [ S | K ][ ## ]service is for Start or Kill and ## is what order they are started and killed in. The Files themselves are just links to /etc/rc.d/init.d/service init scripts. There are also friendly tools to do this for you. Webmin comes to mind.

Have fun.

Feel free to use and post this document to your heart's content.

--Ray Ferguson.