Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » Linux » Snort/Acid on Debian

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

Snort/Acid on Debian


Posted by jim1954 on February 23, 2006 11:58:08

I deployed Snort on my Linux 2.6 Kernel Debian-Distro mail server very simply/easily. The server is running EXIM4, Apache2, SquirrelMail, ClamAV and Spamassassin, protected by Shorewall, and Snort just went on and worked!

I used Synaptic for the install, it's worked for all my other Debian installs and made it possible to document processes that others could do without in-depth knowledge. For some time now, Snort has been giving me an email each day telling me what exploits it had seen.

However, I tried to get ACID to run on it and despite following what few descriptions and howtos I found, it just refused to cooperate! Its primarily down to the MySQL DB, which seems to have been created wrongly. I'm getting the following errors "Table 'snort.iphdr' doesn't exist"
"Unable to CREATE INDEX for 'signature' : Database ERROR:Table 'snort.event' doesn't exist" and

"Unable to CREATE INDEX for 'timestamp' : Database ERROR:Table 'snort.event' doesn't exist"

OK, that is probaly simple to fix if you understand DBs, but I'm a network engineer, and I have tried and always seem to get back to this point....

Is there anyone out there who can give me some hints?

Thanks for anything you can suggest

Jim




Posted by gbobeck on March 01, 2006 22:17:52

You may want to use BASE instead of ACID.

Posted by LeonW on May 10, 2006 07:25:48

you need to set up the schema before ACID / BASE etc can work. Take a look in /usr/share/doc/snort/ (if you installed snort from Debian) for some additional help.

IIRC the deb postinst does not handle the DB schema.

Also gbobeck is correct. You should NOT be using ACID. It is dead.

Posted by jim1954 on May 10, 2006 07:47:22

Thanks guys, I'll have a little play with BASE and see what happens! Appreciate the help

Jim
site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.