Win2K: Installing an open-source IDS


To install the ACID alert viewer, decompress the ACID archive and move the ACID folder into the root folder of your default Web site (typically C:\Inetpub\wwwroot\). Then configure the acid_conf.php file in the Acid folder as shown in Listing C. Next, reboot the machine, start your browser, and go to http://localhost/Acid/Index.html. The first time you run ACID, you'll see an error indicating that the underlying database is incomplete. Select Setup Page when this error appears, select Create ACID AG to complete the ACID Alert Group configuration, and then return to your browser and reload http://localhost/Acid/Index.html.

Congratulations, you've installed Snort

Once everything is installed and working properly, it may take a few minutes before alerts show up. To make sure things are okay, verify that the Services applet shows Snort as started and that it also shows up as a running process under the Task Manager.

If Snort doesn't show up under Task Manager, there is a problem with the service starting automatically through the srvany wrapper. Try deleting the services you created with instsrv, rebooting the workstation, and re-creating the services. Deleting the services and re-creating them without rebooting the workstation in between will cause problems.

From the application side, watch the information that Snort reports closely before hitting the panic button. Some of the items Snort reports are normal NT-to-NT communications, but an alert could be a hacking attempt if either its source or destination address is not on your network. As with any reporting software, Snort will be only as good as the version of the rules you're using to find hacking attempts. Visit the Snort Web site periodically to make sure you have the latest rules installed.
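As an added illustration of the triage rule above (not code from the article or from the Snort project), the following Python script reads Snort "alert fast" lines and separates alerts whose endpoints are both on your own address ranges from those where at least one endpoint is outside them. The network ranges, rule names, sids and sample alert lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed address ranges standing in for "your network" (assumption, not from the article).
LOCAL_NETWORKS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]

# Snort "alert fast" layout: <timestamp> [**] [gid:sid:rev] <msg> [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts (sids and rule names are made up for illustration).
SAMPLE_ALERTS = [
    "01/12-10:33:05.123456  [**] [1:100001:1] NETBIOS share access [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.20:1045 -> 192.168.1.10:139",
    "01/12-10:35:17.654321  [**] [1:100002:1] WEB-IIS suspicious request [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.45:3922 -> 192.168.1.10:80",
    "01/12-10:36:02.000001  [**] [1:100003:1] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 198.51.100.7",
    "this is not an alert line and is skipped",
]

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def is_local(addr, nets=LOCAL_NETWORKS):
    """True when addr falls inside one of the monitored network ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in nets)

def triage(lines, nets=LOCAL_NETWORKS):
    """Split alerts into (internal, external): internal has both endpoints on the local
    ranges (often ordinary NT-to-NT chatter); external has at least one endpoint outside them."""
    internal, external = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        bucket = internal if is_local(alert["src"], nets) and is_local(alert["dst"], nets) else external
        bucket.append(alert)
    return internal, external

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS)[1]:
        print(f"{a['ts']} {a['proto']} {a['src']} -> {a['dst']} [{a['sid']}] {a['msg']}")
```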

Getting more help

Keep in mind that you have a basic install of Snort; additional features can be enabled. For more information on the details of configuring the various packages used with Snort, take a look at these sites:


In addition to the above sites, you can subscribe to the Snort Users mailing list on the Snort Web site. This mailing list offers more specific help for your Snort installation. Another option for commercial-level support for Snort would be the Silicon Defense Web site.

Editorial disclaimer: The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to fire walls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2001 TechRepublic, Inc.
