Snort and Acid on RedHat 9

For the record, in case anyone else googles for this at some time in the future …

Installed Snort and Acid at a customer site yesterday, on RedHat 9. The install went flawlessly. However, when I was configuring it, I could not make it log to MySQL no matter what I tried. Three hours later (to make a long story short), I asked on #snort and was nudged in the right direction almost unintentionally. Turns out that RedHat has a config file /etc/sysconfig/snort in addition to the /etc/snort/snort.conf file, and settings appearing there (in the sysconfig location, that is) override settings in the snort.conf file. In particular, the ALERTMODE setting in that file was overriding my attempts to get Snort to log to MySQL rather than to /var/log/snort. Commenting out that line removed the conflict.
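As an added check (not part of the original post), a small POSIX shell script that flags the situation described above: an uncommented ALERTMODE line in a RedHat-style /etc/sysconfig/snort sitting alongside an "output database:" line in snort.conf. The file contents below are constructed samples, and the override precedence is assumed from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Detects a RedHat sysconfig
# ALERTMODE setting that would override the "output database:" plugin in
# snort.conf. Real paths: /etc/sysconfig/snort and /etc/snort/snort.conf.

# Print 1 if the sysconfig file has an active (uncommented) ALERTMODE line.
sysconfig_alertmode_active() {
    grep -Eq '^[[:space:]]*ALERTMODE=' "$1" && echo 1 || echo 0
}

# Print 1 if snort.conf has an active "output database:" line.
snortconf_db_output_active() {
    grep -Eq '^[[:space:]]*output[[:space:]]+database:' "$1" && echo 1 || echo 0
}

# Print "conflict" when both are active, "ok" otherwise.
check_snort_logging() {
    if [ "$(sysconfig_alertmode_active "$1")" = 1 ] && \
       [ "$(snortconf_db_output_active "$2")" = 1 ]; then
        echo conflict
    else
        echo ok
    fi
}

# Constructed sample files in a temp dir so the script runs offline.
tmp=$(mktemp -d)
cat > "$tmp/sysconfig.snort" <<'EOF'
# constructed sample of /etc/sysconfig/snort
INTERFACE=eth0
ALERTMODE=fast
EOF
cat > "$tmp/snort.conf" <<'EOF'
# constructed sample of /etc/snort/snort.conf
output database: log, mysql, user=snort dbname=snort host=localhost
EOF

check_snort_logging "$tmp/sysconfig.snort" "$tmp/snort.conf"   # conflict

# Comment out ALERTMODE, as the post describes, and re-check.
sed 's/^ALERTMODE=/#ALERTMODE=/' "$tmp/sysconfig.snort" > "$tmp/fixed" \
    && mv "$tmp/fixed" "$tmp/sysconfig.snort"
check_snort_logging "$tmp/sysconfig.snort" "$tmp/snort.conf"   # ok
rm -rf "$tmp"
```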

As another note, mostly for my own benefit, I should mention that, in order to get the thing to listen on multiple interfaces, instead of just the one, I had to hack on the /etc/init.d/snortd script, and add:

INTERFACE="-i ALL"

immediately following the if block that set INTERFACE to various other things. Once again, I’m sure there’s a *right* way to do that, but this worked. Working code, rough consensus, etc.