为公司信息安全要求,上周配置了一台网络***检测系统(NIDS),今天把安装过程记录下来,供自己和其它朋友们以后参考。
关于本NIDS成功安装及本文的形成,我参考了很多网上的相关文档,具体文档略,不过非常感谢各位前辈们的无私奉献。
一、安装环境
操作系统:Red Hat Enterprise Linux 5.4
数据库:MySQL:mysql-5.1.46
Web服务器:Apache:httpd-2.2.15
WEB语言:PHP:php-5.2.13
二、安装MySQL
软件包mysql-5.1.46.tar.gz
下载地址http://dev.mysql.com/downloads/mysql/
# tar -zxvf mysql-5.1.46.tar.gz //解压缩
# cd mysql-5.1.46 //进入解压缩后的文件目录
# ./configure --prefix=/usr/local/mysql \ //设定安装目录
--enable-thread-safe-client \ //编译线程安全版的客户端库
--without-debug \ //关闭debug功能
# make //编译
# make install //安装
# /usr/local/mysql/bin/mysql_install_db //初始化授权表
# chown –R root /usr/local/mysql //文件属性改为root用户
# chgrp –R root /usr/local/mysql //文件属性改为root用户所属组
# /usr/local/mysql/bin/mysqld_safe --user=root & //启动MySQL
# /usr/local/mysql/bin/mysqladmin –u root password ‘123456’ //修改root用户的密码为123456
注:如果接下来在安装Snort后进行配置测试时提示无法找到以下文件:libmysqlclient.so.16和mysql.sock
请按照以下方法解决:
1、libmysqlclient.so.16:
方法1 # vi /etc/ ld.so.conf 向此文件添加以下两行内容
/usr/local/mysql/lib/mysql
/usr/local/lib
保存ld.so.conf退出
# ldconfig
方法2 # ln –s /usr/local/mysql/lib/mysql/libmysqlclient.so.16 /usr/local/lib/libmysqlclient.so.16
2、mysql.sock:
ln –s /var/lib/mysql/mysql.sock /tmp/mysql.sock
三、安装Apache
软件包httpd-2.2.15.tar.gz
下载地址http://httpd.apache.org/download.cgi
# tar -zxvf httpd-2.2.15.tar.gz
# cd httpd-2.2.15
# ./configure --prefix=/usr/local/apache --enable-module=most --enable-shared=max –enable-so
# make
# make install
# /usr/local/apache/bin/apachectl start //启动MySQL
四、安装PHP
软件包php-5.2.13.tar.gz
下载地址http://www.php.net/downloads.php
# tar -zxvf php-5.2.13.tar.gz
# cd php-5.2.13
# ./configure –prefix=/usr/local/php \
–with-mysql=/usr/local/mysql --with-apxs2=/usr/local/apache/bin/apxs --with-zlib --with-gd --enable-sockets –disable-debug
# make
# make install
# cp php.ini-dist /usr/local/php/lib/php.ini
五、配置Apache
服务的httpd.conf
文件及测试
1、编辑/usr/local/apache/conf/httpd.conf文件
在DirectoryIndex后添加index.php
在AddType application后面添加以下两行
AddType application/x-httpd-php .php
AddType applicatoin/x-httpd-php-source .phps
2、重启apache
# /usr/local/apache/bin/apachectl restart
3、测试
写个index.php文件放入主页所在目录
内容如下:
phpinfo();
?>
在浏览器中输入http://服务器IP/
如果有php的信息,则说明apache+php+mysql配置成功了,注意 gd和mysql的支持信息
六、安装snort
1、安装pcre
软件包pcre-8.02.tar.gz
下载地址http://sourceforge.net/projects/pcre/files/
# tar –zxvf pcre-8.02.tar.gz
# cd pcre-8.02
# ./configure
# make
# make install
2、安装snort
软件包snort-2.4.5.tar.gz
下载地址http://down1.chinaunix.net/distfiles/snort-2.4.5.tar.gz
# tar -zxvf snort-2.4.5.tar.gz
# cd snort-2.4.5
# ./configure --with-mysql
# make
# make install
# mkdir /etc/snort //建立snort目录
# cd etc
# cp * /etc/snort //拷贝配置文件
3、安装snort rules
软件包snortrules-pr-2.4.tar.gz
下载地址http://down1.chinaunix.net/distfiles/snortrules-pr-2.4.tar.gz
# tar -zxvf snortrules-pr-2.4.tar.gz
# cd rules
# mkdir /etc/snort/rules //建立snort规则目录
# mkdir /var/log/snort //建立snort日志目录
# cp * /etc/snort/rules //拷贝规则
4、编辑/etc/snort/snort.conf文件
更改var HOME_NET 192.168.6.0/24 //你的实际工作网段
更改”var RULE_PATH ../rules” 为 “var RULE_PATH /etc/snort/rules”
把下面一行前面的#去掉,并改为
output database: log,mysql, user=root password=mysql密码 dbname=snort host=localhost
把以下11行前面的#号都删除
# include ?$RULE_PATH/web-attacks.rules
# include ?$RULE_PATH/backdoor.rules
# include ?$RULE_PATH/shellcode.rules
# include ?$RULE_PATH/policy.rules
# include ?$RULE_PATH/porn.rules
# include ?$RULE_PATH/info.rules
# include ?$RULE_PATH/icmp-info.rules
include ?$RULE_PATH/virus.rules
# include ?$RULE_PATH/chat.rules
# include ?$RULE_PATH/multimedia.rules
# include ?$RULE_PATH/p2p.rules
保存退出
七、建立snort
数据库及检查数据库和数据结构
1、建立snort数据库
mysql> create database snort;
mysql> grant INSERT,SELECT on snort.* to root@localhost;
mysql> exit
# mysql –u root -p < /usr/local/snort-2.4.5/schemas /create_mysql snort //为snort建立数据表
2、检查数据库和数据结构
# mysql -u root -p
Enter password: //
输入
root
密码
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.46 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| snort |
| test |
+--------------------+
4 rows in set (0.02 sec)
mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
16 rows in set (0.00 sec)
看到上面的表就成功了
八、安装配置和测试acid
1、软件包acid-0.9.6b23.tar.gz
下载地址http://acidlab.sourceforge.net/
软件包adodb511.tgz
下载地址http://sourceforge.net/projects/adodb/files/
软件包jpgraph-1.16.tar.gz
下载地址http://sourceforge.net/projects/jpgraph/files/
2、安装acid及相关支持文件
把acid-0.9.6b23.tar.gz,adodb511.tgz,jpgraph-1.16.tar.gz放入网站根目录下,我这里是/usr/local/apache/htdocs
# cd /usr/local/apache/htdocs
# tar -zxvf jpgraph-1.16.tar.gz
# tar -zxvf adodb511.tgz
# mv jpgraph-1.16 jpgraph
# mv adodb5 adodb
# tar -zxvf acid-0.9.6b23.tar.gz
3、编辑/usr/local/apache/htdocs/acid/acid_conf.php
把“?$DBlib_path = ";” 改成“?$DBlib_path = "/usr/local/apache/htdocs/adodb”
?$alert_dbname = "snort";
?$alert_host = "localhost";
?$alert_port = "";
?$alert_user = "root";
?$alert_password = "test"; //改成你的数据库密码
?$archive_dbname = "snort";
?$archive_host = "localhost";
?$archive_port = "";
?$archive_user = "root";
?$archive_password = "test” //改成你的数据库密码
把“?$ChartLib_path = ";” 改成“?$ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";”
保存退出
4、配置测试
重启apache
# /usr/local/apache/bin/apachectl restart
运行snort把数据写入mysql
# snort -c /etc/snort/snort.conf
在浏览器中输入
http://你的主机地址/acid/acid_main.php,点"Setup Page"链接 ->Create Acid AG
然后再访问http://你的主机地址/acid/ ACID界面出现
用一些扫描工具对主机进行扫描,将产生警告记录,访问acid,可查看记录
RHEL5.4
下Apache+php+MySQL+Snort+acid
配置完成,帖几张图片秀一下