snort+base搭建IDS入侵检测系统

Snort是美国Sourcefire公司开发的发布在GPL v2下的IDS(Intrusion Detection System)软件

Snort有 三种工作模式:嗅探器、数据包记录器、网络入侵检测系统模式。嗅探器模式仅仅是从网络上读取数据包并作为连续不断的流显示在终端上。数据包记录器模式把数 据包记录到硬盘上。网路入侵检测模式分析网络数据流以匹配用户定义的一些规则,并根据检测结果采取一定的动作。网络入侵检测系统模式是最复杂的,而且是可 配置的。

Snort可以用来监测各种数据包如端口扫描等之外,还提供了以XML形式或数据库形式记录日志的各种插件。

Snort作为常见的支持分布式的网络入侵检测系统(NIDS),能够进行实时网络流量分析并记录各类攻击行为和相关网络数据包。BASE(Basic Analysis and Security Engine)是基于PHP的广泛使用的一种高效Snort分析查询系统。虽然这两者配合安装配置有些复杂,但是因为其比较灵活,扩展性好,只要配置使用得当,也适合用来构建校园网入侵检测平台。

Snort 支持多种操作系统(Windows/Linux/Solaris等),源代码和安装包可以从 http://www.snort.org获取,由于Snort版本一直都在持续更新,以下介绍以 2.8.5 版本为例。综合性能和功能考虑,不建议在Windows下安装Snort。可以选择的Linux发行版本,推荐CentOS、Fedora、Redhat。虽然Snort都有 rpm 包提供,安装比较方便,不过从源代码编译会更加灵活和便于进行优化。

Snort的一些功能:
- 实时通讯分析和信息包记录
- 包装有效载荷检查
- 协议分析和内容查询匹配
- 探测缓冲溢出、秘密端口扫描、CGI攻击、SMB探测、操作系统侵入尝试
- 对系统日志、指定文件、Unix socket或通过Samba的WinPopus 进行实时警
Snort有三种主要模式:信息包嗅探器、信息包记录器或成熟的侵入探测系统。遵循开发/自由软件最重要的惯例,Snort支持各种形式的插件、扩充和定制,包括数据库或是XML记录、小帧探测和统计的异常探测等。
信息包有效载荷探测是Snort最有用的一个特点,这就意味着很多额外种类的敌对行为可以被探测到。 
 

下载地址:
1.在http://www.snort.org/ 注册就可以下载到 snortrules-snapshot

2.在 http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/rules/ 可以下载到一个第三方的 rules 文件 rules.tar.gz,这个系列更新也比较频繁,snortrules-snapshot-2.8.tar.gz 是在51cto上下载的。

3.BASE 可以从http://sourceforge.net/projects/secureideas/ 获取版本或者用软件SnortCenter是一个基于Web的snort探针和规则管理系统,用于远程修改snort探针的配置,起动、停止探针,编辑、分发snort特征码规则。http://users.telenet.be/larc/download/

4.Adodb 可以从 http://sourceforge.net/projects/adodb/ 下载.ADODB 是 Active Data Objects Data Base 的简称,它是一种 PHP 存取数据库的中间函式组件


5.[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm //安装snort包出现依赖关系
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
        libpcap >= 0.4 is needed by snort-2.8.5.1-1.fc13.i686
        libpcap.so.1 is needed by snort-2.8.5.1-1.fc13.i686
        libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686


[root@localhost centos6]# rpm -q libpcap//查询libpcap没装
package libpcap is not installed


[root@localhost centos6]# yum -y install libpcap//安装libpcap包

[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm//在次安装snort出现两个依赖
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
        libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686

[root@localhost centos6]# yum -y install libgnutls26//安装libgnutls26包
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: centos.ustc.edu.cn
 * extras: centos.ustc.edu.cn
 * updates: centos.ustc.edu.cn
Setting up Install Process
No package libgnutls26 available.
Error: Nothing to do


[root@localhost centos6]# yum -y install gnutls//安装gnutls包
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.ustc.edu.cn
 * extras: centos.ustc.edu.cn
 * updates: centos.ustc.edu.cn
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package gnutls.i686 0:2.8.5-4.el6_2.2 set to be updated
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3) for package: gnutls-2.8.5-4.el6_2.2.i686
--> Processing Dependency: libtasn1.so.3 for package: gnutls-2.8.5-4.el6_2.2.i686
--> Running transaction check
---> Package libtasn1.i686 0:2.3-3.el6_2.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch          Version                    Repository     Size
================================================================================
Installing:
 gnutls            i686          2.8.5-4.el6_2.2            base          336 k
Installing for dependencies:
 libtasn1          i686          2.3-3.el6_2.1              base          239 k

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       0 Package(s)

Total download size: 575 k
Installed size: 1.4 M
Downloading Packages:
(1/2): gnutls-2.8.5-4.el6_2.2.i686.rpm                   | 336 kB     00:00     
(2/2): libtasn1-2.3-3.el6_2.1.i686.rpm                   | 239 kB     00:00     
--------------------------------------------------------------------------------
Total                                           1.7 MB/s | 575 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing     : libtasn1-2.3-3.el6_2.1.i686                              1/2 
  Installing     : gnutls-2.8.5-4.el6_2.2.i686                              2/2

Installed:
  gnutls.i686 0:2.8.5-4.el6_2.2                                                

Dependency Installed:
  libtasn1.i686 0:2.3-3.el6_2.1                                                

Complete!//完成安装。

[root@localhost centos6]# ls//显示当前目录
                                     libprelude-1.0.0-3.fc13.i686.rpm
adodb517.zip                         snort-2.8.5.1-1.fc13.i686.rpm
base-1.4.5.tar.gz                    snortcenter-v1.0-RC1.tar.gz
daq-1.1.1_rc-1.RHEL6.i386.rpm        snortrules-snapshot-2.8.tar.gz
libprelude-0.9.24.1-2.fc12.i686.rpm


[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm//安装snort出现依赖
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686
[root@localhost centos6]# rpm -ivh libprelude-1.0.0-3.fc13.i686.rpm //安装依赖包
warning: libprelude-1.0.0-3.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
Preparing...                ########################################### [100%]
   1:libprelude             ########################################### [100%]

[root@localhost centos6]# ls//查看当前目录
adodb4992.tgz                  libprelude-1.0.0-3.fc13.i686.rpm
adodb517.zip                   snort-2.8.5.1-1.fc13.i686.rpm
base-1.4.5.tar.gz              snortcenter-v1.0-RC1.tar.gz
daq-1.1.1_rc-1.RHEL6.i386.rpm  snortrules-snapshot-2.8.tar.gz

[root@localhost centos6]# rpm -ivh daq-1.1.1_rc-1.RHEL6.i386.rpm  //安装daq包

[root@localhost centos6]# rpm -ivh snort-mysql-2.8.5.1-1.fc13.i686.rpm //安装snort-mysql软件包支持mysql数据库,在设置/etc/snort/snort.conf配置output database参数的时候启动snort -c /etc/snort/snort.conf时候会出错

database: 'mysql' support is not compiled into this build of snort

ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm,
or Windows), then check for alternate builds that contains the necessary
'mysql' support.

If this build of snort was compiled by you, then re-run the
the ./configure script using the '--with-mysql' switch.
For non-standard installations of a database, the '--with-mysql=DIR'
syntax may need to be used to specify the base directory of the DB install.

See the database documentation for cursory details (doc/README.database).
and the URL to the most recent database plugin documentation.
Fatal Error, Quitting..

[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm //最后成功安装snort
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
Preparing...                ########################################### [100%]
   1:snort                  ########################################### [100%]

[root@localhost centos6]# cp -rf snortrules-snapshot-2.8.tar.gz /etc/snort/rules //拷贝snortrules到/etc/snort/rules目录下
 
[root@localhost centos6]# cd /etc/snort/rules //切换到snort目录

[root@localhost rules]# tar -zxvf snortrules-snapshot-2.8.tar.gz //解压tar.gz包。如果启动不了拷贝rules到/etc/rules里去。

[root@localhost snort]# service snortd start//启动snortd服务失败
Starting snort:                                            [FAILED]


[root@localhost ~]# cat /var/log/messages //查看messages错误


 14 02:47:53 localhost snort[2351]:     Ports:
Jul 14 02:47:53 localhost snort[2351]: #01122
Jul 14 02:47:53 localhost snort[2351]: 
Jul 14 02:47:53 localhost snort[2351]: FATAL ERROR: /etc/snort/snort.conf(616) Unknown preprocessor: "dcerpc2".//提示的错误找到snort.conf文件注释掉

# DCE/RPC 2 //注释掉下面两个dcerpc2.
#----------------------------------------
# See doc/README.dcerpc2 for explanations of what the
# preprocessor does and how to configure it.
#
#preprocessor dcerpc2
#preprocessor dcerpc2_server: default


[root@localhost ~]# service snortd start//最后启动成功
Starting snort:                                            [  OK  ]

[root@localhost ~]# snort -V//查看snort版本提示成功。

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.1 (Build 114)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

 

[root@localhost ~]# service snortd restart//重启成功
Stopping snort:                                            [  OK  ]
Starting snort:                                            [  OK  ]
[root@localhost ~]# service snortd status//查看snortd服务状态。
snort (pid 1677) is running...


[root@localhost centos6]# yum -y install mysql mysql-server httpd php php-mysql php-gd//安装mysql httpd php,如果不安装php-mysql会出现500内部服务器错误。


[root@localhost centos6]# mysqladmin -uroot password 123456//修改mysqladmin密码为123456


[root@localhost centos6]# cp -rf adodb517.zip base-1.4.5.tar.gz /var/www/html//拷贝adodb和base到/var/www/html目录下

[root@localhost centos6]# cd /var/www/html//切换到/var/www/html目录下

[root@localhost html]# ls//查看目录内容
adodb517.zip  base-1.4.5.tar.gz

[root@localhost html]# unzip adodb517.zip |tar -zxvf base-1.4.5.tar.gz //解压adodb和base包

[root@localhost html]# rm -rf adodb517.zip base-1.4.5.tar.gz //删除包

[root@localhost html]# ls//显示当前目录
adodb5  base-1.4.5
[root@localhost html]# mv adodb5 adodb//修改名字为adodb

[root@localhost html]# cp -rf base-1.4.5/* . //拷贝base目录所有内容到当前目录

[root@localhost html]# rm -rf base-1.4.5/  //删除base-1.4.5文件夹。

[root@localhost html]# rpm -ql snort//查看snort rpm包的路径。

/usr/share/doc/snort-2.8.5.1/create_mysql//创建mysql数据库文件create_mysql.

[root@localhost centos6]# mysql -uroot -p123456//进入mysql

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.61 Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;//查看当前数据库
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
3rows in set (0.00 sec)

mysql> create database snort;//创建snort数据库
mysql> create database snortarchive;//创建归档数据库。
Query OK, 1 row affected (0.00 sec)

mysql> use snort//进入snort数据库
Database changed
mysql> source /usr/share/doc/snort-2.8.5.1/create_mysql//创建数据库成功如下

Query OK, 0 rows affected (0.00 sec)
......

Query OK, 1 row affected (0.00 sec)//导入成功提示


mysql>grant all privileges on snort.* to snort@'localhost' identified by "snort";//给snort授权。

mysql> use snortarchive;//重新导入snortarchive数据库。
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> source /usr/share/doc/snort-2.8.5.1/create_mysql
//导入数据库。

6.打开ie8浏览器浏览http://ip/setup/index.php 出现config writeable no 错误直接chmod 777 /var/www/html就可以了默认为755只有读执行的权限所以错误。最后修改回来权限即可最好加上-R 参数。


Your PHP Logging Level is too high to handle the running of BASE!
Please set the 'error_reporting' variable to at least 'E_ALL & ~E_NOTICE' in your php.ini!
修改/etc/php.ini文件
error_reporting  =  E_ALL
改为:error_reporting = E_ALL & ~E_NOTICE

 填写adodb路径如下:

填写一些数据库信息如下:

创建base管理员账号和密码如下:

自动创建数据库如下:

 

软件没有主动在/var/www/html目录下创建base_conf.php配置文件,只要自己创建一个base_conf.php复制以下内容,或者直接修改/var/www/html的权限即可自己创建。

 

成功安装base如下:

 

配置文件/etc/snort/snort.conf参考

[root@localhost snort]# cat snort.conf

var HOME_NET any

var EXTERNAL_NET any


var DNS_SERVERS $HOME_NET

var SMTP_SERVERS $HOME_NET

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET

var TELNET_SERVERS $HOME_NET

var FTP_SERVERS $HOME_NET

var SNMP_SERVERS $HOME_NET

portvar HTTP_PORTS 80


portvar SHELLCODE_PORTS !80

portvar ORACLE_PORTS 1521

portvar FTP_PORTS 21

var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

var RULE_PATH /etc/snort/rules

var PREPROC_RULE_PATH ../preproc_rules


dynamicpreprocessor directory /usr/lib/snort/dynamicpreprocessor/
dynamicengine /usr/lib/snort/dynamicengine/libsf_engine.so

 

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies overlap_limit 10

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                              track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes

 

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500


preprocessor rpc_decode: 111 32771

preprocessor bo


preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes


preprocessor smtp: \
  ports { 25 587 691 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }

preprocessor ssh: server_ports { 22 } \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch


preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow


preprocessor ssl: noinspect_encrypted, trustservers


output database: log, mysql, user=root password=123456 dbname=snort host=localhost


include classification.config

include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules

 编辑/etc/snort/snort.conf,开启下面两项,也可以使用snortrules配置文件中的/etc/snort.conf文件修改var RULE_PATH ,var PREPROC_RULE_PATH,output database: log, mysql, user=root password=123456 dbname=snort host=127.0.0.1,
include $RULE_PATH/local.rules   /* 可以灵活控制加载的入侵检测规则类别 */include threshold.conf   threshold.conf 实际上是定义了例外规则的一张列表,您可以通过修改这个文件来消除误报或者不关注的网络行为带来的大量告警信息。只要Snort源源不断地把入侵检测信息送入数据库,您就可以通过http://server ip来查看了解当前以及长期的网络入侵记录。启动Snort监测并把信息输出到Mysql数据库里
使用以下命令指定监测网卡和配置文件以及参数#PCAP_FRAMES=max snort -i eth0 -c /etc/snort.conf d -e

 snortd实质上=snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort 
直接:snort -b -d -c /etc/snort/snort.conf -l /var/log/snort -D   好用出数据
 

修改内容:具体情况分析修改,有些时候路径是正确的所以就不需要修改了。

output database: log, mysql, user=snort password=123456 dbname=snort host=localhost

# This example will create a rule type that will log to syslog and a mysql //这里去掉井号即可。
# database:
 ruletype redalert
 {
   type alert
   output alert_syslog: LOG_AUTH LOG_ALERT
   output database: log, mysql, user=snort dbname=snort host=localhost
 }

[root@localhost snort]# export PCAP_FRAMES=max//设置环境变量

安装gd后出现问题如下显示不了图形。

error loading the Graphing library:

Check your Pear::Image_Graph installation!


Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.

Make sure PEAR libraries can be found by php at all:

pear config-show | grep "PEAR directory"PEAR directory      php_dir     /usr/share/pear
This path must be part of the include path of php (cf. /etc/php.ini):

php -i | grep "include_path"include_path => .:/usr/share/pear:/usr/share/php => .:/usr/share/pear:/usr/share/php


[root@localhost snort]# yum -y install php-pear//安装php-pear

[root@localhost snort]# pear config-show|grep "PEAR directory"
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/modules/msql.so' - /usr/lib/php/modules/msql.so: cannot open shared object file: No such file or directory in Unknown on line 0
Binary file (standard input) matches
[root@localhost snort]# php -i |grep "include_path"
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/modules/msql.so' - /usr/lib/php/modules/msql.so: cannot open shared object file: No such file or directory in Unknown on line 0
include_path => .:/usr/share/pear:/usr/share/php => .:/usr/share/pear:/usr/share/php
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Asia/Chongqing' for 'CST/8.0/no DST' instead in Unknown on line 0


解决方法:
1.yum install php-pear
2.下载Canvas-0.3.0.tar.gz,  Image_Color-1.0.2.tar.gz,   Image_Graph-0.7.2.tar.gz

3利用pear install Canvas-0.3.0.tar.gz //安装即可

pear install Image_Color-1.0.2.tar.gz   

pear install Image_Graph-0.7.2.tar.gz


4./etc/init.d/httpd restart//重启apache.

 5.vi /etc/rc.local写入snort -c /etc/snort/snort.conf&//放在后台运行。

6.利用chkconfig来设置开启启动mysqld ,httpd,snortd//

7.最后把/var/www/html的权限修改一下chmod 755 -R /var/www/html,然后把/var/www/html/setup目录删除或者重命名或者移动保存即可。

最后测试base

windows平台利用nmap来扫描主机

C:\Documents and Settings\Administrator>nmap -sS 192.168.40.39 -O -v//扫描主机

Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-17 16:56 中国标准时间
Initiating ARP Ping Scan at 16:56
Scanning 192.168.40.39 [1 port]
Completed ARP Ping Scan at 16:56, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:56
Completed Parallel DNS resolution of 1 host. at 16:56, 0.00s elapsed
Initiating SYN Stealth Scan at 16:56
Scanning 192.168.40.39 [1000 ports]
Discovered open port 80/tcp on 192.168.40.39
Discovered open port 22/tcp on 192.168.40.39
Discovered open port 3306/tcp on 192.168.40.39
Completed SYN Stealth Scan at 16:56, 0.08s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.40.39
Nmap scan report for 192.168.40.39
Host is up (0.00s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:C8:62:CC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.24 - 2.6.35
Uptime guess: 0.003 days (since Tue Jul 17 16:52:28 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=195 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: C:\Program Files\Nmap
OS detection performed. Please report any incorrect results at http://nmap.org/
ubmit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.16 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 2030 (82.632KB)

全部警号为98

 在利用一次nmap扫描工具如下:

 全部警告为122了。

 

 




本文转自zh888 51CTO博客,原文链接:http://blog.51cto.com/zh888/932686,如需转载请自行联系原作者

你可能感兴趣的:(snort+base搭建IDS入侵检测系统)