Installation steps
# yum install zlib*    // ships with RHEL5, no need to install
# yum install libpcap*    // ships with RHEL5, no need to install
# yum install -y *mysql*
# yum install -y *httpd*
# yum install -y *php*
# vim /etc/php.ini    // add the following lines
extension=mysql.so
extension=gd.so
// To test whether PHP works, put the following in /var/www/html/test.php //
<?php
phpinfo();
?>    // After starting the httpd service, open http://[your ip]/test.php in the browser; the page should display normally, and check that both the gd and mysql modules are enabled
# rpm -ivh /data/IDS/snort-2.8.6    // install Snort from the RPM package
# tar zxvf /data/IDS/snortrules-snapshot-2860.tar.gz -C /etc/snort/    // unpack the Snort rules; the rule snapshot version must match the Snort version, otherwise it breaks
# vim /etc/snort/snort.conf    // edit snort.conf
var HOME_NET 10.0.0.0/16    // the network segment to monitor
change "var RULE_PATH ./rules" to "var RULE_PATH /etc/snort/rule"
output database: log, mysql, user=snort password=your_password dbname=snort host=localhost    // switch log output to the database
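The three snort.conf edits above are easy to get subtly wrong (HOME_NET left at the default, a relative RULE_PATH, or the placeholder password left in the output line), and Snort only tells you when it starts. The following POSIX shell script is an added example, not part of the original post or of Snort itself: it writes a constructed snort.conf fragment and checks those three settings offline. The sample values, the temp file path and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity check of the
# snort.conf settings edited in the walkthrough. Paths/values are assumptions.

# Write a constructed snort.conf fragment to $1 using database password $2.
write_sample_conf() {
    cat > "$1" <<EOF
var HOME_NET 10.0.0.0/16
var EXTERNAL_NET any
var RULE_PATH /etc/snort/rule
output database: log, mysql, user=snort password=$2 dbname=snort host=localhost
include \$RULE_PATH/local.rules
EOF
}

# Print the value of a "var NAME value" line in $1, or nothing if absent.
conf_var() {
    sed -n "s/^[[:space:]]*var[[:space:]]\{1,\}$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Report each setting; return 0 only when every check passes.
check_snort_conf() {
    conf="$1"
    rc=0

    # HOME_NET must name the monitored segment, not the catch-all "any".
    home_net=$(conf_var "$conf" HOME_NET)
    case "$home_net" in
        ""|any) echo "HOME_NET: not set to a specific network (got '${home_net:-unset}')"; rc=1 ;;
        *)      echo "HOME_NET: $home_net" ;;
    esac

    # RULE_PATH must be absolute so it does not depend on the working directory.
    rule_path=$(conf_var "$conf" RULE_PATH)
    case "$rule_path" in
        /*) echo "RULE_PATH: $rule_path" ;;
        *)  echo "RULE_PATH: must be absolute (got '${rule_path:-unset}')"; rc=1 ;;
    esac

    # The database output line needs all four connection fields and a real password.
    dbline=$(grep '^[[:space:]]*output[[:space:]]\{1,\}database:' "$conf" | head -n 1)
    if [ -z "$dbline" ]; then
        echo "output database: line missing"; rc=1
    else
        for key in user password dbname host; do
            case "$dbline" in
                *"$key="*) ;;
                *) echo "output database: missing $key="; rc=1 ;;
            esac
        done
        case "$dbline" in
            *password=your_password*) echo "output database: placeholder password still in place"; rc=1 ;;
        esac
        echo "output database: $dbline"
    fi
    return $rc
}

# Demo on a constructed file; on a real sensor run: check_snort_conf /etc/snort/snort.conf
demo_conf=$(mktemp)
write_sample_conf "$demo_conf" 'your_password'
check_snort_conf "$demo_conf" || echo "demo: configuration needs fixes before starting snort"
rm -f "$demo_conf"
```

The checks are deliberately textual (sed/grep/case) so the script can run on the sensor host before Snort is started, without MySQL or a network interface being available.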
# mysql -u root -p    // enter MySQL to create the database and tables; the root password can be set beforehand with: /usr/bin/mysqladmin -u root password 123456
mysql> show databases;
mysql> create database snort;
Query OK, 1 row affected (0.00 sec)
mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('123456');
mysql> exit
mysql> use snort    // log back into mysql first
Database changed
mysql> source /usr/share/snort-2.8.6/schemas/create_mysql    // create the schema tables
mysql> show tables;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
16 rows in set (0.01 sec)
# snort -c /etc/snort/snort.conf    // if a pig drawn in ASCII characters appears, Snort is working and you can quit with Ctrl-C; if Snort exits abnormally, check the correctness of the configuration above.
# cp -r /data/IDS/adodb5 /var/www/html/    // adodb5 is already unpacked, so copy it over directly
# tar zxvf /data/IDS/jpgraph-3.0.7.tar.gz -C /var/www/html/jpgraph/    // unpack the charting helper library
# rm /var/www/html/jpgraph/README
# tar zxvf /data/IDS/acid-0.9.6b23.tar.gz -C /var/www/html/    // ACID is the intrusion detection console
# vim /var/www/html/acid/acid_conf.php    // edit acid_conf.php and change the relevant settings as follows
$DBlib_path = "/var/www/html/adodb5";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "123456";
/* Archive DB connection parameters */
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "123456";
And a little further down
$ChartLib_path = "/var/www/html/jpgraph/src/";
/* File format of charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";
http://yourhost/acid/acid_main.php    // open the web interface:
Click the "Setup Page" link -> Create Acid AG
------------------------------------------------------------
Q1 ## This produced the error "Database ERROR: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)"
Fix: edit /etc/my.cnf:
[mysqld]
datadir=/usr/local/mysql/data
socket=/var/lib/mysql/mysql.sock
[mysql.server]
user=mysql
basedir=/usr/local/mysql
If there is not currently a section called [client], add one at the bottom of the file and copy the socket= line under the [mysqld] section such as:
[client]
socket=/var/lib/mysql/mysql.sock ##
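The Q1 fix comes down to making the socket= path under [client] match the one under [mysqld], since the mysql client and the PHP front end connect through that socket. As an added example (not from the original post), this POSIX shell script reads the socket= value from each section of a constructed my.cnf, reports whether they agree, and appends a [client] section copying the [mysqld] value when none exists. The sample file contents, the temp path and the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): keep the [client] socket path in
# my.cnf consistent with [mysqld]. The sample my.cnf is constructed for the demo.

# Write a constructed my.cnf without a [client] section to $1.
write_sample_mycnf() {
    cat > "$1" <<'EOF'
[mysqld]
datadir=/usr/local/mysql/data
socket=/var/lib/mysql/mysql.sock

[mysql.server]
user=mysql
basedir=/usr/local/mysql
EOF
}

# Print the socket= value under section $2 of file $1 (empty if absent).
section_socket() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { insect = ($0 == want); next }
        insect && /^[ \t]*socket[ \t]*=/ {
            sub(/^[ \t]*socket[ \t]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Return 0 when the [client] socket equals the [mysqld] socket, 1 otherwise.
client_socket_ok() {
    srv=$(section_socket "$1" mysqld)
    cli=$(section_socket "$1" client)
    [ -n "$srv" ] && [ "$srv" = "$cli" ]
}

# Append a [client] section that copies the [mysqld] socket, unless one exists.
ensure_client_section() {
    srv=$(section_socket "$1" mysqld)
    [ -n "$srv" ] || { echo "no socket= under [mysqld] in $1" >&2; return 1; }
    if grep -q '^[[:space:]]*\[client\]' "$1"; then
        return 0
    fi
    printf '\n[client]\nsocket=%s\n' "$srv" >> "$1"
}

# Demo on a constructed file; on a real host run these against /etc/my.cnf.
demo=$(mktemp)
write_sample_mycnf "$demo"
client_socket_ok "$demo" || echo "before: [client] socket missing or different from [mysqld]"
ensure_client_section "$demo"
client_socket_ok "$demo" && echo "after: [client] socket = $(section_socket "$demo" client)"
rm -f "$demo"
```

If a [client] section already exists but points elsewhere, the script reports the mismatch and leaves the file alone rather than silently rewriting it; that case needs a human decision about which path is the right one.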
Q2 ## The Create ACID AG button on the web page does nothing. I worked around it with a clumsy method: install BASE (Basic Analysis and Security Engine) as well, let BASE create the ACID_AG tables, and then click the Create ACID AG button. (As for why ACID cannot create them, I read and searched a great deal online and never found a direct answer; possibly it is because I did not compile and install Snort from the source package, so I had to live with it.) ##
Additional notes:
The MySQL user name in both snort.conf and acid_conf.php must be snort.
Still using BASE-1.4.5; change the permissions of the BASE directory to 777. base_conf.php.dist must be copied to base_conf.php to serve as BASE's configuration file.
Use the BASE web page to initialise the database: enter http://[your ip]/base-1.4.5 in the browser; it goes to the configuration page automatically, and you just fill in the relevant values.