硬件基本环境:
系统:CentOS release 5.2_x86_64
CPU: Intel(R) Xeon(TM) CPU 2.80_X3
内存:2G
snort有三种工作模式介绍:
嗅探器: 就是把抓取的信息显示到屏幕上,功能跟tcpdump一样
数据包记录:在嗅探的模式上增加了,把抓取信息记录到文件或者数据库等等
网络入侵检测系统:使用了-c snort.conf启动参数,在数据包记录上增加了规则匹配。新版的snort-3.0rc1 包含了新的工作模式,结合iptables自动定义防火墙规则。
这里选用了网络入侵检测系统模式
需要用到的软件包:
adodb507.tgz
base-1.4.1.tar.gz
mysql-5.0.77.tar.gz
httpd-2.0.63.tar.gz
php-5.2.9.tar.gz
snort-2.8.3.2.tar.gz
oinkmaster-2.0.tar.gz
libpcap-1.0.0.tar.gz
pcre-7.8.tar.gz
设定时间:
#yum install ntp
#crontab -e
0 23 * * * root /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1   (带用户名 root 这一列的格式只适用于 /etc/crontab;用 crontab -e 编辑时要去掉 root 这一列)
安装mysql、perl-DBD-mysql perl-DBI、apache、PHP (略)
#vi /usr/local/apache/conf/vhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
<Directory "/home/web/">
DirectoryIndex index.htm index.html index.php
Options None
AllowOverride none
Order allow,deny
Allow from all
</Directory>
ServerName wgcsnort.com
ServerAdmin [email protected]
DocumentRoot /home/web/
php_admin_value open_basedir "/tmp/php/:/home/web/"
ErrorLog "/var/log/apache-error.log"
CustomLog "/var/log/apache-access.log" combined
</VirtualHost>
安装snort
先安装libnet iptables-devel libpcap libpcap-devel pcre pcre-devel
#yum install libnet ->这两个可以不装
#yum install libnet-devel
#yum install iptables-devel
#yum install libpcap
#yum install libpcap-devel 或者源码最新包
./configure --prefix=/usr/local/libpcap
make && make install
#yum install pcre
#yum install pcre-devel 或者源码最新包
./configure --prefix=/usr/local/pcre
make && make install
添加用户:
#useradd -s /bin/false -M -c "snort user" snort
# tar -zxf snort-2.8.3.2.tar.gz
#cd snort-2.8.3.2
./configure --prefix=/usr/local/snort --with-mysql --enable-dynamicplugin --with-mysql-libraries=/usr/lib64/mysql/ --with-libpcre-includes=/usr/local/pcre/include/ --with-libpcre-libraries=/usr/local/pcre/lib/ --with-libpcap-includes=/usr/local/libpcap/include/ --with-libpcap-libraries=/usr/local/libpcap/lib/
--enable-flexresp2 可选参数
--enable-react
--enable-prelude
--enable-rulestate
--enable-timestats
--enable-perfprofiling
#make
#make install
安装rules 规则文件并配置snort
#tar -zxf snortrules-snapshot-CURRENT.tar.gz
里面会有4个目录 etc rules doc so_rules
#mkdir -pv /etc/snort
#mv rules /etc/snort
#mv doc /etc/snort
#cp -R etc/ /etc/snort/
修改主配置文件
vi /etc/snort/etc/snort.conf
var HOME_NET any -> var HOME_NET 192.168.9.0/24 监控的范围
output database: log, mysql, user=snort password=*********** dbname=snort host=localhost 连接数据库
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules 规则存放位置
include threshold.conf 定义了例外规则的一张列表
创建数据库
#mysqladmin -u root -p create snort
grant all on snort.* to root@localhost;
grant create,insert,select,delete,update on snort.* to snort@localhost identified by '*********';
flush privileges;
#cd snort-2.8.3.2/schemas
#mysql -usnort -pmatchalatte snort < create_mysql
安装 ADODB
tar -zxf adodb507.tgz
mv adodb5/ /home/web/adodb
安装BASE
tar -zxf base-1.4.1.tar.gz
mv base-php4/ base
base数据绘图的相关插件:
Image_Canvas-0.3.1.tgz
Image_Graph-0.7.2.tgz
Mail_Mime-1.5.2.tgz
Numbers_Roman-1.0.2.tgz
Image_Color2-0.1.4.tgz
Mail-1.2.0b1.tgz
Mail_mimeDecode-1.5.0.tgz
Numbers_Words-0.15.0.tgz
安装
#/usr/local/php/bin/pear install *.tgz
# ls /home/web/ 有这两个目录
adodb base
配置base web页面
cd /home/web/base
cp base_conf.php.dist base_conf.php
vi base_conf.php
所需要修改的内容包括:
$BASE_urlpath = "/base";
$DBlib_path = "/home/web/adodb/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "*****";
$archive_exists = 0; # Set this to 1 if you have an archive DB
http://192.168.9.12/base/ 登录继续配置
登录页面创建表后再次vi base_conf.php
$Use_Auth_System = 0; 改为$Use_Auth_System = 1;
配置snort-rules定时自动更新
#tar -zxf oinkmaster-2.0.tar.gz
#cd oinkmaster-2.0
#mkdir /etc/snort/back
#chown -R snort:snort /etc/snort/rules/ /etc/snort/back/
#cp oinkmaster.pl /usr/local/bin/
#chmod 755 /usr/local/bin/oinkmaster.pl
#cp oinkmaster.1 /usr/share/man/man1
#cp oinkmaster.conf /usr/local/etc/
#contrib/makesidex.pl /etc/snort/rules > autodisable.conf 生成sid号库
#mv makesidex.pl autodisable.conf /etc/snort/
#vi /usr/local/etc/oinkmaster.conf 修改配置文件
url=http://www.snort.org/pub-bin/oinkmaster.cgi/e6c4dd45b4df82d549590f8c1b19614461c2154e/snortrules-snapshot-CURRENT.tar.gz
这串字符是在snort注册帐号后取得的 ,就别用我这个了自己去申请一个
e6c4dd45b4df82d549590f8c1b19614461c2154e
url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
编写更新脚本
vi oinkweek.sh
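#!/bin/bash
# Weekly Snort rule update, run from the snort user's crontab.
# oinkmaster needs an existing, writable backup directory; the guide creates
# and chowns /etc/snort/back, so that is the directory passed to -b here
# (the earlier "/etc/snort/backup" did not match the directory that was created).
set -eu
OINKMASTER=/usr/local/bin/oinkmaster.pl
BACKUP_DIR=/etc/snort/back
if [ ! -d "${BACKUP_DIR}" ]; then
  echo "backup directory ${BACKUP_DIR} does not exist" >&2
  exit 1
fi
"${OINKMASTER}" \
  -C /usr/local/etc/oinkmaster.conf \
  -C /etc/snort/autodisable.conf -o /etc/snort/rules \
  -b "${BACKUP_DIR}" 2>&1
# To mail the report explicitly instead of relying on cron's own mail, pipe the
# command above into:
#| mail -s "oinkmaster" [email protected]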
定制计划任务周日更新规则库
# crontab -u snort -e
0 5 * * 0 /etc/snort/oinkweek.sh
编写snort启动脚本
vi snort
#!/bin/sh
# chkconfig: 345 99 98
# description: Snort NIDS DAEMON
# processname: snort
# Source function library
. /etc/rc.d/init.d/functions
# Binary, configuration tree and the unprivileged account snort drops to.
SNORT_PATH=/usr/local/snort/bin/snort
SNORTDIR=/etc/snort
SNORTUSER=snort
SNORTGROUP=snort
# Space-separated list of interfaces; one snort process is started per entry.
INTERFACES="eth0"
# No binary installed: nothing to manage, exit quietly.
if [ ! -f "${SNORT_PATH}" ]; then
  exit 0
fi
. /etc/sysconfig/network
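# Start one snort process per interface in INTERFACES.
# Globals: INTERFACES, SNORTDIR, SNORT_PATH, SNORTUSER, SNORTGROUP (read);
#          PIDDIR (optional, defaults to /var/run).
# A pid file whose process is still alive makes the interface be skipped;
# the original version printed "Skipping" but started a second snort anyway.
start ()
{
  for INT in ${INTERFACES}
  do
    PIDFILE="${PIDDIR:-/var/run}/snort_${INT}.pid"
    SNORTCONFIG="${SNORTDIR}/etc/snort.conf"
    if [ -f "${PIDFILE}" ]; then
      SPROC=$(cat "${PIDFILE}")
      # kill -0 sends no signal; it only tells whether the pid exists.
      if [ -n "${SPROC}" ] && kill -0 "${SPROC}" 2>/dev/null; then
        echo "Snort is still running ,Skipping"
        continue
      fi
      echo "Removing stale PID file"
      rm -f -- "${PIDFILE}"
    fi
    ifconfig "${INT}" up
    echo $"Starting snort service: "
    "${SNORT_PATH}" -dD -I -i "${INT}" -u "${SNORTUSER}" -g "${SNORTGROUP}" -c "${SNORTCONFIG}"
  done
}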
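# Stop the snort process recorded in each interface's pid file.
# Globals: INTERFACES (read); PIDDIR (optional, defaults to /var/run).
# An empty pid file or a pid that no longer exists is treated as stale: the
# file is removed without pretending a process was stopped.
stop ()
{
  for INT in ${INTERFACES}
  do
    PIDFILE="${PIDDIR:-/var/run}/snort_${INT}.pid"
    if [ -f "${PIDFILE}" ]; then
      SPROC=$(cat "${PIDFILE}")
      echo "Stopping snort pid ${SPROC}"
      if [ -z "${SPROC}" ] || ! kill "${SPROC}" 2>/dev/null; then
        echo "Snort pid ${SPROC} not running, removing stale PID file"
      fi
      rm -f -- "${PIDFILE}"
    else
      echo "Snort is not running"
    fi
  done
}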
# Dispatch on the init-script verb; anything unknown prints usage and fails.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    sleep 2
    start
    ;;
  *)
    echo $"Usage: snort {start|stop|restart}"
    exit 1
    ;;
esac
放到了 /etc/init.d/snort
#chmod +x snort
chkconfig --add snort
chkconfig --level 3 snort on
设定日志存放位置权限
#chown -R snort:snort /var/log/snort   (目录本身也要归 snort 所有;只改 /var/log/snort/* 的话,以 -u snort 运行的进程无法在目录里新建日志文件)
测试:
nmap.exe -T4 -A -sS 218.246.18.12
备份snort 数据库脚本
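#!/bin/sh
#----------------snort mysql-------------------
#date 2009/3/27
#----------------------------------------------
# Dump the "snort" database to a dated .sql file, pack it into
# ${Backdir}/<date>.tar.gz and prune archives older than 31 days.
set -eu
# The dump holds the whole alert database: make new files owner-readable only.
umask 077
Backdir="/home/mysqlback"
Date=$(date -I)
# Write the dump inside the backup directory so nothing is left in whatever
# working directory cron happens to start the script in.
Dumpfile=${Backdir}/mysql-${Date}.sql
Gzdumpfile=${Backdir}/${Date}.tar.gz
Mysqldump_path=/usr/bin/mysqldump
DBuser=root
# TODO(review): move this credential into a mode-0600 option file and pass it
# with --defaults-extra-file instead of keeping it in the script.
DBpwd=matchalatte
if [ ! -d "${Backdir}" ]; then
  mkdir -p -- "${Backdir}"
fi
# The password is handed over through MYSQL_PWD rather than -p<password>, so
# it is not visible in the process list while the dump runs.
# NOTE(review): --delete-master-logs discards binary logs after the dump;
# confirm no replica still needs them before keeping that option.
if MYSQL_PWD="${DBpwd}" "${Mysqldump_path}" -u "${DBuser}" snort --opt --flush-logs \
  --default-character-set=utf8 --extended-insert=false --triggers -R \
  --hex-blob --delete-master-logs -r "${Dumpfile}"; then
  rm -f -- "${Gzdumpfile}"
  # -C keeps the archive member name to just the file name, as before.
  tar -czf "${Gzdumpfile}" -C "${Backdir}" "$(basename -- "${Dumpfile}")"
  rm -f -- "${Dumpfile}"
fi
# Prune only the dated archives. The original "find | xargs rm -f {} \;" mixed
# the -exec syntax into xargs, so rm also received the literal "{}" and ";".
find "${Backdir}" -type f -name '*.tar.gz' -mtime +31 -exec rm -f -- {} +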
放到了/usr/local/bin/mysqlbackup.sh
自定义规则文件
vi exmple-zwcm.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:1000005; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i";classtype:Web-application-attack; sid:1000006; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/i";classtype:Web-application-attack; sid:1000007; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/((\%27)|(\'))union/i";classtype:Web-application-attack; sid:1000008; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/((\%27)|(\'))select/i";classtype:Web-application-attack; sid:1000009; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/((\%27)|(\'))insert/i";classtype:Web-application-attack; sid:1000010; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XSS Cross-site scripting attempt"; flow:to_server,established;uricontent:".php";pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i";classtype:Web-application-attack; sid:1000011; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XSS Cross-site scripting attempt"; flow:to_server,established;uricontent:".php";pcre:"/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/i";classtype:Web-application-attack; sid:1000012; rev:5;)
保存后放到snort规则目录,然后编辑/etc/snort/etc/snort.conf 加上
include $RULE_PATH/exmple-zwcm.rules
重启就可以了
自己也不懂入侵方法,只能写照着网上的常规入侵写这几个了,如果有熟悉渗透的,可以贡献点规则
最后再补上点
vi web-misc.rules 搜索robots.txt行关闭 配置关闭WEB-MISC robots.txt access 报错信息
vi web-misc.rules 配置关闭WEB-MISC IBM Lotus Domino Web Server Accept-Language header buffer overflow attempt 报错信息
;$BASE_Language = 'simplified_chinese'; 不要设置成中文 浏览器里无法显示页面
$BASE_Language = 'english';
Apache 配置文件加上下面这行(做完端口映射后外网就不通了,所以换为内网地址,包括ssh):
Listen 192.168.9.12:80
登录地址改为:
http://192.168.9.12/base/