CentOS 5.2 Snort + Iptables Linkage Configuration Explained

In a CentOS 5.2 environment:
wget http://ftp.netbsd.org/pub/NetBSD/packages/distfiles/snort-2.3.2.tar.gz
wget http://www.li.facens.br/~ricardo/redes/guardian-1.6.tar.gz
tar -xvf snort-2.3.2.tar.gz
tar -xvf guardian-1.6.tar.gz
cd snort-2.3.2
./configure && make && make install
After configure you may see:
checking for pcap_datalink in -lpcap... no

   ERROR! Libpcap library/headers not found, go get it from
   http://www.tcpdump.org
   or use the --with-libpcap-* options, if you have it installed
   in unusual place
Run: yum -y install libpcap libpcap-devel
If this appears: checking for pcre.h... no

   ERROR! Libpcre header not found, go get it from
   http://www.pcre.org
Run: yum -y install pcre pcre-devel
mkdir /etc/snort
cd /etc/snort
wget http://ftp.iasi.roedu.net/pub/packages/snort/pub-bin/downloads.cgi/Download/vrt_os/snortrules-snapshot-2.3.tar.gz

Configuring snort

1. First copy snort's configuration files snort.conf, reference.config, classification.config and unicode.map, plus the rules directory, to /etc/ and /etc/snort/rules

Create a snort configuration directory to hold the rules and the other files:
mkdir /etc/snort
cd /usr/local/src/snort-2.3.2
cp -r rules /etc/snort/
cd etc/
cp snort.conf /etc/
cp reference.config /etc/snort/reference.config
cp classification.config /etc/snort/classification.config
cp unicode.map /etc/snort/unicode.map

2. Edit
vi /etc/snort.conf
Change line 109 from
var RULE_PATH ../rules
to
var RULE_PATH /etc/snort/rules

Change line 577 from
include classification.config
to
include /etc/snort/classification.config

Change line 585 from
include reference.config
to
include /etc/snort/reference.config

Change lines 300-301 from
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
to
preprocessor http_inspect: global \
    iis_unicode_map /etc/snort/unicode.map 1252

Create the log directory
mkdir /var/log/snort


3. Give it a test

# snort -dev -i eth0 -c /etc/snort.conf


Installing guardian
Enter guardian's source directory
cd /usr/local/src/guardian-1.6
Copy the configuration file and the script files into place.
Create the file that will hold the IPs you want guardian to ignore:
echo > /etc/guardian.ignore
cp guardian.pl /usr/local/bin/
cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
cp guardian.conf /etc/guardian.conf

Configure guardian
vi /etc/guardian.conf

Line 13:
HostGatewayByte 1
Guardian's own log file (line 16):
LogFile         /var/log/guardian.log
Where guardian reads snort's alerts from; change line 21 from
AlertFile       /var/adm/secure
to
AlertFile       /var/log/snort/alert
The file holding the IPs you want to ignore (line 24):
IgnoreFile      /etc/guardian.ignore
Maximum time an IP stays blocked; 99999999 means no limit, 86400 means one day (line 28):
TimeLimit       86400

Testing snort and guardian working together
Create a rule file under /etc/snort/rules
vi /etc/snort/rules/my.rules
alert tcp any any -> any 112 (msg:"TCP Traffic";)
Add my.rules to snort.conf
vi /etc/snort.conf
Add at the end of the file (line 692):
include $RULE_PATH/my.rules

Test. To observe the result more clearly, first clear snort's log files:
cd /var/log/snort && rm -rf *

Now start the test:
snort -i eth0 -l /var/log/snort -c /etc/snort.conf
perl /usr/local/bin/guardian.pl -c /etc/guardian.conf
To watch what happens in real time:
tail -f /var/log/snort/alert      # snort's alert log is under /var/log/snort
tail -f /var/log/guardian.log     # guardian's log is under /var/log
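As an added example (not guardian's own code), the core of what guardian does with the settings above, written in Python: read the full-format alert file that snort -l writes, skip sources listed in the IgnoreFile, block each offending source once, and unblock it again once TimeLimit has elapsed. It assumes guardian_block.sh and guardian_unblock.sh take the offending IP as their first argument, and the alert sample is constructed.

```python
import re

# Constructed sample of Snort's default full-format alert file
# (/var/log/snort/alert), as the my.rules rule from this page would produce it.
SAMPLE_ALERT = """\
[**] [1:0:0] TCP Traffic [**]
[Priority: 0]
03/15-10:21:04.123456 192.0.2.10:4321 -> 198.51.100.5:112
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:0:0] TCP Traffic [**]
[Priority: 0]
03/15-10:21:05.000001 203.0.113.7:5555 -> 198.51.100.5:112
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
"""

# The packet-header line of a full-format alert: timestamp, then src[:port] -> dst[:port]
HEADER_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s")

def alert_sources(alert_text):
    """Return the source IP of every alert found in the alert-file text, in order."""
    return [m.group(1) for m in map(HEADER_RE.match, alert_text.splitlines()) if m]

class Blocker:
    """Guardian-like state: block each new source once, honour the ignore list, expire blocks."""

    def __init__(self, ignore, time_limit):
        self.ignore = set(ignore)      # IPs from /etc/guardian.ignore
        self.time_limit = time_limit   # TimeLimit from guardian.conf, in seconds
        self.blocked = {}              # ip -> time (seconds) the block was added

    def process(self, alert_text, now):
        """Return the block commands to run for every newly seen, non-ignored source."""
        cmds = []
        for ip in alert_sources(alert_text):
            if ip in self.ignore or ip in self.blocked:
                continue
            self.blocked[ip] = now
            cmds.append(f"/usr/local/bin/guardian_block.sh {ip}")   # assumed script interface
        return cmds

    def expire(self, now):
        """Return the unblock commands for blocks that have reached time_limit."""
        cmds = []
        for ip, added in list(self.blocked.items()):
            if now - added >= self.time_limit:
                del self.blocked[ip]
                cmds.append(f"/usr/local/bin/guardian_unblock.sh {ip}")
        return cmds
```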

snort service script
vi /etc/init.d/snort
********************
#!/bin/sh
#
# chkconfig: 2345 98 82
# description: Starts and stops the snort intrusion detection system
#
# config: /etc/snort.conf
# processname: snort

# Source function library
. /etc/rc.d/init.d/functions

BASE=snort
DAEMON="-D"
INTERFACE="-i eth0"
CONF="/etc/snort.conf"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0
# See how we were called.
case "$1" in
start)
        if [ -n "`/sbin/pidof $BASE`" ]; then
                echo -n $"$BASE: already running"
                echo ""
                exit $RETVAL
        fi
        echo -n "Starting snort service: "
        /usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
        sleep 1
        action "" /sbin/pidof $BASE
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
        ;;
stop)
        echo -n "Shutting down snort service: "
        killproc $BASE
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
        ;;
restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
status)
        status $BASE
        RETVAL=$?
        ;;
*)
        echo "Usage: snort {start|stop|restart|reload|status}"
        exit 1
esac

exit $RETVAL

chmod +x /etc/init.d/snort
chkconfig --add snort

* /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/guardian.conf
* Add the command above to /etc/rc.d/rc.local
With that, the setup is complete.
guardian sometimes exits on its own; the following script can work around that:
#!/bin/sh
/usr/local/bin/killguardian
/usr/local/bin/guardian.pl -c /etc/guardian.conf
exit 0
Save the script above as restartguardian and put it in /usr/local/bin.
Then run crontab -e and add the following line:
0 */6 * * * /usr/local/bin/restartguardian
Meaning: restart guardian every 6 hours (at minute 0 of hours 0, 6, 12 and 18).
Install the required Perl module first:
perl -MCPAN -e shell
install Proc::ProcessTable
Script: killguardian
#!/usr/bin/perl
# Kill the running guardian.pl process; requires the Perl module Proc::ProcessTable
# (available from http://www.cpan.org)
use strict;
use warnings;
use Proc::ProcessTable;

my $t = Proc::ProcessTable->new;
foreach my $p (@{$t->table}) {
    kill 9, $p->pid if $p->cmndline =~ /guardian\.pl/;
}
