snort 入侵检测

Snort 入侵检测系统
系统环境:RHEL6 x86_64,SELinux 与 iptables 均已关闭(仅限实验环境使用)
软件下载:http://www.snort.org
1. Snort 安装
yum install -y gcc mysql mysql-server mysql-devel flex bison pcre-devel libpcap-devel
rpm -ivh libdnet-1.12-6.el6.x86_64.rpm libdnet-devel-1.12-6.el6.x86_64.rpm
tar zxf daq-0.5.tar.gz
cd daq-0.5
./configure
make
make install
tar zxf snort-2.9.0.5.tar.gz
cd snort-2.9.0.5
./configure --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
make
make install
2. Snort 配置
mkdir /etc/snort
mkdir /var/log/snort
cd /etc/snort
tar zxf snortrules-snapshot-2905.tar.gz -C /etc/snort
cp etc/* /etc/snort
useradd -u 600 snort
chown snort:snort /var/log/snort
touch /var/log/snort/alert
chown snort:snort /var/log/snort/alert
chmod 600 /var/log/snort/alert
mkdir /usr/local/lib/snort_dynamicrules
cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.0.5/*.so /usr/local/lib/snort_dynamicrules
cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules
vi /etc/snort/snort.conf #修改如下行
var RULE_PATH /etc/snort/rules
#设置规则路径
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
output unified2: filename snort.log, limit 128
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
#去掉文件前的注释
ln -s /usr/local/bin/snort /usr/sbin/snort
cp /root/snort-2.9.0.5/rpm/snortd /etc/init.d/
cp /root/snort-2.9.0.5/rpm/snort.sysconfig /etc/sysconfig/snort
chmod +x /etc/init.d/snortd
vi /etc/sysconfig/snort
#ALERTMODE=fast
#DUMP_APP=1
#BINARY_LOG=1
#注释以下行
chkconfig snortd on
service snortd start
3. Mysql 配置
service mysqld start
mysql> create database snort;
mysql> grant all on snort.* to snort@localhost identified by 'snort';
mysql> flush privileges;
mysql snort < /root/snort-2.9.0.5/schemas/create_mysql
4. Barnyard 安装配置
tar zxf barnyard2-1.9.tar.gz
cd barnyard2-1.9
./configure --with-mysql --with-mysql-includes=/usr/include/mysql/ --with-mysql-libraries=/usr/lib64/mysql/
make
make install
cp etc/barnyard2.conf /etc/snort/
vi /etc/snort/barnyard2.conf #修改如下行
config hostname: localhost
config interface: eth0
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
vi /etc/sysconfig/barnyard2
LOG_FILE="snort.log"
CONF=/etc/snort/barnyard2.conf
cp rpm/barnyard2 /etc/init.d
vi /etc/init.d/barnyard2 #修改如下行
WALDO_FILE="$SNORTDIR/barnyard2.waldo"
BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
chmod 755 /etc/init.d/barnyard2
ln -s /usr/local/bin/barnyard2 /usr/sbin/
touch /var/log/snort/barnyard2.waldo
mkdir /var/log/barnyard2
service barnyard2 start
chkconfig barnyard2 on
5. Base 安装配置
yum install -y httpd php php-mysql php-pear php-gd
pear install --alldeps Image_Graph-0.8.0 Image_Canvas-0.3.3 Numbers_Words-0.16.2
tar zxf base-1.4.5.tar.gz -C /var/www/html
unzip adodb-511.tgz -d /var/www/html
cd /var/www/html
mv base-1.4.5 base
chown apache.apache base -R
vi /etc/php.ini
error_reporting = E_ALL & ~E_NOTICE
service httpd start
访问:
http://localhost/base
注:使用 nmap 扫描工具扫描本实验的 Snort 主机,查看 Base 前端是否检测到异常。
 
