snort入侵检测

1. install package


snort-2.8.5.3.tar.gz
base-1.4.5.tar.gz
snortrules-snapshot-CURRENT.tar.gz
adodb4991.tgz

php-pear-Image_Graph-0.7.2-1.noarch.rpm
php-pear-Image_Canvas-0.3.1-1.noarch.rpm
php-pear-Image_Color-1.0.2-2mdv2008.0.noarch.rpm
php-pear-Numbers_Roman-1.0.2-3mdv2010.0.noarch.rpm

2. install process
<1>
# groupadd IDS
# useradd -G IDS snort

# for i in mysql mysql-bench mysql-server mysql-devel php php-mysql php-pear httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++ bison libpcap pcre tcpdump flex libpcap-devel libtool;do yum install -y $i;done

<2>
# mkdir /root/ids_packages
cp snort-2.8.5.3.tar.gz
   base-1.4.5.tar.gz
   snortrules-snapshot-CURRENT.tar.gz
   adodb4991.tgz

   php-pear-Image_Graph-0.7.2-1.noarch.rpm
   php-pear-Image_Canvas-0.3.1-1.noarch.rpm
   php-pear-Image_Color-1.0.2-2mdv2008.0.noarch.rpm
   php-pear-Numbers_Roman-1.0.2-3mdv2010.0.noarch.rpm
into /root/ids_packages

<3>
# cd /root/ids_packages
# tar xvf snort-2.8.5.3.tar.gz
# cd snort-2.8.5.3
# ./configure --with-mysql --enable-dynamicplugin
# make
# make install
# mkdir /etc/snort
# cp -ar etc/* /etc/snort
# cd /etc/snort

<4>
# cd /root/ids_packages
# tar xvf snortrules-snapshot-CURRENT.tar.gz
# cp -ar rules /etc/snort

<5>
# cd /etc/snort
# vi /etc/snort/snort.conf

change line 26 to  "var HOME_NET 192.168.0.0/24"
change line 53 to  "var EXTERNAL_NET any"
change line 120 to "var RULE_PATH /etc/snort/rules"
change line 121 to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"

<6>
# cp -ar /root/ids_packages/snort-2.8.5.3/preproc_rules /etc/snort
# ls /etc/snort/
attribute_table.dtd    Makefile.am       rules           unicode.map
classification.config  Makefile.in       sid-msg.map
gen-msg.map            preproc_rules     snort.conf
Makefile               reference.config  threshold.conf

<7>
# vi /etc/snort/snort.conf
change line 291 to  "preprocessor frag3_global"
change line 292 to  "preprocessor frag3_engine"
change line 302-305 to
    302 preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    303                               track_udp yes,track_icmp no
    304 preprocessor stream5_tcp: policy first, use_static_footprint_sizes
    305 preprocessor stream5_udp: ignore_any_rules

<8>
change line 696 to "output database: log, mysql, user=snort password=123456 dbname=snort host=localhost"

3. config Mysql
# service mysql start
# chkconfig mysqld on
<1>
# mysql
mysql> set password for
root@localhost=PASSWORD('uplooking');
mysql> create database snort;
mysql> grant insert,select on root.* to
snort@localhost;
mysql> set password for
snort@localhost=PASSWORD('123456');
mysql> grant create,insert,select,delete,update on snort.* to
snort@localhost;
mysql> grant create,insert,select,delete,update on snort.* to snort;
mysql> flush privileges;
mysql> exit;
Bye

<2>
# mysql -D snort -u root -p < /root/ids_packages/snort-2.8.5.3/schemas/create_mysql

<3>
# mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 18
Server version: 5.0.45 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| snort              |
| test               |
+--------------------+
4 rows in set (0.00 sec)

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| base_roles       |
| base_users       |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
22 rows in set (0.00 sec)

mysql>

4. build /etc/init.d/snort
# vi /etc/init.d/snort
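#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops the snort intrusion detection system
#
# config: /etc/snort/snort.conf
# processname: snort

# Source function library (provides action, killproc and status).
. /etc/rc.d/init.d/functions

BASE=snort
SNORT_BIN="/usr/local/bin/$BASE"
DAEMON="-D"
# Two words on purpose (option + value); expanded unquoted below.
INTERFACE="-i eth0"
CONF="/etc/snort/snort.conf"
# Drop root privileges after the capture socket is opened.  The snort
# account and the ownership of /var/log/snort are created in the
# install steps, so the daemon does not need to keep running as root.
RUNAS="-u snort -g snort"
LOCKFILE=/var/lock/subsys/snort

# Check that the snort binary exists.
[ -f "$SNORT_BIN" ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.  Quoted so that an unset NETWORKING
# yields a false test instead of a syntax error.
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0
# See how we were called.
case "$1" in
  start)
        if [ -n "$(/sbin/pidof "$BASE")" ]; then
                echo $"$BASE: already running"
                exit $RETVAL
        fi
        echo -n "Starting snort service: "
        # $INTERFACE, $DAEMON and $RUNAS are word-split on purpose.
        "$SNORT_BIN" $INTERFACE -c "$CONF" $RUNAS $DAEMON
        sleep 1
        # Success is judged by the daemon still being alive one second
        # later, not by the exit status of the forking parent.
        action "" /sbin/pidof "$BASE"
        RETVAL=$?
        [ "$RETVAL" -eq 0 ] && touch "$LOCKFILE"
        ;;
  stop)
        echo -n "Shutting down snort service: "
        killproc "$BASE"
        RETVAL=$?
        echo
        [ "$RETVAL" -eq 0 ] && rm -f "$LOCKFILE"
        ;;
  restart|reload)
        "$0" stop
        "$0" start
        RETVAL=$?
        ;;
  status)
        status "$BASE"
        RETVAL=$?
        ;;
  *)
        echo "Usage: snort {start|stop|restart|reload|status}"
        exit 1
        ;;
esac

exit "$RETVAL"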

5. mkdir /var/log/snort
# mkdir /var/log/snort
# chown -R snort.snort /var/log/snort

6. start snort
<1>
# service snort start
Starting snort service:  1775                     [  OK  ]

<2>
check snort.conf (run in the foreground to see any parse errors)
# snort -c /etc/snort/snort.conf

7. install BASE
<1>
# rpm -ivh php-pear-Image_Graph-0.7.2-1.noarch.rpm --nodeps
# rpm -ivh php-pear-Image_Canvas-0.3.1-1.noarch.rpm --nodeps
# rpm -ivh php-pear-Image_Color-1.0.2-2mdv2008.0.noarch.rpm
# rpm -ivh php-pear-Numbers_Roman-1.0.2-3mdv2010.0.noarch.rpm --nodeps

<2>
# cd /root/ids_packages
# tar xvf base-1.4.5.tar.gz -C /var/www/html/base
# cd /var/www/html/base
# cp base_conf.php.dist base_conf.php
# vi base_conf.php
change line 50 to  "$BASE_urlpath = '/base';"
change line 80 to  "$DBlib_path = '/var/www/adodb';"
change line 90 to  "$DBtype = 'mysql';"
change line 102-106 to
    $alert_dbname   = 'snort';
    $alert_host     = 'localhost';
    $alert_port     = '';
    $alert_user     = 'snort';
    $alert_password = '123456';

<3>
# cd /root/ids_packages
# tar xvf adodb4991.tgz -C /var/www/

<4>
# service httpd restart
# chkconfig httpd on

8. Use snort
In IE or Firefox, open: http://local-IP/base
Click "setup page"
  Successfully created 'acid_ag'
  Successfully created 'acid_ag_alert'
  Successfully created 'acid_ip_cache'
  Successfully created 'acid_event'
  Successfully created 'base_roles'
  Successfully INSERTED Admin role
  Successfully INSERTED Authenticated User role
  Successfully INSERTED Anonymous User role
  Successfully INSERTED Alert Group Editor role
  Successfully created 'base_users'

Now, flush the index ------ done
