Introduction:
In 1998, Martin Roesch developed the open-source intrusion detection system Snort in C. Today Snort has grown into a powerful network intrusion detection/prevention system (NIDS/NIPS) that runs on multiple platforms, performs real-time traffic analysis and logs network IP packets. Snort is released under the GNU General Public License (GPL) and can be downloaded free of charge from the Internet. Snort is built on libpcap.
Snort system components: Snort consists of three major subsystems: the packet decoder, the detection engine, and the logging and alerting system.
Snort has three operating modes: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads packets off the network and displays them on the terminal as a continuous stream. Packet logger mode writes the packets to disk. Network intrusion detection mode is the most complex and is configurable: we can have Snort analyze network traffic against a set of user-defined rules and take a given action based on what it detects.
Below we walk through installing Snort on RedHat 5. Personally I found this fairly troublesome; the first install really took a long time. I am writing it up now for my own future reference and as material for anyone who is interested.
My hostname is localhost.example.com
# cat /etc/sysconfig/network | grep HOSTNAME
HOSTNAME=localhost.example.com
The IP address of this machine is 192.168.0.131
Source packages needed, and download locations for some of them
jpegsrc.v6b.tar.gz
http://download.chinaunix.net/down.php?id=10021&ResourceID=5095&site=1
pcre-8.01.tar.bz2
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
snort-2.8.0.1.tar.gz
http://www.hacker-soft.net/down.php?id=9438&url=1
snortrules-pr-2.4.tar.gz
http://download.chinaunix.net/download.php?id=19532&ResourceID=9733
base-1.2.6.tar.gz
http://sourceforge.net/projects/secureideas/files/
Image_Color-1.0.3.tgz.gz
Image_Canvas-0.3.1.tgz.gz
Image_Graph-0.7.2.tgz.gz
adodb509a.tgz.gz
1. First, the following packages are installed on the host; some of them are only there to satisfy dependencies. I recommend installing them with yum, otherwise resolving the dependencies becomes a real headache.
libdbi-drivers-0.8.1a-1.2.2.i386.rpm
libdbi-dbd-mysql-0.8.1a-1.2.2.i386.rpm
libdbi-0.8.1-2.1.i386.rpm
perl-DBI-1.52-2.el5.i386.rpm
mysql-5.0.77-3.el5.i386.rpm
libtool-ltdl-1.5.22-6.1.i386.rpm
php-pdo-5.1.6-23.2.el5_3.i386.rpm
php-mysql-5.1.6-23.2.el5_3.i386.rpm
perl-DBD-MySQL-3.0007-2.el5.i386.rpm
php-common-5.1.6-23.2.el5_3.i386.rpm
mysql-connector-odbc-3.51.26r1127-1.el5.i386.rpm
unixODBC-2.2.11-7.1.i386.rpm
mysql-test-5.0.77-3.el5.i386.rpm
mysql-server-5.0.77-3.el5.i386.rpm
mysql-bench-5.0.77-3.el5.i386.rpm
mysql-devel-5.0.77-3.el5.i386.rpm
php-gd-5.1.6-23.2.el5_3.i386.rpm
php-pear-1.4.9-6.el5.noarch.rpm
php-devel-5.1.6-23.2.el5_3.i386.rpm
php-5.1.6-23.2.el5_3.i386.rpm
httpd-2.2.3-31.el5.i386.rpm
php-cli-5.1.6-23.2.el5_3.i386.rpm
libpcap-devel-0.9.4-14.el5.i386.rpm
pcre-devel-6.6-2.el5_1.7.i386.rpm
With the packages above installed, our Apache+PHP+MySQL stack is essentially complete.
2. Now let's test it. Edit /etc/httpd/conf/httpd.conf
and add the following line to it
AddType application/x-httpd-php .php
Create the file /var/www/html/test.php
with the following content
#/var/www/html/test.php
<?php
// Test only: connects as root with the MySQL root password set in step 7
$link = mysql_connect('localhost', 'root', '123456');
if (!$link) {
    echo "wrong!";
} else {
    echo "Hello Welcome to you!";
    mysql_close($link);   // only close a connection that was actually opened
}
?>
Then start our services
# service httpd start
Add them to the list of services started at boot
# chkconfig httpd on
# service mysqld start
# chkconfig mysqld on
Enter http://192.168.0.131/test.php in a browser
and we can see the following content
which shows that our Apache+PHP+MySQL stack is OK
3. We need an init script for Snort, with the following content:
# vim /etc/init.d/snort
Give the script execute permission and make it start automatically
# chmod 755 /etc/init.d/snort
# chkconfig snort on
4. Next, build and install jpegsrc
# tar zxvf jpegsrc.v6b.tar.gz
# cd jpeg-6b/
# mkdir -pv /usr/local/jpeg/{bin,lib,include,man,man/man1}
# ./configure --prefix=/usr/local/jpeg --enable-shared --enable-static
# make
# make install
Build and install pcre
# tar jxvf pcre-8.01.tar.bz2
# cd pcre-8.01
# ./configure
# make
# make install
Then build and install Snort
# tar -zxf snort-2.8.0.1.tar.gz
# cd snort-2.8.0.1
# ./configure --with-mysql --enable-dynamicplugin
# make
# make install
5. Create the Snort log and rules directories
# mkdir -pv /var/log/snort
# mkdir -pv /etc/snort/rules
Create the snort user and group
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
Copy all the generated configuration files into /etc/snort:
# cp etc/* /etc/snort/    (watch the path here: etc/ is the directory inside the unpacked snort-2.8.0.1 source tree)
Put the rules package snortrules-pr-2.4.tar.gz into the rules directory we just created and unpack it there
# tar -zxvf snortrules-pr-2.4.tar.gz -C /etc/snort/rules    (after doing this, do check the result)
6. Edit the Snort configuration file
# cp /etc/snort/snort.conf snort.conf.bak    (keep a backup)
Edit /etc/snort/snort.conf and make the following changes
# vim /etc/snort/snort.conf
var EXTERNAL_NET 192.168.0.0/24
var RULE_PATH /etc/snort/rules    (location of the rule files)
output database: log, mysql, user=root password=123456 dbname=snort host=localhost
7. Create the Snort database in MySQL
# mysqladmin -u root password '123456'
# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> SET PASSWORD FOR root@localhost=PASSWORD('123456');
Query OK, 0 rows affected (0.00 sec)
mysql> create database snort;
Query OK, 1 row affected (0.04 sec)
mysql> grant INSERT,SELECT on root.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('123456');
Query OK, 0 rows affected (0.00 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
Query OK, 0 rows affected (0.01 sec)
mysql> quit
Bye
8. Bulk-import the predefined tables that Snort needs into the snort database in MySQL
# mysql -u root -p < /usr/local/snort-2.8.0.1/schemas/create_mysql snort
Enter password:
[root@station4 ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
16 rows in set (0.00 sec)
mysql> \q
9. Install and configure BASE and the Image packages
# pear install Image_Color-1.0.3.tgz.gz
install ok: channel://pear.php.net/Image_Color-1.0.3
# pear install Image_Canvas-0.3.1.tgz.gz
install ok: channel://pear.php.net/Image_Canvas-0.3.1
# pear install Image_Graph-0.7.2.tgz.gz
pear/Image_Graph can optionally use package "pear/Numbers_Roman"
pear/Image_Graph can optionally use package "pear/Numbers_Words"
install ok: channel://pear.php.net/Image_Graph-0.7.2
10. Prepare for our installation
Extract adodb509a.tgz.gz into /var/www/
# tar zxvf adodb509a.tgz.gz -C /var/www/
Extract base-1.2.6.tar.gz into /var/www/html/
# tar zxvf base-1.2.6.tar.gz -C /var/www/html/
Rename the extracted base-1.2.6 directory
# mv base-1.2.6 base
11. Create and edit the configuration file:
# cd /var/www/html/base/
# cp base_conf.php.dist base_conf.php
# vi base_conf.php    and configure/modify the following entries
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb5/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "123456";
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB
12. Edit /etc/snort/rules/web-misc.rules
Comment out the following lines (97, 98, 452)
97 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;)
98 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)
452 #alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2;)
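Disabling rules by line number is fragile, because the numbering shifts with every rules update, so the added script below (not part of the original post) comments rules out by their sid instead; it uses a constructed excerpt in the shape of web-misc.rules as sample input, in which sid 1000001 is a made-up local rule.

```python
import re
import sys
from typing import Iterable, Optional, Set, Tuple

# Constructed excerpt in the shape of web-misc.rules; sids 1143, 1144 and 3545
# are the rules the walkthrough comments out, sid 1000001 is a made-up local rule.
SAMPLE_RULES = r"""# WEB-MISC rules (constructed excerpt)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"LOCAL constructed test rule"; flow:to_server,established; content:"/example"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2;)
"""

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def rule_sid(line: str) -> Optional[int]:
    """Return the sid of a single-line rule (active or commented out), else None.
    Rules continued over several lines with a trailing backslash are not handled."""
    body = line.lstrip().lstrip("#").lstrip()
    if not body.startswith(ACTIONS):
        return None
    m = SID_RE.search(body)
    return int(m.group(1)) if m else None

def disable_sids(text: str, sids: Iterable[int]) -> Tuple[str, Set[int]]:
    """Comment out every active rule whose sid is in `sids`.
    Returns the rewritten text and the set of sids actually disabled; rules that
    are already commented out are left untouched, so the operation is idempotent."""
    wanted = set(sids)
    out, disabled = [], set()
    for line in text.splitlines(keepends=True):
        sid = rule_sid(line)
        if sid in wanted and not line.lstrip().startswith("#"):
            out.append("# " + line)
            disabled.add(sid)
        else:
            out.append(line)
    return "".join(out), disabled

if __name__ == "__main__":
    # usage: python disable_sids.py /etc/snort/rules/web-misc.rules 1143 1144 3545
    path, sids = sys.argv[1], [int(s) for s in sys.argv[2:]]
    with open(path) as f:
        text = f.read()
    new_text, disabled = disable_sids(text, sids)
    with open(path, "w") as f:
        f.write(new_text)
    print("disabled:", sorted(disabled), "missing:", sorted(set(sids) - disabled))
```

The "missing" list in the output tells you when a sid you asked for is not in the file (already removed or renamed in a newer rule set), which silent line-number editing would never reveal.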
Start our Snort
# service snort start
Starting snort service: 31582
[ OK ]
Enter the following in a browser
http://192.168.0.131/base
and you will see the page below
Click Setup page to run the setup; clicking Setup page brings up the screen below
Click Create BASE AG and it is created successfully. Enter http://192.168.0.131/base/ in the browser again and you will see
which shows that our host's information is already being monitored. Now we can configure things; for example, click Search and you will see the content below, where we can set things up as needed
More detailed configuration you will have to research yourself!!! Off to bed, heh heh