snort是一个免费的基于libpcap的轻量级网络入侵检测系统。它能够跨系统平台操作,自带轻量级的入侵检测工具可以用于监视小型的TCP/IP网络,在进行网络监视时snort能够把网络数据和规则进行模式匹配,从而检测出可能的入侵企图,同时它也可以使用SPADE插件,使用统计学方法对网络数据进行异常检测,这些强大的检测功能为网络管理员对于入侵行为做出适当的反击提供了足够的信息。
首先需要下载mysql,apache,php,libpcap,adodb,snort,base等软件。
libpcap是unix/Linux平台下捕获网络数据包的函数库;
mysql是数据库,存放捕获的数据;
apache是web服务器;
php是网页脚本语言;
adodb为PHP提供数据库的支持(ADOdb is a database abstraction library for PHP);
base是基本的分析和安全引擎,它以ACID项目的代码为基础,提供web前端,查询和分析来自snort入侵检测系统的报警(BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system);apache和php的安装就是为base服务的。
安装mysql
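# Install MySQL from a binary tarball under /usr/local/mysql, running the
# daemon as the unprivileged `mysql` account.
groupadd mysql
useradd -g mysql mysql
tar -zxvf mysql-VERSION.tar.gz
# Absolute link target: the guide's relative `mysql-VERSION` only resolves
# when the tarball happens to be unpacked inside /usr/local.
ln -s "$PWD/mysql-VERSION" /usr/local/mysql
# Stop here if the cd fails; the recursive chown below must not run elsewhere.
cd /usr/local/mysql || exit 1
chown -R mysql:mysql .
# The guide's "–user" was a mis-encoded "--user".
bin/mysql_install_db --user=mysql
# Binaries owned by root; only the data directory stays writable by mysql.
chown -R root .
chown -R mysql data
bin/mysqld_safe --user=mysql &
# Sets the MySQL root password to "root", which the guide reuses later in
# base_conf.php. A password passed as an argument ends up in shell history
# and is visible in the process list while mysqladmin runs; use a strong
# value and prefer omitting it here so mysqladmin prompts for it.
/usr/local/mysql/bin/mysqladmin -u root password root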
安装apache
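# Build Apache 2.2.3 into /usr/local/apache with its configuration in /etc
# and DSO module support, which the PHP build (--with-apxs2) relies on.
# The subshell keeps the cd from leaking into the following steps; the
# guide's "–prefix" etc. were mis-encoded "--" options.
tar -zvxf httpd-2.2.3.tar.gz
(
  cd httpd-2.2.3 \
    && ./configure --prefix=/usr/local/apache --sysconfdir=/etc --enable-modules=so \
    && make \
    && make install
)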
安装php
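# Build PHP 5.2 and the libraries it is configured against (jpeg, freetype,
# zlib, libpng, gd, libxml2). Each package is built in a subshell so its cd
# does not leak: in the guide's flat sequence every tarball after the first
# was being extracted from inside the previous package's directory.
# Assumes all tarballs are in the current directory.
tar zxvf jpegsrc-6b.tar.gz
(
  cd jpeg-6b \
    && ./configure \
    && make \
    && mkdir -p /usr/local/man/man1 \
    && make install \
    && make install-lib
)
tar zxvf freetype-2.1.10.tar.gz
( cd freetype-2.1.10 && ./configure && make && make install )
tar zxvf zlib-1.2.3.tar.gz
( cd zlib-1.2.3 && ./configure && make && make install )
tar zxvf libpng-1.2.8-config.tar.gz
# libpng is built from its gcc/MMX makefile rather than ./configure, as in the guide.
( cd libpng-1.2.8-config && cp scripts/makefile.gcmmx makefile && make && make install )
tar zxvf gd-2.0.33.tar.gz
# NOTE(review): the guide copies gd.h into /usr/local/lib; headers normally
# live under an include directory — confirm this is what the PHP build needs.
( cd gd-2.0.33 && ./configure && make && make install && cp gd.h /usr/local/lib/ )
tar zxvf libxml2-2.6.22.tar.gz
( cd libxml2-2.6.22 && ./configure && make && make install )
# (the guide listed the libxml2 build twice; the duplicate is dropped)
tar zxvf php-5.2.tar.gz
# The guide's "–prefix" etc. were mis-encoded "--" options. php.ini must be
# placed where --with-config-file-path points (/etc); the guide copied it to
# /usr/local/php5/etc/php.ini, a location this build never reads.
(
  cd php-5.2 \
    && ./configure --prefix=/usr/local/php \
         --with-apxs2=/usr/local/apache/bin/apxs \
         --with-config-file-path=/etc \
         --enable-sockets \
         --with-mysql=/usr/local/mysql \
         --with-gd --with-ttf --with-zlib-dir --with-png-dir --with-jpeg-dir \
    && make \
    && make install \
    && cp ./php.ini-dist /etc/php.ini
)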
# Register PHP with Apache: add the LoadModule/AddType lines listed below to
# the httpd.conf that --sysconfdir=/etc placed here.
vi /etc/httpd.conf
=============================
+LoadModule php5_module modules/libphp5.so
+AddType application/x-httpd-php .php .phtml
+AddType application/x-httpd-php-source .phps
=============================
启动apache
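# Start Apache. The leading "#" in the guide was a root shell prompt, not a
# comment, and the control script is apachectl (the guide had "apachctl").
/usr/local/apache/bin/apachectl start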
安装libpcap
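# Build libpcap (Snort's capture library). The subshell keeps the cd from
# leaking, so the next tarball is extracted from the right directory.
tar -zxvf libpcap-0.9.5.tar.gz
( cd libpcap-0.9.5 && ./configure && make && make install )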
安装pcre
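# Build PCRE (bzip2 tarball). The subshell keeps the cd from leaking, so the
# Snort tarball that follows is extracted from the right directory.
tar jxvf pcre-7.8.tar.bz2
( cd pcre-7.8 && ./configure && make && make install )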
安装snort
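# Build Snort 2.6.1 with MySQL output support into /usr/local/snort, then seed
# its etc/ and rules/ directories. Run this from /usr/local/src: the cp lines
# below (and the schema path used when loading the database) expect the
# source tree at /usr/local/src/snort-2.6.1. The guide's "–prefix"/"–with-mysql"
# were mis-encoded "--" options.
tar zxvf snort-2.6.1.tar.gz
(
  cd snort-2.6.1 \
    && ./configure --prefix=/usr/local/snort --with-mysql=/usr/local/mysql/ \
    && make \
    && make install
)
cd /usr/local/snort || exit 1
# The rules snapshot is expected to have been placed in /usr/local/snort
# beforehand; it should unpack into rules/, matching RULE_PATH in snort.conf.
tar zxvf snortrules-snapshot-CURRENT.tar.gz
cp /usr/local/src/snort-2.6.1/etc/snort.conf /usr/local/snort/etc/
cp /usr/local/src/snort-2.6.1/etc/*.config /usr/local/snort/etc/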
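# Create the alert and archive databases and load Snort's MySQL schema into
# each. The statements are fed to the client on stdin instead of being typed
# into an interactive session; -p prompts for the MySQL root password.
# Snort and BASE later connect as root too; a dedicated account limited to
# these two databases would be the safer choice.
/usr/local/mysql/bin/mysql -u root -p <<'EOF'
create database snort;
create database snort_archive;
use snort;
source /usr/local/src/snort-2.6.1/schemas/create_mysql;
use snort_archive;
source /usr/local/src/snort-2.6.1/schemas/create_mysql;
EOF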
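# Create Snort's log directory (-p: no error if it already exists), then edit
# the configuration that was copied into /usr/local/snort/etc. The guide's
# bare `vi snort.conf` would create a new file in the current directory that
# the snort command at the end never reads.
mkdir -p /var/log/snort
vi /usr/local/snort/etc/snort.conf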
=============================
# Network to protect; replace 10.1.1.0/24 with the monitored subnet.
var HOME_NET 10.1.1.0/24
# Rules directory; the rules snapshot was unpacked under /usr/local/snort.
var RULE_PATH /usr/local/snort/rules
# Dynamic preprocessors and engine, as installed under --prefix=/usr/local/snort.
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
# Alert output to MySQL. Replace your_password with the real value and keep
# it consistent with base_conf.php. The guide connects as MySQL root; a
# dedicated account with only the rights Snort needs on dbname=snort is
# safer. Because this line holds a password, snort.conf should be readable
# only by the account that runs snort.
output database: alert, mysql, user=root password=your_password dbname=snort host=localhost
=============================
安装adodb
# Unpack ADOdb under /usr/local (BASE's $DBlib_path points at /usr/local/adodb).
mv -- adodb493a.gz /usr/local/
cd -- /usr/local/
tar -xzvf adodb493a.gz
安装base
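# Install BASE under the Apache document root. The archive unpacks into a
# versioned directory (base-1.1.2/ — verify with `tar tzf`); it is renamed
# to base/ so it is served at the /base URL path that base_conf.php sets in
# $BASE_urlpath, and the config template is copied from inside that
# directory (the guide copied it from htdocs, where it does not exist).
cp base-1.1.2.tar.gz /usr/local/apache/htdocs/
cd /usr/local/apache/htdocs || exit 1
tar zxvf base-1.1.2.tar.gz
mv base-1.1.2 base
cd base || exit 1
cp base_conf.php.dist base_conf.php
# base_conf.php will hold the MySQL credentials; after editing, make sure it
# is readable only by the user Apache runs as.
vi base_conf.php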
=================================
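// BASE settings for base_conf.php. The guide's curly quotes (“ ”) are not
// valid PHP string delimiters and make the file unparsable; plain double
// quotes are used here.
$BASE_urlpath = "/base";           // URL path under the Apache document root
$DBlib_path = "/usr/local/adodb";  // where adodb493a.gz was unpacked
$DBtype = "mysql";
$alert_dbname = "snort";           // database Snort writes alerts to
$alert_host = "localhost";
$alert_port = "";                  // left empty, as in the guide
// NOTE(review): the guide reuses the MySQL root account and the password set
// with mysqladmin; a dedicated least-privilege account for BASE is safer.
$alert_user = "root";
$alert_password = "root";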
=================================
# Install the PEAR packages BASE's graphs need, in the order the guide gives.
pear=/usr/local/php/bin/pear
pear_pkgs=(
  Image_Color-1.0.2.tgz
  Image_Canvas-0.3.0.tgz
  Numbers_Roman-1.0.1.tgz
  Numbers_Words-0.15.0.tgz
  Image_Graph-0.7.2.tgz
)
for pkg in "${pear_pkgs[@]}"; do
  "$pear" install "$pkg"
done
启动snort
# Start Snort with the edited configuration (no -D, so it stays attached to
# the terminal).
snort_home=/usr/local/snort
"$snort_home/bin/snort" -c "$snort_home/etc/snort.conf"