Installing snort:
First, the full list of packages that need to be installed:
mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql
httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++
Anything I don't mention below was already installed on my machine.
First install mysql:
[root@station203 Server]# rpm -ivh perl-DBI-1.52-1.fc6.i386.rpm
[root@station203 Server]# rpm -ivh mysql-5.0.22-2.1.0.1.i386.rpm
[root@station203 Server]# rpm -ivh perl-DBD-MySQL-3.0007-1.fc6.i386.rpm
[root@station203 Server]# rpm -ivh mysql-server-5.0.22-2.1.0.1.i386.rpm
[root@station203 ~]# service mysqld start
Download (source tarball):
http://www.snort.org/dl/snort-2.8.4.1.tar.gz
And these are the rpm packages:
http://www.snort.org/dl/binaries/linux/snort-2.8.4.1-1.RH5.i386.rpm
http://www.snort.org/dl/binaries/linux/snort-mysql-2.8.4.1-1.RH5.i386.rpm
[root@station203 ~]# rpm -ivh snort-2.8.4.1-1.RH5.i386.rpm
Preparing... ########################################### [100%]
1:snort ########################################### [100%]
[root@station203 ~]# rpm -ivh snort-mysql-2.8.4.1-1.RH5.i386.rpm
Preparing... ########################################### [100%]
1:snort-mysql ########################################### [100%]
Edit the snort configuration file:
[root@station203 ~]# vim /etc/snort/snort.conf
var HOME_NET 192.168.1.0/24
output database: log, mysql, user=root password=jasonyy dbname=snort host=localhost
## Both lines already exist as templates in the file; just edit them to read as above. The user, password and dbname here must match the MySQL account that BASE is configured with later in base_conf.php. Logging as MySQL root also hands the snort output plugin full control of the database server; the dedicated snort user created below, which only has create/insert/select/delete/update on the snort database, is the safer account to put on this line.
## The lines below are commented out in the file; remove the leading # from each of them.
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
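Added example (mine, not from the original post): a small shell helper that does the uncommenting above and, more importantly, checks that every rules file an enabled include refers to actually exists under the rules directory, because a single missing file aborts snort at startup. The snort.conf fragment and rules directory it builds are constructed for the demo; the file names are taken from the include list above, and the helper works for any include line of the form include $RULE_PATH/<file>.

```shell
#!/bin/sh
# Added example, not from the original post. Enables "include $RULE_PATH/..."
# lines in a snort.conf and verifies that every enabled rules file exists,
# because snort refuses to start when an include points at a missing file.
# The config and rules directory built in demo() are constructed for the demo.

# enable_rule <snort.conf> <rules-file>
# Removes the leading "#" from the include line for that rules file.
enable_rule() {
    conf="$1"; name="$2"
    sed "s|^#[[:space:]]*include [$]RULE_PATH/$name|include \$RULE_PATH/$name|" "$conf" > "$conf.new" \
        && mv "$conf.new" "$conf"
}

# check_includes <snort.conf> <rules-dir>
# Prints each rules file that an active include refers to but that is not in
# <rules-dir>; returns 1 if any is missing, 0 if all are present.
check_includes() {
    conf="$1"; dir="$2"; missing=0
    for f in $(sed -n 's|^include [$]RULE_PATH/\([^[:space:]]*\).*|\1|p' "$conf"); do
        if [ ! -f "$dir/$f" ]; then
            echo "missing rules file: $dir/$f"
            missing=1
        fi
    done
    return $missing
}

# demo: a throwaway snort.conf and rules directory (constructed); enables two
# of the includes from the walkthrough, one of which has no rules file.
demo() {
    work=$(mktemp -d)
    mkdir "$work/rules"
    cat > "$work/snort.conf" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
EOF
    : > "$work/rules/local.rules"
    : > "$work/rules/web-attacks.rules"
    enable_rule "$work/snort.conf" web-attacks.rules
    enable_rule "$work/snort.conf" backdoor.rules   # no backdoor.rules was copied in
    check_includes "$work/snort.conf" "$work/rules"
    rc=$?
    rm -rf "$work"
    return $rc
}

if demo; then
    echo "every enabled rules file is present"
else
    echo "copy the missing rules files into the rules directory before starting snort"
fi
```

Run it against the real files with check_includes /etc/snort/snort.conf /etc/snort/rules after copying the rules tarball in; the demo deliberately enables backdoor.rules without providing the file so the failure path is visible.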
http://internetsecurityguru.com/snortinit/snort ## This is a snort init script; put it under /etc/init.d and then run
chkconfig --add snort; chkconfig snort on
## Note that I made a few small changes to this script: it was written for a snort built from source, while I took the shortcut of installing the rpm, so the paths inside it have to be adjusted.
[root@station203 ~]# mysqladmin -u root password '*****'
## Set the mysql root password to the password used in the snort configuration file.
[root@station203 ~]# mysql -u root -p
Enter password:
## Enter the password, log in to mysql, and create the snort database
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3 to server version: 5.0.22
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database snort;
Query OK, 1 row affected (0.00 sec)
mysql> source /usr/share/snort-2.8.4.1/schemas/create_mysql
ERROR 1046 (3D000): No database selected
ERROR 1046 (3D000): No database selected
## (the same error repeats once for every statement in the schema file)
## The import fails because "create database" does not make snort the current database, and every CREATE TABLE in the file needs one. Select the snort database first (connect snort, below) and then run the source command again.
mysql> connect snort
Connection id: 6
Current database: snort
mysql> grant create, insert, select ,delete,update on snort.* to snort;
Query OK, 0 rows affected (0.01 sec)
mysql> grant create, insert, select ,delete,update on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> set password for 'snort'@'localhost' = password('123');
Query OK, 0 rows affected (0.00 sec)
mysql> set password for 'snort'@'%' = password('123');
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
## The first grant (to snort with no host part) created 'snort'@'%', an account that accepts connections from any host. Snort and BASE both run on this machine and connect to localhost, so 'snort'@'localhost' is all that is needed and the '%' account can be dropped. The password set here (123) is the one that has to go into base_conf.php as $alert_password, and into the output database line of snort.conf if snort logs as this user.
mysql> source /usr/share/snort-2.8.4.1/schemas/create_mysql
Query OK, 0 rows affected (0.01 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.01 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.01 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.01 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.01 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 1 row affected (0.01 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
## The snort database now contains the schema tables (there should be 16 of them)
mysql> quit
Bye
## At this point the snort database is ready
[root@station203 httpd]# rpm -ivh /mnt/cdrom/Server/php-common-5.1.6-15.el5.i386.rpm
[root@station203 httpd]# rpm -ivh /mnt/cdrom/Server/php-cli-5.1.6-15.el5.i386.rpm
[root@station203 httpd]# rpm -ivh /mnt/cdrom/Server/php-5.1.6-15.el5.i386.rpm
[root@station203 httpd]# rpm -ivh /mnt/cdrom/Server/php-pdo-5.1.6-15.el5.i386.rpm
[root@station203 httpd]# rpm -ivh /mnt/cdrom/Server/php-mysql-5.1.6-15.el5.i386.rpm
## Install PHP
[root@station203 ~]# rpm -ivh /mnt/cdrom/Server/httpd-2.2.3-11.el5.i386.rpm
## With apache installed, configure user authentication.
[root@station203 html]# htpasswd -c /etc/httpd/conf/htpasswd admin ## create an http auth user named admin
New password:
Re-type new password:
Adding password for user admin
[root@station203 html]# vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/base">
AuthType Basic
AuthName "abc"
AuthUserFile /etc/httpd/conf/htpasswd
Require user admin
AllowOverride None
</Directory>
AddType application/x-tar .tgz
AddType application/x-httpd-php .php
AddType image/x-icon .ico
## Add these lines. The Directory path must be the directory BASE is actually served from (/var/www/html/base, where it is unpacked below); a block for /var/www/html/acid left over from the ACID days protects nothing, and the alert console would then be reachable without a password.
[root@station203 httpd]# chown apache.apache /etc/httpd/conf/htpasswd ## apache only needs to read this file; owning it as root with group apache and mode 640 is safer, since a compromised httpd could otherwise rewrite its own password file
[root@station203 httpd]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Installing and configuring ACID/BASE:
Download the following packages:
http://down1.chinaunix.net/distfiles/acid-0.9.6b23.tar.gz
http://down1.chinaunix.net/distfiles/adodb465.tgz
http://down1.chinaunix.net/distfiles/jpgraph-2.1.1.tar.gz
http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.2.6.tar.gz (this is the newer version of acid, renamed BASE)
http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz ## rules package
## The latest rules package can be downloaded from http://www.snort.org
[root@station203 ~]# tar zxvf snortrules-pr-2.4.tar.gz
[root@station203 ~]# cp rules/* /etc/snort/rules
[root@station203 ~]# cp base-1.2.6.tar.gz adodb465.tgz jpgraph-2.1.1.tar.gz /var/www/html/;cd /var/www/html
[root@station203 html]# tar zxvf base-1.2.6.tar.gz
[root@station203 html]# tar zxvf adodb465.tgz
[root@station203 html]# tar zxvf jpgraph-2.1.1.tar.gz
[root@station203 html]# mv jpgraph-2.1.1 jpgraph
[root@station203 html]# mv base-1.2.6 base
[root@station203 html]# cp base/base_conf.php.dist base/base_conf.php
[root@station203 html]# vim base/base_conf.php
$DBlib_path = "/var/www/html/adodb";
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'jasonyy';
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = 'jasonyy';
$ChartLib_path = "/var/www/html/jpgraph/src";
## Make all of the edits above. $alert_user and $alert_password must be the MySQL account that can read the snort tables: the snort user was given password 123 above while this file says jasonyy, so one of the two has to be changed so they match, or BASE cannot connect.
[root@station203 html]# service mysqld start
[root@station203 html]# service snort start
[root@station203 html]# service httpd start
## Start mysqld before snort: the mysql output plugin connects to the database when snort starts.
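Added example (not part of the original walkthrough): a shell check, worth running before pointing a browser at BASE, that the three files which must agree for Snort -> MySQL -> BASE to work actually do. It pulls user, password and dbname out of the output database line of snort.conf, compares them with $alert_user/$alert_password/$alert_dbname in base_conf.php, warns when snort logs as MySQL root, and confirms httpd.conf carries a <Directory> block for the directory BASE is served from. The sample files it builds are constructed, modelled on this walkthrough and including the two mistakes that are easy to make while following it: logging as root in snort.conf, and protecting /var/www/html/acid when BASE lives under /var/www/html/base.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Cross-checks the three
# files that have to agree for Snort -> MySQL -> BASE to work and be
# protected. All sample files built in demo() are constructed for the demo.

# snort_db_field <snort.conf> <key>
# Value of key=value on the "output database:" line (user, password, dbname, host).
snort_db_field() {
    sed -n "s/^output database:.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# php_var <base_conf.php> <name>
# Value of a line of the form  $name = 'value';  (single or double quotes).
php_var() {
    sed -n "s/^[$]$2[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# check_stack <snort.conf> <base_conf.php> <httpd.conf> <base-dir>
# Prints every problem found; returns 0 only if everything agrees.
check_stack() {
    sc="$1"; bc="$2"; hc="$3"; basedir="$4"; rc=0
    su=$(snort_db_field "$sc" user)
    sp=$(snort_db_field "$sc" password)
    sd=$(snort_db_field "$sc" dbname)
    bu=$(php_var "$bc" alert_user)
    bp=$(php_var "$bc" alert_password)
    bd=$(php_var "$bc" alert_dbname)
    # Snort only needs create/insert/select/delete/update on one database;
    # logging as root hands the output plugin the whole server.
    if [ "$su" = root ]; then
        echo "snort.conf logs as MySQL root; use the dedicated snort user"; rc=1
    fi
    [ "$su" = "$bu" ] || { echo "user mismatch: snort.conf=$su base_conf.php=$bu"; rc=1; }
    [ "$sp" = "$bp" ] || { echo "password mismatch between snort.conf and base_conf.php"; rc=1; }
    [ "$sd" = "$bd" ] || { echo "dbname mismatch: snort.conf=$sd base_conf.php=$bd"; rc=1; }
    # Basic auth only protects BASE if the Directory block names its real path.
    grep -q "<Directory \"$basedir\">" "$hc" ||
        { echo "httpd.conf has no <Directory \"$basedir\"> block: BASE is reachable without a password"; rc=1; }
    return $rc
}

# demo: constructed copies of the three files with the values a reader
# following the text literally might end up with.
demo() {
    work=$(mktemp -d)
    printf 'output database: log, mysql, user=root password=jasonyy dbname=snort host=localhost\n' > "$work/snort.conf"
    cat > "$work/base_conf.php" <<'EOF'
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'snort';
$alert_password = 'jasonyy';
EOF
    printf '<Directory "/var/www/html/acid">\n    AuthType Basic\n</Directory>\n' > "$work/httpd.conf"
    check_stack "$work/snort.conf" "$work/base_conf.php" "$work/httpd.conf" /var/www/html/base
    rc=$?
    rm -rf "$work"
    return $rc
}

if demo; then
    echo "snort.conf, base_conf.php and httpd.conf agree"
else
    echo "fix the problems listed above before starting snort"
fi
```

On a real box call check_stack /etc/snort/snort.conf /var/www/html/base/base_conf.php /etc/httpd/conf/httpd.conf /var/www/html/base; the demo reports the root login, the root-versus-snort user mismatch and the missing Directory block.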
Open http://192.168.1.203/base in a browser.
Enter the username and password (the http user).
You get figure 11.
Click setup page -> then the setup BASE AG button; figure 22 means it worked.
Go back to http://192.168.1.203/base
and you should see something like figure 33.
Testing the IDS (intrusion detection system)
# Scan the system with nmap, nessus, CIS or X-scan to generate alert records.
# View the records at http://yourhost/base (the console lives under /base as set up above, not /acid).
# That completes a capable IDS. You can log in to the web interface remotely to monitor the LAN the host sits on; since Basic auth sends the password in the clear, do that over https (mod_ssl is in the package list at the top) rather than plain http. phpMyAdmin or webmin can also be installed to manage the mysql database.
Installing ntop
[root@station203 ~]# wget http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
[root@station203 ~]# rpm --import RPM-GPG-KEY.dag.txt
[root@station203 ~]# vim /etc/yum.repos.d/ntop.repo
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag/
## I'm on rhel5, so for me this line becomes baseurl=http://apt.sw.be/redhat/el5/en/i386/dag/; adjust it for your own release and architecture
gpgcheck=1
enabled=1
[root@station203 ~]# yum install ntop -y
.............. omitted ..............
ntop i386 3.3.8-1.el5.rf dag 3.8 M
Installing for dependencies:
perl-rrdtool i386 1.2.30-1.el5.rf dag 49 k
rrdtool i386 1.2.30-1.el5.rf dag 951 k
.............. omitted ..............
## On my machine this pulled in these three packages; yours may differ.
[root@station203 ~]# vim /etc/ntop.conf
--interface eth0 ## the interface ntop sniffs on (ntop puts it into promiscuous mode)
--http-server 3000
--https-server 3001 ## just uncomment these two lines (http on 3000, https on 3001, matching the test URLs below)
[root@station203 ~]# /usr/bin/ntop @/etc/ntop.conf -A
Processing file /etc/ntop.conf for parameters...
Mon May 25 12:07:36 2009 NOTE: Interface merge enabled by default
Mon May 25 12:07:36 2009 Initializing gdbm databases
NOTE: --use-syslog, no facility specified, using default value. Did you forget the =?
ntop startup - waiting for user response!
Please enter the password for the admin user:
Please enter the password again:
## -A sets the admin password; ntop has a built-in admin account for its web interface
[root@station203 ~]# vim /etc/ntop.conf ## now go back and edit this again
--daemon ## uncomment this one too
[root@station203 ~]# chkconfig ntop on
[root@station203 ~]# service ntop start
## Here service ntop start failed for me, while starting ntop from the command line worked fine. Strange; after a lot of googling it turned out to be a bug in the init script of the yum-installed ntop package.
## The fix:
[root@station203 rules]# vim /etc/init.d/ntop
start () {
echo -n $"Starting $prog: "
daemon $prog @/etc/ntop.conf -d -L ## originally this line read: daemon $prog -d -L @/etc/ntop.conf
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
return $RETVAL
}
[root@station203 ~]# service ntop start
## That fixes it.
## Test: open https://192.168.1.203:3001/ or http://192.168.1.203:3000 in a browser
Both work, and ntop can now be used to watch all the packets on the network. Across the network use the https port; the admin password entered over port 3000 travels in the clear.