一、运行环境
1.
平台:
Fedora 8 (IP Address: 192.168.221.133)
2.
所需软件:
报警
+
数据库:
snort-2.8.3.2tar.gz
snortrules-snapshot-2.6.tar.gz
mysql-5.0.77-linux-i686-icc-glibc23.tar.gz
create_mysql(script)
客户端显示:
apache_2.2.11.tar.gz
mod_ssl-2.8.16-1.3.29.tar.gz
php-5.2.0.tar.gz
acid-0.9.6b23.tar.gz
adodb507.tgz
jpgraph-2.3.4tar.gz
辅助管理工具:
webmin-1.220-1.noarch.rpm
Net_SSLeay.pm-1.30.tar.gz
snort-1.0.wbm(snort's webmin plugin)
3.
软件下载地址
snort-2.8.3.2tar.gz(http://www.snort.org)
snortrules-snapshot-2.6.tar.gz(http://www.snort.org)
mysql-5.0.77-linux-i686-icc-glibc23.tar.gz (http://www.mysql.com)
create_mysql script (http://cvs.sourceforge.net/viewcvs.py/snort/snort/contrib/)
apache2.2.11.tar.gz(http://www.apache.org)
php-5.2.0.tar.gz(http://www.php.net)
acid-0.9.6b23.tar.gz(http://acidlab.sourceforge.net)
adodb507.tgz(http://adodb.sourceforge.net/)
jpgraph-2.3.4tar.gz(http://www.aditus.nu/jpgraph/index.php)
webmin-1.220-1.noarch.rpm(http://www.webmin.com/)
Net_SSLeay.pm-1.30.tar.gz(http://symlabs.com/Net_SSLeay/)
snort-1.0.wbm (http://www.snort.org/dl/contrib/front_ends/webmin_plugin/)
二、安装
1.
准备
ssh root
登录
Fedora8
,将上述所需文件拷贝至
/home/wd/snort
相关
2.
安装
mysql
# groupadd mysql
# useradd -g mysql -d /usr/local/mysql/data -M mysql
# tar -zxvf mysql-5.0.27.tar.gz
# cd mysql-5.0.27
./configure --prefix=/usr/local/mysql \
指定安装目录
> --sysconfdir=/etc \
配置文件的路径
> --localstatedir=/usr/local/mysql/data \
数据库存放的路径
> --enable-assembler \
使用一些字符函数的汇编版本
> --with-mysqld-ldflags=-all-static \
以纯静态方式编译服务端
> --with-charset=gb2312 \
添加
gb2312
字符支持
> --with-extra-charsets=all
添加所有字符支持
# cd /usr/local/mysql
# chown -R root .
# chown -R mysql data
# chgrp -R mysql .
# scripts/mysql_install_db --user=mysql
# /usr/local/mysql/support-files/mysql.server start
3.
创建
snort
数据库
# /usr/local/mysql/bin/mysql
mysql>;
mysql>;set password for 'root'@'localhost'=password('123456');
mysql>;create database snort;
# /usr/local/mysql/bin/mysql -u root -p
mysql>;connect snort;
mysql>;source /usr/local/snort/schemas/create_mysql; //
指定
create_mysql
脚本的路径
mysql>;grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
mysql>;grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql>;connect mysql;
mysql>;set password for 'snort'@'localhost'=password('123456');
mysql>;set password for 'snort'@'%'=password('123456');
mysql>;flush privileges;
(别忘了以逗号结束)
mysql>; show tables;
将会有这些:
+------------------+
| Tables_in_snort |
+------------------+
| data
| detail
| encoding
| event
| flags
| icmphdr
| iphdr
| opt
| protocols
| reference
| reference_system
| schema
| sensor
| services
| sig_class
| sig_reference
| signature
| tcphdr
| udphdr
+------------------+
19 rows in set (0.00 sec)
mysql>;exit
4.
安装并启动
snort
# cd/home/wd/snort
相关
# tar -vxzf snort-2.8.3.2 tar.gz
# mv snort-2.8.3.2 /usr/local/snort
# cd /usr/local/snort
# ./configure --with-mysql=/usr/local/mysql
# make
# make install
# mkdir /var/snort
# mkdir /var/log/snort (
存放
snort
日志
)
# mkdir /etc/snort(
存放
rules)
# cd /home/wd/snort
相关
# tar -vxzf snortrules-pr-2.6.tar.gz
# mv rules /etc/snort
# mv doc /etc/snort
修改
/etc/snort/rules/snort.conf:
(1)
将
var RULE_PATH ../rules
一行注释掉
(2)
增加
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
(3)
修改
include
部分
include $RULE_PATH/bad-traffic.rules ->; include bad-traffic.rules
(and so on...)
启动
snort(example):
# snort -d -D -c /etc/snort/rules/snort.conf
补充:在安装
snort
的时候,会出现
libpcap/libpcre header not found
的问题下载
libpcap
,
libpcre
,
libnet
安装,如果出现其他的问题根据提示,
google
,
baidu
一般都可以找到。
5.
安装
apache
# cd /home/wd/snort/
相关
#tar -zvxf httpd-2.2.11.tar.gz
#cd httpd-2.2.11
#./configure --prefix=/usr/local/apache --enable-so
#make
#make install
安装完之后可以用命令
/usr/local/apache/bin/apachectl start
启动一下
apache
在网页地址栏输入
127.0.0.1
如果安装成功可以看到
It works
字样。
6.
安装
PHP
# cd /home/wd/snort
相关
# tar -vxzf php-5.2.tar.gz
# cd php-5.2.0
# ./configure \
--prefix=/usr/local/php \
--with-mysql=/usr/local/mysql \
--with-apxs=/usr/local/apache/bin/apxs \
--with-gd
--with-zlib
--enable-sockets
# make
# make install
#cp ./php.ini-dist /usr/local/php5/etc/php.ini
我在安装
php
时出现
cannot restorte segment prot...after reloc :Permission denied
goole
后,修改了
/etc/sysconfig
文件和
/etc/sysconfig
并用
chcon -t texrel_shlib_t
上面没有权限的文件
.so
把问题解决了。
7.
安装
acid+adodb+jpgraph
#
把
acid-0.9.6b23.tar.gz
、
adodb507.tgz
、
jpgraph-2.3.4tar.gz
放到网页根目录,我这里是默认的。
# cp a*.* /usr/local/apache/htdocs
# cp jpgraph-1.11.tar.gz /usr/local/apache/htdocs
# tar zxvf adodb330.tgz
# tar zxvf jpgraph-1.11.tar.gz
# mv jpgraph-1.11 jpgraph
# tar zxvf acid-0.9.6b23.tar.gz
# cd acid
# vi acid_conf.php
#
把
“$DBlib_path = "";”
改成
“$DBlib_path = "/usr/local/apache/htdocs/adodb"”
# $alert_dbname = "snort_log"; //
改成
snort
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "123456"; //
改成你的数据库密码
/* Archive DB connection parameters */
$archive_dbname = "snort_archive"; //
改成
snort
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "123456";” //
改成你的数据库密码
#
把
“$ChartLib_path = "";”
改成
“$ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";”
#
修改完毕后,保存退出。
写一个
snort
规则
# cd /usr/local/
# vi snort.sh
#!/bin/sh
snort -d -h 192.168.0.0/24 -l /var/log/snort -c /etc/snort/snort.conf -i eth0 -A full
#
保存退出。
# chmod 755 snort.sh
启动服务
# /usr/local/mysql/support-files/mysql.server start
# cd /usr/local/mysql/
# vi mysql_start.sh
(编写启动脚本)
#!/bin/sh
/usr/local/mysql/bin/mysqld_safe --user=mysql &
#
保存退出。
# chmod 755 mysql_start.sh
# cp mysql_start.sh /usr/sbin/
# ./mysql_start.sh
(启动
mysql
)
# /usr/local/snort/bin/snort start(
启动
snort)
8.
修改
selinux
配置及
apache
配置
# vi /etc/selinux/config
SELINUX=disabled
(
否则会导致
libphp4.so segment fault)
注:不要忘记配置
firewall
允许
https.
9.
配置自启动并重启计算机
# vi /etc/rc.d/rc.local
#start mysqld
/usr/local/mysql/support-files/mysql.server start
#start httpd
/usr/local/apache/bin/apachectl startssl
#start snort
/usr/local/bin/snort -d -D -c /etc/snort/rules/snort.conf
# reboot
10.
测试连接
acid
和初始化
https://127.0.0.1/acid
Click "Setup page" to "Create ACID AG"
有时由于操作系统的版本的不同软件安装的默认路径不同,会产生文件不存在或是权限不够的问题,找到文件修改文件位置,改变文件位置,不能的话就创建链接,我安装时出现这些问题就是
goole
,然后用这些方法解决的。
到现在为止
,Snort+mysql+Apachephp+ACID
已经可以正常工作了。
11.
辅助管理工具
(
图形界面管理
snort):
(1)
安装
Net_SSL(Redhat9 is broken)
# cd /home
# tar -vxzf Net_SSLeay.pm-1.21.tar.gz
# cd Net_SSLeay.pm-1.21
# ./Makefile.PL
# make install
(2)
安装
webmin
# cd /home
# rpm -ivh webmin-1.30.noarch.rpm
(3)
测试连接,并安装
snort module
https://127.0.0.1:10000,
使用
root+
密码登录
Webmin Configuration ->; SSL Encryption ->;
生成新的
SSL key
Webmin Configuration ->; Webmin Modules ->;
安装
snort-1.0.wbm
Servers ->; Snort IDS Admin ->;
进行配置:
Full path to snort executable ->;
/usr/local/snort/bin/snort -d -D -c /etc/snort/rules/snort.conf
Full path to snort configuration file ->;
/etc/snort/rules/snort.conf
Full path to snort rule files directory ->;
/etc/snort/rules
Full path to snort PID file ->;
/var/run/snort_eth0.pid
(4)save
之后就可以打开
snort
的配置界面。
12.
限定
apache
只允许
https
连接
修改
/usr/local/apache/conf/httpd.conf
如下
<IfDefine SSL>;
#Listen 80
Listen 443
</IfDefine>;
13.
给
Apache
加简单的访问控制
(1)
创建一个授权用户并设置密码
# /usr/local/apache/bin/htpasswd -c /usr/local/apache/conf/auth.users linghood
New password: ******
Re-type new password: ******
Adding password for user linghood
(2)
修改
/usr/local/apache/conf/httpd.conf
文件如下
<Directory />;
# Options FollowSymLinks
# AllowOverride None
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user
</Directory>;
<Directory "/var/www/html">;
# Options Indexes FollowSymLinks MultiViews
# AllowOverride None
# Order allow,deny
# Allow from all
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user
</Directory>;
两天总算没有浪费,查了很多资料,软件总算安上了,环境可以用了,虽然还有很多地方不够完善。