Snort + MySQL + Apache (with mod_ssl) + PHP + ACID installation log

I. Environment
1. Platform:
Fedora Core 4 (IP address: 192.168.1.101)
2. Required software:
Alerting + database:
snort-2.4.0.tar.gz
snortrules-pr-2.4.tar.gz (Snort rules for v2.4, unregistered-user release)
mysql-standard-4.1.13-pc-linux-gnu-i686.tar.gz
create_mysql (script)
Client-side display:
apache_1.3.29.tar.gz
mod_ssl-2.8.16-1.3.29.tar.gz
php-4.4.0.tar.gz
acid-0.9.6b23.tar.gz
adodb465.tgz
jpgraph-1.19.tar.gz
Auxiliary management tools:
webmin-1.220-1.noarch.rpm
Net_SSLeay.pm-1.21.tar.gz
snort-1.0.wbm (Snort's Webmin plugin)
3. Download locations
snort-2.4.0.tar.gz ( http://www.snort.org )
snortrules-pr-2.4.tar.gz ( http://www.snort.org )
mysql-standard-4.1.13-pc-linux-gnu-i686.tar.gz ( http://www.mysql.com )
create_mysql script ( http://cvs.sourceforge.net/viewcvs.py/snort/snort/contrib/ )
apache_1.3.29.tar.gz ( http://www.apache.org )
mod_ssl-2.8.16-1.3.29.tar.gz ( http://www.modssl.org )
php-4.4.0.tar.gz ( http://www.php.net )
acid-0.9.6b23.tar.gz ( http://acidlab.sourceforge.net )
adodb465.tgz ( http://adodb.sourceforge.net/ )
jpgraph-1.19.tar.gz ( http://www.aditus.nu/jpgraph/index.php )
webmin-1.220-1.noarch.rpm ( http://www.webmin.com/ )
Net_SSLeay.pm-1.21.tar.gz ( http://symlabs.com/Net_SSLeay/ )
snort-1.0.wbm ( http://www.snort.org/dl/contrib/front_ends/webmin_plugin/ )
II. Installation
1. Preparation
Log in to FC4 as root over ssh and copy the files listed above to /home.
2. Install MySQL
# groupadd mysql
# useradd -g mysql mysql
# cd /home
# tar -vxzf mysql-standard-4.1.14-pc-linux-gnu-i686.tar.gz
# mv mysql-standard-4.1.14-pc-linux-gnu-i686 /usr/local/mysql
# cd /usr/local/mysql
# chown -R root  .
# chown -R mysql data
# chgrp -R mysql .
# scripts/mysql_install_db --user=mysql
# /usr/local/mysql/support-files/mysql.server start
3. Create the snort database
# /usr/local/mysql/bin/mysql
mysql>
mysql>set password for 'root'@'localhost'=password('linghood');
mysql>create database snort;
# /usr/local/mysql/bin/mysql -u root -p
mysql>connect snort;
(give the actual path of the create_mysql script on the next line)
mysql>source /home/create_mysql
mysql>grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
mysql>grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql>connect mysql;
mysql>set password for 'snort'@'localhost'=password('linghoodids');
mysql>set password for 'snort'@'%'=password('linghoodids');
mysql>flush privileges;

4. Install and start Snort
# cd /home
# tar -vxzf snort-2.4.0.tar.gz
# mv snort-2.4.0 /usr/local/snort
# cd /usr/local/snort
# ./configure --with-mysql=/usr/local/mysql
# make
# make install
# mkdir /var/snort
# mkdir /var/log/snort
# mkdir /etc/snort    # holds the rules
# cd /home
# tar -vxzf snortrules-pr-2.4.tar.gz
# mv rules /etc/snort
# mv doc /etc/snort

Edit /etc/snort/rules/snort.conf:
(1) Comment out the line "var RULE_PATH ../rules"
(2) Add: output database: log, mysql, user=snort password=linghoodids dbname=snort host=localhost
(3) Change the include lines
   include $RULE_PATH/bad-traffic.rules  ->  include bad-traffic.rules
   (and so on...)
Start Snort (example):
# snort -d -D -c /etc/snort/rules/snort.conf
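As an added example (not code from the original log), the POSIX shell functions below apply the three snort.conf edits from step 4 to a copy of the file and check the result. The function names and the sample snort.conf lines are constructed for this demonstration; they are not the stock file.

```shell
#!/bin/sh
# Added example, not code from the original log: apply the three snort.conf
# edits from step 4 and verify them. The function names and the sample
# configuration lines below are constructed for this demonstration.

# Constructed sample with the kinds of lines from a 2.4 snort.conf that step 4 touches.
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var RULE_PATH ../rules
preprocessor frag3_global
output alert_fast: alert
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
EOF
}

# configure_snort_conf FILE DBUSER DBPASS DBNAME DBHOST
# (1) comment out "var RULE_PATH ../rules", (3) strip the $RULE_PATH/ prefix
# from every include, (2) append the MySQL output line, then tighten the
# file mode because the file now carries a database password.
configure_snort_conf() {
    conf="$1"; db_user="$2"; db_pass="$3"; db_name="$4"; db_host="$5"
    tmp="$conf.tmp"
    sed -e 's|^var RULE_PATH ../rules|#&|' \
        -e 's|^include \$RULE_PATH/|include |' "$conf" > "$tmp"
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=%s\n' \
        "$db_user" "$db_pass" "$db_name" "$db_host" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
}

# check_snort_conf FILE: return 0 when all three edits are present, 1 otherwise.
check_snort_conf() {
    conf="$1"
    grep -q '^#var RULE_PATH' "$conf" || return 1
    grep -q '^output database: log, mysql, user=' "$conf" || return 1
    # Any include still using $RULE_PATH would break once the variable is commented out.
    if grep '^include.*\$RULE_PATH' "$conf" >/dev/null; then
        return 1
    fi
    return 0
}

# Demo on a scratch copy; run as: sh snort_conf_edit.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_sample_conf "$work/snort.conf"
    configure_snort_conf "$work/snort.conf" snort linghoodids snort localhost
    check_snort_conf "$work/snort.conf" && echo "snort.conf edits verified"
    cat "$work/snort.conf"
    rm -rf "$work"
fi
```

Because the output database line puts the snort DB password into snort.conf, the function also sets the file to mode 0600 (Snort is started as root in this log, so it can still read it). Rewriting every include is what the log does; an alternative that Snort supports is to set `var RULE_PATH /etc/snort/rules` and leave the include lines untouched.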

5. Install Apache + mod_ssl
# cd /home
# tar -vxzf apache_1.3.29.tar.gz
# tar -vxzf mod_ssl-2.8.16-1.3.29.tar.gz
# cd mod_ssl-2.8.16-1.3.29
# ./configure --with-apache=../apache_1.3.29
# cd ../apache_1.3.29
# SSL_BASE=SYSTEM \
  ./configure \
      --prefix=/usr/local/apache \
      --enable-module=ssl \
      --enable-module=so \
      --enable-module=rewrite
     
# make
# make certificate
# make install

6. Install PHP
# cd /home
# tar -vxzf php-4.4.0.tar.gz
# cd php-4.4.0
# CFLAGS="-DEAPI -fPIC" \
  ./configure \
      --prefix=/usr/local/php \
      --with-mysql=/usr/local/mysql \
      --with-apxs=/usr/local/apache/bin/apxs \
      --with-gd \
      --with-zlib \
      --enable-sockets
# make
# make install
Note: mod_ssl uses Apache's EAPI, so PHP must be compiled with -DEAPI.

7. Install ACID + ADOdb + JpGraph
Unpack acid-0.9.6b23.tar.gz, adodb465.tgz, gd-2.0.33.tar.gz and jpgraph-1.19.tar.gz
and copy them to /var/www/html (dropping the version numbers from the directory names).
# vi /var/www/html/acid/acid_conf.php
Change the following:
$DBlib_path="../adodb";
$alert_dbname="snort";
$alert_user="snort";
$alert_password="linghoodids";
$Chartlib_path="../jpgraph/src";

8. Change the SELinux and Apache configuration
# vi /etc/selinux/config

    SELINUX=disabled
    (otherwise libphp4.so segfaults)
# vi /usr/local/apache/conf/httpd.conf
    ServerName 192.168.1.101
    DocumentRoot "/var/www/html"

    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
    ##
    ## SSL Virtual Host Context
    ##

    #  General setup for the virtual host
    DocumentRoot "/var/www/html"
    ServerName 192.168.1.101

Note: don't forget to configure the firewall to allow https.
9. Configure autostart and reboot
# vi /etc/rc.d/rc.local
    #start mysqld
    /usr/local/mysql/support-files/mysql.server start
    #start httpd
    /usr/local/apache/bin/apachectl startssl
    #start snort
    /usr/local/bin/snort -d -D -c /etc/snort/rules/snort.conf
# reboot

10. Test the connection to ACID and initialize it
https://192.168.1.101/acid or http://192.168.1.101/acid
Click "Setup page", then "Create ACID AG"
At this point Snort + MySQL + Apache (with mod_ssl) + PHP + ACID is working.

11. Auxiliary management tools (graphical management of Snort)

(1) Install Net_SSLeay (the Redhat 9 package is broken)
# cd /home
# tar -vxzf Net_SSLeay.pm-1.21.tar.gz
# cd Net_SSLeay.pm-1.21
# perl Makefile.PL
# make
# make install
(2) Install Webmin
# cd /home
# rpm -ivh webmin-1.220-1.noarch.rpm
(3) Test the connection and install the snort module
https://127.0.0.1:10000 , log in as root with the root password
  Webmin Configuration -> SSL Encryption -> generate a new SSL key
  Webmin Configuration -> Webmin Modules -> install snort-1.0.wbm
  Servers -> Snort IDS Admin -> configure:
     Full path to snort executable ->
     /usr/local/bin/snort -d -D -c /etc/snort/rules/snort.conf

     Full path to snort configuration file ->
     /etc/snort/rules/snort.conf

     Full path to snort rule files directory ->
     /etc/snort/rules

     Full path to snort PID file ->
     /var/run/snort_eth0.pid
(4) After saving, the Snort configuration pages become available.
12. Restrict Apache to https connections only
Edit /usr/local/apache/conf/httpd.conf as follows

#Listen 80
Listen 443

13. Add simple access control to Apache
(1) Create an authorized user and set a password
# /usr/local/apache/bin/htpasswd -c /usr/local/apache/conf/auth.users linghood
New password: ******
Re-type new password: ******
Adding password for user linghood
(2) Edit /usr/local/apache/conf/httpd.conf as follows

#    Options FollowSymLinks
#    AllowOverride None
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user


#    Options Indexes FollowSymLinks MultiViews
#    AllowOverride None
#    Order allow,deny
#    Allow from all
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user
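As an added example (not code from the original log), the shell script below audits an Apache 1.3 httpd.conf for the two hardening steps in sections 12 and 13: no plaintext listener left active, Basic auth directives in place, and the password file kept outside DocumentRoot. The "weak" and "hardened" fragments and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original log: audit an Apache 1.3 httpd.conf
# for the hardening steps in sections 12 and 13 (HTTPS only, Basic auth in
# front of the ACID pages). The two fragments and the function names are
# constructed for this demonstration.

# Constructed "before" fragment: plaintext HTTP still listening, no auth.
write_weak_conf() {
    cat > "$1" <<'EOF'
Listen 80
Listen 443
DocumentRoot "/var/www/html"
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
EOF
}

# Constructed "after" fragment mirroring steps 12 and 13.
write_hardened_conf() {
    cat > "$1" <<'EOF'
#Listen 80
Listen 443
DocumentRoot "/var/www/html"
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user
EOF
}

# Print a finding and count it (findings is a global set by audit_httpd_conf).
warn() { echo "WARN: $1"; findings=$((findings + 1)); }

# audit_httpd_conf FILE: print one WARN line per finding and return the
# number of findings (0 means both hardening steps are in place).
audit_httpd_conf() {
    conf="$1"; findings=0

    # Step 12: an active "Listen 80" means the ACID pages and the Basic auth
    # credentials can still be sent over plaintext HTTP.
    if grep -E '^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?80([[:space:]]|$)' "$conf" >/dev/null; then
        warn "plaintext Listen 80 still active"
    fi
    grep -E '^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?443([[:space:]]|$)' "$conf" >/dev/null \
        || warn "no Listen 443"

    # Step 13: all three directives are needed for Basic auth to take effect.
    grep -E '^[[:space:]]*AuthType[[:space:]]+Basic' "$conf" >/dev/null || warn "AuthType Basic missing"
    grep -E '^[[:space:]]*AuthUserFile[[:space:]]+/' "$conf" >/dev/null || warn "AuthUserFile missing"
    grep -E '^[[:space:]]*Require[[:space:]]+valid-user' "$conf" >/dev/null || warn "Require valid-user missing"

    # The password file must not live under DocumentRoot, or it is downloadable.
    docroot=$(sed -n 's/^[[:space:]]*DocumentRoot[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$conf" | head -n 1)
    authfile=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$conf" | head -n 1)
    if [ -n "$docroot" ] && [ -n "$authfile" ]; then
        case "$authfile" in
            "$docroot"/*) warn "AuthUserFile $authfile is inside DocumentRoot $docroot" ;;
        esac
    fi
    return "$findings"
}

# Demo on constructed fragments; run as: sh httpd_audit.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_weak_conf "$work/weak.conf"; write_hardened_conf "$work/hardened.conf"
    echo "== weak"; audit_httpd_conf "$work/weak.conf" || echo "$? finding(s)"
    echo "== hardened"; audit_httpd_conf "$work/hardened.conf" && echo "clean"
    rm -rf "$work"
fi
```

After step 13, run `audit_httpd_conf /usr/local/apache/conf/httpd.conf` on the real file. The checks are plain pattern matches on the directives the log edits, so directives pulled in through Include files are not seen, and a commented-out `#Listen 80` is correctly ignored.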
