1. PHP 5.3 for Windows comes in several installer and zip versions, including NTS (Non Thread Safe) and TS (Thread Safe); download the TS one. TS is further split into VC9 and VC6 builds; download VC6. Then there is a choice of zip or msi; I chose the zip. If you pick the wrong version or file, following the configuration steps other people have posted online will leave some DLL files missing.
  LoadModule php5_module "D:/PHP5/php5apache2_2.dll"
  AddType application/x-httpd-php .php .phtml
   // PHP 4-style constructor: takes $db and $cs by reference, keeps reference
   // copies, and hands them to the parent BaseCriteria constructor.
   function ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt, $field_list = Array() )
   {
      $tdb =& $db;
      $cs =& $cs;

      $this->BaseCriteria($tdb, $cs, $export_name);

      $this->element_cnt = $element_cnt;
      $this->criteria_cnt = 0;
      $this->valid_field_list = $field_list;
   }

9. When you run snort it may not capture any packets. Run snort -W to check how many network interface devices there are, then add the -ix parameter to the command, e.g. -i2.

#   http://www.snort.org     Snort Ruleset
#     Contact: [email protected]
# Step #1: Set the network variables:

var HOME_NET any

# Set up the external network addresses as well.  A good start may be "any"

# List of DNS servers on your network

# List of SMTP servers on your network

# List of web servers on your network

# List of sql servers on your network

# List of telnet servers on your network

# List of snmp servers on your network

portvar HTTP_PORTS 80


portvar ORACLE_PORTS 1521

var AIM_SERVERS [,,,,,,,,,,,]

var RULE_PATH d:\snort\rules
var PREPROC_RULE_PATH ../preproc_rules

# Step #2: Configure dynamic loaded libraries
dynamicpreprocessor directory d:/snort/lib/snort_dynamicpreprocessor/

# Step #3: Configure preprocessors

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                              track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes

preprocessor smtp: \
  ports { 25 587 691 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }

preprocessor dcerpc2
preprocessor dcerpc2_server: default

preprocessor dns: \
    ports { 53 } \

preprocessor ssl: noinspect_encrypted, trustservers

# Step #4: Configure output plugins
output database: alert, mysql, user=root password=111222 dbname=snort host=localhost encoding=ascii detail=full
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
include d:\snort\etc\classification.config
include d:\snort\etc\reference.config

# Step #5: Configure snort with config statements

# Step #6: Customize your rule set

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
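The startup log later on this page reports that SID 616 "duplicates previous rule", and the include list above mixes backslash and forward-slash paths. As an added example (not from the page and not part of Snort), this Python checker expands $RULE_PATH the way Snort does, confirms that every included file exists, and lists any (gid, sid) pair defined in more than one file; build_sample() is a constructed temp-directory tree, so the whole thing runs offline.

```python
import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def resolve_includes(conf_text, conf_dir):
    """Expand 'var NAME value' definitions into the 'include' lines of a snort.conf."""
    variables, includes = {}, []
    for line in conf_text.splitlines():
        if m := re.match(r"var\s+(\w+)\s+(\S+)\s*$", line.strip()):
            variables[m.group(1)] = m.group(2)
        elif m := re.match(r"include\s+(\S+)\s*$", line.strip()):
            path = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), m.group(1))
            # Snort resolves relative includes against the directory holding snort.conf.
            includes.append(conf_dir / path)
    return includes

def check_rule_files(conf_path):
    """Return (missing, duplicates): includes absent from disk, and (gid, sid)
    pairs defined in more than one file (gid defaults to 1 as in Snort)."""
    conf_path = Path(conf_path)
    includes = resolve_includes(conf_path.read_text(), conf_path.parent)
    seen, missing = {}, []
    for path in includes:
        if not path.is_file():
            missing.append(str(path))
            continue
        for rule in path.read_text().splitlines():
            sid = SID_RE.search(rule)
            if rule.lstrip().startswith("#") or not sid:
                continue  # comment, or a non-rule line such as 'config classification:'
            gid = GID_RE.search(rule)
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
            seen.setdefault(key, []).append(path.name)
    return missing, {k: v for k, v in seen.items() if len(v) > 1}

def build_sample():
    """Constructed sample tree (not from the page): snort.conf, two rule files that
    both carry sid:616 like the duplicate in the startup log, and one missing include."""
    root = Path(tempfile.mkdtemp())
    (root / "rules").mkdir()
    rule = 'alert tcp any any -> any 113 (msg:"%s"; sid:%d; rev:4;)\n'
    (root / "snort.conf").write_text("var RULE_PATH rules\ninclude $RULE_PATH/local.rules\n"
                                     "include $RULE_PATH/scan.rules\ninclude $RULE_PATH/missing.rules\n")
    (root / "rules" / "local.rules").write_text(rule % ("local copy of ident rule", 616))
    (root / "rules" / "scan.rules").write_text("# comment\n" + rule % ("SCAN ident version request", 616)
                                               + rule % ("other", 617))
    return root / "snort.conf"
```

Point check_rule_files() at a real d:\snort\etc\snort.conf to get the same report for the include list above; a duplicate pair is the one Snort will silently drop ("Ignoring old rule"), so it is worth resolving before trusting the rule set.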


D:\>snort\bin\snort -c snort\etc\snort.conf -l d:\snort\log -i2
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!Initializing Output Plugins!
Var '_ADDRESS' redefined
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort\etc\snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit (not used): 5
    Fragment Problems: 1
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      514 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2401 client (Footprint)
      3306 client (Footprint)
HttpInspect Config:
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: snort\etc\unicode.map
      IIS Unicode Map Codepage: 1252
      Server profile: All
      Ports: 80 8080 8180
      Server Flow Depth: 300
      Client Flow Depth: 300
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Normalize HTTP Cookies: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

Tagged Packet Limit: 256
Loading all dynamic preprocessor libs from d:/snort/lib/snort_dynamicpreprocesso
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_dce2.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_dcerpc.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_dns.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_ftptelnet.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_smtp.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_ssh.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_ssl.dll... done
  Finished Loading all dynamic preprocessor libs from d:/snort/lib/snort_dynamic
FTPTelnet Config:
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25 587 691
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
       ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
       RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
DCE/RPC 2 Preprocessor Configuration
  Global Configuration
    DCE/RPC Defragmentation: Enabled
    Memcap: 102400 KB
    Events: none
  Server Default Configuration
    Policy: WinXP
    Detect ports
      SMB: 139 445
      TCP: 135
      UDP: 135
      RPC over HTTP server: 593
      RPC over HTTP proxy: None
    Autodetect ports
      SMB: None
      TCP: 1025-65535
      UDP: 1025-65535
      RPC over HTTP server: 1025-65535
      RPC over HTTP proxy: None
    Maximum SMB command chaining: 3 commands
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
SSLPP config:
    Encrypted packets: not inspected
      443      465      563      636      989
      992      993      994      995
    Server side data is trusted

Initializing rule chains...
d:\snort\rules/scan.rules(30): GID 1 SID 616 in rule: "alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;" duplicates previous rule. Ignoring old rule.
608 Snort rules read
    607 detection rules
    0 decoder rules
    0 preprocessor rules
607 Option Chains linked into 163 Chain Headers
0 Dynamic rules

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src      42       5       0       0
|     dst     346     104       0       0
|     any      43      42      16      10
|      nc       9       4       3       8
|     s+d       0       0       0       0

| memory-cap : 1048576 bytes
| none
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=
| gen-id=1      sig-id=13948      type=Threshold tracking=src count=200 seconds=
| none
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = d:\snort\log
Verifying Preprocessor Configurations!
Warning: flowbits key 'mspub_header' is set but not ever checked.
Warning: flowbits key 'swf_file.request' is checked but not ever set.
Warning: flowbits key 'pdf_file.request' is checked but not ever set.
6 out of 512 flowbits in use.

Initializing Network Interface \Device\NPF_{00129D26-BF62-4020-B633-2E8F2DAF621C}
Decoding Ethernet on interface \Device\NPF_{00129D26-BF62-4020-B633-2E8F2DAF621C}
database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = root
database: password is set
database: database name = snort
database:          host = localhost
database: data encoding = ascii
database: detail level  = full
database:   sensor name = SERVERNEW:\Device\NPF_{00129D26-BF62-4020-B633-2E8F2DAF621C}
database:     sensor id = 3
database: schema version = 107
database: using the "alert" facility
fpBuildServicePortGroups: adding protocol-ordinal=6 as service=ftp
fpBuildServicePortGroups: adding protocol-ordinal=7 as service=telnet
fpBuildServicePortGroups: adding protocol-ordinal=33 as service=rtsp
fpBuildServicePortGroups: adding protocol-ordinal=17 as service=finger
fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http
fpBuildServicePortGroups: adding protocol-ordinal=26 as service=sunrpc
fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
fpBuildServicePortGroups: adding protocol-ordinal=8 as service=smtp
fpBuildServicePortGroups: adding protocol-ordinal=32 as service=ssl
fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http
fpBuildServicePortGroups: adding protocol-ordinal=7 as service=telnet
fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
fpBuildServicePortGroups: adding protocol-ordinal=23 as service=tftp
fpBuildServicePortGroups: adding protocol-ordinal=26 as service=sunrpc
fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm
fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm
fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
fpBuildServicePortGroups: adding protocol-ordinal=26 as service=sunrpc

[ Port and Service Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 175
| Patterns         : 7289
| Pattern Chars    : 33855
| Num States       : 17360
| Num Match States : 4146
| Memory           :   798.98Kbytes
|   Patterns       :   203.73K
|   Match Lists    :   183.63K
|   Transitions    :   369.93K

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21

           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 2>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 7>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 11>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 2>
           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 1>
Using PCAP_FRAMES = max

