Recently I set up snort2.8.4.1 + php5.3 + apache2.2 + mysql5 + adodb509a + base1.4.4 + jpgraph + winpcap402 on Windows Server 2003 (I also tried acid0.9.6b23).
Following the tips found online I took quite a few detours, but finally got it running.
All the software involved can currently be downloaded online (I just downloaded it myself), so anyone who needs it can fetch it on their own.
There is no strict installation order; roughly it is:
1. snort
2. winpcap
3. mysql5
4. apache2.2
5. php5.3
6. adodb, base, jpgraph
The problems I ran into:
1. php5.3 for Windows comes in several installer/zip builds, including nts (Non Thread Safe) and ts (Thread Safe); download the ts one. TS is further split into VC9 and VC6 builds; download VC6. Then there are zip and msi packages; I chose the zip. If you pick the wrong build or file, some dll files mentioned in other people's online setup guides will simply not be there.
2. There seems to be another way to hook php5 into apache2.2, but the usual form is the better choice, i.e.
LoadModule php5_module "D:/PHP5/php5apache2_2.dll"
AddType application/x-httpd-php .php .phtml
3. snort itself ships without rules; you need to register on its website with an email address and activate the account, after which you can download snortrules-snapshot-CURRENT.tar.gz.
4. For mysql I used the msi installer, which prompts for the root password during setup. I used sqlyog to manage mysql and to create the snort tables. Some posts say to create a snort account and grant it privileges; I could not be bothered.
5. Extract adodb into the php5 directory; it seems no change to its configuration is needed.
6. Extract base into apache2\htdocs and open it in IE; it walks you through the configuration step by step. Alternatively edit its config file base_conf.php directly, which holds the adodb path, the mysql parameters and so on; you can also set the UI language to Simplified Chinese. acid is a very old version that is no longer updated; base is derived from acid and has better functionality, but its code has a problem: includes\base_state_citems.inc.php needs a fix, adding a constructor to the ProtocolFieldCriteria class at line 294:
    // PHP4-style constructor (a method named after the class), still honoured by PHP 5.3
    function ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt, $field_list = Array())
    {
        // take references to the db and criteria-state objects and hand them to the parent constructor
        $tdb =& $db;
        $tcs =& $cs;
        $this->BaseCriteria($tdb, $tcs, $export_name);
        $this->element_cnt = $element_cnt;
        $this->criteria_cnt = 0;
        $this->valid_field_list = $field_list;
    }
7. The snort installer asks which database to use; mysql is supported by default, and mssql or oracle are optional. If you pick one of the latter two, it seems the corresponding driver must be installed on the machine, otherwise snort fails to start complaining that certain dlls cannot be found.
8. Browsing the graph pages in base reports that the jpgraph temporary directory is not set; I have not fixed this yet. Apparently a csimcache directory needs to be created.
9. When running snort it may capture no packets; run snort -W to check how many network adapters there are, then add the -ix parameter to the command, e.g. -i2.
10. Before running snort you also need to add the environment variable PCAP_FRAMES with the value max in Windows.
The above are the problems already solved. But once snort is running, with the -v parameter I can see packets being captured, yet nothing is ever written to the database, and switching to log output produces nothing either, which is very strange.
Below are the snort configuration and the screen output.
#--------------------------------------------------
# http://www.snort.org Snort 2.8.4.1 Ruleset
# Contact: [email protected]
#--------------------------------------------------
###################################################
# Step #1: Set the network variables:
#
var HOME_NET any
# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET any
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
# List of sql servers on your network
var SQL_SERVERS $HOME_NET
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH d:\snort\rules
var PREPROC_RULE_PATH ../preproc_rules
###################################################
# Step #2: Configure dynamic loaded libraries
#
dynamicpreprocessor directory d:/snort/lib/snort_dynamicpreprocessor/
###################################################
# Step #3: Configure preprocessors
#
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 587 691 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
preprocessor dcerpc2
preprocessor dcerpc2_server: default
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
preprocessor ssl: noinspect_encrypted, trustservers
####################################################################
# Step #4: Configure output plugins
#
output database: alert, mysql, user=root password=111222 dbname=snort host=localhost encoding=ascii detail=full
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
include d:\snort\etc\classification.config
include d:\snort\etc\reference.config
####################################################################
# Step #5: Configure snort with config statements
#
####################################################################
# Step #6: Customize your rule set
#
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
Output:
D:\>snort\bin\snort -c snort\etc\snort.conf -l d:\snort\log -i2
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!Initializing Output Plugins!
Var '_ADDRESS' redefined
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort\etc\snort.conf
PortVar 'HTTP_PORTS' defined : [ 80 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1521 ]
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit (not used): 5
Fragment Problems: 1
Stream5 global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 8192
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: INACTIVE
Track ICMP sessions: INACTIVE
Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
Reassembly Policy: FIRST
Timeout: 30 seconds
Min ttl: 1
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Options:
Static Flushpoint Sizes: YES
Reassembly Ports:
21 client (Footprint)
23 client (Footprint)
25 client (Footprint)
42 client (Footprint)
53 client (Footprint)
80 client (Footprint)
110 client (Footprint)
111 client (Footprint)
135 client (Footprint)
136 client (Footprint)
137 client (Footprint)
139 client (Footprint)
143 client (Footprint)
445 client (Footprint)
513 client (Footprint)
514 client (Footprint)
1433 client (Footprint)
1521 client (Footprint)
2401 client (Footprint)
3306 client (Footprint)
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: snort\etc\unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Server Flow Depth: 300
Client Flow Depth: 300
Max Chunk Length: 500000
Max Header Field Length: 0
Max Number Header Fields: 0
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Normalize HTTP Headers: NO
Normalize HTTP Cookies: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
Tagged Packet Limit: 256
Loading all dynamic preprocessor libs from d:/snort/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_dce2.dll... done
Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_dcerpc.dll... done
Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_dns.dll... done
Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_ftptelnet.dll... done
Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_smtp.dll... done
Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_ssh.dll... done
Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_ssl.dll... done
Finished Loading all dynamic preprocessor libs from d:/snort/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25 587 691
Inspection Type: Stateful
Normalize: EXPN RCPT VRFY
Ignore Data: No
Ignore TLS Data: No
Ignore SMTP Alerts: No
Max Command Line Length: Unlimited
Max Specific Command Line Length:
ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
RCPT:300 VRFY:255
Max Header Line Length: Unlimited
Max Response Line Length: Unlimited
X-Link2State Alert: Yes
Drop on X-Link2State Alert: No
Alert on commands: None
DCE/RPC 2 Preprocessor Configuration
Global Configuration
DCE/RPC Defragmentation: Enabled
Memcap: 102400 KB
Events: none
Server Default Configuration
Policy: WinXP
Detect ports
SMB: 139 445
TCP: 135
UDP: 135
RPC over HTTP server: 593
RPC over HTTP proxy: None
Autodetect ports
SMB: None
TCP: 1025-65535
UDP: 1025-65535
RPC over HTTP server: 1025-65535
RPC over HTTP proxy: None
Maximum SMB command chaining: 3 commands
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
SSLPP config:
Encrypted packets: not inspected
Ports:
443 465 563 636 989
992 993 994 995
Server side data is trusted
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
d:\snort\rules/scan.rules(30): GID 1 SID 616 in rule: "alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;" duplicates previous rule. Ignoring old rule.
608 Snort rules read
607 detection rules
0 decoder rules
0 preprocessor rules
607 Option Chains linked into 163 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
| tcp udp icmp ip
| src 42 5 0 0
| dst 346 104 0 0
| any 43 42 16 10
| nc 9 4 3 8
| s+d 0 0 0 0
+----------------------------------------------------------------------------
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=13948 type=Threshold tracking=src count=200 seconds=30
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = d:\snort\log
Verifying Preprocessor Configurations!
Warning: flowbits key 'mspub_header' is set but not ever checked.
Warning: flowbits key 'swf_file.request' is checked but not ever set.
Warning: flowbits key 'pdf_file.request' is checked but not ever set.
6 out of 512 flowbits in use.
Initializing Network Interface \Device\NPF_{00129D26-BF62-4020-B633-2E8F2DAF621C}
Decoding Ethernet on interface \Device\NPF_{00129D26-BF62-4020-B633-2E8F2DAF621C}
database: compiled support for ( mysql odbc )
database: configured to use mysql
database: user = root
database: password is set
database: database name = snort
database: host = localhost
database: data encoding = ascii
database: detail level = full
database: sensor name = SERVERNEW:\Device\NPF_{00129D26-BF62-4020-B633-2E8F2DAF621C}
database: sensor id = 3
database: schema version = 107
database: using the "alert" facility
fpBuildServicePortGroups: adding protocol-ordinal=6 as service=ftp
fpBuildServicePortGroups: adding protocol-ordinal=7 as service=telnet
fpBuildServicePortGroups: adding protocol-ordinal=33 as service=rtsp
fpBuildServicePortGroups: adding protocol-ordinal=17 as service=finger
fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http
fpBuildServicePortGroups: adding protocol-ordinal=26 as service=sunrpc
fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
fpBuildServicePortGroups: adding protocol-ordinal=8 as service=smtp
fpBuildServicePortGroups: adding protocol-ordinal=32 as service=ssl
fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http
fpBuildServicePortGroups: adding protocol-ordinal=7 as service=telnet
fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
fpBuildServicePortGroups: adding protocol-ordinal=23 as service=tftp
fpBuildServicePortGroups: adding protocol-ordinal=26 as service=sunrpc
fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm
fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm
fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
fpBuildServicePortGroups: adding protocol-ordinal=26 as service=sunrpc
[ Port and Service Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances : 175
| Patterns : 7289
| Pattern Chars : 33855
| Num States : 17360
| Num Match States : 4146
| Memory : 798.98Kbytes
| Patterns : 203.73K
| Match Lists : 183.63K
| Transitions : 369.93K
+-------------------------------------------------
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.8.4.1-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 38)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
Copyright (C) 1998-2009 Sourcefire, Inc., et al.
Using PCRE version: 7.4 2007-09-21
Preprocessor Object: SF_SSLPP Version 1.1 <Build 2>
Preprocessor Object: SF_SSH Version 1.1 <Build 1>
Preprocessor Object: SF_SMTP Version 1.1 <Build 7>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 11>
Preprocessor Object: SF_DNS Version 1.1 <Build 2>
Preprocessor Object: SF_DCERPC Version 1.1 <Build 4>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 1>
Using PCAP_FRAMES = max
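An added check for the "packets visible with -v but nothing in the database" problem above. This is example code written for this edit, not part of the original post and not Snort's or BASE's own code. It parses a constructed subset of the snort.conf shown here plus a constructed rules file, and reports what has to be true before a row can reach the snort database: the `output database: alert` plugin only receives alert-facility events, i.e. packets that matched a rule, and in IDS mode (-c) the -l log directory is filled the same way, so -v printing decoded packets proves nothing about events. It also reproduces the "duplicates previous rule" condition the output reports for sid 616. The sample texts, the placeholder password, the sid 1000001 test rule and all function names are this example's own assumptions.

```python
"""Added example (this edit's own code, not the post's and not Snort's or BASE's):
parse snort.conf and a rules file, then explain what has to be true before
'output database: alert' can ever write a row. All sample text is constructed."""
import re

# Constructed subset of the post's snort.conf; the password is a placeholder.
SAMPLE_CONF = r"""
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH d:\snort\rules
portvar HTTP_PORTS 80
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp no
output database: alert, mysql, user=root password=CHANGEME dbname=snort host=localhost encoding=ascii detail=full
# output log_unified: filename snort.log, limit 128
include $RULE_PATH/local.rules
include $RULE_PATH/scan.rules
"""

# Constructed: an ICMP test rule for local.rules, then the post's sid 616 rule
# listed twice on purpose to reproduce the duplicate-sid warning in the output.
SAMPLE_RULES = r"""
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP test"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
"""

def _logical_lines(text):
    """Join backslash-continued lines the way Snort's parser does; drop blanks and comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        lines.append(buf + line.lstrip())
        buf = ""
    return [l for l in lines if l and not l.startswith("#")]

def expand_vars(value, variables):
    """Replace $NAME with its 'var' definition (Snort does this for include paths)."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)

def parse_snort_conf(text):
    conf = {"vars": {}, "portvars": {}, "outputs": [], "includes": [], "preprocessors": []}
    for line in _logical_lines(text):
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword in ("var", "portvar"):
            name, _, value = rest.partition(" ")
            conf[keyword + "s"][name] = value.strip()
        elif keyword in ("output", "preprocessor"):
            name, _, args = rest.partition(":")
            conf[keyword + "s"].append({"name": name.strip(), "args": args.strip()})
        elif keyword == "include":
            conf["includes"].append(expand_vars(rest, conf["vars"]))
    return conf

RULE_RE = re.compile(r"^(?P<action>alert|log|pass|drop|sdrop|reject)\s+(?P<proto>\w+)\s+"
                     r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+"
                     r"(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rules(text):
    """Rule header fields plus an option dict. A literal ';' inside content must be
    written |3B| in Snort rules, so splitting the option body on ';' is safe."""
    rules = []
    for line in _logical_lines(text):
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = m.groupdict()
        opts = {}
        for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
        rule["options"] = opts
        rules.append(rule)
    return rules

def find_duplicate_sids(rules):
    """Same condition behind Snort's 'duplicates previous rule. Ignoring old rule.'"""
    counts = {}
    for r in rules:
        key = (r["options"].get("gid", "1"), r["options"].get("sid"))
        counts[key] = counts.get(key, 0) + 1
    return {sid: n for (_, sid), n in counts.items() if n > 1}

def diagnose(conf, rules):
    """Checks to run when -v shows traffic but the event table stays empty."""
    findings = []
    db = [o for o in conf["outputs"] if o["name"] == "database"]
    if db and all(o["args"].split(",")[0].strip() == "alert" for o in db):
        findings.append("database plugin on the alert facility only: rows appear only when a rule "
                        "fires; the -l log directory fills the same way in IDS mode, and -v output is not an event")
    alerts = [r for r in rules if r["action"] == "alert"]
    findings.append("%d alert rule(s) loaded; fire one (e.g. sid %s) to test the pipeline end to end"
                    % (len(alerts), alerts[0]["options"]["sid"]) if alerts else "no alert rule loaded")
    dups = find_duplicate_sids(rules)
    if dups:
        findings.append("duplicate sid(s) ignored by Snort: " + ", ".join(sorted(dups)))
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_snort_conf(SAMPLE_CONF), parse_rules(SAMPLE_RULES)):
        print("- " + finding)
```

On the real box the follow-up is the same as the script suggests: put the ICMP test rule into local.rules, ping the sensor's interface, and then count rows in the event table for the sensor id printed at startup (3 in the output above) rather than trusting -v.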