I recently needed to use Snort. I went through a lot of material online and ran into many problems; it took a great deal of effort to get Snort installed and configured. Below I write down my installation process and some of the problems I hit, in the hope that it helps others a little. Please point out any mistakes.
Snort is a free, lightweight network intrusion detection system built on libpcap. It runs on many platforms, and its lightweight detection engine is well suited to monitoring small TCP/IP networks: while monitoring, Snort pattern-matches network traffic against its rules to detect possible intrusion attempts. It can also use the SPADE plugin, which applies statistical methods to the traffic for anomaly detection. These detection capabilities give a network administrator enough information to respond appropriately to intrusions.
First download the following software: libpcap, MySQL, Apache, PHP, ADOdb, Snort and BASE.
libpcap is the packet-capture library for Unix/Linux;
MySQL is the database that stores the captured alert data;
Apache is the web server;
PHP is the web scripting language;
ADOdb is a database abstraction library for PHP and gives BASE its database access;
BASE (Basic Analysis and Security Engine) is based on the code of the ACID (Analysis Console for Intrusion Databases) project and provides a web front end for querying and analyzing the alerts coming from a Snort IDS;
Apache and PHP are installed only to serve BASE.
Install zlib and libpcap
tar -zxvf zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure
make
make install
cd ..
tar -zxvf libpcap-0.9.5.tar.gz
cd libpcap-0.9.5
./configure
make
make install
cd ..
Install MySQL
shell> groupadd mysql
shell> useradd -g mysql mysql
shell> tar -zxvf mysql-VERSION.tar.gz
shell> cd mysql-VERSION
shell> ./configure --prefix=/usr/local/mysql
shell> make
shell> make install
shell> cp support-files/my-medium.cnf /etc/my.cnf (MySQL configuration file)
shell> cd /usr/local/mysql
shell> bin/mysql_install_db --user=mysql (create the system databases)
Note: if this fails with a resolveip error because localhost cannot be resolved, /etc/hosts is empty; add an entry such as: 127.0.0.1 localhost.localdomain localhost
shell> chown -R mysql .
shell> chgrp -R mysql .
shell> bin/mysqld_safe --user=mysql & (start the server as a test)
Note: if mysql.sock cannot be found, check /etc/my.cnf. By default the socket is created as /tmp/mysql.sock, but sometimes it ends up as /var/lib/mysql/mysql.sock; either change the path in /etc/my.cnf or run: ln -s /var/lib/mysql/mysql.sock /tmp/
shell> cp /usr/local/mysql/share/mysql/mysql.server /etc/rc.d/init.d/mysqld (install the init script so MySQL can start at boot; copying it is not enough on its own, the script still has to be registered with the init system, chkconfig on Red Hat/Fedora)
shell> /usr/local/mysql/bin/mysqladmin -u root password 111 (set the password of the MySQL root account, which mysql_install_db created without one; 111 is only the placeholder used on this page, choose a strong password)
Note: if you see /usr/local/mysql/libexec/mysqld: File './mysql-bin.index' not found, that is an ownership problem on the data directory; fix it with chown as above.
Install Apache
tar -zvxf httpd-2.2.3.tar.gz
cd httpd-2.2.3
./configure --prefix=/usr/local/apache --enable-so
make
make install
Install PHP
tar zxvf php-5.2.tar.gz
cd php-5.2
./configure --prefix=/usr/local/php5 --with-apxs2=/usr/local/apache/bin/apxs --with-config-file-path=/usr/local/php5/etc --enable-sockets --with-mysql=/usr/local/mysql --with-zlib --with-gd
make
make install
cp ./php.ini-dist /usr/local/php5/etc/php.ini
Edit httpd.conf
vi /usr/local/apache/conf/httpd.conf and load the PHP module by removing the leading "#" from this line (add the line if it is missing):
LoadModule php5_module modules/libphp5.so
Then add these two lines:
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
# /usr/local/apache/bin/apachectl start (start Apache)
Create a small PHP test page, test.php, under apache/htdocs, for example one that just calls phpinfo(), and open it in a browser to check that PHP runs.
Note: if you get a permission error, change the file permissions with chmod. Delete test.php once PHP works: a phpinfo() page shows the server's full configuration to anyone who can reach it.
Install Snort
mkdir /usr/local/snort
mkdir /var/log/snort
tar -zxvf snort-2.6.1.tar.gz
cd snort-2.6.1
./configure --prefix=/usr/local/snort --with-mysql=/usr/local/mysql/
make
make install
cd /usr/local/snort
tar -zxvf snortrules-snapshot-CURRENT.tar.gz (install the Snort rules; this unpacks them into /usr/local/snort/rules, the directory RULE_PATH is pointed at below)
mkdir /usr/local/snort/etc
cp /usr/local/src/snort-2.6.1/etc/snort.conf /usr/local/snort/etc/
cp /usr/local/src/snort-2.6.1/etc/*.config /usr/local/snort/etc/
(These copy commands assume the Snort source was unpacked in /usr/local/src; adjust the path if you unpacked it elsewhere. The configuration goes into /usr/local/snort/etc, which is where the snort command at the end of this page reads it from.)
/usr/local/mysql/bin/mysql -u root -p (log in to MySQL)
create database snort;
create database snort_archive;
use snort;
source /usr/local/src/snort-2.6.1/schemas/create_mysql;
use snort_archive;
source /usr/local/src/snort-2.6.1/schemas/create_mysql;
This creates the two databases, snort and snort_archive, and loads the Snort table layout from the create_mysql schema file into each of them.
Edit snort.conf
var HOME_NET 10.1.1.0/24 (set this to your own network; left at the default "any", every rule scoped to $HOME_NET matches all traffic)
Change the var RULE_PATH line, which points at a relative rules directory by default, to var RULE_PATH /usr/local/snort/rules
Set the dynamic loaded library entries (dynamicengine and dynamicpreprocessor directory) to match the install prefix: the defaults in snort.conf assume /usr/local/lib, but with --prefix=/usr/local/snort the libraries are installed under /usr/local/snort/lib, so those paths need changing.
Send alerts to the database: output database: alert, mysql, user=root password=your_password dbname=snort host=localhost
This logs in as MySQL root, and the password sits in cleartext in snort.conf. The safer choice is a dedicated MySQL account for Snort with privileges only on the snort database, used here instead of root, and snort.conf kept readable by root only.
Install ADOdb
# cd /usr/local/
# tar zxvf adodb493a.gz (this unpacks into /usr/local/adodb, the path BASE's $DBlib_path points at)
Install BASE
#cd /usr/local/src/snortinstall (the directory holding the downloaded base-1.1.2.tar.gz)
#cp base-1.1.2.tar.gz /usr/local/apache/htdocs/
#cd /usr/local/apache/htdocs
#tar -xvzf base-1.1.2.tar.gz
(Rename the unpacked base-1.1.2 directory to base so that it matches the $BASE_urlpath set below, and change into it.)
cp base_conf.php.dist base_conf.php
Edit base_conf.php and set the following parameters:
$BASE_urlpath = "/base";
$DBlib_path = "/usr/local/adodb";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "password_of_root_mysql";
/* Archive DB connection parameters */
$archive_exists = 0; (set to 1 if you use the snort_archive database)
Note: all the string values are in double quotes, and $DBlib_path must not have a trailing space inside the quotes, otherwise BASE cannot find the ADOdb include files.
base_conf.php holds a database password, and with the settings above it is the MySQL root password. Give BASE its own MySQL account with only the access it needs on the snort database, and restrict who can reach the /base URL, since BASE otherwise shows every alert to anyone who can open the page.
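To check the two configuration files against each other before starting Snort and BASE, here is a small Python checker added to this page; it is not part of Snort, BASE or the original post. It parses the var and output database: lines of snort.conf and the $name = value; assignments of base_conf.php, confirms that BASE points at the same database and host that Snort writes to, and flags the settings shown above that are weak (both sides logging in as MySQL root) or broken (a stray space inside the $DBlib_path quotes). The sample file contents are constructed, and the account names snort_w and base_r in the corrected version are hypothetical; the corrected version makes the point that Snort only needs to insert events and BASE only needs to read them, so each gets its own restricted MySQL account.

```python
import re

# Constructed sample input (mine, not from the original post): the snort.conf
# and base_conf.php settings as this tutorial leaves them, both using MySQL root.
SNORT_CONF_WEAK = """\
var HOME_NET 10.1.1.0/24
var RULE_PATH /usr/local/snort/rules
output database: alert, mysql, user=root password=111 dbname=snort host=localhost
"""
BASE_CONF_WEAK = """\
$BASE_urlpath = "/base";
$DBlib_path = "/usr/local/adodb ";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "password_of_root_mysql";
$archive_exists = 0;
"""
# The same settings after the fix: Snort writes as one restricted MySQL account
# and BASE reads as another (snort_w and base_r are hypothetical account names).
SNORT_CONF_FIXED = SNORT_CONF_WEAK.replace(
    "user=root password=111", "user=snort_w password=example-writer-pw")
BASE_CONF_FIXED = (BASE_CONF_WEAK
                   .replace('"/usr/local/adodb "', '"/usr/local/adodb"')
                   .replace('$alert_user = "root"', '$alert_user = "base_r"')
                   .replace('"password_of_root_mysql"', '"example-reader-pw"'))

STRING_SETTINGS = ("BASE_urlpath", "DBlib_path", "DBtype", "alert_dbname",
                   "alert_host", "alert_port", "alert_user", "alert_password")


def parse_snort_vars(conf):
    """Collect the 'var NAME VALUE' definitions of a snort.conf."""
    return dict(re.findall(r"^\s*var\s+(\w+)\s+(\S+)", conf, re.M))


def parse_snort_output_db(conf):
    """Parse the first 'output database:' line into a dict, or None if absent."""
    m = re.search(r"^\s*output\s+database:\s*(.+)$", conf, re.M)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(",")]
    params = {"facility": parts[0], "dbtype": parts[1] if len(parts) > 1 else ""}
    for token in " ".join(parts[2:]).split():  # user=... password=... dbname=... host=...
        key, _, value = token.partition("=")
        params[key] = value
    return params


def parse_base_conf(php):
    """Return {name: raw value} for the one-line '$name = value;' assignments."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^\s*\$(\w+)\s*=\s*(.*?)\s*;", php, re.M)}


def unquote(raw):
    """Strip one pair of matching quotes; None if the value is not a quoted string."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return None


def check(snort_conf, base_conf):
    """Return the problems found; an empty list means both files point at the
    same database and neither side logs in as MySQL root."""
    problems = []
    snort_vars = parse_snort_vars(snort_conf)
    db = parse_snort_output_db(snort_conf)
    base = parse_base_conf(base_conf)
    base_str = lambda name: unquote(base.get(name, '""')) or ""

    if snort_vars.get("HOME_NET", "any") == "any":
        problems.append("snort.conf: HOME_NET is 'any'; set it to the monitored network")
    if not snort_vars.get("RULE_PATH", "").startswith("/"):
        problems.append("snort.conf: RULE_PATH should be an absolute path")
    if db is None:
        return problems + ["snort.conf: no 'output database:' line; alerts never reach MySQL"]
    if db.get("user") == "root":
        problems.append("snort.conf: Snort logs as MySQL root; use an account limited to the snort database")
    if not db.get("password"):
        problems.append("snort.conf: empty database password")

    for name in STRING_SETTINGS:
        if name in base and unquote(base[name]) is None:
            problems.append(f"base_conf.php: ${name} must be a quoted string")
    if base_str("DBlib_path") != base_str("DBlib_path").strip():
        problems.append("base_conf.php: $DBlib_path has surrounding whitespace; the ADOdb include will fail")
    for php_name, snort_key in (("alert_dbname", "dbname"), ("alert_host", "host")):
        if base_str(php_name) != db.get(snort_key):
            problems.append(f"base_conf.php: ${php_name} does not match {snort_key}= in snort.conf")
    if base_str("alert_user") == "root":
        problems.append("base_conf.php: BASE connects as MySQL root; use a read-only account")
    return problems


if __name__ == "__main__":
    print("weak:", check(SNORT_CONF_WEAK, BASE_CONF_WEAK))
    print("fixed:", check(SNORT_CONF_FIXED, BASE_CONF_FIXED))
```

Run it as python3 check_ids_conf.py (the file name is an assumption); the weak pair reports three problems and the fixed pair none. To check real files, read /usr/local/snort/etc/snort.conf and base_conf.php and pass their text to check(); the parsing only looks at the simple one-line settings this tutorial edits.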
Run Snort
# /usr/local/snort/bin/snort -dev -c /usr/local/snort/etc/snort.conf
That starts Snort. The -dev options dump every packet's headers and payload to the terminal, which is useful for a first check that traffic is being captured but not for running unattended. Validate the configuration first with -T, which parses snort.conf and exits so that path mistakes show up before going live; once the setup works, run Snort as a daemon (-D) on the chosen interface (-i) and drop root privileges after startup (-u and -g).