Chinaunix首页 | 论坛 | 博客
  • 博客访问: 343176
  • 博文数量: 64
  • 博客积分: 2301
  • 博客等级: 大尉
  • 技术积分: 570
  • 用 户 组: 普通用户
  • 注册时间: 2009-03-25 11:48
文章分类

全部博文(64)

文章存档

2013年(5)

2012年(6)

2011年(36)

2010年(7)

2009年(10)

分类: LINUX

2011-05-20 07:28:19



  Libpcap snort)
centos5.5安装
安装时将apache 和mysql服务安装上
yum -y install mysql-bench mysql-devel php-mysql gcc pcre-devel php-gd gd glib2-devel gcc-c++ libpcap-devel
cd /root
mkdir  snort
cd snort
wget )
wget )
tar -xzvf snort-2.9.0.5.tar.gz
cd snort-2.9.0.5
./configure --with-mysql --enable-dynamicplugin
(if buliding for CentOs64 bit use the following instead ->./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin)
###########################################################################################################################
ERROR!  dnet header not found, go get it from or use the --with-dnet-* options, if you have it installed in an unusual place
wget  
tar -xzvf libdnet-1.12.tgz 
cd libdnet-1.12.tgz 
./configure
make
make install
ERROR!  daq_static library not found, go get it from  .
 cd /root/snort/ 
 tar -xzvf daq-0.5.tar.gz 
 cd daq-0.5.tar  ./configure 
 make 
 make install
 如果出现报错ERROR! Libpcap library version >= 1.0.0 not found. Get it from
 yum erase  libpcap-old
###################################################################################################################################
make
make install
groupadd snort
useradd -g snort snort -s /sbin/nologin
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /etc/snort/so_rules
mkdir /var/log/snort
chown snort:snort /var/log/snort
cd etc(make sure you do not cd to /etc)
cp * /etc/snort
tar -xzvf snortrules-snapshot-2902.tar.gz
cd ./rules
cp *  /etc/snort/rules
cp  ../so_rules/precompiled/Centos-5-4/i386/2.9.0.2/*  /etc/snort/so_rules
wget
vi /etc/snort/snort.conf
修改如下
 RULE_PATH ../rules     /etc/snort/rules
 SO_RULE_PATH ../so_rules        /etc/snort/so_rules
 在output部分添加如下
 output unified2:filename snort.log,limit 128
 
 配置数据库
 echo "set password for -uroot -p
 echo "create database snort;"|mysql -u root -p
 mysql -u root -p -D snort <./schemas/create_mysql
 echo "grant create,insert on root.* to -uroot -p
 echo "set password for );"| mysql -uroot -p
 echo "grant create,insert,select,delete,update on snort.* to -uroot -p
 
 install and configure base(basic analysis and security engine and adodb)
 use the following commmand to install php_pear and some additional supporting files to allow for
 graphing within base to function properly:
 #yum -y install php-pear_number_roman php-pear_numbers_words php-pear_image_color php-pear_canvas
 php-pear_image_graph
 wget
php go-pear.phar

pear install Numbers_Roman
pear install Numbers_Words
pear install Image_Color
pear install Image_Canvas
pear install Image_Canvas
pear install Image_Graph
wget
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
install adodb
cd /var/www
tar -xzvf  adodb511.tgz
mv   adodb5 adodb
install   and config base
cd /var/www/html/
tar -xzvf base-1.4.5.tar.gz
cd base-1.4.5
cp base_conf.php.dist  base_conf.ph
chown pigg.games base_conf.php
edit "base_config.php" and insert the following parameters
$BASE_urlpath='/base';
$DBlib_path='/var/www/adodb';
$DBtype='mysql';
$alert_dbname='snort';
$alert_host='localhost';
$alert_port='';
$alert_user='snort';
$alert_password='password created in mysql section above for snort user';
/*archive db connnection parameters */
$archive_exists=0;#set this to 1 if you have an archive db
/* access your sensor at the following address: */
address of sensor>/base
click on "setup page" then click on "create base ag".
securing the base directory:
mkdir /var/www/passwords
htpasswd -c /var/www/passwords/passwords base
password:123456
edit the httpd.conf

            AuthType Basic
            AuthName "SnortIDS"
            AuthUserFile /var/www/passwords/passwords
            Require user  base

 
Installing  Barnyard2
barnyard2 improves the efficicency of snort by reducing the load on the main detection engine by allowing
barnyard2 to handle the inserting of events into the mysql database.
wget
tar -xzvf firnsy-barnyard2-v2-1.9-12-g01f5581.tar.gz
cd firnsy-barnyard2-01f5581
./configure --with-mysql
(if building for centos 64 bit use the following instead -> ./configure --with-mysql-libraries=/usr/lib64/mysql/)
make
make install
cp etc/barnyard2.conf /etc/snort/      
mkdir /var/log/barnyard2
chmod 666  /var/log/barnyard2
touch  /var/log/snort/barnyard2.waldo
chown snort:snort /var/log/snort/barnyard2.waldo
Edit /etc/snort/barnyard2.conf and modify the following lines.
#config hostname:thor
#config interface:eth0
#output database:log,mysql,user=root password=test dbname=db host=localhost
Remove the#sign from the lines above and change to the below:
config hostname:localhost
config interface:eth0(if using multiple interfaces this should be eth1)
output database:log,mysql,user=snort password='password created in mysql section above for snort user' dbname=snort host=localhost
testing snort:
you can lauch snort from the commmand line to make sure that it loads properly. Enter the following command:
/usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
(如果出现报错:/usr/local/bin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
 ln -s   /usr/local/lib/libdnet.1  /usr/lib/libdnet.1)
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
setting up snort $barnyard2 to start automatically:
edit /etc/rc.loacl
#ifconfig eth0 up
/usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
/etc/rc.local start
阅读(4920) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~