。。。。。。。。。。。。。。。。。。。。。。
分类: 网络与安全
2007-02-09 14:29:18
 |
|
|
|
|
|
|
|
|
|
|
|
|
|
用Snort+ACID构建入侵检测系统(IDS)
1.Snort简介
Snort 是一个强大的轻量级的网络入侵检测系统。它具有实时数据流量分析和日志IP 网络数据包的能力,能够进行协议分析,对内容进行搜索/匹配。它能够检测各种不同的攻击方式,对攻击进行实时报警。
2. 平台
# uname -a
FreeBSD 6.1-RELEASE /usr/obj/usr/src/sys/GENERIC i386
FreeBSD是financeWEB和KABU服务器使用最多的操作系统(还有一部分使用的linux操作系统),现在以FreeBSD操作系统为例,进行构建。
3. 所需要的软件(省略,下面会有介绍)
4. 安装FreeBSD 6.1(省略)
5. 安装最新的ports
login:root
password
1)Install cvsup-without-gui
#pkg_add -r cvsup-without-gui
2)安全设置
ee /etc/rc.conf
增加以下行:
sendmail_enable="NONE"
inetd_enable="NO"
ntpdate_flags="ntp6.space.net"
ntpdate_enable="YES"
ifconfig_fxp0="inet 10.5.3.199 netmask 255.255.255.0"
defaultrouter="10.5.3.50"
保存
ee /etc/ssh/sshd_config
只容许ssh协议2
#Protocol 2 -> Protocol 2
#PermitRootLogin no -> PermitRootLogin no
保存
ee /etc/ttys
拒绝单用户模式登录
console none unknown off secure -> console none unknown off insecure
保存
重启网络
/etc/netstart
3)安装最新的ports树
cp /usr/share/examples/cvsup/ports-supfile /etc/
cp /usr/share/examples/cvsup/stable-supfile /etc/
ee /etc/ports-supfile
*default host=CHANGE_THIS.FreeBSD.org -> *default host=cvsup5.FreeBSD.org
保存
ee /etc/stable-supfile
*default host=CHANGE_THIS.FreeBSD.org -> *default host=cvsup5.FreeBSD.org
在*default release=cvs tag=RELENG_6行上面增加:
*default release=cvs tag=RELENG_6_1
保存
mkdir /root/scripts
cd /root/scripts
ee ports-update.sh
#!/bin/sh
# updating port
echo "Beginning Ports Update"
/usr/local/bin/cvsup -g -L 2 /etc/ports-supfile
echo "Ports Update Complete"
保存
ee src-update.sh
#!/bin/sh
# updating source
echo "Beginning Source Update"
/usr/local/bin/cvsup -g -L 2 /etc/stable-supfile
echo "Source Update Complete"
保存
chmod +x *.sh
chmod 640 /etc/ports-supfile
chmod 640 /etc/stable-supfile
4)重建ports树并重新编译核心
/root/scripts/src-update.sh
cd /usr/src/sys/i386/conf
这时候你可以根据需要,修改文件:GENERIC,更改核心设备的设置等
cp GENERIC CUSTOM
vi CUSTOM
保存
5)为FreeBSD打最新的补丁:
mkdir /usr/patches
cd /usr/patches
fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch
fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch.asc
cd /usr/src
patch < /usr/patches/bzip2.patch
一路“回车”
6)打完补丁,开始重新编译系统:
# make buildworld
# make buildkernel KERNCONF=CUSTOM
# make installkernel KERNCONF=CUSTOM
# reboot
7)重启到loader时,输入boot -s,进入单用户模式:
# mergemaster -p
# make installworld
# mergemaster
# reboot
8)升级ports数:
sh /root/scripts/ports-update.sh
9)好了,系统更新已经完毕,现在让我们开始IDS旅行吧!!
FreeBSD下安装软件最好的方法莫过于使用ports,简单的不能再简单了,而且安装的内容一样都不差,只需在相应的目录打:make install,这样freebsd自己去寻找并安装软件所需的库和各种支持文件。
我们上面已经有了一个软件列表:
Idled
Stunnel
Snort
Libpcap
MySQL (Server for the DB station)
Modphp 4
Adodb
Gd
Phplot
Apache13
ACID
我们只需要知道各个软件在ports下的哪个目录就行,其余的事情交给freebsd吧。
10)安装Idled
1. cd /usr/ports/sysutils/idled
2. make install clean
3. cd /usr/local/etc
4. cp idled.cf.template idled.cf
5. ee idled.d
#!/bin/sh
result_ps=`ps auxwww | grep idled | sed '/grep/d'`
if [ $result_ps -eq "" ]
then
/usr/local/libexec/idled -f /usr/local/etc/idled.cf
else
exit 0
fi
chmod 755 /etc/rc.d/idled.d
/etc/rc.d/inled.d
ps auxww | grep idled.d
11)安装ntp
pkg_add -r ntp
ee /etc/rc.conf
添加行:
ntpd_enable="YES"
保存
12)安装apache-modssl
cd /usr/ports/www/apache13-modssl
make
make certificate VIEW=1
make install clean
13)安装MySQL
cd /usr/ports/databases/mysql41-server/
make install clean
[可选]
cd /usr/ports/databases/mysql40-client/
make install clean
ee /etc/rc.conf
添加:
mysql_enable="YES"
安装完毕,初始化数据库权限表和用户表:
/usr/local/bin/mysql_install_dbcle
注:
如果以前安装了mysql,想覆盖安装:
make deinstall
make clean
rm /usr/local/bin/mysql*
rm /usr/bin/mysql*
make FORCE_PKG_REGISTER=yes reinstall
强制重新安装。
更改存放数据库文件夹的权限和所有人:
chown -R mysql /var/db/mysql/
chgrp -R mysql /var/db/mysql/
cp /usr/local/share/mysql/my-large.cnf /etc/my.cnf
启动数据库:
/usr/local/bin/mysqld_safe -user=mysql &
更改数据库用户root的密码:
/usr/local/bin/mysqladmin -u root password 123456
检测是否可以连接mysql服务器端。
/usr/local/bin/mysql -uroot -p123456
cd /usr/ports/security/snort/
make
cd /usr/ports/security/snort/work/snort-2.4.5/schemas
建一个库,名字叫snort,给root的权限为在本地可以select、insert数据库snort中的表:
echo “CEATE DATABASE snort; “| mysql –u root –p123456
mysql –u root –p123456
mysql> grant INSERT, SELECT on snort.* to snort@localhost identified by "123456";
Query OK, 0 rows affected (0.01sec)
mysql>exit
cd /usr/ports/security/snort/work/snort-2.4.5/schemas
/usr/local/bin/mysql -uroot -p123456 < ./create_mysql snort
12)安装APACHE, ACID, etc for SNORT
cd /usr/ports/www/apache13
make install clean
13)PHPMod安装:
cd /usr/ports/lang/php4
ee Makefile
CONFIGURE_ARGS= --enable-versioning \
--enable-memory-limit \
--with-layout=GNU \
--disable-all \
--with-pcre \
--enable-bcmath \
--enable-session \
--with-gd \
--with-mysql \
--with-zlib-dir=/usr \
--enable-sockets \\
保存
安装ADODB and Graphics Libraries
cd /usr/ports/databases/adodb && make install clean
cd /usr/ports/graphics/gd && make install clean
cd /usr/ports/graphics/phplot && make install clean
cd /usr/ports/lang/php4
install make clean
14)安装和配置ACID
acid可以分析snort截获的TCP, UDP, ICMP packets.
cd /usr/ports/security/snort
cd /usr/ports/security/acid && make install clean
会弹出一个对话框,选择perl,回车继续。
cd /usr/ports/security/acid && make install clean
chmod 644 /usr/local/www/acid/acid_conf.php
ee /usr/local/www/acid/acid_graph_form.php
ADD
After the line with
ADD
保存
ee /usr/local/www/acid/acid_conf.php
$DBlib_path = "/usr/local/share/adodb"; //删除原来的行,12行左右
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "3306";
$alert_user = "snort";
$alert_password = "123456";
修改:
$ChartLib_path = "/usr/local/share/jpgraph"
$portscan_file = "/var/log/snort/portscan.log"
保存
15)配置apache
mkdir /usr/local/etc/apache/conf
htpasswd –c /usr/local/etc/apache/conf/passwordAcid admin
htpasswd /usr/local/etc/apache/conf/passwordAcid IDS01
vi /usr/local/etc/apache/httpd.conf
检查是否有:
LoadModule php4_module libexec/apache/libphp4.so
AddModule mod_php4.c
修改:
DocumentRoot "/usr/local/www/"
AuthType Basic
AuthName "Snort Main Console WELCOME…….."
AuthUserFile /usr/local/etc/apache/conf/passwordAcid
require valid-user
Options Indexes FollowSymLinks MultiViews
添加:
AddType application/x-httpd-php /php
AddType application/x-httpd-php-source .phps
16)配置host表
ee /etc/hosts
127.0.0.1 localhost localhost.my.domain -> 127.0.0.1 localhost database database.domain.com
vi /etc/resolv.conf
添加:
search localhost
nameserver 10.5.1.1
保存
17)安装snort2.6.0
cd /usr/ports/net/libpcap && make install clean
fetch http://www.snort.org/dl/current/snort-2.6.0.tar.gz
tar zxvf snort-2.6.0.tar.gz
cd snort-2.6.0
./configure --with-mysql --enable-rulestate --enable-flexresp --with-libnet-includes=/usr/local/include --with-libnet-libraries=/usr/local/lib --enable-dynamicplugin --enable-inline --enable-ipfw --enable-react --prefix=/usr/local/snort2.6
make && make install
安装完成
vi /usr/local/etc/snort.conf
var HOME_NET any -> var HOME_NET 10.5.3.0/24
添加:
output database: log, mysql, user=root password=123456 dbname=snort host=localhost
打开所有的rules:
include $RULE_PATH/local.rules
...
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
修改rules的路径:
var RULE_PATH /usr/local/etc/snort_rules/
安装完成
编写启动脚本:
mkdir /root/script
ifconfig查看网卡---lnc0为当前网卡名称
vi lnc0.sh
#!/bin/sh
case "$1" in
start)
if test -x /usr/local/bin/snort
then
#网卡进入混杂模式
ifconfig lnc0 promisc
#启动snort为daemon
/usr/local/bin/snort -c /usr/local/etc/snort.conf -i lnc0 -u root -D > /dev/null & echo -n
echo 'Snort has been started .........'
echo ""
fi
;;
stop)
/usr/bin/killall snort >/dev/null 2>&1 && echo -n 'Snort has been stopped....'
echo ""
;;
*)
echo "Usage: `basename $0` {start|stop}"
echo ""
exit 64
;;
esac
vi stop.IDS01.sh
#!/bin/sh
echo "Stopping SIDS01.................."
./lnc0.sh stop
echo "please waiting..."
sleep 3
/usr/local/sbin/apachectl stop
sleep 3
/usr/local/etc/rc.d/mysql-server stop
vi start.IDS01.sh
#!/bin/sh
#This script will start the MySQL server and Apache services
echo “I will first try to close all MySQL services and Apache services just in
echo “Starting MySQL services”
/usr/local/etc/rc.d/mysql-server start
echo “Staring Apache services”
/usr/local/sbin/apachectl start
sleep 2
/usr/local/libexec/idled -f /usr/local/etc/idled.cf
./lnc0.sh start
echo "Please waiting for 5-10s...,system is chang netcard's mode now."
sleep 2
#/usr/local/bin/snort -d -h 10.5.3.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D
/usr/local/bin/snort -c /usr/local/etc/snort.conf -i lnc0 -u root -D > /dev/null & echo -n
chmod 755 /root/scripts/*.sh
18)下载rules:
fetch
mkdir /usr/local/etc/snort_rules
mv snortrules-pr-2.4.tar.gz /usr/local/etc/snort_rules
cd /usr/local/etc/snort_rules
tar zxvf snortrules-pr-2.4.tar.gz
chmod -R 0755 chmod -R 0755 /usr/local/etc/snort_rules
19)启动idled、apache、mysql和snort,并使网卡进入混杂模式
/root/scripts/start.IDS01.sh
20)遇到的问题:
1:mod_unique_id.so的问题:
解决方法:
vi /etc/rc.conf
添加:
hostname database
保存
vi /etc/hosts
127.0.0.1 localhost database database.domain.com
10.5.3.145 localhost database
保存
hostname database
/etc/netstart
此时:
# ping database
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=1.903 ms
解析为本机即可...
2:snort无法启动的问题:
/usr/local/bin/snort -c /usr/local/etc/snort.conf
检查snort的配置文件是否有问题,如果有,及时修改配置文件
3:acid无法读出数据,页面显示正常但是没有数据:
首先检查snort是否已经通过create_mysql建立了表;
如果有表,执行:
grant all on snort.* to root@localhost identified by "123456";
grant all on snort.* to snort@localhost identified by "123456";
grant all on snort.* to snort_log@localhost identified by "123456";
flush privileges;
quit
应该可以了。
如果连表都没有建立,请回到snort的解压缩后的原始目录:
cd /usr/ports/security/snort/snort-2.6.0/schemas
chmod 755 create_mysql
mysql -uroot -p123456 snort < ./create_mysql
mysql -uroot -p123456 snort < /usr/local/www/acid/create_acid_tbls_mysql.sql
21)附录:
如果想独立安装软件,也可以,但是port安装更快捷,更顺利一些罢了:
安装顺序:
apache 1.3.37 -> mysql 4.1.21 -> jpegsrc v6b -> jpgraph 1.20.4a -> zlib 1.2.3 -> libpng 1.2.8 -> gd 2.0.9 -> openssl 0.9.7c -> mod_ssl-2.8.28-1.3.37 -> ADODB Library for PHP4 -> php 4.4.3 -> phplot for ACID v. [0.9.6b9 - 0.9.6b21] -> JPGraph (for ACID v. >= 0.9.6b22) -> snort 2.6.0
以下是我整理的一些可能用到的资料。如下:
apache 1.3.37
fetch
tar zxvf apache_1.3.37.tar.gz
cd apache_1.3.37
./configure
acid
fetch
php:
fetch
tar jxvf php-4.4.3.tar.bz2
cd php-4.4.3
./configure --enable-versioning --enable-memory-limit --with-layout=GNU --with-config-file-scan-dir=/usr/local/etc/php --disable-all --with-pcre --enable-bcmath --enable-session --with-gd --with-mysql --with-zlib-dir=/usr --enable-sockets --enable-fastcgi --with-apxs=/usr/local/sbin/apxs --with-regex=php --with-openssl=/usr --with-openssl-dir=/usr --prefix=/usr/local && make && make install
