Category: LINUX

2011-07-29 11:03:24

I. Introduction to Snort

Snort was designed to fill the gap left by expensive, heavyweight network intrusion detection systems. It is a free, cross-platform package that works as a sniffer, packet logger and intrusion detector for small TCP/IP networks. It runs on Linux/UNIX and Win32 and takes only a few minutes to install and start using.

Some of Snort's capabilities:
    - real-time traffic analysis and packet logging
    - packet payload inspection
    - protocol analysis and content search/matching
    - detection of buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts
    - real-time alerting to syslog, a specified file, a Unix socket, or via Samba WinPopup messages

Snort has three main modes: packet sniffer, packet logger, or full intrusion detection system. In keeping with open-source/free-software practice, Snort supports plugins, extensions and customisation of many kinds, including database or XML logging, small-fragment detection and statistical anomaly detection.

Packet payload inspection is one of Snort's most useful features: it means many additional kinds of hostile activity can be detected.

II. Install the software needed for MySQL, Apache, PHP and Snort.

1. Set up a LAMP environment

2. Download the software

wget

wget

wget  http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz

 

Snort   

daq

base  http://sourceforge.net/projects/secureideas/  

3. Install the build and runtime dependencies Snort needs

yum install gcc gcc-c++ kernel-devel patch make vim ssh libxml2 libxml2-devel

yum install pcre pcre-devel php php-common php-gd gd php-cli php-mysql flex bison php-pear-Numbers-Roman php-pear-Numbers-Words php-pear-Image-Color php-pear-Image-Canvas php-pear-Image-Graph libpcap libpcap-devel glib2-devel

III. Install and configure Snort

1. Install libpcap

tar -xzf libpcap-1.0.0.tar.gz

cd libpcap-1.0.0

./configure --prefix=/usr

make

make install

2. Install libdnet:

cd libdnet-1.12

./configure

make

make install

3. Install DAQ:

tar -xf daq-0.5.tar

cd daq-0.5

./configure         # requires libpcap >= 1.0.0 (installed above); otherwise this step fails

make

make install

4. Install Snort:

tar -xf snort-2.9.0.5.tar

cd snort-2.9.0.5

./configure --with-mysql=/usr/local/mysql --enable-dynamicplugin --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3

make

make install

groupadd snort

useradd -g snort snort -s /sbin/nologin

mkdir /etc/snort

mkdir /etc/snort/rules

mkdir /etc/snort/so_rules

mkdir /etc/snort/preproc_rules

mkdir /var/log/snort

chown snort:snort /var/log/snort

cd /root/Snort/snort-2.9.0.5/etc    # the etc/ directory of the source tree built in step 4

cp * /etc/snort/

Edit /etc/snort/snort.conf:

Change RULE_PATH and SO_RULE_PATH to absolute paths (the shipped defaults are relative to the source tree):

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

Configure the database output:

output database: log, mysql, user=snort password=snort dbname=snort host=localhost

Add the line:

output unified2: filename snort.log, limit 128

Once barnyard2 (step 6) reads the unified2 files and writes them to MySQL, the direct "output database" line is redundant and every alert ends up stored twice (once by Snort, once by barnyard2); if you run barnyard2, keep only the unified2 line.

5. Install the Snort rules

Register to download the Snort rule snapshot:

wget /reg-rules/snortrules-snapshot-2902.tar.gz/a2dec5e394b80d5337fe9ed57151787139a2fe28 -O snortrules-snapshot-2902.tar.gz

mkdir snortrules

cd snortrules

tar -zxf ../snortrules-snapshot-2902.tar.gz    # the archive was downloaded into the parent directory

cp rules/* /etc/snort/rules

cp -r so_rules/* /etc/snort/so_rules    # -r: so_rules/ contains the precompiled/ subtree used below

cp preproc_rules/* /etc/snort/preproc_rules

mkdir /usr/local/lib/snort_dynamicrules

cp /etc/snort/so_rules/precompiled/Centos-5-4/x86-64/2.9.0.3/*.so /usr/local/lib/snort_dynamicrules

The precompiled shared-object rules are built per distribution, architecture and exact Snort version. Pick the directory under so_rules/precompiled that matches the Snort you compiled (the path above is for 2.9.0.3, whereas step 4 builds 2.9.0.5); otherwise Snort fails to load them.


 

6. Install barnyard2

tar -xzf barnyard2-1.9.tar.gz

cd barnyard2-1.9

./configure --with-mysql=/usr/local/mysql --enable-gre --with-mysql-libraries=/usr/lib64/mysql/    # --with-mysql-libraries: 64-bit library location

make

make install

cp etc/barnyard2.conf /etc/snort/

mkdir /var/log/barnyard2

chown snort:snort /var/log/barnyard2    # not chmod 666: a directory without the execute bit cannot be entered

touch /var/log/snort/barnyard2.waldo

chown snort:snort /var/log/snort/barnyard2.waldo

Edit /etc/snort/barnyard2.conf and set the following:

config hostname: localhost

config interface: eth0

output database: log, mysql, user=snort password=snort dbname=snort host=localhost

barnyard2.conf now carries the database password, so keep it owned by root (or snort) with mode 640 rather than world-readable.

 

7. Create the Snort databases and grant privileges to the snort user

mysql> create database snort;
Query OK, 1 row affected (0.03 sec)

mysql> create database snort_archive;
Query OK, 1 row affected (0.00 sec)

mysql> use snort;
Database changed
mysql> source snort-2.9.0.5/schemas/create_mysql;
Query OK, 0 rows affected (0.01 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)

mysql> use snort_archive ;
Database changed
mysql> source snort-2.9.0.5/schemas/create_mysql;
Query OK, 0 rows affected (0.00 sec)

Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on snort.* to snort@'localhost' identified by 'snort';

mysql> flush privileges;

Use a real password instead of snort, and keep it identical in snort.conf, barnyard2.conf and base_conf.php. ALL PRIVILEGES is convenient here because BASE reuses the same account and its setup page creates tables; a dedicated barnyard2 account needs no more than INSERT, SELECT and UPDATE on snort.*. snort_archive gets no grant because BASE is configured below with $archive_exists = 0.

8. Install ADOdb and BASE:

cd /var/www/html

cp adodb512.zip /var/www/html/

cp base-1.4.5.tar.gz /var/www/html/

unzip adodb512.zip

tar -xzf base-1.4.5.tar.gz

mv base-1.4.5 base

chown -R root:root base

chmod 777 base

World-writable permissions on a web root are unnecessary when base_conf.php is edited by hand as below; the web server only needs to read and traverse the directory, so chmod 755 base is enough.

vim /etc/php.ini and set the following line to be: error_reporting  =  E_ALL & ~E_NOTICE

service httpd restart

 

Configure BASE

cp base/base_conf.php.dist base/base_conf.php

Set the following:

$BASE_urlpath = "/base";

$DBlib_path = "/var/www/html/adodb5";    // the directory unzip created in step 8 (adodb512.zip unpacks to adodb5)

$DBtype = "mysql";

$alert_dbname = "snort";

$alert_host = "localhost";

$alert_port = "";

$alert_user = "snort";

$alert_password = "snort";

/* Archive DB connection parameters */

$archive_exists = 0; # Set this to 1 if you have an archive DB!

9. Initialise BASE

Open http://<server>/base/ in a browser (replace <server> with your web host) and run the setup page, which creates the extra tables BASE needs in the snort database.

10. Start the services

10.1 Set the environment variable and start Snort and barnyard2

export PCAP_FRAMES=max

/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

Add the commands above to /etc/rc.local to start them at boot.

10.2 Init scripts

wget http://internetsecurityguru.com/snortinit/snort

wget http://internetsecurityguru.com/snortinit/barnyard

Read the scripts before installing them under /etc/init.d; they run as root at boot.
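The steps above scatter paths and the database password across snort.conf, barnyard2.conf and base_conf.php, and two of the most common slips are a rule path that is still relative (or misspelt, so_rule for so_rules) and a credential file left world-readable. As an added example, not part of the original post, here is a POSIX sh script that audits such a layout: check_rule_paths verifies that every `var NAME_PATH DIR` in snort.conf is an absolute path to an existing directory, and check_secret_perms verifies that no file mentioning a password grants any permission to "other". The function names are mine, and the directory tree built by make_sample_tree under mktemp is constructed for the demo; on a real host run check_rule_paths against /etc/snort/snort.conf directly.

```shell
#!/bin/sh
# Added example (not from the original post): post-install sanity checks for the
# Snort + barnyard2 layout built above. Two checks:
#   1. every "var NAME_PATH DIR" line in snort.conf is an absolute path to a
#      directory that exists (catches relative defaults and typos like so_rule);
#   2. no config file that carries the MySQL password is readable by "other".
# make_sample_tree/fix_sample_tree build a constructed demo tree under mktemp.

# Return 0 if every *_PATH variable in the snort.conf given as $1 is absolute
# and names an existing directory; print each problem and return 1 otherwise.
check_rule_paths() {
    conf=$1
    rc=0
    # awk emits NAME=DIR pairs so the loop runs in the current shell (no pipe/subshell)
    for pair in $(awk '$1 == "var" && $2 ~ /_PATH$/ { print $2 "=" $3 }' "$conf"); do
        name=${pair%%=*}
        dir=${pair#*=}
        case $dir in
            /*) ;;
            *) echo "$name is relative ($dir); use an absolute path" >&2; rc=1; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "$name points to a missing directory: $dir" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if none of the files given as arguments both mention a password and
# grant any permission to "other"; return 1 otherwise. ls(1) keeps it portable.
check_secret_perms() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -qi 'password' "$f" || continue
        other=$(ls -ld "$f" | cut -c8-10)    # columns 8-10 of ls -l are the "other" bits
        if [ "$other" != "---" ]; then
            echo "$f holds a database password but is world-accessible (other=$other)" >&2
            rc=1
        fi
    done
    return $rc
}

# Run both checks on a tree rooted at $1 (use / for a real install).
audit_tree() {
    root=$1
    audit_rc=0
    check_rule_paths "$root/etc/snort/snort.conf" || audit_rc=1
    check_secret_perms "$root/etc/snort/snort.conf" "$root/etc/snort/barnyard2.conf" || audit_rc=1
    return $audit_rc
}

# Constructed demo tree mirroring the post's layout, with three deliberate
# faults: a relative PREPROC_RULE_PATH, the so_rule/so_rules typo, and a
# world-readable barnyard2.conf containing the password.
make_sample_tree() {
    root=$1
    mkdir -p "$root/etc/snort/rules" "$root/etc/snort/so_rules" "$root/etc/snort/preproc_rules"
    cat > "$root/etc/snort/snort.conf" <<EOF
var RULE_PATH $root/etc/snort/rules
var SO_RULE_PATH $root/etc/snort/so_rule
var PREPROC_RULE_PATH ../preproc_rules
output unified2: filename snort.log, limit 128
EOF
    cat > "$root/etc/snort/barnyard2.conf" <<EOF
config hostname: localhost
config interface: eth0
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
EOF
    chmod 644 "$root/etc/snort/barnyard2.conf"
}

# Apply the fixes the post calls for: absolute paths, the correct directory
# name, and a credential file readable only by owner and group.
fix_sample_tree() {
    root=$1
    cat > "$root/etc/snort/snort.conf" <<EOF
var RULE_PATH $root/etc/snort/rules
var SO_RULE_PATH $root/etc/snort/so_rules
var PREPROC_RULE_PATH $root/etc/snort/preproc_rules
output unified2: filename snort.log, limit 128
EOF
    chmod 640 "$root/etc/snort/barnyard2.conf"
}

# Demo: the faulty tree is flagged, the fixed tree passes.
demo=$(mktemp -d)
make_sample_tree "$demo"
if audit_tree "$demo"; then echo "unexpected: faulty tree passed"; else echo "faulty tree flagged"; fi
fix_sample_tree "$demo"
if audit_tree "$demo"; then echo "fixed tree passes"; else echo "unexpected: fixed tree failed"; fi
rm -rf "$demo"
```

The path check deliberately matches every `*_PATH` variable, not just RULE_PATH and SO_RULE_PATH, so on a stock 2.9.x snort.conf it also covers PREPROC_RULE_PATH and the white/black list paths, all of which must exist before `snort -c` will start.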


Installation References:

  • /assets/159/Snort_2.9.0.3_FC14_Base.pdf
  • /assets/145/Install_Snort_2.8.6_on_CentOS_5.5.pdf

Snort can run in one of 3 modes:

  1. Sniffer Mode: Captures packets on the wire and dumps them to your screen (console)
    1. Command (shows only TCP and IP headers): ./snort -v
    2. Command (shows data as well): ./snort -vd
    3. Command (shows data link layer headers as well): ./snort -vde
  2. Packet Logger Mode: Captures packets and logs them to a disk file
    1. Command: ./snort -dev -l /var/log/snort/
    2. Command (log in binary mode, faster): ./snort -dev -l /var/log/snort -b
    3. Command (to replay saved data): ./snort -dvr /var/log/snort/packet.log
      1. NOTE: You can also use something like tcpdump or Ethereal to replay a saved file
  3. Network Intrusion Detection System (NIDS) Mode: Applies the rule set in snort.conf to the captured traffic; the command in step 10.1 above (snort -c /etc/snort/snort.conf -i eth0 ...) runs Snort in this mode

Additional Notes:

I tried these steps to install Snort via yum; it worked fine, but I had issues with the rules afterwards (since the version provided by yum and the version of the rules don't match):

  1. Verify requirements are met:
    1. libpcap installed
    2. PCRE installed
    3. libnet installed
    4. Barnyard installed
  2. Once that is done we will add the Atomic Rocket Turtle Repo so that we can use yum to install snort

wget 

wget

rpm --import RPM-GPG-KEY.art.txt

wget

sh atomic.sh

  3. yum install snort snort-mysql

 
