Category: LINUX
2011-07-29 11:03:24
I. Introduction to Snort
Snort was designed to fill the gap left by expensive, heavyweight network intrusion detection systems. It is a free, cross-platform package that serves as a sniffer, packet logger and intrusion detector for monitoring small TCP/IP networks. It runs on Linux/UNIX and Win32; installing it and getting started takes only a few minutes.
Some of Snort's features:
- Real-time traffic analysis and packet logging
- Packet payload inspection
- Protocol analysis and content searching/matching
- Detection of buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts
- Real-time alerting to syslog, a specified file, a Unix socket, or WinPopup messages via Samba
Snort has three main modes of operation: packet sniffer, packet logger, or full intrusion detection system. In keeping with the most important convention of open/free software, Snort supports plugins, extensions and customization of every kind, including database or XML logging, small-fragment detection and statistical anomaly detection.
Packet payload inspection is one of Snort's most useful features: it means many additional kinds of hostile activity can be detected.
II. Installing MySQL, Apache, PHP and the other software Snort needs
1. Set up the LAMP environment
2. Download the software
wget
wget
wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
Snort
daq
base http://sourceforge.net/projects/secureideas/
3. Install the build dependencies for Snort
yum install gcc gcc-c++ kernel-devel patch make vim ssh libxml2 libxml2-devel
yum install pcre pcre-devel php php-common php-gd gd php-cli php-mysql flex bison php-pear-Numbers-Roman php-pear-Numbers-Words php-pear-Image-Color php-pear-Image-Canvas php-pear-Image-Graph libpcap libpcap-devel glib2-devel
III. Installing and configuring Snort
1. Install libpcap
tar -xzf libpcap-1.0.0.tar.gz
cd libpcap-1.0.0
./configure --prefix=/usr
make
make install
2. Install libdnet:
cd libdnet-1.12
./configure
make
make install
3. Install DAQ
tar -xf daq-0.5.tar
cd daq-0.5
./configure    # requires the libpcap 1.0.0 installed above; without it configure fails
make
make install
4. Install Snort
tar -xf snort-2.9.0.5.tar
cd snort-2.9.0.5
./configure --with-mysql=/usr/local/mysql --enable-dynamicplugin --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
make
make install
groupadd snort
useradd -g snort snort -s /sbin/nologin
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /etc/snort/so_rules
mkdir /var/log/snort
chown snort:snort /var/log/snort
cd /root/Snort/snort-2.9.0.3/etc    # etc/ of the unpacked Snort source; the version in this path differs from the 2.9.0.5 tarball above, so use the tree you actually built
cp * /etc/snort/
Edit /etc/snort/snort.conf.
Change RULE_PATH and SO_RULE_PATH to absolute paths (the directory names must match the ones created above):
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
Configure the database output:
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
Add the line:
output unified2: filename snort.log, limit 128
5. Install the Snort rules
Register to download the snortrules snapshot:
wget /reg-rules/snortrules-snapshot-2902.tar.gz/a2dec5e394b80d5337fe9ed57151787139a2fe28 -O snortrules-snapshot-2902.tar.gz
mkdir snortrules
cd snortrules
tar -zxf ../snortrules-snapshot-2902.tar.gz
mkdir /etc/snort/preproc_rules    # not created earlier; the cp below needs it
cp rules/* /etc/snort/rules
cp so_rules/* /etc/snort/so_rules
cp preproc_rules/* /etc/snort/preproc_rules
mkdir /usr/local/lib/snort_dynamicrules
cp /etc/snort/so_rules/precompiled/Centos-5-4/x86-64/2.9.0.3/*.so /usr/local/lib/snort_dynamicrules
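A quick consistency check for the edits above, added here as an example and not part of the original post or of Snort: the script reads a snort.conf, checks that every absolute `var` path exists, expands `$NAME` references in `include` and `dynamic*` directives using those `var` lines, and reports whatever is missing. It would catch a mistyped directory (for instance `so_rule` where the directory created earlier is `so_rules`) or a rules file that was never copied, before the daemon is started. The function names are my own; the sample configuration in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: sanity-check the paths referenced by a snort.conf.
# Not part of the original post or of Snort; function names are the author's own.

# Expand $NAME references in PATH using "var NAME value" lines from CONF.
# Prints the expanded path, or fails (status 1) if a name has no var line.
resolve_path() {
    conf=$1
    p=$2
    while echo "$p" | grep -q '\$[A-Za-z_][A-Za-z0-9_]*'; do
        name=$(echo "$p" | sed -n 's/.*\$\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p')
        value=$(awk -v n="$name" '$1 == "var" && $2 == n { print $3; exit }' "$conf")
        if [ -z "$value" ]; then
            return 1
        fi
        # Replace this one reference; the loop picks up any that remain.
        p=$(echo "$p" | sed "s|\\\$$name|$value|")
    done
    echo "$p"
}

# Print one "MISSING <kind>: <path>" line for every referenced path that does not exist.
report_missing_paths() {
    conf=$1
    # "var NAME /abs/path": the directory (or file) itself must exist.
    awk '$1 == "var" && $3 ~ /^\// { print $3 }' "$conf" | while read -r p; do
        [ -e "$p" ] || echo "MISSING var: $p"
    done
    # "include <file>" and "dynamic<type> directory|file <path>" references.
    awk '$1 == "include" { print $2 }
         $1 ~ /^dynamic/ && ($2 == "directory" || $2 == "file") { print $3 }' "$conf" |
    while read -r ref; do
        if p=$(resolve_path "$conf" "$ref"); then
            [ -e "$p" ] || echo "MISSING include: $p"
        else
            echo "MISSING var definition for: $ref"
        fi
    done
}

# Number of problems found; 0 means every referenced path exists.
count_missing_paths() {
    report_missing_paths "$1" | grep -c '^MISSING'
}

# On the sensor, run against the live file:
#   report_missing_paths /etc/snort/snort.conf
```

Snort's own test mode (`snort -T -c /etc/snort/snort.conf`) performs a fuller validation, since it also parses the rules; this script is a lightweight pre-check that works on any machine holding a copy of the configuration.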
6. Install barnyard2
tar -xzf barnyard2-1.9.tar.gz
cd barnyard2-1.9
./configure --with-mysql=/usr/local/mysql --enable-gre --with-mysql-libraries=/usr/lib64/mysql/    # --with-mysql-libraries is the 64-bit setting
make
make install
cp etc/barnyard2.conf /etc/snort/
mkdir /var/log/barnyard2
chown snort:snort /var/log/barnyard2    # a directory needs its execute bit to be traversable, so mode 666 would break it; give it to the snort user instead
touch /var/log/snort/barnyard2.waldo
chown snort:snort /var/log/snort/barnyard2.waldo
Edit /etc/snort/barnyard2.conf and change the following:
config hostname: localhost
config interface: eth0
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
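Two points worth checking before this goes live: the `output database:` line in snort.conf and the one in barnyard2.conf point both daemons at the same tables, so every event Snort writes directly is written a second time when barnyard2 replays the unified2 spool (normally only `output unified2` stays in snort.conf and barnyard2 alone talks to the database); and the account's password should not simply equal its user name. The script below is an added example, not from the original post or from the Snort/barnyard2 projects, that audits both files for exactly those two conditions plus a dbname mismatch. Function names are my own; the files in the usage comment are the page's paths.

```shell
#!/bin/sh
# Added example: audit the "output database:" lines of snort.conf and barnyard2.conf.
# Not part of the original post or of the Snort/barnyard2 projects; names are the author's own.

# Print the key=value settings of the first active "output database:" line in CONF,
# one per line (the log/alert mode and backend name are not key=value and are skipped).
db_output_settings() {
    awk '$1 == "output" && $2 == "database:" {
             for (i = 3; i <= NF; i++) { sub(/,$/, "", $i); if ($i ~ /=/) print $i }
             exit
         }' "$1"
}

# Value of one key (user, password, dbname, host) from CONF; empty if absent.
db_setting() {
    db_output_settings "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# Emit a FINDING line if the password is empty or identical to the user name.
weak_password_finding() {    # arguments: label user password
    if [ -n "$2" ]; then
        if [ -z "$3" ] || [ "$3" = "$2" ]; then
            echo "FINDING: $1: database password for user '$2' is empty or equal to the user name"
        fi
    fi
}

# Print one FINDING line per problem found across the two configuration files.
report_db_findings() {
    snort_conf=$1
    by2_conf=$2
    s_user=$(db_setting "$snort_conf" user)
    b_user=$(db_setting "$by2_conf" user)
    # 1) Snort writing to the database directly AND barnyard2 replaying unified2
    #    into it stores every event twice. Keep only "output unified2" in snort.conf.
    if [ -n "$s_user" ] && [ -n "$b_user" ]; then
        echo "FINDING: both snort.conf and barnyard2.conf have an active 'output database:' line (events will be logged twice)"
    fi
    # 2) Weak credentials in either file.
    weak_password_finding snort.conf "$s_user" "$(db_setting "$snort_conf" password)"
    weak_password_finding barnyard2.conf "$b_user" "$(db_setting "$by2_conf" password)"
    # 3) If both lines are present they must at least name the same database.
    s_db=$(db_setting "$snort_conf" dbname)
    b_db=$(db_setting "$by2_conf" dbname)
    if [ -n "$s_db" ] && [ -n "$b_db" ] && [ "$s_db" != "$b_db" ]; then
        echo "FINDING: dbname differs between snort.conf ($s_db) and barnyard2.conf ($b_db)"
    fi
}

# Number of findings; 0 means the files are consistent and the password is not trivial.
count_db_findings() {
    report_db_findings "$1" "$2" | grep -c '^FINDING'
}

# On the sensor:
#   report_db_findings /etc/snort/snort.conf /etc/snort/barnyard2.conf
```

Run as written against the files configured in this post, the script reports three findings (duplicate logging and the user-name password in both files); commenting out the `output database:` line in snort.conf and choosing a real password brings it to zero.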
7. Create the Snort databases
mysql> create database snort;
Query OK, 1 row affected (0.03 sec)
mysql> create database snort_archive;
Query OK, 1 row affected (0.00 sec)
mysql> use snort;
Database changed
mysql> source snort-2.9.0.5/schemas/create_mysql;
Query OK, 0 rows affected (0.01 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
mysql> use snort_archive ;
Database changed
mysql> source snort-2.9.0.5/schemas/create_mysql;
Query OK, 0 rows affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
mysql>
8. Grant privileges to the snort user
mysql> grant all privileges on snort.* to snort@'localhost' identified by "snort";
mysql> flush privileges;
Install BASE and ADOdb
cp adodb512.zip /var/www/html/
cp base-1.4.5.tar.gz /var/www/html/
cd /var/www/html
unzip adodb512.zip
tar -xzf base-1.4.5.tar.gz
mv base-1.4.5 base
chown -R root:root base
chmod 777 base
Edit /etc/php.ini and set the following line to: error_reporting = E_ALL & ~E_NOTICE
service httpd restart
Configure BASE and ADOdb
cp base/base_conf.php.dist base/base_conf.php
Change the following:
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/";    /* must be the directory adodb512.zip was unpacked into */
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "snort";
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB!
9. Initialize BASE
Initialize BASE through its web interface.
10. Start the services
10.1 Set the environment variable and start Snort and barnyard2
export PCAP_FRAMES=max
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
Add the lines above to /etc/rc.local.
10.2 Init scripts
wget http://internetsecurityguru.com/snortinit/snort
wget http://internetsecurityguru.com/snortinit/barnyard
Installation References:
Snort can run in one of 3 modes:
Command (shows data link layer headers as well): ./snort -vde
Additional Notes:
I tried these steps to install Snort via yum, worked fine, but had issues with rules after that (since the version provided by yum and version of rules don’t match):
wget
wget
rpm --import RPM-GPG-KEY.art.txt
wget
sh atomic.sh