Linux snort+base搭建IDS入侵检测系统
2014-06-13 11:37
141 查看
Snort是美国Sourcefire公司开发的发布在GPL v2下的IDS(Intrusion Detection System)软件
Snort
有
三种工作模式:嗅探器、数据包记录器、网络入侵检测系统模式。嗅探器模式仅仅是从网络上读取数据包并作为连续不断的流显示在终端上。数据包记录器模式把数
据包记录到硬盘上。网路入侵检测模式分析网络数据流以匹配用户定义的一些规则,并根据检测结果采取一定的动作。网络入侵检测系统模式是最复杂的,而且是可
配置的。
Snort可以用来监测各种数据包如端口扫描等之外,还提供了以XML形式或数据库形式记录日志的各种插件。
Snort
作为常见的支持分布式的网络入侵检测系统(NIDS),能够进行实时网络流量分析并记录各类攻击行为和相关网络数据包。BASE(Basic
Analysis and Security
Engine)是基于PHP的广泛使用的一种高效Snort分析查询系统。虽然这两者配合安装配置有些复杂,但是因为其比较灵活,扩展性好,只要配置使用
得当,也适合用来构建校园网入侵检测平台。
Snort
支持多种操作系统(Windows/Linux/Solaris等),源代码和安装包可以从http://www.snort.org获取,由于
Snort版本一直都在持续更新,以下介绍以2.8.5
版本为例。综合性能和功能考虑,不建议在Windows下安装Snort。可以选择的Linux发行版本,推荐CentOS、Fedora、
Redhat。虽然Snort都有rpm 包提供,安装比较方便,不过从源代码编译会更加灵活和便于进行优化。
Snort的一些功能:
- 实时通讯分析和信息包记录
- 包装有效载荷检查
- 协议分析和内容查询匹配
- 探测缓冲溢出、秘密端口扫描、CGI攻击、SMB探测、操作系统侵入尝试
- 对系统日志、指定文件、Unix socket或通过Samba的WinPopus 进行实时警
Snort有三种主要模式:信息包嗅探器、信息包记录器或成熟的侵入探测系统。遵循开发/自由软件最重要的惯例,Snort支持各种形式的插件、扩充和定制,包括数据库或是XML记录、小帧探测和统计的异常探测等。
信息包有效载荷探测是Snort最有用的一个特点,这就意味着很多额外种类的敌对行为可以被探测到。
下载地址:
1.在http://www.snort.org/ 注册就可以下载到snortrules-snapshot
2.
在http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/rules/
可以下载到一个第三方的rules
文件rules.tar.gz,这个系列更新也比较频繁,snortrules-snapshot-2.8.tar.gz 是在51cto上下载的。
3.BASE
可以从http://sourceforge.net/projects/secureideas/
获取版本或者用软件SnortCenter是一个基于Web的snort探针和规则管理系统,用于远程修改snort探针的配置,起动、停止探针,编辑、
分发snort特征码规则。http://users.telenet.be/larc/download/
4.Adodb 可以从http://sourceforge.net/projects/adodb/ 下载.ADODB 是Active Data Objects Data Base 的简称,它是一种PHP 存取数据库的中间函式组件
5.[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm //安装snort包出现依赖关系系
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
libpcap >= 0.4 is needed by snort-2.8.5.1-1.fc13.i686
libpcap.so.1 is needed by snort-2.8.5.1-1.fc13.i686
libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686
[root@localhost centos6]# rpm -q libpcap//查询libpcap没装
package libpcap is not installed
[root@localhost centos6]# yum -y install libpcap//安装libpcap包
[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm//在次安装snort出现两个依赖
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686
[root@localhost centos6]# yum -y install libgnutls26//安装libgnutls26包
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: centos.ustc.edu.cn
* extras: centos.ustc.edu.cn
* updates: centos.ustc.edu.cn
Setting up Install Process
No package libgnutls26 available.
Error: Nothing to do
[root@localhost centos6]# yum -y install gnutls//安装gnutls包
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* extras: centos.ustc.edu.cn
* updates: centos.ustc.edu.cn
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package gnutls.i686 0:2.8.5-4.el6_2.2 set to be updated
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3) for package: gnutls-2.8.5-4.el6_2.2.i686
--> Processing Dependency: libtasn1.so.3 for package: gnutls-2.8.5-4.el6_2.2.i686
--> Running transaction check
---> Package libtasn1.i686 0:2.3-3.el6_2.1 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
===============================================================
Package Arch Version Repository Size
=====================================================
Installing:
gnutls i686 2.8.5-4.el6_2.2 base 336 k
Installing for dependencies:
libtasn1 i686 2.3-3.el6_2.1 base 239 k
Transaction Summary
===============================================================
Install 2 Package(s)
Upgrade 0 Package(s)
Total download size: 575 k
Installed size: 1.4 M
Downloading Packages:
(1/2): gnutls-2.8.5-4.el6_2.2.i686.rpm | 336 kB 00:00
(2/2): libtasn1-2.3-3.el6_2.1.i686.rpm | 239 kB 00:00
--------------------------------------------------------------------------------
Total 1.7 MB/s | 575 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : libtasn1-2.3-3.el6_2.1.i686 1/2
Installing : gnutls-2.8.5-4.el6_2.2.i686 2/2
Installed:
gnutls.i686 0:2.8.5-4.el6_2.2
Dependency Installed:
libtasn1.i686 0:2.3-3.el6_2.1
Complete!//完成安装。
[root@localhost centos6]# ls//显示当前目录
libprelude-1.0.0-3.fc13.i686.rpm
adodb517.zip snort-2.8.5.1-1.fc13.i686.rpm
base-1.4.5.tar.gz snortcenter-v1.0-RC1.tar.gz
daq-1.1.1_rc-1.RHEL6.i386.rpm snortrules-snapshot-2.8.tar.gz
libprelude-0.9.24.1-2.fc12.i686.rpm
[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm//安装snort出现依赖
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686
[root@localhost centos6]# rpm -ivh libprelude-1.0.0-3.fc13.i686.rpm //安装依赖包
warning: libprelude-1.0.0-3.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
Preparing... ########################################### [100%]
1:libprelude ########################################### [100%]
[root@localhost centos6]# ls//查看当前目录
adodb4992.tgz libprelude-1.0.0-3.fc13.i686.rpm
adodb517.zip snort-2.8.5.1-1.fc13.i686.rpm
base-1.4.5.tar.gz snortcenter-v1.0-RC1.tar.gz
daq-1.1.1_rc-1.RHEL6.i386.rpm snortrules-snapshot-2.8.tar.gz
[root@localhost centos6]# rpm -ivh daq-1.1.1_rc-1.RHEL6.i386.rpm //安装daq包
[root@localhost centos6]# rpm -ivh snort-mysql-2.8.5.1-1.fc13.i686.rpm /
/安装snort-mysql软件包支持mysql数据库,在设置/etc/snort/snort.conf配置output database
参数的时候启动snort -c /etc/snort/snort.conf时候会出错
database: 'mysql' support is not compiled into this build of snort
ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm,
or Windows), then check for alternate builds that contains the necessary
'mysql' support.
If this build of snort was compiled by you, then re-run the
the ./configure script using the '--with-mysql' switch.
For non-standard installations of a database, the '--with-mysql=DIR'
syntax may need to be used to specify the base directory of the DB install.
See the database documentation for cursory details (doc/README.database).
and the URL to the most recent database plugin documentation.
Fatal Error, Quitting..
[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm //最后成功安装snort
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
Preparing... ########################################### [100%]
1:snort ########################################### [100%]
[root@localhost centos6]# cp -rf snortrules-snapshot-2.8.tar.gz /etc/snort/rules
//拷贝snortrules到/etc/snort/rules目录下
[root@localhost centos6]# cd /etc/snort/rules //切换到snort目录
[root@localhost rules]# tar -zxvf snortrules-snapshot-2.8.tar.gz
//解压tar.gz包。如果启动不了拷贝rules到/etc/rules里去。
[root@localhost snort]# service snortd start//启动snortd服务失败
Starting snort: [FAILED]
[root@localhost ~]# cat /var/log/messages //查看messages错误
14 02:47:53 localhost snort[2351]: Ports:
Jul 14 02:47:53 localhost snort[2351]: #01122
Jul 14 02:47:53 localhost snort[2351]:
Jul 14 02:47:53 localhost snort[2351]:
FATAL ERROR: /etc/snort/snort.conf(616) Unknown preprocessor: "dcerpc2".
//提示的错误找到snort.conf文件注释掉
# DCE/RPC 2 //注释掉下面两个dcerpc2.
#----------------------------------------
# See doc/README.dcerpc2 for explanations of what the
# preprocessor does and how to configure it.
#
#preprocessor dcerpc2
#preprocessor dcerpc2_server: default
[root@localhost ~]# service snortd start//最后启动成功
Starting snort: [ OK ]
[root@localhost ~]# snort -V//查看snort版本提示成功。
,,_ -*> Snort! <*-
o" )~ Version 2.8.5.1 (Build 114)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 1998-2009 Sourcefire, Inc., et al.
Using PCRE version: 7.8 2008-09-05
[root@localhost ~]# service snortd restart//重启成功
Stopping snort: www.2cto.com [ OK ]
Starting snort: [ OK ]
[root@localhost ~]# service snortd status//查看snortd服务状态。
snort (pid 1677) is running...
[root@localhost centos6]# yum -y install mysql mysql-server httpd php php-mysql php-gd
//安装mysql httpd php,如果不安装php-mysql会出现500内部服务器错误。
[root@localhost centos6]# mysqladmin -uroot password 123456//修改mysqladmin密码为123456
[root@localhost centos6]# cp -rf adodb517.zip base-1.4.5.tar.gz /var/www/html//
拷贝adodb和base到/var/www/html目录下
[root@localhost centos6]# cd /var/www/html//切换到/var/www/html目录下
[root@localhost html]# ls//查看目录内容
adodb517.zip base-1.4.5.tar.gz
[root@localhost html]# unzip adodb517.zip |tar -zxvf base-1.4.5.tar.gz //解压adodb和base包
[root@localhost html]# rm -rf adodb517.zip base-1.4.5.tar.gz //删除包
[root@localhost html]# ls//显示当前目录
adodb5 base-1.4.5
[root@localhost html]# mv adodb5 adodb//修改名字为adodb
[root@localhost html]# cp -rf base-1.4.5/* . //拷贝base目录所有内容到当前目录
[root@localhost html]# rm -rf base-1.4.5/ //删除base-1.4.5文件夹。
[root@localhost html]# rpm -ql snort//查看snort rpm包的路径。
/usr/share/doc/snort-2.8.5.1/create_mysql//创建mysql数据库文件create_mysql.
[root@localhost centos6]# mysql -uroot -p123456//进入mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.61 Source distribution
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;//查看当前数据库
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3rows in set (0.00 sec)
mysql> create database snort;//创建snort数据库
mysql> create database snortarchive;//创建归档数据库。
Query OK, 1 row affected (0.00 sec)
mysql> use snort//进入snort数据库
Database changed
mysql> source /usr/share/doc/snort-2.8.5.1/create_mysql//创建数据库成功如下
Query OK, 0 rows affected (0.00 sec)
......
Query OK, 1 row affected (0.00 sec)//导入成功提示
mysql>grant all privileges on snort.* to snort@'localhost' identified by "snort";//给snort授权。
mysql> use snortarchive;//重新导入snortarchive数据库。
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> source /usr/share/doc/snort-2.8.5.1/create_mysql
//导入数据库。
6.
打开ie8浏览器浏览http://ip/setup/index.php 出现config writeable no 错误直接chmod 777
/var/www/html就可以了默认为755只有读执行的权限所以错误。最后修改回来权限即可最好加上-R 参数
Please set the 'error_reporting' variable to at least 'E_ALL & ~E_NOTICE' in your php.ini!
error_reporting = E_ALL填写一些数据库信息如下:创建base管理员账号和密码如下:自动创建数据库如下:软件没有主动在/var/www/html目录下创建base_conf.php配置文件,只要自己创建一个base_conf.php复制以下内容,或者直接修改/var/www/html的权限即可自己创建。 成功安装base如下:
配置文件/etc/snort/snort.conf参考
[root@localhost snort]# cat snort.conf
var HOME_NET any
var EXTERNAL_NET any
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
portvar FTP_PORTS 21
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.
188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicengine /usr/lib/snort/dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
track_udp no
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
preprocessor rpc_decode: 111 32771
preprocessor bo
encrypted_traffic yes \
normalize \
def_max_param_len 100 \
cmd_validity MODE < char ASBCZ > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
bounce yes \
preprocessor smtp: \
inspection_type stateful \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
sense_level { low }
preprocessor ssh: server_ports { 22 } \
max_encrypted_packets 20 \
enable_srvoverflow enable_protomismatch
ports { 53 } \
preprocessor ssl: noinspect_encrypted, trustservers
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/local.rules /* 可以灵活控制加载的入侵检测规则类别
*/include threshold.conf threshold.conf 实际上是定义了例外规则的一张列表,
您可以通过修改这个文件来消除误报或者不关注的网络行为带来的大量告警信息。
只要Snort源源不断地把入侵检测信息送入数据库,
您就可以通过http://server ip来查看了解当前以及长期的网络入侵记录。
启动Snort监测并把信息输出到Mysql数据库里
直接:snort -b -d -c /etc/snort/snort.conf -l /var/log/snort -D 好用出数据
# database:
{
output alert_syslog: LOG_AUTH LOG_ALERT
}
[root@localhost snort]# export PCAP_FRAMES=max//设置环境变量
安装gd后出现问题如下显示不了图形。
error loading the Graphing library:Check your Pear::Image_Graph installation! http://pear.veggerby.dk/. Without this library no graphing operations can be performed.
Make sure PEAR libraries can be found by php at all:
pear config-show | grep "PEAR directory"PEAR directory php_dir /usr/share/pear
[root@localhost snort]# yum -y install php-pear//安装php-pear
[root@localhost snort]# pear config-show|grep "PEAR directory"
Binary file (standard input) matches
PHP
Warning: PHP Startup: Unable to load dynamic library
'/usr/lib/php/modules/msql.so' - /usr/lib/php/modules/msql.so: cannot
open shared object file:
No such file or directory in Unknown on line 0
PHP Warning: Unknown: It is not safe to rely on the system's timezone settings.
You are *required* to use the date.timezone setting or the date_default_timezone_set()
function. In case you used any of those methods and you are still getting this warning,
you most likely misspelled the timezone identifier.
We selected 'Asia/Chongqing' for 'CST/8.0/no DST' instead in Unknown on line 0
1.yum install php-pear
4./etc/init.d/httpd restart//重启apache.
5.vi /etc/rc.local写入snort -c /etc/snort/snort.conf&//放在后台运行。
6.利用chkconfig来设置开启启动mysqld ,httpd,snortd//
7.最后把/var/www/html的权限修改一下chmod 755 -R /var/www/html,
然后把/var/www/html/setup目录删除或者重命名或者移动保存即可。
最后测试base
windows平台利用nmap来扫描主机
C:\Documents and Settings\Administrator>nmap -sS 192.168.40.39 -O -v//扫描主机
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-17 16:56 中国标准时间
Scanning 192.168.40.39 [1 port]
Initiating Parallel DNS resolution of 1 host. at 16:56
Initiating SYN Stealth Scan at 16:56
Discovered open port 80/tcp on 192.168.40.39
Discovered open port 3306/tcp on 192.168.40.39
Initiating OS detection (try #1) against 192.168.40.39
Host is up (0.00s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:C8:62:CC (VMware)
Running: Linux 2.6.X
Uptime guess: 0.003 days (since Tue Jul 17 16:52:28 2012)
TCP Sequence Prediction: Difficulty=195 (Good luck!)
OS detection performed. Please report any incorrect results at http://nmap.org/ Nmap done: 1 IP address (1 host up) scanned in 2.16 seconds
在利用一次nmap扫描工具如下: 全部警告为122了。
Snort
有
三种工作模式:嗅探器、数据包记录器、网络入侵检测系统模式。嗅探器模式仅仅是从网络上读取数据包并作为连续不断的流显示在终端上。数据包记录器模式把数
据包记录到硬盘上。网路入侵检测模式分析网络数据流以匹配用户定义的一些规则,并根据检测结果采取一定的动作。网络入侵检测系统模式是最复杂的,而且是可
配置的。
Snort可以用来监测各种数据包如端口扫描等之外,还提供了以XML形式或数据库形式记录日志的各种插件。
Snort
作为常见的支持分布式的网络入侵检测系统(NIDS),能够进行实时网络流量分析并记录各类攻击行为和相关网络数据包。BASE(Basic
Analysis and Security
Engine)是基于PHP的广泛使用的一种高效Snort分析查询系统。虽然这两者配合安装配置有些复杂,但是因为其比较灵活,扩展性好,只要配置使用
得当,也适合用来构建校园网入侵检测平台。
Snort
支持多种操作系统(Windows/Linux/Solaris等),源代码和安装包可以从http://www.snort.org获取,由于
Snort版本一直都在持续更新,以下介绍以2.8.5
版本为例。综合性能和功能考虑,不建议在Windows下安装Snort。可以选择的Linux发行版本,推荐CentOS、Fedora、
Redhat。虽然Snort都有rpm 包提供,安装比较方便,不过从源代码编译会更加灵活和便于进行优化。
Snort的一些功能:
- 实时通讯分析和信息包记录
- 包装有效载荷检查
- 协议分析和内容查询匹配
- 探测缓冲溢出、秘密端口扫描、CGI攻击、SMB探测、操作系统侵入尝试
- 对系统日志、指定文件、Unix socket或通过Samba的WinPopus 进行实时警
Snort有三种主要模式:信息包嗅探器、信息包记录器或成熟的侵入探测系统。遵循开发/自由软件最重要的惯例,Snort支持各种形式的插件、扩充和定制,包括数据库或是XML记录、小帧探测和统计的异常探测等。
信息包有效载荷探测是Snort最有用的一个特点,这就意味着很多额外种类的敌对行为可以被探测到。
下载地址:
1.在http://www.snort.org/ 注册就可以下载到snortrules-snapshot
2.
在http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/rules/
可以下载到一个第三方的rules
文件rules.tar.gz,这个系列更新也比较频繁,snortrules-snapshot-2.8.tar.gz 是在51cto上下载的。
3.BASE
可以从http://sourceforge.net/projects/secureideas/
获取版本或者用软件SnortCenter是一个基于Web的snort探针和规则管理系统,用于远程修改snort探针的配置,起动、停止探针,编辑、
分发snort特征码规则。http://users.telenet.be/larc/download/
4.Adodb 可以从http://sourceforge.net/projects/adodb/ 下载.ADODB 是Active Data Objects Data Base 的简称,它是一种PHP 存取数据库的中间函式组件
5.[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm //安装snort包出现依赖关系系
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
libpcap >= 0.4 is needed by snort-2.8.5.1-1.fc13.i686
libpcap.so.1 is needed by snort-2.8.5.1-1.fc13.i686
libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686
[root@localhost centos6]# rpm -q libpcap//查询libpcap没装
package libpcap is not installed
[root@localhost centos6]# yum -y install libpcap//安装libpcap包
[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm//在次安装snort出现两个依赖
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686
[root@localhost centos6]# yum -y install libgnutls26//安装libgnutls26包
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: centos.ustc.edu.cn
* extras: centos.ustc.edu.cn
* updates: centos.ustc.edu.cn
Setting up Install Process
No package libgnutls26 available.
Error: Nothing to do
[root@localhost centos6]# yum -y install gnutls//安装gnutls包
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* extras: centos.ustc.edu.cn
* updates: centos.ustc.edu.cn
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package gnutls.i686 0:2.8.5-4.el6_2.2 set to be updated
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3) for package: gnutls-2.8.5-4.el6_2.2.i686
--> Processing Dependency: libtasn1.so.3 for package: gnutls-2.8.5-4.el6_2.2.i686
--> Running transaction check
---> Package libtasn1.i686 0:2.3-3.el6_2.1 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
===============================================================
Package Arch Version Repository Size
=====================================================
Installing:
gnutls i686 2.8.5-4.el6_2.2 base 336 k
Installing for dependencies:
libtasn1 i686 2.3-3.el6_2.1 base 239 k
Transaction Summary
===============================================================
Install 2 Package(s)
Upgrade 0 Package(s)
Total download size: 575 k
Installed size: 1.4 M
Downloading Packages:
(1/2): gnutls-2.8.5-4.el6_2.2.i686.rpm | 336 kB 00:00
(2/2): libtasn1-2.3-3.el6_2.1.i686.rpm | 239 kB 00:00
--------------------------------------------------------------------------------
Total 1.7 MB/s | 575 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : libtasn1-2.3-3.el6_2.1.i686 1/2
Installing : gnutls-2.8.5-4.el6_2.2.i686 2/2
Installed:
gnutls.i686 0:2.8.5-4.el6_2.2
Dependency Installed:
libtasn1.i686 0:2.3-3.el6_2.1
Complete!//完成安装。
[root@localhost centos6]# ls//显示当前目录
libprelude-1.0.0-3.fc13.i686.rpm
adodb517.zip snort-2.8.5.1-1.fc13.i686.rpm
base-1.4.5.tar.gz snortcenter-v1.0-RC1.tar.gz
daq-1.1.1_rc-1.RHEL6.i386.rpm snortrules-snapshot-2.8.tar.gz
libprelude-0.9.24.1-2.fc12.i686.rpm
[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm//安装snort出现依赖
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686
[root@localhost centos6]# rpm -ivh libprelude-1.0.0-3.fc13.i686.rpm //安装依赖包
warning: libprelude-1.0.0-3.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
Preparing... ########################################### [100%]
1:libprelude ########################################### [100%]
[root@localhost centos6]# ls//查看当前目录
adodb4992.tgz libprelude-1.0.0-3.fc13.i686.rpm
adodb517.zip snort-2.8.5.1-1.fc13.i686.rpm
base-1.4.5.tar.gz snortcenter-v1.0-RC1.tar.gz
daq-1.1.1_rc-1.RHEL6.i386.rpm snortrules-snapshot-2.8.tar.gz
[root@localhost centos6]# rpm -ivh daq-1.1.1_rc-1.RHEL6.i386.rpm //安装daq包
[root@localhost centos6]# rpm -ivh snort-mysql-2.8.5.1-1.fc13.i686.rpm /
/安装snort-mysql软件包支持mysql数据库,在设置/etc/snort/snort.conf配置output database
参数的时候启动snort -c /etc/snort/snort.conf时候会出错
database: 'mysql' support is not compiled into this build of snort
ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm,
or Windows), then check for alternate builds that contains the necessary
'mysql' support.
If this build of snort was compiled by you, then re-run the
the ./configure script using the '--with-mysql' switch.
For non-standard installations of a database, the '--with-mysql=DIR'
syntax may need to be used to specify the base directory of the DB install.
See the database documentation for cursory details (doc/README.database).
and the URL to the most recent database plugin documentation.
Fatal Error, Quitting..
[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm //最后成功安装snort
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
Preparing... ########################################### [100%]
1:snort ########################################### [100%]
[root@localhost centos6]# cp -rf snortrules-snapshot-2.8.tar.gz /etc/snort/rules
//拷贝snortrules到/etc/snort/rules目录下
[root@localhost centos6]# cd /etc/snort/rules //切换到snort目录
[root@localhost rules]# tar -zxvf snortrules-snapshot-2.8.tar.gz
//解压tar.gz包。如果启动不了拷贝rules到/etc/rules里去。
[root@localhost snort]# service snortd start//启动snortd服务失败
Starting snort: [FAILED]
[root@localhost ~]# cat /var/log/messages //查看messages错误
14 02:47:53 localhost snort[2351]: Ports:
Jul 14 02:47:53 localhost snort[2351]: #01122
Jul 14 02:47:53 localhost snort[2351]:
Jul 14 02:47:53 localhost snort[2351]:
FATAL ERROR: /etc/snort/snort.conf(616) Unknown preprocessor: "dcerpc2".
//提示的错误找到snort.conf文件注释掉
# DCE/RPC 2 //注释掉下面两个dcerpc2.
#----------------------------------------
# See doc/README.dcerpc2 for explanations of what the
# preprocessor does and how to configure it.
#
#preprocessor dcerpc2
#preprocessor dcerpc2_server: default
[root@localhost ~]# service snortd start//最后启动成功
Starting snort: [ OK ]
[root@localhost ~]# snort -V//查看snort版本提示成功。
,,_ -*> Snort! <*-
o" )~ Version 2.8.5.1 (Build 114)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 1998-2009 Sourcefire, Inc., et al.
Using PCRE version: 7.8 2008-09-05
[root@localhost ~]# service snortd restart//重启成功
Stopping snort: www.2cto.com [ OK ]
Starting snort: [ OK ]
[root@localhost ~]# service snortd status//查看snortd服务状态。
snort (pid 1677) is running...
[root@localhost centos6]# yum -y install mysql mysql-server httpd php php-mysql php-gd
//安装mysql httpd php,如果不安装php-mysql会出现500内部服务器错误。
[root@localhost centos6]# mysqladmin -uroot password 123456//修改mysqladmin密码为123456
[root@localhost centos6]# cp -rf adodb517.zip base-1.4.5.tar.gz /var/www/html//
拷贝adodb和base到/var/www/html目录下
[root@localhost centos6]# cd /var/www/html//切换到/var/www/html目录下
[root@localhost html]# ls//查看目录内容
adodb517.zip base-1.4.5.tar.gz
[root@localhost html]# unzip adodb517.zip |tar -zxvf base-1.4.5.tar.gz //解压adodb和base包
[root@localhost html]# rm -rf adodb517.zip base-1.4.5.tar.gz //删除包
[root@localhost html]# ls//显示当前目录
adodb5 base-1.4.5
[root@localhost html]# mv adodb5 adodb//修改名字为adodb
[root@localhost html]# cp -rf base-1.4.5/* . //拷贝base目录所有内容到当前目录
[root@localhost html]# rm -rf base-1.4.5/ //删除base-1.4.5文件夹。
[root@localhost html]# rpm -ql snort//查看snort rpm包的路径。
/usr/share/doc/snort-2.8.5.1/create_mysql//创建mysql数据库文件create_mysql.
[root@localhost centos6]# mysql -uroot -p123456//进入mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.61 Source distribution
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;//查看当前数据库
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3rows in set (0.00 sec)
mysql> create database snort;//创建snort数据库
mysql> create database snortarchive;//创建归档数据库。
Query OK, 1 row affected (0.00 sec)
mysql> use snort//进入snort数据库
Database changed
mysql> source /usr/share/doc/snort-2.8.5.1/create_mysql//创建数据库成功如下
Query OK, 0 rows affected (0.00 sec)
......
Query OK, 1 row affected (0.00 sec)//导入成功提示
mysql>grant all privileges on snort.* to snort@'localhost' identified by "snort";//给snort授权。
mysql> use snortarchive;//重新导入snortarchive数据库。
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> source /usr/share/doc/snort-2.8.5.1/create_mysql
//导入数据库。
6.
打开ie8浏览器浏览http://ip/setup/index.php 出现config writeable no 错误直接chmod 777
/var/www/html就可以了默认为755只有读执行的权限所以错误。最后修改回来权限即可最好加上-R 参数
Please set the 'error_reporting' variable to at least 'E_ALL & ~E_NOTICE' in your php.ini!
error_reporting = E_ALL填写一些数据库信息如下:创建base管理员账号和密码如下:自动创建数据库如下:软件没有主动在/var/www/html目录下创建base_conf.php配置文件,只要自己创建一个base_conf.php复制以下内容,或者直接修改/var/www/html的权限即可自己创建。 成功安装base如下:
配置文件/etc/snort/snort.conf参考
[root@localhost snort]# cat snort.conf
var HOME_NET any
var EXTERNAL_NET any
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
portvar FTP_PORTS 21
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.
188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicengine /usr/lib/snort/dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
track_udp no
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
preprocessor rpc_decode: 111 32771
preprocessor bo
encrypted_traffic yes \
normalize \
def_max_param_len 100 \
cmd_validity MODE < char ASBCZ > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
bounce yes \
preprocessor smtp: \
inspection_type stateful \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
sense_level { low }
preprocessor ssh: server_ports { 22 } \
max_encrypted_packets 20 \
enable_srvoverflow enable_protomismatch
ports { 53 } \
preprocessor ssl: noinspect_encrypted, trustservers
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/local.rules /* 可以灵活控制加载的入侵检测规则类别
*/include threshold.conf threshold.conf 实际上是定义了例外规则的一张列表,
您可以通过修改这个文件来消除误报或者不关注的网络行为带来的大量告警信息。
只要Snort源源不断地把入侵检测信息送入数据库,
您就可以通过http://server ip来查看了解当前以及长期的网络入侵记录。
启动Snort监测并把信息输出到Mysql数据库里
直接:snort -b -d -c /etc/snort/snort.conf -l /var/log/snort -D 好用出数据
# database:
{
output alert_syslog: LOG_AUTH LOG_ALERT
}
[root@localhost snort]# export PCAP_FRAMES=max//设置环境变量
安装gd后出现问题如下显示不了图形。
error loading the Graphing library:Check your Pear::Image_Graph installation! http://pear.veggerby.dk/. Without this library no graphing operations can be performed.
Make sure PEAR libraries can be found by php at all:
pear config-show | grep "PEAR directory"PEAR directory php_dir /usr/share/pear
[root@localhost snort]# yum -y install php-pear//安装php-pear
[root@localhost snort]# pear config-show|grep "PEAR directory"
Binary file (standard input) matches
PHP
Warning: PHP Startup: Unable to load dynamic library
'/usr/lib/php/modules/msql.so' - /usr/lib/php/modules/msql.so: cannot
open shared object file:
No such file or directory in Unknown on line 0
PHP Warning: Unknown: It is not safe to rely on the system's timezone settings.
You are *required* to use the date.timezone setting or the date_default_timezone_set()
function. In case you used any of those methods and you are still getting this warning,
you most likely misspelled the timezone identifier.
We selected 'Asia/Chongqing' for 'CST/8.0/no DST' instead in Unknown on line 0
1.yum install php-pear
4./etc/init.d/httpd restart//重启apache.
5.vi /etc/rc.local写入snort -c /etc/snort/snort.conf&//放在后台运行。
6.利用chkconfig来设置开启启动mysqld ,httpd,snortd//
7.最后把/var/www/html的权限修改一下chmod 755 -R /var/www/html,
然后把/var/www/html/setup目录删除或者重命名或者移动保存即可。
最后测试base
windows平台利用nmap来扫描主机
C:\Documents and Settings\Administrator>nmap -sS 192.168.40.39 -O -v//扫描主机
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-17 16:56 中国标准时间
Scanning 192.168.40.39 [1 port]
Initiating Parallel DNS resolution of 1 host. at 16:56
Initiating SYN Stealth Scan at 16:56
Discovered open port 80/tcp on 192.168.40.39
Discovered open port 3306/tcp on 192.168.40.39
Initiating OS detection (try #1) against 192.168.40.39
Host is up (0.00s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:C8:62:CC (VMware)
Running: Linux 2.6.X
Uptime guess: 0.003 days (since Tue Jul 17 16:52:28 2012)
TCP Sequence Prediction: Difficulty=195 (Good luck!)
OS detection performed. Please report any incorrect results at http://nmap.org/ Nmap done: 1 IP address (1 host up) scanned in 2.16 seconds
在利用一次nmap扫描工具如下: 全部警告为122了。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- IDS入侵检测系统搭建( linux )
- Snort搭建安全的Linux入侵检测系统服务器
- 搭建一个只在光盘或U盘上跑的小型LINUX系统
- Linux系统下SVN服务器的搭建过程详解 ZT
- 菜鸟学Linux十:Sendmail服务器的搭建之在Linux和Windows系统上邮件收发的应用
- Vmware环境下Linux与ARM开发板的NFS系统搭建
- 搭建linux下网络安装系统平台
- 新兴公司一块主板搭建12节点Linux群集系统
- 安得倚天抽宝剑——搭建自己的Linux实验系统(二)
- linux集群系统的搭建
- LINUX开发总结(系统搭建)
- linux系统下apache+subversion搭建版本控制服务器
- Linux系统下SVN服务器的搭建过程详解
- Linux系统下搭建文件服务器
- Linux系统下搭建域名服务器
- Linux系统下SVN服务器的搭建过程详解
- linux下搭建带有方病毒和反垃圾邮件的sendmail邮件系统
- 嵌入式Linux系统搭建[转]
- 利用Linux系统搭建个人网站
- 安得倚天抽宝剑——搭建自己的Linux实验系统(一)