- 论坛徽章:
- 0
|
入侵检测就是一个监视计算机系统或者网络上发生的事件,然后对其进行安全分析的过程。大多数的入侵检测系统都可以被归入到基于网络、基于主机以及分布式三类。基于网络的入侵检测系统能够监视网络数据发现入侵或者攻击的蛛丝马迹;基于主机的入侵检测系统能够监视针对主机的活动(用户的命令、登录/退出过程,使用的数据等等),以此来判断入侵企图;分布式IDS通过分布于各个节点的传感器或者代理对整个网络和主机环境进行监视,中心监视平台收集来自各个节点的信息监视这个网络流动的数据和入侵企图。
各种入侵检测系统使用的检测方法可以分为两类:基于特征码的检测方法和异常检测。使用基于特征码检测方法的系统从网络获得数据,然后从中发现以知的攻击特征。例如:在某些URL中包含一些奇怪的Unicode编码字符就是针对IIS Unicode缺陷的攻击特征。此外各种模式匹配技术的应用,提高了这种检测方法的精确性。使用异常检测的系统能够把获得的数据与一个基准进行比较,检测这些数据是否异常。
snort是一个基于libpcap的轻量级网络入侵检测系统。它运行在一个“传感器(sensor)”主机上,监听网络数据。这台机器可能是一台简陋的运行FreeBSD系统的Pentium100 PC,并且至少有一个网卡。不过建议使用最好的机器作为进行入侵检测的主机。snort能够把网络数据和规则集进行模式匹配,从而检测可能的入侵企图;或者使用SPADE插件,使用统计学方法对网络数据进行异常检测。
snort使用一种易于扩展的模块化体系结构,感兴趣的开发人员可以加入自己编写的模块来扩展snort的功能。这些模块包括:HTTP解码插件、TCP数据流重组插件、端口扫描检测插件、FLEXRESP插件以及各种日志输入插件等。
snort还是一个自由、简洁、快速、易于扩展的入侵检测系统,已经被移植到了各种UNIX平台和WinY2K上。同时,它也是目前安全领域中,最活跃的开放源码工程之一。snort还是昂贵的商业入侵检测系统最好的替代产品之一。
上面的文字来自internet对入侵检测和snort的定义;下文是在RHEL5上构建基于snort的入侵检测系统的详细步骤:
该实验的参考文档有以下几篇,其中主要参考的是在Chinaunix上一篇名为《Redhat as4 下Snort+base+mysql+php+apache with gd and Image_Graph 安装与配置》的文章除此之外其他的文章有:
http://linux.chinaunix.net/bbs/v ... ht=snort&page=1
http://www.snort.org/docs/setup_guides/Snort_Base_Minimal.pdf
http://bbs.chinaunix.net/viewthr ... &highlight=zqli
其实我本人对snort并没有非常深入的了解,只是在看过相关文档之后希望能够亲自操作一次。但是
网上提供给我参考的文档我大概看过。我认为主要问题有两个:
第一,所使用的操作系统版本比较旧(很多系统在使用的系统版本基于Red Hat 9.0),在当前生产环境上部署的话很容易出现各种兼容性问题。
第二,在操作的过程中使用了大量的opoensource软件包而替换了很多系统自带的软件,在生产环境中这样的操作也会带来支持以及管理方面的困难。
第三,《Redhat as4 下Snort+base+mysql+php+apache with gd and Image_Graph 安装与配置》存在一些错误,我相信如果新手百分百按照该文档操作还是会出现一些问题。
因此我这一次的操作主要是使用当前比较新的RHEL5.1系统平台安装snort,并且在安装过程中尽量保留系统自带软件,同时指出源文在操作中的一些小错误。
在实验过程中出现的问题和snort的具体使用方法,希望高手能够给予提示和指导
实验环境:
主机名称:localhost.localdomain IP:192.168.1.150 Kernel:2.6.18-53.el5xen
在该主机上部署RHEL5.1+Snort+Apache+MySql+Php+Gd with Gd & Image_Graph,在部署之前我系统安装的包组有:
%packages
@mysql @development-libs @editors @system-tools @gnome-software-development @text-internet
@x-software-development @virtualization @legacy-network-server @dns-server @gnome-desktop
@dialup @core @base @ftp-server @network-server @games @java @smb-server @base-x
@chinese-support @graphics @web-server @printing @mail-server @server-cfg @sound-and-video
@sql-server @admin-tools @news-server @development-tools @graphical-internet
现在检查和安装相关软件包,确保mysql和php的下列软件包已经安装:
[root@localhost Server]# rpm -qa | grep mysql
libdbi-dbd-mysql-0.8.1a-1.2.2
php-mysql-5.1.6-15.el5
mysql-server-5.0.22-2.1.0.1
mysql-connector-odbc-3.51.12-2.2
mysql-test-5.0.22-2.1.0.1
mysql-5.0.22-2.1.0.1
mysql-bench-5.0.22-2.1.0.1
mysql-devel-5.0.22-2.1.0.1
[root@localhost Server]# rpm -qa | grep php
php-cli-5.1.6-15.el5
php-ldap-5.1.6-15.el5
php-pdo-5.1.6-15.el5
php-pear-1.4.9-4
php-common-5.1.6-15.el5
php-mysql-5.1.6-15.el5
php-devel-5.1.6-15.el5
php-5.1.6-15.el5
php-gd-5.1.6-15.el5
其实通过上述的操作,一个基本的Apache+Php+Mysql结构已经完成。可以进行一个简单的测试:
[root@localhost ~]# echo "AddType application/x-httpd-php .php" >> /etc/httpd/conf/httpd.conf
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# service httpd start
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# service mysqld start
[root@localhost ~]# echo "" >> /var/www/html/test.php
此时可以运行一个浏览器去访问http://192.168.1.150/test.php页面。如果配置成功,页面能够正常显示
我所需要的opensource软件包包括:
[root@localhost Server]# mount -o username=jerrywjl //192.168.1.254/sd /mnt
Password:
[root@localhost Server]# cd /mnt/soft/Linux/
[root@localhost Linux]# cp snort-2.8.0.1.tar.gz /usr/local/ --snort源码包
[root@localhost Linux]# cp snortrules-pr-2.4.tar.gz /usr/local/ --snort规则
[root@localhost Linux]# cp snort /etc/init.d/ --下载获得的snort脚本
该脚本的内容:
[root@localhost local]# cat /etc/init.d/snort
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops the snort intrusion detection system
#
# config: /etc/snort/snort.conf
# processname: snort
# Source function library
. /etc/rc.d/init.d/functions
BASE=snort
DAEMON="-D"
INTERFACE="-i eth0"
CONF="/etc/snort/snort.conf"
# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
RETVAL=0
# See how we were called.
case "$1" in
start)
if [ -n "`/sbin/pidof $BASE`" ]; then
echo -n $"$BASE: already running"
echo ""
exit $RETVAL
fi
echo -n "Starting snort service: "
/usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
sleep 1
action "" /sbin/pidof $BASE
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
;;
stop)
echo -n "Shutting down snort service: "
killproc $BASE
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
;;
restart|reload)
$0 stop
$0 start
RETVAL=$?
;;
status)
status $BASE
RETVAL=$?
;;
*)
echo "Usage: snort {start|stop|restart|reload|status}"
exit 1
esac
exit $RETVAL
并定义该脚本可执行以及自启动:
[root@localhost ~]# chmod 755 /etc/init.d/snort
[root@localhost ~]# chkconfig snort on
然后继续:
[root@localhost Linux]# cp Image_Canvas-0.3.1.tgz /usr/local/
[root@localhost Linux]# cp Image_Color-1.0.2.tgz /usr/local/
[root@localhost Linux]# cp Image_Graph-0.7.0.tar /usr/local/
[root@localhost Linux]# cp adodb480.tgz /usr/local/
[root@localhost Linux]# cp adodb480.tgz /var/www/
[root@localhost Linux]# cp base-1.2.6.tar.gz /var/www/html/
[root@localhost Linux]# cp base-1.2.6.tar.gz /usr/local/
[root@localhost Linux]# cp jpegsrc.v6b.tar.gz /usr/local/
首先编译jpegsrv.v6b.tar.gz:
[root@localhost local]# tar -zxf jpegsrc.v6b.tar.gz
[root@localhost local]# cd jpeg-6b/
[root@localhost jpeg-6b]# mkdir -p /usr/local/jpeg/{bin,lib,include,man,man/man1}
[root@localhost jpeg-6b]# ./configure --prefix=/usr/local/jpeg --enable-shared --enable-static
[root@localhost jpeg-6b]# make
[root@localhost jpeg-6b]# make install
之后编译安装snort:
[root@localhost ~]# cd /usr/local/
[root@localhost local]# tar -zxf snort-2.8.0.1.tar.gz
[root@localhost local]# cd snort-2.8.0.1
[root@localhost snort-2.8.0.1]# ./configure --with-mysql --enable-dynamicplugin
[root@localhost snort-2.8.0.1]# make
[root@localhost snort-2.8.0.1]# make install
[root@localhost snort-2.8.0.1]# mkdir -p /etc/snort/rules /var/log/snort 建立snort规则目录和日志目录
[root@localhost snort-2.8.0.1]# groupadd snort --建立snort用户和组
[root@localhost snort-2.8.0.1]# useradd -g snort snort -s /sbin/nologin
执行./configure编译环境检查很可能会出错,因为需要安装下面的软件包:
libpcap-devel-0.9.4-11.el5.i386.rpm
pcre-devel-6.6-1.1.i386.rpm
最后将所有已经编译生成的配置文件拷贝到/etc/snort目录下:
[root@localhost snort-2.8.0.1]# cp etc/* /etc/snort/
以及将所有的规则解压,并拷贝到已经指定的规则目录:
[root@localhost local]# tar -zxf snortrules-pr-2.4.tar.gz
[root@localhost local]# cp rules/* /etc/snort/rules/
现在可以修改snort配置文件:
[root@localhost ~]# cp /etc/snort/snort.conf snort.conf.bak
[root@localhost ~]# vi /etc/snort/snort.conf
所修改的内容包括:
a.将原来的var EXTERNAL_NET any修改为var EXTERNAL_NET 192.168.1.0/24
b.指定规则文件位置,将原来的var RULE_PATH ../rules修改为var RULE_PATH /etc/snort/rules
c.修改output database为:
output database: log, mysql, user=root password=123456 dbname=snort host=localhost
(我待会会在mysql中定义这些内容)
d.定义stream:
我在实验过程中于这个地方栽了跟头,按照网上的文章《Redhat as4 下Snort+base+mysql+php+apache with gd and Image_Graph 安装与配置》所描述的,如果:
After the line that says
“preprocessor stream4_reassemble”
add a line that looks like
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
并且不对其他内容修改,snort服务是起不来的,因为在后面有说明,stream4和stream5是不能共存的。(当时就是忽略了这点):
# Stream5 is a target-based stream engine for Snort. Its functionality
# replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
# cannot be used simultaneously. Comment out the stream4 configurations
# above to use Stream5.
所以这里干脆什么都不改,直接使用stream5就是了。
完成之后为snort在mysql中建立数据库:
[root@localhost ~]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.22
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
以下是定义数据库snort的基本参数和针对管理用户授权:
mysql> SET PASSWORD FOR root@localhost=PASSWORD('123456');
Query OK, 0 rows affected (0.07 sec)
mysql> create database snort;
Query OK, 1 row affected (0.05 sec)
mysql> grant INSERT,SELECT on root.* to snort@localhost;
Query OK, 0 rows affected (0.05 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('123456'); --源文在这里有错
Query OK, 0 rows affected (0.00 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
将预先定义好的默认的snort所需要的表批量导入mysql的snort数据库中:
[root@localhost ~]# mysql -u root -p use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
16 rows in set (0.00 sec)
mysql>
最后安装配置base和Image
[root@localhost local]# pear install Image_Color-1.0.2.tgz
install ok: channel://pear.php.net/Image_Color-1.0.2
[root@localhost local]# pear install Image_Canvas-0.3.1.tgz
install ok: channel://pear.php.net/Image_Canvas-0.3.1
[root@localhost local]# pear install Image_Graph-0.7.0.tar
pear/Image_Graph can optionally use package "pear/Numbers_Roman"
pear/Image_Graph can optionally use package "pear/Numbers_Words"
install ok: channel://pear.php.net/Image_Graph-0.7.0
[root@localhost ~]# cd /var/www/
[root@localhost www]# tar -zxf adodb480.tgz
[root@localhost www]# rm -fr adodb480.tgz
[root@localhost www]# cd /var/www/html/
[root@localhost html]# tar -zxf base-1.2.6.tar.gz
[root@localhost html]# mv base-1.2.6 base
[root@localhost html]# rm -fr base-1.2.6.tar.gz
[root@localhost html]# cd base/
建立和修改配置文件:
[root@localhost ~]# cd /var/www/html/base/
[root@localhost base]# cp base_conf.php.dist base_conf.php
[root@localhost base]# vi base_conf.php
所需要修改的内容包括:
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/ ";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "123456";
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB
这个修改当然是要和在snort数据库中设定的内容对应。
最后启动snort:
通常第一次启动会失败:
[root@localhost ~]# service snort start
Starting snort service:
[FAILED]
[root@localhost ~]# tail -f /var/log/messages
Mar 5 21:34:06 localhost snort[647]: Alert if memcap exceeded DISABLED
Mar 5 21:34:06 localhost snort[647]:
Mar 5 21:34:06 localhost snort[647]: DNS config:
Mar 5 21:34:06 localhost snort[647]: DNS Client rdata txt Overflow Alert: ACTIVE
Mar 5 21:34:06 localhost snort[647]: Obsolete DNS RR Types Alert: INACTIVE
Mar 5 21:34:06 localhost snort[647]: Experimental DNS RR Types Alert: INACTIVE
Mar 5 21:34:06 localhost snort[647]: Ports:
Mar 5 21:34:06 localhost snort[647]: 53
Mar 5 21:34:06 localhost snort[647]:
Mar 5 21:34:07 localhost snort[647]: FATAL ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent".
因此按照提示修改/etc/snort/rules/web-misc.rules文件,将出错的行注释:
[root@localhost ~]# vi /etc/snort/rules/web-misc.rules
注释的内容为:
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)
再启动一次:
[root@localhost ~]# service snort start
Starting snort service:
[FAILED]
[root@localhost ~]# tail -f /var/log/messages
Mar 5 21:42:37 localhost snort[707]: Alert if memcap exceeded DISABLED
Mar 5 21:42:37 localhost snort[707]:
Mar 5 21:42:37 localhost snort[707]: DNS config:
Mar 5 21:42:37 localhost snort[707]: DNS Client rdata txt Overflow Alert: ACTIVE
Mar 5 21:42:37 localhost snort[707]: Obsolete DNS RR Types Alert: INACTIVE
Mar 5 21:42:37 localhost snort[707]: Experimental DNS RR Types Alert: INACTIVE
Mar 5 21:42:37 localhost snort[707]: Ports:
Mar 5 21:42:37 localhost snort[707]: 53
Mar 5 21:42:37 localhost snort[707]:
Mar 5 21:42:38 localhost snort[707]: FATAL ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi
因此按照提示修改/etc/snort/rules/web-misc.rules文件,接着注释出错的内容:
[root@localhost ~]# vi /etc/snort/rules/web-misc.rules
注释的内容为:
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt"; flow:to_server,established; content:"/ComGetLogFile.php3"; distance:0; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3544; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2;)
第三次启动:
[root@localhost ~]# service snort start
Starting snort service: 735
[ OK ]
[root@localhost ~]# tail -f /var/log/messages
Mar 5 21:46:29 localhost snort[735]: | Pattern Chars : 97521
Mar 5 21:46:29 localhost snort[735]: | Num States : 52738
Mar 5 21:46:29 localhost snort[735]: | Num Match States : 7558
Mar 5 21:46:29 localhost snort[735]: | Memory : 1.40Mbytes
Mar 5 21:46:29 localhost snort[735]: | Patterns : 0.31M
Mar 5 21:46:29 localhost snort[735]: | Match Lists : 0.30M
Mar 5 21:46:29 localhost snort[735]: | Transitions : 0.77M
Mar 5 21:46:29 localhost snort[735]: +-------------------------------------------------
Mar 5 21:46:29 localhost snort[735]: Snort initialization completed successfully (pid=735)
Mar 5 21:46:29 localhost snort[735]: Not Using PCAP_FRAMES
方法有点笨,但是毕竟启动起来了。
现在可以通过浏览器进行访问测试:
http://192.168.1.150/base
访问之后页面将自动跳转到:http://192.168.1.150/base/base_main.php
然后出现首页:
Basic Analysis and Security Engine (BASE)
The underlying database snort@localhost appears to be incomplete/invalid.
The database version is valid, but the BASE DB structure (table: acid_ag)is not present. Use the Setup page to configure and optimize the DB.
点击setup page进行安装即可。
在安装之后,当点击administration之后,会出现一个出错提示页面:
Database ERROR:Database ERROR:Table 'snort.base_users' doesn't exist
这个问题主要因为不同的base版本差异的影响,为了解决该问题。我重新建立base配置文件:
首先将/var/www/html/base/base_conf.php移动到其他位置,之后提示访问http://192.168.1.150/base/setup按照提示重新建立配置文件,内容包括定义数据库名称、管理员、密码等。
完成之后会提示base_conf.php文件出错,但是同时又会给出一个完整base_conf.php文件内容,并提示将该内容拷贝到/var/www/html/base/base_conf.php中。
这时再次访问http://192.168.1.150所有页面都能够正确显示
提供给大家参考的是我的base_conf.php脚本内容:
[root@localhost base]# vi base_conf.php
** Built upon work by Roman Danyliw ,
**
** Purpose: Vanilla Config file
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson 'http://isc.sans.org/port_details.php?port=',
'portsdb' => 'http://www.portsdb.org/bin/portsdb.cgi?portnumber=',
'tantalo' => 'http://ports.tantalo.net/?q=',
'sstats' => 'http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=');
/* Signature references */
$external_sig_link = array('bugtraq' => array('http://www.securityfocus.com/bid/', ''),
'snort' => array('http://www.snort.org/pub-bin/sigs.cgi?sid=', ''),
'cve' => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),
'arachnids' => array('http://www.whitehats.com/info/ids', ''),
'mcafee' => array('http://vil.nai.com/vil/content/v_', '.htm'),
'icat' => array('http://icat.nist.gov/icat.cfm?cvename=CAN-', ''),
'nessus' => array('http://www.nessus.org/plugins/index.php?view=single&id=', ''),
'url' => array('http://', ''),
'local' => array('signatures/', '.txt'));
/* Email Alert action
*
* - action_email_from : email address to use in the FROM field of the mail message
* - action_email_subject : subject to use for the mail message
* - action_email_msg : additional text to include in the body of the mail message
* - action_email_mode : specifies how the alert information should be enclosed
* 0 : alerts should be in the body of the message
* 1 : alerts should be enclosed in an attachment
*/
$action_email_from = 'BASE Alert ';
$action_email_subject = 'BASE Incident Report';
$action_email_msg = '';
$action_email_mode = 0;
/* Custom (user) PHP session handlers
*
* - use_user_session : sets whether user PHP session can be used (configured
* with the session.save_handler variable in php.ini)
* 0 : no
* 1 : yes (assuming that 'user_session_path' and 'user_session_function'
* are configured correctly)
* - user_session_path : file to include that implements the custom PHP session
* handler
* - user_session_function : function to invoke in the custom session
* implementation that will register the session handler
* functions
*/
$use_user_session = 0;
$user_session_path = '';
$user_session_function = '';
/*
The below line should not be changed!
*/
$BASE_path = dirname(__FILE__);
// _BASE_INC is a variable set to prevent direct access to certain include files....
define( '_BASE_INC', 1 );
// Include for languages
include("$BASE_path/languages/$BASE_Language.lang.php");
?>
"base_conf.php" [New] 364L, 13299C written
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/12909/showart_1274108.html |
|
免费注册
发表于 2008-10-06 19:27