Installing snort on CentOS 4

Posted 2007-08-07 11:25
Attachment: Snort_Install.pdf (402KB)
Installation environment: CentOS 4
Just follow this article (downloaded from the official website) exactly; I won't add anything to it.
Below is another article; the two articles each have their strengths.
Reposted from http://www.lankalinux.com/?q=node/88
Intrusion detection system with Snort
This document was reviewed by M.B.G.Suranga De Silva on 18-07-2007.
This document describes the procedure for setting up an intrusion detection system with snort. The system is built on the Fedora Core 5 operating system. The public IP of the machine is 192.168.0.4/24 and the private IP is 10.0.0.4/8.
Before installing snort the following packages have to be installed. The “yum” command can be used to install them.
# su
# yum install mysql
# yum install mysql-bench
# yum install mysql-server
# yum install mysql-devel
# yum install mysqlclient10
# yum install php-mysql
# yum install httpd
# yum install gcc
# yum install pcre-devel
# yum install php-gd
# yum install gd
# yum install mod_ssl
# yum install glib2-devel
# yum install gcc-c++
After the installation the httpd and mysqld daemons have to be started.
# service httpd start
# service mysqld start
To test whether PHP is working properly with Apache, the following web page can be downloaded and placed in the /var/www/html directory.
# cd /var/www/html
# wget http://www.internetsecurityguru.com/index.php.txt
# mv index.php.txt index.php
Then try to access that page from a web browser using the URL http://192.168.0.4. If there are no errors, a page with radio buttons, submit buttons and text should appear.
Then snort can be installed. Note that the installation has to be done as the “root” user.
As the first step create a separate directory for the installation.
# cd /root
# mkdir snortinstall
# cd snortinstall
# wget http://www.snort.org/dl/current/snort-2.6.1.5.tar.gz
# tar -xzf snort-2.6.1.5.tar.gz
# cd snort-2.6.1.5
# ./configure --with-mysql --enable-dynamicplugin
# make
# make install
After that a group and a user named “snort” have to be added.
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
After that the “snort” directories have to be created in the /etc and /var/log directories.
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort
Then move to the “etc” directory inside the snort-2.6.1.5 directory.
# cd etc/
Then copy the content of the “etc” directory to the /etc/snort directory.
# cp * /etc/snort
Then download the rules that have to be applied to snort.
Move to the snortinstall directory.
# cd /root/snortinstall
# wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr...
# tar -xzf snortrules-pr-2.4.tar.gz
Then copy the rules to the /etc/snort/rules directory.
# cd rules
# cp * /etc/snort/rules
Then the snort.conf file, located in the “/etc/snort” directory, has to be edited. The following changes have to be made.
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET !$HOME_NET
The line “var RULE_PATH ../rules” has to be changed to
var RULE_PATH /etc/snort/rules
After the line “preprocessor stream4_reassemble” add the following line.
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
Also add the following database output line so that alerts are logged to MySQL (the password must match the one given to the MySQL “snort” user below).
output database: log, mysql, user=snort password=test dbname=snort host=localhost
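The snort.conf changes above can be applied mechanically and checked afterwards. The following Python script is an added example, not part of the original article or of the Snort project: it rewrites the HOME_NET, EXTERNAL_NET and RULE_PATH variables, inserts the stream4_reassemble line after the existing one, appends the MySQL output line, and is safe to run a second time. The SAMPLE_CONF fragment is constructed for the example and the function names are my own.

```python
import re

# Constructed fragment standing in for a stock snort.conf (not the real file);
# it contains just the lines the article says to change.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
# output database: log, mysql, user=snort password=test dbname=snort host=localhost
include $RULE_PATH/local.rules
"""

# The line the article adds after "preprocessor stream4_reassemble".
REASSEMBLE_LINE = ("preprocessor stream4_reassemble: both,ports "
                   "21 23 25 53 80 110 111 139 143 445 513 1433")


def configure_snort_conf(text, home_net="10.0.0.0/8", rule_path="/etc/snort/rules",
                         db_user="snort", db_password="test",
                         db_name="snort", db_host="localhost"):
    """Return snort.conf text with the article's edits applied (idempotent)."""
    lines = text.splitlines()
    out = []
    for i, line in enumerate(lines):
        stripped = line.strip()
        # var lines: replace the value, leave every other line untouched
        if re.match(r"^var HOME_NET\s", stripped):
            line = f"var HOME_NET {home_net}"
        elif re.match(r"^var EXTERNAL_NET\s", stripped):
            line = "var EXTERNAL_NET !$HOME_NET"
        elif re.match(r"^var RULE_PATH\s", stripped):
            line = f"var RULE_PATH {rule_path}"
        out.append(line)
        # insert the reassembly line right after the bare stream4_reassemble line,
        # unless a previous run already put it there
        if stripped == "preprocessor stream4_reassemble":
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            if not nxt.startswith("preprocessor stream4_reassemble:"):
                out.append(REASSEMBLE_LINE)
    db_line = (f"output database: log, mysql, user={db_user} password={db_password} "
               f"dbname={db_name} host={db_host}")
    # only an active (uncommented) output line counts as already configured
    if not any(l.strip().startswith("output database:") for l in out):
        out.append(db_line)
    return "\n".join(out) + "\n"


def check_snort_conf(text):
    """Report which of the article's required settings are active in the text."""
    active = [l.strip() for l in text.splitlines() if not l.strip().startswith("#")]
    return {
        "home_net": any(l.startswith("var HOME_NET ") and not l.endswith(" any") for l in active),
        "rule_path": "var RULE_PATH /etc/snort/rules" in active,
        "reassemble": any(l.startswith("preprocessor stream4_reassemble:") for l in active),
        "db_output": any(l.startswith("output database:") for l in active),
    }


if __name__ == "__main__":
    new_conf = configure_snort_conf(SAMPLE_CONF)
    print(new_conf)
    print(check_snort_conf(new_conf))
```

Once the output line is in place the file holds the MySQL password in clear text, so restrict read access on /etc/snort/snort.conf to root and the snort user rather than leaving it world-readable.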
Then snort has to be added to the init.d directory so that it can be started when the system boots.
# cd /etc/init.d
# wget http://internetsecurityguru.com/snortinit/snort
In the snort init script, change the interface to the network you want to sniff.
# chmod 755 snort
# chkconfig snort on
Then a MySQL database has to be created to be used by snort.
# mysql -u root
mysql> create database snort;
mysql> grant insert, select on root.* to snort@localhost;
mysql> set password for snort@localhost=password('test');
Note that the password has to be the same password which is mentioned in the snort.conf  file.
mysql> grant create,insert,select,delete,update on snort.* to snort@localhost;
mysql> grant create,insert,select,delete,update on snort.* to snort;
mysql> exit
The following command has to be used to create the tables in the snort database.
# mysql -u root
After executing that command the tables should appear in the snort database. Some of the tables are “data, detail, encoding, event” etc.
Then BASE and ADODB have to be downloaded and installed.
# cd /root/snortinstall
# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
# wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb480.tgz
# wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.2.6.ta...
The following commands have to be executed in order to install ADODB.
# cd /var/www
# tar -xvzf /root/snortinstall/adodb480.tgz
To install and configure BASE the following commands have to be executed.
# cd /var/www/html
# tar -xzf /root/snortinstall/base-1.2.6.tar.gz
Then rename the base directory.
# mv base-1.2.6 base
After that base has to be configured.
# cp base_conf.php.dist base_conf.php
Then edit the file and add the following parameters.
# vim base_conf.php
$BASE_urlpath = "/base";
$DBlib_path = '/var/www/adodb';
$DBtype = 'mysql';
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'test';
$archive_exists   = 0;
The alert_password has to contain the same value which is mentioned in the snort.conf file.
Then in the browser access BASE using the URL https://192.168.0.4/base
Then execute the command
# chkconfig snort on
Then start snort.
# /etc/init.d/snort start
If the start process gives errors such as “ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent"”, just comment out the lines in the web-misc.rules file which are producing the errors.
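Commenting out failing rule lines by hand becomes error-prone when several files fail. Below is an added Python helper, not part of the original article or of Snort, that parses the ERROR lines Snort prints in the form shown above (file name in parentheses, then the line number), and comments out exactly those rule lines. The startup output and the rule file are constructed samples, and the function names are my own.

```python
import re

# Snort 2.x reports a rule it cannot load as: ERROR: (<file>)<line> => <message>
ERROR_RE = re.compile(r"ERROR: \((?P<file>[^)]+)\)(?P<line>\d+) => (?P<msg>.*)")

# Constructed startup output, reusing the message quoted in the article.
SAMPLE_ERRORS = """\
Initializing rule chains...
ERROR: (/etc/snort/rules/web-misc.rules)2 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent"
ERROR: (/etc/snort/rules/web-misc.rules)3 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent"
Fatal Error, Quitting..
"""

# Constructed four-line stand-in for web-misc.rules (sids in the local range).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample 1"; uricontent:"/sample1"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample 2"; uricontent:"/sample2"; rawbytes; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample 3"; content:"/sample3"; rawbytes; http_uri; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample 4"; uricontent:"/sample4"; sid:1000004; rev:1;)
"""


def parse_rule_errors(output):
    """Map rule file -> {line_number: message} from Snort's ERROR lines."""
    errors = {}
    for m in ERROR_RE.finditer(output):
        errors.setdefault(m["file"], {})[int(m["line"])] = m["msg"]
    return errors


def comment_out_lines(rules_text, bad_lines):
    """Comment out the given 1-based line numbers; already-commented lines are left alone."""
    lines = rules_text.split("\n")
    for n in bad_lines:
        idx = n - 1
        if 0 <= idx < len(lines) and not lines[idx].lstrip().startswith("#"):
            lines[idx] = "# disabled, failed to load: " + lines[idx]
    return "\n".join(lines)


def disable_failed_rules(snort_output, files):
    """files maps path -> contents; returns a new mapping with the failing lines disabled."""
    fixed = dict(files)
    for path, bad in parse_rule_errors(snort_output).items():
        if path in fixed:
            fixed[path] = comment_out_lines(fixed[path], sorted(bad))
    return fixed


if __name__ == "__main__":
    result = disable_failed_rules(SAMPLE_ERRORS,
                                  {"/etc/snort/rules/web-misc.rules": SAMPLE_RULES})
    print(result["/etc/snort/rules/web-misc.rules"])
```

In practice the file contents would be read from and written back to /etc/snort/rules. Each disabled line is one detection you no longer have, so keep the list of commented sids: errors of this kind mean the rule set does not match the Snort version in use, and the rules can be re-enabled once a matching set is installed.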
Then access BASE using the web browser at http://192.168.0.4/base
The user name will be “base” and the password will be “test”. There the “setup page” link has to be accessed, and on the resulting page the “main page” link.
Then a password can be set for the base directory. The password will be kept in a separate directory called “passwords”.
# mkdir /var/www/passwords
After that create passwords.
# /usr/bin/htpasswd -c /var/www/passwords/passwords base
This command will require a password for the user.
When accessing the base directory the user name will be “base” and the password will be the newly generated password.
After that the httpd.conf file which resides in the “/etc/httpd/conf/” directory has to be edited.
Below the section
Options FollowSymLinks
AllowOverride None
add the following section.
AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/www/passwords/passwords
Require user base
After adding this part the user will be required to enter a user
name and a password when accessing the URL “https://192.168.0.4/base”.
The user name will be “base” and the password will be the new password
generated with the htpasswd command.
After editing the configuration file httpd has to be restarted.
# service httpd restart
Then the ntop packages are installed. ntop-3.2-2.fc5.rf.i386.rpm is used in this system. It can be downloaded from the http://dries.ulyssis.org/rpm/packages/ntop/info.html site.
# rpm -ivh ntop-3.2-2.fc5.rf.i386.rpm
After the installation ntop has to be configured. The configuration file “ntop.conf” resides in the “/etc” directory. There the interface used for sniffing has to be specified. The text names eth1, which has the IP address 192.168.0.4, as the public interface, while the sample line below reads eth0; use whichever interface name actually carries 192.168.0.4 on your machine.
--interface eth0
After that the “https-server” and the “daemon” lines have to be uncommented.
--https-server 3001
--daemon
After making the changes to the ntop configuration file a password has to be given.
# /usr/bin/ntop @/etc/ntop.conf -A
This will ask the user to enter a password.
After specifying the password start the ntop service.
# service ntop start
The ntop system can be checked by accessing the following URL.
https://192.168.0.4:3001
To test the system, “nessus” can be used. It is installed on the 192.168.0.211 machine, which has Fedora Core 5 as the operating system. Nessus can be downloaded from the “http://www.nessus.org/download/” site. Nessus-3.0.6-fc5.i386.rpm is used in this system. Install the nessus software using the following command.
# rpm -ivh Nessus-3.0.6-fc5.i386.rpm
After installing, nessus can be invoked from the command line.
# nessus -q -T xml 127.0.0.1 root ceylonlinux /root/targetfile /root/results.xml
When nessus probes the system, the intrusion will be displayed on the BASE web page.

This article comes from the ChinaUnix blog; to view the original, see: http://blog.chinaunix.net/u/19540/showart_355256.html