Author: ggse
For non-commercial reproduction please credit the author and the source, ggse.cublog.cn
For commercial reproduction please contact the author. Thank you!
--------------------------------------------------------------------
This article describes how to install snort 2.6.0 on Red Hat 9.0 and how to use its basic functions.
All packages used here are free and were the latest versions as of 25 July 2006; google each filename to download it.
The article starts from installing the operating system, so even someone who has never used Linux can follow it, reproduce the whole installation, and use snort's various functions correctly.
--------------------------------------------------------------------
Install RedHat 9.0:
Choose Chinese (Simplified) as the default language, with support for English (USA).
Make sure to install the Linux development tools (gcc and the rest of the build environment).
Configure the Linux network settings so that the packages can be downloaded; the firefox browser is recommended.
Install the fcitx input method. // If the default language is not Chinese, the installation will be very hard!!!
// The system actually ships with Chinese input, so installing fcitx is optional
Download fcitx-3.2.1-bin.tar.bz2 // Unless stated otherwise, all packages are downloaded into /root
#tar jxvf fcitx-3.2.1-bin.tar.bz2
#cd fcitx-3.2.1-bin
#./fcitx.install
#cd /usr/bin
#ln -sf fcitx chinput
Then restart X; the fcitx input method starts automatically whenever X Window starts.
snort has three modes of operation: sniff, log (packet logging) and ids (network intrusion detection).
sniff mode: puts the NIC into promiscuous mode and continuously prints every packet the NIC can hear on the network to the terminal.
log mode: records the packets to disk.
ids mode: the most complex one; snort analyses the network traffic and matches it against user-defined rules, and whenever a rule matches it emits the corresponding alert.
Before installing snort-2.6.0, install pcre-6.7.tar.bz2
#tar jxvf pcre-6.7.tar.bz2
#cd pcre-6.7
#./configure
#make
#make install
#tar zxvf snort-2.6.0.tar.gz
#cd snort-2.6.0
#./configure
#make
#make install
snort is now installed as /usr/local/bin/snort; to install under a different path, pass --prefix=/your/path to configure.
#snort
You will see
---------------------------------------------------------------------
,,_ -*> Snort!
Options:
-A Set alert mode: fast, full, console, or none (alert file alerts only)
"unsock" enables UNIX socket logging (experimental).
-b Log packets in tcpdump format (much faster!)
-B Obvuscated IP addresses in alerts and packet dumps using CIDR mask
-c Use Rules File
-C Print out payloads with character data only (no hex)
-d Dump the Application Layer
-D Run Snort in background (daemon) mode
-e Display the second layer header info
-f Turn off fflush() calls after binary log writes
-F Read BPF filters from file
-g Run snort gid as group (or gid) after initialization
-G Log Identifier (to uniquely id events for multiple snorts)
-h Home network =
-i Listen on interface
-I Add Interface name to alert output
-k Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K Logging mode (pcap[default],ascii,none)
-l Log to directory
-L Log to this tcpdump file
-M Log messages to syslog (not alerts)
-m Set umask =
-n Exit after receiving packets
-N Turn off logging (alerts still work)
-o Change the rule testing order to Pass|Alert|Log
-O Obfuscate the logged IP addresses
-p Disable promiscuous mode sniffing
-P Set explicit snaplen of packet (default: 1514)
-q Quiet. Don't show banner and status report
-r Read and process tcpdump file
-R Include 'id' in snort_intf.pid file name
-s Log alert messages to syslog
-S Set rules file variable n equal to value v
-t Chroots process to after initialization
-T Test and report on the current Snort configuration
-u Run snort uid as user (or uid) after initialization
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-w Dump 802.11 management and control frames
-X Dump the raw packet data starting at the link layer
-y Include year in timestamp in the alert and log files
-Z Set the performonitor preprocessor file path and name
-z Set assurance mode, match on established sesions (for TCP)
-? Show this information
are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
--logid Same as -G
--perfmon-file Same as -Z
--pid-path Specify the path for the Snort PID file
--snaplen Same as -P
--help Same as -?
--alert-before-pass Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
--treat-drop-as-alert Converts drop, sdrop, and reject rules into alert rules during startup
--process-all-events Process all queued events (drop, alert,...), default stops after 1st action group
--create-pidfile Create PID file, even when not in Daemon mode
Uh, you need to tell me to do something...
: No such file or directory
--------------------------------------------------------------------
For more detailed command help use #man snort; its output can be seen at http://www.cublog.cn/u/21953/showart.php?id=144460
Here is a brief introduction to a few commonly used commands:
1. sniff mode:
#snort -v // print packet headers to the terminal
You will see the following
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
***
*** interface device lookup found: eth1
***
Initializing Network Interface eth1
Decoding Ethernet on interface eth1
--== Initialization Complete ==--
,,_ -*> Snort! *.*.*.*:137
UDP TTL:64 TOS:0x0 ID:18573 IpLen:20 DgmLen:78
Len: 50
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
.
.
.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
*** Caught Term-Signal
===============================================================================
Snort received 116 packets
Analyzed: 115(99.138%)
Dropped: 0(0.000%)
Outstanding: 1(0.862%)
===============================================================================
Breakdown by protocol:
TCP: 0 (0.000%)
UDP: 56 (48.696%)
ICMP: 0 (0.000%)
ARP: 29 (25.217%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 30 (26.087%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting
Other options:
-d print the packet payload
-e print the link-layer header
These can be combined with -v, e.g. -vd -ve -vde
Other related options:
-C print only the printable characters of the payload (no hex)
-i if listen on network interface if
-n cnt exit after processing cnt packets
-O hide IP addresses in ASCII output mode; IP addresses written to the screen and to log files become "xxx.xxx.xxx.xxx"
-p disable promiscuous-mode sniffing
-P snap set the packet snap length to snap (default 1514)
-q quiet: do not print the banner or the initialisation messages
-V show the version number and exit
-X dump the raw packet starting at the data link layer; this option overrides -d
None of the commands above produce a log file.
2. log mode (packet logging)
To save a log, use -l
e.g. #snort -l /var/log/snort
After running this, the file snort.log.1153619468 appears under /var/log/snort
Other related options:
-b log packets in binary tcpdump format; every packet is written in its raw binary form to a tcpdump-format log file
-L file set the binary log file name to file (if omitted, snort.log.timestamp)
-r tf read and process the tcpdump-format data file tf (i.e. a log file, e.g. #snort -r /var/log/snort/snort.log.1153619468)
-U convert all timestamps to UTC
-y include the year in the alert and log files
-B mask rewrite all home-net IP addresses with mask, hiding the addresses in the binary logs
// the home-net is given with the -h option
-h hn set the home-net to hn, written as a network address prefix plus CIDR block, e.g. 192.168.1.0/24.
3. ids mode (network intrusion detection)
The default build may not meet your needs, so extra functionality can be compiled into the snort binary. The configure script offers options that build this additional functionality into the binary at compile time. A brief overview of these options:
--enable-smbalerts
Enables the SMB alerting code. This feature has security implications, however, and must be used with care.
--enable-flexresp
Compiles and links the Flexible Response code into the snort binary. It lets snort actively tear down malicious connections at the IP layer; requires the LibNet library.
--with-postgresql=DIR
Adds PostgreSQL database support.
--with-libpcap-includes=DIR
Location of the libpcap header files.
--with-libpcap-libraries=DIR
Location of the libpcap static library.
--with-mysql=DIR
Path to the mysql database.
--with-oracle=DIR
Location of the oracle database.
--with-openssl=DIR
Location of openssl.
--with-odbc=DIR
Adds ODBC database support
--with-oracle=DIR
Adds Oracle database support
--with-snmp
Adds SNMP support: through the snortSnmp plugin, snort can send SNMP alerts to a Network Management System; requires the ucd-snmp package.
--enable-idmef
Links the IDMEF XML plugin into the snort binary; requires the libidmef, libxml2 and libntp libraries.
The locations of these libraries are given with the options --with-libxml2-includes=DIR, --with-libxml2-libraries=DIR, --with-libntp-libraries=DIR, --with-libidmef-includes=DIR and --with-libidmef-libraries=DIR.
Next, installing snort with MySQL database support
First create the user and group mysql:mysql
#groupadd mysql
#adduser -g mysql mysql
Install mysql-5.1.11-beta-linux-i686-glibc23.tar.gz
#tar zxvf mysql-5.1.11-beta-linux-i686-glibc23.tar.gz
#cp -r mysql-5.1.11-beta-linux-i686-glibc23 /usr/local
#cd /usr/local
#ln -s mysql-5.1.11-beta-linux-i686-glibc23 mysql
#chown -R root mysql-5.1.11-beta-linux-i686-glibc23
#chown -R mysql mysql-5.1.11-beta-linux-i686-glibc23
#chgrp -R mysql mysql-5.1.11-beta-linux-i686-glibc23
#cd mysql
#scripts/mysql_install_db --user=mysql
#bin/mysqld_safe & // start mysql
Running #ps -e shows
...
3088 pts/0 00:00:00 mysqld_safe
3127 pts/0 00:00:00 mysqld
...
#cp /usr/local/mysql/support-files/my-medium.cnf /etc/my.cnf
Add the following to /etc/ld.so.conf (then run ldconfig so that the new paths take effect):
/usr/local/mysql/lib/mysql
/usr/local/lib
mysql is now installed successfully.
If mysql shuts down immediately after starting, or behaves abnormally in some other way, check the file
/usr/local/mysql/data/localhost.localdomain.err
To make mysql easier to use, so that you do not have to type #cd /usr/local/mysql every time, create a symlink
#cd
#ln -s /usr/local/mysql/bin mysql
Then, to use mysql, you only need
#cd mysql
#./mysql
Set the root password: #./mysqladmin password XXXXXX // XXXXXX is the password
Once the password is set, some of the commands in /usr/local/mysql/bin require the password.
Create the snort database:
#mysql/mysqld_safe &
#mysql/mysql -p
Enter password:
mysql>create database snort;
mysql>show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| cluster |
| mysql |
| snort |
| test |
+--------------------+
5 rows in set (0.10 sec)
mysql> use snort;
Database changed
In a new terminal, import snortdb-extra.gz
# zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p123456 snort
mysql>show tables;
+------------------+
| Tables_in_snort |
+------------------+
| flags |
| protocols |
| services |
+------------------+
3 rows in set (0.00 sec)
At the mysql> prompt, enter the following statements to create the tables
CREATE TABLE `schema` ( vseq INT UNSIGNED NOT NULL,
ctime DATETIME NOT NULL,
PRIMARY KEY (vseq));
INSERT INTO `schema` (vseq, ctime) VALUES ('107', now());
CREATE TABLE event ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
signature INT UNSIGNED NOT NULL,
timestamp DATETIME NOT NULL,
PRIMARY KEY (sid,cid),
INDEX sig (signature),
INDEX time (timestamp));
CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
sig_name VARCHAR(255) NOT NULL,
sig_class_id INT UNSIGNED NOT NULL,
sig_priority INT UNSIGNED,
sig_rev INT UNSIGNED,
sig_sid INT UNSIGNED,
sig_gid INT UNSIGNED,
PRIMARY KEY (sig_id),
INDEX sign_idx (sig_name(20)),
INDEX sig_class_id_idx (sig_class_id));
CREATE TABLE sig_reference (sig_id INT UNSIGNED NOT NULL,
ref_seq INT UNSIGNED NOT NULL,
ref_id INT UNSIGNED NOT NULL,
PRIMARY KEY(sig_id, ref_seq));
CREATE TABLE reference ( ref_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
ref_system_id INT UNSIGNED NOT NULL,
ref_tag TEXT NOT NULL,
PRIMARY KEY (ref_id));
CREATE TABLE reference_system ( ref_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
ref_system_name VARCHAR(20),
PRIMARY KEY (ref_system_id));
CREATE TABLE sig_class ( sig_class_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
sig_class_name VARCHAR(60) NOT NULL,
PRIMARY KEY (sig_class_id),
INDEX (sig_class_id),
INDEX (sig_class_name));
CREATE TABLE sensor ( sid INT UNSIGNED NOT NULL AUTO_INCREMENT,
hostname TEXT,
interface TEXT,
filter TEXT,
detail TINYINT,
encoding TINYINT,
last_cid INT UNSIGNED NOT NULL,
PRIMARY KEY (sid));
CREATE TABLE iphdr ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
ip_src INT UNSIGNED NOT NULL,
ip_dst INT UNSIGNED NOT NULL,
ip_ver TINYINT UNSIGNED,
ip_hlen TINYINT UNSIGNED,
ip_tos TINYINT UNSIGNED,
ip_len SMALLINT UNSIGNED,
ip_id SMALLINT UNSIGNED,
ip_flags TINYINT UNSIGNED,
ip_off SMALLINT UNSIGNED,
ip_ttl TINYINT UNSIGNED,
ip_proto TINYINT UNSIGNED NOT NULL,
ip_csum SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX ip_src (ip_src),
INDEX ip_dst (ip_dst));
CREATE TABLE tcphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
tcp_sport SMALLINT UNSIGNED NOT NULL,
tcp_dport SMALLINT UNSIGNED NOT NULL,
tcp_seq INT UNSIGNED,
tcp_ack INT UNSIGNED,
tcp_off TINYINT UNSIGNED,
tcp_res TINYINT UNSIGNED,
tcp_flags TINYINT UNSIGNED NOT NULL,
tcp_win SMALLINT UNSIGNED,
tcp_csum SMALLINT UNSIGNED,
tcp_urp SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX tcp_sport (tcp_sport),
INDEX tcp_dport (tcp_dport),
INDEX tcp_flags (tcp_flags));
CREATE TABLE udphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
udp_sport SMALLINT UNSIGNED NOT NULL,
udp_dport SMALLINT UNSIGNED NOT NULL,
udp_len SMALLINT UNSIGNED,
udp_csum SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX udp_sport (udp_sport),
INDEX udp_dport (udp_dport));
CREATE TABLE icmphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
icmp_type TINYINT UNSIGNED NOT NULL,
icmp_code TINYINT UNSIGNED NOT NULL,
icmp_csum SMALLINT UNSIGNED,
icmp_id SMALLINT UNSIGNED,
icmp_seq SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX icmp_type (icmp_type));
CREATE TABLE opt ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
optid INT UNSIGNED NOT NULL,
opt_proto TINYINT UNSIGNED NOT NULL,
opt_code TINYINT UNSIGNED NOT NULL,
opt_len SMALLINT,
opt_data TEXT,
PRIMARY KEY (sid,cid,optid));
CREATE TABLE data ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
data_payload TEXT,
PRIMARY KEY (sid,cid));
CREATE TABLE encoding(encoding_type TINYINT UNSIGNED NOT NULL,
encoding_text TEXT NOT NULL,
PRIMARY KEY (encoding_type));
INSERT INTO encoding (encoding_type, encoding_text) VALUES (0, 'hex');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii');
CREATE TABLE detail (detail_type TINYINT UNSIGNED NOT NULL,
detail_text TEXT NOT NULL,
PRIMARY KEY (detail_type));
INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast');
INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full');
mysql>show tables;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| flags |
| icmphdr |
| iphdr |
| opt |
| protocols |
| reference |
| reference_system |
| schema |
| sensor |
| services |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
19 rows in set (0.00 sec)
mysql> \q
Bye
Install snort with mysql support
#cd snort-2.6.0
#./configure --with-mysql=/usr/local/mysql --enable-dynamicplugin
#make
#make install
#mkdir -p /etc/snort
#cd etc
#cp snort.conf /etc/snort
#cp *.config /etc/snort
#cp *.map /etc/snort
#cd
#tar zxvf snortrules-snapshot-CURRENT.tar.gz // note that CURRENT here corresponds to snort version 2.6.0
#cp -r rules /etc/snort
Edit the configuration file /etc/snort/snort.conf
# var HOME_NET 10.1.1.0/24 change to var HOME_NET XXX.XXX.XXX.XXX
var RULE_PATH ../rules change to var RULE_PATH /etc/snort/rules
# output database: log, mysql, user=root password=test dbname=db host=localhost change to
output database: log, mysql, user=root password=XXXXXX dbname=snort host=localhost
#include $RULE_PATH/XXXXXX change to include $RULE_PATH/XXXXXX
Comment out dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so with #
and also comment out any other preprocessor lines that cause errors. I still do not know what causes this problem; it may be a bug in the conf parser. Related discussions:
http://www.snort.org/archive-1-2779.html
http://www.snort.org/archive-1-2743.html
http://www.snort.org/archive-1-2674.html
Save and exit. This completes the snort installation.
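The snort.conf edits listed above, as an added shell example that is not part of the original post: it applies them with sed and then checks that each one is in place. The HOME_NET value, the password and the sample config lines are constructed placeholders, not a real snort.conf.

```shell
#!/bin/sh
# Added example (not from the original post): apply the snort.conf edits
# from the post with sed and verify them. All values are constructed.

# apply_snort_conf_edits CONF HOME_NET DB_PASSWORD
# HOME_NET and DB_PASSWORD must not contain '|' or '&' (used by sed below).
apply_snort_conf_edits() {
    conf=$1; home_net=$2; db_pass=$3
    # The post uses the mysql root account; a dedicated low-privilege
    # database user for the sensor limits what a leaked config exposes.
    sed -e "s|^#* *var HOME_NET .*|var HOME_NET $home_net|" \
        -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e "s|^#* *output database: log, mysql.*|output database: log, mysql, user=root password=$db_pass dbname=snort host=localhost|" \
        -e 's|^# *include \$RULE_PATH/|include $RULE_PATH/|' \
        -e 's|^dynamicengine |# dynamicengine |' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_snort_conf CONF: returns 0 only when every edit is in place
check_snort_conf() {
    conf=$1
    grep -q '^var HOME_NET ' "$conf" || return 1
    grep -q '^var RULE_PATH /etc/snort/rules$' "$conf" || return 1
    grep -q '^output database: log, mysql, .*dbname=snort host=localhost$' "$conf" || return 1
    grep -q '^include \$RULE_PATH/' "$conf" || return 1
    # the dynamicengine line must no longer be active
    if grep -q '^dynamicengine ' "$conf"; then return 1; fi
    return 0
}

# Constructed stand-in for the relevant lines of /etc/snort/snort.conf
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# var HOME_NET 10.1.1.0/24
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
#include $RULE_PATH/local.rules
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
EOF
    apply_snort_conf_edits "$conf" 192.168.1.0/24 XXXXXX
    check_snort_conf "$conf"; rc=$?
    rm -f "$conf"
    return $rc
}

demo && echo "snort.conf edits applied and verified"
```

After editing a real snort.conf, #snort -T -c /etc/snort/snort.conf (the -T option from the help text above) tests the configuration without starting capture.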
#mysql/mysqld_safe &
#snort -c /etc/snort/snort.conf // the machine will respond sluggishly right after start-up
snort now performs basic monitoring for intrusions according to the rules under /etc/snort/rules and writes the related information to the mysql database snort; combined with other options it can do a great deal more.
To review the intrusion alerts captured by snort more conveniently, ACID can be used alongside it. A brief installation guide follows:
Install Apache:
#tar -zxvf httpd-2.2.0.tar.gz
#cd httpd-2.2.0
#mkdir -p /www
#./configure --prefix=/www --enable-modules=so
#make
#make install
Install php:
1. Install jpeg6
#mkdir -p /usr/local/jpeg6
#mkdir -p /usr/local/jpeg6/bin
#mkdir -p /usr/local/jpeg6/lib
#mkdir -p /usr/local/jpeg6/include
#mkdir -p /usr/local/jpeg6/man
#mkdir -p /usr/local/jpeg6/man/man1
#tar -zvxf jpegsrc.v6b.tar.gz
# cd jpeg-6b
# ./configure --prefix=/usr/local/jpeg6/ --enable-shared --enable-static
#make
#make install
2. Install libpng
#tar -zvxf libpng-1.2.8.tar.gz
#cd libpng-1.2.8
#cp scripts/makefile.std makefile
#make
#make install
3. Install freetype
#tar -zvxf freetype-2.1.10.tar.gz
#cd freetype-2.1.10
#mkdir -p /usr/local/freetype
#./configure --prefix=/usr/local/freetype
#make
#make install
4. Install zlib
#tar -zxvf zlib-1.2.3.tar.gz
#cd zlib-1.2.3
#./configure
#make
#make install
5. Install the Curl library
#tar -zxf curl-7.15.0.tar.gz
#cd curl-7.15.0
#mkdir -p /usr/local/curl
#./configure --prefix=/usr/local/curl
#make
#make install
6. Install the GD library
#tar -zvxf gd-2.0.33.tar.gz
#mkdir -p /usr/local/gd2
#cd gd-2.0.33
#./configure --prefix=/usr/local/gd2 --with-jpeg=/usr/local/jpeg6/ --with-png=/usr/local/lib/ --with-zlib=/usr/local/lib/
# make; make install
7. Install libxml2
#tar -zxf libxml2-2.6.26.tar.gz
#cd libxml2-2.6.26
#mkdir -p /usr/local/libxml2
#./configure --prefix=/usr/local/libxml2
#make
#make install
8. Install php5
#tar -zvxf php-5.1.4.tar.gz
#mkdir -p /usr/local/php
#cd php-5.1.4
#./configure --prefix=/usr/local/php --with-apxs2=/www/bin/apxs --with-mysql=/usr/local/mysql/ --with-curl=/usr/local/curl --with-libxml-dir=/usr/local/libxml2 --with-gd=/usr/local/gd2/ --with-jpeg-dir=/usr/local/jpeg6/ --with-zlib-dir=/usr/local/lib/ --with-png=/usr/local/lib/ --with-freetype-dir=/usr/local/freetype/
#make
#make install
#cp php.ini-dist /usr/local/php/lib/php.ini
Edit /www/conf/httpd.conf
Below the lines AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
add the following two lines:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
In the /www/htdocs directory create a file info.php with the content
<?php phpinfo(); ?>
Start apache
#/www/bin/apachectl restart
Browse to http://127.0.0.1/info.php to check that the configuration is correct
Install ACID:
#tar zxvf jpgraph-1.20.4a.tar.gz
#tar zxvf adodb490.tgz
#tar zxvf acid-0.9.6b23.tar.gz
#cp -r adodb /www/htdocs
#cp -r acid /www/htdocs
#cp -r jpgraph-1.20.4 /www/htdocs
Edit /www/htdocs/acid/acid_conf.php as follows:
$DBlib_path = "/www/htdocs/adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "XXXXXX";
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "XXXXXX";
$ChartLib_path = "/www/htdocs/jpgraph-1.20.4/src";
Save and exit
Visit http://yourhost/acid/acid_main.php, click the "Setup Page" link -> Create Acid AG, then return to the main page to start monitoring intrusion alerts.
This article is from the ChinaUnix blog; for the original see: http://blog.chinaunix.net/u/21953/showart_143707.html