ChinaUnix forum

Snort 2.3.3 installation notes

Post #1, posted 2005-05-09 20:27
2005-05-07: added the ACID section
2005-03-31: first draft
I consulted a lot of articles and won't list them one by one

1. Preparation
My system already has apache, mysql and php installed. Remember to add --with-gd when compiling php; if you didn't, recompile it.
Install libpng first
# wget http://jaist.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.8.tar.bz2
# tar jxvf libpng-1.2.8.tar.bz2
# cd libpng-1.2.8
# cp scripts/makefile.std makefile
# make
# make test
# make install

# wget http://cn2.php.net/get/php-4.3.11.tar.bz2/from/cn.php.net/mirror
# tar -jxvf php-4.3.11.tar.bz2
# cd php-4.3.11
# ./configure \
--prefix=/usr/local/php \
--with-mysql=/usr/local/mysql \
--with-apxs2=/usr/local/apache/bin/apxs \
--with-zlib-dir=/usr/local --with-gd
# make
# make install


2. Installation
My Red Hat 9.0 didn't have libpcap or pcre, so compiling snort errors out; install libpcap and pcre first
# wget http://www.tcpdump.org/release/libpcap-0.8.3.tar.gz
# tar zxvf libpcap-0.8.3.tar.gz
# cd libpcap-0.8.3
# ./configure
# make
# make install

# wget http://switch.dl.sourceforge.net/sourceforge/pcre/pcre-5.0.tar.bz2
# tar jxvf pcre-5.0.tar.bz2
# cd pcre-5.0
# ./configure
# make
# make check
# make install

Installing snort
ACID uses too many resources; I suggest installing only snort, guardian and snortsnarf, and skipping mysql and acid.
# wget http://www.snort.org/dl/current/snort-2.3.3.tar.gz
# tar zxvf snort-2.3.3.tar.gz
# cd snort-2.3.3
# ./configure --with-mysql=/usr/local/mysql
# make
# make install

Note: if you don't intend to install ACID, drop --with-mysql=/usr/local/mysql when you compile

# mkdir -p /etc/snort/rules
# cp etc/*.conf /etc/snort
# cp etc/*.config /etc/snort
# cp etc/unicode.map /etc/snort
# cp -R rules/* /etc/snort/rules

Create the snort database
# mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
mysql> create database snort;
mysql> grant INSERT,SELECT on snort.* to snort@localhost;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('12345');
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
mysql> exit


Create the tables
Newer snort releases no longer include snortdb-extra.gz, so I had to take it from the older snort 2.2.0; for convenience I put it on my free web space
# wget http://anstan.go.nease.net/snort/snortdb-extra.gz
# mysql -u root -p < schemas/create_mysql snort
Enter password: (the mysql root password)
# zcat snortdb-extra.gz | mysql -p snort
Enter password: (the mysql root password)

Log in to mysql and look at the tables in the snort database:
# mysql -p
Enter password:
mysql> SHOW DATABASES;
(you should see the following)
+----------+
| Database |
+----------+
| mysql    |
| snort    |
| test     |
+----------+
3 rows in set (0.00 sec)
mysql> use snort
mysql> SHOW TABLES;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)

Edit /etc/snort/snort.conf
# vi /etc/snort/snort.conf
var HOME_NET 192.168.1.0/24
var RULE_PATH /etc/snort/rules
# If you don't intend to use ACID, leave the following line commented out
output database: log, mysql, user=snort password=12345 dbname=snort host=localhost
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules

Create the /var/log/snort directory
# mkdir /var/log/snort

Test that it runs normally
# /usr/local/bin/snort -v

Start
# /usr/local/bin/snort -c /etc/snort/snort.conf -D
Note: -D (start as a daemon, i.e. run in the background)
-c (run snort with the settings in the given snort.conf)

Start at boot
# wget -P /etc/rc.d/init.d http://anstan.go.nease.net/snort/snort
# chmod 755 /etc/rc.d/init.d/snort
# chkconfig --level 2345 snort on


3. Plugins

3.1. guardian
# wget http://www.snort.org/dl/contrib/other_tools/guardian/guardian-1.6.tar.gz
# tar zxvf guardian-1.6.tar.gz
# cd guardian-1.6
# echo > /etc/snort/guardian.ignore
# cp guardian.pl /usr/local/bin/
# cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
# cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
# cp guardian.conf /etc/snort

# touch /var/log/snort/guardian.log
# chmod 644 /var/log/snort/guardian.log
# vi /etc/snort/guardian.conf
# guardian's own log file
LogFile /var/log/snort/guardian.log
# where guardian reads snort's alerts from
AlertFile /var/log/snort/alert
# put the IPs you want ignored in this file
IgnoreFile /etc/snort/guardian.ignore
# maximum time an IP stays blocked, in seconds; 99999999 means no limit
TimeLimit 86400

Edit /usr/local/bin/guardian_unblock.sh; this file is wrong (the iptables_unblock.sh in the guardian-1.6.tar.gz package is miswritten):

/sbin/ipchains -D INPUT -s $source -i $interface -j DROP
change to
/sbin/iptables -D INPUT -s $source -i $interface -j DROP

Start
# /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
If you want it to start at boot, add the command above to /etc/rc.d/rc.local, but that doesn't work on my RH9 and I don't know why.

3.2. snortsam (planned)
# wget http://www.snortsam.net/files/snortsam-v2_multi-threaded/snortsam-src-2.31.tar.gz

3.3.SnortSnarf
# wget http://www.snort.org/dl/contrib/data_analysis/snortsnarf/SnortSnarf-050314.1.tar.gz
# tar zxvf SnortSnarf-050314.1.tar.gz
# cd SnortSnarf-050314.1
# mkdir /var/www/snort/snortsnarf
# cp cgi/* /var/www/snort/snortsnarf
# cp -R include /var/www/snort/snortsnarf
# cp snortsnarf.pl /var/www/snort/snortsnarf

If the Time/ParseDate.pm module is missing, install it first
# wget http://search.cpan.org/CPAN/authors/id/M/MU/MUIR/modules/Time-modules-2003.1126.tar.gz
# tar zxvf Time-modules-2003.1126.tar.gz
# cd Time-modules-2003.1126
# perl Makefile.PL
# make
# make test
# make install

Or install it through CPAN
# perl -MCPAN -e shell
cpan> install Time::ParseDate

Analyse the snort log
# cd /var/www/snort/snortsnarf
# perl snortsnarf.pl /var/log/snort/alert -d /var/www/snort/snortsnarf
Using an array as a reference is deprecated at include/SnortSnarf/HTMLMemStorage.pm line 290.
Using an array as a reference is deprecated at include/SnortSnarf/HTMLAnomMemStorage.pm line 266.
The warnings above (perl warnings) don't affect operation, but they are ugly to look at; the author says a future version will fix this. You can edit snortsnarf.pl and remove the -w from its first line, and the warnings go away.
Note: you must cd into the directory the file lives in first, i.e. cd /var/www/snort/snortsnarf. Why? I don't know.

Test
http://192.168.1.100/snort/snortsnarf

If you installed ACID, it can also read the data from the database
# cd /var/www/snort/snortsnarf
# perl snortsnarf.pl snort:12345@snort@localhost -d /var/www/snort/snortsnarf
could not load module "SnortDBInput", looked for it in file called "SnortDBInput.pm"; could be an error in that file; try 'perl -c' on that file
Can't locate object method "new" via package "SnortDBInput" at snortsnarf.pl line 188.
A few modules have to be installed first
(# export LANG=C)
# perl -MCPAN -e shell
cpan> install DBI::DBD
cpan> install DBD::mysql
Installing DBD::mysql through CPAN on Red Hat 9 did not work (make test fails), so I had to download the source and build it myself
# wget http://search.cpan.org/CPAN/authors/id/C/CA/CAPTTOFU/DBD-mysql-2.9007.tar.gz
# tar zxvf DBD-mysql-2.9007.tar.gz
# cd DBD-mysql-2.9007
# perl Makefile.PL
# make
# make install
Run the snortsnarf command above again: success, I was so happy
Note: snort:12345@snort@localhost is ordered as username, password, database name, host name, port number.
If you want the analysis generated at fixed times, add it to /etc/crontab.

Test
http://192.168.1.5/snort/snortsnarf

3.4. Barnyard (planned)


4. Installing and configuring ACID
Put acid-0.9.6b23.tar.gz, adodb330.tgz and jpgraph-1.17.tar.gz in the web root
# wget http://jaist.dl.sourceforge.net/sourceforge/adodb/adodb462.tgz
# wget http://members.chello.se/jpgraph/jpgdownloads/jpgraph-1.17.tar.gz
# wget http://www.andrew.cmu.edu/user/rdanyliw/snort/acid-0.9.6b23.tar.gz
# mkdir /var/www/snort (/var/www is the web root)
# tar zxvf adodb462.tgz -C /var/www/snort
# tar zxvf jpgraph-1.17.tar.gz -C /var/www/snort
# mv /var/www/snort/jpgraph-1.17 /var/www/snort/jpgraph
# rm /var/www/snort/jpgraph/README
# rm /var/www/snort/jpgraph/QPL.txt
# tar zxvf acid-0.9.6b23.tar.gz -C /var/www/snort

# vi /var/www/snort/acid/acid_conf.php
$DBlib_path = "../adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "12345";
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "12345";
$ChartLib_path = "../jpgraph/src";

Test the IDS
Open http://192.168.1.100/snort/acid/acid_main.php, click the "Setup Page" link -> Create Acid AG
http://192.168.1.100/snort/acid shows the ACID interface

Scan the system with nmap, nessus, CIS or X-scan to generate some records
http://192.168.1.100/snort/acid to view the records

# mkdir /var/passwords
# /usr/local/apache/bin/htpasswd -c /var/passwords/snort snort
# vi /usr/local/apache/conf/httpd.conf (add the following lines)
<Directory "/var/www/snort">
AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/passwords/snort
Require user snort
</Directory>

5. snort startup script
# vi /etc/rc.d/init.d/snort
=================================================================
#!/bin/bash
# $Id$
# /etc/rc.d/init.d/snort : start or stop the SNORT Intrusion Database System
#
# Written by Lukasz Szmit <ptashek@scg.gliwice.pl>
# modified by anstan <heracai@126.com>
#
# Comments to support chkconfig on RedHat Linux
# chkconfig: 2345 99 20
# description: snort is very good

# set config file & path to snort executable
SNORT_PATH=/usr/local/bin
CONFIG=/etc/snort/snort.conf

# set interface
IFACE=eth0

# set GID/Group Name
#SNORT_GID=nogroup

# other options
OPTIONS="-D"

# End of configuration


test -x $SNORT_PATH/snort || exit 0

case "$1" in
  start)
    echo "Starting Intrusion Database System: SNORT"
    #$SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID $OPTIONS
    $SNORT_PATH/snort -c $CONFIG -i $IFACE $OPTIONS
    if [ "`pidof $SNORT_PATH/snort`" ]; then
      echo "SNORT is up and running!"
    else
      exit 0
    fi
    echo -n "."
    ;;

  stop)
    echo "Stopping Intrusion Database System: SNORT"
    if [ "`pidof $SNORT_PATH/snort`" ] ; then

      kill -TERM `pidof $SNORT_PATH/snort`

      # Wait until the timeout
      count=120
      numdots=0
      while [ $count != 0 ]; do
        let count=$count-1
        if [ "`pidof $SNORT_PATH/snort`" ] ; then
          echo -n .
          let numdots=$numdots+1
          sleep 1
        else
          count=0
        fi
      done

      # If it's not dead yet, kill it.

      if [ "`pidof $SNORT_PATH/snort`" ] ; then
        echo " TIMEOUT!"
        kill -KILL `pidof $SNORT_PATH/snort`
      else
        case $numdots in
          0) echo "." ;;
          1) echo ;;
          *) echo " done." ;;
        esac
      fi
    else
      echo "SNORT is not running!"
    fi
    ;;

  restart)
    $0 stop
    $0 start
    ;;

  *)
    echo 'Usage: /etc/init.d/snort {start|stop|restart}'
    exit 1
    ;;
esac
exit 0
=================================================================
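Added example (mine, not part of the original post and not guardian's own scripts): a stricter stand-in for guardian_block.sh and guardian_unblock.sh from section 3.1. Guardian hands those scripts an address it parsed out of /var/log/snort/alert, which is data the attacker influenced, and the shipped scripts interpolate it straight into an iptables command line. The version below accepts only a plain dotted-quad, refuses anything listed in guardian.ignore, and uses iptables in both directions (the ipchains line in the shipped unblock script is the bug noted above). The script name guardian_block_safe.sh, the DRY_RUN, IGNORE_FILE and IPTABLES environment variables, and the block rule shape (-I INPUT ... -j DROP, mirroring the unblock line shown on the page) are my assumptions.

```shell
#!/bin/sh
# guardian_block_safe.sh: stricter stand-in for guardian_block.sh and guardian_unblock.sh.
# Usage: guardian_block_safe.sh {block|unblock} <ip> [interface]
# Guardian passes in an address it parsed out of /var/log/snort/alert, i.e. data an attacker
# influenced, so nothing reaches iptables until it has been checked.

IGNORE_FILE=${IGNORE_FILE:-/etc/snort/guardian.ignore}   # same file as IgnoreFile in guardian.conf
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}   # assumed knob: DRY_RUN=1 prints the iptables command instead of running it

# valid_ipv4 ADDR: succeed only for a strict a.b.c.d with every octet in 0..255
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|'') return 1 ;;   # rejects spaces, ';', '$(', hostnames: only digits and dots pass
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # split on dots into the positional parameters
  [ $# -eq 4 ] || return 1                        # exactly four octets, no empty ones ("1..2.3")
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# is_ignored ADDR: succeed if ADDR is listed, one address per line, in the ignore file
is_ignored() {
  [ -r "$IGNORE_FILE" ] && grep -qxF -- "$1" "$IGNORE_FILE"
}

# firewall_rule ACTION ADDR IFACE: ACTION is -I (block) or -D (unblock); mirrors the shipped scripts
firewall_rule() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$IPTABLES $1 INPUT -s $2 -i $3 -j DROP"
  else
    "$IPTABLES" "$1" INPUT -s "$2" -i "$3" -j DROP
  fi
}

# guardian_action MODE ADDR [IFACE]: entry point; 0 on success, 2 when the address is refused
guardian_action() {
  mode=$1; addr=$2; iface=${3:-eth0}
  if ! valid_ipv4 "$addr"; then
    echo "refusing malformed address: $addr" >&2; return 2
  fi
  if is_ignored "$addr"; then
    echo "address is in $IGNORE_FILE, leaving it alone: $addr" >&2; return 2
  fi
  case "$mode" in
    block)   firewall_rule -I "$addr" "$iface" ;;
    unblock) firewall_rule -D "$addr" "$iface" ;;
    *)       echo "usage: $0 {block|unblock} <ip> [interface]" >&2; return 1 ;;
  esac
}

case "$0" in
  *guardian_block_safe.sh) guardian_action "$@" ;;   # act only when run directly, not when sourced
esac
```

Point guardian at it through two one-line wrappers (one calling it with block, the other with unblock), and exercise it with DRY_RUN=1 first so you can see the exact iptables command it would run for a given alert.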

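Added check script (mine, not part of the post): two points in the setup above deserve a look before the sensor goes live. The output database: line in snort.conf carries the MySQL password in clear, so that file must not be readable by other local users; and the GRANT that names snort with no host part (the last grant in section 2) is read by MySQL as snort@'%', an account that accepts the same password from any host that can reach the server, which is more than a sensor and console on localhost need. The functions below flag both. They only inspect files they are given, so the grants file (a dump of the GRANT statements you ran) and the script name check_snort_deploy.sh are assumptions; the demo feeds them the page's own values.

```shell
#!/bin/sh
# check_snort_deploy.sh: two post-install checks for the setup above. Every check returns 0 when
# fine and 1 when it found something, printing the finding on stderr.

# group_or_world_readable FILE: succeed if the group or "other" read bit is set (reads ls -l,
# which is portable where stat's flags are not)
group_or_world_readable() {
  case "$(ls -ld "$1")" in
    ????r*|???????r*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_conf_secret FILE: a snort.conf whose "output database:" line carries password= must be 0600
check_conf_secret() {
  if ! grep -Eq '^[[:space:]]*output[[:space:]]+database:.*password=' "$1"; then
    return 0   # no database password in this file, nothing to protect
  fi
  if group_or_world_readable "$1"; then
    echo "$1 contains the database password and is group/world readable; run: chmod 600 $1" >&2
    return 1
  fi
  return 0
}

# check_grants FILE: flag GRANT statements that apply from any host, either "to user;" with no
# host part (MySQL reads that as user@'%') or an explicit @'%'
check_grants() {
  found=$(grep -Ein "^[[:space:]]*grant .* to [a-z0-9_]+[[:space:]]*;|@'%'" "$1" || true)
  if [ -n "$found" ]; then
    printf 'grants valid from any host in %s:\n%s\n' "$1" "$found" >&2
    return 1
  fi
  return 0
}

# demo: write the page's own values into a scratch directory and run both checks on them
demo() {
  dir=$(mktemp -d)
  printf 'output database: log, mysql, user=snort password=12345 dbname=snort host=localhost\n' > "$dir/snort.conf"
  chmod 644 "$dir/snort.conf"
  printf '%s\n' \
    "grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;" \
    "grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;" > "$dir/grants.sql"
  check_conf_secret "$dir/snort.conf"; echo "snort.conf check (mode 644): $?"
  chmod 600 "$dir/snort.conf"
  check_conf_secret "$dir/snort.conf"; echo "snort.conf check (mode 600): $?"
  check_grants "$dir/grants.sql";      echo "grants check: $?"
  rm -rf "$dir"
}

case "$0" in
  *check_snort_deploy.sh) demo ;;   # run the demo only when executed directly, not when sourced
esac
```

On the real box, run check_conf_secret against /etc/snort/snort.conf and /etc/snort/guardian.conf, and check_grants against whatever file you keep the GRANT statements in; the fix for a flagged grant is to drop the host-less account and keep only snort@localhost.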
Reply #2, posted 2005-05-09 22:18

I applaud this kind of spirit. Very good!

Reply #3, posted 2005-05-10 08:40

So happy, it actually got featured. Thanks platinum!

Reply #4, posted 2005-05-10 08:41

It would be best to list which articles you consulted so others have something to check; otherwise the write-up is too one-sided, and nobody can tell whether it is correct, whether it was copied, or how much.

Reply #5, posted 2005-11-11 11:50
anstan, hello!
Why does the snortdb-extra I found have only 3 tables? Please help me.

http://bbs.chinaunix.net/viewthr ... &extra=page%3D1

Reply #6, posted 2006-09-07 03:11

Reply #7, posted 2006-09-07 10:52
What is snort actually for?

Reply #8, posted 2006-09-11 11:22
I have roamed network BBSes for years and thought no post could ever move me again;
I never expected to see such an exquisite post today. OP,
you made me truly understand the saying "there are always people beyond people, and skies beyond the sky". Thank you!

Reply #9, posted 2006-12-15 15:40
You don't have to "cd into the directory the file lives in first" to run snortsnarf.pl; a small script takes care of it.
#!/bin/sh
cd /var/www/snort/snortsnarf
perl snortsnarf.pl /var/log/snort/alert -d /var/www/snort/snortsnarf
exit 0
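Added example (mine, not SnortSnarf's code and not from any post in this thread): the SnortSnarf step in section 3.3 and the wrapper in reply #9 both boil down to summarising /var/log/snort/alert. The shell and awk functions below do the core of that summary on the multi-line format snort writes to that file by default (the file guardian's AlertFile points at): count alerts per signature id and source address, then list the sources that reached a threshold, which is the decision guardian makes before it calls the block script. The sample records are constructed, not captured traffic, and the threshold of 3 used in the demo is an assumption.

```shell
#!/bin/sh
# alert_summary.sh: summarise snort's full-format /var/log/snort/alert the way SnortSnarf does,
# and pick out sources that crossed an alert threshold (guardian's trigger).

# sample_alerts: constructed records in snort's default alert file format (not real traffic)
sample_alerts() {
  cat <<'EOF'
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/07-20:27:01.123456 10.0.0.5 -> 192.168.1.100
ICMP TTL:48 TOS:0x0 ID:27711 IpLen:20 DgmLen:28
Type:8  Code:0  ID:62112   Seq:0  ECHO

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/07-20:27:02.223456 10.0.0.5 -> 192.168.1.101
ICMP TTL:48 TOS:0x0 ID:27712 IpLen:20 DgmLen:28
Type:8  Code:0  ID:62113   Seq:0  ECHO

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/07-20:28:10.000001 10.0.0.9:2345 -> 192.168.1.100:80
TCP TTL:110 TOS:0x0 ID:5 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1  Ack: 0x2  Win: 0x4000  TcpLen: 20

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/07-20:29:01.000000 10.0.0.5 -> 192.168.1.102
ICMP TTL:48 TOS:0x0 ID:27713 IpLen:20 DgmLen:28
Type:8  Code:0  ID:62114   Seq:0  ECHO
EOF
}

TAB=$(printf '\t')

# summarize_alerts: stdin = alert file; stdout = "count<TAB>sid<TAB>source<TAB>message",
# one line per (sid, source) pair, busiest first.
summarize_alerts() {
  awk '
    # record header: [**] [gid:sid:rev] message [**]
    /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] / {
      id = $2; gsub(/\[|\]/, "", id); split(id, f, ":"); sid = f[2]
      msg = $0; sub(/^\[\*\*\] \[[0-9:]+\] /, "", msg); sub(/ \[\*\*\]$/, "", msg)
      next
    }
    # timestamp line: MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]; the port is dropped
    /^[0-9][0-9]\/[0-9][0-9]-[0-9:.]+ [0-9.:]+ -> / {
      src = $2; sub(/:[0-9]+$/, "", src)
      key = sid "\t" src
      count[key]++; msgof[key] = msg
      next
    }
    END { for (k in count) printf "%d\t%s\t%s\n", count[k], k, msgof[k] }
  ' | sort -t "$TAB" -k1,1nr -k2,2n -k3,3
}

# noisy_sources MIN: stdin = summarize_alerts output; prints sources with at least MIN alerts in total
noisy_sources() {
  awk -F "$TAB" -v min="$1" '{ total[$3] += $1 } END { for (s in total) if (total[s] >= min) print s }' | sort
}

# Run the demo only when executed directly, so the functions can be sourced from another script.
case "$0" in
  *alert_summary.sh)
    echo "== alerts per signature and source =="
    sample_alerts | summarize_alerts
    echo "== sources with 3 or more alerts (assumed threshold) =="
    sample_alerts | summarize_alerts | noisy_sources 3
    ;;
esac
```

On a live sensor replace sample_alerts with `cat /var/log/snort/alert`; the summary is the table SnortSnarf renders as HTML, and the noisy_sources list is what you would compare against guardian.ignore before letting guardian block anything.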