入侵检测试验报告

1、入侵检测实验报告一实验环境搭建1安装winpcap（有时会提示重启计算机。）使网卡处于混杂模式,按向导提示完成即可能够抓取数据包。2安装snort采用默认安装完成即可安装完成使用下列命令行验证是否成功表）C:SnortbinAsnort.exe-W（也可以看到所有网卡的Interface列LibnetHT网上部居叵取站SnurtXbin<»R>208712012005-10-052003-12-03SnortTejan73,72894.208DescriptIon-*>Snopt*Uersion2.DyMartinh±n的目录SSnort、Jbin>

2、3rort.cxcxDeuiceNPF_Qenei*1cDlalupAdajpter(GenericdialupadaptersDcviceSNPF<ft015172E-8E34-4ft3F-B58D-5DD30E7ADE47)<UHwa«Acceleratedftdaptcr>Explorer千一（323.1日4句角字节-IfllX|<.90蹲VTlXJOf时全提示苻3Tin*snort看到那个狂奔的小猪了吗？看到了，就表示snort安装成功3安装和设置mysql设置数据库实例流程:lySQLServerInstanceConfigurationYizard

3、MySQLServerInstanceConfigurationConfiguretheMySQLServer5.0serverinstance.Fleaseselectaservertype.ThiswillinfluencememorydiskandCPJusage.CDeveloperMachineThisisadevelopmentmachine,andmanyotherapplicationswillberunonit.MySQLServershouldonlyuseaminimalamountofmemory.GServerMachineSeveralserverapplicati

4、onswillberunningonthisrrachine.Choosethisoptionforweb/applicationservers.MySQLwilllavemediummemoryusage.CDedicatedMySQLServerMachineThismachineisdedicatedtoruntheMySQLDatabaseServer.Nootherservers,suchasawebormailserver；willberun.MySQLwill一义，utilizeuptoallavailablememory.<Back|Next>|CancelySQL

5、ServerInstanceConfigurationYizardMySQLServerInstanceConfigurationConfiguretheMySQLServer5.0serverinstance.Fleaseselectthedatabaseusage.f*MultifunctionalDatabaseGeneralpurposedatabases.ThiswilloptimizetheserverfortheuseofthefasttransactionalInnoDBstorageengineandthehighspeedMylSAMstorageengine.Transa

6、ctionalDatabaseOnlyOptimizedforapplicationserversandtransactionalwebapplications.ThiswillmakeInnoDBthemainstorageengine.NotethattheMylSAMenginecanstillbeused.CNon-TransactionalDatabaseOnlyjSuitedforsimplewebapplications,monitoringorloggingapplicationsJ/aswellasanalysisprograms.Onlythenon-transac:ion

7、alMylSAMstorageenginewillbeactivated.<Back|Next>CancelI7SQLServerInstanceConfigurationYizardMySQLServerInstanceConfigurationConfiguretheMySQLServer5.0serverinstance.Fleasesetthenetworkingoptions.7EnableTCP/IPNetworkingEnablethistoallowTCP/IPconnections.Whendisabled,onlylocal能；jconnectionsthrou

8、ghnamedpipesareallowed.PortNumber:3306ZJFleasesettheserverSQLmode.7EnableStrictModeThisoptionforcestheservertobehavemorelikeatraditionaldatabaseserver.Risrecommendedtoenablethisoption.<BackNext>CancelySQLServerInstanceConfigurationYizardMySQLServerInstanceConfigurationConfiguretheMySQLServer5.

9、0serverinstance.Fleaseselectthedefaultcharacterset.CStandardCharacterSetMakesLatin1thedefaultcharset.ThischaractersetissuitedforEnglishandotherWestEuropeanlanguages.6BestSupportForMultilingualismMakeUTF8thedefaultcharacterset.Thisisthere:ommendedcharactersetforstoringtextinmanydifferentlanguages.CMa

10、nualSelectedDefaultCharacterSet/CollationPleasespecifythecharactersettouse.CharacterSet:|utf8f<Back|Next>|CancellySQLServerInstanceConfigurationYizardMySQLServerInstanceConfigurationConfiguretheMySQLServer5.0serverinstance.FleasesettheWindowsoptions.pInstallAsWindowsServiceThisistherecommended

11、waytoruntheMySQLserveronWindows.ServiceName:|MySQL5pLaunchtheMySQLServerajtomatically|7IncludeBinDirectoryinWindowsPATHmu>.Checkthisoptiontoincludethedirectorycontainingtheserver/clientexecutablesintheWindowsPATHvariablesotheycanbecalledfromthecommandline.<BackINext>Cancel建立snort运行必须的snort库

12、和snort_archive库C:ProgramFilesMySQLMySQLServer5.0bin>mysql-uroot-pEnterpassword:（你安装时设定的密码，这里使用mysql这个密码）mysql>createdatabasesnort;mysql>createdatabasesnort_archive;使用C:Snortschemas目录下的create_mysql脚本建立Snort运行必须的数据表c:mysqlbinmysql-Dsnort-uroot-p<snortschemascreate_mysqlc:mysqlbinmysql-Dsno

13、rt_archive-uroot-pp命令进入snort数据库后，使用showsnortschemascreate_mysql附：使用mysql-Dsnort-uroottables命令可以查看已创建的表建立acid和snort用户,在root用户下建立mysql>grantusageon*.*to"acid""localhost"identifiedby"acidtest"mysql>grantusageon*.*to"snort""localhost"identifiedby&q

14、uot;snorttest"为acid用户和snort用户分配相关权限mysql>grantselect,insert,update,delete,create,alteronsnort.*to"snort""localhost"mysql>grantselect,insert,update,delete,create,alteronsnort.*to"acid""localhost"mysql>grantselect,insert,update,delete,create,altero

15、nsnort_archive.*to"acid""localhost"mysql>grantselect,insert,update,delete,create,alteronsnort_archive.*to"snort""localhost"4测试snort启动snortc:snortbin>snort-c"c:snortetcsnort.conf"-l"c:snortlogs"-i2-d5安装虚拟机安装成功如下设置虚拟机内IP为192,168.10.3主机I

16、P为192,168.10.2Ping通表示虚拟机和主机能够正常通信配置病毒以任我行病毒为例打开netsys输入虚拟机IP配置服务端，生成服务端后放置到虚拟机中，运行服务端通过即可客户端控制虚拟机三通过wireshark抓包分析特征tMU&HLMiluit1.明£tIsnur<m1MlijnttftiHiifilpNoTmffScKPnztlertgS-Fr*c1a.OOQQWL31STTM7W72UZEIZl,(M科:，513匚1屯§eq-lAck-1Mln-靠期152Ltn-S270,008aMi1Q7.1AR.IG.J1«3!.I&B.1

17、0.1TB111laijg>vmJk-prap-iPA.£«h?"LMk-，Mwi1113133L20yO.D11S23I&ICH.IK.2710-1W.1&?mw弓92rtaeq*>-THiszmus-S<00>m"FkIpr叩4>(>SKq<K4CLOWa.*431a.i111ULW197IBB.101TCP£eq-%4*kYQrf1rJ63FLen-145Q.DfSITJdmJ瓯151TCP111I邪20>fa!|Wfc：-prip1：F*i.«7K1MQ=

18、1;0Ack7llZ1E>1打L79t>d.14QM2132.1GA.1D.1192.1&B.10.2TCPIMVTWik-priapi>工朝2口F"&1订5cq-U2AeUIS37技22Len-SJ7弧)39W51找J&JOC1找JM.MiJTCPWJ>6M*.rrpi-jpl(<»JA/*“4"1*Ln“LEWao.djsnsicu®.工效,?&10ri(U.19,255INBhS斗士Nineqi.eryNB1ETX11£-49vMq必而巾1弓1-J.*丸El10.1(Mrl9g

19、,2S(MBftS汽向制电qirtryNBJSK116-J?<(M>ido.波睛*1Mg瓠”4MBAS卑q*y醺J£ZUli-49<CP0>LL口.UQ71E+a£Q:c«ifi3tlfiachSdfec>3rDrOe/Ht:s1砒SmcnrdquciryAfCIekdwai-L1LSLdidJinaQuer>Aiia.14sailTflXQ；JG4门为1，。；。；口”1仃；3VIEaENQ目ucr/CHIUO.6357&Xla1D4.1W.510.104.1»,255职er。ft?Nineq*产yNBJGZX

20、UU*必13O.bWhio.iD4.iw.a61制HA玉02aq”T陶片张oo争H弧都弊外16LM1"T口皆NahPqy4y、/1耳/1”-4虹基展itrrm>13106bytn口冲，讨把的席力.1Q&bytg匚3t«!(副gbiti>»Eihtrrr11.sc:v*ire_e-.aJtftafOCi.0c:e*:a?:Ba)Post;co®palirL-29-59,&+(bSnTOsM:J9:59:fi-i!1TiTterrwt：PtM证el”广35£,货0OJLlb

21、fl.ldOON:£192.Id.2)hTrism5TlcintantrfllProracDlBSrcMrr:#p尸叩tJ5$目"StPort:l'W?D(ll?fl?-0)BSY：l.昵上：1nl两：5anC52tftiTeE)Dl»Oi"；iunn-nnQiriD04U巾W0*n%LBwn.il3。力塞z*J<-5T*-rJ30101浦SJn-4H3I-1a111ckdlT>Id1A4-141LSoflT£7At1A1.-FZ4DToJlHTAJCN$9811K4MLJIrxrL5E0-rrbA70f421954OUOc

22、g5tn40oo$0姓g01Weadd配3112f*IH10S7334、金日:0004DODO-CIO00200031“於iinsc"的*ILJi岁66fiq通过分析每一条宿主机与虚拟机的包特征编制规则四将特征写入规则文件二IU.I&rfll.rulr*二字枳3,2,1一1-1;A，三4二4't,I1'耳，LJ11-L.U,3.14-11Ifr11*I比16C11.rulet,vL.Lt如口沙口£，1Qdlill!U4ti4Htp.9LOCALATTLEEiThlefileinientlonalLyMemnot©沏ewith®Untur&am