CentOS 6.2: Installing the Snort Intrusion Detection System
Snort has three working modes: sniffer, packet logger, and network intrusion detection system (NIDS). In sniffer mode Snort simply reads packets off the network and displays them on the terminal as a continuous stream. In packet logger mode it records packets to disk. In NIDS mode it analyses network traffic against a set of user-defined rules and takes an action according to the result. NIDS mode is the most complex of the three and the most configurable. Besides detecting activity such as port scans, Snort provides plugins for writing its logs in XML form or to a database. As a common NIDS with support for distributed deployment, Snort performs real-time network traffic analysis and records attack behaviour together with the associated packets. BASE (Basic Analysis and Security Engine) is a widely used, PHP-based analysis and query front end for Snort. Installing and configuring the two together is somewhat involved, but because the combination is flexible and extensible, with proper configuration it is also suitable for building a campus-network intrusion detection platform. Snort supports several operating systems (Windows, Linux, Solaris and others); source code and installation packages can be obtained from the project's website. Since Snort is updated continuously, the description below uses version 2.8.5 as its example. Weighing performance and functionality, installing Snort on Windows is not recommended; among Linux distributions, CentOS, Fedora and Red Hat are recommended. Snort is available as rpm packages, which are convenient to install, but building from source is more flexible and easier to optimise. Some of Snort's features:

- Real-time traffic analysis and packet logging

- Packet payload inspection

- Protocol analysis and content search/matching

- Detection of buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts

- Real-time alerting to syslog, a specified file, a Unix socket, or WinPopup messages via Samba

Snort has three main modes: packet sniffer, packet logger, or full-featured intrusion detection system. Following the most important convention of open/free software, Snort supports all kinds of plugins, extensions and customisation, including database or XML logging, small-fragment detection and statistical anomaly detection.

Packet payload inspection is one of Snort's most useful features; it means that many additional kinds of hostile activity can be detected.

Download addresses:

1. Registering at / gives access to the snortrules-snapshot download.

2. From /cgi-bin/viewcvs.cgi/rules/ a third-party rules file, rules.tar.gz, can be downloaded; this series is also updated fairly often. The snortrules-snapshot-2.8.tar.gz used here was downloaded from 51cto.

3. BASE can be obtained from /projects/secureideas/. Alternatively, use SnortCenter, a web-based Snort sensor and rule management system for changing a sensor's configuration remotely, starting and stopping sensors, and editing and distributing Snort signature rules: http://users.telenet.be/larc/download/

4. ADOdb can be downloaded from /projects/adodb/. ADODB is short for Active Data Objects DataBase; it is a middleware library through which PHP accesses databases.

5. Install the snort rpm package; the installation reports unmet dependencies:

[root@localhost centos6]# rpm -ivh snort--1.RHEL6.i386.rpm   // installing the snort package fails on dependencies
warning: snort-mysql--1.RHEL6.i386.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libgnutls.so.26 is needed by snort--1.RHEL6.i386
        libpcap >= 0.4 is needed by snort--1.RHEL6.i386
        libpcap.so.1 is needed by snort--1.RHEL6.i386
        libprelude.so.2 is needed by snort--1.RHEL6.i386

[root@localhost centos6]# rpm -qa | grep libpcap   // check: libpcap is not installed
package libpcap is not installed

[root@localhost centos6]# yum -y install libpcap   // install the libpcap package
[root@localhost centos6]# rpm -ivh snort--1.RHEL6.i386.rpm   // retrying the snort install leaves two dependencies
warning: snort--1.RHEL6.i386: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libgnutls.so.26 is needed by snort--1.RHEL6.i386
        libprelude.so.2 is needed by snort--1.RHEL6.i386

[root@localhost centos6]# yum -y install libgnutls26   // try to install a libgnutls26 package
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base:
 * extras:
 * updates:
Setting up Install Process
No package libgnutls26 available.
Error: Nothing to do

// there is no yum package named libgnutls26

[root@localhost centos6]# yum -y install gnutls   // install the gnutls package instead
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base:
 * extras:
 * updates:
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package gnutls.i686 0:2.8.5-4.el6_2.2 set to be updated
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3) for package: gnutls-2.8.5-4.el6_2.2.i686
--> Processing Dependency: libtasn1.so.3 for package: gnutls-2.8.5-4.el6_2.2.i686
--> Running transaction check
---> Package libtasn1.i686 0:2.3-3.el6_2.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch       Version                  Repository         Size
================================================================================
Installing:
 gnutls           i686       2.8.5-4.el6_2.2          base              336 k
Installing for dependencies:
 libtasn1         i686       2.3-3.el6_2.1            base              239 k

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       0 Package(s)

Total download size: 575 k
Installed size: 1.4 M
Downloading Packages:
(1/2): gnutls-2.8.5-4.el6_2.2.i686.rpm                    | 336 kB     00:00
(2/2): libtasn1-2.3-3.el6_2.1.i686.rpm                    | 239 kB     00:00
Total                                            1.7 MB/s | 575 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing     : libtasn1-2.3-3.el6_2.1.i686                             1/2
  Installing     : gnutls-2.8.5-4.el6_2.2.i686                             2/2

Installed:
  gnutls.i686 0:2.8.5-4.el6_2.2

Dependency Installed:
  libtasn1.i686 0:2.3-3.el6_2.1

Complete!   // installation finished

[root@localhost centos6]# ls   // list the current directory
libprelude-1.0.0-3.fc13.i686.rpm        adodb517.zip
snort--1.RHEL6.i386.rpm                 base-1.4.5.tar.gz
snortcenter-v1.0-RC1.tar.gz             daq-1.1.1_rc-1.RHEL6.i386.rpm
snortrules-snapshot-2923.tar.gz         snort-mysql--1.RHEL6.i386.rpm
libdnet-devel-1.11-1.2.el6.rf.i686.rpm  libprelude--2.fc12.i686.rpm

[root@localhost centos6]# rpm -ivh snort--1.RHEL6.i386.rpm   // snort still has one unmet dependency
warning: snort--1.RHEL6.i386.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libprelude.so.2 is needed by snort--1.RHEL6.i386.rpm

[root@localhost centos6]# rpm -ivh libprelude-1.0.0-3.fc13.i686.rpm   // install the dependency
warning: libprelude-1.0.0-3.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
Preparing...                ########################################### [100%]
   1:libprelude             ########################################### [100%]

[root@localhost centos6]# ls   // list the current directory
libprelude-1.0.0-3.fc13.i686.rpm        adodb517.zip
snort--1.RHEL6.i386.rpm                 base-1.4.5.tar.gz
snortcenter-v1.0-RC1.tar.gz             daq-1.1.1_rc-1.RHEL6.i386.rpm
snortrules-snapshot-2923.tar.gz         snort-mysql--1.RHEL6.i386.rpm
libdnet-devel-1.11-1.2.el6.rf.i686.rpm  libprelude--2.fc12.i686.rpm

[root@localhost centos6]# rpm -ivh daq-1.1.1_rc-1.RHEL6.i386.rpm   // install the daq package
[root@localhost centos6]# rpm -ivh snort-mysql--1.RHEL6.i386.rpm   // install the snort-mysql package for MySQL support. Without it, once the output database parameter is set in /etc/snort/snort.conf, starting snort with "snort -c /etc/snort/snort.conf" fails with the following error:

database: 'mysql' support is not compiled into this build of snort

ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm,
or Windows), then check for alternate builds that contains the necessary
'mysql' support.

If this build of snort was compiled by you, then re-run the
the ./configure script using the '--with-mysql' switch.
For non-standard installations of a database, the '--with-mysql=DIR'
syntax may need to be used to specify the base directory of the DB install.

See the database documentation for cursory details (doc/README.database).
and the URL to the most recent database plugin documentation.

Fatal Error, Quitting..

[root@localhost centos6]# rpm -ivh snort--1.RHEL6.i386.rpm   // snort finally installs
warning: snort--1.RHEL6.i386.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
Preparing...                ########################################### [100%]
   1:snort                  ########################################### [100%]

[root@localhost centos6]# cp -rf snortrules-snapshot-2.8.tar.gz /etc/snort/rules   // copy the snortrules tarball into /etc/snort/rules

[root@localhost centos6]# cd /etc/snort/rules   // change to the rules directory
[root@localhost rules]# tar -zxvf snortrules-snapshot-2.8.tar.gz   // unpack the tar.gz archive. If snort will not start, copy the rules into /etc/rules instead.
[root@localhost snort]# service snortd start   // starting the snortd service fails
Starting snort:                                            [FAILED]

[root@localhost ~]# cat /var/log/messages   // look for the error in messages
Jul 14 02:47:53 localhost snort[2351]: Ports:
Jul 14 02:47:53 localhost snort[2351]: #01122
Jul 14 02:47:53 localhost snort[2351]:
Jul 14 02:47:53 localhost snort[2351]: FATAL ERROR: /etc/snort/snort.conf(616) Unknown preprocessor: "dcerpc2".

The error names the dcerpc2 preprocessor. Open snort.conf, find the DCE/RPC 2 section and comment out the two dcerpc2 lines below:

# DCE/RPC 2
#
# See doc/README.dcerpc2 for explanations of what the
# preprocessor does and how to configure it.
#
#preprocessor dcerpc2
#preprocessor dcerpc2_server: default
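The same fix as a repeatable shell snippet, added here as an example and not taken from the original document: it reads the FATAL ERROR line from a constructed copy of /var/log/messages, extracts the rejected preprocessor name, and comments out the matching lines in a constructed snort.conf fragment (the functions and temporary paths are assumptions of this example).

```shell
#!/bin/sh
# Added example, not part of the original document: take the FATAL ERROR line
# that snort wrote to /var/log/messages, extract the preprocessor it rejected,
# and comment out every "preprocessor <name>..." line in a copy of snort.conf.
# The log line and the conf fragment below are constructed; paths are temporary.

# Print the preprocessor name quoted in the first "Unknown preprocessor" error.
unknown_preprocessor() {  # messages-file
    sed -n 's/.*Unknown preprocessor: "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Comment out lines starting with "preprocessor NAME" (this also catches
# "NAME_server: ..."), keeping their indentation. NAME is spliced into a regex
# unescaped, so it must be a plain identifier like the ones snort reports.
disable_preprocessor() {  # conf-file name
    sed "s/^\([[:space:]]*\)\(preprocessor $2\)/\1#\2/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Number of still-active "preprocessor NAME" lines (0 once the fix is applied).
active_preprocessor_count() {  # conf-file name
    grep -c "^[[:space:]]*preprocessor $2" "$1" || true
}

WORK=$(mktemp -d)
cat > "$WORK/messages" <<'EOF'
Jul 14 02:47:53 localhost snort[2351]: FATAL ERROR: /etc/snort/snort.conf(616) Unknown preprocessor: "dcerpc2".
EOF
cat > "$WORK/snort.conf" <<'EOF'
preprocessor ssh: server_ports { 22 }
preprocessor dcerpc2
preprocessor dcerpc2_server: default
preprocessor dns: ports { 53 }
EOF

NAME=$(unknown_preprocessor "$WORK/messages")      # dcerpc2
disable_preprocessor "$WORK/snort.conf" "$NAME"
grep -n 'dcerpc2' "$WORK/snort.conf"               # both lines now start with '#'
```

On a real sensor, validate the edited file with "snort -T -c /etc/snort/snort.conf" before restarting the service, so a second bad directive is caught without another failed start.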

[root@localhost ~]# service snortd start   // now it starts
Starting snort:                                            [  OK  ]

[root@localhost ~]# snort -V   // print the snort version to confirm the install
   ,,_     -*> Snort! <*-
  o"  )~   Version (Build 114)
   ''''    By Martin Roesch & The Snort Team: /snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

[root@localhost ~]# service snortd restart   // restart succeeds
Stopping snort:                                            [  OK  ]
Starting snort:                                            [  OK  ]

[root@localhost ~]# service snortd status   // check the snortd service status
snort (pid 1677) is running...

[root@localhost centos6]# yum -y install mysql mysql-server httpd php php-mysql php-gd   // install mysql, httpd and php; without php-mysql BASE returns a 500 Internal Server Error
[root@localhost centos6]# mysqladmin -u root password 123456   // set the mysql root password to 123456
[root@localhost centos6]# cp -rf adodb517.zip base-1.4.5.tar.gz /var/www/html   // copy adodb and base into /var/www/html
[root@localhost centos6]# cd /var/www/html   // change to /var/www/html
[root@localhost html]# ls   // list the directory
adodb517.zip  base-1.4.5.tar.gz
[root@localhost html]# unzip adodb517.zip | tar -zxvf base-1.4.5.tar.gz   // unpack the adodb and base archives
[root@localhost html]# rm -rf adodb517.zip base-1.4.5.tar.gz   // remove the archives
[root@localhost html]# ls   // list the directory
adodb5  base-1.4.5
[root@localhost html]# mv adodb5 adodb   // rename to adodb
[root@localhost html]# cp -rf base-1.4.5/* .   // copy the contents of the base directory into the current directory
[root@localhost html]# rm -rf base-1.4.5/   // remove the base-1.4.5 folder
[root@localhost html]# rpm -ql snort   // list the files of the snort rpm; the MySQL schema script is at
/usr/share/doc/snort-/create_mysql   // create_mysql creates the database tables

[root@localhost centos6]# mysql -u root -p123456   // log in to mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.61 Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;   // list the existing databases
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
3 rows in set (0.00 sec)

mysql> create database snort;   // create the snort database
mysql> create database snortarchive;   // create the archive database
Query OK, 1 row affected (0.00 sec)
mysql> use snort   // switch to the snort database
Database changed
mysql> source /usr/share/doc/snort-/create_mysql   // load the schema; on success the output is a series of
Query OK, 0 rows affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)   // import succeeded
mysql> grant all privileges on snort.* to snort@'localhost' identified by "snort";   // grant the snort user access to the snort database
mysql> use snortarchive;   // now load the same schema into snortarchive
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> source /usr/share/doc/snort-/create_mysql   // import the schema

6. Open the browser (IE8) at http://ip/setup/index.php

If a "config writeable: no" error appears, running chmod 777 /var/www/html clears it; the default mode is 755, which gives only read and execute permission, hence the error. Change the permissions back afterwards (preferably with the -R parameter).

If the page shows:

Your PHP Logging Level is too high to handle the running of BASE!
Please set the 'error_reporting' variable to at least 'E_ALL & ~E_NOTICE' in your php.ini!

edit /etc/php.ini and change

error_reporting = E_ALL

to

error_reporting = E_ALL & ~E_NOTICE

Then fill in the adodb path, the database details, and the BASE administrator account and password; BASE creates its tables automatically. (The corresponding screenshots are not reproduced here.)

The setup does not create the base_conf.php configuration file in /var/www/html by itself. Either create base_conf.php yourself and paste in the contents the setup page shows, or change the permissions on /var/www/html so the setup can create it. (Screenshot: the setup reports that it has no permission to create base_conf.php.)

BASE installed successfully. (Screenshot.)

Reference configuration file /etc/snort/snort.conf:

[root@localhost snort]# cat snort.conf
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var FTP_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
portvar FTP_PORTS 21
var AIM_SERVERS [/23,/23,/24,/24,/24,/24,/24,/24,/24,/24,/24,/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicpreprocessor directory /usr/lib/snort/dynamicpreprocessor/
dynamicengine /usr/lib/snort/dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies overlap_limit 10
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
preprocessor smtp: \
    ports { 25 587 691 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
preprocessor ssh: server_ports { 22 } \
    max_client_bytes 19600 \
    max_encrypted_packets 20 \
    enable_respoverflow enable_ssh1crc32 \
    enable_srvoverflow enable_protomismatch
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
preprocessor ssl: noinspect_encrypted, trustservers
output database: log, mysql, user=root password=123456 dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
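The reference file above stores the MySQL root password in the output database line. The following shell snippet, added here as an example and not part of the original document, audits that line in a constructed copy of snort.conf: it flags the root account and a world-readable file that carries the database password (the function names and temporary paths are assumptions of this example).

```shell
#!/bin/sh
# Added example, not part of the original document: audit the "output database:"
# line of a snort.conf before the sensor goes into production. The conf text is
# constructed to mirror the reference file above; the path is a temporary file,
# not the real /etc/snort/snort.conf.

# Print the value of KEY (user, password, dbname or host) from the first
# "output database:" line.
db_param() {  # conf-file key
    sed -n "s/^output database:.*[[:space:],]$2=\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Print one finding per line: the root account is used, or the file that holds
# the database password is readable by other users (stat -c is GNU coreutils).
audit_output_database() {  # conf-file
    conf="$1"
    if [ "$(db_param "$conf" user)" = "root" ]; then
        echo "output database uses user=root; use an account granted rights on the snort schema only"
    fi
    if [ -n "$(db_param "$conf" password)" ]; then
        case "$(stat -c %a "$conf")" in
            *[4-7]) echo "$conf is world-readable but contains the database password" ;;
        esac
    fi
}

WORK=$(mktemp -d)
cat > "$WORK/snort.conf" <<'EOF'
var HOME_NET any
output database: log, mysql, user=root password=123456 dbname=snort host=localhost
include classification.config
EOF
chmod 644 "$WORK/snort.conf"                  # the usual default for a file created by root
audit_output_database "$WORK/snort.conf"      # prints two findings

# The variant the text arrives at further down: a dedicated account, file kept private.
sed 's/user=root password=123456/user=snort password=123456/' "$WORK/snort.conf" \
    > "$WORK/snort.conf.tmp" && mv "$WORK/snort.conf.tmp" "$WORK/snort.conf"
chmod 600 "$WORK/snort.conf"
audit_output_database "$WORK/snort.conf"      # prints nothing
```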

Edit /etc/snort/snort.conf and enable the two entries below. The snort.conf shipped with the snortrules snapshot can be used instead; in that case adjust var RULE_PATH, var PREPROC_RULE_PATH, and output database: log, mysql, user=root password=123456 dbname=snort host=, ...

include $RULE_PATH/local.rules
include threshold.conf   /* gives flexible control over which detection rule categories are loaded */

threshold.conf is in effect a list of exception rules; by editing it you can suppress false positives and the flood of alerts caused by network behaviour you are not interested in. As long as Snort keeps feeding detection records into the database, you can review current and long-term intrusion records at http://server ip.

Starting Snort monitoring with output to the MySQL database. Use the following command to specify the interface to monitor, the configuration file and the parameters:

# PCAP_FRAMES=max snort -i eth0 -c /etc/snort.conf -d -e

snortd is effectively: snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Or directly: snort -b -d -c /etc/snort/snort.conf -l /var/log/snort -D

This works and produces data.

Changes to make (judge case by case; sometimes the paths are already correct and need no change):

output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
# This example will create a rule type that will log to syslog and a mysql   // simply remove the # from the lines below
# database:
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=snort host=localhost
}

[root@localhost snort]# export PCAP_FRAMES=max   // set the environment variable

After installing gd the following problem appears and graphs are not displayed:

error loading the Graphing library: Check your Pear::Image_Graph installation!
Image_Graph can be found here: at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.
Make sure PEAR libraries can be found by php at all:
pear config-show | grep "PEAR directory"
PEAR directory      php_dir      /usr/share/pear
This path must be part of the include path of php (cf. /etc/php.ini):
php -i | grep "include_path"
include_path => .:/usr/share/pear:/usr/share/php => .:/usr/share/pear:/usr/share/php

[root@localhost snort]# yum -y install php-pear   // install php-pear
[root@localhost snort]# pear config-show | grep "PEAR directory"
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/modules/msql.so' - /usr/lib/php/modules/msql.so: cannot open shared object file: No such file or directory in Unknown on line 0
Binary file (standard input) matches

[root@localhost snort]# php -i | grep "include_path"
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/modules/msql.so' - /usr/lib/php/modules/msql.so: cannot open shared object file: No such file or directory in Unknown on line 0
include_path => .:/usr/share/pear:/usr/share/php => .:/usr/share/pear:/usr/share/php
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning
