I. Runtime environment
1. Platform:
Fedora 10 (IP Address: 192.168.221.133)
2. Required software:
Alerting + database:
snort-2.8.3.2.tar.gz
snortrules-snapshot-2.6.tar.gz
mysql-5.0.77-linux-i686-icc-glibc23.tar.gz
create_mysql (script)
Client-side display:
apache_2.2.11.tar.gz
mod_ssl-2.8.16-1.3.29.tar.gz
php-5.2.0.tar.gz
acid-0.9.6b23.tar.gz
adodb507.tgz
jpgraph-2.3.4.tar.gz
Auxiliary management tools:
webmin-1.220-1.noarch.rpm
Net_SSLeay.pm-1.30.tar.gz
snort-1.0.wbm (Snort's webmin plugin)
3. Software download locations
snort-2.8.3.2.tar.gz (http://www.snort.org)
snortrules-snapshot-2.6.tar.gz(http://www.snort.org)
mysql-5.0.77-linux-i686-icc-glibc23.tar.gz (http://www.mysql.com)
create_mysql script (http://cvs.sourceforge.net/viewcvs.py/snort/snort/contrib/)
apache2.2.11.tar.gz(http://www.apache.org)
php-5.2.0.tar.gz(http://www.php.net)
acid-0.9.6b23.tar.gz(http://acidlab.sourceforge.net)
adodb507.tgz(http://adodb.sourceforge.net/)
jpgraph-2.3.4.tar.gz (http://www.aditus.nu/jpgraph/index.php)
webmin-1.220-1.noarch.rpm(http://www.webmin.com/)
Net_SSLeay.pm-1.30.tar.gz(http://symlabs.com/Net_SSLeay/)
snort-1.0.wbm (http://www.snort.org/dl/contrib/front_ends/webmin_plugin/)
II. Installation
1. Preparation
Log in to Fedora 10 as root over ssh and copy the files listed above to /home/wd/snort相关.
2. Install MySQL
# groupadd mysql
# useradd -g mysql -d /usr/local/mysql/data -M mysql
# tar -zxvf mysql-5.0.27.tar.gz
# cd mysql-5.0.27
# ./configure --prefix=/usr/local/mysql \
> --sysconfdir=/etc \
> --localstatedir=/usr/local/mysql/data \
> --enable-assembler \
> --with-mysqld-ldflags=-all-static \
> --with-charset=gb2312 \
> --with-extra-charsets=all
Option meanings: --prefix sets the install directory; --sysconfdir the path of the configuration file; --localstatedir the path where the databases are stored; --enable-assembler uses assembly versions of some string functions; --with-mysqld-ldflags=-all-static builds the server fully static; --with-charset=gb2312 adds gb2312 character set support; --with-extra-charsets=all adds support for all character sets.
# cd /usr/local/mysql
# chown -R root .
# chown -R mysql data
# chgrp -R mysql .
# scripts/mysql_install_db --user=mysql
# /usr/local/mysql/support-files/mysql.server start
3. Create the snort database
# /usr/local/mysql/bin/mysql
mysql> set password for 'root'@'localhost'=password('123456');
mysql> create database snort;
# /usr/local/mysql/bin/mysql -u root -p
mysql> connect snort;
mysql> source /usr/local/snort/schemas/create_mysql;   (path of the create_mysql script)
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> connect mysql;
mysql> set password for 'snort'@'localhost'=password('123456');
mysql> set password for 'snort'@'%'=password('123456');
mysql> flush privileges;
(Don't forget to end each statement with a semicolon.)
mysql> show tables;   (should list the following)
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)
mysql> exit
4. Install and start Snort
# cd /home/wd/snort相关
# tar -vxzf snort-2.8.3.2.tar.gz
# mv snort-2.8.3.2 /usr/local/snort
# cd /usr/local/snort
# ./configure --with-mysql=/usr/local/mysql
# make
# make install
# mkdir /var/snort
# mkdir /var/log/snort      (holds the Snort logs)
# mkdir /etc/snort          (holds the rules)
# cd /home/wd/snort相关
# tar -vxzf snortrules-pr-2.6.tar.gz
# mv rules /etc/snort
# mv doc /etc/snort
Edit /etc/snort/rules/snort.conf:
(1) Comment out the line "var RULE_PATH ../rules".
(2) Add: output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
(3) Change the include section:
include $RULE_PATH/bad-traffic.rules -> include bad-traffic.rules
(and so on...)
Start Snort (example):
# snort -d -D -c /etc/snort/rules/snort.conf
Note: while building Snort you may hit "libpcap/libpcre header not found"; download and install libpcap, libpcre and libnet. For other errors, searching the message on Google or Baidu usually turns up the answer.
5. Install Apache
# cd /home/wd/snort相关
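As an added example (not from the original post), the three snort.conf edits of step 4 applied by a script and then verified. The conf excerpt is a constructed sample and the password is a placeholder:

```python
import re

# Constructed excerpt of a stock snort.conf (sample input, not the page's real file).
SAMPLE_CONF = """\
var HOME_NET any
var RULE_PATH ../rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include classification.config
"""

# The database output line from step 4 (2); the password is passed in at run time
# so it does not have to live in this script.
DB_OUTPUT = "output database: log, mysql, user=snort password={pw} dbname=snort host=localhost"

RULE_PATH_VAR = re.compile(r"^\s*var\s+RULE_PATH\b")
RULE_PATH_INCLUDE = re.compile(r"^\s*include\s+\$RULE_PATH/(\S+)")
DB_OUTPUT_LINE = re.compile(r"^\s*output\s+database:")


def patch_snort_conf(text, db_password):
    """Apply the three snort.conf edits of step 4 and return the new text."""
    out = []
    for line in text.splitlines():
        inc = RULE_PATH_INCLUDE.match(line)
        if RULE_PATH_VAR.match(line):      # (1) comment out "var RULE_PATH ../rules"
            out.append("# " + line)
        elif inc:                          # (3) include $RULE_PATH/x.rules -> include x.rules
            out.append("include " + inc.group(1))
        else:
            out.append(line)
    if not any(DB_OUTPUT_LINE.match(ln) for ln in out):   # (2) add the DB output once
        out.append(DB_OUTPUT.format(pw=db_password))
    return "\n".join(out) + "\n"


def check_snort_conf(text):
    """Return the problems a conf still has after the edits (empty list = OK)."""
    lines = text.splitlines()
    problems = []
    if any(RULE_PATH_VAR.match(ln) for ln in lines):
        problems.append("var RULE_PATH is still active")
    if any(RULE_PATH_INCLUDE.match(ln) for ln in lines):
        problems.append("some include lines still reference $RULE_PATH")
    if not any(DB_OUTPUT_LINE.match(ln) for ln in lines):
        problems.append("no 'output database:' line, so alerts never reach MySQL")
    return problems


if __name__ == "__main__":
    patched = patch_snort_conf(SAMPLE_CONF, "CHANGE-ME")   # placeholder password
    print(patched)
    print("remaining problems:", check_snort_conf(patched))
```

Because the output line carries the database password in clear text, keep snort.conf readable by root only.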
# tar -zvxf httpd-2.2.11.tar.gz
# cd httpd-2.2.11
# ./configure --prefix=/usr/local/apache --enable-so
# make
# make install
After installation, start Apache once with /usr/local/apache/bin/apachectl start.
Enter 127.0.0.1 in the browser address bar; if the install succeeded you will see "It works".
6. Install PHP
# cd /home/wd/snort相关
# tar -vxzf php-5.2.0.tar.gz
# cd php-5.2.0
# ./configure \
--prefix=/usr/local/php \
--with-mysql=/usr/local/mysql \
--with-apxs2=/usr/local/apache/bin/apxs \
--with-gd \
--with-zlib \
--enable-sockets
# make
# make install
# cp ./php.ini-dist /usr/local/php5/etc/php.ini
While installing PHP I got "cannot restorte segment prot...after reloc :Permission denied".
After googling, I modified the /etc/sysconfig file and /etc/sysconfig,
and ran chcon -t textrel_shlib_t on the .so files that lacked permission, which solved the problem.
7. Install ACID + ADOdb + JpGraph
Put acid-0.9.6b23.tar.gz, adodb507.tgz and jpgraph-2.3.4.tar.gz in the web root (I use the default here).
# cp a*.* /usr/local/apache/htdocs
# cp jpgraph-2.3.4.tar.gz /usr/local/apache/htdocs
# cd /usr/local/apache/htdocs
# tar zxvf adodb507.tgz
# tar zxvf jpgraph-2.3.4.tar.gz
# mv jpgraph-2.3.4 jpgraph
# tar zxvf acid-0.9.6b23.tar.gz
# cd acid
# vi acid_conf.php
Change "$DBlib_path = "";" to "$DBlib_path = "/usr/local/apache/htdocs/adodb";"
Change the alert database settings:
$alert_dbname = "snort_log"; // change to snort
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "123456"; // change to your database password
/* Archive DB connection parameters */
$archive_dbname = "snort_archive"; // change to snort
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "123456"; // change to your database password
Change "$ChartLib_path = "";" to "$ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";"
Save and exit.
Write a Snort start script
# cd /usr/local/
# vi snort.sh
#!/bin/sh
snort -d -h 192.168.0.0/24 -l /var/log/snort -c /etc/snort/snort.conf -i eth0 -A full
Save and exit.
# chmod 755 snort.sh
Start the services
# /usr/local/mysql/support-files/mysql.server start
# cd /usr/local/mysql/
# vi mysql_start.sh      (write the MySQL start script)
#!/bin/sh
/usr/local/mysql/bin/mysqld_safe --user=mysql &
Save and exit.
# chmod 755 mysql_start.sh
# cp mysql_start.sh /usr/sbin/
# ./mysql_start.sh      (start MySQL)
# /usr/local/snort/bin/snort start      (start Snort)
8. Change the SELinux and Apache configuration
# vi /etc/selinux/config
SELINUX=disabled
(otherwise libphp4.so segfaults)
Note: don't forget to configure the firewall to allow https.
9. Configure auto-start and reboot
# vi /etc/rc.d/rc.local
#start mysqld
/usr/local/mysql/support-files/mysql.server start
#start httpd
/usr/local/apache/bin/apachectl startssl
#start snort
/usr/local/bin/snort -d -D -c /etc/snort/rules/snort.conf
# reboot
10. Test the ACID connection and initialize
https://127.0.0.1/acid
Click "Setup page" to "Create ACID AG"
At this point Snort + MySQL + Apache/PHP + ACID is working.
11. Auxiliary management tool (GUI management of Snort):
(1) Install Net_SSLeay (Redhat9 is broken)
# cd /home
# tar -vxzf Net_SSLeay.pm-1.21.tar.gz
# cd Net_SSLeay.pm-1.21
# perl Makefile.PL
# make
# make install
(2) Install webmin
# cd /home
# rpm -ivh webmin-1.30.noarch.rpm
(3) Test the connection and install the snort module
https://127.0.0.1:10000, log in as root with the root password
Webmin Configuration -> SSL Encryption -> generate a new SSL key
Webmin Configuration -> Webmin Modules -> install snort-1.0.wbm
Servers -> Snort IDS Admin -> configure:
Full path to snort executable ->
/usr/local/snort/bin/snort -d -D -c /etc/snort/rules/snort.conf
Full path to snort configuration file ->
/etc/snort/rules/snort.conf
Full path to snort rule files directory ->
/etc/snort/rules
Full path to snort PID file ->
/var/run/snort_eth0.pid
(4) After saving, the Snort configuration screen opens.
12. Restrict Apache to https connections only
Edit /usr/local/apache/conf/httpd.conf as follows:
<IfDefine SSL>
#Listen 80
Listen 443
</IfDefine>
13. Add simple access control to Apache
(1) Create an authorized user and set a password
# /usr/local/apache/bin/htpasswd -c /usr/local/apache/conf/auth.users linghood
New password: ******
Re-type new password: ******
Adding password for user linghood
(2) Edit /usr/local/apache/conf/httpd.conf as follows
<Directory />
# Options FollowSymLinks
# AllowOverride None
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user
</Directory>
<Directory "/var/www/html">
# Options Indexes FollowSymLinks MultiViews
# AllowOverride None
# Order allow,deny
# Allow from all
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user
</Directory>
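Added example (not from the original post) that checks the two hardening steps above, 12 and 13, against an httpd.conf: no plaintext listener is left active and every <Directory> block requires a valid user. The weak and hardened conf excerpts are constructed samples:

```python
import re

# Constructed httpd.conf excerpts (sample input, not the page's real file).
WEAK_CONF = """\
Listen 80
Listen 443
<Directory "/usr/local/apache/htdocs">
    Order allow,deny
    Allow from all
</Directory>
"""

HARDENED_CONF = """\
#Listen 80
Listen 443
<Directory "/usr/local/apache/htdocs">
    AuthType Basic
    AuthName "IDS"
    AuthUserFile /usr/local/apache/conf/auth.users
    Require valid-user
</Directory>
"""

LISTEN = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)", re.I)
DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]*)"?\s*>', re.I)
DIR_CLOSE = re.compile(r"^\s*</Directory>", re.I)
REQUIRE = re.compile(r"^\s*Require\s+valid-user\b", re.I)


def audit_httpd_conf(text):
    """Check steps 12 and 13: nothing but port 443 is listened on, and every
    <Directory> block demands a valid user. Returns a list of findings."""
    findings = []
    current, body = None, []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):      # commented-out directives are inactive
            continue
        m = LISTEN.match(line)
        if m and m.group(1) != "443":
            findings.append("plaintext listener: Listen " + m.group(1))
        m = DIR_OPEN.match(line)
        if m:
            current, body = m.group(1), []
        elif DIR_CLOSE.match(line) and current is not None:
            if not any(REQUIRE.match(b) for b in body):
                findings.append("no Require valid-user in <Directory %s>" % current)
            current = None
        elif current is not None:
            body.append(line)
    return findings
```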
Two days well spent: after a lot of reading, the software is installed and the environment is usable, even though plenty of things could still be improved.
Reposted from: https://blog.51cto.com/tzsky/237274