Snort is a network intrusion detection system (NIDS): it analyzes the packets on a network to determine whether a host is being attacked remotely. Most Linux distributions package Snort, so installing it with urpmi, apt-get, yum and the like is easy. Snort can write the information it collects to a variety of storage back ends for later analysis. It can also serve as a simple packet logger or sniffer, but it is first and foremost a mature NIDS (the original text's "NDIS" is a typo).
Lab environment: CentOS 5.5
Required packages (source tarball, with the matching CentOS RPM in parentheses where one exists). The versions used in the commands below differ slightly from this list (the author evidently built newer releases of mysql, DBD-mysql, httpd, snort, jpgraph and adodb); use the archive names you actually downloaded.
zlib-1.2.3.tar.gz (zlib-1.2.3-3.i386.rpm)
libpcap-1.0.0.tar.gz (libpcap-0.9.4-14.el5.i386.rpm)
libxml2-2.6.19.tar.gz (libxml2-2.6.26-2.1.2.8.i386.rpm)
libpng-1.2.40.tar.gz (libpng-1.2.10-7.1.el5_3.2.i386.rpm)
gd-2.0.33.tar.gz (gd-2.0.33-9.4.el5_1.1.i386.rpm)
mysql-5.0.22.tar.gz
DBD-mysql-3.0008.tar.gz
httpd-2.2.14.tar.gz
php-5.2.13.tar.gz
pcre-8.00.tar.gz (pcre-6.6-2.el5_1.7.i386.rpm)
snort-2.8.3.1.tar.gz
snortrules-snapshot-2.8.tar.gz
snortrules-snapshot-CURRENT.tar.gz
jpgraph-3.0.6.tar.bz2
adodb498.tgz
acid-0.9.6b23.tar.gz
The libraries Snort depends on can be found on the installation CD or installed with yum. The wildcards below also pull in the -devel packages (headers), which the source builds that follow need. pcre (with its headers) is required by Snort's configure as well and was missing from the original command, so it is added here:
yum install -y zlib* libpcap* libxml2* libpng* gd* pcre* perl-DBI*
Install MySQL (the lab used 5.0.56 rather than the 5.0.22 in the list)
tar zxf mysql-5.0.56.tar.gz    # unpack mysql
cd mysql-5.0.56    # enter the mysql-5.0.56 directory
groupadd mysql    # add the mysql group
useradd -g mysql mysql    # add the mysql user
./configure --prefix=/usr/local/mysql
make
make install
cd /usr/local/mysql/
/usr/local/mysql/bin/mysql_install_db --user=mysql    # initialise the system databases
chown -R root .    # give the install tree to root; the original had "chmod -R root .", which is not a valid command
chown -R mysql var    # only the data directory (var) is owned by the mysql user
chgrp -R mysql .
Run MySQL in the background
/usr/local/mysql/bin/mysqld_safe --user=mysql &
Starting mysqld daemon with databases from /usr/local/mysql/var    # mysql started in the background successfully
Verify that MySQL is running
ps -e | grep mysqld
22157 pts/0 00:00:00 mysqld_safe
22177 pts/0 00:00:00 mysqld
netstat -tuplna | grep mysqld
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 22177/mysqld
bin/mysqladmin -uroot password 123456    # set the mysql root password; note that a password given on the command line is visible in ps output and the shell history, acceptable only in a lab
bin/mysql -uroot -p    # log in and enter the password at the prompt; the original "bin/mysql -uroot -p 123456" does not work, because with a space after -p the client treats 123456 as a database name
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.56 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
Edit the ld.so.conf file so the dynamic linker can find the MySQL client library
vi /etc/ld.so.conf
Add the following two lines to the file:
/usr/local/mysql/lib/mysql
/usr/local/lib
After the change the file reads:
include ld.so.conf.d/*.conf
/usr/local/mysql/lib/mysql
/usr/local/lib
Run ldconfig to make the change take effect
Install DBD-mysql, the Perl MySQL driver (the lab used 3.0002 rather than the 3.0008 in the list)
tar zxf DBD-mysql-3.0002.tar.gz
cd DBD-mysql-3.0002
export LANG=C
perl Makefile.PL \
> --libs="-L/usr/local/mysql/lib/mysql -lmysqlclient -lz" \
> --cflags=-I/usr/local/mysql/include/mysql \
> --testhost=127.0.0.1 \
> --mysql_config=/usr/local/mysql/bin/mysql_config
The last option must point at mysql_config; the original's "mysql_conf" does not exist and Makefile.PL would fall back to guessing the library locations.
make
make install
Install Snort (the lab used 2.8.4.1 rather than the 2.8.3.1 in the list)
tar zxf snort-2.8.4.1.tar.gz
cd snort-2.8.4.1
Build Snort with MySQL output support
./configure --with-mysql=/usr/local/mysql
make
make install
mkdir /etc/snort    # configuration directory
mkdir /var/log/snort    # log directory
Install the Snort rules
cp snortrules-snapshot-2.8.tar.gz /usr/local/src/
cd /usr/local/src/
tar zxf snortrules-snapshot-2.8.tar.gz    # the original extracted "snortrules-snapshot-2860.tar.gz"; use the archive name you downloaded
mv rules/ /etc/snort    # if the snapshot also contains preproc_rules/ and so_rules/, move them alongside rules/ in the same way
cp /usr/local/src/snort-2.8.4.1/etc/* /etc/snort/    # snort.conf and the other configuration files (classification.config, reference.config, threshold.conf, unicode.map, the .map files) ship in the source tree's etc/ directory; the original's bare "cp * /etc/snort/" run from /usr/local/src copies nothing useful
ll /etc/snort
Edit /etc/snort/snort.conf
Find
# var HOME_NET 10.1.1.0/24
and change it to
var HOME_NET 192.168.5.0/24
(substitute the network you are monitoring). Note that the stock file also contains an active "var HOME_NET any" a few lines further down; change or delete that line as well, otherwise it overrides your setting and every rule written for $EXTERNAL_NET -> $HOME_NET matches all traffic.
Find
# such as: c:\snort\rules
var RULE_PATH ../rules
and change it to
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules
Give PREPROC_RULE_PATH an absolute path too (/etc/snort/preproc_rules): the relative "../preproc_rules" only resolves when Snort happens to be started from a matching working directory.
Find
# output database: log, mysql, user=root password=test dbname=db host=localhost
and change it to
output database: log, mysql, user=root password=123456 dbname=snort host=localhost
This is what the lab did. Outside a lab, use the dedicated snort database account created in the next step instead of root: the credentials sit in plain text in snort.conf, and the database output plugin only needs INSERT and SELECT on its own database.
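The snort.conf changes above as a script, added here as an example (it is not from the original post or from the Snort project): it rewrites the four settings with sed, including the active "var HOME_NET any" line and PREPROC_RULE_PATH, uses a dedicated database account instead of root, and then checks the result. The database user and password are placeholders, the fragment used by the self-test is constructed to mirror the relevant stock 2.8 lines, and the paths assume the /etc/snort layout set up above.

```shell
#!/bin/sh
# Added example, not part of the original post or of Snort itself.
# Assumptions: config at /etc/snort/snort.conf with rules under /etc/snort
# (as set up above); a dedicated MySQL account for Snort whose name and
# password are passed in as arguments (placeholders here).

# Rewrite the four settings. Only the active "var HOME_NET ..." line is
# touched (the stock file's "var HOME_NET any"); the commented examples above
# it stay as they are. PREPROC_RULE_PATH is made absolute as well, because the
# relative "../preproc_rules" only resolves from a matching working directory.
# The output database line is uncommented with the given account, not root.
configure_snort_conf() {
    conf="$1"; home_net="$2"; db_user="$3"
    # escape the characters sed treats specially in a replacement (| & \)
    db_pass=$(printf '%s' "$4" | sed 's/[|&\\]/\\&/g')
    sed \
        -e "s|^var HOME_NET .*|var HOME_NET $home_net|" \
        -e "s|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|" \
        -e "s|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|" \
        -e "s|^# output database: log, mysql, .*|output database: log, mysql, user=$db_user password=$db_pass dbname=snort host=localhost|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Verify the result: no "var HOME_NET any" left, HOME_NET set to an address or
# list, both rule paths absolute, exactly one active database output line, and
# that line not using root. Returns 0 when everything is in order.
check_snort_conf() {
    conf="$1"
    if grep -q '^var HOME_NET any' "$conf"; then return 1; fi
    grep -q '^var HOME_NET [0-9[]' "$conf" || return 1
    grep -q '^var RULE_PATH /' "$conf" || return 1
    grep -q '^var PREPROC_RULE_PATH /' "$conf" || return 1
    [ "$(grep -c '^output database:' "$conf")" = "1" ] || return 1
    if grep -q '^output database:.*user=root' "$conf"; then return 1; fi
    return 0
}

# Constructed fragment for a self-test (not a real snort.conf). It reproduces
# the lines this section edits, including the active "var HOME_NET any" that
# follows the commented examples in the stock file.
make_sample_conf() {
    cat > "$1" <<'EOF'
# var HOME_NET 10.1.1.0/24
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET any
var EXTERNAL_NET any
# such as: c:\snort\rules
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
include $RULE_PATH/local.rules
EOF
}

# On the real system:
#   configure_snort_conf /etc/snort/snort.conf 192.168.5.0/24 snort 'snort-db-password'
#   check_snort_conf /etc/snort/snort.conf && snort -T -c /etc/snort/snort.conf
```

The check function is deliberately strict about a single active output line: a second, forgotten "output database:" line would make Snort log every event twice (or fail to start if the credentials differ).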
/usr/local/mysql/bin/mysql -uroot -p    # enter the root password to open the database
mysql> SET PASSWORD FOR root@localhost=PASSWORD('123456');    # redundant after the mysqladmin step above, but harmless
mysql> create database snort;
mysql> connect snort;    # reconnect with snort as the current database (use snort; does the same)
mysql> source /usr/local/src/snort-2.8.4.1/schemas/create_mysql;    # load the Snort schema shipped in the source tree
mysql> show tables;
Run the following commands:
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
Query OK, 0 rows affected (0.00 sec)
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;    # reload the grant tables
Query OK, 0 rows affected (0.01 sec)
Caveat: on MySQL 5.0 a GRANT for an account that does not exist yet creates it with an empty password, and "to snort" with no host part means 'snort'@'%'. Combined with mysqld listening on 0.0.0.0:3306 (see the netstat output above), this leaves a passwordless account with write access to the alert tables reachable from the network. Add "identified by '<password>'" to the grants, drop the '%' account, and set bind-address=127.0.0.1 in my.cnf if nothing remote needs the database.
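The grants above in a least-privilege form, added here as an example (not from the original post or from Snort): separate accounts for the Snort writer and the ACID front end, each with a password and valid only from localhost, granted only on the snort database, and the root password handed to the mysql client through a mode-0600 option file instead of the command line. The account names, the DRY_RUN switch and the passwords are this example's own choices; the client path follows the /usr/local/mysql install above.

```shell
#!/bin/sh
# Added example, not part of the original post or of Snort itself.
# Assumptions: mysql client at /usr/local/mysql/bin/mysql (installed above),
# the "snort" database already created and loaded with schemas/create_mysql,
# and the MySQL root password in the ROOT_PW environment variable.

MYSQL_BIN="${MYSQL_BIN:-/usr/local/mysql/bin/mysql}"

# Emit the GRANT statements. Unlike the bare "grant ... to snort" above, each
# account gets a password and exists only for localhost. The Snort database
# output plugin needs INSERT and SELECT; ACID additionally needs UPDATE and
# DELETE for alert management and CREATE for the tables its setup page adds.
# Single quotes in a password are doubled so they survive inside the SQL literal.
snort_grants_sql() {
    db="$1"
    snort_pw=$(printf '%s' "$2" | sed "s/'/''/g")
    acid_pw=$(printf '%s' "$3" | sed "s/'/''/g")
    cat <<EOF
GRANT INSERT, SELECT ON $db.* TO 'snort'@'localhost' IDENTIFIED BY '$snort_pw';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON $db.* TO 'acid'@'localhost' IDENTIFIED BY '$acid_pw';
FLUSH PRIVILEGES;
EOF
}

# Apply the statements as root. The root password goes into a temporary option
# file (mktemp creates it with mode 0600) passed via --defaults-extra-file, so
# it never appears in "ps" output or the shell history the way
# "mysql -uroot -p123456" would. DRY_RUN=1 only prints the SQL.
apply_grants() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        snort_grants_sql "$@"
        return $?
    fi
    [ -n "$ROOT_PW" ] || { echo "ROOT_PW is not set" >&2; return 1; }
    optfile=$(mktemp /tmp/snortdb.XXXXXX) || return 1
    printf '[client]\nuser=root\npassword=%s\n' "$ROOT_PW" > "$optfile"
    snort_grants_sql "$@" | "$MYSQL_BIN" --defaults-extra-file="$optfile"
    rc=$?
    rm -f "$optfile"
    return $rc
}

# On the real system:
#   ROOT_PW=123456 apply_grants snort 'snort-db-password' 'acid-db-password'
# then put the snort account in snort.conf's output line and the acid account
# in acid_conf.php.
```

--defaults-extra-file must be the first option on the mysql command line; the function passes no other options, so that holds.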
Start Snort
snort -c /etc/snort/snort.conf
If Snort initialises without errors, the installation is working. To validate the configuration and exit instead of staying attached to the interface, run snort -T -c /etc/snort/snort.conf.
Install Apache (the lab used httpd 2.2.15 rather than the 2.2.14 in the list)
tar zxf httpd-2.2.15.tar.gz
cd httpd-2.2.15
./configure --prefix=/usr/local/apache --enable-ssl --enable-so
(The original's "--enable-module=ssl --enable-module=so" is the Apache 1.3 syntax; 2.2 uses --enable-ssl and --enable-so, and mod_so must be present for apxs to install the PHP module below.)
make
make install
/usr/local/apache/bin/apachectl start
netstat -tnl
Active Internet connections (only servers)
tcp        0      0 :::80      :::*      LISTEN
tcp        0      0 :::22      :::*      LISTEN
Install PHP
tar zxf php-5.2.13.tar.gz
cd php-5.2.13
./configure \
> --prefix=/usr/local/php \
> --with-mysql=/usr/local/mysql \
> --with-apxs2=/usr/local/apache/bin/apxs \
> --with-gd \
> --with-zlib
make
make install
cp php.ini-dist /usr/local/php/lib/php.ini    # copy the configuration file; with --prefix=/usr/local/php this is where PHP looks for php.ini (the original's /usr/local/bin/php.ini is never read)
Edit the Apache configuration file
vi /usr/local/apache/conf/httpd.conf
Find
#AddType application/x-gzip .tgz
and change it to
AddType application/x-gzip .tgz
AddType application/x-httpd-php .php
(PHP's make install has already added the LoadModule php5_module line via apxs; check that it is there. Add index.php to the DirectoryIndex line if it should be served by default.)
/usr/local/apache/bin/apachectl restart    # restart Apache so the new configuration is loaded
cd /usr/local/apache/htdocs/    # PHP test page
vi index.php
Write the following content (the original used the short "<?" tag, which depends on short_open_tag; "<?php" always works):
<?php
echo "where to use PHP test page!";
// root is the database user and 123456 its password; stop with the MySQL error if anything fails
mysql_connect("localhost", "root", "123456") or die(mysql_error());
mysql_query("create database test01;") or die(mysql_error());
?>
Open http://<server IP address>/index.php in a browser. Delete this page once the test is done: it embeds the root database credentials and creates a database on every request.
/usr/local/mysql/bin/mysql -uroot -p
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| snort |
| test |
| test01 |
+--------------------+
5 rows in set (0.00 sec)
Install ACID + ADOdb + JpGraph (the lab used adodb511 and jpgraph 3.0.7; the list names adodb498 and jpgraph-3.0.6.tar.bz2, which would need tar jxf)
tar zxf acid-0.9.6b23.tar.gz
tar zxf adodb511.tgz
tar zxf jpgraph-3.0.7.tar.gz
mv acid /usr/local/apache/htdocs/
mv adodb5 /usr/local/apache/htdocs/adodb
mv jpgraph-3.0.7 /usr/local/apache/htdocs/jpgraph
cd /usr/local/apache/htdocs/
vi acid/acid_conf.php
Find
$DBlib_path = "";
and change it to
$DBlib_path = "/usr/local/apache/htdocs/adodb";
Find
*/
$alert_dbname = "snort_log";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "mypassword";
/* Archive DB connection parameters */
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
and change it to
*/
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "123456";
/* Archive DB connection parameters */
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "123456";
(The lab points both the alert and the archive connection at the same "snort" database as root. ACID needs SELECT, INSERT, UPDATE, DELETE and CREATE on its tables, so a dedicated account with just those grants is preferable to root; and if you intend to use ACID's archive function, create a second database with the same schema for it instead of reusing snort.)
Find
$ChartLib_path = "";
and change it to
$ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";
(The original had a leading space inside the quotes, which makes the path invalid.)
Start Snort as a daemon (-D), logging packet payloads (-d) to the database
snort -d -D -c /etc/snort/snort.conf
Open http://<your IP address>/acid/acid_main.php in a browser and follow the "Setup page" link to create the additional tables ACID needs. The ACID pages expose every alert and can create and delete database rows, so restrict /acid (Apache authentication plus an address allow list) before exposing the web server beyond the lab network.
This article is reposted from the mailfile blog on 51CTO; original link: http://blog.51cto.com/mailfile/1206533. Contact the original author for reprint permission.