博威---云架构决胜云计算

 找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 3108|回复: 2

Snort IDS 专题

[复制链接]
发表于 2010-1-19 02:04:57 | 显示全部楼层 |阅读模式
Snort IDS 专题最近在学习snort, 刚好有些资料要和大家分享,如果大家有什么好的资料也一起拿过来分享吧, 也请大家尽量不要做无关的回复,谢谢。

  1。[原创][Snort IDS系列之]使用Oinkmaster 自动更新Snort Rules
     欢迎大家拍砖,第一次这么认真写文档。主要讨论如何在linux下自动更新snort rules, windows 下应该也差不多的,欢迎交流。
   http://www.netexpert.cn/viewthread.php?tid=2444&fpage=1

  2。  [电子书]Snort安装,使用手册
   http://www.netexpert.cn/viewthread.php?tid=2257&fpage=2

  3。[电子档]Snort 2.1 Intrusion Detection Second Editon
   非常全面的介绍了snort 相关的知识,包括原理,安装,配置,自动升级,各种插件,总之能够让你了解snort的方方面面,内容也写的广泛深入,喜欢snort的朋友一定不要错过喔.

   http://www.netexpert.cn/viewthread.php?tid=2408&fpage=1

  4。 [Snort IDS]Intrusion Detection Systems with Snort
  
  另一本介绍snort 的好书,这是能在网上找到的几本不可多得的snort的好书之一。
  http://www.netexpert.cn/viewthread.php?tid=2457&fpage=1
 楼主| 发表于 2010-1-19 02:05:28 | 显示全部楼层
5. [转贴]Snort+Guardian的安装   
文章标题          Snort+Guardian的安装           
张贴者:        garfield (enthusiast)
张贴日期        01/18/05 07:59 PM
原文出自:http://www.linuxforum.net/docnew ... =new&Number=941


Snort 是一个开源的轻量级入侵监测系统,可以监测网络上的异常情况,给出报告;
Guardian是基于Snort+IPTables的一个主动防火墙,它分析Snort的日志文件,根据一定的判据自动将某些恶意的IP自动加入IPTables的输入链,将其数据包丢弃。
我自使用Snort+Guardian以来,每天可以看到很多的恶意行为被终止,心里很是高兴!

推荐大家使用!

安装步骤:
1)安装Snort:
*现在Snort & Guardian,目前下载地址为:
http://www.snort.org/dl/snort-2.3.0RC2.tar.gz
http://www.snort.org/dl/contrib/ ... guardian-1.6.tar.gz

*将上述文件拷贝至/tmp
*tar zxvf *.tgz
*cd snort-2.3.0RC2
*./configure
*make
*make install
*mkdir /etc/snort
*cd /etc/snort
*wget http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
* tar zxvf snortrules-snapshot-CURRENT.tar.gz
*mkdir /var/log/snort
*cd /etc
*vi snort.conf
修改后一些关键设置如下:
var HOME_NET yournetwork
var RULE_PATH /etc/snort/rules
preprocessor http_inspect: global \
iis_unicode_map /etc/snort/rules/unicode.map 1252
include /etc/snort/rules/reference.config
include /etc/snort/rules/classification.config

如:yournetwork 220.8.0.0/16

同时,可以选择将类似
include $RULE_PATH/local.rules
等,前面的#号去掉,设置自己的规则集

* /usr/local/bin/snort -D -l /var/log/snort -c /etc/snort.conf

* 将上一条命令写入/etc/rc.d/rc.local

2)安装guardian---需要perl支持
* cd /tmp
* tar zxvf guardian-1.6.tar.gz
* cd guardian-1.6
* echo > /etc/guardian.ignore
* cp guardian.pl /usr/local/bin/.
* cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
* cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
* cp guardian.conf /etc/.
* vi /etc/guardian.conf
如下:
HostGatewayByte 1
# guardian的日志文件
LogFile /var/log/guardian.log

#guardian从何处读取snort的日志
AlertFile /var/log/snort/alert

#将你需要忽略的IP放在此文件中
IgnoreFile /etc/guardian.ignore

# 封锁IP的最长时间,99999999为没有时限
TimeLimit 86400

* /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/guardian.conf
* 将上一条命令加入 /etc/rc.d/rc.local

至此,完成设置

注意:
1)snort的规则文件经常更新,可以使用如下脚本自动更新:
#!/bin/sh
cd /etc/snort
wget http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
tar zxvf snortrules-snapshot-CURRENT.tar.gz
exit 0

*将上述脚本存为snortupdate,并放置到/etc/cron.daily/下,可以每天更新一次;

2)guardian有时会自动退出,可以使用如下脚本解决:
#!/bin/sh
/usr/local/bin/killguardian
/usr/local/bin/guardian.pl -c /etc/guardian.conf
exit 0

将上述脚本存为restartguardian,放置到/usr/local/bin

同时,crontab -e,加入如下一句:
* */6 * * * /usr/local/bin/restartguardian

意思为:每6小时重新启动guardian


脚本:killguardian
#!/usr/bin/perl
#杀死当前guardian.pl进程,需要安装perl module Proc:rocessTable
#访问http://www.cpan.org可以获得上述module
use Proc:rocessTable;

$t = new Proc:rocessTable;

foreach $p (@{$t->table})
{

kill 9, $p->pid if $p->cmndline =~ 'guardian.pl';

}
 楼主| 发表于 2010-1-19 02:06:27 | 显示全部楼层
8.[转贴] 在RedHat9上构建小型入侵检测系统  

2005-09-15 15:32更新 来源:赛迪网

构建小型的入侵检测系统(RedHat9)


Snort+Apache+PHP4+MySQL+Acid


一.系统平台


Redhat9.0发行版, 安装gcc 及相关库文件,建议不要安装


Apache,PHP,MySQL,我们将用源码编译安装。基于安全方面的


考虑,可以设置一下iptables只允许SSH和WWW访问。


二.软件


MySQL4.0.12 http://mysql.secsup.org


Snort2.0.0 http://www.snort.org


Apache2.0.45 http://www.apache.org


PHP4.3.1 http://www.php.net


ADODBv3.30 http://phplens.com


Acid0.9.6b23 http://acidlab.sourceforge.net


Zlib1.1.4 http://flow.dl.sourceforge.net


JPGraph1.11 http://jpgraph.techuk.com


LibPcap0.7.2 http://www.tcpdump.org


建议到这个站点下载http://ftp.cdut.edu.cn/pub/linux/NEW/


也可以到http://www.rpmfind.com下载相关的xx.src.rpm编译安装。如若安装了rpm包,可以强行将其反安装


rpm -e -nodeps xx.xx


三.安装(建议将所有的包文件考到同一目录)


1.安装zlib1.1.4


tar -xzvf zlib-xx.tar.gz


cd zlib-xx


./configure;make test


make install


cd ..


2.安装LibPcap0.7.2


tar -xzvf libpcap.tar.gz


cd libpcap-xx


./configure


make


make install


cd ..


3.安装MySQL4.0.12


3.1创建mysql组和mysql用户


groupadd mysql


useradd -g mysql mysql


修改/root下的.bash_profile的这一行:


PATH=?$PATH:?$HOME/bin 为


PATH=?$PATH:?$HOME/bin:/usr/local/mysql/bin


3.2安装mysql


tar -xzvf mysql-xx.tar.gz


cd mysql-xx


./configure --prefix=/usr/local/mysql


make


make install


cd scripts


./mysql_install_db


chown -R root /usr/local/mysql


chown -R mysql /usr/local/mysql/var


chgrp -R mysql /usr/local/mysql


cd ../support-files/my-medium.cnf /etc/my.cnf


向/etc/ld.so.conf中加入两行:/usr/local/mysql/lib/mysql


/usr/local/lib


载入库,执行


ldconfig -v


3.3测试mysql是否工作:


cd /usr/local/mysql/bin/


./mysqld_safe --user=mysql&


#ps -ef |grep mysql


看mysql_safe是否工作


3.4设置mysql为自启动:


将mysql安装目录下的support-files目录中的


mysql.server文件拷到/etc/init.d目录


cp mysql.server /etc/init.d/mysql


chmod 755 /etc/init.d/mysql


创建硬链接:


cd /etc/rc3.d(文本方式启动)


ln -s /etc/init.d/mysql S85mysql


ln -s /etc/init.d/mysql K85mysql


cd /etc/rc5.d (图形方式启动)


ln -s /etc/init.d/mysql S85mysql


ln -s /etc/init.d/mysql K85mysql


4.安装Apache2.0.45和PHP4.3.1


tar -zxvf httpd-2.0.xx.tar.gz


cd httpd_2.xx.xx


./configure --prefix=/www --enable-so


注:apache根目录为 /www


make


make install


cd ..


tar -zxvf php-4.3.x.tar.gz


cd php-4.3.x


./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config- filepath=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlibdir=/


usr/local --with- gd


注意:这些为一行,中间不要有回车。


cp php.ini-dist /www/php/php.ini


编辑httpd.conf(/www/conf):


加入两行


LoadModule php4_module modules/libphp4.so


AddType application/x-httpd-php .php


httpd.conf中相关内容如下:


#


# LoadModule foo_module modules/mod_foo.so


LoadModule php4_module modules/libphp4.so


# AddType allows you to tweak mime.types without actually editing it, or ?$


# make certain files to be certain types.


#


AddType application/x-tar .tgz


AddType image/x- icon .ico


AddType application/x-httpd-php .php


设置Apache为自启动:


cp /www/bin/apachectl /etc/init.d/httpd


cd /etc/rc3.d


ln -s /etc/init.d/httpd S85httpd


ln -s /etc/init.d/httpd K85httpd


cd /etc/rc5.d


ln -s /etc/init.d/httpd S85httpd


ln -s /etc/init.d/httpd K85httpd


测试一下 PHP:


cd /etc/init.d


./httpd start


在/www/htdocs下建立文件 test.php


cd /www/htdocs


vi test.php


加入


lt;?php


hpinfo();


?>


用浏览器访问http://IP_address/test.php,成功的话,出现一些


系统,apache,php信息


5.安装 Snort2.0


5.1建立snort配置文件和日志目录


mkdir /etc/snort


mkdir /var/log/snort


tar -zxvf snort-2.x.x.tar.gz


cd snort-2.x.x


./configure --with-mysql=/usr/local/mysql


make


make install


5.2安装规则和配置文件


cd rules (在snort安装目录下)


cp * /etc/snort


cd ../etc


cp snort.conf /etc/snort


cp *.config /etc/snort


5.3修改snort.conf(/etc/snort/snort.conf)


var HOME_NET 10.2.2.0/24 (修改为你的内部网网络地址,我的是


192.168.0.0/24)


var RULE_PATH ../rules 修改为 var RULE_PATH /etc/snort/


改变记录日志数据库:


output database: log, mysql, user=root password=your_password


dbname=snort host=localhost


5.4设置snort为自启动:


在snort安装目录下


cd /contrib


cp S99snort /etc/init.d/snort


vi /etc/init.d/snort


修改snort如下:


CONFIG=/etc/snort/snort.conf


#SNORT_GID=nogroup (注释掉)


#8194;$SNORT_PATH/snort -c ?$CONFIG -i ?$IFACE ?$OPTIONS


(去掉原文件中的 -g ?$SNORT_GID )


chmod 755 /etc/init.d/snort


cd /etc/rc3.d


ln -s /etc/init.d/snort S99snort


ln -s /etc/init.d/snort K99snort


cd /etc/rc5.d


ln -s /etc/init.d/snort S99snort


ln -s /etc/init.d/snort K99snort


四.在mysql中建立数据库


/usr/local/mysql/bin/mysql


mysql>SET PASSWORD FOR root@localhost=PASSWORD('your_password');


mysql>create database snort;


mysql>grant INSERT,SELECT on root.* to snort@localhost;


mysql>quit;


进入snort安装目录:/usr/local/mysql/bin/mysql -p <./contrib/create_mysql snort


gt;Enter password:


安装DB表:(在contrib目录)


zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p snort


进入mysql数据库,看看snort数据库中的表:


/usr/local/mysql/bin/mysql -p


gt;Enter password:


mysql>show databases;


+------------+


| Database


+------------+


| mysql


| snort


| test


+------------+


3 rows in set (0.00 sec)


mysql>use snort;


mysql>show tables; 将会有这些:


+------------------+


| Tables_in_snort |


+------------------+


| data


| detail


| encoding


| event


| flags


| icmphdr


| iphdr


| opt


| protocols


| reference


| reference_system


schema


| sensor


| services


| sig_class


| sig_reference


| signature


| tcphdr


| udphdr


+------------------+


19 rows in set (0.00 sec)


mysql>exit


五.安装配置Web接口


安装JPGraph1.11


cp jpgraph-1.11.tar.gz /www/htdocs


cd /www/htdocs


tar -xzvf jpgraph-1.xx.tar.gz


rm -rf jpgrap-1.xx.tar.gz


cd jpgraph-1.11


rm -rf README


rm -rf QPL.txt


安装ADODB:


cp adodb330.tgz /www/htdocs/


cd /www/htdocs


tar -xzvf adodb330.tgz


rm -rf adodb330.tgz


安装配置Acid:


cp acid-0.0.6b23.tar.gz /www/htdocs


cd /www/htdocs


tar -xvzf acid-0.9.6b23.tar.gz


rm -rf acid-0.9.6b23.tar.gz


cd /www/htodcs/acid/


编辑acid_conf.php,修改相关配置如下:


#8194;$DBlib_path = "/www/htdocs/adodb";


/* The type of underlying alert database


*


* MySQL : "mysql"


* PostgresSQL : "postgres"


* MS SQL Server : "mssql"


*/


#8194;$DBtype = "mysql";


/* Alert DB connection parameters


* - ?$alert_dbname : MySQL database name of Snort alert DB


* - ?$alert_host : host on which the DB is stored


* - ?$alert_port : port on which to access the DB


* - ?$alert_user : login to the database with this user


* - ?$alert_password : password of the DB user


*


* This information can be gleaned from the Snort database


* output plugin configuration.


*/


#8194;$alert_dbname = "snort";


#8194;$alert_host = "localhost";


#8194;$alert_port = "";


#8194;$alert_user = "root";


#8194;$alert_password = "Your_Password";


/* Archive DB connection parameters */


#8194;$archive_dbname = "snort";


#8194;$archive_host = "localhost";


#8194;$archive_port = "";


#8194;$archive_user = "root";


#8194;$archive_password = "Your_Password ";


And a little further down


#8194;$ChartLib_path = "/www/htdocs/jpgraph-1.11/src";


/* File format of charts ('png', 'jpeg', 'gif') */


#8194;$chart_file_format = "png";


进入web界面:


http://yourhost/acid/acid_main.php


点"Setup Page"链接 ->Create Acid AG


访问http://yourhost/acid将会看到ACID界面。


六.测试系统


重启系统或者直接启动相关后台程序:


/etc/init.d/mysql restart


/etc/init.d/snort start


/etc/init.d/httpd start


利用nmap,nessus,CIS或者X-scan对系统进行扫描,


产生告警纪录。


http://yourhost/acid 察看纪录。


至此,一个功能强大的IDS配置完毕。各位可以利用web界面


远程登陆,监控主机所处局域网,同时安装phpMyAdmin对mysql


数据库进行操控。
您需要登录后才可以回帖 登录 | 注册

本版积分规则

小黑屋|手机版|Archiver|boway Inc. ( 冀ICP备10011147号 )

GMT+8, 2024-11-24 09:17 , Processed in 0.088367 second(s), 17 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表