Snort2.3.3安装笔记_Unix系统

Snort2.3.3安装笔记

发表于：2007-07-04来源：作者：点击数：标签：

2005年5月7日加入acid部分
2005年3月31日成稿
参考了很多文章，就不一一列出了

1.准备
我的系统中已经装好了apache，mysql，php，编译php的时候记得加上--with-gd，要是没有请重新编译。
先装libpng
# wget http://jaist.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.8.tar.bz2
# tar jxvf libpng-1.2.8.tar.bz2
# cd libpng-1.2.8
# cp scripts/makefile.std makefile
# make
# make test
# make install

# wget http://cn2.php.net/get/php-4.3.11.tar.bz2/from/cn.php.net/mirror
# tar -jxvf php-4.3.11.tar.bz2
# cd php-4.3.11
# ./configure \
--prefix=/usr/local/php \
--with-mysql=/usr/local/mysql \
--with-apxs2=/usr/local/apache/bin/apxs \
--with-zlib-dir=/usr/local --with-gd
# make
# make install

2.安装
由于我的redhat9.0中没有libcap、pcre，编译snort的时候会出错，先装libpcap和pcre
# wget http://www.tcpdump.org/release/libpcap-0.8.3.tar.gz
# tar zxvf libpcap-0.8.3.tar.gz
# cd libpcap-0.8.3
# ./configure
# make
# make install

# wget http://switch.dl.sourceforge.net/sourceforge/pcre/pcre-5.0.tar.bz2
# tar jxvf pcre-5.0.tar.bz2
# cd pcre-5.0
# ./configure
# make
# make check
# make install

安装snort
用acid太占资源了，建议只安装snort,guardian,snortsnarf即可，安装时只需去掉mysql与acid。
# wget http://www.snort.org/dl/current/snort-2.3.3.tar.gz
# tar zxvf snort-2.3.3.tar.gz
# cd snort-2.3.3
# ./configure --with-mysql=/usr/local/mysql
# make
# make install

注：如果不打算安装acid，编译的时候请去掉--with-mysql=/usr/local/mysql

# mkdir -p /etc/snort/ort/ort/rules
# cp etc/*.conf /etc/snort
# cp etc/*.config /etc/snort
# cp etc/unicode.map /etc/snort
# cp -R rules/* /etc/snort/rules

建立snort数据库
# mysql
mysql> SET PASSWORD FOR root@localhost=PASSWD'''passr''');
mysql> create database snort;
mysql> grant INSERT,SELECT on root.* to snort@localhost;
mysql> SET PASSWORD FOR snort@localhost=PASSWD'''14''');
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
mysql> exit

建立表
由于新版的snorts中没有nortdb-extra.gz了，只好下一个旧版的snort2.2.0的，为了方便我把它放到了我的免费空间里了
# wget http://anstan.go.nease.net/snort/snortdb-extra.gz
# mysql -u root -p < schemas/create_mysql snort
Enter password: the mysql root password
# zcat snortdb-extra.gz |mysql -p snort
Enter password: the mysql root password

进入mysql数据库，看看snort数据库中的表：
# mysql -p
>Enter password:
mysql> SHOW DATABASES;
(你看到如下)
Version 8 – From RPM Page 13 of 19 Updated 10/10/2004 1:38 PM
+------------+
| Database
+------------+
| mysql
| Snort
| test
+------------+
3 rows in set (0.00 sec)
mysql> use Snort
mysql> SHOW TABLES;
+------------------+
| Tables_in_Snort
+------------------+
| data
| ail
sp;encoding
| event
| flags
| icmphdr
| iphdr
| opt
| protocols
| reference
| reference_system
| schema
| sensor
| services
| sig_class
| sig_reference
| signature
| tcphdr
| udphdr
+------------------+
19 rows in set (0.00 sec)

修改/etc/snort/snort.conf
# vi /etc/snort/snort.conf
var HOME_NET 192.168.1.0/24
var RULE_PATH /etc/snort/rules
#如果不打算用acid，请不要取消对下面这行的注释
output database: log, mysql, user=snort password=12345 dbname=snort host=localhost
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules

创建/var/log/snort目录
# mkdir /var/log/snort

测试执行是否正常
# /usr/local/bin/snort -v

启动
# /usr/local/bin/snort -c /etc/snort/snort.conf -D
注：-D (以daemon方式启动，就是背景执行)
-c (指定snort依snort.conf设定档的内容执行)

自启动
# wget -P /etc/rc.d/rc.local http://anstan.go.nease.net/snort/snort ;
# chmod 755 /etc/rc.d/init.d/snort
# chkconfig --level 2345 snort on

3.plugins

3.1.guardian
# wget http://www.snort.org/dl/contrib/other_tools/guardian/guardian-1.6.tar.gz
# tar zxvf guardian-1.6.tar.gz
# cd guardian-1.6
# echo > /etc/snort/guardian.ignore
# cp guardian.pl /usr/local/bin/
# cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
# cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
# cp guardian.conf /etc/snort

# touch /var/log/snort/guardian.log
# chmod 644 /var/log/snort/guardian.log
# vi /etc/snort/guardian.conf
# guardian的日志文件
LogFile /var/log/snort/guardian.log
#guardian从何处读取snort的日志
AlertFile /var/log/snort/alert
#将你需要忽略的IP放在此文件中
IgnoreFile /etc/snort/guardian.ignore
# 封锁IP的最长时间，99999999为没有时限
TimeLimit 86400

编辑/usr/local/bin/guardian_unblock.sh，这个文件有错（guardian-1.6.tar.gz包里的iptables_unblock.sh就是写错的）
把
/sbin/ipchains -D INPUT -s $source -i $interface -j DROP
改成
/sbin/iptables -D INPUT -s $source -i $interface -j DROP

启动
# /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
如果想自启动，将上一条命令加入/etc/rc.d/rc.local，但是在我的RD9下不行，不知道为什么。

3.2.snortsam (计划中)
# wget http://www.snortsam.net/files/snortsam-v2_multi-threaded/snortsam-src-2.31.tar.gz

3.3.SnortSnarf
# wget http://www.snort.org/dl/contrib/data_analysis/snortsnarf/SnortSnarf-050314.1.tar.gz
# tar zxvf SnortSnarf-050314.1.tar.gz
# cd SnortSnarf-050314.1
# mkdir /var/www/snort/snortsnarf
# cp cgi/* /var/www/snort/snortsnarf
# cp -R include /var/www/snort/snortsnarf
# cp snortsnarf.pl /var/www/snort/snortsnarf

如果没有Time/ParseDate.pm模块，先装此模块
# wget http://search.cpan.org/CPAN/authors/id/M/MU/MUIR/modules/Time-modules-2003.1126.tar.gz
# tar zxvf Time-modules-2003.1126.tar.gz
# cd Time-modules-2003.1126
# perl Makefile.PL
# make
# make test
# make install

或者通过CPAN安装
# perl -MCPAN -e shell
cpan> install Time::ParseDate

分析snort日志
# cd /var/www/snort/snortsnarf
# perl snortsnarf.pl /var/log/snort/alert -d /var/www/snort/snortsnarf
Using an array as a reference is deprecated at include/SnortSnarf/HTMLMemStorage.pm line 290.
Using an array as a reference is deprecated at include/SnortSnarf/HTMLAnomMemStorage.pm line 266.
上面的警告（perl的警告）信息虽然不影响运行，但看起来确实不爽，作者说未来的版本将解决这个问题。我们可以修改snortsnarf.pl，把第一行的-w去掉，这样警告信息就没了。
注意：一定要先进入该档案所在目录，所以先要cd /var/www/snort/snortsnarf，为什么？不知道

测试
http://192.168.1.100/snort/snortsnarf

如果你装了acid，还可以从其数据库中读取数据
# cd /var/www/snort/snortsnarf
# perl snortsnarf.pl snort:12345@snort@localhost -d /var/www/snort/snortsnarf
could not load module "SnortDBInput", looked for it in file called "SnortDBInput.pm"; could be an error in that file; try&np'''perl&nbs-''' on that file要先装几个模块
(# export LANG=C)
# perl -MCPAN -e shell
cpan> install DBI::DBD
redhat9下通过cpan安装DBD::mysql不成功(make test时通不过)，只好下载源码，自己编译了
# wget http://search.cpan.org/CPAN/authors/id/C/CA/CAPTTOFU/DBD-mysql-2.9007.tar.gz
# tar zxvf DBD-mysql-2.9007.tar.gz
# cd DBD-mysql-2.9007
# perl Makefile.PL
# make
# make install
cpan> install DBD::mysql
再执行一次上面的命令，成功，太高兴了
说明：snort:12345@snort@localhost是按照用户名，密码，数据库名，主机名，端口号排列的。
如果想固定时间做成输出分析,加入到/etc/crontab中即可。

测试
http://192.168.1.5/snort/snortsnarf

3.4.Barnyard (计划中)

4.安装配置Acid
把acid-0.9.6b23.tar.gz、adodb330.tgz、jpgraph-1.17.tar.gz放到网页根目录
# wget http://jaist.dl.sourceforge.net/sourceforge/adodb/adodb462.tgz
# wget http://members.chello.se/jpgraph/jpgdownloads/jpgraph-1.17.tar.gz
# wget http://www.andrew.cmu.edu/user/rdanyliw/snort/acid-0.9.6b23.tar.gz
# mkdir /var/www/snort (/var/www是网页根目录)
# tar zxvf adodb462.tgz -C /var/www/snort
# tar zxvf jpgraph-1.17.tar.gz -C /var/www/snort
# mv /var/www/snort/jpgraph-1.17 /var/www/snort/jpgraph
# rm /var/www/snort/jpgraph/README
# rm /var/www/snort/jpgraph/QPL.txt
# tar zxvf acid-0.9.6b23.tar.gz -C /var/www/snort

# vi /var/www/snort/acid/acid_conf.php
$DBlib_path = "../adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "12345";
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "12345";
$ChartLib_path = "../jpgraph/src";

测试IDS
http://192.168.1.100/snort/acid/acid_main.php，点"Setup Page"链接 ->Create Acid AG
http://192.168.1.100/snort/acid 会看到ACID界面

利用nmap,nessus,CIS或者X-scan对系统进行扫描，产生纪录
http://192.168.1.100/snort/acid 察看纪录

# mkdir /var/passwords
# /usr/local/apache/bin/htpasswd -c /var/passwords/snort snort
# vi /usr/local/apache/conf/httpd.conf (添加如下几行)
<Directory "/var/www/snort">
AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/passwords/snort
Require user snort
</Directory>

5.snort启动脚本
# vi /etc/rc.d/init.d/snort
=================================================================
#!/bin/bash
# $Id$
# /etc/rc.d/init.d/snort : start or stop the SNORT Intrusion Database System
#
# Written by Lukasz Szmit <ptashek@scg.gliwice.pl>
# modified by anstan <heracai@126.com>
#
# Comments to support chkconfig on RedHat Linux
# chkconfig: 2345 99 20
# description: snort is very good

# set config file & path to snort executable
SNORT_PATH=/usr/local/bin
CONFIG=/etc/snort/snort.conf

# set interface
IFACE=eth0

# set GID/Group Name
#SNORT_GID= nogroup

# other options
OPTIONS="-D"

# End of configuration

test -x $SNORT_PATH/snort || exit 0

case "$1" in
start)
echo "Starting Intrusion Database System: SNORT"
#$SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID $OPTIONS
$SNORT_PATH/snort -c $CONFIG -i $IFACE $OPTIONS
if [ "`pidof $SNORT_PATH/snort`" ]; then
echo "SNORT is up and running!"
else
exit 0
fi
echo -n "."
;;

stop)
echo "Stoping Intrusion Database System: SNORT"
if [ "`pidof $SNORT_PATH/snort`" ] ; then

kill -TERM `pidof $SNORT_PATH/snort`

# Wait until the timeout
count=120
numdots=0
while ([ $count != 0 ]) do
let count=$count-1
if [ "`pidof $SNORT_PATH/snort`" ] ; then
echo -n .
let numdots=$numdots+1
sleep 1
else
count=0
fi
done

# If&nbsi'''s not dead yet, kill it.

if [ "`pidof $SNORT_PATH/snort`" ] ; then
echo " TIMEOUT!"
kill -KILL `$SNORT_PATH/snort`
else
case $numdots in
0) echo "." ;;
1) echo ;;
*) echo " done." ;;
esac
fi
else
echo "SNORT is not running!";
fi
;;
restart)
$0 stop
$0 start
;;
*)
echo&np'''Usage: /etc/init.d/snort {start|stop|restt'''
exit 1
;;
esac
exit 0
;;

原文转自：http://www.ltesting.net

软件测试 > 测试开发技术 > 软件测试环境搭建 > Unix系统 >