I recently set up Snort and hit plenty of pitfalls before finally finding a reliable article, "CentOS6.6基于snort+barnyard2+base的入侵检测系统的搭建" (building an intrusion detection system on CentOS 6.6 with snort + barnyard2 + base). Thanks to that author for sharing; below are my notes from following the article's steps.
I. Preparation
II. Installing and configuring LAMP
1. Install apache
yum install -y httpd
- Configuration file: /etc/httpd/conf/httpd.conf
- Web root: /var/www/html
- apachectl path: /usr/sbin/apachectl
2. Install php and extensions
yum install -y php php-mysql php-mbstring php-mcrypt php-gd mcrypt libmcrypt libmcrypt-devel
php --version #check the php version
- php configuration file: /etc/php.ini
3. Install pear
yum install -y php-pear
pear upgrade pear
pear channel-update pear.php.net
pear install mail
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
pear install mail_mime
4. Install mysql
yum install -y mysql mysql-server mysql-devel
mysql --version #check the mysql version
- mysql data directory: /var/lib/mysql
- mysql configuration file: /etc/my.cnf
- mysqldump location: /usr/bin/mysqldump
5. Install adodb
tar -zxvf adodb5.20.9.tar.gz -C /var/www/html
mv /var/www/html/adodb5 /var/www/html/adodb #rename the directory
6. Install base
tar -zxvf base-1.4.5.tar.gz -C /var/www/html
mv /var/www/html/base-1.4.5 /var/www/html/base
7. Edit php.ini
vi /etc/php.ini
error_reporting = E_ALL & ~E_NOTICE
8. Set permissions
chown -R apache:apache /var/www/html
chmod 755 /var/www/html/adodb
9. Configure mysql
tar -zxvf barnyard2-1.9.tar.gz #the schema file used below comes from this archive
service mysqld start #start mysql
mysql -u root #log in as root; there is no password by default
use mysql
update user set password=password('') where user='root'; #set the root login password
flush privileges; #reload the grant tables so the new root password takes effect
create database snort;
grant create,select,update,insert,delete on snort.* to snort@localhost identified by ''; #create a database user named snort with the given password and grant it rights on the snort database
exit #quit
mysql -u snort -p -Dsnort < /root/Desktop/snort/barnyard2-1.9/schemas/create_mysql #create the tables from barnyard2's schema
#log in to mysql to verify that the tables were created
mysql -u root -p #enter the password
use snort;
show tables; #check that the tables in the snort database exist; on success they look as in the figure

10. Configure base
service mysqld start #start mysql
service httpd start #start apache
chkconfig iptables off #disable the firewall service at boot (this does not stop an iptables instance that is already running)
III. Installing and configuring Snort and barnyard2
1. Install dependencies
yum install -y gcc flex bison zlib libpcap tcpdump gcc-c++ pcre* zlib* libdnet libdnet-devel
2. Install libdnet
tar -zxvf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make
make install
cd .. #back to the directory holding the tarballs
3. Install libpcap
tar -zxvf libpcap-1.0.0.tar.gz
cd libpcap-1.0.0
./configure
make
make install
cd ..
4. Install DAQ
tar -zxvf daq-2.0.4.tar.gz
cd daq-2.0.4
./configure
make
make install
cd ..
5. Install Snort
tar -zxvf snort-2.9.7.0.tar.gz
cd snort-2.9.7.0
./configure
make
make install
cd ..
6. Configure Snort
mkdir /etc/snort
mkdir /var/log/snort #holds the log files
mkdir /usr/local/lib/snort_dynamicrules
mkdir /etc/snort/rules #holds the rules
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules #white list and black list
cd /root/Desktop/snort/snort-2.9.7.0/etc #the original cp used bare file names, which only resolve from this directory
cp gen-msg.map threshold.conf classification.config reference.config unicode.map snort.conf /etc/snort/
#edit the configuration file
vi /etc/snort/snort.conf
#adjust the paths
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
#set the log directory
config logdir: /var/log/snort
#configure the output plugin
output unified2: filename snort.log, limit 128
7. Configure the default rules
tar -zxvf snortrules-snapshot-2970.tar.gz -C /etc/snort/
cp /etc/snort/etc/sid-msg.map /etc/snort/
8. Test Snort
snort -T -i eth1 -c /etc/snort/snort.conf
9. Install barnyard2
#barnyard2 was already extracted above, so cd straight into the extracted directory
cd /root/Desktop/snort/barnyard2-1.9
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
make
make install
10. Configure barnyard2
mkdir /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
cp /root/Desktop/snort/barnyard2-1.9/etc/barnyard2.conf /etc/snort
#edit the configuration file
vi /etc/snort/barnyard2.conf
config logdir: /var/log/barnyard2
config hostname: localhost
config interface: eth0
config waldo_file: /var/log/snort/barnyard2.waldo #must match the file created above (the original config named it barnyard.waldo)
output database: log, mysql, user=snort password= dbname=snort host=localhost
11. Test barnyard2
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
IV. Testing the IDS
1. Add a rule
vi /etc/snort/rules/local.rules
#add a rule that detects ping packets
alert icmp any any -> any any (msg: "IcmP Packet detected";sid:;)
The fourth any is the destination port; any means any port.
The msg string is the alert name.
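To make the rule fields above concrete, here is an added Python example (not part of the original notes) that parses a Snort 2 rule into the header fields described here and flags the problems that would stop it loading. The rule strings, the port check and the sid range check are mine; the corrected rule with $HOME_NET and sid 1000001 is a constructed example.

```python
import re

# Added example, not from the original post: parse a Snort 2 rule such as the
# ICMP rule above into its seven header fields and its options, and check what
# the rule needs before it goes into local.rules. Splitting options on ';'
# assumes no unescaped ';' inside msg, which Snort itself rejects too.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)

def parse_rule(rule):
    """Return the header fields plus an 'options' dict, or raise ValueError."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    fields, opts = m.groupdict(), {}
    for item in fields.pop("options").split(";"):
        if item.strip():
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    fields["options"] = opts
    return fields

def port_ok(port):
    port = port.lstrip("!")  # a negated port such as !80 is allowed
    return port == "any" or port.startswith("$") or re.fullmatch(r"\d+(:\d*)?|:\d+", port) is not None

def check_rule(rule):
    """Return a list of problems; an empty list means the rule looks loadable."""
    try:
        r = parse_rule(rule)
    except ValueError as e:
        return [str(e)]
    problems = [f"bad {f} '{r[f]}'" for f in ("src_port", "dst_port") if not port_ok(r[f])]
    if not r["options"].get("msg"):
        problems.append("msg is missing or empty")
    sid = r["options"].get("sid", "")
    if not sid.isdigit():
        problems.append("sid is missing or not numeric")  # the rule above has 'sid:;'
    elif int(sid) < 1000000:
        problems.append(f"sid {sid} is below 1000000, the range reserved for local rules")
    return problems

PAGE_RULE = 'alert icmp any any -> any any (msg: "IcmP Packet detected";sid:;)'  # from the post
FIXED_RULE = 'alert icmp any any -> $HOME_NET any (msg:"ICMP Packet detected"; sid:1000001; rev:1;)'  # constructed

if __name__ == "__main__":
    for rule in (PAGE_RULE, FIXED_RULE):
        print(check_rule(rule) or "ok", "<-", rule)
```

Running it reports the missing sid in the rule as written and accepts the corrected rule; snort -T (step 8 above) is still the authoritative check.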
2. Start the IDS
service mysqld start
service httpd start
chkconfig iptables off
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
snort -c /etc/snort/snort.conf -i eth0 -D #the -D option runs the command in the background (daemon mode)
3. Test the IDS
tail /var/log/snort/alert #view the alert log

Command to stop the IDS manually:
killall -9 snort barnyard2
Published by: 全栈程序员-站长. Please credit the source when reposting: https://javaforall.net/210865.html. Original link: https://javaforall.net
