snort+acid免费的系统.docx
《snort+acid免费的系统.docx》由会员分享,可在线阅读,更多相关《snort+acid免费的系统.docx(27页珍藏版)》请在冰豆网上搜索。
![snort+acid免费的系统.docx](https://file1.bdocx.com/fileroot1/2023-2/2/a43ad82b-2bdc-4fc8-b0f4-4c5d8c2113d3/a43ad82b-2bdc-4fc8-b0f4-4c5d8c2113d31.gif)
snort+acid免费的系统
snort+acid
【简 介】
Snort是个轻便的网络入侵检测系统,能完成实时流量分析和对网络上的IP包登录进行测试等功能,能完成协议分析,内容查找/匹配,能用来探测多种攻击和嗅探(如缓冲区溢出、秘密断口扫描、CGI攻击、SMB嗅探、拇纹采集尝试等)。
前提:
Apache要支持PHP,这样我们才能在浏览器上通过acid分析日志,喜欢看文本日志的除外more /var/log/snort/alert
需要的软件包:
①httpd-2.0.52.tar.gz,http:
//httpd.apache.org/download.cgi
②mysql-standard-4.1.9-pc-linux-gnu-i686.tar.gz,
③php-4.3.10.tar.gz,
④snort+acid+adodb+jpgraph+libpcap+pcre这些包我已打包好放我网站里了,地址:
apache+mysql+php这里不介绍了,不清晰的到我那拿PDF的吧。
(这里说明一下,最新的snort-2.3.3.tar.gz的contrib目录里非常多重要文件都没有,所以按照参考教程又下了一个snort-2.0.0.tar.gz)
一、准备工作
# 把所有tar包放到/usr/local/src/下。
# tar zxvf libpcap-0.7.2.tar.gz
# cd libpcap-0.7.2
# ./configure
# make
# make install
# cd ..
# tar zxvf pcre-5.0.tar.gz
# ./configure
# make
# make install
# 我这里没有安装zlib,因为我的系统里有,如果你要安装新的zlib包,请先卸载自带的包。
二、安装snort
我们还是要编译snort-2.3.3.tar.gz,因为非常多规则都是最新的,至于contrib目录里的文件我们用snort-2.0.0.tar.gz这个。
# tar zxvf snort-2.3.3.tar.gz
# tar zxvf snort-2.0.0.tar.gz
# cd snort-2.3.3
# ./configure --with-mysql=/usr/local/mysql
# make
# make install
# cd rules
# mkdir /etc/snort
# mkdir /var/log/snort
# cp * /etc/snort
# cd ../etc
# cp snort.conf /etc/snort
# cp *.config /etc/snort
# cd
# vi /etc/snort/snort.conf
# 把“# var HOME_NET 10.1.1.0/24”改成“var HOME_NET 192.168.0.0/24”你自己LAN内的地址,把前面的#号去掉。
# 把“var RULE_PATH ../rules”改成“var RULE_PATH /etc/snort”
# 把“# output database:
log, mysql, user=root password=test dbname=db host=localhost”改成“output database:
log, mysql, user=root password=123456 dbname=snort host=localhost”密码改成你自己的,把前面的#号去掉。
# 把“
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules”前面的#号删除。
# 修改完毕后,保存退出。
三、建立snort数据库
# /usr/local/mysql/bin/mysql -uroot -p123456
# create database snort;
# grant INSERT,SELECT on root.* to snort@localhost;
# exit
# 这时我们进入snort2.0的contrib的目录
# cd /usr/local/src/snort-2.0.0/contrib/
# /usr/local/mysql/bin/mysql -uroot -p123456 < create_mysql snort
# zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p123456 snort
# 这里我加-uroot会报错,等半根烟的功夫。
# 进入mysql数据库,看看snort数据库中的表:
# /usr/local/mysql/bin/mysql -uroot -p123456
mysql>show databases;
+------------+
| Database
+------------+
| mysql
| snort
| test
+------------+
3 rows in set (0.00 sec)
mysql>use snort;
mysql>show tables; 将会有这些:
+------------------+
| Tables_in_snort |
+------------------+
| data
| detail
| encoding
| event
| flags
| icmphdr
| iphdr
| opt
| protocols
| reference
| reference_system
| schema
| sensor
| services
| sig_class
| sig_reference
| signature
| tcphdr
| udphdr
+------------------+
19 rows in set (0.00 sec)
mysql>exit
四、安装设置Acid
# 把acid-0.9.6b23.tar.gz、adodb330.tgz、jpgraph-1.11.tar.gz放到网页根目录,我这里是默认的。
# cp a*.* /usr/local/apache/htdocs
# cp jpgraph-1.11.tar.gz /usr/local/apache/htdocs
# tar zxvf adodb330.tgz
# tar zxvf jpgraph-1.11.tar.gz
# mv jpgraph-1.11 jpgraph
# tar zxvf acid-0.9.6b23.tar.gz
# cd acid
# vi acid_conf.php
# 把“$DBlib_path = "";” 改成“$DBlib_path = "/usr/local/apache/htdocs/adodb"”
# $alert_dbname = "snort_log"; //改成snort
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "mypassword"; //改成你的数据库密码
/* Archive DB connection parameters */
$archive_dbname = "snort_archive"; //改成snort
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "mypassword";” //改成你的数据库密码
# 把“$ChartLib_path = "";” 改成“$ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";”
# 修改完毕后,保存退出。
五、写一个snort规则
# cd /usr/local/
# vi snort.sh
#!
/bin/sh
snort -d -h 192.168.0.0/24 -l /var/log/snort -c /etc/snort/snort.conf -i eth0 -A full
# 保存退出。
# chmod 755 snort.sh
六,启动服务
# /usr/local/apache/bin/apachectl start
# cd /usr/local/mysql/
# vi mysql_start.sh
#!
/bin/sh
/usr/local/mysql/bin/mysqld_safe --user=mysql &
# 保存退出。
# chmod 755 mysql_start.sh
# cp mysql_start.sh /usr/sbin/
# ./mysql_start.sh
# /usr/local/snort.sh
# service named start
七、进入web界面:
# http:
//yourhost/acid/acid_main.php,点"Setup Page"链接 ->Create Acid AG
# 访问http:
//yourhost/acid将会看到ACID界面。
八、测试IDS
# 利用nmap,nessus,CIS或X-scan对系统进行扫描,产生告警纪录。
# http:
//yourhost/acid 察看纪录。
# 至此,一个功能强大的IDS设置完毕。
各位能利用web界面远程登陆,监视主机所处局域网,同时安装 phpMyAdmin或webmin对mysql数据库进行操控。
参考:
《构建小型的入侵检测系统》及搜索引擎的帖子和《Snort(入侵检测系统)中文手册》
增加目录验证功能
在httpd.conf尾部加:
Options Indexes FollowSymLinks
allowoverride authconfig
order allow,deny
allow from all
# touch /usr/bin/apache/users_passwd.txt
# cd /usr/bin/apache/
# bin/htpasswd -bc users_passwd.txt squall 123456
# bin/htpasswd -b users_passwd.txt sqlunix 123456
在acid目录里vi .htaccess
AuthName "please input your username and password:
"
AuthType basic
AuthUserFile /usr/local/apache/users_passwd.txtrequire
valid-user
SnortCenter是个基于Web的snort探针和规则管理系统,用于远程修改snort探针的设置,起动、停止探针,编辑、分发snort特征码规则。
下载地址:
http:
//users.pandora.be/larc/download/
# cp snortcenter-v1.0-RC1.tar.gz /usr/local/apache/htdocs
# tar zxvf snortcenter-v1.0-RC1.tar.gz
# mv www sc
# vi sc/
# 改以下内容:
$DBlib_path = "/usr/local/apache/htdocs/adodb/";
$curl_path = "/usr/bin";
$DBtype = "mysql";
$DB_dbname = "snortcenter"; # $DB_dbname :
MySQL database name of
SnortCenter DB
$DB_host = "localhost"; # $DB_host :
host on which the DB is
stored
$DB_user = "root"; # $DB_user :
login to the database w
ith this user
$DB_password = "123456"; # $DB_password :
password of the
DB user
$DB_port = ""; # $DB_port :
port on which to access
the DB (blank is default)
(数据库密码改成你自己的)
# 修改好后,保存退出。
# 然后创建snortcenter的数据库
# mysql -uroot -p123456
# create database snortcenter;
# quit;
# 在浏览器上键入http:
//192.168.0.11/sc,他会自动创建数据表,然后再次登入会让你输入用户名和密码,初始是admin,change.
# 然后我们安装snortcenter-agent-v1.0-RC1.tar.gz
# cp snortcenter-agent-v1.0-RC1.tar.gz /opt
# cd /opt
# tar zxvf snortcenter-agent-v1.0-RC1.tar.gz
# cd sensor
# ./setup.sh,回答几个问题即完成安装,默认端口2525。
# cp /etc/snort.conf /etc/snort.eth0.conf
# 具体如图:
# 如要卸载到/etc/snort/目录下,有一个uninstall文件,./uninstall即可卸载。
就是
六,启动服务
#/usr/local/apache/bin/apachectlstart
#cd/usr/local/mysql/
#vimysql_start.sh
#!
/bin/sh
/usr/local/mysql/bin/mysqld_safe--user=mysql&
#保存退出。
#chmod755mysql_start.sh
#cpmysql_start.sh/usr/sbin/
#./mysql_start.sh
#/usr/local/snort.sh
#servicenamedstart
当我执行到./mysql_start.sh的时候
系统告诉我,有一个进程已存在
Amysqldprocessalreadyexists
servicenamedstart也执行不了
当我打开web界面的时候反映
Error(p)connectingtoDB:
snort_log@localhost
ChecktheDBconnectionvariablesinacid_conf.php
=$alert_dbname:
MySQLdatabasenamewherethealertsarestored
=$alert_host:
hostwherethedatabaseisstored
=$alert_port:
portwherethedatabaseisstored
=$alert_user:
usernameintothedatabase
=$alert_password:
passwordfortheusername
DatabaseERROR:
Unknowndatabase’snort_log’
squall1回复于:
2005-05-0923:
41:
57
“当我执行到./mysql_start.sh的时候,系统告诉我,有一个进程已存在,Amysqldprocessalreadyexists”
[color=green:
f7336b7ab9]
啊,是的,得先重起一下数据库,可用命令/usr/local/mysql/bin/mysqladmin-uroot-p123456shutdown
#cd/usr/local/mysql
#vimysql_stop.sh
[code:
1:
f7336b7ab9]
#!
/bin/sh
/usr/local/mysql/bin/mysqladmin-uroot-p123456shutdown
[/code:
1:
f7336b7ab9]
#chmod755mysql_stop.sh
#cpmysql_stop.sh/usr/sbin/
[/color:
f7336b7ab9]
“servicenamedstart也执行不了”
[color=green:
f7336b7ab9]
我使用的是LINUX系统。
[/color:
f7336b7ab9]
“当我打开web界面的时候反映
Error(p)connectingtoDB:
snort_log@localhost
ChecktheDBconnectionvariablesinacid_conf.php
=$alert_dbname:
MySQLdatabasenamewherethealertsarestored
=$alert_host:
hostwherethedatabaseisstored
=$alert_port:
portwherethedatabaseisstored
=$alert_user:
usernameintothedatabase
=$alert_password:
passwordfortheusername
DatabaseERROR:
Unknowndatabase’snort_log’”
[color=green:
f7336b7ab9]
你看这条信息,DatabaseERROR:
Unknowndatabase’snort_log’,你的当前数据库里没有snort_log,你要更改acid_conf.php。
[code:
1:
f7336b7ab9]
#$alert_dbname="snort_log";//改成snort
$alert_host="localhost";
$alert_port="";
$alert_user="root";
$alert_password="mypassword";//改成你的数据库密码
/*ArchiveDBconnectionparameters*/
$archive_dbname="snort_archive";//改成snort
$archive_host="localhost";
$archive_port="";
$archive_user="root";
$archive_password="mypassword";”//改成你的数据库密码
[/code:
1:
f7336b7ab9]
[/color:
f7336b7ab9]
我上午的acid已成功了
我接着往下设置的时候
2.增加snort页面启动管理功能
SnortCenter是个基于Web的snort探针和规则管理系统,用于远程修改snort探针的设置,起动、停止探针,编辑、分发snort特征码规则。
下载地址:
http:
//users.pandora.be/larc/download/
#cpsnortcenter-v1.0-RC1.tar.gz/usr/local/apache/htdocs
#tarzxvfsnortcenter-v1.0-RC1.tar.gz
#mvwwwsc
#visc/config.php
#改以下内容:
$DBlib_path="/usr/local/apache/htdocs/adodb/";
$curl_path="/usr/bin";
$DBtype="mysql";
$DB_dbname="snortcenter";#$DB_dbname:
MySQLdatabasenameof
SnortCenterDB
$DB_host="localhost";#$DB_host:
hostonwhichtheDBis
stored
$DB_user="