Following the post at http://www./bbs/showthread.php?t=180397, I first installed the libpcap-0.9.3 library as described in the book; this is also what the INSTALL document in the snort tree requires.

Step 1: Installing Snort

1. Install snort. configure was run with three options: prefix, sysconfdir and --with-mysql.

2. Add the user and group:

   groupadd -g 52 snort
   useradd -d /dev/null -c "Snort IDS" -g snort -s /bin/false -u 52 snort

3. Create the directories and copy the files:

   mkdir /etc/snort                 # create the snort directory under /etc
   mkdir /etc/snort/rules           # create the snort rules directory under /etc
   mkdir /var/log/snort             # create the snort log directory
   cp etc/* /etc/snort              # copy the configuration files to /etc; leave out the Makefile-related ones
   (cp rules/* /etc/snort/rules)    # copy the rules to /etc; there is no rules directory though, annoying...

4. Edit snort.conf:

   Change "var HOME_NET 10.2.2.0/24" to the network segment you work on.
   Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules".
   Remove the leading # from the following line and change it to this form:

   output database: log, mysql, user=snort password=snort dbname=snort host=localhost

   This writes the snort log into the MySQL database "snort" as the user snort.

5. Create the database and the database user snort:

   mysql> create database snort;
   >Query OK, 1 row affected (0.01 sec)
   mysql> grant INSERT,SELECT on root.* to snort@localhost;
   >Query OK, 0 rows affected (0.02 sec)
   mysql> SET PASSWORD FOR snort@localhost=PASSWORD('snort');
   >Query OK, 0 rows affected (0.25 sec)
   mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
   >Query OK, 0 rows affected (0.02 sec)
   mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
   >Query OK, 0 rows affected (0.02 sec)

   Import the database schema:

   mysql -u root -p < ./schemas/create_mysql snort

   After it succeeds, look at the database to confirm; OK. The snort installation is complete.

Then I tried it out following a snort user manual on linuxsir, http://www./bbs/showthread.php?t=134093&highlight=snort. It can capture packets, but it probably cannot act as a NIDS yet, since I have no rule set, no rules.

Step 2: BASE

1. Download JPGraph, BASE and ADODB. I spent a whole afternoon on my own machine and could not download them, really annoying; in the end I fetched them on a friend's machine, all the latest versions.
   Unpack all of them into my Apache server directory, as adodb, base and jpgraph respectively.

   cd /srv/www/htdocs/; chmod 777 base             # make the base directory writable
   cd base; cp base_conf.php.dist base_conf.php     # copy the php configuration file

   Browse to http://localhost/base/, which reports:

   Error loading the DB Abstraction library: from "/adodb.inc.php"
   Check the DB abstraction library variable $DBlib_path in base_conf.php

   Set $DBlib_path = '/srv/www/htdocs/adodb' in base_conf.php under the base directory; done.
   Try again: a database connection error appears. Edit $alert_dbname and $alert_password in base_conf.php, try again, and the BASE screen comes up with this message:

   The underlying database snort@localhost appears to be incomplete/invalid. The database version is valid, but the BASE DB structure (table: acid_ag) is not present. Use the Setup page to configure and optimize the DB

   The database was not set up yet. Click Setup, then click Create BASE AG, and the tables BASE needs are created successfully. Back to the BASE main page, OK.

Step 3: Starting snort in IDS mode

   snort -c /etc/snort/snort.conf -g snort

   gives the error:

   Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
   ERROR: /etc/snort/snort.conf(182) => Unknown rule type: dynamicpreprocessor
   Fatal Error, Quitting..

   Probably because I have no rule set, since there is not a single file in my rules directory. I downloaded snortrules-pr-2.4.tar.gz, which should be the 2.4 rules and should be fine, unpacked it, put it under my /etc/snort/rules and tried again.
   Same problem. Looking at it, the trouble is still at line 182 of snort.conf.
   Searched. The article at http://cache.baidu.com/c?word=error%3B%3A%2Cetc%2Csnort%2Csnort%3B%2E%3Bconf%2C182%2Cunknown%2Crule%2Ctype%3B%3A%2Cdynamicpreprocessor&url=http%3A//www%2Ec%2Darticle%2Ecom/get/Linux%2Dc924/snort%2Da3389119%5F1%2Ehtml&b=55&a=17&user=baidu says this is a new issue in 2.6: you must add --enable-dynamicplugin when configuring snort, otherwise all you can do is cry. So dizzy...
   Nothing for it but to reinstall. Found this article, http://www./bbs/viewthread.php?tid=188&page=1&sid=h1QMh8xs, and reinstalled with its configure options:

   ./configure --with-mysql --enable-rulestate --enable-flexresp --with-libpcre-includes=/usr/include --with-libpcap-libraries=/usr/lib --with-libpcap-includes=/usr/include --with-libpcre-libraries=/usr/lib --enable-dynamicplugin --enable-inline --enable-ipfw --enable-react --prefix=/usr

   Error, telling me I need libnet support:

   configure: error: "libnet 1.0.x could not be found. please download and install the library from http://www./libnet/"

   Downloaded libnet-1.1.2.1.tgz. This package is not built from source, annoying, so I could only copy the files under include, lib and bin from the unpacked tree into my /usr directory, add the libnet path to the configure options, and try again.
   Still no good. Searched again, http://www./pconline/network/html/2004825/258200412947_1.htm: it turns out libnet is pulled in because of --enable-flexresp. Dropped it, tried again.
   Still no good, dizzy. Deleted everything else and kept only three options, --with-mysql --with-dynamicplugin --prefix=/usr, and tried again; if that fails too I'm going to kill someone...
   And indeed it works :). Meanwhile I changed the BASE language option in base_conf.php, $BASE_Language = 'simplified_chinese', but when I opened the page there was nothing? Set it back to english and the page is there again; what kind of treatment is that.
   make && make install done, tried snort -c /etc/snort/snort.conf -g snort again, and got:

   Rule application order: ->activation->dynamic->pass->drop->alert->log
   Log directory = /var/log/snort
   Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
   ERROR: Failed to load /usr/local/lib/snort_dynamicengine/libsf_engine.so: /usr/local/lib/snort_dynamicengine/libsf_engine.so: cannot open shared object file: No such file or directory
   Fatal Error, Quitting.

   This time I checked /usr/lib, and the needed files are there; it is just the directory that has to be changed. vi /etc/snort/snort.conf, fixed it, tried again, and it starts successfully. It still says:

   Not Using PCAP_FRAMES

   the same as in sniffer mode. Out of ideas, so I posted a request for help on linuxsir.
   Downloaded nmap, installed it on the system and scanned myself; also downloaded X-scan (haven't played with that thing in 4 years) and scanned 0.3 for a while, with snort running of course. Opened /base/, and those events were indeed recorded. Feels pretty good.

06-10-30:

   When viewing the BASE web pages, the graph statistics feature said the Image_Graph library is missing. Downloaded Image_Graph-0.7.2.tgz, unpacked it and placed the folder under htdocs/Image, but it still would not load in the browser. Searched a bit:

   pear install Image_Color
   downloading Image_Color-1.0.2.tgz ...
   Starting to download Image_Color-1.0.2.tgz (7,724 bytes)
   .....done: 7,724 bytes
   install ok: Image_Color 1.0.2
   root:/srv/www/htdocs# pear install Log
   downloading Log-1.9.9.tgz ...
   Starting to download Log-1.9.9.tgz (39,028 bytes)
   ..........done: 39,028 bytes
   Optional dependencies:
   package `DB' version >= 1.3 is recommended to utilize some features.
   package `MDB2' version >= 2.0.0RC1 is recommended to utilize some features.
   install ok: Log 1.9.9
   pear install Image_Canvas
   No release with state equal to: 'stable' found for 'Image_Canvas'
   pear install Image_Graph
   No release with state equal to: 'stable' found for 'Image_Graph'
   root:/srv/www/htdocs# pear install /home/ftp/pub/Image_Graph-0.7.2.tgz
   requires package `Image_Canvas' >= 0.3.0
   Image_Graph: Dependencies failed

   First download Image_Canvas-0.3.0.tgz:

   pear install /home/ftp/pub/Image_Canvas-0.3.0.tgz
   install ok: Image_Canvas 0.3.0
   pear install /home/ftp/pub/Image_Graph-0.7.2.tgz
   Optional dependencies:
   package `Numbers_Roman' is recommended to utilize some features.
   package `Numbers_Words' is recommended to utilize some features.
   install ok: Image_Graph 0.7.2
   pear install Numbers_Roman
   downloading Numbers_Roman-0.2.0.tgz ...
   Starting to download Numbers_Roman-0.2.0.tgz (3,753 bytes)
   ....done: 3,753 bytes
   install ok: Numbers_Roman 0.2.0
   pear install http://pear./get/Numbers_Words-0.13.1.tgz
   downloading Numbers_Words-0.13.1.tgz ...
   Starting to download Numbers_Words-0.13.1.tgz (44,185 bytes)
   ............done: 44,185 bytes
   install ok: Numbers_Words 0.13.1
   pear install /home/ftp/pub/Image_Graph-0.7.2.tgz
   Image_Graph already installed
   root:/srv/www/htdocs# pear list
   Installed packages:
   ===================
   Package              Version State
   Archive_Tar          1.1     stable
   Console_Getopt       1.2     stable
   HTML_Template_IT     1.1     stable
   Image_Canvas         0.3.0   alpha
   Image_Color          1.0.2   stable
   Image_Graph          0.7.2   alpha
   Log                  1.9.9   stable
   Net_UserAgent_Detect 2.0.1   stable
   Numbers_Roman        0.2.0   stable
   Numbers_Words        0.13.1  beta
   PEAR                 1.3.5   stable
   XML_RPC              1.2.2   stable

   Installed.

   About the "Not Using PCAP_FRAMES" message: a Google search turned up the answer. It only reports whether PCAP_FRAMES is enabled when snort runs; enabling it improves performance, and to enable it you only need to set an environment variable:

   export PCAP_FRAMES=max

   Answer taken from http://www./docs/snort_htmanuals/htmanual_2.4/rc1/node27.html
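The snort.conf edits in step 4 and the "cannot open shared object file" failure in step 3 are both cases where a small script, run before starting snort, would have replaced a reinstall-and-retry loop with one clear message. The following is an added example, not code from the post or from the Snort project: the function names, the sample snort.conf fragment (constructed from the lines the post quotes), and the directory and password values passed in are all assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project.
# configure_snort_conf rewrites the snort.conf lines the post edits by hand;
# check_snort_paths verifies that the rule path and the dynamic engine /
# preprocessor locations named in the config really exist, which is the check
# that would have caught the libsf_engine.so error before snort was started.
# Function names and sample values are assumptions.

# write_sample_conf FILE: writes a constructed snort.conf fragment modelled on
# the lines quoted in the post (not a real snort.conf).
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
include $RULE_PATH/local.rules
EOF
}

# configure_snort_conf CONF HOME_NET RULE_PATH ENGINE_DIR DB_PASSWORD
# Sets HOME_NET and RULE_PATH, uncomments and rewrites the mysql output line,
# and points the dynamic engine and preprocessor lines at ENGINE_DIR
# (e.g. /usr/lib when the libraries landed there instead of /usr/local/lib).
# Values must not contain '|' or '&', which sed would interpret.
configure_snort_conf() {
    conf=$1 home_net=$2 rule_path=$3 engine_dir=$4 db_pass=$5
    sed -e "s|^var HOME_NET .*|var HOME_NET $home_net|" \
        -e "s|^var RULE_PATH .*|var RULE_PATH $rule_path|" \
        -e "s|^# *output database: log, mysql.*|output database: log, mysql, user=snort password=$db_pass dbname=snort host=localhost|" \
        -e "s|^dynamicengine .*|dynamicengine $engine_dir/snort_dynamicengine/libsf_engine.so|" \
        -e "s|^dynamicpreprocessor directory .*|dynamicpreprocessor directory $engine_dir/snort_dynamicpreprocessor/|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_snort_paths CONF: prints each missing path to stderr and returns the
# number of missing paths (0 means snort can at least find its libraries and rules).
# Paths containing whitespace are not supported by the word splitting below.
check_snort_paths() {
    conf=$1 missing=0
    for f in $(sed -n 's/^dynamicengine[[:space:]][[:space:]]*//p' "$conf"); do
        [ -f "$f" ] || { echo "missing dynamic engine: $f" >&2; missing=$((missing + 1)); }
    done
    for d in $(sed -n 's/^dynamicpreprocessor[[:space:]][[:space:]]*directory[[:space:]][[:space:]]*//p' "$conf"); do
        [ -d "$d" ] || { echo "missing preprocessor directory: $d" >&2; missing=$((missing + 1)); }
    done
    for d in $(sed -n 's/^var RULE_PATH[[:space:]][[:space:]]*//p' "$conf"); do
        [ -d "$d" ] || { echo "missing rule path: $d" >&2; missing=$((missing + 1)); }
    done
    return $missing
}

# Demonstration on a throwaway copy, using the values from the post.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/snort.conf"
configure_snort_conf "$demo_dir/snort.conf" 10.2.2.0/24 /etc/snort/rules /usr/lib snort
cat "$demo_dir/snort.conf"
if check_snort_paths "$demo_dir/snort.conf"; then
    echo "pre-flight ok: snort -c $demo_dir/snort.conf -g snort can be tried"
else
    echo "pre-flight failed: fix the paths reported above before starting snort"
fi
rm -rf "$demo_dir"
```

Run it as root against the real /etc/snort/snort.conf only after checking the rewritten copy; on the post's system the engine directory argument would be /usr/lib, since that is where the libraries were actually installed, and the check reports the missing rule directory as well, which is the other cause the post chased for a while.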