Snort 2.3.3 installation notes

Source: Internet. Editor: 程序博客网. Time: 2024/05/17 07:30
1. Preparation
Apache, MySQL and PHP are already installed on my system. When compiling PHP, remember to add --with-gd; if you did not, recompile it.
Install libpng first
# wget http://jaist.dl.sourceforge.net/ ... ibpng-1.2.8.tar.bz2
# tar jxvf libpng-1.2.8.tar.bz2
# cd libpng-1.2.8
# cp scripts/makefile.std makefile
# make
# make test
# make install

# wget http://cn2.php.net/get/php-4.3.11.tar.bz2/from/cn.php.net/mirror
# tar -jxvf php-4.3.11.tar.bz2
# cd php-4.3.11
# ./configure \
    --prefix=/usr/local/php \
    --with-mysql=/usr/local/mysql \
    --with-apxs2=/usr/local/apache/bin/apxs \
    --with-zlib-dir=/usr/local --with-gd
# make
# make install


2. Installation
My Red Hat 9.0 did not have libpcap or pcre, so compiling snort fails; install libpcap and pcre first.
# wget http://www.tcpdump.org/release/libpcap-0.8.3.tar.gz
# tar zxvf libpcap-0.8.3.tar.gz
# cd libpcap-0.8.3
# ./configure
# make
# make install

# wget http://switch.dl.sourceforge.net ... re/pcre-5.0.tar.bz2
# tar jxvf pcre-5.0.tar.bz2
# cd pcre-5.0
# ./configure
# make
# make check
# make install

Install snort
ACID is too resource-hungry, so I recommend installing only snort, guardian and SnortSnarf; in that case leave out mysql and acid when installing.
# wget http://www.snort.org/dl/current/snort-2.3.3.tar.gz
# tar zxvf snort-2.3.3.tar.gz
# cd snort-2.3.3
# ./configure --with-mysql=/usr/local/mysql
# make
# make install

Note: if you do not plan to install ACID, drop --with-mysql=/usr/local/mysql from the configure line.

# mkdir -p /etc/snort/rules
# cp etc/*.conf /etc/snort
# cp etc/*.config /etc/snort
# cp etc/unicode.map /etc/snort
# cp -R rules/* /etc/snort/rules

Create the snort database
# mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
mysql> create database snort;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost identified by '12345';
mysql> exit
Two lines from the original notes are dropped here: "grant INSERT,SELECT on root.* to snort@localhost" (there is no database called root; the identified by clause above creates the snort account and sets its password in one step instead of a separate SET PASSWORD) and the same grant "to snort" with no host part, which would let the account log in from any host and is only needed when remote sensors write to this database. 'password' and '12345' are the example passwords used throughout these notes; use real ones, bearing in mind that the snort one ends up in clear text in snort.conf.


Create the tables
The newer snort tarballs no longer ship snortdb-extra.gz, so I had to take the one from the older snort 2.2.0; for convenience I put it on my free web space.
# wget http://anstan.go.nease.net/snort/snortdb-extra.gz
# mysql -u root -p snort < schemas/create_mysql
Enter password: (the mysql root password)
# zcat snortdb-extra.gz | mysql -p snort
Enter password: (the mysql root password)
Both commands are run from the snort-2.3.3 source directory, which is where schemas/create_mysql lives.

Go into MySQL and look at the tables in the snort database:
# mysql -p
Enter password:
mysql> SHOW DATABASES;
(you should see the following)
+----------+
| Database |
+----------+
| mysql    |
| snort    |
| test     |
+----------+
3 rows in set (0.00 sec)
mysql> use snort
mysql> SHOW TABLES;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)
(The listing pasted into the original notes showed the database as "Snort"; it was created above as "snort", and database names are case-sensitive on Linux, so use the lower-case name.)

Edit /etc/snort/snort.conf
# vi /etc/snort/snort.conf
var HOME_NET 192.168.1.0/24
var RULE_PATH /etc/snort/rules
# If you do not plan to use ACID, leave the following line commented out.
# When it is active it holds the snort database password in clear text, so chmod 600 /etc/snort/snort.conf.
output database: log, mysql, user=snort password=12345 dbname=snort host=localhost
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules

Create the /var/log/snort directory
# mkdir /var/log/snort

Test that it runs
# /usr/local/bin/snort -v
-v only shows that packet capture works. To check the configuration file itself, run /usr/local/bin/snort -T -c /etc/snort/snort.conf, which parses the config and every included rules file and exits.
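Before starting the daemon it is worth checking the edited file mechanically as well. The script below is an added example written for these notes, not part of Snort or of the original article; it assumes the snort.conf layout used above (var HOME_NET, var RULE_PATH, include $RULE_PATH/..., output database:) and builds a constructed scratch copy of that layout under a temporary directory to demonstrate the checks:

```shell
#!/bin/sh
# Added example (not part of the original notes): post-edit sanity checks
# for /etc/snort/snort.conf, assuming the layout used in this article
# (var HOME_NET, var RULE_PATH, include $RULE_PATH/..., output database:).

# check_snort_conf CONF
# Prints one line per problem found; returns 0 only when nothing is wrong.
check_snort_conf() {
    conf=$1
    problems=0

    # HOME_NET drives every rule that uses $HOME_NET; "any" means "every
    # host is mine", which throws away the inbound/outbound distinction.
    home_net=$(sed -n 's/^var HOME_NET[[:space:]]*//p' "$conf" | head -n 1)
    case "$home_net" in
        ""|any) echo "HOME_NET is '$home_net': set it to the subnet(s) this sensor protects"
                problems=$((problems + 1)) ;;
    esac

    # RULE_PATH must exist and every included rules file must be present,
    # otherwise snort refuses to start.
    rule_path=$(sed -n 's/^var RULE_PATH[[:space:]]*//p' "$conf" | head -n 1)
    if [ ! -d "$rule_path" ]; then
        echo "RULE_PATH '$rule_path' is not a directory"
        problems=$((problems + 1))
    else
        for f in $(sed -n 's/^include[[:space:]]*\$RULE_PATH\///p' "$conf"); do
            if [ ! -f "$rule_path/$f" ]; then
                echo "missing rules file: $rule_path/$f"
                problems=$((problems + 1))
            fi
        done
    fi

    # An active "output database:" line carries the MySQL password in clear
    # text, so the file must not be group- or world-readable.
    if grep -q '^output database:' "$conf"; then
        mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
        case "$mode" in
            600|400) ;;
            *) echo "snort.conf is mode $mode but contains the database password: chmod 600 it"
               problems=$((problems + 1)) ;;
        esac
    fi

    [ "$problems" -eq 0 ]
}

# Constructed scratch copy of the layout from the notes, used to demonstrate.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/rules"
: > "$DEMO/rules/web-attacks.rules"
: > "$DEMO/rules/backdoor.rules"
cat > "$DEMO/snort.conf" <<EOF
var HOME_NET any
var RULE_PATH $DEMO/rules
output database: log, mysql, user=snort password=12345 dbname=snort host=localhost
include \$RULE_PATH/web-attacks.rules
include \$RULE_PATH/backdoor.rules
include \$RULE_PATH/shellcode.rules
EOF
chmod 644 "$DEMO/snort.conf"

echo "== as written =="
# Expected findings: HOME_NET any, missing shellcode.rules, mode 644.
check_snort_conf "$DEMO/snort.conf" || echo "(fix the findings above, then re-run)"

# Fix the three findings and re-check.
sed -i.bak 's#^var HOME_NET any#var HOME_NET 192.168.1.0/24#' "$DEMO/snort.conf"
: > "$DEMO/rules/shellcode.rules"
chmod 600 "$DEMO/snort.conf"
echo "== after fixes =="
check_snort_conf "$DEMO/snort.conf" && echo "snort.conf looks sane"
```

snort -T still does the definitive parse; this script is for the two things a successful parse does not tell you, a HOME_NET of any and a readable file holding the database password, and it reports missing rules files without having to start snort at all.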

Start
# /usr/local/bin/snort -c /etc/snort/snort.conf -D
Notes: -D runs snort as a daemon (in the background).
-c tells snort to run with the settings in snort.conf.
Snort starts as root so that it can open the interface; add -u snort -g snort (after creating that user and group and giving it write access to /var/log/snort) so that it drops root privileges once initialisation is done.

Start at boot
# wget -P /etc/rc.d/init.d http://anstan.go.nease.net/snort/snort
# chmod 755 /etc/rc.d/init.d/snort
# chkconfig --level 2345 snort on
(-P names the directory wget saves into; the original notes had -P /etc/rc.d/rc.local here, which is a file, not the init.d directory the chmod and chkconfig lines expect. chkconfig only accepts a script that carries the "# chkconfig:" and "# description:" header comments.)


3. Plugins

3.1. guardian
# wget http://www.snort.org/dl/contrib/ ... guardian-1.6.tar.gz
# tar zxvf guardian-1.6.tar.gz
# cd guardian-1.6
# echo > /etc/snort/guardian.ignore
# cp guardian.pl /usr/local/bin/
# cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
# cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
# cp guardian.conf /etc/snort

# touch /var/log/snort/guardian.log
# chmod 644 /var/log/snort/guardian.log
# vi /etc/snort/guardian.conf
# guardian's own log file
LogFile /var/log/snort/guardian.log
# where guardian reads snort's alerts from
AlertFile /var/log/snort/alert
# addresses that must never be blocked go in this file, one per line:
# at least the sensor itself, its gateway and its DNS servers, because
# guardian blocks whatever source address shows up in an alert
IgnoreFile /etc/snort/guardian.ignore
# maximum time an IP stays blocked, in seconds; 99999999 means no limit
TimeLimit 86400

Edit /usr/local/bin/guardian_unblock.sh; this file is wrong (the iptables_unblock.sh shipped in guardian-1.6.tar.gz contains the error). Change

/sbin/ipchains -D INPUT -s $source -i $interface -j DROP
to
/sbin/iptables -D INPUT -s $source -i $interface -j DROP

Start
# /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
To start it at boot, add the command above to /etc/rc.d/rc.local; on my RH9 that did not work, though, and I do not know why.
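To see what guardian will do before it touches the firewall, the following shell script is an added example written for these notes; it is not guardian's own code but a simplified model of it. It parses the alert file in Snort's full alert format, applies the ignore file, and prints the iptables commands that guardian_block.sh would run, assuming the -I INPUT ... -j DROP form that mirrors the unblock rule fixed above. The alert lines, the ignore list and the interface name eth0 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not guardian's code: a stripped-down model of what guardian
# does with /var/log/snort/alert, so you can see which addresses it would
# hand to guardian_block.sh before letting it touch iptables.
# Assumptions: Snort's "full" alert format (the packet header line reads
# "MM/DD-HH:MM:SS.usec SRC[:port] -> DST[:port]"), an ignore file with one
# address per line, and a block rule of the "-I INPUT ... -j DROP" form that
# matches the unblock rule shown in the notes.

# block_candidates ALERT_FILE IGNORE_FILE
# Prints each alerting source address once, in first-seen order, skipping
# addresses listed in the ignore file (blank lines there are ignored).
block_candidates() {
    awk -v ignore="$2" '
        BEGIN {
            while ((getline line < ignore) > 0)
                if (line != "") skip[line] = 1
        }
        # packet header line: $1 timestamp, $2 source, $3 "->", $4 destination
        $3 == "->" && $1 ~ /^[0-9][0-9]\/[0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ {
            src = $2
            sub(/:[0-9]+$/, "", src)          # drop the TCP/UDP port, if any
            if (!(src in skip) && !seen[src]++) print src
        }' "$1"
}

# block_commands ALERT_FILE IGNORE_FILE INTERFACE
# Prints the iptables command guardian_block.sh would run for each candidate.
block_commands() {
    block_candidates "$1" "$2" | while read -r ip; do
        echo "/sbin/iptables -I INPUT -s $ip -i $3 -j DROP"
    done
}

# Constructed sample alert file in Snort's full format: three alerts, two from
# the same host and one whose source is the gateway, which must never be blocked.
DEMO=$(mktemp -d)
cat > "$DEMO/alert" <<'EOF'
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/17-07:30:01.123456 10.0.0.7 -> 192.168.1.100
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:8  Code:0  ID:12345   Seq:0  ECHO

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/17-07:30:05.654321 10.0.0.7:4321 -> 192.168.1.100:80
TCP TTL:110 TOS:0x0 ID:2345 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0x4000  TcpLen: 20

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/17-07:30:09.000000 192.168.1.1 -> 192.168.1.100
ICMP TTL:255 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:8  Code:0  ID:999   Seq:0  ECHO
EOF
# The gateway, plus the blank line that "echo > guardian.ignore" leaves behind.
printf '192.168.1.1\n\n' > "$DEMO/guardian.ignore"

echo "== would block =="
block_commands "$DEMO/alert" "$DEMO/guardian.ignore" eth0
```

The third alert in the sample comes from 192.168.1.1, the gateway. Single-packet alerts such as ICMP pings can be triggered with a spoofed source address, so any address missing from guardian.ignore can be blocked by whoever can send you one packet; keep the sensor itself, the gateway, the DNS servers and any management hosts in that file.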

3.2. snortsam (planned)
# wget http://www.snortsam.net/files/sn ... sam-src-2.31.tar.gz

3.3.SnortSnarf
# wget http://www.snort.org/dl/contrib/ ... arf-050314.1.tar.gz
# tar zxvf SnortSnarf-050314.1.tar.gz
# cd SnortSnarf-050314.1
# mkdir /var/www/snort/snortsnarf
# cp cgi/* /var/www/snort/snortsnarf
# cp -R include /var/www/snort/snortsnarf
# cp snortsnarf.pl /var/www/snort/snortsnarf

If the Time::ParseDate module is missing, install it first
# wget http://search.cpan.org/CPAN/auth ... es-2003.1126.tar.gz
# tar zxvf Time-modules-2003.1126.tar.gz
# cd Time-modules-2003.1126
# perl Makefile.PL
# make
# make test
# make install

Or install it through CPAN
# perl -MCPAN -e shell
cpan> install Time::ParseDate

Analyse the snort logs
# cd /var/www/snort/snortsnarf
# perl snortsnarf.pl /var/log/snort/alert -d /var/www/snort/snortsnarf
Using an array as a reference is deprecated at include/SnortSnarf/HTMLMemStorage.pm line 290.
Using an array as a reference is deprecated at include/SnortSnarf/HTMLAnomMemStorage.pm line 266.
These are Perl deprecation warnings; they do not affect the run, just look untidy, and the author says a future version will fix them. You can silence them by removing -w from the first line of snortsnarf.pl, but that turns off every other Perl warning as well, so it is cosmetic at best.
Note: you must first cd into the directory the script lives in (cd /var/www/snort/snortsnarf), because it looks for its modules in the include/ directory relative to the current directory.

Test
http://192.168.1.100/snort/snortsnarf
The generated pages list your alerts and internal addresses, so restrict this directory in Apache (authentication or an IP allow list) rather than leaving it open to the network.

If you installed ACID, SnortSnarf can also read the alerts from its database (the argument is user:password@database@host)
# cd /var/www/snort/snortsnarf
# perl snortsnarf.pl snort:12345@snort@localhost -d /var/www/snort/snortsnarf
could not load module "SnortDBInput", looked for it in file called "SnortDBInput.pm"; could be an error in that file; try 'perl -c' on that file
Can't locate object method "new" via package "SnortDBInput" at snortsnarf.pl line 188.
A few modules have to be installed first
(# export LANG=C)
# perl -MCPAN -e shell
cpan> install DBI
cpan> install DBD::mysql
Under Red Hat 9 installing DBD::mysql through CPAN did not work for me (make test fails), so I had to download the source;