Snort is a lightweight network intrusion detection system. It performs real-time traffic analysis and logging of IP packets on the network, does protocol analysis and content searching/matching, and can be used to detect a wide variety of attacks and probes.
Prerequisite: Apache must support PHP, so that the logs can be analysed in a browser through ACID.
Required packages:
1.acid-0.9.6b23.tar.gz
2.adodb465.tgz
3.Apache2.tar.gz
4.jpgraph-1.19.tar.gz
5.pcre-6.1.tar.tar
6.php44.tar.gz
7.snort-2.3.3.tar.gz
Note: the installation also needs the zlib and libpcap packages; RHEL4 already ships them, so they are not installed here.
Explanation: ACID needs the gd library, so Apache+PHP are compiled from source; MySQL is the one bundled with RHEL4.
Preparation: install the development tools and compilers (the libpng package in particular is needed when compiling PHP), and put all the packages into /home/snort.
I. Installing Apache+PHP
Apache 2.0.54 + PHP 4.4.0 are installed here.
First check whether apache or php are already installed on the system; if so, uninstall them first.
Installation:
1.apache:
# cd /home/snort
# tar zxvf Apache2.tar.gz
# cd httpd-2.0.54
# ./configure --prefix=/usr/local/apache --enable-so
# make
# make install
Edit the file /usr/local/apache/conf/httpd.conf
Change DocumentRoot "/usr/local/apache/htdocs" to DocumentRoot "wherever you want to keep your pages" (I use /home/www).
Save the file and exit.
Start the apache service:
# /usr/local/apache/bin/apachectl start
Put any simple web page into the document root and test it.
2.php:
# cd /home/snort
# tar zxvf php44.tar.gz
# cd php-4.4.0
# ./configure --prefix=/usr/local/php --with-apxs2=/usr/local/apache/bin/apxs --with-mysql --with-zlib --with-jpeg --with-gd --with-png --enable-track-vars --enable-sockets --disable-debug
# make
# make install
# cp php.ini-dist /usr/local/lib/php.ini
Edit the file /usr/local/lib/php.ini
Change register_globals = Off to register_globals = On (with this setting, request parameters become PHP variables, so keep this host dedicated to ACID).
Save and exit.
Edit the file /usr/local/apache/conf/httpd.conf
After DirectoryIndex index.html index.html.var add index.php
After the line AddType application/x-gzip .gz .tgz
add these two lines:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
Check that the line LoadModule php4_module modules/libphp4.so is present;
if it is not, add it yourself.
Create an index.php file in the document root
with the following content:
<?php
phpinfo();
?>
Restart apache:
# /usr/local/apache/bin/apachectl restart
Open http://localhost/ in a browser
and check that the PHP information page appears; pay particular attention to gd and mysql support.
If both are listed, apache+php+mysql is working.
II. Installing snort
1.pcre:
# cd /home/snort
# tar zxvf pcre-6.1.tar.tar
# cd pcre-6.1
# ./configure
# make
# make install
2.snort:
# cd /home/snort
# tar zxvf snort-2.3.3.tar.gz
# cd snort-2.3.3
# ./configure --with-mysql
# make
# make install
# cd rules
# mkdir /etc/snort //create the snort directory
# mkdir /etc/snort/rules //create the snort rules directory
# mkdir /var/log/snort //create the snort log directory
# cp * /etc/snort/rules //copy the rules
# cd ../etc
# cp * /etc/snort //copy the configuration files
Edit the file /etc/snort/snort.conf
Change var HOME_NET 10.2.2.0/24 //to the network segment you are monitoring
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
Remove the leading # from the following line and change it to:
output database: log, mysql, user=root password=<your mysql password> dbname=snort host=localhost
Remove the leading # from each of these lines (virus.rules is already enabled):
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
Save and exit.
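As an added example (not part of the original guide), the following Python script checks the snort.conf edits above: it parses the var definitions, resolves $RULE_PATH in every include that is not commented out, and flags the usual mistakes (HOME_NET left at any, a relative RULE_PATH, no active MySQL output line, missing rule files, and logging to the database as root instead of the restricted snort account). The SAMPLE_CONF fragment is constructed sample data; the exists parameter defaults to os.path.isfile so check_conf can be pointed at a real file.

```python
import os
import re
from typing import Callable, Dict, List

# Constructed fragment of an edited snort.conf (sample data, not the real file).
SAMPLE_CONF = """\
var HOME_NET 10.2.2.0/24
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=root password=test dbname=snort host=localhost
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
# include $RULE_PATH/chat.rules
include $RULE_PATH/virus.rules
"""

def parse_vars(conf: str) -> Dict[str, str]:
    """Collect 'var NAME VALUE' definitions; lines starting with # never match."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^[ \t]*var[ \t]+(\S+)[ \t]+(\S+)", conf, re.M)}

def expand(value: str, vars_: Dict[str, str]) -> str:
    """Substitute $NAME references with their var values (unknown names are kept)."""
    return re.sub(r"\$(\w+)", lambda m: vars_.get(m.group(1), m.group(0)), value)

def active_includes(conf: str, vars_: Dict[str, str]) -> List[str]:
    """Resolve every include that is not commented out to a rule file path."""
    return [expand(m.group(1), vars_)
            for m in re.finditer(r"^[ \t]*include[ \t]+(\S+)", conf, re.M)]

def check_conf(conf: str, exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Return the problems found in an edited snort.conf; an empty list is a pass."""
    problems = []
    vars_ = parse_vars(conf)
    if vars_.get("HOME_NET", "any") == "any":
        problems.append("HOME_NET is still 'any'; set it to the monitored network")
    rule_path = vars_.get("RULE_PATH", "../rules")
    if not rule_path.startswith("/"):
        problems.append(f"RULE_PATH {rule_path!r} is relative; use /etc/snort/rules")
    out = re.search(r"^[ \t]*output[ \t]+database:.*\bmysql\b.*\bdbname=snort\b", conf, re.M)
    if out is None:
        problems.append("no active 'output database: log, mysql, ... dbname=snort' line")
    elif re.search(r"\buser=root\b", out.group(0)):
        problems.append("output database logs in as root; use the snort account granted INSERT,SELECT")
    for path in active_includes(conf, vars_):
        if not exists(path):
            problems.append(f"rule file {path} does not exist")
    return problems
```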
3.Create the snort database
# mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('test'); //I use test here; if root already has a password, skip this step.
mysql> create database snort;
mysql> grant INSERT,SELECT on snort.* to snort@localhost;
mysql> exit
# mysql -u root -p snort < /home/snort/snort-2.3.3/schemas/create_mysql //create the snort tables
4.Check the database and its tables:
# mysql -p
Enter password: //enter the root password
mysql> show databases;
+----------+
| Database |
+----------+
| mysql |
| snort |
| test |
+----------+
3 rows in set (0.03 sec)
mysql> use snort
Database changed
mysql> show tables;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
16 rows in set (0.03 sec)
exit;
If you see the tables above, the database is set up.
III. Installing and configuring ACID
Put acid-0.9.6b23.tar.gz, adodb465.tgz and jpgraph-1.19.tar.gz into the web root, which is /home/www here.
# cd /home/www
# tar zxvf jpgraph-1.19.tar.gz
# tar zxvf adodb465.tgz
# mv jpgraph-1.19 jpgraph
# tar zxvf acid-0.9.6b23.tar.gz
Edit /home/www/acid/acid_conf.php
Change $DBlib_path = ""; to $DBlib_path = "/home/www/adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "test"; //change to your database password
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "test"; //change to your database password
Change $ChartLib_path = ""; to $ChartLib_path = "/home/www/jpgraph/src";
Save and exit.
IV. Testing the configuration
Restart apache:
# /usr/local/apache/bin/apachectl restart
Run snort so that it writes its data into mysql:
# snort -c /etc/snort/snort.conf
In a browser open
http://<your host address>/acid/acid_main.php, click the "Setup Page" link -> Create Acid AG
Then open
http://<your host address>/acid/
The ACID interface appears.
Scan the host with a scanning tool and alert records will be generated.
Open ACID to view the records.
The apache+php+mysql+snort+acid setup is complete.