snort 入侵檢測
snort 入侵檢測系統
系統環境:rhel6 x86_64 selinux and iptables disabled
1. snort 安裝
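# Build dependencies for DAQ and Snort 2.9.0.5 on RHEL 6.
# The yum package is "bison" ("bsion" in the original is a typo and would
# make the whole yum transaction fail).
yum install -y gcc mysql mysql-server mysql-devel flex bison pcre-devel libpcap-devel
rpm -ivh libdnet-1.12-6.el6.x86_64.rpm libdnet-devel-1.12-6.el6.x86_64.rpm

# DAQ (packet acquisition library) has to be installed before Snort's
# configure step will succeed.
tar zxf daq-0.5.tar.gz
cd daq-0.5
./configure
make
make install
# Return to the directory holding the tarballs; without this the Snort
# tarball would be looked for inside daq-0.5 (later steps reference the
# build tree as /root/snort-2.9.0.5, so the tarballs live one level up).
cd ..

# Snort itself. The configure flags are one command, wrapped across lines
# with backslashes for readability.
tar zxf snort-2.9.0.5.tar.gz
cd snort-2.9.0.5
./configure --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased \
  --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling \
  --enable-zlib --enable-active-response --enable-normalizer --enable-reload \
  --enable-react --enable-flexresp3
make
make install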
2. snort 配置
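# Configuration and log directories (-p makes the step safe to re-run).
mkdir -p /etc/snort /var/log/snort

# Unpack the rules snapshot into /etc/snort. tar's target-directory option
# is the upper-case -C (lower-case -c would mean "create an archive"). The
# tarball is read from the current directory, so extract before changing
# into /etc/snort.
tar zxf snortrules-snapshot-2905.tar.gz -C /etc/snort
cd /etc/snort
# The snapshot's etc/ holds snort.conf and friends; put them in /etc/snort.
cp etc/* /etc/snort

# Dedicated unprivileged account for the sensor; the alert file is
# owner-only (0600) so other local users cannot read detection output.
useradd -u 600 snort
chown snort:snort /var/log/snort
touch /var/log/snort/alert
chown snort:snort /var/log/snort/alert
chmod 600 /var/log/snort/alert

# Precompiled shared-object rules for this platform and Snort version.
# The platform directory name is case-sensitive; confirm it with
# `ls /etc/snort/so_rules/precompiled/` before copying.
mkdir -p /usr/local/lib/snort_dynamicrules
cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.0.5/*.so /usr/local/lib/snort_dynamicrules
# Appends every time it is run; execute once per rules snapshot.
cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules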
vi /etc/snort/snort.conf #修改如下行
var RULE_PATH /etc/snort/rules
#設定規則路徑
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
output unified2: filename snort.log, limit 128
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
#去掉以上三行 include 前的注釋
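# Put the binary where the Red Hat init script expects it, then install
# the init script and its sysconfig file shipped in the source tree.
ln -s /usr/local/bin/snort /usr/sbin/snort
cp /root/snort-2.9.0.5/rpm/snortd /etc/init.d/
cp /root/snort-2.9.0.5/rpm/snort.sysconfig /etc/sysconfig/snort
# Explicit 755 rather than +x: the result does not depend on the caller's
# umask and matches how the barnyard2 init script is handled later.
chmod 755 /etc/init.d/snortd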
vi /etc/sysconfig/snort
#ALERTMODE=fast
#BINARY_LOG=1
#注釋以下行
# Bring the sensor up now, then register it with the boot sequence; the
# two steps are independent of each other.
service snortd start
chkconfig snortd on
3. mysql 配置
service mysqld start
mysql> create database snort;
mysql> grant all on snort.* to snort@localhost identified by 'snort';
mysql> flush privileges;
mysql snort < /root/snort-2.9.0.5/schemas/create_mysql
4. barnyard 安裝配置
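# Build barnyard2 1.9 against the MySQL client library (64-bit library
# directory on RHEL 6). This is a single configure command; it was wrapped
# mid-option in the original text.
tar zxf barnyard2-1.9.tar.gz
cd barnyard2-1.9
./configure --with-mysql \
  --with-mysql-includes=/usr/include/mysql/ \
  --with-mysql-libraries=/usr/lib64/mysql/
make
make install
# Ship the sample configuration next to snort.conf.
cp etc/barnyard2.conf /etc/snort/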
vi /etc/snort/barnyard2.conf #修改如下行
config hostname: localhost
config interface: eth0
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
vi /etc/sysconfig/barnyard2
LOG_FILE="snort.log"
CONF=/etc/snort/barnyard2.conf
cp rpm/barnyard2 /etc/init.d
vi /etc/init.d/barnyard2 #修改如下行
WALDO_FILE="$SNORTDIR/barnyard2.waldo"
BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
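# Make the init script executable and put the binary where it looks for it.
chmod 755 /etc/init.d/barnyard2
ln -s /usr/local/bin/barnyard2 /usr/sbin/
# The waldo (bookmark) file must exist before the first start; it records
# how far barnyard2 has read into the unified2 spool.
touch /var/log/snort/barnyard2.waldo
mkdir -p /var/log/barnyard2
service barnyard2 start
# Service name is "barnyard2"; the original "barntard2" was a typo that
# would leave the service unregistered for boot while reporting an error.
chkconfig barnyard2 on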
5. base 安裝配置
訪問:http://localhost/base
注:使用nmap 掃瞄工具掃瞄snort 主機,檢視base 前端是否檢測到異常。