Snort入侵檢測安裝配置

硬件基本環境:

系統:CentOS release 5.2 x86_64

CPU: Intel(R) Xeon(TM) CPU 2.80_X3

內存:2G

snort 有三種工作模式:

嗅探器:就是把抓取的信息顯示到屏幕上,功能跟 tcpdump 類似

數據包記錄:在嗅探模式的基礎上增加了把抓取信息記錄到文件或者數據庫等功能

網絡入侵檢測系統:使用 -c snort.conf 啓動參數,在數據包記錄的基礎上增加了規則匹配。新版的 snort-3.0rc1 包含了新的工作模式,可結合 iptables 自動定義防火牆規則。

這裏選用了網絡入侵檢測系統模式

需要用到的軟件包:

adodb507.tgz

base-1.4.1.tar.gz

mysql-5.0.77.tar.gz

httpd-2.0.63.tar.gz

php-5.2.9.tar.gz

snort-2.8.3.2.tar.gz

oinkmaster-2.0.tar.gz

libpcap-1.0.0.tar.gz

pcre-7.8.tar.gz

設定時間

#yum install ntp

#crontab -e

0 23 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1

安裝 mysql、perl-DBD-mysql、perl-DBI、apache、PHP (略)

#vi /usr/local/apache/conf/vhost.conf

NameVirtualHost *:80

<VirtualHost *:80>

<Directory "/home/web/">

DirectoryIndex index.htm index.html index.php

Options None

AllowOverride none

Order allow,deny

Allow from all

</Directory>

ServerName wgcsnort.com

ServerAdmin wangguanchao@51iker.com

DocumentRoot /home/web/

php_admin_value open_basedir "/tmp/php/:/home/web/"

ErrorLog "/var/log/apache-error.log"

CustomLog "/var/log/apache-access.log" combined

</VirtualHost>

安裝snort

先安裝libnet iptables-devel libpcap libpcap-devel pcre pcre-devel

#yum install libnet   -> 這兩個可以不裝

#yum install libnet-devel

#yum install iptables-devel

#yum install libpcap

#yum install libpcap-devel 或者源碼最新包

./configure --prefix=/usr/local/libpcap

make && make install

#yum install pcre

#yum install pcre-devel 或者源碼最新包

./configure --prefix=/usr/local/pcre

make && make install

添加用戶:

#useradd -s /bin/false -M -c "snort user" snort

# tar -zxf snort-2.8.3.2.tar.gz

#cd snort-2.8.3.2

./configure --prefix=/usr/local/snort --with-mysql --enable-dynamicplugin --with-mysql-libraries=/usr/lib64/mysql/ --with-libpcre-includes=/usr/local/pcre/include/ --with-libpcre-libraries=/usr/local/pcre/lib/ --with-libpcap-includes=/usr/local/libpcap/include/ --with-libpcap-libraries=/usr/local/libpcap/lib/

--enable-flexresp2   可選參數

--enable-react

--enable-prelude

--enable-rulestate

--enable-timestats

--enable-perfprofiling

#make

#make install

安裝rules 規則文件並配置snort
#tar -zxf snortrules-snapshot-CURRENT.tar.gz
裏面會有4個目錄 etc rules doc so_rules

#mkdir -pv /etc/snort
#mv rules /etc/snort
#mv doc /etc/snort
#cp -R etc/ /etc/snort/

修改主配置文件

vi /etc/snort/etc/snort.conf

var HOME_NET any -> var HOME_NET 192.168.9.0/24 監控的範圍

output database: log, mysql, user=snort password=*********** dbname=snort host=localhost       鏈接數據庫

var EXTERNAL_NET !$HOME_NET

var RULE_PATH /etc/snort/rules     規則存放位置

include threshold.conf          定義了例外規則的一張列表

建立數據庫

#mysqladmin -u root -p create snort

grant all on snort.* to root@localhost;

grant create,insert,select,delete,update on snort.* to snort@localhost identified by '*********';

flush privileges;

#cd snort-2.8.3.2/schemas

#mysql -usnort -pmatchalatte snort < create_mysql

安裝 ADODB

tar -zxf adodb507.tgz

mv adodb5/ /home/web/adodb

安裝BASE

tar -zxf base-1.4.1.tar.gz

mv base-php4/ base

base數據繪圖的相關插件:

Image_Canvas-0.3.1.tgz

Image_Graph-0.7.2.tgz

Mail_Mime-1.5.2.tgz

Numbers_Roman-1.0.2.tgz

Image_Color2-0.1.4.tgz

Mail-1.2.0b1.tgz

Mail_mimeDecode-1.5.0.tgz

Numbers_Words-0.15.0.tgz

安裝

#/usr/local/php/bin/pear install *.tar

# ls /home/web/ 有這兩個目錄

adodb base

配置base web頁面

cd /home/web/base

cp base_conf.php.dist base_conf.php

vi base_conf.php

所須要修改的內容包括:
$BASE_urlpath = "/base";
$DBlib_path = "/home/web/adodb/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "*****";
$archive_exists = 0; # Set this to 1 if you have an archive DB

http://192.168.9.12/base/ 登錄繼續配置

 

登錄頁面建立表後再次vi base_conf.php

$Use_Auth_System = 0; 改成$Use_Auth_System = 1;

配置snort-rules定時自動更新

#tar -zxf oinkmaster-2.0.tar.gz

#cd oinkmaster-2.0

#mkdir /etc/snort/back

#chown -R snort:snort /etc/snort/rules/ /etc/snort/back/

#cp oinkmaster.pl /usr/local/bin/

#chmod 755 /usr/local/bin/oinkmaster.pl

#cp oinkmaster.1 /usr/share/man/man1

#cp oinkmaster.conf /usr/local/etc/

#contrib/makesidex.pl /etc/snort/rules > autodisable.conf 生成sid號庫

#mv makesidex.pl autodisable.conf /etc/snort/

#vi /usr/local/etc/oinkmaster.conf 修改配置文件

url=http://www.snort.org/pub-bin/oinkmaster.cgi/e6c4dd45b4df82d549590f8c1b19614461c2154e/snortrules-snapshot-CURRENT.tar.gz

這串字符是在snort註冊賬號後取得的 ,就別用我這個了本身去申請一個

e6c4dd45b4df82d549590f8c1b19614461c2154e

url = http://www.bleedingsnort.com/bleeding.rules.tar.gz

 

編寫更新腳本

vi oinkweek.sh

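#!/bin/bash
# oinkweek.sh - weekly refresh of the Snort rule set via oinkmaster.
#
# Meant to be run from the snort user's crontab. The rules directory and
# the backup directory must be writable by that user (see the chown step
# in the setup notes). Output can be mailed by uncommenting the pipe at
# the end of the command.

OINKMASTER=/usr/local/bin/oinkmaster.pl
MAIN_CONF=/usr/local/etc/oinkmaster.conf
DISABLE_CONF=/etc/snort/autodisable.conf   # generated by makesidex.pl
RULES_DIR=/etc/snort/rules
# The setup steps create and chown /etc/snort/back; the earlier version of
# this script pointed -b at the non-existent /etc/snort/backup instead.
BACKUP_DIR=/etc/snort/back

# The trailing backslash joins the (commented) mail line onto this command,
# so removing its leading '#' is enough to enable mail delivery.
"${OINKMASTER}" \
  -C "${MAIN_CONF}" \
  -C "${DISABLE_CONF}" \
  -o "${RULES_DIR}" \
  -b "${BACKUP_DIR}" 2>&1 \
  #| mail -s "oinkmaster" anywgchao@sina.com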

定製計劃任務週日更新規則庫

# crontab -u snort -e

0 5 * * 0 /etc/snort/oinkweek.sh

編寫snort啓動腳本

vi snort

#!/bin/sh
# chkconfig: 345 99 98
# description: Snort NIDS DAEMON
# processname: snort
#
# SysV init script for Snort: one daemon is started per interface listed
# in INTERFACES, each tracked by /var/run/snort_<interface>.pid.

# Source function library
. /etc/rc.d/init.d/functions

# Install layout (matches the --prefix used when building snort).
SNORT_PATH=/usr/local/snort/bin/snort   # daemon binary
SNORTDIR=/etc/snort                     # holds etc/snort.conf and rules/
SNORTUSER=snort                         # passed to snort -u
SNORTGROUP=snort                        # passed to snort -g
INTERFACES="eth0"                       # space-separated interface list

# Nothing to manage when the binary is missing (e.g. snort was removed).
if [ ! -f "${SNORT_PATH}" ]; then
  exit 0
fi

. /etc/sysconfig/network

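start ()
{
  # Start one snort daemon per interface in INTERFACES.
  # Globals read: INTERFACES SNORTDIR SNORT_PATH SNORTUSER SNORTGROUP
  # A stale PID file is removed; a live PID makes that interface be skipped.
  for INT in ${INTERFACES}
  do
    PIDFILE="/var/run/snort_${INT}.pid"
    SNORTCONFIG="${SNORTDIR}/etc/snort.conf"
    if [ -f "${PIDFILE}" ]; then
      SPROC=$(cat "${PIDFILE}")
      # Accept only a purely numeric PID: the file is written by the
      # unprivileged snort user, so its content is not trusted blindly.
      case "${SPROC}" in
        ''|*[!0-9]*) SPROC='' ;;
      esac
      if [ -n "${SPROC}" ] && ps -p "${SPROC}" >/dev/null 2>&1; then
        echo "Snort is still running ,Skipping"
        # The previous version fell through here and started a second
        # daemon on the same interface.
        continue
      fi
      echo "Removing stale PID file"
      rm -f "${PIDFILE}"
    fi
    ifconfig "${INT}" up
    echo $"Starting snort service: "
    "${SNORT_PATH}" -dD -I -i "${INT}" -u "${SNORTUSER}" -g "${SNORTGROUP}" -c "${SNORTCONFIG}"
  done
}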

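stop ()
{
  # Stop the snort daemon of every interface in INTERFACES via its PID file.
  # Globals read: INTERFACES
  for INT in ${INTERFACES}
  do
    PIDFILE="/var/run/snort_${INT}.pid"
    if [ ! -f "${PIDFILE}" ]; then
      echo "Snort is not running"
      continue
    fi
    SPROC=$(cat "${PIDFILE}")
    case "${SPROC}" in
      ''|*[!0-9]*)
        # Never signal whatever a corrupted or tampered PID file names;
        # the file is written by the unprivileged snort user.
        echo "Ignoring invalid PID file ${PIDFILE}" >&2
        rm -f "${PIDFILE}"
        continue
        ;;
    esac
    echo "Stopping snort pid ${SPROC}"
    # Report a failed kill instead of silently dropping the PID file.
    kill "${SPROC}" || echo "Could not stop pid ${SPROC}" >&2
    rm -f "${PIDFILE}"
  done
}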

# Dispatch on the action passed by the service manager.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    # Give the daemons a moment to release their PID files before restarting.
    stop
    sleep 2
    start
    ;;
  *)
    echo $"Usage: snort {start|stop|restart}"
    exit 1
    ;;
esac

放到了 /etc/init.d/snort

#chmod +x snort

chkconfig --add snort

chkconfig --level 3 snort on

設定日誌存放位置權限

#chown -R snort:snort /var/log/snort/*

測試:

nmap.exe -T4 -A -sS 218.246.18.12

備份snort 數據庫腳本

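#!/bin/sh
#----------------snort mysql-------------------
#date 2009/3/27
#----------------------------------------------
# Dump the snort database, pack it into ${Backdir}/<date>.tar.gz and
# prune files in ${Backdir} older than 31 days.
#
# The credentials are still hard-coded below: keep this file readable by
# root only, or move them into a file passed via --defaults-extra-file.

Backdir="/home/mysqlback"
Date=$(date -I)
# Write the raw dump inside Backdir rather than the caller's working
# directory, so cron and interactive runs behave the same.
Dumpfile=${Backdir}/mysql-${Date}.sql
Gzdumpfile=${Backdir}/${Date}.tar.gz
Mysqldump_path=/usr/bin/mysqldump
DBuser=root
DBpwd=matchalatte

if [ ! -d "${Backdir}" ]; then
  mkdir -p "${Backdir}"
fi

# The password goes through the environment instead of -p<pwd> on the
# command line, where any local user could read it from the process list.
# --delete-master-logs purges the binary logs after the dump; keep it only
# if nothing else (replication, point-in-time recovery) depends on them.
if MYSQL_PWD="${DBpwd}" "${Mysqldump_path}" -u "${DBuser}" snort --opt --flush-logs \
     --default-character-set=utf8 --extended-insert=false --triggers -R \
     --hex-blob --delete-master-logs -r "${Dumpfile}"; then
  rm -f "${Gzdumpfile}"
  # -C keeps the archive member a bare file name, as before when the dump
  # lived in the working directory.
  tar -czf "${Gzdumpfile}" -C "${Backdir}" "${Dumpfile##*/}"
  rm -f "${Dumpfile}"
else
  echo "mysqldump failed, previous archive kept" >&2
fi

# Prune regular files only (never Backdir itself) and let find run rm
# directly; the old 'xargs rm -f {} \;' passed '{}' and ';' to rm as
# literal file names.
find "${Backdir}" -type f -mtime +31 -exec rm -f -- {} +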

放到了/usr/local/bin/mysqlbackup.sh

自定義規則文件

vi exmple-zwcm.rules

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:1000005; rev:5;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i";classtype:Web-application-attack; sid:1000006; rev:5;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/i";classtype:Web-application-attack; sid:1000007; rev:5;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/((\%27)|(\'))union/i";classtype:Web-application-attack; sid:1000008; rev:5;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/((\%27)|(\'))select/i";classtype:Web-application-attack; sid:1000009; rev:5;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/((\%27)|(\'))insert/i";classtype:Web-application-attack; sid:1000010; rev:5;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XSS Cross-site scripting attempt"; flow:to_server,established;uricontent:".php";pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i";classtype:Web-application-attack; sid:1000011; rev:5;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XSS Cross-site scripting attempt"; flow:to_server,established;uricontent:".php";pcre:"/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/i";classtype:Web-application-attack; sid:1000012; rev:5;)

保存後放到snort規則目錄,而後編輯/etc/snort/etc/snort.conf 加上

include $RULE_PATH/exmple-zwcm.rules

重啓就能夠了

本身也不懂***方法,只能寫照着網上的常規***寫這幾個了,若是有熟悉***的,能夠貢獻點規則

最後再補上點
vi web-misc.rules 搜索robots.txt行關閉 配置關閉WEB-MISC robots.txt access 報錯信息
vi web-misc.rules 配置關閉WEB-MISC IBM Lotus Domino Web Server Accept-Language header buffer overflow attempt 報錯信息

;$BASE_Language = 'simplified_chinese'; 不要設置成中文 瀏覽器裏沒法顯示頁面
$BASE_Language = 'english';

Apache 配置文件加上(做完端口映射後外網就不通了,所以換爲內網地址,包括 ssh):
Listen 192.168.9.12:80
登錄地址改成:
http://192.168.9.12/base/
