Installing Snort on Ubuntu

    Here I am just keeping a backup; all of this comes from 如何在Ubuntu上安装Snort入侵检测系统.

     ----------- This installation ended up with many problems; in the end I installed Snort on Windows instead, which is very convenient, and everyone can give it a try ---------------

    Snort, an excellent open-source host intrusion detection system, can be installed and run on both Windows and Linux. Ubuntu, a Linux distribution oriented mainly towards desktop use, can run Snort as well.

    Snort installation procedure

    [Install LAMP, Snort and some libraries]

    Because Ubuntu is a Debian-based Linux, installing software is very simple, and Ubuntu has a mirror at the University of Science and Technology of China, so downloads over CERNET and CSTNET are very fast (2~6M/s), which avoids the trouble of fetching packages from abroad: a single command installs all the software in a few dozen seconds. Here we use apt, Ubuntu's default command-line package manager.

    $ sudo apt-get install libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear pcregrep snort snort-rules-default

    Note that when the MySQL database is installed, a dialog asks you to set the MySQL root password; set it to "test" for now.

    [Create a database for Snort in MySQL]

    The Ubuntu repository has a package, snort-mysql, that provides the supporting pieces; download and install it with the package manager.

    $ sudo apt-get install snort-mysql

    After installation, read the help document:

    $ less /usr/share/doc/snort-mysql/README-database.Debian

    Following the instructions in that document, create the Snort database user and database in MySQL. The commands are:

    $ mysql -u root -p

    At the prompt, enter the password test set above.

    mysql> CREATE DATABASE snort;
    mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost;
    mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort;
    mysql> SET PASSWORD FOR snort@localhost=PASSWORD('snort-db');
    mysql> exit

    These commands create a snort database in MySQL, create a snort user to manage it, and set the snort user's password to snort-db.

    Then, following the instructions in README-database.Debian, create the schema of the snort database.

    $ cd /usr/share/doc/snort-mysql
    $ zcat create_mysql.gz | mysql -u snort -D snort -psnort-db

    This creates the database structure for snort in MySQL, including all the tables snort needs.

    [Configure snort to write its logs to the MySQL database]

    Edit Snort's configuration file, /etc/snort/snort.conf:

    $ sudo vim /etc/snort/snort.conf

    In the configuration file, comment out the existing HOME_NET entry and set HOME_NET to the network the machine's IP belongs to; comment out the existing EXTERNAL_NET entry and set it to everything that is not the local network, as shown:

    #var HOME_NET any
    var HOME_NET 192.168.0.0/16
    #var EXTERNAL_NET any
    var EXTERNAL_NET !$HOME_NET

    Comment out the existing output database entry and direct log output to the MySQL database, as shown:

    output database: log, mysql, user=snort password=snort-db dbname=snort host=localhost
    #output database: log, mysql

    From now on snort no longer writes records to files under /var/log/snort, and stores them in the snort database in MySQL instead. Now test whether Snort works:

    $ sudo snort -c /etc/snort/snort.conf

    If a pig drawn in ASCII characters appears, Snort is working and you can quit with Ctrl-C; if Snort exits abnormally, check the correctness of the configuration above.
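To make the three edits above repeatable, and checkable before Snort is even started, here is an added Python example; it is not code from the original post or from the Snort project. It applies the same changes to a constructed stand-in for snort.conf, validates the HOME_NET CIDR first (Snort itself only complains at start-up), is idempotent when run twice, and reports the settings Snort would actually read. The function names and the sample config are this example's own assumptions.

```python
"""Apply the HOME_NET / EXTERNAL_NET / output database edits to a snort.conf.
Added example (not from the original post or from Snort): edits text the same
way the manual vim session does, on a constructed sample config."""
import ipaddress
import re

# Constructed stand-in for the relevant lines of a stock /etc/snort/snort.conf.
SAMPLE_SNORT_CONF = """\
# Setup the network addresses you are protecting
var HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
var EXTERNAL_NET any
output database: log, mysql
"""


def _comment_out(text, pattern, keep=()):
    """Prefix every active (uncommented) line matching `pattern` with '#',
    except lines listed in `keep` (the ones that must stay active)."""
    out = []
    for line in text.splitlines():
        active = not line.lstrip().startswith("#")
        if active and re.match(pattern, line) and line.strip() not in keep:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def configure_snort_conf(text, home_net, db_user, db_password, db_name,
                         db_host="localhost"):
    """Return `text` with the old declarations commented out and the new ones
    appended. Raises ValueError if `home_net` is not a valid CIDR."""
    ipaddress.ip_network(home_net)  # validate before writing it into the config
    new_lines = [
        f"var HOME_NET {home_net}",
        "var EXTERNAL_NET !$HOME_NET",
        f"output database: log, mysql, user={db_user} password={db_password} "
        f"dbname={db_name} host={db_host}",
    ]
    for pattern in (r"\s*var\s+HOME_NET\s", r"\s*var\s+EXTERNAL_NET\s",
                    r"\s*output\s+database:"):
        text = _comment_out(text, pattern, keep=new_lines)
    # Idempotent: only append declarations that are not already active.
    present = {line.strip() for line in text.splitlines()}
    additions = [line for line in new_lines if line not in present]
    if additions:
        text += "\n".join(additions) + "\n"
    return text


def active_settings(text):
    """Return ({var: value}, [output lines]) for the uncommented declarations,
    i.e. what Snort will read when it parses the file."""
    variables, outputs = {}, []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = re.match(r"var\s+(\S+)\s+(.+)", s)
        if m:
            variables[m.group(1)] = m.group(2)
        elif s.startswith("output "):
            outputs.append(s)
    return variables, outputs


if __name__ == "__main__":
    conf = configure_snort_conf(SAMPLE_SNORT_CONF, "192.168.0.0/16",
                                "snort", "snort-db", "snort")
    print(conf)
    print(active_settings(conf))
```

Running it against the real file is a matter of reading /etc/snort/snort.conf, passing the text through configure_snort_conf and writing the result back with root privileges; the point of active_settings is that it mirrors Snort's own reading of the file, so a mistakenly duplicated or still-active `var HOME_NET any` is visible before the daemon is started.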

    [Test that the Apache web server and PHP work]

    Configure Apache's PHP module by adding the mysql and gd extensions.

    $ sudo vim /etc/php5/apache2/php.ini
    extension=mysql.so
    extension=gd.so

    Restart Apache:

    $ sudo /etc/init.d/apache2 restart

    Create a text file test.php in /var/www/:

    $ sudo vim /var/www/test.php

    with the content:

    <?php
    phpinfo();
    ?>

    Then open http://localhost/test.php in a browser; if the configuration is correct, the classic PHP INFO page appears, which means LAMP is working.

    [Install and configure acid-base]

    Installing acid-base is simple; download and install it with the Ubuntu package manager:

    $ sudo apt-get install acidbase

    During installation you are asked which database acidbase should use (choose MySQL), for the root password (test) and for an acid-base password (it seems this can also be skipped).

    Copy acidbase from its installation directory into the www directory. You could also create a virtual directory in Apache pointing at the installation directory, but it is copied here mainly for security reasons.

    $ sudo cp -R /usr/share/acidbase/ /var/www/

    Because base_conf.php in the acidbase directory is originally a symbolic link to base_conf.php under /etc/acidbase/, to keep its permissions under control we delete the link and create a new base_conf.php file (working from /var/www, as the following commands do):

    $ cd /var/www
    $ sudo rm acidbase/base_conf.php
    $ sudo touch acidbase/base_conf.php

    Temporarily make the /var/www/acidbase/ directory writable by everyone; this is only so that acidbase can be configured.

    $ sudo chmod 757 acidbase/

    Now acid-base can be configured: enter http://localhost/acidbase in the browser's address bar, which takes you to the setup page, then click continue and go through the installation step by step:

    Choose english as the language and /usr/share/php/adodb as the adodb path; choose MySQL as the database, snort as the database name, localhost as the database host, snort as the database user and snort-db as its password; set the acidbase administrator username and password, here admin and test. Continue through the remaining steps and the installation completes.

    Once installed, you can go to the login page, enter the username and password, and enter the acidbase system.

    Now change the acidbase directory's permissions back for safety, then start snort in the background; the snort intrusion detection system is then installed and running normally:

    $ sudo chmod 775 acidbase/
    $ sudo snort -c /etc/snort/snort.conf -i eth0 -D

    [Check how the IDS is working, and change detection rules]

    Normally, on an insecure network, network attacks show up in acidbase shortly after logging in. If no attacks are seen, you can add a stricter rule so that even normal network connections are reported as attacks, to test that the Snort IDS works correctly; for example, append the following line to the end of /etc/snort/rules/web-misc.rules:

    $ sudo vi /etc/snort/rules/web-misc.rules
    alert tcp any :1024 -> $HTTP_SERVERS 500: (msg:"test rule: low source port to high destination port"; sid:1000001; rev:1;)

    This line means: alert on every tcp packet sent from a port up to 1024 at any address to a port of 500 or above on this machine. Kill the Snort background process and restart it; normal packets should now be detected as attacks.

    $ sudo kill `pgrep snort`
    $ sudo snort -c /etc/snort/snort.conf -i eth0 -D
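The test rule is easy to misjudge: `:1024` means a source port up to 1024 and `500:` a destination port of 500 or above, so it is a web server's replies (source port 80, destination an ephemeral port on a HOME_NET host) that trip it, not the browser's outgoing requests. The Python example below, added here and not part of the original post or of Snort, evaluates a rule header against constructed packet tuples, resolving $HOME_NET and $HTTP_SERVERS as this guide sets them. The variable values, the rule options and the packets are assumptions for illustration; it handles only the header, not rule options such as content matches.

```python
"""Evaluate a Snort rule *header* against packet tuples to see which traffic
it flags. Added example, not code from the post or from Snort."""
import ipaddress

# Constructed to mirror the snort.conf edits in this guide; in the stock
# snort.conf HTTP_SERVERS defaults to $HOME_NET.
VARS = {
    "HOME_NET": "192.168.0.0/16",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
}


def resolve(token):
    """Expand $VAR references (recursively); returns (negated, literal)."""
    negate = token.startswith("!")
    if negate:
        token = token[1:]
    while token.startswith("$"):
        token = VARS[token[1:]]
        if token.startswith("!"):  # a variable may itself be negated
            negate = not negate
            token = token[1:]
    return negate, token


def addr_matches(spec, ip):
    negate, spec = resolve(spec)
    if spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    negate, spec = resolve(spec)
    if spec == "any":
        hit = True
    elif ":" in spec:  # ranges: "a:b", ":b" (port <= b), "a:" (port >= a)
        lo, hi = spec.split(":")
        hit = (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    else:
        hit = int(spec) == port
    return hit != negate


def parse_header(rule):
    """Split 'action proto src sport dir dst dport' off the front of a rule."""
    action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport)


def header_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the packet tuple satisfies the rule header."""
    h = parse_header(rule)
    if h["proto"] != proto:
        return False
    forward = (addr_matches(h["src"], src_ip) and port_matches(h["sport"], src_port)
               and addr_matches(h["dst"], dst_ip) and port_matches(h["dport"], dst_port))
    if h["direction"] == "->":
        return forward
    # '<>' is bidirectional: also try the packet with its endpoints swapped.
    backward = (addr_matches(h["src"], dst_ip) and port_matches(h["sport"], dst_port)
                and addr_matches(h["dst"], src_ip) and port_matches(h["dport"], src_port))
    return forward or backward


TEST_RULE = ('alert tcp any :1024 -> $HTTP_SERVERS 500: '
             '(msg:"test rule"; sid:1000001; rev:1;)')

# Constructed packets: a browser on a HOME_NET host fetching a page from an
# outside web server, plus an unrelated inbound connection to a low port.
PACKETS = {
    "request  192.168.1.20:40000 -> 203.0.113.10:80": ("tcp", "192.168.1.20", 40000, "203.0.113.10", 80),
    "response 203.0.113.10:80 -> 192.168.1.20:40000": ("tcp", "203.0.113.10", 80, "192.168.1.20", 40000),
    "ssh      203.0.113.10:22 -> 192.168.1.20:22": ("tcp", "203.0.113.10", 22, "192.168.1.20", 22),
}

if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        verdict = "ALERT" if header_matches(TEST_RULE, *pkt) else "pass"
        print(f"{label}: {verdict}")
```

Only the response packet is flagged: the request leaves from port 40000, which is above the `:1024` bound, and the ssh packet arrives on port 22, below the `500:` bound. That is why the rule shows up in acidbase as soon as the monitored host browses the web, and also why a rule written this loosely has no place in a production rule set.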

    Summary

    Installing the Snort intrusion detection system and its web console on Ubuntu is quite easy, because Ubuntu provides very convenient package installation; the only drawback is that customizability is sometimes poor and the user has to find the packages' installation locations by hand.

    When installing snort-mysql the package could not be found in the software sources, so I updated the sources; below is my sources list.

    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty main universe restricted multiverse
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty main universe restricted multiverse #Added by software-properties
    deb http://security.ubuntu.com/ubuntu/ trusty-security restricted universe main multiverse



    deb http://kr.archive.ubuntu.com/ubuntu precise main universe
    deb http://th.archive.ubuntu.com/ubuntu precise main universe
    #deb http://mirror.lupaworld.com/ubuntu precise main universe
    deb http://kambing.vlsm.org/ubuntu precise main universe
    #deb http://ubuntu.mithril-linux.org/archives precise main universe
    deb http://mirror.in.th/ubuntu precise main universe
    deb http://mirror.rootguide.org/ubuntu precise main universe

    My sources list under normal circumstances

    # deb cdrom:[Ubuntu 14.04 LTS _Trusty Tahr_ - Release i386 (20140417)]/ trusty main restricted

    # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
    # newer versions of the distribution.
    deb http://mirrors.aliyun.com/ubuntu/ trusty main restricted
    deb-src http://mirrors.aliyun.com/ubuntu/ trusty main restricted

    ## Major bug fix updates produced after the final release of the
    ## distribution.
    deb http://mirrors.aliyun.com/ubuntu/ trusty-updates main restricted
    deb-src http://mirrors.aliyun.com/ubuntu/ trusty-updates main restricted

    ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
    ## team. Also, please note that software in universe WILL NOT receive any
    ## review or updates from the Ubuntu security team.
    deb http://mirrors.aliyun.com/ubuntu/ trusty universe
    deb-src http://mirrors.aliyun.com/ubuntu/ trusty universe
    deb http://mirrors.aliyun.com/ubuntu/ trusty-updates universe
    deb-src http://mirrors.aliyun.com/ubuntu/ trusty-updates universe

    ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
    ## team, and may not be under a free licence. Please satisfy yourself as to
    ## your rights to use the software. Also, please note that software in
    ## multiverse WILL NOT receive any review or updates from the Ubuntu
    ## security team.
    deb http://mirrors.aliyun.com/ubuntu/ trusty multiverse
    deb-src http://mirrors.aliyun.com/ubuntu/ trusty multiverse
    deb http://mirrors.aliyun.com/ubuntu/ trusty-updates multiverse
    deb-src http://mirrors.aliyun.com/ubuntu/ trusty-updates multiverse

    ## N.B. software from this repository may not have been tested as
    ## extensively as that contained in the main release, although it includes
    ## newer versions of some applications which may provide useful features.
    ## Also, please note that software in backports WILL NOT receive any review
    ## or updates from the Ubuntu security team.
    deb http://mirrors.aliyun.com/ubuntu/ trusty-backports main restricted universe multiverse
    deb-src http://mirrors.aliyun.com/ubuntu/ trusty-backports main restricted universe multiverse

    deb http://mirrors.aliyun.com/ubuntu/ trusty-security main restricted
    deb-src http://mirrors.aliyun.com/ubuntu/ trusty-security main restricted
    deb http://mirrors.aliyun.com/ubuntu/ trusty-security universe
    deb-src http://mirrors.aliyun.com/ubuntu/ trusty-security universe
    deb http://mirrors.aliyun.com/ubuntu/ trusty-security multiverse
    deb-src http://mirrors.aliyun.com/ubuntu/ trusty-security multiverse

    ## Uncomment the following two lines to add software from Canonical's
    ## 'partner' repository.
    ## This software is not part of Ubuntu, but is offered by Canonical and the
    ## respective vendors as a service to Ubuntu users.
    # deb http://archive.canonical.com/ubuntu trusty partner
    # deb-src http://archive.canonical.com/ubuntu trusty partner

    ## This software is not part of Ubuntu, but is offered by third-party
    ## developers who want to ship their latest software.
    deb http://extras.ubuntu.com/ubuntu trusty main
    deb-src http://extras.ubuntu.com/ubuntu trusty main

    ---------------------------------------------------------

    # Sources list switched to in order to install libnss3-tools

    # deb cdrom:[Ubuntu 14.04 LTS _Trusty Tahr_ - Release i386 (20140417)]/ trusty main restricted

    # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
    # newer versions of the distribution.
    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty main restricted
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty main restricted

    ## Major bug fix updates produced after the final release of the
    ## distribution.
    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty-updates main restricted
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty-updates main restricted

    ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
    ## team. Also, please note that software in universe WILL NOT receive any
    ## review or updates from the Ubuntu security team.
    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty universe
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty universe
    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty-updates universe
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty-updates universe

    ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
    ## team, and may not be under a free licence. Please satisfy yourself as to
    ## your rights to use the software. Also, please note that software in
    ## multiverse WILL NOT receive any review or updates from the Ubuntu
    ## security team.
    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty multiverse
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty multiverse
    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty-updates multiverse
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty-updates multiverse

    ## N.B. software from this repository may not have been tested as
    ## extensively as that contained in the main release, although it includes
    ## newer versions of some applications which may provide useful features.
    ## Also, please note that software in backports WILL NOT receive any review
    ## or updates from the Ubuntu security team.
    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty-backports main restricted universe multiverse
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty-backports main restricted universe multiverse

    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty-security main restricted
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty-security main restricted
    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty-security universe
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty-security universe
    deb http://mirrors.ustc.edu.cn/ubuntu/ trusty-security multiverse
    deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty-security multiverse

    ## Uncomment the following two lines to add software from Canonical's
    ## 'partner' repository.
    ## This software is not part of Ubuntu, but is offered by Canonical and the
    ## respective vendors as a service to Ubuntu users.
    # deb http://archive.canonical.com/ubuntu trusty partner
    # deb-src http://archive.canonical.com/ubuntu trusty partner

    ## This software is not part of Ubuntu, but is offered by third-party
    ## developers who want to ship their latest software.
    deb http://extras.ubuntu.com/ubuntu trusty main
    deb-src http://extras.ubuntu.com/ubuntu trusty main

    snort -dev -l ./log writes information about the detected packets into the ./log directory under the current folder.

    Original post: https://www.cnblogs.com/chenbuer/p/4194795.html