Linux系统安装IDS(snort工具)

第一步：预装daq所需程序

snort使用数据采集器(daq)监听防火墙数据包队列，所以按照daq。需预装的程序有：flex、bison、libcap。

sudo apt-get install flex
sudo apt-get install bison
sudo aptitude install libpcap-dev

第二步：安装daq

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

tar xvfz daq-2.0.6.tar.gz
                      
cd daq-2.0.6
./configure && make && sudo make install

第三步：安装snort所需程序

aptitude install libpcre3-dev
aptitude install libdumbnet-dev
aptitude install zlib1g-dev

第四步：安装snort

wget https://www.snort.org/downloads/snort/snort-2.9.12.tar.gz  

tar xvfz snort-2.9.12.tar.gz
                      
cd snort-2.9.12
./configure --enable-sourcefire && make && sudo make install

第五步：运行 snort 会要求你安装响应包，安装即可

//运行snort -V

//提示安装下面包

apt-get install snort
apt-get install snort-mysql
apt-get install snort-pgsql
//此时snort已经可以运行，看到一只小猪

,,_ -*> Snort! <*-
o" )~ Version 2.9.2 IPv6 GRE (Build 78)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 1.2.3.4

//-----------------

//安装一些依赖包，为后面的图形化做准备

安装apache

apt-get install apache2

安装mysql

apt-get install mysql-server

安装php

apt-get install php5

 第六步：为snort创建一个数据库，和一个用户

$ mysql –u root –p

mysql> CREATE DATABASE snort;
mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('yourpassword');
mysql> exit

 第七步：修改snor配置文件

snort的配置文件在/etc/snort/snort.conf

打开该文件将 HOME_NET 有关项注释掉，然后将 HOME_NET 设置为本机 IP 所在网络，将 EXTERNAL_NET 相关项注释掉，设置其为非本机网络，如下所示：

其中需要修改的内容如下所示：
45行 ipvar HOME_NET any > ipvar HOME_NET 192.168.x.x 你的的IP网段,写成CIDR格式，可以添加多个网段
举例：ipvar HOME_NET [192.168.0.0/16,172.16.0.0/16]

ipvar EXTERNAL_NET any > ipvar EXTERNAL_NET!$HOME_NET

 第八步：试运行

snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf


若出现如下错误
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! WARNING: The database output plugins are considered deprecated as
!!          of Snort 2.9.2 and will be removed in Snort 2.9.3.
!!          The recommended approach to logging is to use unified2 with
!!          barnyard2 or similar.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
database: must enter database name in configuration file


解法：
搞了好长时间，发现snort.conf配置文件549行左右有一条
include database.conf
注释掉

第九步：运行snort，snort会监测eth0端口

snort

结果如下

参考网址：

snort官网

centos平台基于snort、barnyard2以及base的IDS（入侵检测系统）的搭建与测试及所遇问题汇总

linux入侵检测系统snort安装配置

Snort 用户手册

在 Ubuntu 15.04 中如何安装和使用 Snort