To meet the company's information security requirements, last week I set up a network intrusion detection system (NIDS); today I am recording the installation process for my own future reference and for other friends. In getting this NIDS installed and writing this article I consulted many documents found online (not listed here), and I am very grateful to the predecessors for their selfless contributions.
I. Installation environment
Operating system: Red Hat Enterprise Linux 5.4
Database: MySQL mysql-5.1.46
Web server: Apache httpd-2.2.15
Web language: PHP php-5.2.13
II. Install MySQL
Package: mysql-5.1.46.tar.gz, download from http://dev.mysql.com/downloads/mysql/
# tar -zxvf mysql-5.1.46.tar.gz                         // extract
# cd mysql-5.1.46                                       // enter the extracted directory
# ./configure --prefix=/usr/local/mysql \               // set the install directory
    --enable-thread-safe-client \                       // build the thread-safe client library
    --without-debug                                     // disable debugging
# make                                                  // compile
# make install                                          // install
# /usr/local/mysql/bin/mysql_install_db                 // initialize the grant tables
# chown -R root /usr/local/mysql                        // change file owner to root
# chgrp -R root /usr/local/mysql                        // change file group to root's group
# /usr/local/mysql/bin/mysqld_safe --user=root &        // start MySQL
# /usr/local/mysql/bin/mysqladmin -u root password '123456'   // set the root password to 123456
Note: if the configuration test after installing Snort reports that libmysqlclient.so.16 or mysql.sock cannot be found, fix it as follows:
1. libmysqlclient.so.16:
   Method 1: # vi /etc/ld.so.conf and append these two lines:
       /usr/local/mysql/lib/mysql
       /usr/local/lib
     save ld.so.conf, exit, then run # ldconfig
   Method 2: # ln -s /usr/local/mysql/lib/mysql/libmysqlclient.so.16 /usr/local/lib/libmysqlclient.so.16
2. mysql.sock:
   # ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock
III. Install Apache
Package: httpd-2.2.15.tar.gz, download from http://httpd.apache.org/download.cgi
# tar -zxvf httpd-2.2.15.tar.gz
# cd httpd-2.2.15
# ./configure --prefix=/usr/local/apache --enable-module=most --enable-shared=max --enable-so
# make
# make install
# /usr/local/apache/bin/apachectl start                 // start Apache
IV. Install PHP
Package: php-5.2.13.tar.gz, download from http://www.php.net/downloads.php
# tar -zxvf php-5.2.13.tar.gz
# cd php-5.2.13
# ./configure --prefix=/usr/local/php \
    --with-mysql=/usr/local/mysql --with-apxs2=/usr/local/apache/bin/apxs \
    --with-zlib --with-gd --enable-sockets --disable-debug
# make
# make install
# cp php.ini-dist /usr/local/php/lib/php.ini
V. Configure Apache's httpd.conf and test
1. Edit /usr/local/apache/conf/httpd.conf: add index.php after DirectoryIndex, and add the following two lines after the AddType application lines:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
2. Restart Apache:
# /usr/local/apache/bin/apachectl restart
3. Test: create an index.php file in the document root with the following content:
<?php phpinfo(); ?>
Open http://<server IP>/ in a browser. If the PHP information page appears, Apache+PHP+MySQL is configured correctly; check that gd and mysql appear in the support information.
VI. Install Snort
1. Install pcre
Package: pcre-8.02.tar.gz, download from http://sourceforge.net/projects/pcre/files/
# tar -zxvf pcre-8.02.tar.gz
# cd pcre-8.02
# ./configure
# make
# make install
2. Install Snort
Package: snort-2.4.5.tar.gz, download from http://down1.chinaunix.net/distfiles/snort-2.4.5.tar.gz
# tar -zxvf snort-2.4.5.tar.gz
# cd snort-2.4.5
# ./configure --with-mysql
# make
# make install
# mkdir /etc/snort                                      // create the snort directory
# cd etc
# cp * /etc/snort                                       // copy the configuration files
3. Install the Snort rules
Package: snortrules-pr-2.4.tar.gz, download from http://down1.chinaunix.net/distfiles/snortrules-pr-2.4.tar.gz
# tar -zxvf snortrules-pr-2.4.tar.gz
# cd rules
# mkdir /etc/snort/rules                                // create the rules directory
# mkdir /var/log/snort                                  // create the log directory
# cp * /etc/snort/rules                                 // copy the rules
4. Edit /etc/snort/snort.conf
Change var HOME_NET 192.168.6.0/24                      // your actual working network segment
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
Remove the leading # from the following line and change it to:
output database: log, mysql, user=root password=<MySQL password> dbname=snort host=localhost
Remove the leading # from the following 11 lines:
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
Save and exit.
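As an added check (not part of the original post), the following Python script reads a snort.conf body and verifies the step-4 edits: HOME_NET set, RULE_PATH absolute, an output database line present, and which $RULE_PATH includes are actually enabled. It also flags the two risks of that output line, that the MySQL password sits in the config file and that Snort logs as MySQL root. The config text is a constructed sample, not the author's file.

```python
import re

# Constructed snort.conf fragment modelled on the step-4 edits (not the author's real file).
SAMPLE_CONF = """\
var HOME_NET 192.168.6.0/24
var RULE_PATH ../rules
output database: log, mysql, user=root password=123456 dbname=snort host=localhost
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
include $RULE_PATH/virus.rules
"""

def check_snort_conf(text):
    """Return (findings, enabled_rule_files) for the body of a snort.conf."""
    findings, enabled = [], []
    have_home_net = have_db_output = False
    rule_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out includes stay disabled
        m = re.match(r"var\s+(\w+)\s+(\S+)$", line)
        if m and m.group(1) == "HOME_NET":
            have_home_net = True
        elif m and m.group(1) == "RULE_PATH":
            rule_path = m.group(2)
            if not rule_path.startswith("/"):
                findings.append("RULE_PATH %r is relative; use /etc/snort/rules" % rule_path)
        elif line.startswith("output database:"):
            have_db_output = True
            opts = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
            if opts.get("user") == "root":
                findings.append("database output logs as MySQL root; prefer a dedicated user "
                                "granted only INSERT,SELECT on snort.*")
            if "password" in opts:
                findings.append("MySQL password is stored in snort.conf; keep the file mode 0600")
        elif line.startswith("include") and "$RULE_PATH" in line:
            enabled.append(line.rsplit("/", 1)[-1])
    if not have_home_net:
        findings.append("HOME_NET not set")
    if rule_path is None:
        findings.append("RULE_PATH not set")
    if not have_db_output:
        findings.append("no 'output database:' line, ACID will stay empty")
    return findings, enabled

if __name__ == "__main__":
    for f in check_snort_conf(SAMPLE_CONF)[0]:
        print("finding:", f)
```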
VII. Create the snort database and check the database and table structure
1. Create the snort database
mysql> create database snort;
mysql> grant INSERT,SELECT on snort.* to root@localhost;
mysql> exit
# mysql -u root -p < /usr/local/snort-2.4.5/schemas/create_mysql snort   // create the snort tables
2. Check the database and table structure
# mysql -u root -p
Enter password:
mysql> exit;
If the tables are listed as above, the setup succeeded.
VIII. Install, configure and test ACID
1. Packages
acid-0.9.6b23.tar.gz, download from http://acidlab.sourceforge.net/
adodb511.tgz, download from http://sourceforge.net/projects/adodb/files/
jpgraph-1.16.tar.gz, download from http://sourceforge.net/projects/jpgraph/files/
2. Install ACID and its supporting libraries
Put acid-0.9.6b23.tar.gz, adodb511.tgz and jpgraph-1.16.tar.gz in the web root, which here is /usr/local/apache/htdocs
# cd /usr/local/apache/htdocs
# tar -zxvf jpgraph-1.16.tar.gz
# tar -zxvf adodb511.tgz
# mv jpgraph-1.16 jpgraph
# mv adodb5 adodb
# tar -zxvf acid-0.9.6b23.tar.gz
3. Edit /usr/local/apache/htdocs/acid/acid_conf.php
Change $DBlib_path = ""; to $DBlib_path = "/usr/local/apache/htdocs/adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "test";                               // change to your database password
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "test";                             // change to your database password
Change $ChartLib_path = ""; to $ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";
Save and exit.
4. Configure and test
Restart Apache:
# /usr/local/apache/bin/apachectl restart
Run Snort so that it writes data into MySQL:
# snort -c /etc/snort/snort.conf
Open http://<your host>/acid/acid_main.php in a browser, click the "Setup Page" link -> Create Acid AG, then open http://<your host>/acid/ and the ACID interface appears.
Scan the host with some scanning tools; this produces alert records, which can be viewed in ACID. Apache+PHP+MySQL+Snort+ACID on RHEL 5.4 is now configured; here are a few screenshots.
This article is from the blog "Michael的博客"; please keep this attribution: http://winos.blog.51cto.com/937089/317
After everything has been downloaded and installed:
mkdir /etc/snort/
mkdir /var/log/snort/
cp /root/Downloads/snort-2.9.6.2/etc/* /etc/snort
Put the acid and adodb tar files in /var/www/html and extract them all; to fix the adodb error, move the extracted adodb files into the acid folder.
barnyard2 setup
cp /root/Downloads/barnyard2-2-1.9/etc/barnyard2.conf /etc/snort/
Add one line to it:
output database: log, mysql, user=root dbname=snort password=xxxx host=localhost
Test with barnyard2:
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
and at the same time test with Snort:
snort -u root -g root -c /etc/snort/snort.conf -i eth1
Put snortrules-snapshot-2962.tar.gz in /etc/snort
and run tar -xf snortrules-snapshot-2962.tar.gz there.
Snort output setup
Add one line to /etc/snort/snort.conf:
output unified2: filename snort.u2, limit 128
Then, after running snort -u root -g root -c /etc/snort/snort.conf -i eth1, files named snort.u2.xxxxx appear in /var/log/snort.
Also set in snort.conf:
config logdir:/var/log/snort
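barnyard2 reads the snort.u2.xxxxx spool files this output line produces and replays them into MySQL. As an added example that is not part of this post or of the Snort/barnyard2 code, here is a small Python reader for the two record types Snort 2.x writes for an IPv4 alert with this configuration (type 7 event and type 2 packet; the VLAN variants only appear when vlan_event_types is set), run over a constructed spool, so the spool can be inspected directly when barnyard2 and ACID disagree.

```python
import socket
import struct

UNIFIED2_PACKET = 2       # packet that triggered an event
UNIFIED2_IDS_EVENT = 7    # legacy IPv4 event record (Unified2IDSEvent_legacy, 52 bytes)
EVENT_FMT = "!11I2H4B"    # sensor_id .. ip_dst, sport, dport, proto, impact_flag, impact, blocked
PACKET_FMT = "!7I"        # sensor_id, event_id, event_second, pkt_second, pkt_usec, linktype, length

def parse_unified2(data):
    """Yield (record_type, fields) for each record in a unified2 spool (network byte order)."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % off)   # partially written file
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen >= struct.calcsize(EVENT_FMT):
            f = struct.unpack_from(EVENT_FMT, body)
            yield rtype, {"event_id": f[1], "event_second": f[2], "sid": f[4], "gid": f[5],
                          "rev": f[6], "priority": f[8], "src": socket.inet_ntoa(body[36:40]),
                          "dst": socket.inet_ntoa(body[40:44]), "sport": f[11], "dport": f[12],
                          "proto": f[13]}
        elif rtype == UNIFIED2_PACKET and rlen >= struct.calcsize(PACKET_FMT):
            f = struct.unpack_from(PACKET_FMT, body)
            yield rtype, {"event_id": f[1], "linktype": f[5], "packet": body[28:28 + f[6]]}
        else:
            yield rtype, {"raw": body}    # other record types (e.g. extra data) pass through

def build_sample_spool():
    """Constructed two-record spool (one alert plus its packet); not a real capture."""
    src = int.from_bytes(socket.inet_aton("192.168.6.10"), "big")
    dst = int.from_bytes(socket.inet_aton("10.0.0.5"), "big")
    ev = struct.pack(EVENT_FMT, 0, 1, 1400000000, 0, 1000001, 1, 1, 3, 2, src, dst,
                     40000, 80, 6, 0, 0, 0)
    pkt = b"\x00" * 14 + b"\x45"          # constructed: Ethernet header + first IPv4 byte
    ph = struct.pack(PACKET_FMT, 0, 1, 1400000000, 1400000000, 0, 1, len(pkt))
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(ev)) + ev
            + struct.pack("!II", UNIFIED2_PACKET, len(ph) + len(pkt)) + ph + pkt)

def summarize(data):
    """One line per alert with the core fields barnyard2 inserts into the snort database."""
    return ["%d:%d:%d %s:%d -> %s:%d proto=%d prio=%d" % (e["gid"], e["sid"], e["rev"],
            e["src"], e["sport"], e["dst"], e["dport"], e["proto"], e["priority"])
            for t, e in parse_unified2(data) if t == UNIFIED2_IDS_EVENT]

if __name__ == "__main__":
    for line in summarize(build_sample_spool()):
        print(line)
```

To read a real spool, pass the bytes of one /var/log/snort/snort.u2.xxxxx file to summarize().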
stun:
First yum install openssl
In ~/Download/stun-5.0.3/src run make cert
The client and the server must use the same stun.pem; on the client you can fetch it with scp root@server:/usr/local/etc/stun/stun.pem
Client configuration:
CAfile=/usr/local/etc/stun/stun.pem
cert=/usr/local/etc/stun/stun.pem
[mysqld]
client=yes
accept=127.0.0.1:3306
connect=server:22443
then run stun
Server configuration:
CAfile=/usr/local/etc/stun/stun.pem
cert=/usr/local/etc/stun/stun.pem
[mysqld]
client=no
accept=22443
connect=localhost:3306
then run stun
Also edit /etc/snort/snort.conf and set:
dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.2
In /etc/snort/barnyard2.conf:
config hostname:127.0.0.1
config interface:eth1
mysql.h
The barnyard2 build problem (mysql.h not found) can be solved like this:
in the barnyard2 source tree run
./configure --with-mysql=/usr/lib64/mysql/
adodb.inc.php
Solution:
Put the acid and adodb tar files in /var/www/html and extract them all; to fix the adodb error, move the extracted adodb files into the acid folder.
vim acid_conf.php
and set it like this:
$DBlib_path = "./";