Snort and BASE

snort
(http://www.snort.org/)

………………………………

1 Install Snort

There are two main ways:

Install from source

tar -zxvf snort-< version >.tar.gz
cd snort-< version >
./configure --prefix=/usr/local/snort --with-mysql=< mysql path >
make
make install

ps: the --with-mysql option and the database output plugin were removed in Snort 2.9.3; on 2.9.3 and later, log with the unified2 output plugin and let barnyard2 write the events to MySQL.

Install with yum
yum install snort
yum install snort-mysql

ps:
When installing from source the following packages may be needed; install them with yum first
yum install gcc gcc-c++ make libpcap libpcap-devel pcre-devel bison flex zlib zlib-devel mysql-server mysql-devel
ps:
snort 2.9.4 on 64-bit CentOS 6 also needs the following two packages, which yum does not provide. Build libdnet first, because DAQ links against it.
libdnet(http://libdnet.sourceforge.net)
 #tar zxvf libdnet-1.12.tgz
 #cd libdnet-1.12
 #./configure
 #make
 #make install
DAQ(http://www.snort.org/snort-downloads)
 #tar zxvf daq-< version >.tar.gz
 #cd daq-< version >
 #./configure
 #make
 #make install
ps: both install their libraries under /usr/local/lib, which is not on the CentOS 6 dynamic linker path by default; add that directory to the ld.so configuration and run ldconfig, otherwise snort fails to start because it cannot load the libdnet / libdaq shared objects

2 Download rules
Log in with your Snort account and open My Account
The Oinkcodes page has the download instructions

…………………………………..

Edit snort.conf
ps: the yum-packaged snort reads /etc/snort/snort.conf by default; a snort built from source is given the path with -c
ps: a template snort.conf is in the etc directory of the source tree

Set the monitored range
var HOME_NET < range >
Can be any, an IP address, or a subnet
ps: to give several values, put them in square brackets separated by commas with no spaces, e.g. [192.168.1.0/24,10.0.0.0/8]; the Snort 2.9 template declares IP lists with ipvar rather than var

Set the rule location
var RULE_PATH < path >

Set which rule categories to use
include $RULE_PATH/< name >.rules
< name > can be pop3, virus, etc., depending on which rules files you downloaded; one include line per file

Set the capture interface
INTERFACE=eth0
ps: this line belongs in /etc/sysconfig/snort, which the yum package's init script reads, not in snort.conf; when starting snort by hand, give the interface with -i eth0
ps: to capture on several interfaces, separate them with spaces

…………………………………

Set up MySQL

1.1. Create the database first

mysql> create database snortdb;
mysql> grant all on snortdb.* to snortuser@localhost;
mysql> set password for snortuser@localhost=password('snortpassword');
mysql> flush privileges;
mysql> use snortdb;

ps: all is broader than the sensor needs; once the schema is loaded, snort's database plugin only needs INSERT, SELECT and UPDATE on snortdb.*, and BASE needs SELECT, INSERT, UPDATE and DELETE (plus CREATE while its setup page creates its own tables)

1.2. Import the tables
mysql> source /root/snort-< version >/schemas/create_mysql;

2. Edit the output section of snort.conf as follows
output database: log, mysql, user=snortuser password=snortpassword dbname=snortdb host=localhost
ps: the first parameter is the facility (log or alert) the plugin attaches to; user, password and dbname must match what was created in 1.1 and what BASE is configured with later. snort.conf now contains a database password, so keep it readable only by root and the user snort runs as.
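Putting the settings from the snort.conf section together with the database output line, here is a complete snort.conf fragment as an added example (it is not from the original page). The addresses, rule path, rule file names and credentials are assumptions; replace them with your own.

```conf
# /etc/snort/snort.conf (fragment, added example)

# Monitored range: several values go in square brackets, comma-separated, no spaces.
# The Snort 2.9 template declares IP lists with ipvar; older configs use var.
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET

# Directory the downloaded rules were unpacked into (assumed path)
var RULE_PATH /etc/snort/rules

# Rule categories to load: one include per .rules file (assumed file names)
include $RULE_PATH/local.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/virus.rules

# Database output (credentials must match the MySQL user created above)
output database: log, mysql, user=snortuser password=snortpassword dbname=snortdb host=localhost
```

Run snort -T -c against the file after editing; the -T test mode reports a bad HOME_NET list or a missing rules file without starting a capture.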

…………………………………

Test snort.conf
snort -T -c < snort.conf path >
snort-mysql -T -c < snort.conf path >
ex:
snort -T -c /usr/local/snort/etc/snort.conf
snort-mysql -T -c /etc/snort/snort.conf

Start
snort-mysql -c /etc/snort/snort.conf -D
-D runs it in the background (daemon mode); by default alerts are written to /var/log/snort/alert
ps: add -i < interface > to choose the capture interface, and -u snort -g snort so that snort drops root privileges once the capture socket is open

ps
If /var/log/snort/alert contains messages, snort is running and alerting
If the signature table contains rows, events are reaching the database
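To go beyond "the alert file is not empty", the following script summarises a full-format alert file (the format snort -D writes to /var/log/snort/alert by default) by signature, source address and priority. It is an added example, not code from the original page or from the Snort project. It assumes IPv4 addresses and the [**] [gid:sid:rev] msg [**] record header; the six alert records it ships with are a constructed sample, not real sensor output, so it runs offline.

```sh
#!/bin/sh
# Summarise a Snort full-format alert file (added example, not from the page).
# Assumes IPv4 and the "[**] [gid:sid:rev] msg [**]" record header.
# Usage on a sensor:  ALERT_FILE=/var/log/snort/alert sh alert_summary.sh

# Constructed sample of six alert records, used only when ALERT_FILE is unset.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[**] [1:1000001:1] LOCAL ICMP echo request to server [**]
[Classification: Misc activity] [Priority: 3]
05/13-14:22:01.123456 10.0.0.5 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:1000001:1] LOCAL ICMP echo request to server [**]
[Classification: Misc activity] [Priority: 3]
05/13-14:22:02.223456 10.0.0.5 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1234   Seq:2  ECHO

[**] [1:1000001:1] LOCAL ICMP echo request to server [**]
[Classification: Misc activity] [Priority: 3]
05/13-14:22:02.900000 10.0.0.9 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:4321   Seq:1  ECHO

[**] [1:1000002:2] LOCAL SSH connection to server [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/13-14:22:03.000001 10.0.0.5:51234 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x7210  TcpLen: 40

[**] [1:1000002:2] LOCAL SSH connection to server [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/13-14:22:04.000001 10.0.0.9:51299 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:4322 IpLen:20 DgmLen:60 DF
******S* Seq: 0x2B3C4D5E  Ack: 0x0  Win: 0x7210  TcpLen: 40

[**] [1:1000003:1] LOCAL HTTP request for /etc/passwd [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-14:22:05.500000 10.0.0.5:40001 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:4323 IpLen:20 DgmLen:300 DF
***AP*** Seq: 0x3C4D5E6F  Ack: 0x1  Win: 0x7210  TcpLen: 32

EOF
ALERT_FILE="${ALERT_FILE:-$SAMPLE}"

# Number of alert records: each record starts with a "[**] [gid:sid:rev]" header line.
alert_count() {
    grep -c '^\[\*\*] \[[0-9]*:[0-9]*:[0-9]*]' "$1"
}

# Alerts per signature, most frequent first. Output lines: "<count> <gid:sid:rev> <message>"
alerts_by_sig() {
    sed -n 's/^\[\*\*] \[\([0-9:]*\)] \(.*\) \[\*\*]$/\1 \2/p' "$1" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Alerts per source IP, taken from the "MM/DD-HH:MM:SS src -> dst" line that follows
# each header; the port (if any) is split off. Output lines: "<count> <ip>"
alerts_by_src() {
    awk '/^[0-9][0-9]\/[0-9][0-9]-/ { split($2, a, ":"); print a[1] }' "$1" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Alerts per priority (1 is most severe). Output lines: "<count> <priority>"
alerts_by_priority() {
    sed -n 's/.*\[Priority: \([0-9]*\)\].*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

echo "alerts: $(alert_count "$ALERT_FILE")"
echo "-- by signature --";  alerts_by_sig "$ALERT_FILE"
echo "-- by source --";     alerts_by_src "$ALERT_FILE"
echo "-- by priority --";   alerts_by_priority "$ALERT_FILE"
```

The counts from this script should track the rows in the event and signature tables once the database output is working; a growing alert file with a static event table points at the output plugin or the MySQL grants rather than at detection.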

………………………

Install BASE (Basic Analysis and Security Engine)
http://base.secureideas.net/

1
Install the required components
1.1
php-pear is required
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
1.2
Download adodb5 and extract it

2
Install BASE
2.1
Download BASE, extract it into the web directory, and cd into that directory
2.2
mv base_conf.php.dist base_conf.php
2.3
Open base_conf.php and set the following (the database name, user and password must match the ones created in the MySQL step):
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb5";
$DBtype = "mysql";
$alert_dbname = "snortdb";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snortuser";
$alert_password = "snortpassword";
ps: $DBlib_path is the directory adodb5 was extracted into (it must contain adodb.inc.php); base_conf.php holds the database password, so make it readable only by the web server user
2.4
Open the BASE page in a browser and follow its instructions to finish the setup