第1章 系统环境说明
1.1 部署环境说明
1.1.1 准备环境
[root@snort ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@snort ~]# uname -r
3.10.0-693.el7.x86_64
1.1.2 程序版本
软件 |
版本 |
snort |
2.9.11.1 |
daq |
2.0.6 |
barnyard2 |
2-1.13 |
base |
1.4.5 |
adodb |
5.20.13 |
mysql |
5.7.23 |
1.2 参考文档
1.2.1 部署搭建文档
https://blog.csdn.net/u013816144/article/details/53729153
1.2.2 规则编写文档
https://blog.csdn.net/qq_28210869/article/details/78886604
第2章 环境初始化
2.1 修改主机名
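# Set the host name; barnyard2.conf ("config hostname") refers to it later.
hostnamectl set-hostname snort

# Register the boot-time start script with rc.local.
# On CentOS 7 rc.local only runs when /etc/rc.d/rc.local carries the execute
# bit, and the script it calls must exist and be executable too; the original
# page appended the path without creating either, so nothing started on boot.
mkdir -p /server/scripts
[ -e /server/scripts/autoStart.sh ] || printf '#!/bin/bash\n' > /server/scripts/autoStart.sh
chmod +x /server/scripts/autoStart.sh /etc/rc.d/rc.local
printf '%s\n' '/server/scripts/autoStart.sh' >> /etc/rc.local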
2.2 关闭防火墙及SELinux
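# Lab-only shortcut: the host firewall and SELinux are switched off so they do
# not interfere with the sensor setup.  On a sensor that stays in service keep
# both enabled and open only what is needed (e.g. httpd for the BASE console).
systemctl stop firewalld
systemctl disable firewalld

# Disable SELinux now (setenforce) and after reboot (config file).  The edit
# is done with sed instead of an interactive vim session so the step can be
# re-run unattended; it rewrites whichever SELINUX= value is present.
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config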
2.3 部署MySQL
第3章 部署IDS
3.1 部署Snort
3.1.1 创建snort用户
# Unprivileged service account for the sensor: no login shell, no home directory.
useradd --shell /sbin/nologin --no-create-home snort
3.1.2 安装依赖程序
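# Build/runtime dependencies for libdnet, daq and snort.
# The wildcard package names are quoted so the shell cannot expand them against
# files in the current directory; yum receives them as patterns, as intended.
yum install -y \
  gcc gcc-c++ flex bison \
  'zlib*' libxml2 'libpcap*' 'pcre*' \
  tcpdump git libtool curl man make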
3.1.3 编译安装libdnet
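# Build and install libdnet from the bundled tarball.
# Each cd is checked so a missing directory does not run the remaining steps
# in whatever directory the shell happened to be in.
cd /server/tools/ || exit 1
tar xf libdnet-libdnet-1.12.tar.gz
cd libdnet-libdnet-1.12/ || exit 1
./configure && make && make install
# Refresh the shared-library cache so the library just installed under the
# default prefix (/usr/local/lib) is visible to daq and snort.  If snort later
# reports a missing libdnet shared object, /usr/local/lib is probably not in
# /etc/ld.so.conf.d on this host — add it there and rerun ldconfig.
ldconfig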
3.1.4 编译安装daq
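# Build and install DAQ, the packet-acquisition library snort is built on.
# cd failures abort the step instead of silently building elsewhere.
cd /server/tools/ || exit 1
tar xf daq-2.0.6.tar.gz
cd daq-2.0.6/ || exit 1
./configure && make && make install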
3.1.5 编译安装snort
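# Build and install snort itself; libdnet and daq must already be installed.
# The original page ran "make" even when ./configure had failed; each step now
# stops the sequence on error.
cd /server/tools/ || exit 1
tar xf snort-2.9.11.1.tar.gz
cd snort-2.9.11.1/ || exit 1
./configure --enable-sourcefire || exit 1
make && make install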
3.1.6 复制配置文件及检测规则
# Seed /etc/snort with the stock configuration from the source tree, then
# unpack the rules snapshot into the same directory (-C).
mkdir -p /etc/snort
cp -- /server/tools/snort-2.9.11.1/etc/* /etc/snort/
tar -x -f /server/tools/snortrules-snapshot-29111.tar.gz -C /etc/snort/
3.1.7 创建配置文件依赖项
# Paths that snort.conf references must exist before "snort -T" is run:
# the log directory, the dynamic-rules directory and the two (empty)
# reputation list files.
mkdir -p /var/log/snort
mkdir -p /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
3.1.8 编辑配置文件
vim /etc/snort/snort.conf
45   ipvar HOME_NET [192.168.10.0/24,192.168.1.0/24]   # 设置嗅探的服务器网络地址,使用CIDR格式
48   ipvar EXTERNAL_NET !$HOME_NET
104  var RULE_PATH /etc/snort/rules
105  var SO_RULE_PATH /etc/snort/so_rules
106  var PREPROC_RULE_PATH /etc/snort/preproc_rules
113  var WHITE_LIST_PATH /etc/snort/rules
114  var BLACK_LIST_PATH /etc/snort/rules
186  config logdir: /var/log/snort
521  output unified2: filename snort.log, limit 128
3.1.9 设置相关目录权限
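# Hand the log, configuration and dynamic-rules directories to the snort user.
chown -R snort:snort /var/log/snort/ /etc/snort/ /usr/local/lib/snort_dynamicrules
# The page had "chown -R 755 ...": chown reads 755 as a numeric owner (UID 755),
# not a mode, so the directory would end up owned by a nonexistent user.
# The intended command is chmod.
chmod -R 755 /usr/local/lib/snort_dynamicrules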
3.1.10 编写测试规则
vim /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"Ping";sid:1000001;rev:1;)
注意 msg 的引号必须是 ASCII 双引号 ",使用中文引号 ” 会导致规则解析失败。
3.1.11 测试snort安装是否成功
# Self-test only (-T): parse snort.conf and the rules without capturing
# traffic, running as the snort user/group on eth0.
snort -T -c /etc/snort/snort.conf -i eth0 -u snort -g snort
- 成功标志:
3.1.12 设置snort开机自启动
# Append the daemonised sensor command to the boot script registered in rc.local.
printf '%s\n' 'snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D' >> /server/scripts/autoStart.sh
- snort参数详解:
- -T:指定启动模式:测试
- -i:指定网络接口
- -u:指定运行用户
- -g:指定运行时用户组
- -c: 指定配置文件
- -q:以静默方式运行
- -D:后台以Daemon方式运行
3.2 部署barnyard2
3.2.1 安装依赖程序
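# Dependencies for barnyard2 (mysql-devel) and for the BASE web console
# (httpd, php and its extensions).  "php-pear" was listed twice on the page;
# the duplicate is dropped.
yum install -y \
  php php-mysql php-adodb php-pear php-gd php-imap php-ldap php-mbstring \
  php-odbc php-xml php-pecl-apc php-mcrypt mcrypt libmcrypt-devel \
  libtool mysql-devel httpd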
3.2.2 编译安装barnyard2
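# Build barnyard2 with MySQL output support.
# Every step is checked so a failed autogen/configure does not fall through
# to "make install".
cd /server/tools/ || exit 1
tar xf barnyard2-2-1.13.tar.gz
cd /server/tools/barnyard2-2-1.13/ || exit 1
./autogen.sh || exit 1
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql || exit 1
make && make install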
3.2.3 创建配置文件依赖项
# Files barnyard2.conf will refer to: its log directory, the waldo bookmark
# file, the sid-msg.map shipped with the rules snapshot, and the sample
# barnyard2.conf from the source tree.
mkdir -p /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
cp -- /etc/snort/etc/sid-msg.map /etc/snort
cp -- /server/tools/barnyard2-2-1.13/etc/barnyard2.conf /etc/snort/
3.2.4 编辑配置文件
vim /etc/snort/barnyard2.conf
54   config logdir: /var/log/snort                    # 日志文件路径
70   config hostname: snort                           # 主机名称
71   config interface: eth0                           # 监听的网卡接口
141  config waldo_file: /var/log/snort/barnyard2.waldo   # waldo文件路径
354  output database: log,mysql,user=snort password=snort dbname=snort host=localhost
     # user:数据库用户名
     # password:数据库用户密码
     # dbname:连接的数据库名称
     # host:数据库IP地址
注意:该文件中以明文保存数据库密码,建议 chmod 640 /etc/snort/barnyard2.conf 限制其他用户读取。
3.2.5 配置相关目录权限
# barnyard2 runs as the snort user too, so it needs the same ownership on the
# configuration and both log directories.
chown -R snort:snort /etc/snort /var/log/snort /var/log/barnyard2
3.2.6 导入数据库文件
cp /server/tools/barnyard2-2-1.13/schemas/create_mysql /tmp/
mysql -uroot -p
mysql> create database snort;
mysql> grant all on snort.* to snort@'localhost' identified by 'snort';
mysql> use snort;
mysql> source /tmp/create_mysql;
mysql> flush privileges;
注意:这里的密码 'snort' 仅为示例,实际部署请换成强密码,并与 barnyard2.conf 第354行中的 password 保持一致。
3.2.7 联合测试
# End-to-end check: start the sensor in the background, then run barnyard2 in
# the foreground so its output (unified2 spool -> MySQL) can be watched.
snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
barnyard2 -c /etc/snort/barnyard2.conf \
  -d /var/log/snort -f snort.log \
  -w /var/log/snort/barnyard2.waldo \
  -g snort -u snort
- 成功标志:
3.2.8 设置barnyard2开机自启动
# Append the daemonised barnyard2 command after the snort line already in the
# boot script, so the spool reader starts once the sensor is up.
printf '%s\n' 'barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -g snort -u snort -D' >> /server/scripts/autoStart.sh
- barnyard2参数详解:
- -c:指定配置文件
- -d:指定log目录
- -f:指定log文件
- -w:指定waldo文件
- -u:指定运行用户
- -g:指定运行时用户组
- -D:后台以Daemon方式运行
3.3 部署adodb和base
3.3.1 安装依赖程序
# PEAR packages BASE uses for mail and graph output.
pear channel-update pear.php.net
pear install \
  mail Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman mail_mime
3.3.2 部署adodb
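# Unpack adodb into the web root where BASE expects it.
# The cd is checked so unzip/mv cannot run against the wrong directory.
cd /server/tools/ || exit 1
unzip adodb-5.20.13.zip
mv adodb5/ /var/www/html/adodb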
3.3.3 部署base
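# Unpack BASE into the web root.
# The cd is checked so tar/mv cannot run against the wrong directory.
cd /server/tools/ || exit 1
tar xf base-1.4.5.tar.gz
mv base-1.4.5 /var/www/html/base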
3.3.4 配置php.ini
vim /etc/php.ini
104  error_reporting = E_ALL & ~E_NOTICE
3.3.5 设置相关目录权限
# The web server account owns the document root; adodb must be traversable.
chown -R apache:apache /var/www/html/
chmod 755 /var/www/html/adodb/
3.3.6 启动apache
# Bring up Apache now and on every boot.
systemctl start httpd
systemctl enable httpd
3.4 配置base
3.5 测试结果
