Snort 2.6 + BASE

Source: Baidu Wenku   Editor: 神马文学网   Time: 2024/04/19 15:45:09
Following the write-up at http://www.linuxsir.org/bbs/showthread.php?t=180397
First install the libpcap-0.9.3 library as described in the BOOK; the INSTALL document in the Snort tarball asks for it as well.
Step 1: Installing Snort
1. Install Snort. configure was run with three options: --prefix, --sysconfdir and --with-mysql.
2. Add the user and group Snort will drop privileges to (no home directory, no login shell):
groupadd -g 52 snort
useradd -d /dev/null -c "Snort IDS" -g snort -s /bin/false -u 52 snort
3. mkdir /etc/snort              // configuration directory
mkdir /etc/snort/rules           // rules directory
mkdir /var/log/snort             // log directory
cp etc/* /etc/snort              // copy the configuration files from etc/ in the source tree; leave out the Makefile* files
(cp rules/* /etc/snort/rules)    // copy the rules... except there is no rules directory in the source tree, annoyingly. Since Snort 2.4 the rule set is no longer shipped with the source tarball; it is downloaded separately from snort.org (see Step 3).
4. Change var HOME_NET 10.2.2.0/24   // to the network segment you are monitoring
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
Remove the leading # from the following line and change it to read:
output database: log, mysql, user=snort password=snort dbname=snort host=localhost   // write Snort alerts to the MySQL database snort as user snort. This puts the database password in clear text in snort.conf, so keep the file readable only by root and the snort group (chown root:snort, chmod 640) and use a real password rather than "snort".
5. Create the database and the database user snort
mysql> create database snort;
Query OK, 1 row affected (0.01 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.02 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('snort');
Query OK, 0 rows affected (0.25 sec)
Two grants from the original steps are left out on purpose. "grant INSERT,SELECT on root.* to snort@localhost;" (a line that also appears in the Snort manual's example) refers to a database called root that does not exist, so it grants nothing useful. "grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;" has no host part, so it creates snort@'%' and lets the account log in from any host. snort.conf connects with host=localhost, so snort@localhost is all that is needed.
Import the schema:
mysql -u root -p snort < ./schemas/create_mysql
When it finishes, list the tables in the database to confirm they were created. OK.
Snort is installed.
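Steps 1 to 5 above as one script, added here as an example; it is not part of the original post. The system-changing part (creating the account and directories, importing the schema) runs only when invoked as `sh snort_setup.sh install <source tree>` and needs root. The function that edits snort.conf and the one that prints the SQL grants can be run against a scratch copy without root. Assumed: the MySQL password comes from the environment variable SNORT_DB_PASS, HOME_NET is 10.2.2.0/24 as in the post, and the source tree's etc/ and schemas/ directories are where Snort 2.6 ships them.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-5 above as reusable
# functions.  Assumptions: the snort-2.6 source tree is given as the second
# argument (default: current directory), the MySQL password is taken from
# $SNORT_DB_PASS, HOME_NET is 10.2.2.0/24 as in the post.  Only
# "sh snort_setup.sh install" touches the system (as root).
set -eu

SNORT_ETC=/etc/snort
SNORT_LOG=/var/log/snort
SNORT_ID=52

# The unprivileged account Snort drops to with -u snort -g snort:
# no home, no shell, fixed uid/gid.
create_snort_user() {
    getent group snort >/dev/null 2>&1 || groupadd -g "$SNORT_ID" snort
    getent passwd snort >/dev/null 2>&1 || \
        useradd -d /dev/null -c "Snort IDS" -g snort -s /bin/false -u "$SNORT_ID" snort
}

# snort.conf carries the MySQL password, so /etc/snort is root:snort 750;
# the log directory belongs to snort so the de-privileged process can write it.
make_dirs() {
    mkdir -p "$SNORT_ETC/rules" "$SNORT_LOG"
    chown -R root:snort "$SNORT_ETC"
    chmod 750 "$SNORT_ETC" "$SNORT_ETC/rules"
    chown snort:snort "$SNORT_LOG"
    chmod 750 "$SNORT_LOG"
}

# Copy the shipped configuration files (etc/ in the source tree), not the Makefiles.
install_conf_files() {
    find "$1/etc" -maxdepth 1 -type f ! -name 'Makefile*' -exec cp {} "$SNORT_ETC"/ \;
}

# Step 4 as a single edit: HOME_NET, RULE_PATH, and the commented mysql output
# line turned on with our credentials.  Args: snort.conf, home net, rule path, db password
patch_snort_conf() {
    sed -e "s|^var HOME_NET .*|var HOME_NET $2|" \
        -e "s|^var RULE_PATH .*|var RULE_PATH $3|" \
        -e "s|^# *output database: log, mysql.*|output database: log, mysql, user=snort password=$4 dbname=snort host=localhost|" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    chmod 640 "$1"
}

# Least-privilege grants: only the snort database, only from localhost.
# No grant on root.* and no host-less "to snort" (which would be snort@'%').
# GRANT ... IDENTIFIED BY is MySQL 5.7-and-earlier syntax (the era of this post);
# on MySQL 8.0 run CREATE USER first.  Arg: db password.  Prints SQL on stdout.
snort_db_sql() {
    cat <<EOF
CREATE DATABASE IF NOT EXISTS snort;
GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO 'snort'@'localhost' IDENTIFIED BY '$1';
FLUSH PRIVILEGES;
EOF
}

if [ "${1:-}" = "install" ]; then
    SRC=${2:-.}                         # unpacked snort-2.6.x source tree
    DBPASS=${SNORT_DB_PASS:?set SNORT_DB_PASS to the password for snort@localhost}
    create_snort_user
    make_dirs
    install_conf_files "$SRC"
    patch_snort_conf "$SNORT_ETC/snort.conf" 10.2.2.0/24 "$SNORT_ETC/rules" "$DBPASS"
    snort_db_sql "$DBPASS" | mysql -u root -p
    mysql -u root -p snort < "$SRC/schemas/create_mysql"   # schema shipped with Snort
fi
```

The sed patterns match the lines exactly as they appear in the stock 2.6 snort.conf (`var HOME_NET any`, `var RULE_PATH ../rules`, and the commented `# output database: log, mysql, ...` example), so running the script twice is harmless.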
I then tried the Snort user manual posted on linuxsir, http://www.linuxsir.org/bbs/showthread.php?t=134093&highlight=snort
It captures packets, but it cannot work as a NIDS yet: I have no rule set, no rules at all.
Step 2: BASE
1. Download JPGraph, BASE and ADOdb. I spent a whole afternoon on my own machine without managing to download them and finally fetched them on a colleague's machine, all the latest versions.
Unpack all of them under the Apache document root, into the directories adodb, base and jpgraph respectively.
cd /srv/www/htdocs/; chmod 777 base    // make the base directory writable. This is more than BASE needs: it only has to write to its directory if you let its web setup page generate base_conf.php, and the file is copied by hand in the next step. 777 also leaves the web application's own files writable by every local user; read access for the web server (750 on the directory, 640 on the files, owned by root with the web server's group) is enough.
cd base; cp base_conf.php.dist base_conf.php     // copy the PHP configuration file
Browse to http://localhost/base/; it reports:
Error loading the DB Abstraction library: from "/adodb.inc.php"
Check the DB abstraction library variable $DBlib_path in base_conf.php
Set $DBlib_path = '/srv/www/htdocs/adodb' in base_conf.php under the base directory; that fixes it. (ADOdb does not have to live under the document root. A directory outside it, such as /srv/www/adodb, works just as well and keeps the library's files from being served directly.)
Trying again gives a database connection error. Set $alert_dbname and $alert_password (and $alert_user, if it differs) in base_conf.php to match the snort database, try again, and the BASE page comes up with:
The underlying database snort@localhost appears to be incomplete/invalid.
The database version is valid, but the BASE DB structure (table: acid_ag) is not present. Use the Setup page to configure and optimize the DB
The database is not fully set up yet: click Setup, then "Create BASE AG", and the extra tables BASE needs are created. Back to the BASE main page, OK.
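The same BASE configuration as above without the chmod 777 and with ADOdb moved out of the document root, added here as an example; it is not from the original post. Assumed: SUSE-style paths (/srv/www/htdocs) as in the post, an Apache group called www, and /srv/www/adodb as the new ADOdb location; all three are guesses to adjust for your system. The edits to base_conf.php match the assignment lines as they appear in base_conf.php.dist.

```shell
#!/bin/sh
# Added example (not from the original post): the BASE setup above, but with
# read-only permissions for the web server and ADOdb outside the document root.
# Assumptions: Apache document root /srv/www/htdocs, Apache group "www",
# ADOdb moved to /srv/www/adodb.  Only "sh base_setup.sh install" touches the system.
set -eu

# Point $DBlib_path in base_conf.php at the ADOdb tree.  Anchored on the
# assignment line, so the commented "e.g. $DBlib_path = ..." hint in
# base_conf.php.dist is left alone.  Args: base_conf.php, adodb dir
set_dblib_path() {
    sed -e 's#^\$DBlib_path *=.*#$DBlib_path = "'"$2"'";#' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Fill in the alert database settings (the "snort" MySQL database created
# during the Snort install).  Passwords containing & # or \ would need
# escaping for sed.  Args: base_conf.php, dbname, user, password
set_alert_db() {
    sed -e 's#^\$alert_dbname *=.*#$alert_dbname   = "'"$2"'";#' \
        -e 's#^\$alert_user *=.*#$alert_user     = "'"$3"'";#' \
        -e 's#^\$alert_password *=.*#$alert_password = "'"$4"'";#' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The web server only has to read BASE and ADOdb, never write them:
# directories 750, files 640, owned by root with the web server's group.
# BASE writes to its directory only when its web setup page generates
# base_conf.php; the file is copied by hand here instead.  Args: dir, webgroup
lock_down_dir() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
    # chown needs root; skipped when run as an ordinary user
    if [ "$(id -u)" -eq 0 ]; then chown -R "root:$2" "$1"; fi
}

# Exit 0 if the path still has the world-writable bit (what chmod 777 left behind).
world_writable() {
    [ -n "$(find "$1" -prune -perm -002)" ]
}

if [ "${1:-}" = "install" ]; then
    WEBROOT=/srv/www/htdocs        # Apache document root on SUSE, as in the post
    ADODB=/srv/www/adodb           # outside the document root (assumption)
    WEBGROUP=www                   # Apache's group on SUSE (assumption)
    DBPASS=${BASE_DB_PASS:?set BASE_DB_PASS to the password of snort@localhost}
    # adodb was unpacked under the document root; move it out
    if [ -d "$WEBROOT/adodb" ]; then mv "$WEBROOT/adodb" "$ADODB"; fi
    cp "$WEBROOT/base/base_conf.php.dist" "$WEBROOT/base/base_conf.php"
    set_dblib_path "$WEBROOT/base/base_conf.php" "$ADODB"
    set_alert_db "$WEBROOT/base/base_conf.php" snort snort "$DBPASS"
    lock_down_dir "$WEBROOT/base" "$WEBGROUP"
    lock_down_dir "$ADODB" "$WEBGROUP"
fi
```

After this the "Create BASE AG" step is still done through the Setup page; it only needs the database privileges granted earlier, not write access to the web directory.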
Step 3: starting Snort in IDS mode
snort -c /etc/snort/snort.conf -g snort    (adding -u snort as well makes Snort drop to the snort user, not only the group) gives the error:
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
ERROR: /etc/snort/snort.conf(182) => Unknown rule type: dynamicpreprocessor
Fatal Error, Quitting..          I assumed this was because I had no rule set, since my rules directory was completely empty.
I downloaded snortrules-pr-2.4.tar.gz, which should be the 2.4 rules, unpacked it into /etc/snort/rules and tried again. (Rule sets are published per Snort version line, so the 2.6 set is the one to use with Snort 2.6 when you can get it.)
Same problem. Looking closer, it really is line 182 of snort.conf that Snort chokes on, not the rules.
A search turned up http://cache.baidu.com/c?word=error%3B%3A%2Cetc%2Csnort%2Csnort%3B%2E%3Bconf%2C182%2Cunknown%2Crule%2Ctype%3B%3A%2Cdynamicpreprocessor&url=http%3A//www%2Ec%2Darticle%2Ecom/get/Linux%2Dc924/snort%2Da3389119%5F1%2Ehtml&b=55&a=17&user=baidu which explains that this is new in 2.6: the stock snort.conf loads the dynamic preprocessors, so Snort has to be built with --enable-dynamicplugin or it does not even recognise the dynamicpreprocessor keyword. (The other way out is to comment out the dynamicpreprocessor and dynamicengine lines in snort.conf, at the cost of losing those preprocessors.) Otherwise, no luck. Ugh.
So, reinstall. I found http://www.linuxdoc.cn/bbs/viewthread.php?tid=188&page=1&sid=h1QMh8xs and reinstalled with the configure options from that article:
./configure --with-mysql --enable-rulestate  --enable-flexresp --with-libpcre-includes=/usr/include  --with-libpcap-libraries=/usr/lib  --with-libpcap-includes=/usr/include --with-libpcre-libraries=/usr/lib --enable-dynamicplugin --enable-inline --enable-ipfw --enable-react --prefix=/usr
Error: configure wants libnet: configure: error: "libnet 1.0.x could not be found.  please download and install the library from http://www.packetfactory.net/libnet/"
I downloaded libnet-1.1.2.1.tgz. That package was not built from source, annoyingly, so all I could do was copy the files from its include, lib and bin directories into /usr, add the libnet paths to the configure options and try again.
Still no good. Note the version in the error message: the flexresp code is written against the libnet 1.0.x API (1.0.2a), and libnet 1.1.x is not API-compatible, so configure rejects it no matter where it is installed. Another search, http://www.3our.cn/pconline/network/html/2004825/258200412947_1.htm, showed that libnet is only pulled in by --enable-flexresp (the same goes for --enable-react). Dropped it, tried again.
Still failing, hopeless. (--enable-inline needs libipq from the iptables development package, and --enable-ipfw is for BSD's ipfw; neither belongs on a plain Linux sensor.) I removed everything else and kept only three options: --with-mysql --enable-dynamicplugin --prefix=/usr. If this does not work either, I am going to scream...
Sure enough, that did it :). While at it I changed the BASE language in base_conf.php, $BASE_Language='simplified_chinese', but then the page came up empty. Switching back to english brought it back. Rude.
make && make install done; snort -c /etc/snort/snort.conf -g snort again, and now:
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... ERROR: Failed to load /usr/local/lib/snort_dynamicengine/libsf_engine.so: /usr/local/lib/snort_dynamicengine/libsf_engine.so: cannot open shared object file: No such file or directory
Fatal Error, Quitting.
This time the files are there, just under /usr/lib: with --prefix=/usr the dynamic engine and preprocessors are installed to /usr/lib/snort_dynamicengine/ and /usr/lib/snort_dynamicpreprocessor/, while the shipped snort.conf hard-codes /usr/local/lib on the "dynamicengine" and "dynamicpreprocessor directory" lines. Only the directory is wrong.
vi /etc/snort/snort.conf    Fixed both paths, tried again, and it starts. It still prints:
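A pre-flight check for the mismatch just described, added here as an example and not part of the original post: it lists every dynamic plugin path snort.conf refers to, reports the ones that do not exist on disk, and rewrites the hard-coded /usr/local/lib to the configured prefix on the active dynamic* lines only. Assumed: "make install" placed the plugins under $prefix/lib/snort_dynamicengine and $prefix/lib/snort_dynamicpreprocessor, as it does for Snort 2.6.

```shell
#!/bin/sh
# Added example (not from the original post): check and fix the dynamic plugin
# paths in snort.conf before starting Snort.  The shipped 2.6 snort.conf
# hard-codes /usr/local/lib, which is wrong for any other --prefix (here /usr).
# Assumption: plugins live under $prefix/lib as "make install" puts them.
set -eu

# Print the path from every active dynamicengine / dynamicpreprocessor /
# dynamicdetection line, with or without the "directory" or "file" keyword.
dynamic_paths() {
    sed -n -E \
        -e '/^dynamic(engine|preprocessor|detection)[[:space:]]/!d' \
        -e 's/^[^[:space:]]+[[:space:]]+//' \
        -e 's/^(directory|file)[[:space:]]+//' \
        -e 's/[[:space:]].*$//' \
        -e 'p' "$1"
}

# Report every referenced plugin path that is missing on disk; return 1 if any.
# This catches "cannot open shared object file" before snort -c does.  Arg: snort.conf
check_dynamic_paths() {
    rc=0
    for p in $(dynamic_paths "$1"); do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# Rewrite /usr/local/lib/ to $prefix/lib/ on the active dynamic* lines only;
# commented lines and everything else are untouched.  Args: snort.conf, prefix
fix_dynamic_paths() {
    sed -E -e '/^dynamic(engine|preprocessor|detection)[[:space:]]/ s#/usr/local/lib/#'"$2"'/lib/#' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

if [ "${1:-}" = "fix" ]; then
    CONF=${2:-/etc/snort/snort.conf}
    PREFIX=${3:-/usr}
    check_dynamic_paths "$CONF" || fix_dynamic_paths "$CONF" "$PREFIX"
    check_dynamic_paths "$CONF" && echo "all dynamic plugin paths in $CONF exist"
fi
```

Usage: `sh snort_paths.sh fix /etc/snort/snort.conf /usr`. Paths containing spaces are not handled by the word-split loop in check_dynamic_paths, which is fine for the stock configuration.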
Not Using PCAP_FRAMES, the same as in sniffer mode. Out of ideas, I posted on linuxsir for help.
I installed nmap and scanned myself, and also downloaded X-scan (have not touched it in four years) and scanned 0.3 with it, with Snort running of course. Opening /base/ afterwards, the events had all been recorded. Not bad.
06-10-30:
On the BASE pages, the graphing feature complained that the Image_Graph library was missing. I downloaded Image_Graph-0.7.2.tgz,
unpacked it and put the folder under htdocs/Image, but the browser still would not load it. After some searching, the way to install it is through PEAR:
pear install Image_Color
downloading Image_Color-1.0.2.tgz ...
Starting to download Image_Color-1.0.2.tgz (7,724 bytes)
.....done: 7,724 bytes
install ok: Image_Color 1.0.2
root:/srv/www/htdocs# pear install Log
downloading Log-1.9.9.tgz ...
Starting to download Log-1.9.9.tgz (39,028 bytes)
..........done: 39,028 bytes
Optional dependencies:
package `DB' version >= 1.3 is recommended to utilize some features.
package `MDB2' version >= 2.0.0RC1 is recommended to utilize some features.
install ok: Log 1.9.9
pear install Image_Canvas
No release with state equal to: 'stable' found for 'Image_Canvas'
pear install Image_Graph
No release with state equal to: 'stable' found for 'Image_Graph'
root:/srv/www/htdocs# pear install /home/ftp/pub/Image_Graph-0.7.2.tgz
requires package `Image_Canvas' >= 0.3.0
Image_Graph: Dependencies failed
So download Image_Canvas-0.3.0.tgz first (neither package has a stable release, which is why "pear install" by name refuses them and a local tarball is needed):
pear install /home/ftp/pub/Image_Canvas-0.3.0.tgz
install ok: Image_Canvas 0.3.0
pear install /home/ftp/pub/Image_Graph-0.7.2.tgz
Optional dependencies:
package `Numbers_Roman‘ is recommended to utilize some features.
package `Numbers_Words‘ is recommended to utilize some features.
install ok: Image_Graph 0.7.2
pear install Numbers_Roman
downloading Numbers_Roman-0.2.0.tgz ...
Starting to download Numbers_Roman-0.2.0.tgz (3,753 bytes)
....done: 3,753 bytes
install ok: Numbers_Roman 0.2.0
pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
downloading Numbers_Words-0.13.1.tgz ...
Starting to download Numbers_Words-0.13.1.tgz (44,185 bytes)
............done: 44,185 bytes
install ok: Numbers_Words 0.13.1
pear install /home/ftp/pub/Image_Graph-0.7.2.tgz
Image_Graph already installed
root:/srv/www/htdocs# pear list
Installed packages:
===================
Package              Version State
Archive_Tar          1.1     stable
Console_Getopt       1.2     stable
HTML_Template_IT     1.1     stable
Image_Canvas         0.3.0   alpha
Image_Color          1.0.2   stable
Image_Graph          0.7.2   alpha
Log                  1.9.9   stable
Net_UserAgent_Detect 2.0.1   stable
Numbers_Roman        0.2.0   stable
Numbers_Words        0.13.1  beta
PEAR                 1.3.5   stable
XML_RPC              1.2.2   stable
All installed.
About "Not Using PCAP_FRAMES": a Google search gave the answer. The message only says whether Snort was started with PCAP_FRAMES set or not; enabling it improves capture performance.
To enable it, set an environment variable before starting Snort:
export PCAP_FRAMES=max
Answer from http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/rc1/node27.html. One caveat: the variable is only honoured by the memory-mapped (ring buffer) libpcap from Phil Wood that the Snort INSTALL notes point to. The stock tcpdump.org libpcap ignores it, so with that build the message is harmless and setting the variable only silences it.