既然大家都謙虛, 那我就來說一下我的實作過程筆記吧!
hardware cpu:p4 2.xG ram:1G hd:夠大
os:rh enterprise as 4
1. 安裝mysql 5.0.15.......用來儲存snort log
解tar完後, 按照文件指示的方法安裝
#cd mysql-5.0.15
#./configure --prefix=/usr/local/mysql
#make
#make install
加一下mysql group & user
#groupadd mysql
#useradd -g mysql mysql
copy my.conf
#cp support-files/my-medium.cnf /etc/my.cnf
#cp support-files/mysql.server /etc/init.d/mysqld
#ln -s /etc/init.d/mysqld /etc/rc.d/rc2.d/S98mysqld
建立DB
#/usr/local/mysql/bin/mysql_install_db --user=mysql
大致上mysql就應該能跑了
#/etc/init.d/mysqld start
2. 安裝snort所需要的lib......libnet libipq libpcre
大致上都是照著一班步驟安裝(libpcre libnet<--注意:要用1.0.X版)
#./configure --prefix=/usr/local
#make;make install
libipq
download iptables
#make
#make install-devel
3. 所需要的lib安裝完以後可能需要更新kernel header
download kernel source
#ln -s linux-2.6.9 linux (假設所在目錄是/usr/src)
#mv /usr/include/linux /usr/include/linux.org
#ln -s /usr/src/linux/include/linux /usr/include/linux
4. 好了終於要安裝主角snort
snort從2.3.0 rc1開始整合了ips功能(inline mode)
download snort 2.4.3-tar.gz
#tar zxf snort-2.4.3-tar.gz
#cd snort-2.4.3
#./configure --prefix=/usr/local/snort --with-mysql=/usr/local/mysql --enable-inline --with-libpcre-includes=/usr/local/include --with-libpcre-libraries=/usr/local/lib --with-libnet-includes=/usr/local --with-libnet-libraries=/usr/local
#make
#make install
#cd etc;cp * /etc/snort
downlaod rules
#tar zxf snortrules-xx.xx.xx
#cd /usr/local/snort/bin
#ldd snort-----------看看有什麼lib沒連結到, 修改完ld.so.conf
#ldconfig
加個snort user
#groupadd snort
#useradd -g snort snort
替snort建一個log目錄.......當然這也是可以設定的
#mkdir /var/log/snort
#chown snort.snort /var/log/snort
修改一下/etc/snort/snort.conf的一些參數 RULE_PATH output.....etc視你的環境決定
使用mysql在/etc/snort/snort.conf中加入
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
當然mysql也要作一些手腳
mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
>Query OK, 0 rows affected (0.25 sec)
mysql> create database snort;
>Query OK, 1 row affected (0.01 sec)
mysql> grant INSERT,SELECT on root.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password_from_snort.conf');
>Query OK, 0 rows affected (0.25 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
>Query OK, 0 rows affected (0.02 sec)
mysql> exit
mysql -u root -p < ~/snort-2.4.3/schemas/create_mysql snort
5. 準備啟動snort啦
首先load module ip_queue......很重要, 因為snort會從iptables queue讀封包進來(kernel space->user space)然後告訴iptables drop封包
#modprobe ip_queue<-------如果沒有的話可能要重新build kernel
#/usr/local/snort/bin/snort -QDc /etc/snort/snort.conf -l /var/log/snort 終於啟動了
#tail -f /var/log/messages 看一下有沒有初使化成功
6. 設定iptables
我們要將特定的traffic交給snort看看是不是有入侵行為
ex:
#iptables -A INPUT -p tcp --dport 80 -j QUEUE
snort在inline mode時只會處理action為drop的rule, 所以假如還需要ids就必須要在跑另一隻snort
如此大致上一個snort ips就算完成了, 以後還能用db的資料去作關聯分析去分析攻擊者的行為,或是調整誤判行為......重要!!!要不然user可是會抓狂喔
只是筆記,沒有嚴謹的步驟也沒有多次的校驗,如有錯誤請大家批評指教
[ianchang999 在 2005-10-26 11:59 PM 作了最後編輯]
|
