centos6.7下snort2.9.9.0+base+barnyard2的安装
2024-05-25 21:46:48
0x01 YUM源准备
阿里云Linux安装镜像源地址:http://mirrors.aliyun.com/
第一步:备份原镜像文件
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
第二步:下载CentOS-Base.repo 到/etc/yum.repos.d/
CentOS 5
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-5.repo
CentOS 6
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo第三步:运行yum makecache生成缓存并更新yum
yum clean all
yum makecache
yum -y update0x02开始安装我们的IDS
0x02.1依赖包部分
使用PUT 上传我们的所需要的安装包,以下是本次安装涉及到的安装包。
- snortrules-snapshot-2990.tar.gz----snort规则库
- snort-2.9.9.0.tar.gz-----snort主程序
- libpcap-1.8.1.tar.gz
- libdnet-1.12.tgz
- daq-2.0.6.tar.gz
- base-1.4.5.tar.gz
- barnyard2-1.9.tar.gz
- adodb-5.20.9.zip
一共八个安装包,上传至服务器。
开始安装依赖包
yum install -y epel-release
yum install -y gcc gcc-c++ flex bison zlib* libxml2 libpcap* pcre* tcpdump git libtool curl man make第一步:先开始安装libdnet
cd centos6.7-snort
tar zxvf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make && make install第二步:安装libpcap
tar -zxvf libpcap-1.8.1.tar.gz
cd libpcap-1.8.1
./configure
make && make install第三步:安装daq
tar zxvf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make && make install0x02.2开始安装snort
与上文相同。
tar zxvf snort-2.9.9.0.tar.gz cd snort-2.9.9.0./configure make && make install安装完成后,配置snort
第一步:先创建配置文件目录,复制配置文件
mkdir /etc/snort
cp /root/centos6.7-snort/snort-2.9.9.0/etc/* /etc/snort/第二步:复制规则库至配置文件目录
cd /etc/snort/
cd /root/centos6.7-snort
tar zxvf snortrules-snapshot-2990.tar.gz
mv so_rules/ /etc/snort/
mv rules/ /etc/snort/
mv preproc_rules/ /etc/snort/
mv etc/ /etc/snort/
cd /etc/snort/
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules第二步中的touch文件的作用是什么呢?这个是因为snort在启动时会检查这两个文件,要是大家想搞清楚,可以先不touch,先运行一下snort,看看他的报错信息,然后看看配置文件,就知道为什么这里要创建这两个文件了
第三步:创建snort运行用户
groupadd -g 4000 snort
useradd snort -u 4000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
chown -R snort:snort /etc/snort/*
chown -R snort:snort /var/log/snort第四步:配置snort.conf文件
(一)、修改rules的路径
var RULE_PATH ../rules ---> var RULE_PATH /etc/snort/rules
var SO_RULE_PATH ../so_rules ---> var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH ../preproc_rules ---> var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH ../rules ---> var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH ../rules ---> var BLACK_LIST_PATH /etc/snort/rules(二)、修改log目录
# config logdir: ---> config logdir:/var/log/snort(三)、修改输出配置
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types ---> output unified2: filename snort.log, limit 128第五步:创建链接文件,并赋予权限
cd /usr/bin/
ln -s /usr/local/bin/snort snort
mkdir /usr/local/lib/snort_dynamicrules
chown snort:snort /usr/local/lib/snort_dynamicrules/
chown -R snort:snort /usr/local/lib/snort_dynamicrules/
chmod -R 755 /usr/local/lib/snort_dynamicrules/第六步:创建测试数据规则
vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:”Ping”;sid:1000003;rev:1;)以上就是snort的安装过程和配置过程,安装完成后,大家可以使用以下命令来确认是否安装成功
snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -A console0x02.2barnyard2部分
由于barnyard2的主要功能是将snort的事件写入数据库,所以我们这一块分两部分,一个是数据库的安装配置,还有一个就是barnyard2的安装配置。
0x02.2.1安装数据库
第一步:安装数据库,并设置数据库的状态和密码
yum -y install mysql-server mysql-devel php-mysql php-adodb php-pear php-gd libtool php-imap php-ldap php-mbstring php-odbc php-pear php-xml php-pecl-apcchkconfig --levels 235 mysqld onservice mysqld start
/usr/bin/mysqladmin -u root password 'root'第二步:创建数据库及操作用户
create database snort;
create user 'snort'@'localhost' identified by 'snort';
grant create,select,update,insert,delete on snort.* to snort@localhost identified by 'snort';
set password for snort@localhost=password('snort');
source /root/centos6.7-snort/barnyard2-1.9/schemas/create_mysql;
flush privileges;上面命令中的source就是barnyard2自带的一个mysql的脚本,大家可以在源码包的schemas中找到。
0x02.2.2安装barnyard2
第一步:开始安装barnyard2,并复制配置文件
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
make && make install
mkdir /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown -R snort:snort /var/log/snort/barnyard2.waldo
cp /root/centos6.7-snort/barnyard2-1.9/etc/barnyard2.conf /etc/snort/第二步:修改配置文件
#config logdir: /tmp ---> config logdir: /var/log/barnyard2
#config hostname: thor ---> config hostname: localhost
#config interface: eth0 ---> config interface: eth0
#config waldo_file: /tmp/waldo ---> config waldo_file: /var/log/snort/barnyard2.waldo
# output database: log, mysql, user=root password=test dbname=db host=localhost --->
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
以上就是我们barnyard2的安装部分
0x03联合运行snort和barnyard2
这里需要有一个地方注意,就是我们最好先运行barnyard2,然后再运行snort,因为barnyard2会先监听有没有新数据产生。
第一步:先运行barnyard2
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -g snort -u snort第二步:运行snort
snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D0x03.1查看barnyard2结果
[root@snort centos6.7-snort]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -g snort -u snort
Running in Continuous mode--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
ERROR: Unable to open SID file '/etc/snort/sid-msg.map' (No such file or directory)
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = localhost:eth0
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility--== Initialization Complete ==--______ -*> Barnyard2 <*-/ ,,_ \ Version 2.1.9 (Build 263)|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php+ '''' + (C) Copyright 2008-2010 SecurixLive.Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html(C) Copyright 1998-2007 Sourcefire Inc., et al.WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Opened spool file '/var/log/snort/snort.log.1500636770'
07/21-19:32:50.946642 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
Waiting for new data
Closing spool file '/var/log/snort/snort.log.1500636770'. Read 2 records
Opened spool file '/var/log/snort/snort.log.1500636807'
07/21-19:33:27.973221 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
Waiting for new data
07/21-19:33:28.960111 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:29.967876 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:30.899934 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.81.229.151 -> 192.170.40.52
07/21-19:33:30.957175 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:31.965832 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:32.958331 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:33.965026 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:34.956528 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:35.965217 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:36.901655 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 222.72.118.69 -> 192.170.40.52
07/21-19:33:36.971852 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:37.978949 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:38.859376 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {UDP} 157.56.106.184:3544 -> 192.170.40.30:55941
07/21-19:33:38.986988 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
0x03.2查看数据库的情况
[root@snort centos6.7-snort]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -g snort -u snort
Running in Continuous mode--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
ERROR: Unable to open SID file '/etc/snort/sid-msg.map' (No such file or directory)
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = localhost:eth0
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility--== Initialization Complete ==--______ -*> Barnyard2 <*-/ ,,_ \ Version 2.1.9 (Build 263)|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php+ '''' + (C) Copyright 2008-2010 SecurixLive.Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html(C) Copyright 1998-2007 Sourcefire Inc., et al.WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Opened spool file '/var/log/snort/snort.log.1500636770'
07/21-19:32:50.946642 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
Waiting for new data
Closing spool file '/var/log/snort/snort.log.1500636770'. Read 2 records
Opened spool file '/var/log/snort/snort.log.1500636807'
07/21-19:33:27.973221 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
Waiting for new data
07/21-19:33:28.960111 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:29.967876 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:30.899934 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.81.229.151 -> 192.170.40.52
07/21-19:33:30.957175 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:31.965832 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:32.958331 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:33.965026 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:34.956528 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:35.965217 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:36.901655 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 222.72.118.69 -> 192.170.40.52
07/21-19:33:36.971852 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:37.978949 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52
07/21-19:33:38.859376 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {UDP} 157.56.106.184:3544 -> 192.170.40.30:55941
07/21-19:33:38.986988 [**] [1:1000003:1] Snort Alert [1:1000003:0] [**] [Classification ID: (null)] [Priority ID: 0] {ICMP} 218.109.1.233 -> 192.170.40.52mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -ADatabase changed
mysql> select * from e
edit encoding encoding.encoding_type encoding_type event.cid event.signature exit
ego encoding.encoding_text encoding_text event event.sid event.timestamp
mysql> select * from event;
+-----+-----+-----------+---------------------+
| sid | cid | signature | timestamp |
+-----+-----+-----------+---------------------+
| 1 | 1 | 1 | 2017-07-21 19:32:50 |
| 1 | 2 | 1 | 2017-07-21 19:33:27 |
| 1 | 3 | 1 | 2017-07-21 19:33:28 |
| 1 | 4 | 1 | 2017-07-21 19:33:29 |
| 1 | 5 | 1 | 2017-07-21 19:33:30 |
| 1 | 6 | 1 | 2017-07-21 19:33:30 |
| 1 | 7 | 1 | 2017-07-21 19:33:31 |
| 1 | 8 | 1 | 2017-07-21 19:33:32 |
| 1 | 9 | 1 | 2017-07-21 19:33:33 |
| 1 | 10 | 1 | 2017-07-21 19:33:34 |
| 1 | 11 | 1 | 2017-07-21 19:33:35 |
| 1 | 12 | 1 | 2017-07-21 19:33:36 |
| 1 | 13 | 1 | 2017-07-21 19:33:36 |
| 1 | 14 | 1 | 2017-07-21 19:33:37 |
| 1 | 15 | 1 | 2017-07-21 19:33:38 |
| 1 | 16 | 1 | 2017-07-21 19:33:38 |
| 1 | 17 | 1 | 2017-07-21 19:33:39 |
| 1 | 18 | 1 | 2017-07-21 19:33:40 |
+-----+-----+-----------+---------------------+程序运行成功,现在开始安装web页面base。
0x04安装base
第一步:先安装LMAP环境
yum install -y httpd mysql-server php php-mysql php-mbstring php-mcrypt mysql-devel php-gd第二步:安装pear插件
yum install -y php-pear
pear upgrade pear
pear channel-update pear.php.net
pear install mail
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
pear install mail_mime第三步:安装adodb
unzip adodb-5.20.9.zip
mv ./adodb5 /var/www/html/第四步:安装base
tar zxvf base-1.4.5.tar.gz
mv base-1.4.5 /var/www/html/base第五步:配置PHP错误信息,并赋予权限
vi /etc/php.ini
修改error_reporting 为 E_ALL & ~E_NOTICE chown -R apache:apache /var/www/html
chmod 755 /var/www/html
第六步:开启服务,并关闭防火墙
service mysqld restart
service httpd resatrt
service iptables stop第七步:关闭selinux(这步不做很可能造成无法打开页面)
setenforce 0
vi /etc/selinux/config
将SELINUX=enforcing改为SELINUX=disabled第八步:打开base页面,并进行配置
安装完成
centos6.7下snort2.9.9.0+base+barnyard2的安装相关推荐
- VMware下OSSIM 5.2.0的下载、安装和初步使用(图文详解)
入门阶段不建议选用最新的版本. 采用OSSIM 4.11 到 OSSIM5.0.3 之间任何版本做实验,sensor的状态都会是"V". 建议,入门,采用OSSIM5.0.0 ...
- 基于CentOS6.5下snort+barnyard2+base的入侵检测系统的搭建(图文详解)(博主推荐)...
为什么,要写这篇论文? 是因为,目前科研的我,正值研三,致力于网络安全.大数据.机器学习研究领域! 论文方向的需要,同时不局限于真实物理环境机器实验室的攻防环境.也不局限于真实物理机器环境实验室的大数 ...
- [IDS]CentOS6.6下搭建基于snort+barnyard2+base的入侵检测系统,超详细!!!
最详细的CentOS6.6下搭建基于snort+barnyard2+base的入侵检测系统 免责声明 一.如果因为使用本文档照成损失(系统崩溃.数据丢失等),作者不承担任何责任. 二.本文档只是个人使 ...
- 【Zabbix】CentOS6.9系统下部署Zabbix-server 3.0
[Zabbix]CentOS6.9系统下部署Zabbix-server 3.0 目录 安装Zabbix 关闭selinux 删除旧版本MySQL5.1数据库 安装MySQL 5.6数据库 安装PHP ...
- centOS6.5下openfoam-2.4.0安装及并行实现
在华为云进行openfoam并行测试,采用nfs共享进行openfoam-2.4.0的安装并行. 系统为centOS6.5,只支持openfoam-2.4.0以下版本的源代码编译. 参考: https ...
- centos6.8下安装部署LNMP(备注:nginx1.8.0+php5.6.10+mysql5.6.12)
在平时运维工作中,经常需要用到LNMP应用框架. 以下对LNMP环境部署记录下: 1)前期准备:为了安装顺利,建议先使用yum安装依赖库 [root@opd ~]#yum install -y mak ...
- Centos6.3下利用open***部署远程×××服务
Centos6.3下利用open***部署远程×××服务 open***是一款在LINUX网关服务器使用的开源的×××软件,顾名思义,其实就是用来打通一条安全的虚拟专用通道,实现用户远程办公,获取内网 ...
- Linux(Centos6.5)下安装Vertica9.2.1数据库教程
Linux(Centos6.5)下安装Vertica9.2.1数据库教程 一. 安装Vertica 1. 安装依赖或环境 [root@localhost ~]# yum install gdb –y ...
- snort-2.9.7.0源码安装过程
2015/02/15,centos6.5-64-minimal,初始205个包 [root@localhost snort]# yum install wget [root@localhost sno ...
最新文章
- FPGA之道(68)原语的使用
- java decompiler_Java Decompiler(Java反编译工具)
- 写个函数用来对二维数组排序
- 杜克大学医学院禁止公开场合说中文?涉事负责人被勒令下台...
- 非科班生如何浑水摸鱼在省级大数据竞赛中获奖
- [Oracle]使用非滚动游标
- 信息学奥赛一本通 2057:【例3.9 】星期几
- Matlab自适应均线_基于MATLAB的自回归移动平均模型(ARMA)在股票预测中的应用
- Java比较器-学习
- 被称为最好最易理解的MATLAB入门教程
- MediaCoder参数设置教程
- 平板 电脑 android 2.2,最新版:360 Tablet Guardian安卓版(适用于Android平板电脑)v 3. 2. 2中文正式安装版...
- FANUC机器人_KAREL编程入门学习(1)
- echarts 饼状图渐变色
- python 千位分隔符_千位分隔符的完整攻略
- java虚拟机之java堆
- torch.bmm()函数解读
- 用网线连接电脑传输文件
- iso 国家名称列表
- 是时候复习一下响应式设计了