Installing snort:

First, the full list of packages to install:
mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql
httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++
Anything I don't mention below was already installed.

Install mysql first:
[root@station203 Server]# rpm -ivh perl-DBI-1.52-1.fc6.i386.rpm
[root@station203 Server]# rpm -ivh mysql-5.0.22-2.1.0.1.i386.rpm
[root@station203 Server]# rpm -ivh perl-DBD-MySQL-3.0007-1.fc6.i386.rpm
[root@station203 Server]# rpm -ivh mysql-server-5.0.22-2.1.0.1.i386.rpm
[root@station203 ~]# service mysqld start 




Download URL:
http://www.snort.org/dl/snort-2.8.4.1.tar.gz



The rpm packages:
http://www.snort.org/dl/binaries/linux/snort-2.8.4.1-1.RH5.i386.rpm
http://www.snort.org/dl/binaries/linux/snort-mysql-2.8.4.1-1.RH5.i386.rpm


[root@station203 ~]# rpm -ivh snort-2.8.4.1-1.RH5.i386.rpm
Preparing...                ########################################### [100%]
   1:snort                  ########################################### [100%]
[root@station203 ~]# rpm -ivh snort-mysql-2.8.4.1-1.RH5.i386.rpm
Preparing...                ########################################### [100%]
   1:snort-mysql            ########################################### [100%]


Edit the snort configuration file:
[root@station203 ~]# vim /etc/snort/snort.conf
 var HOME_NET 192.168.1.0/24
 output database: log, mysql, user=root password=jasonyy dbname=snort host=localhost
## Both lines already exist as templates in the file; just change them to read as above. Note that logging as the MySQL root user is more privilege than snort needs: the dedicated snort account created below is sufficient, and whichever user and password you put on this line must be the same account and password you later set in MySQL and in base_conf.php.

## The following lines are commented out in the stock file; remove the leading # to enable them. Every file you include must exist under $RULE_PATH (the rules copied into /etc/snort/rules further down), otherwise snort refuses to start.
 include $RULE_PATH/web-attacks.rules
 include $RULE_PATH/backdoor.rules
 include $RULE_PATH/shellcode.rules
 include $RULE_PATH/policy.rules
 include $RULE_PATH/porn.rules
 include $RULE_PATH/info.rules
 include $RULE_PATH/icmp-info.rules
 include $RULE_PATH/virus.rules
 include $RULE_PATH/chat.rules
 include $RULE_PATH/multimedia.rules
 include $RULE_PATH/p2p.rules

http://internetsecurityguru.com/snortinit/snort        ## A snort init script; put it in /etc/init.d and then run

chkconfig --add snort;chkconfig snort on
## Note that I made a small change to this script: it was written for a source-built snort, and since I took the lazy route and used the rpm, the paths inside it have to be adjusted.


[root@station203 ~]# mysqladmin -u root password '*****'
## Set the mysql root password to the one given in the snort configuration file.

[root@station203 ~]# mysql -u root -p
Enter password:
## Enter the password, log in to mysql, and create the snort database

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database snort;
Query OK, 1 row affected (0.00 sec)

mysql> source /usr/share/snort-2.8.4.1/schemas/create_mysql
ERROR 1046 (3D000): No database selected
(the same error is printed for every statement in the script)
## The schema script was run before any database had been selected, so every CREATE TABLE in it failed. Selecting the database first (connect snort, or use snort;) fixes it:
mysql> connect snort
Connection id:    6
Current database: snort

mysql> grant create, insert, select ,delete,update on snort.* to snort;
Query OK, 0 rows affected (0.01 sec)

mysql> grant create, insert, select ,delete,update on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> set password for 'snort'@'localhost' = password('123');
Query OK, 0 rows affected (0.00 sec)

mysql> set password for 'snort'@'%' = password('123');
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
## The first grant (to snort with no host part) creates 'snort'@'%', an account MySQL will accept from any host. Snort and BASE both connect through localhost, so 'snort'@'localhost' alone is enough and the '%' account can be dropped. The password set here is the one base_conf.php ($alert_password) must contain, and the one the output database line in snort.conf must use if you switch it from root to the snort user.

mysql> source /usr/share/snort-2.8.4.1/schemas/create_mysql
Query OK, 0 rows affected (0.01 sec)

Query OK, 1 row affected (0.00 sec)

(one "Query OK" line per statement in the script, 22 in total)

Query OK, 1 row affected (0.00 sec)
## The snort database now contains the tables (there should be 16; show tables; lists them).

mysql> quit
Bye


## At this point the snort database is set up.




[root@station203 httpd]# rpm -ivh /mnt/cdrom/Server/php-common-5.1.6-15.el5.i386.rpm
[root@station203 httpd]# rpm -ivh /mnt/cdrom/Server/php-cli-5.1.6-15.el5.i386.rpm
[root@station203 httpd]# rpm -ivh /mnt/cdrom/Server/php-5.1.6-15.el5.i386.rpm
[root@station203 httpd]# rpm -ivh /mnt/cdrom/Server/php-pdo-5.1.6-15.el5.i386.rpm
[root@station203 httpd]# rpm -ivh /mnt/cdrom/Server/php-mysql-5.1.6-15.el5.i386.rpm
## Install PHP


[root@station203 ~]# rpm -ivh /mnt/cdrom/Server/httpd-2.2.3-11.el5.i386.rpm
## With apache installed, set up user authentication.

[root@station203 html]# htpasswd -c /etc/httpd/conf/htpasswd admin         ## Create an HTTP auth user named admin
New password:
Re-type new password:
Adding password for user admin

[root@station203 html]# vim /etc/httpd/conf/httpd.conf

<Directory "/var/www/html/base">
        AuthType Basic
        AuthName "abc"
        AuthUserFile /etc/httpd/conf/htpasswd
        Require user admin
        AllowOverride None
</Directory>

AddType application/x-tar .tgz
AddType application/x-httpd-php .php
AddType image/x-icon .ico

## Add this content. The Directory path must be the directory the console is actually unpacked into (/var/www/html/base below); a block for /var/www/html/acid, as in the older ACID guides, protects nothing when the console lives in /base.
[root@station203 httpd]# chown apache.apache /etc/httpd/conf/htpasswd
## apache only needs to read the password file, not own it; root:apache with mode 640 stops a compromised web server process from rewriting it.
[root@station203 httpd]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
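An added check for the authentication block above (example script written for this page, not from the post or from Apache): it lists every <Directory> block in an httpd.conf that enforces Basic auth and tells you whether a given filesystem path falls under one, which catches a block written for /var/www/html/acid while the console actually lives in /var/www/html/base. The httpd.conf fragment written by write_httpd_sample is constructed for the demo; on a real system point it at /etc/httpd/conf/httpd.conf.

```sh
#!/bin/sh
# Added example for this page: find the <Directory> blocks in an httpd.conf
# that enforce Basic auth and test whether a path is covered by one of them.
# The sample written by write_httpd_sample is constructed, not the post's file.

# Print the path of every <Directory> block that contains both "AuthType Basic"
# and a Require directive (other than "Require all granted"), one per line.
# Directory paths containing spaces are not handled.
protected_dirs() {
    awk -v sq="'" '
        /^[[:space:]]*<Directory[[:space:]]/ {
            dir = $2; gsub("[\">]", "", dir); gsub(sq, "", dir)
            auth = 0; req = 0; next
        }
        /^[[:space:]]*AuthType[[:space:]]+Basic/ { auth = 1 }
        /^[[:space:]]*Require[[:space:]]/ && !/Require[[:space:]]+all[[:space:]]+granted/ { req = 1 }
        /^[[:space:]]*<\/Directory>/ { if (dir != "" && auth && req) print dir; dir = "" }
    ' "$1"
}

# auth_covers CONF PATH: return 0 if PATH, or a parent directory of it, is
# inside a protected <Directory> block; 1 otherwise.
auth_covers() {
    for d in $(protected_dirs "$1"); do
        [ "$d" = / ] && return 0
        case "$2" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# Constructed httpd.conf fragment reproducing the post's block: it protects
# /var/www/html/acid while BASE is unpacked into /var/www/html/base.
write_httpd_sample() {
    cat > "$1" <<'EOF'
<Directory "/var/www/html/acid">
        AuthType Basic
        AuthName "abc"
        AuthUserFile /etc/httpd/conf/htpasswd
        Require user admin
        AllowOverride None
</Directory>

<Directory "/var/www/html/base/images">
        Options None
</Directory>
EOF
}

# Usage: sh authcheck.sh HTTPD_CONF PATH...; with no arguments, run the demo.
if [ $# -ge 2 ]; then
    conf=$1; shift
    for p in "$@"; do
        auth_covers "$conf" "$p" && echo "protected:   $p" || echo "UNPROTECTED: $p"
    done
else
    tmp=$(mktemp); write_httpd_sample "$tmp"
    for p in /var/www/html/acid /var/www/html/base /var/www/html/base/base_conf.php; do
        auth_covers "$tmp" "$p" && echo "protected:   $p" || echo "UNPROTECTED: $p"
    done
    rm -f "$tmp"
fi
```

Run against the sample, /var/www/html/acid is reported protected and both /base paths unprotected; after changing the Directory path to /var/www/html/base the base_conf.php path is covered. Run it again after every httpd.conf edit, since a typo in the Directory path silently removes the only thing standing between the console and the network.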




Installing and configuring ACID/BASE:
Download the following packages:
http://down1.chinaunix.net/distfiles/acid-0.9.6b23.tar.gz
http://down1.chinaunix.net/distfiles/adodb465.tgz
http://down1.chinaunix.net/distfiles/jpgraph-2.1.1.tar.gz
http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.2.6.tar.gz    (BASE is the newer successor of ACID)
http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz    ## rules package

## The latest rule packages can be downloaded from http://www.snort.org

[root@station203 ~]# tar zxvf snortrules-pr-2.4.tar.gz
[root@station203 ~]# cp rules/* /etc/snort/rules
[root@station203 ~]# cp base-1.2.6.tar.gz adodb465.tgz jpgraph-2.1.1.tar.gz /var/www/html/;cd /var/www/html
[root@station203 html]# tar zxvf base-1.2.6.tar.gz
[root@station203 html]# tar zxvf adodb465.tgz
[root@station203 html]# tar zxvf jpgraph-2.1.1.tar.gz
[root@station203 html]# mv jpgraph-2.1.1 jpgraph
[root@station203 html]# mv base-1.2.6 base



[root@station203 html]# cp base/base_conf.php.dist base/base_conf.php
[root@station203 html]# vim base/base_conf.php
$DBlib_path = "/var/www/html/adodb";
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'jasonyy';

/* Archive DB connection parameters */
$archive_exists   = 0; # Set this to 1 if you have an archive DB
$archive_dbname   = 'snort';
$archive_host     = 'localhost';
$archive_port     = '';
$archive_user     = 'snort';
$archive_password = 'jasonyy';

$ChartLib_path = "/var/www/html/jpgraph/src";

## Change the values above. $alert_user and $alert_password must be the snort MySQL account and the password you gave it with set password earlier (the password set there was 123 while this file says jasonyy; the two must agree or BASE cannot connect). The archive section is only used when $archive_exists is 1.
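An added consistency check for the snort.conf edits (HOME_NET, the output database line and the rule includes) and the base_conf.php edits above. It is an example script written for this page, not code from the original post nor from snort or BASE. It extracts user, password, dbname and host from the output database line in snort.conf and from the $alert_* values in base_conf.php, reports any mismatch or a root database user, and verifies that every uncommented include $RULE_PATH/... line resolves to a file. The sample configuration written by write_samples is constructed for the demo; on a real install call it with /etc/snort/snort.conf, /var/www/html/base/base_conf.php and /etc/snort/rules.

```sh
#!/bin/sh
# Added example for this page: cross-check snort.conf, base_conf.php and the
# rules directory. The files written by write_samples are constructed for the
# demo; they are not the post's real files.

# Print "user password dbname host" from the first active "output database:"
# line of a snort.conf ("?" for any field that is absent).
snort_db_creds() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" | head -n 1 |
    awk 'BEGIN { u = p = d = h = "?" }
         { for (i = 1; i <= NF; i++) {
               n = split($i, kv, "=")
               if (n == 2 && kv[1] == "user")     u = kv[2]
               if (n == 2 && kv[1] == "password") p = kv[2]
               if (n == 2 && kv[1] == "dbname")   d = kv[2]
               if (n == 2 && kv[1] == "host")     h = kv[2]
           } }
         END { print u, p, d, h }'
}

# php_val FILE NAME: value of a line like $NAME = 'value'; ("?" if absent).
php_val() {
    v=$(sed -n "s/^\\\$$2[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)
    printf '%s' "${v:-?}"
}

# Print the same four fields from base_conf.php ($alert_user, ...).
base_db_creds() {
    printf '%s %s %s %s\n' "$(php_val "$1" alert_user)" "$(php_val "$1" alert_password)" \
        "$(php_val "$1" alert_dbname)" "$(php_val "$1" alert_host)"
}

# check_db_creds SNORT_CONF BASE_CONF: 0 if both agree and snort does not log
# as root, 1 (with an explanation per finding) otherwise.
check_db_creds() {
    snort_side=$(snort_db_creds "$1")
    base_side=$(base_db_creds "$2")
    set -- $snort_side; s_user=$1; s_pass=$2; s_db=$3; s_host=$4
    set -- $base_side;  b_user=$1; b_pass=$2; b_db=$3; b_host=$4
    rc=0
    [ "$s_user" != root ]     || { echo "snort.conf logs as MySQL root; the snort account is enough"; rc=1; }
    [ "$s_user" = "$b_user" ] || { echo "user mismatch: snort.conf=$s_user base_conf=$b_user"; rc=1; }
    [ "$s_pass" = "$b_pass" ] || { echo "password mismatch between snort.conf and base_conf.php"; rc=1; }
    [ "$s_db" = "$b_db" ]     || { echo "dbname mismatch: snort.conf=$s_db base_conf=$b_db"; rc=1; }
    [ "$s_host" = "$b_host" ] || { echo "host mismatch: snort.conf=$s_host base_conf=$b_host"; rc=1; }
    return $rc
}

# check_rule_includes SNORT_CONF RULE_DIR: every active "include $RULE_PATH/x"
# must exist under RULE_DIR, or snort refuses to start. 0 = all present.
check_rule_includes() {
    missing=0
    for f in $(sed -n 's/^[[:space:]]*include[[:space:]]*\$RULE_PATH\/\([^[:space:]]*\).*/\1/p' "$1"); do
        [ -f "$2/$f" ] || { echo "missing rule file: $2/$f"; missing=$((missing + 1)); }
    done
    [ "$missing" -eq 0 ]
}

# Constructed samples mirroring the post's edits: snort.conf still logs as
# root, base_conf.php uses the snort user, and backdoor.rules is not installed.
write_samples() {
    mkdir -p "$1/rules"
    : > "$1/rules/web-attacks.rules"
    cat > "$1/snort.conf" <<'EOF'
var HOME_NET 192.168.1.0/24
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=root password=jasonyy dbname=snort host=localhost
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
# include $RULE_PATH/porn.rules
EOF
    sed 's/user=root/user=snort/' "$1/snort.conf" > "$1/snort.conf.fixed"
    cat > "$1/base_conf.php" <<'EOF'
<?php
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'jasonyy';
EOF
}

demo() {
    tmp=$(mktemp -d); write_samples "$tmp"; status=0
    check_db_creds "$tmp/snort.conf" "$tmp/base_conf.php" || status=1
    check_rule_includes "$tmp/snort.conf" "$tmp/rules"   || status=1
    rm -rf "$tmp"
    return $status
}

# Usage: sh check.sh SNORT_CONF BASE_CONF RULE_DIR; with no arguments, run the demo.
case $# in
    3) check_db_creds "$1" "$2" && check_rule_includes "$1" "$3" ;;
    0) demo || echo "demo: problems found (expected for the post's settings)" ;;
esac
```

The demo reproduces the post's state and reports the root login, the user mismatch and the missing backdoor.rules; the same functions pointed at the live files give a quick pass/fail before service snort start, which is cheaper than reading the MySQL connection error out of /var/log/messages.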

[root@station203 html]# service mysqld start
[root@station203 html]# service httpd start
[root@station203 html]# service snort start
## Start mysqld before snort: the database output plugin connects to MySQL as snort starts and aborts if it cannot.


Open http://192.168.1.203/base in a browser.
Enter the username and password (the HTTP auth user).
You should see Figure 11.


Click "Setup page", then the "Setup BASE AG" button; Figure 22 means it worked.


Go back to http://192.168.1.203/base
and you should see something like Figure 33.

Testing the IDS (intrusion detection system)
# Scan the system with nmap, nessus, CIS or X-scan to generate alert records.
# View the records at http://yourhost/base.
# That completes the setup of a capable IDS. You can log in to the web interface remotely to monitor the LAN the host sits on, and install phpMyAdmin or webmin to manage the mysql database. Keep in mind that the console and any such admin tool are reachable by anyone who can reach port 80 and guess the Basic-auth password, so put them under the same authentication block or on a management network.



Installing ntop

[root@station203 ~]# wget http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
[root@station203 ~]# rpm --import RPM-GPG-KEY.dag.txt
[root@station203 ~]# vim /etc/yum.repos.d/ntop.repo
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag/
## I am on rhel5, so I changed the line above to baseurl=http://apt.sw.be/redhat/el5/en/i386/dag/; adjust it for your own release and arch.
gpgcheck=1
enabled=1



[root@station203 ~]# yum install ntop -y

..............output omitted..................
 ntop                    i386       3.3.8-1.el5.rf   dag               3.8 M
Installing for dependencies:
 perl-rrdtool            i386       1.2.30-1.el5.rf  dag                49 k
 rrdtool                 i386       1.2.30-1.el5.rf  dag               951 k
..............output omitted..................


## On my box it pulled in these three packages; yours may differ.


[root@station203 ~]# vim /etc/ntop.conf
--interface eth0                                       ## put this NIC into sniffing mode
--http-server 3000
--https-server 3001                        ## just uncomment these two lines
## The first of these is the plaintext HTTP listener (it is what the test at the end opens on port 3000). The admin password set with -A below travels in the clear over it and it binds to every interface, so either pin it to loopback (--http-server 127.0.0.1:3000) or leave it commented out and use only the https listener on 3001.


[root@station203 ~]# /usr/bin/ntop @/etc/ntop.conf -A
   Processing file /etc/ntop.conf for parameters...
Mon May 25 12:07:36 2009  NOTE: Interface merge enabled by default
Mon May 25 12:07:36 2009  Initializing gdbm databases
NOTE: --use-syslog, no facility specified, using default value.  Did you forget the =?


ntop startup - waiting for user response!


Please enter the password for the admin user:
Please enter the password again:
## -A sets the admin password; ntop has a built-in admin account for its web interface.


[root@station203 ~]# vim /etc/ntop.conf                ## now go back and edit it again
--daemon                            ## uncomment this one too

[root@station203 ~]# chkconfig ntop on
[root@station203 ~]# service ntop start

## Here the service start failed for me, yet starting ntop from the command line worked fine. Strange; after a long time on google it turned out to be a bug in the yum-installed ntop init script....
## Fix:
[root@station203 rules]# vim /etc/init.d/ntop
start () {
    echo -n $"Starting $prog: "
    daemon $prog @/etc/ntop.conf -d -L            ## the original line was: daemon $prog -d -L @/etc/ntop.conf
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog    ## $prog unescaped; a literal \$prog here would create a lock file named "$prog"
    return $RETVAL
}

[root@station203 ~]# service ntop start
## And that's it.


## Test: open https://192.168.1.203:3001/ or http://192.168.1.203:3000 in a browser


Both work; ntop can now monitor every packet its interface sees on the network.
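An added sanity check for the ntop.conf edits and the init-script fix above (example script written for this page, not from the post or from the ntop project). It prints the effective options of an ntop.conf, fails when one of the options the post enables is missing or when --http-server is not pinned to an address, and checks that the daemon line of an init script puts @/etc/ntop.conf before the other flags, the order the post found to work. The files written by write_ntop_samples are constructed for the demo; on a real system point it at /etc/ntop.conf and /etc/init.d/ntop.

```sh
#!/bin/sh
# Added example for this page: sanity-check /etc/ntop.conf and the
# /etc/init.d/ntop start line. The samples written by write_ntop_samples are
# constructed for the demo, not the post's real files.

# Print the effective option lines of an ntop.conf (comments and blanks removed).
ntop_active_opts() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# ntop_conf_check NTOP_CONF: 0 if the options the post enables are present and
# the plaintext web UI is either off or bound to an explicit address; 1 (with
# an explanation) otherwise. An unbound --http-server listens on every
# interface and carries the admin password set with -A in the clear.
ntop_conf_check() {
    opts=$(ntop_active_opts "$1"); rc=0
    for need in --interface --https-server --daemon; do
        printf '%s\n' "$opts" | grep -qE "^[[:space:]]*$need([[:space:]=]|\$)" \
            || { echo "missing option: $need"; rc=1; }
    done
    http=$(printf '%s\n' "$opts" | sed -n 's/^[[:space:]]*--http-server[[:space:]=]*//p' | head -n 1)
    case "$http" in
        "")  ;;                         # plaintext UI disabled: fine
        *:*) ;;                         # bound to an address, e.g. 127.0.0.1:3000
        *)   echo "--http-server $http listens on every interface over plaintext HTTP;"
             echo "  use --http-server 127.0.0.1:$http or only --https-server"; rc=1 ;;
    esac
    return $rc
}

# ntop_init_check INIT_SCRIPT: 0 if the daemon line passes @/etc/ntop.conf
# before the other flags (the order the post needed), 1 otherwise.
ntop_init_check() {
    line=$(grep -E '^[[:space:]]*daemon[[:space:]]+\$prog' "$1" | head -n 1)
    case "$line" in
        *'$prog @'*) return 0 ;;
        *) echo "init script: expected 'daemon \$prog @/etc/ntop.conf ...', got: ${line:-no daemon line}"; return 1 ;;
    esac
}

# Constructed samples: ntop.conf as edited in the post, a loopback-bound
# variant, and the unpatched and patched daemon lines of the init script.
write_ntop_samples() {
    mkdir -p "$1"
    cat > "$1/ntop.conf" <<'EOF'
# ntop.conf as edited in the post (constructed sample)
--interface eth0        ## sniff this NIC
--http-server 3000
--https-server 3001
## --use-syslog=local3
--daemon
EOF
    sed 's/^--http-server 3000/--http-server 127.0.0.1:3000/' "$1/ntop.conf" > "$1/ntop.conf.fixed"
    printf 'start () {\n    daemon $prog -d -L @/etc/ntop.conf\n}\n' > "$1/ntop.bad"
    printf 'start () {\n    daemon $prog @/etc/ntop.conf -d -L\n}\n' > "$1/ntop.good"
}

# Usage: sh ntopcheck.sh NTOP_CONF INIT_SCRIPT; with no arguments, run the demo.
case $# in
    2) ntop_conf_check "$1" && ntop_init_check "$2" ;;
    0) tmp=$(mktemp -d); write_ntop_samples "$tmp"
       ntop_conf_check "$tmp/ntop.conf.fixed" && ntop_init_check "$tmp/ntop.good" \
           && echo "fixed samples pass"
       ntop_conf_check "$tmp/ntop.conf" || true     # the post's settings: prints the warning
       ntop_init_check "$tmp/ntop.bad"  || true     # the unpatched daemon line
       rm -rf "$tmp" ;;
esac
```

The demo shows the two findings for the post's files (plaintext UI on all interfaces, @file after the flags) and a clean run for the corrected pair. Comment stripping is line-based, so an option whose value legitimately contains # would need the sed adjusted.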