实验环境

centos6.8_x64

snort_master    192.168.1.101

windows_slave  192.168.1.102

测试 windows_slave ping 192.168.1.101 -t 不断发ping包


实验软件

adodb519.tar.gz

base-1.4.5.tar.gz

barnyard2-1.9.tar.gz

daq-2.0.4.tar.gz

libdnet-1.12.tgz

snort-2.9.7.0.tar.gz

snortrules-snapshot-2983.tar.gz


软件安装

yum install -y httpd mysql-server

yum install -y mcrypt libmcrypt libmcrypt-devel libpcap libpcap-devel

yum install -y gcc flex bison zlib libpcap tcpdump gcc-c++ pcre* zlib* libdnet libdnet-devel

yum install -y php php-mysql php-mbstring php-mcrypt mysql-devel php-gd php-pear

sed -i.bak  "s/#ServerName www.example.com:80/ServerName *:80/g" /etc/httpd/conf/httpd.conf   sed.bak为修改备份

ll  /etc/httpd/conf/httpd.conf

httpd.conf      httpd.conf.bak  


tar zxvf libdnet-1.12.tgz

cd libdnet-1.12

./configure && make && make install


tar zxvf daq-2.0.4.tar.gz

cd daq-2.0.4

./configure && make && make install


tar zxvf barnyard2-1.9.tar.gz

service mysqld start

mysqladmin  -uroot password  mysqlroot验证

mysql -uroot -pmysqlroot验证

create database snort;

grant create,select,update,insert,delete on snort.* to snort@localhost identified by 'snort';

mysql  -usnort  -psnort

mysql>

mysql -usnort -psnort -Dsnort < /root/barnyard2-1.9/schemas/create_mysql


cd  barnyard2-1.9

./configure  --with-mysql --with-mysql-libraries=/usr/lib64/mysql/

make &&  make install

mkdir -pv /var/log/barnyard2

mkdir -pv /var/log/snort

mkdir -pv /etc/snort

touch  /var/log/snort/barnyard2.waldo

cp -pv /root/barnyard2-1.9/etc/barnyard2.conf /etc/snort/


cp -pv  /etc/snort/barnyard2.conf /etc/snort/barnyard2.conf.bak

vim  /etc/snort/barnyard2.conf

config logdir:/var/log/barnyard2

config hostname:      localhost

config interface:       eth0  监听网卡

config waldo_file:/var/log/snort/barnyard2.waldo

output database: log, mysql, user=snort password=snort dbname=snort host=localhost


tar zxvf  snort-2.9.7.0.tar.gz

cd snort-2.9.7.0

./configure  && make && make install


mkdir -pv  /etc/snort

mkdir -pv  /var/log/snort

mkdir -pv  /usr/local/lib/snort_dynamicrules

mkdir -pv  /etc/snort/rules

mkdir -pv  /etc/snort/so_rules

mkdir -pv  /etc/snort/preproc_rules

touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

cp -pv  /root/snort-2.9.7.0/etc/gen-msg.map  /etc/snort/

cp -pv  /root/snort-2.9.7.0/etc/threshold.conf /etc/snort/

cp -pv  /root/snort-2.9.7.0/etc/classification.config /etc/snort/

cp -pv  /root/snort-2.9.7.0/etc/reference.config /etc/snort/

cp -pv  /root/snort-2.9.7.0/etc/unicode.map /etc/snort/

cp -pv  /root/snort-2.9.7.0/etc/snort.conf /etc/snort/


vim /etc/snort/snort.conf       

var RULE_PATH  /etc/snort/rules/

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH  /etc/snort/rules

var BLACK_LIST_PATH  /etc/snort/rules

config logdir: /var/log/snort

# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

output unified2: filename snort.log,limit 128


tar zxvf snortrules-snapshot-2983.tar.gz  -C  /etc/snort/

cp  -pv  /etc/snort/etc/sid-msg.map  /etc/snort/


snort -T -i eth0  -c /etc/snort/snort.conf  &

snort防入侵检测_snort

Snort successfully validated the configuration!
Snort exiting


barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log  -w /var/log/snort/barnyard2.waldo  &

snort防入侵检测_snort_02


barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D     &

snort -c /etc/snort/snort.conf -i eth0  -D  &

killall -9 snort   

killall -9 barnyard2   杀死进程


tar zxvf adodb519.tar.gz

tar zxvf base-1.4.5.tar.gz

mv /root/adodb5 /var/www/html/adodb

mv /root/base-1.4.5 /var/www/html/base

chown -R apache:apache /var/www/html/

chmod 755 /var/www/html/adodb/

touch /var/www/html/test.html

echo welcome to server > /var/www/html/test.html   建立apache测试页


sed -i  's/#AddType application/AddType application/g' /etc/httpd/conf/httpd.conf   配置apahce/php 结合

sed -i  '765 aAddType application/x-httpd-php .php' /etc/httpd/conf/httpd.conf 

765行插入AddType application/x-httpd-php .php配置   a为插入配置内容 


barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

snort -c /etc/snort/snort.conf -i eth0 -D


service mysqld restart &&  service httpd restart

chkconfig --level 35 httpd on

chkconfig --level 35 mysqld on


cp -pv /etc/snort/rules/local.rules /etc/snort/rules/local.rules.bak    添加测试规则

echo "alert icmp any any -> any any (msg: "IcmP Packet detected";sid:1000001;)" >> /etc/snort/rules/local.rules

cat /etc/snort/rules/local.rules | grep alert

alert icmp any any -> any any (msg: IcmP Packet detected;sid:1000001;)


touch /var/www/html/test.php      php测试页,测试完毕最好即可删除

echo "<?php phpinfo(); ?>" >  /var/www/html/test.php


netstat -tuplna | grep LISTEN

tcp        0     0  0.0.0.0:3306         0.0.0.0:*         LISTEN      28424/mysqld  

tcp        0      0  :::80           :::*             LISTEN      28460/httpd


curl ​​http://localhost/index.html​

welcome to server


​http://serverip/test.php​​​

snort防入侵检测_snort_03


​http://serviceip/base/setup/index.php​

snort防入侵检测_snort_04


snort防入侵检测_snort_05


snort防入侵检测_snort_06


snort防入侵检测_snort_07


snort防入侵检测_snort_08


snort防入侵检测_snort_09


snort防入侵检测_snort_10


cp -pv /etc/rc.d/rc.local  /etc/rc.d/rc.local.bak   设置服务开机启动

echo "snort -T -i eth0  -c /etc/snort/snort.conf  &" >> /etc/rc.d/rc.local

echo "barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log  -w /var/log/snort/barnyard2.waldo  &" >> /etc/rc.d/rc.local

echo "barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D &"   >> /etc/rc.d/rc.local

echo "snort -c /etc/snort/snort.conf -i eth0 -D &" >> /etc/rc.d/rc.local


cat /etc/rc.d/rc.local

snort -T -i eth0  -c /etc/snort/snort.conf  &

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log  -w /var/log/snort/barnyard2.waldo  &

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D &

snort -c /etc/snort/snort.conf -i eth0 -D &