Created: March 31, 2005
Updated: April 3, 2005
Software used in this article
Snort 2.3.2, site: http://www.snort.org
guardian 1.6, site: http://www.snort.org
snortsnarf 050314, site: http://www.silicondefense....
Software that may also be needed
LIBPCAP 0.8.3, site: http://www.tcpdump.org
PCRE 5.0, site: http://www.pcre.org
1. Installation
My Red Hat 9.0 does not ship libpcap or pcre, so compiling snort fails; install libpcap and pcre first.
# wget http://www.tcpdump.org/rel...
# tar zxvf libpcap-0.8.3.tar.gz
# cd libpcap-0.8.3
# ./configure
# make
# make install
# wget http://nchc.dl.sourceforge...
# tar jxvf pcre-5.0.tar.bz2
# cd pcre-5.0
# ./configure
# make
# make check
# make install
Install snort
# wget http://www.snort.org/dl/cu...
# tar zxvf snort-2.3.2.tar.gz
# cd snort-2.3.2
# ./configure
# make
# make install
# mkdir -p /etc/snort/rules
# cp etc/*.conf /etc/snort
# cp etc/unicode.map /etc/snort
# cp -R rules/* /etc/snort/rules
Edit /etc/snort/snort.conf
# vi /etc/snort/snort.conf
var HOME_NET 192.168.1.0/24
var RULE_PATH /etc/snort/rules
preprocessor http_inspect: global \
iis_unicode_map /etc/snort/unicode.map 1252
include /etc/snort/classification.config
include /etc/snort/reference.config
Create the /var/log/snort directory
# mkdir /var/log/snort
Test that it runs normally
# /usr/local/bin/snort -v
Start
# /usr/local/bin/snort -c /etc/snort/snort.conf -D
Note: -D starts snort as a daemon, i.e. it runs in the background
-c tells snort to run with the settings in the snort.conf configuration file
To start automatically at boot, add the previous command to /etc/rc.d/rc.local
Plugins
guardian
# wget http://www.snort.org/dl/co...
# tar zxvf guardian-1.6.tar.gz
# cd guardian-1.6
# echo > /etc/snort/guardian.ignore
# cp guardian.pl /usr/local/bin/
# cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
# cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
# cp guardian.conf /etc/snort
# touch /var/log/snort/guardian.log
# chmod 644 /var/log/snort/guardian.log
# vi /etc/snort/guardian.conf
# guardian's own log file
LogFile /var/log/snort/guardian.log
# where guardian reads snort's alerts from
AlertFile /var/log/snort/alert
# put the IPs you want guardian to ignore in this file
IgnoreFile /etc/snort/guardian.ignore
# maximum time (seconds) an IP stays blocked; 99999999 means no time limit
TimeLimit 86400
Edit /usr/local/bin/guardian_unblock.sh: this file is wrong (the iptables_unblock.sh shipped in guardian-1.6.tar.gz has the error). Change
/sbin/ipchains -D INPUT -s $source -i $interface -j DROP
to
/sbin/iptables -D INPUT -s $source -i $interface -j DROP
Start
# /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
To start it automatically, add the previous command to /etc/rc.d/rc.local, but on my RH9 this does not work and I don't know why.
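Before guardian is allowed to block addresses on its own, two things are worth checking: that the copied block/unblock scripts really call iptables (the ipchains leftover described above means a blocked address is never released, whatever TimeLimit says), and which source addresses guardian would act on once guardian.ignore is applied, so the sensor itself, the gateway and the DNS server can be listed there before the first lock-out. The script below is an added example, not part of guardian or of these notes. It reads a Snort 2.x alert file in Snort's default full format, as written to /var/log/snort/alert above; the alert lines, the ignore list and the two script copies it uses are constructed sample data under a mktemp directory, and the THRESHOLD argument is the example's own knob for the preview, not a guardian.conf setting.

```shell
#!/bin/sh
# Added example, not part of guardian or of these notes: preflight checks to run
# before letting guardian.pl block addresses automatically.
#   check_block_scripts  - fail if a block/unblock script still calls ipchains
#                          (a broken unblock script means a blocked IP is never
#                          released, whatever TimeLimit says).
#   alert_sources        - count alerts per source address in a Snort 2.x alert
#                          file written in the default "full" format.
#   block_candidates     - the sources guardian would act on once guardian.ignore
#                          is applied; THRESHOLD is this example's own knob.
# Sample alerts, ignore list and script copies below are constructed test data.

# Return 1 if any script given on the command line references ipchains.
check_block_scripts() {
    rc=0
    for script in "$@"; do
        if grep -q 'ipchains' "$script"; then
            echo "$script: still uses ipchains, change it to iptables" >&2
            rc=1
        fi
    done
    return $rc
}

# Print "<count> <source ip>", most frequent first. In the full alert format the
# addresses sit on the timestamp line, e.g.
#   03/31-10:15:02.123456 10.0.0.5:4444 -> 192.168.1.5:80
# ICMP alerts carry no ":port", so the suffix is stripped only when present.
alert_sources() {
    awk '$3 == "->" { ip = $2; sub(/:[0-9]+$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Usage: block_candidates ALERT_FILE IGNORE_FILE [THRESHOLD]
# Sources with at least THRESHOLD alerts that do not appear in IGNORE_FILE
# (one address per line, which is how guardian.ignore is filled in these notes).
block_candidates() {
    alerts=$1; ignore=$2; threshold=${3:-1}
    alert_sources "$alerts" | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        grep -qxF "$ip" "$ignore" && continue
        echo "$ip"
    done
}

# Constructed sample data so the script runs offline. Prints the temp directory.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/alert" <<'EOF'
[**] [1:1000001:0] CONSTRUCTED web probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/31-10:15:02.123456 10.0.0.5:4444 -> 192.168.1.5:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0  Ack: 0x0  Win: 0x2000  TcpLen: 40

[**] [1:1000001:0] CONSTRUCTED web probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/31-10:15:03.000001 10.0.0.5:4445 -> 192.168.1.5:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0  Ack: 0x0  Win: 0x2000  TcpLen: 40

[**] [1:1000002:0] CONSTRUCTED ICMP ping [**]
[Classification: Misc activity] [Priority: 3]
03/31-10:16:00.000000 192.168.1.1 -> 192.168.1.5
ICMP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1   Seq:1  ECHO

[**] [1:1000001:0] CONSTRUCTED web probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/31-10:17:00.000000 192.168.1.20:51000 -> 192.168.1.5:80
TCP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0  Ack: 0x0  Win: 0x2000  TcpLen: 40
EOF
    # The gateway (192.168.1.1) and the sensor itself (192.168.1.5) must never be blocked.
    printf '192.168.1.1\n192.168.1.5\n' > "$dir/guardian.ignore"
    # The unblock script as shipped in guardian-1.6, and the corrected one.
    echo '/sbin/ipchains -D INPUT -s $source -i $interface -j DROP' > "$dir/bad_unblock.sh"
    echo '/sbin/iptables -D INPUT -s $source -i $interface -j DROP' > "$dir/good_unblock.sh"
    echo "$dir"
}

# Demo on the constructed data; for real use point the functions at
# /var/log/snort/alert, /etc/snort/guardian.ignore and /usr/local/bin/guardian_*block.sh.
d=$(write_samples)
echo "alerts per source:"
alert_sources "$d/alert"
echo "would be blocked (threshold 1):"
block_candidates "$d/alert" "$d/guardian.ignore" 1
check_block_scripts "$d/bad_unblock.sh" "$d/good_unblock.sh" \
    || echo "fix the unblock script before starting guardian.pl"
rm -rf "$d"
```

On the sample data the gateway's ICMP alert is filtered out by the ignore list while the two other sources would be blocked; raising the threshold to 2 keeps only 10.0.0.5. Run the preview against the real alert file for a day or two before starting guardian.pl, and put every address that must stay reachable into guardian.ignore.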
snortsam (planned)
SnortSnarf
# wget http://www.snort.org/dl/co...
# tar zxvf SnortSnarf-050314.1.tar.gz
# cd SnortSnarf-050314.1
# mkdir /var/www/snort
# cp cgi/* /var/www/snort
# cp -R include /var/www/snort
# cp snortsnarf.pl /var/www/snort
# vi /var/www/snort/snortsnarf.sh (this script still has some problems)
#!/bin/bash
cd /var/www/snort
perl snortsnarf.pl -cgidir /var/www/snort -d /var/www/snort -homenet 192.168.1.5 -color='yes' -rulesfile snort.conf -rulesdir /etc/snort/rules /var/log/snort/alert /var/log/snort/portscan.log
Running this script gives an error that the Time/ParseDate.pm module cannot be found; install that module first
# wget
# tar zxvf Time-modules-2003.1126.tar.gz
# cd Time-modules-2003.1126
# perl Makefile.PL
# make
# make test
# make install
Then rerun /var/www/snort/snortsnarf.sh
Notes:
1. This program must be run from the directory the file lives in, so cd /var/www/snort first.
2. 192.168.1.5 is the IP of your own host, i.e. localhost, but it has to be given as an IP address.
The parameters mean the following:
-cgidir is the directory Apache runs perl scripts from
-d is the directory the web pages are written to; you can then view the output at http://your.domain/snort
-homenet is your own host's IP
-color sets colours, only yes or no; naturally I use yes!!
-rulesfile is the name of the configuration file, without a path; the path is given by the next setting
-rulesdir was explained under the previous parameter
/var/log/snort/alert and /var/log/snort/portscan.log are snort's output files, which snortsnarf analyses; I use two, but you can add snort's other output files, three or more.
If you want snort to write several output files, set that in snort.conf, but there are too many to cover here, so try it yourselves; by default they are off, so the output does not get too large.
To generate the analysis at fixed times, add it to /etc/crontab.
Test
http://192.168.1.5/snort
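A cron wrapper for the snortsnarf.pl call above, as an added example (not the snortsnarf.sh from these notes and not part of SnortSnarf): it changes into the SnortSnarf directory first, as note 1 requires, and gives up if that fails; it skips alert files that are missing or empty instead of passing a bad path; and it takes a lock with an atomic mkdir so that a run still busy when the next cron tick arrives is not clobbered. Paths and the -homenet address follow the notes; SNORTSNARF_CMD is an assumed override, used only so the functions can be exercised without perl installed.

```shell
#!/bin/sh
# Added example, not the snortsnarf.sh from these notes and not part of
# SnortSnarf: a wrapper meant to be called from /etc/crontab. Compared with the
# plain one-liner it
#   - changes into the SnortSnarf directory first and gives up if that fails
#     (snortsnarf.pl has to run from its own directory, see note 1);
#   - skips alert files that are missing or empty instead of passing a bad path;
#   - takes a lock (an atomic mkdir) so a run that is still busy is not
#     clobbered by the next cron tick.
# Paths and the -homenet address follow the notes. SNORTSNARF_CMD is an assumed
# override so the functions can be exercised without perl installed.

SNORTSNARF_DIR=${SNORTSNARF_DIR:-/var/www/snort}
SNORTSNARF_CMD=${SNORTSNARF_CMD:-"perl snortsnarf.pl"}
HOMENET=${HOMENET:-192.168.1.5}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}

# Print, one per line, those arguments that are existing non-empty files.
existing_inputs() {
    for f in "$@"; do
        [ -s "$f" ] && echo "$f"
    done
    return 0
}

# Usage: run_snortsnarf ALERT_FILE...
# Runs in a subshell so the cd does not leak into the caller. Exit status:
# 0 report written, 2 another run holds the lock, 3 no usable input, 4 bad dir.
run_snortsnarf() (
    lock="$SNORTSNARF_DIR/.snortsnarf.lock"
    cd "$SNORTSNARF_DIR" || exit 4
    inputs=$(existing_inputs "$@")
    if [ -z "$inputs" ]; then
        echo "snortsnarf: no non-empty alert file among: $*" >&2
        exit 3
    fi
    if ! mkdir "$lock" 2>/dev/null; then
        echo "snortsnarf: previous run still active, skipping" >&2
        exit 2
    fi
    status=0
    # $SNORTSNARF_CMD and $inputs are split on purpose (command words, file list).
    $SNORTSNARF_CMD -cgidir "$SNORTSNARF_DIR" -d "$SNORTSNARF_DIR" \
        -homenet "$HOMENET" -color=yes -rulesfile snort.conf \
        -rulesdir "$RULES_DIR" $inputs || status=$?
    rmdir "$lock"
    exit $status
)

# Crontab line in /etc/crontab format (with the user field), every 10 minutes:
#   */10 * * * * root /var/www/snort/snortsnarf_cron.sh /var/log/snort/alert /var/log/snort/portscan.log
if [ $# -gt 0 ]; then
    run_snortsnarf "$@"
fi
```

The lock is released even when snortsnarf.pl fails, and the exit status is passed through, so cron mails the failure instead of silently producing a stale report; a lock directory left behind by a crash (a reboot mid-run, for example) has to be removed by hand, which the "previous run still active" message points at.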