Friday, April 25, 2008

Snort installation steps

Purpose: Snort is an IDS. I am installing it to detect anomalous behaviour inside the company network, whether it comes from a hacker, a virus, a trojan or a user.
OS: Linux RedHat FC 8
Software: Snort v2.8.1 + Barnyard v0.2.0 + BASE v1.3.9

★Start the Apache service
# chkconfig httpd on
# service httpd start
Then open http://yourhostip/ in a browser to confirm Apache is serving.

★Install the required packages
# yum -y install mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++ libpcap-devel php php-pear yum-utils
To update every package on the system as well, run yum -y update; expect a large download.

★Create the installation folder
# cd /root
# mkdir snortinstall
# cd snortinstall

★Snort install
# wget http://snort.org/dl/current/snort-2.8.1.tar.gz
# tar -zxvf snort-2.8.1.tar.gz
# cd snort-2.8.1
# ./configure --with-mysql --enable-dynamicplugin
# make
# make install
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort
# cd /root/snortinstall/snort-2.8.1/etc/
# cp * /etc/snort
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
# cd /root/snortinstall
Go to http://www.snort.org and register.
Only registered users can download the Sourcefire VRT Certified Rules (registered user release).
Download snortrules-snapshot-2.8.tar.gz.
Copy the file to /root/snortinstall on the Snort server.
# tar -zxvf snortrules-snapshot-2.8.tar.gz
# cd /root/snortinstall/rules
# cp * /etc/snort/rules
# vi /etc/snort/snort.conf
Change the following:
var HOME_NET 10.0.0.0/8        (HOME_NET: your internal address range; do not leave it as "any", or rules keyed on $HOME_NET lose their direction)
var EXTERNAL_NET !$HOME_NET    (EXTERNAL_NET: everything that is not HOME_NET)
var RULE_PATH /etc/snort/rules
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
Save. The unified outputs write binary spool files under /var/log/snort; Barnyard reads those and does the MySQL inserts, so Snort itself never blocks on the database.
# cd /etc/rc.d/init.d
# wget http://internetsecurityguru.com/snortinit/snort
Read the script before enabling it: it comes from a third-party site over plain HTTP and will run as root at boot.
# chmod 755 snort
# chkconfig snort on

★Set up MySQL
# chkconfig mysqld on
# service mysqld start
# mysql
mysql> set password for root@localhost=password('snort');
mysql> create database snort;
mysql> grant create,insert,select,delete,update on snort.* to snort@localhost identified by 'snort';
mysql> exit
Everything here talks to MySQL over the local socket, so the snort account only needs to exist for localhost and only needs rights on the snort database; nothing should connect as root. Pick a real password in place of 'snort'; it is entered again in barnyard.conf and base_conf.php below.
Load the Snort table schema shipped in the source tree into the new database (it prompts for the root password just set):
# mysql -u root -p snort < /root/snortinstall/snort-2.8.1/schemas/create_mysql

★Barnyard install
# cd /root/snortinstall
# wget http://snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
# tar -zxvf barnyard-0.2.0.tar.gz
# cd barnyard-0.2.0
# ./configure --enable-mysql
# make
# make install
# cd /root/snortinstall/barnyard-0.2.0/etc/
# cp barnyard.conf /etc/snort
# vi /etc/snort/barnyard.conf
Change the following (the MySQL user is the snort account created above, not root; Barnyard only needs to insert events):
config daemon
config hostname: ATT1IDS
config interface: eth0
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snort
output log_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full
Save, then start Snort in the foreground to test:
# snort -c /etc/snort/snort.conf
When it stops at "Not Using PCAP_FRAMES" it is running normally; press Ctrl+C to stop it.
# ls -l /var/log/snort
There should be two files, similar to:
snort.alert.1209025984
snort.log.1209025984
# cd /etc/rc.d/init.d
# wget http://www.internetsecurityguru.com/barnyard
This too is a third-party script fetched over plain HTTP; read it before enabling it.
# chmod 755 barnyard
# chkconfig barnyard on
# service barnyard start

★BASE install
# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
# cd /root/snortinstall
# wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb504a.tgz
# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz
# cd /var/www
# tar -zxvf /root/snortinstall/adodb504a.tgz
# mv adodb5 adodb
# cd /var/www/html
# tar -zxvf /root/snortinstall/base-1.3.9.tar.gz
# mv base-1.3.9 base
# cd /var/www/html/base
# cp base_conf.php.dist base_conf.php
# vi base_conf.php
Change the following:
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "snort";        (the password given to snort@localhost in the MySQL step, the same one barnyard.conf uses)
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB
Save. base_conf.php now holds a database password, so keep it readable only by root and the apache group, not by everyone.
# service snort start
Open https://YourHostIP/base in IE to test.
Click the "Setup page" link.
Click the "Create BASE AG" button.
If it succeeds, a series of success messages appears in red.
Go to the "Main page" to view the console.
Snort installation complete!
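The whole chain is configured at this point. As an added example, not from the original post, here is a small shell script that checks the things this walkthrough depends on: that snort.conf has a real HOME_NET, EXTERNAL_NET set to its complement and both unified outputs enabled; that barnyard.conf and base_conf.php use the snort MySQL account rather than root and agree on the password; that the two files holding that password are not world-readable; and which snort.alert spool in /var/log/snort is newest. The script name ids-check.sh, the argument order, and the sample configs it builds when run with no arguments are assumptions for illustration.

```shell
#!/bin/sh
# ids-check.sh: post-install sanity checks for the Snort -> Barnyard -> MySQL -> BASE
# chain built above. Added example, not part of the original post. Paths are passed
# as arguments so the functions can run against /etc/snort or against copies.

# HOME_NET must be a real range (not "any"), EXTERNAL_NET its complement, and
# both unified outputs must be on, otherwise Barnyard has no spool to read.
check_snort_conf() {
    conf=$1
    home_net=$(sed -n 's/^var HOME_NET[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf")
    ext_net=$(sed -n 's/^var EXTERNAL_NET[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf")
    if [ -z "$home_net" ] || [ "$home_net" = "any" ]; then
        echo "HOME_NET unset or 'any': rules keyed on \$HOME_NET lose direction" >&2; return 1
    fi
    if [ "$ext_net" != '!$HOME_NET' ]; then
        echo "EXTERNAL_NET should be !\$HOME_NET, found '$ext_net'" >&2; return 1
    fi
    if ! grep -q '^output alert_unified:' "$conf" || ! grep -q '^output log_unified:' "$conf"; then
        echo "unified output missing: Barnyard will have nothing to read" >&2; return 1
    fi
    return 0
}

# Barnyard and BASE must both use the dedicated snort account (rights on snort.*
# only), never root, and their passwords must agree or BASE shows an empty console.
check_db_creds() {
    by_conf=$1; base_conf=$2
    if grep -E '^output (alert|log)_acid_db:.*user root(,| |$)' "$by_conf" >/dev/null; then
        echo "barnyard.conf writes to MySQL as root; use the snort account" >&2; return 1
    fi
    by_pass=$(sed -n 's/^output alert_acid_db:.*password \([^,[:space:]]*\).*/\1/p' "$by_conf" | head -n 1)
    base_user=$(sed -n 's/^\$alert_user *= *"\([^"]*\)".*/\1/p' "$base_conf")
    base_pass=$(sed -n 's/^\$alert_password *= *"\([^"]*\)".*/\1/p' "$base_conf")
    if [ "$base_user" = "root" ]; then
        echo "base_conf.php connects to MySQL as root" >&2; return 1
    fi
    if [ -z "$by_pass" ] || [ "$by_pass" != "$base_pass" ]; then
        echo "barnyard.conf and base_conf.php disagree on the snort password" >&2; return 1
    fi
    return 0
}

# Files holding the database password must not be world-readable (mode ending in 4-7).
check_secret_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ -n "$mode" ] || { echo "cannot stat $1" >&2; return 1; }
    case "$mode" in
        *[4567]) echo "$1 is world-readable (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}

# Newest alert spool written by the unified output: prints its epoch suffix,
# nothing if the directory holds no snort.alert.<epoch> file.
latest_alert_spool() {
    ls "$1"/snort.alert.* 2>/dev/null | sed 's/.*snort\.alert\.//' | grep -E '^[0-9]+$' | sort -n | tail -n 1
}

# Usage against the live install:
#   sh ids-check.sh /etc/snort/snort.conf /etc/snort/barnyard.conf \
#                   /var/www/html/base/base_conf.php /var/log/snort
if [ $# -eq 4 ]; then
    rc=0
    check_snort_conf "$1"    || rc=1
    check_db_creds "$2" "$3" || rc=1
    check_secret_perms "$2"  || rc=1
    check_secret_perms "$3"  || rc=1
    echo "newest alert spool: snort.alert.$(latest_alert_spool "$4")"
    exit $rc
else
    # No arguments: demonstrate on constructed copies of the page's barnyard.conf,
    # once with root credentials and once with the dedicated snort account.
    tmp=$(mktemp -d)
    echo 'output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password snort' > "$tmp/barnyard-root.conf"
    echo 'output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snort' > "$tmp/barnyard-snort.conf"
    printf '%s\n' '$alert_user = "snort";' '$alert_password = "snort";' > "$tmp/base_conf.php"
    check_db_creds "$tmp/barnyard-root.conf"  "$tmp/base_conf.php" && echo "root creds: accepted" || echo "root creds: rejected"
    check_db_creds "$tmp/barnyard-snort.conf" "$tmp/base_conf.php" && echo "snort creds: accepted" || echo "snort creds: rejected"
    rm -rf "$tmp"
fi
```

Run it after every edit to snort.conf, barnyard.conf or base_conf.php; a non-zero exit means one of the four checks printed a reason on stderr. The password check deliberately reads the plain-text values out of both files, which is exactly why the permission check on those files matters.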

★Securing the BASE directory:
# mkdir /var/www/passwords
# /usr/bin/htpasswd -c /var/www/passwords/passwords admin
This creates the account admin and prompts you for its password. The file sits outside the DocumentRoot (/var/www/html), so Apache never serves it.
# vi /etc/httpd/conf/httpd.conf
Find this block:
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
</Directory>

Add a block for /var/www/html/base after it:

<Directory "/var/www/html/base">
    AuthType Basic
    AuthName "SnortIDS"
    AuthUserFile /var/www/passwords/passwords
    Require user admin
</Directory>

Basic auth sends the password base64-encoded, not encrypted, so only reach the console over the https URL that mod_ssl (installed above) provides.
Save, then restart Apache:
# service httpd restart

★E-mail alarm notification (optional)
# vi /etc/aliases
Change the following (enter the administrator's mailbox):
# Person who should get root's mail
root: me@mydomain.com
Save and run newaliases:
# newaliases
(Edit /usr/share/logwatch/default.conf/logwatch.conf to change the level of detail in the mailed report.)

★NTOP install (not yet tested)
# yum install ntop

★Two-NIC setup
sniffing interface: eth0 (brought up without an IP address, so the sensor cannot be addressed from the segment it monitors)
management interface: eth1

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
Change the following:
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0D:60:A8:9D:1D
ONBOOT=yes
TYPE=Ethernet

# vi /etc/sysconfig/network-scripts/ifcfg-eth1
Change the following:
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
HWADDR=00:04:75:83:fe:62
TYPE=Ethernet
HOSTNAME=ATT1IDS.att.amkor.com
IPADDR=10.1.1.50
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=yes
GATEWAY=10.1.1.254
IPV6INIT=no
