Notes on installing and configuring a NIDS with Apache + PHP + MySQL + Snort + ACID on RHEL 5.4

To meet the company's information security requirements, last week I set up a network intrusion detection system (NIDS); today I am writing down the installation process for my own and other friends' future reference.
For the successful installation of this NIDS and the writing of this article I consulted many related documents online (not listed here), and I am very grateful to those who came before for their selfless sharing.
I. Installation environment
Operating system: Red Hat Enterprise Linux 5.4
Database: MySQL mysql-5.1.46
Web server: Apache httpd-2.2.15
Web language: PHP php-5.2.13
 
II. Installing MySQL
Package: mysql-5.1.46.tar.gz
Download: http://dev.mysql.com/downloads/mysql/
# tar -zxvf mysql-5.1.46.tar.gz //unpack
# cd mysql-5.1.46 //enter the unpacked directory
# ./configure --prefix=/usr/local/mysql --enable-thread-safe-client --without-debug
(--prefix sets the install directory, --enable-thread-safe-client builds the thread-safe client library, --without-debug disables debugging)
# make //compile
# make install //install
# /usr/local/mysql/bin/mysql_install_db //initialize the grant tables
# chown -R root /usr/local/mysql //set the file owner to root
# chgrp -R root /usr/local/mysql //set the file group to root's group
# /usr/local/mysql/bin/mysqld_safe --user=root & //start MySQL
# /usr/local/mysql/bin/mysqladmin -u root password '123456' //set the root user's password to 123456
Note: if, when testing the configuration after installing Snort later, you get errors that the following files cannot be found (libmysqlclient.so.16 and mysql.sock), fix them as follows:
1. libmysqlclient.so.16:
Method 1: # vi /etc/ld.so.conf and add the following two lines to the file
/usr/local/mysql/lib/mysql
/usr/local/lib
save ld.so.conf and exit
# ldconfig
Method 2: # ln -s /usr/local/mysql/lib/mysql/libmysqlclient.so.16 /usr/local/lib/libmysqlclient.so.16
2. mysql.sock:
# ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock
 
III. Installing Apache
Package: httpd-2.2.15.tar.gz
Download: http://httpd.apache.org/download.cgi
# tar -zxvf httpd-2.2.15.tar.gz
# cd httpd-2.2.15
# ./configure --prefix=/usr/local/apache --enable-module=most --enable-shared=max --enable-so
# make
# make install
# /usr/local/apache/bin/apachectl start //start Apache
 
IV. Installing PHP
Package: php-5.2.13.tar.gz
Download: http://www.php.net/downloads.php
# tar -zxvf php-5.2.13.tar.gz
# cd php-5.2.13
# ./configure --prefix=/usr/local/php \
--with-mysql=/usr/local/mysql --with-apxs2=/usr/local/apache/bin/apxs --with-zlib --with-gd --enable-sockets --disable-debug
# make
# make install
# cp php.ini-dist /usr/local/php/lib/php.ini
 
V. Configuring Apache's httpd.conf and testing
1. Edit /usr/local/apache/conf/httpd.conf
Add index.php after DirectoryIndex
Add the following two lines after the AddType application lines
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
2. Restart Apache
# /usr/local/apache/bin/apachectl restart
3. Test
Create an index.php file in the document root directory with the following content:
<?php
phpinfo();
?>
Enter http://<server IP>/ in a browser.
If the PHP information page appears, Apache + PHP + MySQL are configured successfully; check the gd and mysql support entries on that page.
 
VI. Installing Snort
1. Install pcre
Package: pcre-8.02.tar.gz
Download: http://sourceforge.net/projects/pcre/files/
# tar -zxvf pcre-8.02.tar.gz
# cd pcre-8.02
# ./configure
# make
# make install
2. Install snort
Package: snort-2.4.5.tar.gz
Download: http://down1.chinaunix.net/distfiles/snort-2.4.5.tar.gz
# tar -zxvf snort-2.4.5.tar.gz
# cd snort-2.4.5
# ./configure --with-mysql
# make
# make install
# mkdir /etc/snort //create the snort directory
# cd etc //the etc directory inside the snort source tree
# cp * /etc/snort //copy the configuration files
3. Install the snort rules
Package: snortrules-pr-2.4.tar.gz
Download: http://down1.chinaunix.net/distfiles/snortrules-pr-2.4.tar.gz
# tar -zxvf snortrules-pr-2.4.tar.gz
# cd rules
# mkdir /etc/snort/rules //create the snort rules directory
# mkdir /var/log/snort //create the snort log directory
# cp * /etc/snort/rules //copy the rules
4. Edit /etc/snort/snort.conf
Change var HOME_NET to 192.168.6.0/24 //your actual working network segment
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
Remove the # in front of the following line and change it to:
output database: log, mysql, user=root password=<MySQL password> dbname=snort host=localhost
Remove the # in front of each of the following 11 lines:
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
Save and exit
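The snort.conf edits of step 4 can be applied with sed and then checked, because Snort refuses to start when an enabled include points at a rule file that is not under RULE_PATH. This is an added example, not code from the original post; the file path, HOME_NET, RULE_PATH and password are passed in as arguments and the values below are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: apply the snort.conf edits of
# step 4 with sed and then verify that every enabled rule file exists.
# Assumed usage (paths from the post):
#   configure_snort_conf /etc/snort/snort.conf 192.168.6.0/24 /etc/snort/rules 'dbpass'
#   check_rule_files /etc/snort/snort.conf

# configure_snort_conf FILE HOME_NET RULE_PATH DB_PASSWORD
# (the password is spliced into a sed replacement, so it must not contain | or &)
configure_snort_conf() {
    f="$1"; net="$2"; rp="$3"; pw="$4"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # your real working network segment
    sed -i "s|^var HOME_NET .*|var HOME_NET $net|" "$f"
    # absolute rule directory instead of ../rules
    sed -i "s|^var RULE_PATH .*|var RULE_PATH $rp|" "$f"
    # uncomment the MySQL output plugin line and fill in the credentials
    sed -i "s|^# *output database: log, *mysql.*|output database: log, mysql, user=root password=$pw dbname=snort host=localhost|" "$f"
    # uncomment the 11 rule includes named in the post
    for r in web-attacks backdoor shellcode policy porn info icmp-info virus chat multimedia p2p; do
        sed -i "s|^# *include \\\$RULE_PATH/$r\.rules|include \$RULE_PATH/$r.rules|" "$f"
    done
}

# check_rule_files FILE: print every rule file that snort.conf includes but that
# is missing under RULE_PATH; returns 1 if any is missing (snort would not start)
check_rule_files() {
    f="$1"; rc=0
    rp=$(sed -n 's/^var RULE_PATH //p' "$f")
    for rule in $(sed -n 's|^include \$RULE_PATH/||p' "$f"); do
        if [ ! -f "$rp/$rule" ]; then
            echo "missing rule file: $rp/$rule"
            rc=1
        fi
    done
    return $rc
}
```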
 
VII. Creating the snort database and checking the database and its tables
1. Create the snort database
mysql> create database snort;
mysql> grant INSERT,SELECT on snort.* to root@localhost;
mysql> exit
# mysql -u root -p snort < /usr/local/snort-2.4.5/schemas/create_mysql //create the tables for snort
2. Check the database and its tables
# mysql -u root -p
Enter password:  //enter the root password
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.46 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| snort              |
| test               |
+--------------------+
4 rows in set (0.02 sec)

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

mysql> exit;
If you see the tables above, the schema was created successfully.
 
VIII. Installing, configuring and testing ACID
1. Packages
Package: acid-0.9.6b23.tar.gz
Download: http://acidlab.sourceforge.net/
Package: adodb511.tgz
Download: http://sourceforge.net/projects/adodb/files/
Package: jpgraph-1.16.tar.gz
Download: http://sourceforge.net/projects/jpgraph/files/
2. Install ACID and its supporting libraries
Put acid-0.9.6b23.tar.gz, adodb511.tgz and jpgraph-1.16.tar.gz into the web root directory; here that is /usr/local/apache/htdocs
# cd /usr/local/apache/htdocs
# tar -zxvf jpgraph-1.16.tar.gz
# tar -zxvf adodb511.tgz
# mv jpgraph-1.16 jpgraph
# mv adodb5 adodb
# tar -zxvf acid-0.9.6b23.tar.gz
3. Edit /usr/local/apache/htdocs/acid/acid_conf.php
Change $DBlib_path = ""; to $DBlib_path = "/usr/local/apache/htdocs/adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "test"; //change to your database password
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "test"; //change to your database password
Change $ChartLib_path = ""; to $ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";
Save and exit
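acid_conf.php sits inside the web root and holds the database password, so after filling in step 3 it is worth checking that no placeholder password is left and that the file is readable only by root and the group httpd runs as. This is an added example, not code from the original post; the document root and paths are the post's, and the httpd group is an assumption (the Group directive in httpd.conf, "daemon" by default for a source build).

```shell
#!/bin/sh
# Added example, not from the original post: fill in acid_conf.php from step 3
# and make sure the file that holds the DB password is not world-readable.
# Assumed usage (paths from the post; "daemon" is the assumed httpd group):
#   configure_acid_conf /usr/local/apache/htdocs/acid/acid_conf.php /usr/local/apache/htdocs root 'dbpass'
#   restrict_acid_conf  /usr/local/apache/htdocs/acid/acid_conf.php daemon
#   check_acid_conf     /usr/local/apache/htdocs/acid/acid_conf.php

# configure_acid_conf FILE DOCROOT DB_USER DB_PASSWORD
# (values are spliced into sed replacements, so they must not contain | or &)
configure_acid_conf() {
    f="$1"; root="$2"; user="$3"; pw="$4"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    sed -i "s|^[\$]DBlib_path *=.*|\$DBlib_path = \"$root/adodb\";|" "$f"
    sed -i "s|^[\$]ChartLib_path *=.*|\$ChartLib_path = \"$root/jpgraph/src\";|" "$f"
    # the post points both the alert and the archive connection at the snort DB
    for p in alert archive; do
        sed -i "s|^[\$]${p}_dbname *=.*|\$${p}_dbname = \"snort\";|" "$f"
        sed -i "s|^[\$]${p}_host *=.*|\$${p}_host = \"localhost\";|" "$f"
        sed -i "s|^[\$]${p}_user *=.*|\$${p}_user = \"$user\";|" "$f"
        sed -i "s|^[\$]${p}_password *=.*|\$${p}_password = \"$pw\";|" "$f"
    done
}

# restrict_acid_conf FILE WEB_GROUP: owned by root, readable by the httpd group only
restrict_acid_conf() {
    chown "root:$2" "$1" && chmod 640 "$1"
}

# check_acid_conf FILE: fail if the placeholder "test" (or an empty) password is
# still present or if the file is readable by everyone (mode has the o+r bit)
check_acid_conf() {
    f="$1"; rc=0
    if grep -Eq '_password *= *"(test|)";' "$f"; then
        echo "placeholder or empty password in $f"; rc=1
    fi
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "$f is world-readable"; rc=1
    fi
    return $rc
}
```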
4. Configure and test
Restart Apache
# /usr/local/apache/bin/apachectl restart
Run snort so that it writes data into MySQL
# snort -c /etc/snort/snort.conf
In a browser open
http://<your host address>/acid/acid_main.php, click the "Setup Page" link -> Create Acid AG
Then visit http://<your host address>/acid/ and the ACID interface appears.
Scan the host with some scanning tools; this generates alert records, which can be viewed by visiting ACID.
 
The Apache + PHP + MySQL + Snort + ACID setup on RHEL 5.4 is complete; here are a few screenshots to show it off.
 