snort

Snort是一個網絡***檢測系統,它可以分析網絡上的數據包,用以決定一個系統是否被遠程***了。多數Linux發行版本都有Snort程序,因此通過urpmi、apt-get、yum等安裝Snort是一件很輕鬆的事情。Snort可以將其收集的信息寫到多種不同的存儲位置以便於日後的分析。此外,Snort可被用作一個簡單的數據包記錄器、嗅探器,當然它主要是一個成熟的NDIS(網絡***檢測系統)。


實驗環境

centos6.8_x64

snort_master    192.168.1.101

windows_slave  192.168.1.102

測試 windows_slave ping 192.168.1.101 -t 不斷髮ping包


實驗軟件

adodb519.tar.gz

base-1.4.5.tar.gz

barnyard2-1.9.tar.gz

daq-2.0.4.tar.gz

libdnet-1.12.tgz

snort-2.9.7.0.tar.gz

snortrules-snapshot-2983.tar.gz


軟件安裝

yum install -y httpd mysql-server

yum install -y mcrypt libmcrypt libmcrypt-devel libpcap libpcap-devel

yum install -y gcc flex bison zlib libpcap tcpdump gcc-c++ pcre* zlib* libdnet libdnet-devel

yum install -y php php-mysql php-mbstring php-mcrypt mysql-devel php-gd php-pear

sed -i.bak  "s/#ServerName www.example.com:80/ServerName *:80/g" /etc/httpd/conf/httpd.conf   sed.bak爲修改備份

ll  /etc/httpd/conf/httpd.conf

httpd.conf      httpd.conf.bak  


tar zxvf libdnet-1.12.tgz

cd libdnet-1.12

./configure && make && make install

 

tar zxvf daq-2.0.4.tar.gz
cd daq-2.0.4

./configure && make && make install

 

tar zxvf barnyard2-1.9.tar.gz

service mysqld start

mysqladmin  -uroot password  mysqlroot密碼

mysql -uroot -pmysqlroot密碼

create database snort;

grant create,select,update,insert,delete on snort.* to snort@localhost identified by 'snort';

mysql  -usnort  -psnort

mysql>

mysql -usnort -psnort -Dsnort < /root/barnyard2-1.9/schemas/create_mysql


cd  barnyard2-1.9

./configure  --with-mysql --with-mysql-libraries=/usr/lib64/mysql/

make &&  make install

mkdir -pv /var/log/barnyard2

mkdir -pv /var/log/snort

mkdir -pv /etc/snort

touch  /var/log/snort/barnyard2.waldo

cp -pv /root/barnyard2-1.9/etc/barnyard2.conf /etc/snort/


cp -pv  /etc/snort/barnyard2.conf /etc/snort/barnyard2.conf.bak

vim  /etc/snort/barnyard2.conf

config logdir:/var/log/barnyard2

config hostname:      localhost

config interface:       eth0  監聽網卡

config waldo_file:/var/log/snort/barnyard2.waldo

output database: log, mysql, user=snort password=snort dbname=snort host=localhost


tar zxvf  snort-2.9.7.0.tar.gz

cd snort-2.9.7.0

./configure  && make && make install


mkdir -pv  /etc/snort

mkdir -pv  /var/log/snort

mkdir -pv  /usr/local/lib/snort_dynamicrules

mkdir -pv  /etc/snort/rules

mkdir -pv  /etc/snort/so_rules
mkdir -pv  /etc/snort/preproc_rules

touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

cp -pv  /root/snort-2.9.7.0/etc/gen-msg.map  /etc/snort/

cp -pv  /root/snort-2.9.7.0/etc/threshold.conf /etc/snort/

cp -pv  /root/snort-2.9.7.0/etc/classification.config /etc/snort/

cp -pv  /root/snort-2.9.7.0/etc/reference.config /etc/snort/

cp -pv  /root/snort-2.9.7.0/etc/unicode.map /etc/snort/

cp -pv  /root/snort-2.9.7.0/etc/snort.conf /etc/snort/


vim /etc/snort/snort.conf       

var RULE_PATH  /etc/snort/rules/

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH  /etc/snort/rules

var BLACK_LIST_PATH  /etc/snort/rules

config logdir: /var/log/snort

# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

output unified2: filename snort.log,limit 128


tar zxvf snortrules-snapshot-2983.tar.gz  -C  /etc/snort/

cp  -pv  /etc/snort/etc/sid-msg.map  /etc/snort/

 

snort -T -i eth0  -c /etc/snort/snort.conf  &

21.jpg

Snort successfully validated the configuration!
Snort exiting

 

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log  -w /var/log/snort/barnyard2.waldo  &

11.jpg


barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D     &

snort -c /etc/snort/snort.conf -i eth0  -D  &

killall -9 snort   

killall -9 barnyard2   殺死進程


tar zxvf adodb519.tar.gz

tar zxvf base-1.4.5.tar.gz

mv /root/adodb5 /var/www/html/adodb

mv /root/base-1.4.5 /var/www/html/base

chown -R apache:apache /var/www/html/

chmod 755 /var/www/html/adodb/

touch /var/www/html/test.html

echo welcome to server > /var/www/html/test.html   建立apache測試頁


sed -i  's/#AddType application/AddType application/g' /etc/httpd/conf/httpd.conf   配置apahce/php 結合

sed -i  '765 aAddType application/x-httpd-php .php' /etc/httpd/conf/httpd.conf 

765行插入AddType application/x-httpd-php .php配置   a爲插入配置內容 


netstat -tuplna | grep mysql

tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      28424/mysqld  

 

netstat -tuplna | grep httpd

tcp        0      0 :::80                       :::*                        LISTEN      28460/httpd


ps -ef | grep snort

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

snort -c /etc/snort/snort.conf -i eth0 -D


service mysqld restart

service httpd restart

chkconfig --level 35 httpd on

chkconfig --level 35 mysqld on


cp -pv /etc/snort/rules/local.rules /etc/snort/rules/local.rules.bak    添加測試規則

echo "alert icmp any any -> any any (msg: "IcmP Packet detected";sid:1000001;)" >> /etc/snort/rules/local.rules

cat /etc/snort/rules/local.rules | grep alert

alert icmp any any -> any any (msg: IcmP Packet detected;sid:1000001;)


touch /var/www/html/test.php      php測試頁,測試完畢最好即可刪除

echo "<?php phpinfo(); ?>" >  /var/www/html/test.php


curl http://localhost/index.html

welcome to server


http://serverip/test.php

11.jpg


http://serviceip/base/setup/index.php

21.jpg


22.jpg


23.jpg


24.jpg


25.jpg


27.jpg


28.jpg


cp -pv /etc/rc.d/rc.local  /etc/rc.d/rc.local.bak   設置服務開機啓動

echo "snort -T -i eth0  -c /etc/snort/snort.conf  &" >> /etc/rc.d/rc.local

echo "barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log  -w /var/log/snort/barnyard2.waldo  &" >> /etc/rc.d/rc.local

echo "barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D &"   >> /etc/rc.d/rc.local

echo "snort -c /etc/snort/snort.conf -i eth0 -D &" >> /etc/rc.d/rc.local


cat /etc/rc.d/rc.local

snort -T -i eth0  -c /etc/snort/snort.conf  &

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log  -w /var/log/snort/barnyard2.waldo  &

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D &

snort -c /etc/snort/snort.conf -i eth0 -D &

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章