系统环境:rh as3+apache+php+snort+base 所需snort相关软件包: adodb462.tgz base-1.2.6.tar.gz Image_Canvas-0.3.0.tar.gz //Image_Color-1.0.2.tar.gz Image_Graph-0.7.2.tar.gz libpcap-0.9.5.tar.gz pcre-6.7.tar.gz snort-2.6.0.tar.gz snortrules-pr-2.4.tar.gz
下载软件: wget http://download.sso.cn/security/ids/snort_base/adodb462.tgz wget http://download.sso.cn/security/ids/snort_base/base-1.2.6.tar.gz wget http://download.sso.cn/security/ids/snort_base/Image_Canvas-0.3.0.tar.gz wget http://download.sso.cn/security/ids/snort_base/Image_Color-1.0.2.tar.gz wget http://download.sso.cn/security/ids/snort_base/Image_Graph-0.7.2.tar.gz wget http://download.sso.cn/security/ids/snort_base/install.txt wget http://download.sso.cn/security/ids/snort_base/libpcap-0.9.5.tar.gz wget http://download.sso.cn/security/ids/snort_base/pcre-6.7.tar.gz wget http://download.sso.cn/security/ids/snort_base/snort-2.6.0.tar.gz wget http://download.sso.cn/security/ids/snort_base/snortrules-pr-2.4.tar.gz
软件安装路径: snort: /usr/local/snort rules: /usr/local/snort/rules snort.conf /usr/local/snort/conf/snort.conf adodb: /usr/local/snort/adodb base: /usr/local/snort/base libpcap: /usr/local/snort/libpcap pcre /usr/local/snort/pcre
1 配置apache+php+mysql环境
2 安装snort前提组件libpcap-0.9.5.tar.gz和pcre-6.7.tar.gz
tar zxvf libpcap-0.9.5.tar.gz cd libpcap-0.9.5 ./configure --prefix=/usr/local/snort/libpcap make make install
tar zxvf pcre-6.7.tar.gz cd pcre-6.7 ./configure --prefix=/usr/local/snort/pcre make make install
3 安装snort-2.6.0.tar.gz并加载plugin groupadd snort useradd -g snort -s /sbin/nologin
建立日志文件目录和配置文件目录: mkdir /var/log/snort mkdir /usr/local/snort/conf
tar zxvf snort-2.6.0.tar.gz cd snort-2.6.0 ./configure --prefix=/usr/local/snort --with-mysql \ --with-libpcap-includes=/usr/local/snort/libpcap/include \ --with-libpcap-libraries=/usr/local/snort/libpcap/lib \ --with-libpcre-includes=/usr/local/snort/pcre/include \ --with-libpcre-libraries=/usr/local/snort/pcre/lib \ --enable-dynamicplugin make make install
4 配置snort并加载rules cp etc/classification.config /usr/local/snort/conf cp etc/reference.config /usr/local/snort/conf cp etc/snort.conf /usr/local/snort/conf cp etc/unicode.map /usr/local/snort/conf 我查看过snort.conf文件,好象只用如上几个配置文件就可以了,如果有错误,可以使用: cp etc/* /usr/local/snort/conf
创建snort数据库,并导入数据 mysql -uroot -prootpassword -e "create database snrot" mysql -uroot -prootpassword -e "grant all on snort.* to snort@localhost identified by 'snort'" mysql -usnort -psnort
tar zxvf snortrules-pr-2.4.tar.gz mv rules /usr/local/snort/
启动snort /usr/local/snort/bin/snort -c /usr/local/snort/conf/snort.conf -i eth0 -g snort -D 如果实现开机自动启动,把上面的语句添加到/etc/rc.local
5 安装adodb和base tar zxvf base-1.2.6.tar.gz mv base-1.2.6 /usr/local/snort/base
tar zxvf adodb462.tgz mv adodb /usr/local/snort/
6 配置base_conf.php cd /usr/local/base cp base_conf.php.dist base_conf.php 修改 “base_conf.php” $BASE_urlpath = "/base"; $DBlib_path = "../adodb "; $DBtype = "mysql"; $alert_dbname = 'snort'; $alert_host = 'localhost'; $alert_port = ''; $alert_user = 'snort'; $alert_password = 'snort';
7 配置apache 在httpd.conf文件中加入如下: Alias /base /usr/local/snort/base 这样您就可以在 http://ip/base
参考文档 http://download.sso.cn/security/ids/snort_base/snort_base_SSL.pdf http://download.sso.cn/security/ids/snort_base/snort-barnyard.pdf http://download.sso.cn/security/ids/snort_base/Snortman.htm http://www.snort.org/docs/faq.html http://www.snort.org/docs/