為什么,要寫這篇論文?
是因為,目前科研的我,正值研三,致力於網絡安全、大數據、機器學習研究領域!
論文方向的需要,同時不局限於真實物理環境機器實驗室的攻防環境、也不局限於真實物理機器環境實驗室的大數據集群平台。在此,為了需要的博友們,能在自己虛擬機里(我這里是CentOS6.5)來搭建部署snort+barnyard2+base的入侵檢測系統。分享與交流是進步的階梯!
同時,本人還嘗試過在Ubuntu14.04里搭建這入侵檢測系統的環境。同時,還嘗試過在win7\win10里搭建這入侵檢測系統的環境。
同時,也歡迎做報警數據方向的煙酒僧留言評論加好友交流。歡迎指正!謝謝。
base和acid的關系
同時,
最佳安全工具100款
http://www.92to.com/bangong/2016/04-08/2996883.html
用於分析Snort 警報的網頁形式的引擎 Basic Analysis and Security Engine (BASE)可免費獲得。
原來,這里面也有base。
VMware下OSSIM 5.2.0的下載、安裝和初步使用(圖文詳解)
在Ubuntu和CentOS里,用base居多。
在windows里,用acid居多。但是,我這篇博客,acid和base都演示。(反而我更喜歡用base)
見
基於Windows7下snort+apache+php 7 + acid(或者base) + adodb + jpgraph的入侵檢測系統的搭建(圖文詳解)(博主推薦)
一、准備工作
安裝CentOS-6.5-x86_64-bin-DVD1.iso(用CentOS7后面配置base會報錯),給系統設置IP和dns讓系統可以聯網.
DEVICE=eth0 HWADDR=00:0C:29:24:8E:4D TYPE=Ethernet UUID=a1dedb65-2774-4a50-873c-fb5724179247 ONBOOT=yes NM_CONTROLLED=yes BOOTPROTO=static DEFROUTE=yes PEERDNS=yes PEERROUTES=yes IPV4_FAILURE_FATAL=yes IPV6INIT=no NAME="System eth0" IPADDR=192.168.80.68 BCAST=192.168.80.255 GATEWAY=192.168.80.2 NETMASK=255.255.255.0 DNS1=192.168.80.2 DNS2=119.29.29.29
注意,以下操作,都是在root用戶下進行。
1. 安裝wget
[root@datatest ~]# yum install wget -y
2. 更換源
更換成阿里雲源,更新系統、下載軟件速度快
[root@datatest ~]# mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
[root@datatest ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
[root@datatest ~]# yum clean all
[root@datatest ~]# yum makecache
3.更新系統
[root@datatest ~]# yum -y update
4.安裝epel源
[root@datatest ~]# yum install -y epel-release
5.下載安裝文件
把網盤里的安裝文件下載到CentOS里備用(可以利用附件中的FTPServer.exe傳輸),這里放到/root
相關文件下載:http://pan.baidu.com/s/1mgzYhO8(感謝這位貢獻者)
二、安裝配置LMAP
1.安裝LMAP組件
[root@datatest ~]# yum install -y httpd mysql-server php php-mysql php-mbstring php-mcrypt mysql-devel php-gd
2.安裝php插件
[root@datatest ~]# yum install -y mcrypt libmcrypt libmcrypt-devel
3.安裝pear插件
[root@datatest ~]# yum install -y php-pear
[root@datatest ~]# pear upgrade pear
[root@datatest ~]# pear channel-update pear.php.net
[root@datatest ~]# pear install mail
[root@datatest ~]# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
[root@datatest ~]# pear install mail_mime
4.安裝adodb
[root@datatest ~]# tar zxvf adodb519.tar.gz -C /var/www/html
[root@datatest ~]# mv /var/www/html/adodb5 /var/www/html/adodb
5.安裝base
[root@datatest ~]# tar zxvf base-1.4.5.tar.gz -C /var/www/html
[root@datatest ~]# mv /var/www/html/base-1.4.5 /var/www/html/base
6.修改php.ini
[root@datatest ~]# vi /etc/php.ini
error_reporting = E_ALL & ~E_NOTICE
7.設置html目錄權限
[root@datatest ~]# chown -R apache:apache /var/www/html
8.設置adodb權限
[root@datatest ~]# chmod 755 /var/www/html/adodb
9.配置mysql
解壓barnyard2(這里因為,后面我們要用里面的文件創mysql表)
[root@datatest ~]# tar zxvf barnyard2-1.9.tar.gz
啟動mysql
[root@datatest ~]# service mysqld start
設置root密碼為root
[root@datatest ~]# mysqladmin -u root -p password root
以root登陸mysql
[root@datatest ~]# mysql -uroot -proot
創建名為snort的數據庫
[root@datatest ~]# create database snort;
創建名為snort、密碼為snort的數據庫用戶並賦予名為snort數據庫權限
> grant create,select,update,insert,delete on snort.* to snort@localhost identified by 'snort';
> exit
創建數據庫表
[root@datatest ~]# mysql -usnort -p -Dsnort < /root/barnyard2-1.9/schemas/create_mysql
10.配置base
#service mysqld start 啟動mysql
#service httpd start 啟動apache
#service iptables stop 關閉防火牆
用Centos里的瀏覽器或者windows里的瀏覽器。都可以,打開http://192.168.80.68/base/setup/index.php(IP換成你自己的)
1.點擊Continuue(如下,我CentOS里的瀏覽器和windows里的瀏覽器,都截圖給大家展示)
2.選擇顯示語言,設置adodb路徑
3.配置數據庫
4.設置admin用戶和密碼(這里應該是設置admin的用戶和密碼,我這里是admin)
5.點擊“Createe BASE AG”
6.成功的話會有紅色successfilly created字樣,如下圖(Centos7沒有,原因未知),點擊“step 5”
7.安裝成功
三、安裝配置snort+barnyard2
1.安裝依賴包
[root@datatest ~]# yum install -y gcc flex bison zlib libpcap tcpdump gcc-c++ pcre* zlib* libdnet libdnet-devel
2.安裝libdnet(這里必須是這個版本)
[root@datatest ~]# tar zxvf libdnet-1.12.tgz
[root@datatest ~]# cd libdnet-1.12
[root@datatest ~]# ./configure && make && make install
3.安裝libpcap
[root@datatest ~]# wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
[root@datatest ~]# tar zxvf libpcap-1.0.0.tar.gz
[root@datatest ~]# cd libpcap-1.0.0
[root@datatest ~]# ./configure && make && make install
4.安裝DAQ
[root@datatest ~]# tar zxvf daq-2.0.4.tar.gz
[root@datatest ~]# cd daq-2.0.4
[root@datatest ~]# ./configure && make && make install
5.安裝snort
[root@datatest ~]# tar zxvf snort-2.9.7.0.tar.gz
[root@datatest ~]# cd snort-2.9.7.0
[root@datatest ~]# ./configure && make && make install
6.配置snort
創建需要的文件和目錄
[root@datatest ~]# mkdir /etc/snort
[root@datatest ~]# mkdir /var/log/snort
[root@datatest ~]# mkdir /usr/local/lib/snort_dynamicrules
[root@datatest ~]# mkdir /etc/snort/rules
[root@datatest ~]# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
[root@datatest ~]# cp /root/snort-2.9.7.0/etc/gen-msg.map /root/snort-2.9.7.0/etc/threshold.conf /root/snort-2.9.7.0/etc/classification.config /root/snort-2.9.7.0/etc/reference.config /root/snort-2.9.7.0/etc/unicode.map /root/snort-2.9.7.0/etc/snort.conf /etc/snort/ cp: overwrite `/etc/snort/gen-msg.map'? y cp: overwrite `/etc/snort/threshold.conf'? y cp: overwrite `/etc/snort/classification.config'? y cp: overwrite `/etc/snort/reference.config'? y cp: overwrite `/etc/snort/unicode.map'? y
編輯配置文件
[root@datatest ~]# vi /etc/snort/snort.conf
修改路徑變量
var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules
設置log目錄
config logdir:/var/log/snort
配置輸出插件
output unified2:filename snort.log,limit 128
#output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
改為
7.配置默認規則
[root@datatest ~]# tar zxvf snortrules-snapshot-2970.tar.gz -C /etc/snort/
如果沒有,用snortrules-snapshot-2980.tar.gz 或者 snortrules-snapshot-2990.tar.gz。
然后,執行
cp /etc/snort/etc/sid-msg.map /etc/snort/
8.測試snort
[root@datatest ~]# snort -T -i eth0 -c /etc/snort/snort.conf
因為,之前,我配置的是eth0網卡。
參數解釋:
-T 指定啟動模式:測試
-i 指定網絡接口
-c 指定配置文件
如果出現“success”的字樣說明配置好了。
按ctrl+c終止snort測試就好。
9.安裝barnyard2
[root@datatest ~]# cd /root/barnyard2-1.9
[root@datatest ~]# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
然后,執行
[root@datatest ~]# make && make install
10.配置barnyard2
創建需要的文件和目錄
[root@datatest ~]# mkdir /var/log/barnyard2
[root@datatest ~]# touch /var/log/snort/barnyard2.waldo
[root@datatest ~]# cp /root/barnyard2-1.9/etc/barnyard2.conf /etc/snort
修改配置文件
[root@datatest ~]# vi /etc/snort/barnyard2.conf
[root@datatest ~]# config logdir:/var/log/barnyard2
config hostname:localhost
config interface:eth0
config waldo_file:/var/log/snort/barnyard2.waldo
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
11.測試barnyard2
[root@datatest ~]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
參數解釋:
-c 指定配置文件
-d 指定log目錄
-f 指定log文件
-w 指定waldo文件
如果出現“Waiting for new spool file”字樣則表示barnyard2配置成功
按ctrl+c終止測試
這是頭小豬,哈哈哈!!!
四、測試IDS是否正常工作
1.添加測試規則
[root@datatest ~]# vi /etc/snort/rules/local.rules
# Copyright 2001-2013 Sourcefire, Inc. All Rights Reserved. # # This file contains (i) proprietary rules that were created, tested and certified by # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by # Sourcefire and other third parties (the "GPL Rules") that are distributed under the # GNU General Public License (GPL), v2. # # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a # list of third party owners and their respective copyrights. # # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer # to the VRT Certified Rules License Agreement (v2.0). # #------------- # LOCAL RULES #-------------
這是個測試規則的配置文件。
添加一條檢查ping包的規則
alert icmp any any -> any any (msg: "IcmP Packet detected";sid:1000001;)
規則注解:
alert 觸發規則后做出的動作
icmp 協議類型
第一個any 源IP(網段),any表示任意
第二個any 源端口,any表示任意
-> 表示方向
第三個any 目標IP(網段),any表示任意
第四個any 目標端口,any表示任意
Msg字符 告警名稱
Sid id號,個人編寫的規則使用1,000,000以上
ID: 報警序號
特征: 報警名稱 對應Msg字段
2.配置IDS啟動腳本
配置啟動腳本(如果大家不會自己寫這個idsctl腳本的話)
[root@datatest ~]# cp idsctl /sbin
[root@datatest ~]# chmod 755 /sbin/idsct
3.啟動IDS
#service mysqld start 啟動mysql
#service httpd start 啟動apache
#service iptables stop 關閉防火牆
使用腳本啟動ids(都可以的)(因為前面,我扔到了/sbin下了,所以在任何路徑下都可以執行了)
[root@datatest ~]# idsctl start
這個地方啟動有點慢,大概一分鍾吧。
或者手動運行ids(2條命令先后運行,腳本啟動失效可選)(都可以)
[root@datatest ~]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
[root@datatest ~]# snort -c /etc/snort/snort.conf -i eth0 -D
(-D選項用來讓命令轉入后台運行,其他選項意義上文已有解釋)
idsctl腳本內容是
核心是:
#!/bin/bash ########################################################### # runing shell script For IDS # description: IDS by CentOS 6.6,snort-2.9.7.0,barnyard2-1.9 # Edit by qiubibi # QQ Group:187553731 # Versions : 1.0 ########################################################### intface=eth0 case "$1" in stat) sn=`ps -ef | grep snort | grep -v grep |awk '{print $2}'` if [ "${sn}" = "" ] then echo snortt is not runing else echo snort is running fi ;; start) echo "Starting snort" barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D 1>/dev/null snort -c /etc/snort/snort.conf -i $intface -D 1>/dev/null ;; stop) echo "Stopping snort" killall -9 snort barnyard2 ;; restart) echo "Stopping snort" killall -9 snort barnyard2 echo "Starting snort" barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D 1>/dev/null snort -c /etc/snort/snort.conf -i $intface -D 1>/dev/null ;; help) cat <<HELP stop -- stops snort service start -- starts snort service stat -- displays status of snort service restart -- stops and restarts snort HELP ;; *) echo "Usage: $0 {start|stop|restart|stat|help}" exit 1 ;; esac exit 0
4、測試IDS
向IDS的IP發送ping包,base的頁面會出現ICMP告警。
由
變成
[root@datatest ~]# mysql -uroot -proot Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 21 Server version: 5.1.73 Source distribution Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | snort | | test | +--------------------+ 4 rows in set (0.00 sec) mysql> use mysql; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> select host,user from user; +-----------+-------+ | host | user | +-----------+-------+ | 127.0.0.1 | root | | datatest | | | datatest | root | | localhost | | | localhost | root | | localhost | snort | +-----------+-------+ 6 rows in set (0.03 sec) mysql> update user set host = '%' where user ='snort'; Query OK, 1 row affected (0.03 sec) Rows matched: 1 Changed: 1 Warnings: 0 mysql> flush privileges; Query OK, 0 rows affected (0.45 sec) mysql> select host,user from user; +-----------+-------+ | host | user | +-----------+-------+ | % | snort | | 127.0.0.1 | root | | datatest | | | datatest | root | | localhost | | | localhost | root | +-----------+-------+ 6 rows in set (0.00 sec) mysql>
mysql> exit;
Bye
[root@datatest ~]#
然后,大家還要授權,參考我寫的下面這篇博客
http://www.cnblogs.com/zlslch/p/6700695.html
mysql> select user,host,password from mysql.user; +-------+-----------+-------------------------------------------+ | user | host | password | +-------+-----------+-------------------------------------------+ | root | localhost | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B | | root | datatest | | | root | 127.0.0.1 | | | | localhost | | | | datatest | | | snort | % | *EF3DA5F1B03B180B177A126A8B2E739A0A1FAC16 | +-------+-----------+-------------------------------------------+ 6 rows in set (0.00 sec) mysql> GRANT ALL PRIVILEGES ON *.* to 'snort'@'datatest' IDENTIFIED BY 'snort' WITH GRANT OPTION; Query OK, 0 rows affected (0.06 sec) mysql> flush privileges; Query OK, 0 rows affected (0.03 sec) mysql> select user,host,password from mysql.user; +-------+-----------+-------------------------------------------+ | user | host | password | +-------+-----------+-------------------------------------------+ | root | localhost | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B | | root | datatest | | | root | 127.0.0.1 | | | | localhost | | | | datatest | | | snort | % | *EF3DA5F1B03B180B177A126A8B2E739A0A1FAC16 | | snort | datatest | *EF3DA5F1B03B180B177A126A8B2E739A0A1FAC16 | +-------+-----------+-------------------------------------------+ 7 rows in set (0.00 sec) mysql>
然后
mysql> GRANT ALL PRIVILEGES ON *.* to 'snort'@'%' IDENTIFIED BY 'snort' WITH GRANT OPTION; Query OK, 0 rows affected (0.01 sec) mysql> flush privileges; Query OK, 0 rows affected (0.00 sec) mysql> select user,host,password from mysql.user; +-------+-----------+-------------------------------------------+ | user | host | password | +-------+-----------+-------------------------------------------+ | root | localhost | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B | | root | datatest | | | root | 127.0.0.1 | | | | localhost | | | | datatest | | | snort | % | *EF3DA5F1B03B180B177A126A8B2E739A0A1FAC16 | | snort | datatest | *EF3DA5F1B03B180B177A126A8B2E739A0A1FAC16 | +-------+-----------+-------------------------------------------+ 7 rows in set (0.00 sec) mysql>
因為我的是,如下
也許大家,這里
解決辦法
+-------+-----------+-------------------------------------------+
| root | localhost | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| root | datatest | |
| root | 127.0.0.1 | |
| | localhost | |
| | datatest | |
| snort | % | *EF3DA5F1B03B180B177A126A8B2E739A0A1FAC16 |
| snort | datatest | *EF3DA5F1B03B180B177A126A8B2E739A0A1FAC16 |
+-------+-----------+-------------------------------------------+
7 rows in set (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON *.* to 'snort'@'localhost' IDENTIFIED BY 'snort' WITH GRANT OPTION; Query OK, 0 rows affected (0.00 sec) mysql> flush privileges; Query OK, 0 rows affected (0.00 sec) mysql> select user,host,password from mysql.user; +-------+-----------+-------------------------------------------+ | user | host | password | +-------+-----------+-------------------------------------------+ | root | localhost | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B | | root | datatest | | | root | 127.0.0.1 | | | | localhost | | | | datatest | | | snort | % | *EF3DA5F1B03B180B177A126A8B2E739A0A1FAC16 | | snort | datatest | *EF3DA5F1B03B180B177A126A8B2E739A0A1FAC16 | | snort | localhost | *EF3DA5F1B03B180B177A126A8B2E739A0A1FAC16 | +-------+-----------+-------------------------------------------+ 8 rows in set (0.00 sec) mysql>
測試下。成功!
MySQL客戶端的展示
推薦大家用:
或者
一個一個打開來看看
數據庫里面存儲的IP都是數字型的。
5.停止IDS
使用腳本停止IDS(因為前面,我扔到了/sbin下了,所以在任何路徑下都可以執行了)
[root@datatest ~]# idsctl stop
手動停止IDS(都可以)
[root@datatest ~]# killall -9 snort barnyard2
6、停止base
因為,我們安裝的時候,把base放在/var/www/html,即apache服務。
[root@datatest ~]# service httpd stop
即可,就是停止了base。
下次用時,開啟再訪問
http://192.168.80.68/base/base_main.php
注意:
這里個非常不好用的規則,事實上,也許是最差的規則,但是它可以很好的檢測Snort是否正常工作,並可以產生告警:
alert ip any any -> any any (msg: "IP Packet detected";)
你可以在你第一次安裝Snort的時候在snort.conf的末尾加上這條規則,這個規則可以使每當捕獲一個IP包都產生告警信息,如果你就這樣離開的話,你的硬盤空間很快就會被填滿。這個規則之所以不可用,是因為它不信任任何信息。難道你用一個永久規則的目的就是為了檢測Snort是否在工作嗎?它應該是用來在你安裝完Snort后做測試,以確定其工作正常,然后就去掉這條規則。
當然,若是真實物理機器搭建的入侵檢測系統環境,一般是不建議頻繁開啟關閉的。這個道理,跟打架玩大數據集群,是一樣的!
OK,就寫這么多吧!歡迎交流。想玩大數據的朋友,請移步,見我下面的博客。
大數據領域兩大最主流集群管理工具Ambari和Cloudera Manger
CentOS6.5下Ambari安裝搭建部署大數據集群(圖文分五大步詳解)(博主強烈推薦)
CentOS6.5下Cloudera安裝搭建部署大數據集群(圖文分五大步詳解)(博主強烈推薦)
關於在真實物理機器上用cloudermanger或ambari搭建大數據集群注意事項總結、經驗和感悟心得(圖文詳解)
Ubuntu14.04下Cloudera安裝搭建部署大數據集群(圖文分五大步詳解)(博主強烈推薦)(在線或離線)
Ubuntu14.04下Ambari安裝搭建部署大數據集群(圖文分五大步詳解)(博主強烈推薦)
參考
http://www.secbox.cn/skill/8796.html (感謝!)
基於CentOS平台的Snort+Barnyard安裝步驟(感謝!)
同時,大家可以關注我的個人博客:
http://www.cnblogs.com/zlslch/ 和 http://www.cnblogs.com/lchzls/ http://www.cnblogs.com/sunnyDream/
詳情請見:http://www.cnblogs.com/zlslch/p/7473861.html
人生苦短,我願分享。本公眾號將秉持活到老學到老學習無休止的交流分享開源精神,匯聚於互聯網和個人學習工作的精華干貨知識,一切來於互聯網,反饋回互聯網。
目前研究領域:大數據、機器學習、深度學習、人工智能、數據挖掘、數據分析。 語言涉及:Java、Scala、Python、Shell、Linux等 。同時還涉及平常所使用的手機、電腦和互聯網上的使用技巧、問題和實用軟件。 只要你一直關注和呆在群里,每天必須有收獲
對應本平台的討論和答疑QQ群:大數據和人工智能躺過的坑(總群)(161156071)
