Why write this post?
Because right now I am a third-year master's student working in network security, big data, machine learning, artificial intelligence and blockchain.
My thesis direction calls for it, and I do not want to be limited to a physical lab's attack-and-defence environment or to a physical lab's big-data cluster. So, for fellow bloggers who need it, here is how to build and deploy a snort + barnyard2 + base intrusion detection system inside your own virtual machine (mine runs CentOS 6.5). Sharing and exchange are the ladder of progress!
I have also tried building this IDS environment on Ubuntu 14.04, and on Windows 7 / Windows 10.
Fellow graduate students working on alert data are welcome to leave a comment and add me as a friend. Corrections are welcome! Thank you.
Building a snort + barnyard2 + base intrusion detection system on CentOS 6.5 (illustrated walkthrough) (recommended)
My system setup is:


The relationship between base and acid

On Ubuntu and CentOS, base is used more often.
On Windows, acid is used more often. This post, however, demonstrates both acid and base (I actually prefer base).
Installing Apache
Installing and configuring Apache on Windows 7 (illustrated walkthrough)
Installing MySQL
MySQL Server types: downloading, installing and using the MySQL client tools (recommended)
Installing WinPcap


Not much to say here; it is very simple.

Installing PHP
Installing and configuring PHP 7 on Windows 7 (illustrated walkthrough)

Installing Snort

Download it and put it anywhere for now, because by default we end up installing it to C:\Snort.
Snort is really just a command-line program, so there is no need to be intimidated by it.
c:\Snort\bin>snort -?

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21
           Using ZLIB version: 1.2.3

USAGE: snort [-options] <filter options>
       snort /SERVICE /INSTALL [-options] <filter options>
       snort /SERVICE /UNINSTALL
       snort /SERVICE /SHOW
Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
        -b         Log packets in tcpdump format (much faster!)
        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -e         Display the second layer header info
        -E         Log alert messages to NT Eventlog. (Win32 only)
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
        -h <hn>    Home network = <hn>
        -H         Make hash tables deterministic.
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -K <mode>  Logging mode (pcap[default],ascii,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -T         Test and report on the current Snort configuration
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -W         Lists available interfaces. (Win32 only)
        -X         Dump the raw packet data starting at the link layer
        -x         Exit if Snort configuration problems occur
        -y         Include year in timestamp in the alert and log files
        -Z <file>  Set the performonitor preprocessor file path and name
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump

Longname options and their corresponding single char version
   --logid <0xid>                        Same as -G (i.e. snort -G)
   --perfmon-file <file>                 Same as -Z (i.e. snort -Z)
   --pid-path <dir>                      Specify the directory for the Snort PID file
   --snaplen <snap>                      Same as -P (i.e. snort -P)
   --help                                Same as -? (i.e. snort -?)
   --version                             Same as -V (i.e. snort -V)
   --alert-before-pass                   Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
   --treat-drop-as-alert                 Converts drop, sdrop, and reject rules into alert rules during startup
   --process-all-events                  Process all queued events (drop, alert,...), default stops after 1st action group
   --dynamic-engine-lib <file>           Load a dynamic detection engine
   --dynamic-engine-lib-dir <path>       Load all dynamic engines from directory
   --dynamic-detection-lib <file>        Load a dynamic rules library
   --dynamic-detection-lib-dir <path>    Load all dynamic rules libraries from directory
   --dump-dynamic-rules <path>           Creates stub rule files of all loaded rules libraries
   --dynamic-preprocessor-lib <file>     Load a dynamic preprocessor library
   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
   --pcap-single <tf>                    Same as -r. (i.e. snort -r)
   --pcap-file <file>                    file that contains a list of pcaps to read - read mode is implied.
   --pcap-list "<list>"                  a space separated list of pcaps to read - read mode is implied.
   --pcap-loop <count>                   this option will read the pcaps specified on command line continuously.
                                         for <count> times.  A value of 0 will read until Snort is terminated.
   --pcap-reset                          if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
   --pcap-show                           print a line saying what pcap is currently being read.
   --exit-check <count>                  Signal termination after <count> callbacks from pcap_dispatch(), showing the time it
                                         takes from signaling until pcap_close() is called.
   --conf-error-out                      Same as -x (i.e. snort -x)
   --enable-mpls-multicast               Allow multicast MPLS
   --enable-mpls-overlapping-ip          Handle overlapping IPs within MPLS clouds
   --max-mpls-labelchain-len             Specify the max MPLS label chain
   --mpls-payload-type                   Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
   --require-rule-sid                    Require that all snort rules have SID specified.

c:\Snort\bin>
Configuring the MySQL databases Snort needs
C:\Users\Administrator>mysql -uroot -p
Enter password: ****
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 28 to server version: 5.0.22-community-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database snort;
Query OK, 1 row affected (0.00 sec)

mysql> create database snort_archive;
Query OK, 1 row affected (0.04 sec)

mysql>
CREATE TABLE signature (
  sig_id        INT UNSIGNED NOT NULL AUTO_INCREMENT,
  sig_name      VARCHAR(255) NOT NULL,
  sig_class_id  INT UNSIGNED NOT NULL,
  sig_priority  INT UNSIGNED,
  sig_rev       INT UNSIGNED,
  sig_sid       INT UNSIGNED,
  sig_gid       INT UNSIGNED,
  PRIMARY KEY (sig_id),
  INDEX sign_idx (sig_name(20)),
  INDEX sig_class_id_idx (sig_class_id)
);
C:\Users\Administrator>cd /d D:\

D:\>cd D:\SoftWare\MySQL Server\MySQL Server 5.0\bin

D:\SoftWare\MySQL Server\MySQL Server 5.0\bin>mysql -D snort -u root -p < c:\Snort\schemas\create_mysql
Enter password: ****

D:\SoftWare\MySQL Server\MySQL Server 5.0\bin>mysql -D snort_archive -u root -p < c:\Snort\schemas\create_mysql
Enter password: ****

D:\SoftWare\MySQL Server\MySQL Server 5.0\bin>
D:\SoftWare\MySQL Server\MySQL Server 5.0\bin>mysql -u root -p
Enter password: ****
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 31 to server version: 5.0.22-community-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+-----------------------+
| Database              |
+-----------------------+
| information_schema    |
| elsa_web              |
| mysql                 |
| securityonion_db      |
| snort                 |
| snort_archive         |
| syslog                |
| test                  |
| weka                  |
| wholedatabasesanddata |
+-----------------------+
11 rows in set (0.00 sec)

mysql> use snort;
Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

mysql> use snort_archive;
Database changed
mysql> show tables;
+-------------------------+
| Tables_in_snort_archive |
+-------------------------+
| data                    |
| detail                  |
| encoding                |
| event                   |
| icmphdr                 |
| iphdr                   |
| opt                     |
| reference               |
| reference_system        |
| schema                  |
| sensor                  |
| sig_class               |
| sig_reference           |
| signature               |
| tcphdr                  |
| udphdr                  |
+-------------------------+
16 rows in set (0.00 sec)

mysql>
mysql> grant usage on *.* to "acid"@"localhost" identified by "acid";
Query OK, 0 rows affected (0.01 sec)

mysql> grant usage on *.* to "snort"@"localhost" identified by "snort";
Query OK, 0 rows affected (0.00 sec)

mysql> grant select,insert,update,delete,create,alter on snort .* to "snort"@"localhost";
Query OK, 0 rows affected (0.00 sec)

mysql> grant select,insert,update,delete,create,alter on snort .* to "acid"@"localhost";
Query OK, 0 rows affected (0.00 sec)

mysql> grant select,insert,update,delete,create,alter on snort_archive .* to "acid"@"localhost";
Query OK, 0 rows affected (0.00 sec)

mysql> grant select,insert,update,delete,create,alter on snort_archive .* to "snort"@"localhost";
Query OK, 0 rows affected (0.00 sec)

mysql> set password for "snort"@"localhost"=password('snort');
Query OK, 0 rows affected (0.00 sec)

mysql> set password for "acid"@"localhost"=password('acid');
Query OK, 0 rows affected (0.00 sec)

mysql>
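To make the tables listed above less abstract, here is an added example (my own, not code from the post or from the Snort project) that rebuilds a reduced copy of the sensor, signature and event tables from c:\Snort\schemas\create_mysql in an in-memory SQLite database, fills it with a few constructed alerts, and runs the kind of join BASE performs for its "most frequent alerts" view. The column names follow the real schema; the column types, the sample signatures and the nine sample events are assumptions of this example.

```python
import sqlite3
from datetime import datetime, timedelta

# Reduced copy of three tables from c:\Snort\schemas\create_mysql (sensor,
# signature, event), kept to the columns a per-signature summary needs.
# Assumption: column names match the real schema; the types are SQLite's.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT,
    interface TEXT,
    last_cid  INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER NOT NULL,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

def open_sample_db():
    """In-memory database holding one sensor, three constructed signatures
    and nine constructed events, one minute apart from 2017-09-01 10:01."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor (sid, hostname, interface) VALUES (1, 'win7-ids', 'eth0')")
    # constructed signatures: (sig_id, sig_name, class, priority, rev, sid, gid)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?,?)", [
        (1, "ICMP PING", 3, 3, 1, 384, 1),
        (2, "SCAN nmap XMAS", 2, 2, 4, 1228, 1),
        (3, "WEB-MISC /etc/passwd", 1, 2, 12, 1122, 1),
    ])
    base = datetime(2017, 9, 1, 10, 0, 0)
    order = [1, 1, 2, 1, 3, 2, 1, 2, 1]          # signature of each event, by cid
    events = [(1, cid, sig, (base + timedelta(minutes=cid)).strftime("%Y-%m-%d %H:%M:%S"))
              for cid, sig in enumerate(order, start=1)]
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", events)
    conn.execute("UPDATE sensor SET last_cid = ? WHERE sid = 1", (len(events),))
    conn.commit()
    return conn

def alerts_by_signature(conn, since=None):
    """[(sig_name, sig_priority, count)] sorted by count, the join behind
    BASE's 'most frequent alerts' view; since (same text format as
    event.timestamp) restricts the window."""
    sql = """
        SELECT s.sig_name, s.sig_priority, COUNT(*) AS n
        FROM event e JOIN signature s ON e.signature = s.sig_id
        WHERE ? IS NULL OR e.timestamp >= ?
        GROUP BY s.sig_id
        ORDER BY n DESC, s.sig_name
    """
    return conn.execute(sql, (since, since)).fetchall()

def unaccounted_events(conn, sid=1):
    """sensor.last_cid is the highest event number handed out for this
    sensor; if it exceeds the rows in event, events were archived or
    deleted (for example through BASE) or were never written."""
    (last_cid,) = conn.execute("SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()
    (stored,) = conn.execute("SELECT COUNT(*) FROM event WHERE sid = ?", (sid,)).fetchone()
    return last_cid - stored

if __name__ == "__main__":
    db = open_sample_db()
    for name, prio, n in alerts_by_signature(db):
        print(f"{n:4d}  prio {prio}  {name}")
    print("unaccounted events:", unaccounted_events(db))
```

The same query runs unchanged against the real snort database once Snort (or barnyard2) has written events into it; only the connection line changes.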
Configuring the Snort configuration file snort.conf

Change it to

Then leave this one at its default.

Then change

to

preprocessor http_inspect: global iis_unicode_map C:\Snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535

because on Windows the unicode.map file lives in the etc folder.
Once configured, save the file.
Installing and configuring the snort2860 rules package for Snort
Don't ask how to get past the network block; sort that out yourselves, it isn't hard.
http://val.bmstu.ru/unix/snort/
This is needed because after installing Snort on Windows there is no rules set by default; you have to download one yourself.
Copy the doc, rules and so_rules directories inside it to c:\Snort.
Some sources, such as http://www.cnblogs.com/kathmi/archive/2010/08/09/1795405.html, say:
- snortrules-snapshot-2860.tar.gz (the rules set; extract it into Snort's install directory, and if prompted about duplicate files you can choose not to overwrite)
Actually, I think it is enough to copy just the doc, rules and so_rules from snortrules-snapshot-2860.tar.gz to c:\Snort.
Why? Because rules is empty to begin with, so_rules does not exist at all, and doc, needless to say, is missing too.
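Both of the previous two sections come down to one thing: the paths snort.conf refers to (the iis_unicode_map file and every included rules file) must actually exist where the config says they are. As an added example (my own, not code from the post or from the Snort project), here is a small Python script that reads a snort.conf, expands its `var` definitions, resolves each `include` and the `iis_unicode_map` path, and lists the ones that are missing. It builds a constructed stand-in for c:\Snort in a temporary directory in which so_rules was never copied in, so the missing-file case is exercised. The directive subset it understands, and the rule that relative paths resolve against the directory containing snort.conf, are assumptions of this example.

```python
import os
import re
import tempfile

# Directives handled here (assumption: enough for the edits on this page;
# Snort has more path-taking options).
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
UNICODE_MAP_RE = re.compile(r"iis_unicode_map\s+(\S+)\s+(\d+)")

def expand_vars(value, variables):
    """Replace $NAME tokens with values from earlier 'var' lines."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)

def resolve(path, conf_dir):
    """Absolute paths (including C:\\... forms) are kept; relative ones are
    taken relative to the conf file's directory (assumption of this example)."""
    path = path.replace("\\", os.sep)
    if os.path.isabs(path) or re.match(r"^[A-Za-z]:", path):
        return path
    return os.path.normpath(os.path.join(conf_dir, path))

def check_snort_conf(conf_path):
    """Return [(directive, resolved_path, exists)] for every file that
    snort.conf references through include or iis_unicode_map."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables = {}
    results = []
    with open(conf_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.split("#", 1)[0].rstrip()     # drop comments
            if not line:
                continue
            m = VAR_RE.match(line)
            if m:
                variables[m.group(1)] = expand_vars(m.group(2), variables)
                continue
            m = INCLUDE_RE.match(line)
            if m:
                p = resolve(expand_vars(m.group(1), variables), conf_dir)
                results.append(("include", p, os.path.isfile(p)))
                continue
            m = UNICODE_MAP_RE.search(line)
            if m:
                p = resolve(expand_vars(m.group(1), variables), conf_dir)
                results.append(("iis_unicode_map", p, os.path.isfile(p)))
    return results

def missing_files(conf_path):
    """Just the referenced paths that do not exist."""
    return [p for _, p, ok in check_snort_conf(conf_path) if not ok]

def build_sample_tree():
    """Constructed stand-in for c:\\Snort: etc/ holds snort.conf and
    unicode.map, rules/ holds only local.rules, so_rules/ was never copied."""
    root = tempfile.mkdtemp(prefix="snort-demo-")
    for d in ("etc", "rules"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "etc", "unicode.map"), "w").close()
    open(os.path.join(root, "rules", "local.rules"), "w").close()
    conf = os.path.join(root, "etc", "snort.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("var RULE_PATH ../rules\n")
        fh.write("var SO_RULE_PATH ../so_rules\n")
        fh.write("preprocessor http_inspect: global iis_unicode_map "
                 + os.path.join(root, "etc", "unicode.map")
                 + " 1252 compress_depth 65535 decompress_depth 65535\n")
        fh.write("include $RULE_PATH/local.rules\n")
        fh.write("include $SO_RULE_PATH/bad-traffic.rules  # never copied in\n")
    return root, conf

if __name__ == "__main__":
    root, conf = build_sample_tree()
    for directive, path, ok in check_snort_conf(conf):
        print(("ok     " if ok else "MISSING"), directive, path)
```

This is only a pre-flight check; the authoritative test is Snort's own `-T` option from the help output above (`snort -T -c c:\Snort\etc\snort.conf`), which parses the full configuration and reports every unresolved include.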

The final directory structure is:

Configuring dynamic rules
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "3306";
$alert_user = "snort";
$alert_password = "snort";
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "3306";
$archive_user = "acid";
$archive_password = "acid";
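The ten settings above are what BASE needs to reach the alert database and the archive database. As an added example (my own, not part of the post or of BASE), here is a Python script that parses those `$name = "value";` lines and audits them before the web setup is run: every key present, a numeric port, a non-empty password that differs from the user name, and a local database host. The sample text is constructed from exactly the values used in this walkthrough, so the audit flags both passwords; the checks themselves and the placeholder replacement passwords are this example's own choices, not BASE's.

```python
import re

# Matches the simple  $name = "value";  assignments in base_conf.php.
ASSIGN_RE = re.compile(r"""^\s*\$(\w+)\s*=\s*["']([^"']*)["']\s*;""", re.M)
REQUIRED = ("dbname", "host", "port", "user", "password")
LOCAL_HOSTS = ("localhost", "127.0.0.1")

def parse_base_conf(text):
    """Return {name: value} for every scalar assignment found."""
    return {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(text)}

def audit_base_conf(text):
    """Findings for the $alert_* and $archive_* database settings. The checks
    are this example's own, not BASE's: every key present, numeric port,
    a non-empty password that differs from the user name, and a local host."""
    cfg = parse_base_conf(text)
    findings = []
    for prefix in ("alert", "archive"):
        vals = {k: cfg.get(f"{prefix}_{k}") for k in REQUIRED}
        missing = [k for k, v in vals.items() if v is None]
        if missing:
            findings.append(f"{prefix}: missing {', '.join(missing)}")
            continue
        if not vals["port"].isdigit():
            findings.append(f"{prefix}: port '{vals['port']}' is not numeric")
        if vals["password"] == "":
            findings.append(f"{prefix}: empty password for user '{vals['user']}'")
        elif vals["password"].lower() == vals["user"].lower():
            findings.append(f"{prefix}: password equals user name '{vals['user']}'")
        if vals["host"] not in LOCAL_HOSTS:
            findings.append(f"{prefix}: database host '{vals['host']}' is not local; "
                            "make sure that connection is encrypted")
    return findings

# Constructed sample using exactly the values from this walkthrough.
SAMPLE_BASE_CONF = """
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "3306";
$alert_user = "snort";
$alert_password = "snort";
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "3306";
$archive_user = "acid";
$archive_password = "acid";
"""

# Same file with the two passwords swapped for placeholders (constructed).
HARDENED_BASE_CONF = (SAMPLE_BASE_CONF
    .replace('$alert_password = "snort";', '$alert_password = "REPLACE-WITH-LONG-RANDOM-1";')
    .replace('$archive_password = "acid";', '$archive_password = "REPLACE-WITH-LONG-RANDOM-2";'))

if __name__ == "__main__":
    for label, text in (("as configured", SAMPLE_BASE_CONF), ("hardened", HARDENED_BASE_CONF)):
        print(label + ":", audit_base_conf(text) or ["no findings"])
```

If you change the passwords in base_conf.php, remember that the matching `set password for ...` statements in the MySQL section above must change too, otherwise BASE will simply fail to connect.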

Rename it: base-1.4.5 becomes base.

You can also edit the configuration file by hand here, just as with acid. (But I will configure it through the web interface, which is more visual.)

1. Use Chrome, Firefox or IE on Windows, whichever you like, and open http://localhost/base/setup/index.php

2. Choose the display language and set the adodb path
3. Configure the database

4. Set the admin user and password (this sets the admin user name and password; I use admin)

5. Click "Create BASE AG"
http://adodb.org/dokuwiki/doku.php?id=v5:php7_status



For convenience I rename adodb5 to adodb.

This shows that it can be read.

For convenience I rename jpgraph-2.1.4 to

This shows that it can be read.

You can also read some good-quality papers on this topic, for example:
Research and Implementation of a Hybrid Intrusion Detection System Based on Snort, Li Wenlong (2011)

You are also welcome to follow my personal blogs:
http://www.cnblogs.com/zlslch/ and http://www.cnblogs.com/lchzls/ http://www.cnblogs.com/sunnyDream/
Details: http://www.cnblogs.com/zlslch/p/7473861.html
Life is short, and I am glad to share. This public account will keep to the open-source spirit of lifelong learning and endless exchange, gathering the essence of knowledge from the internet and from personal study and work; everything comes from the internet and is given back to the internet.
Current research areas: big data, machine learning, deep learning, artificial intelligence, data mining, data analysis. Languages: Java, Scala, Python, Shell, Linux, etc. It also covers everyday tips, problems and useful software for phones, computers and the internet. As long as you keep following and stay in the group, you will gain something every day.
QQ group for discussion and Q&A on this platform: Big Data and AI Pitfalls (main group) (161156071)