Installing an IDS (Snort) on Linux

Step 1: install the packages DAQ needs

Snort reads packets through the Data Acquisition library (DAQ); in inline mode DAQ is also what pulls packets out of the firewall's packet queue. DAQ is therefore built first, and it needs flex, bison and the libpcap headers:

sudo apt-get install flex
sudo apt-get install bison
sudo aptitude install libpcap-dev

Step 2: build and install DAQ

Compare the archive against the checksum published on the snort.org downloads page before unpacking it. Both source builds below install under /usr/local by default, so the resulting binary is /usr/local/bin/snort.

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install

Step 3: install the libraries Snort needs

sudo aptitude install libpcre3-dev
sudo aptitude install libdumbnet-dev
sudo aptitude install zlib1g-dev

Step 4: build and install Snort

wget https://www.snort.org/downloads/snort/snort-2.9.12.tar.gz
tar xvfz snort-2.9.12.tar.gz
cd snort-2.9.12
./configure --enable-sourcefire && make && sudo make install

Step 5: running snort prompts you to install the distribution packages; install them

// run snort -V

// the shell suggests installing the packages below

sudo apt-get install snort
sudo apt-get install snort-mysql
sudo apt-get install snort-pgsql

// at this point snort runs and you see the little pig

Read the banner carefully: "Version 2.9.2 ... Build 78" is the Ubuntu snort package, not the 2.9.12 built from source in step 4. After this step there are two snort binaries on the box, the package's /usr/sbin/snort, which also provides the /etc/snort/snort.conf used from step 7 on, and the source build at /usr/local/bin/snort (run it with its full path and -V to compare). Check which one `command -v snort` resolves to, and keep configuring and updating that one; an IDS whose rules are loaded by a different binary than the one you patched is a common source of stale detection.

,,_ -*> Snort! <*-
o" )~ Version 2.9.2 IPv6 GRE (Build 78)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 1.2.3.4



//-----------------

// install some dependencies in preparation for the web front end later

Install Apache

sudo apt-get install apache2

Install MySQL

sudo apt-get install mysql-server

Install PHP

sudo apt-get install php5

Step 6: create a database and a user for snort

$ mysql -u root -p

mysql> CREATE DATABASE snort;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'yourpassword';
mysql> GRANT CREATE, INSERT, SELECT, UPDATE ON snort.* TO 'snort'@'localhost';
mysql> exit

Create the account explicitly, with its password, before granting: MySQL 5.7 and later no longer create accounts implicitly from a GRANT, and SET PASSWORD ... = PASSWORD('...') is gone in 8.0. Grant only to 'snort'@'localhost'. A `GRANT ... TO snort` with no host part means 'snort'@'%', an account that can log in from any host, and nothing here needs that: Snort, barnyard2 and the web front end all connect over the local socket.

Step 7: edit the snort configuration file

The configuration file is /etc/snort/snort.conf.

Open it and change the HOME_NET line to the network(s) this host belongs to, in CIDR notation (several ranges can be listed in square brackets), then set EXTERNAL_NET to everything that is not HOME_NET:

Around line 45:
ipvar HOME_NET any  ->  ipvar HOME_NET 192.168.x.x/yy   (your subnet in CIDR form; several subnets can be listed)
for example: ipvar HOME_NET [192.168.0.0/16,172.16.0.0/16]

ipvar EXTERNAL_NET any  ->  ipvar EXTERNAL_NET !$HOME_NET

Note the space between EXTERNAL_NET and !$HOME_NET. Be aware of the trade-off this setting makes: most of the bundled rules match $EXTERNAL_NET -> $HOME_NET, so once EXTERNAL_NET is the complement of HOME_NET, traffic between two hosts inside HOME_NET never matches those rules. That is the intended noise reduction for a perimeter sensor; if the sensor is meant to see lateral movement inside the LAN, leave EXTERNAL_NET as any.
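The edits of steps 7 and 8 applied by script and then verified, as an added example rather than code from the original post. It works on a constructed stand-in for snort.conf that contains only the lines it touches; it assumes the file has the `ipvar HOME_NET any`, `ipvar EXTERNAL_NET any` and `include database.conf` lines the Ubuntu snort package ships with, and the HOME_NET value is the one used above.

```shell
#!/bin/sh
# Added example, not from the original post: apply the snort.conf edits of
# steps 7 and 8 to a copy of the file and verify them. Assumes the file has
# the 'ipvar HOME_NET any', 'ipvar EXTERNAL_NET any' and
# 'include database.conf' lines of the Ubuntu snort package.

# write_sample_conf FILE: a constructed stand-in for /etc/snort/snort.conf
# holding just the lines this script touches (plus one it must leave alone).
write_sample_conf() {
    cat > "$1" <<'EOF'
# Step #1: Set the network variables.
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
# Step #6: Configure output plugins
output unified2: filename snort.log, limit 128
include database.conf
EOF
}

# patch_conf FILE HOME_NET: set HOME_NET, make EXTERNAL_NET its complement,
# and comment out the include that enables the deprecated database plugin.
# '|' is the sed delimiter so the '/' in CIDR ranges needs no escaping.
patch_conf() {
    conf=$1
    home=$2
    sed -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home|" \
        -e 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !$HOME_NET|' \
        -e 's|^include database\.conf|# include database.conf|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# get_var FILE NAME: print the value of the 'ipvar NAME ...' line.
get_var() {
    sed -n "s/^ipvar $2 //p" "$1"
}

# check_conf FILE: exit 0 when HOME_NET is set to something other than
# 'any', EXTERNAL_NET is !$HOME_NET and the database include is gone.
check_conf() {
    h=$(get_var "$1" HOME_NET)
    [ -n "$h" ] && [ "$h" != "any" ] || return 1
    [ "$(get_var "$1" EXTERNAL_NET)" = '!$HOME_NET' ] || return 1
    if grep -q '^include database\.conf' "$1"; then return 1; fi
    return 0
}

# Usage on a scratch copy. On a real sensor run patch_conf against a backup
# of /etc/snort/snort.conf, then 'snort -T -c /etc/snort/snort.conf'.
scratch=$(mktemp)
write_sample_conf "$scratch"
patch_conf "$scratch" '[192.168.0.0/16,172.16.0.0/16]'
check_conf "$scratch" && echo "snort.conf edits applied" || echo "edits missing"
cat "$scratch"
rm -f "$scratch"
```

Keep check_conf as a pre-flight in whatever deploys the sensor: `snort -T` catches syntax errors, but it will happily accept `ipvar HOME_NET any` with an EXTERNAL_NET of `!$HOME_NET`, which is an empty set and silently disables every rule that uses it.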

Step 8: test run

snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

-T parses the configuration and all included rules and then exits without sniffing. -u and -g make snort drop root to the snort user and group as soon as the interface is open; the distribution package creates that account, while a pure source build needs it created first (a system account with no login shell, via groupadd and useradd).

If you see the following:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! WARNING: The database output plugins are considered deprecated as
!!          of Snort 2.9.2 and will be removed in Snort 2.9.3.
!!          The recommended approach to logging is to use unified2 with
!!          barnyard2 or similar.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
database: must enter database name in configuration file

Fix:
The warning block is only a notice; the fatal line is the last one. The package's snort.conf contains, around line 549,
include database.conf
which enables the deprecated database output plugin without a database name. Comment out that include. As the warning says, the supported way to get alerts into MySQL is to log with unified2 and let barnyard2 write them to the database created in step 6.

Step 9: run snort; it monitors the eth0 interface

Running snort with no arguments does not load /etc/snort/snort.conf (Snort 2 has no default configuration path), so use the command from step 8 without -T. -A console prints alerts to the terminal, which is convenient for a first run; drop it and add -D once you hand logging to barnyard2:

snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf

The output is as follows:

