- Operating system: Windows 7 (Service Pack 1)
- Required software:
  - Virtual machine: VirtualBox
  - Packet capture driver: WinPcap 4.1.3 (WinPcap_4_1_3.exe)
  - Windows build of Snort: Snort 2.8.6 for Win32 (Snort_2_8_6_Installer.exe)
  - Official Snort rule snapshot for this release: snortrules-snapshot-2860.tar.gz
  - Database and analysis platform: AppServ 8.6.0 (appserv-win32-8.6.0.exe)
  - Web front end: Basic Analysis and Security Engine 1.4.5 (base-1.4.5.tar.gz)

Since this is a test environment, every component is installed on the same machine.
Preparation before installing
- Install VirtualBox. The process is straightforward and is not covered here.
- Import the virtual machine:
  Open VirtualBox, click File in the top-left corner, then choose Import Appliance.
  Select the virtual machine file you want to import.
  It is best to reinitialize the MAC address of the network adapter during the import.
Deployment
Installing WinPcap is very simple and is not covered here.
Installing and configuring Snort
The Snort installer package
Click I Agree to continue
Leave the defaults and click Next
Click Next
It installs to the C: drive by default; we do not need to change this, click Next
Installation complete, click Close
Prompt confirming Snort was installed successfully
Installing the rule set
Before the rule set is installed, the rules directory is empty. Extract snortrules-snapshot-2860.tar.gz over the Snort install directory (c:\snort) so that its rules, so_rules and preproc_rules directories land next to the installer's own.
If you are asked whether to merge folders, always choose Yes
Choose Yes
The Snort root directory structure after the rule set has been installed
Open the configuration file c:\snort\etc\snort.conf in a text editor.
Edit it as shown in the screenshot, or copy the lines below over the corresponding lines:
```
var RULE_PATH c:\snort\rules
var SO_RULE_PATH c:\snort\so_rules
var PREPROC_RULE_PATH c:\snort\preproc_rules
```
Edit as shown in the screenshot, or copy the lines below over the corresponding lines (the Windows build loads its preprocessors and detection engine as DLLs from c:\snort\lib):
```
# path to dynamic preprocessor libraries
dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor

# path to base preprocessor engine
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
```
Edit as shown in the screenshot, or copy the line below over the corresponding line (the stock snort.conf refers to unicode.map by a relative path, which does not resolve on Windows):
```
preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252
```
Edit as shown in the screenshot, or copy the line below over the corresponding line. This sends alerts to the MySQL database that BASE reads; the user, password and database name must match what is created in MySQL later:
```
output database: alert, mysql, user=snort password=snort dbname=snortdb host=localhost
```
The snort/snort credentials are a lab setting. The password is stored in plaintext in snort.conf, so outside a throwaway VM use a distinct, strong password here and in the MySQL grants.
Edit as shown in the screenshot, or copy the lines below over the corresponding lines. Only rule files that actually exist under the three rule directories may be included; an include of a missing file aborts Snort at startup:
```
include $RULE_PATH/snmp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/voip.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/bad-traffic.rules

# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/sql.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-misc.rules
```
Installing and configuring AppServ
The AppServ installer package
Click Next
Click I Agree
It installs to the C: drive by default; no change is needed, click Next
Select all components and click Next
Click OK
Tick I agree..., then click Install
Installation succeeded, click Close
Leave the defaults unchanged and click Next
Set an eight-character MySQL root password; leave the character set at its default and click Install
Click Finish
If a security alert pops up, click Allow access
Now open Firefox and enter localhost in the address bar. You should see the page shown in the screenshot; if it does not appear, the AppServ installation has a problem or the Apache service is not running.
Creating the snortdb and snortarc databases and their tables in MySQL
Open cmd and, as shown in the screenshot, connect to MySQL as root. All of the commands below are typed at the mysql prompt. Note that the two source commands take no trailing semicolon. snortdb receives live alerts from Snort; snortarc is the archive database BASE can move alerts into, so it gets the same schema:
```
mysql> create database snortdb;
mysql> create database snortarc;
mysql> use snortdb;
mysql> source c:\snort\schemas\create_mysql
mysql> use snortarc;
mysql> source c:\snort\schemas\create_mysql
mysql> grant usage on *.* to "snort"@"localhost" identified by "snort";
mysql> grant select,insert,update,delete,create,alter on snortdb.* to "snort"@"localhost";
mysql> grant select,insert,update,delete,create,alter on snortarc.* to "snort"@"localhost";
mysql> set password for "snort"@"localhost"=password('snort');
```
The grant is restricted to the two Snort databases and to connections from localhost, which is all the sensor and BASE need on a single-machine setup.
Configuring BASE
Follow the screenshots step by step.
Enter the following command at the command line to run Snort in network intrusion detection mode. Then scan this host with nmap from another host on the same subnet, and the statistics appear in the BASE interface as shown below.
```
c:\snort\bin\snort -i1 -dev -c c:\snort\etc\snort.conf -l c:\snort\log
```
The number after -i is the interface index reported by `snort -W`; if the VM's adapter is not index 1, adjust it. -d and -e add payload and link-layer bytes to the console output and -v prints every packet, which is useful for checking that capture works but is slow enough to drop packets under real load, so leave -v out once the setup is confirmed.
Scanning this host with nmap from another host on the same subnet
Snort statistics displayed in BASE
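The sequence above (check the interface, start Snort, scan, look at BASE) can also be verified from the command line without the web front end. The PowerShell script below is an added example and is not part of the original tutorial: it lists the capture interfaces, validates snort.conf before any packets are captured, starts Snort with the same command as above, and then queries the snortdb tables directly to confirm that the nmap scan produced alerts. The c:\snort paths and the snort/snort credentials are taken from the tutorial; the location of mysql.exe under C:\AppServ\MySQL\bin is an assumption about AppServ's default layout, and the event, signature and iphdr tables are those created by c:\snort\schemas\create_mysql.

```powershell
# Added example, not from the original tutorial: sanity-check the Snort
# install, run it on the live adapter, then confirm alerts reached MySQL.
$snort  = 'c:\snort\bin\snort.exe'
$conf   = 'c:\snort\etc\snort.conf'
$logDir = 'c:\snort\log'
$mysql  = 'C:\AppServ\MySQL\bin\mysql.exe'   # assumed AppServ default path

# 1. List capture interfaces. The number in the first column is what -i takes;
#    the tutorial's -i1 is only correct if the VM adapter is index 1.
& $snort -W

# 2. Parse the configuration without sniffing (-T). A wrong rule path, a bad
#    dynamicengine path or an include of a missing rule file fails here,
#    before you start capturing, and Snort exits non-zero.
& $snort -T -c $conf
if ($LASTEXITCODE -ne 0) { throw "snort.conf failed validation" }

# 3. Start Snort in NIDS mode in its own window, same command as the tutorial.
#    -d/-e add payload and link-layer bytes to the console, -v prints every
#    packet: fine for a lab, slow enough to drop packets under load.
Start-Process -FilePath $snort -ArgumentList "-i1 -dev -c $conf -l $logDir"

# 4. After running the nmap scan from the second host, ask the database what
#    Snort recorded: top signatures with their source addresses.
$query = @"
SELECT s.sig_name, INET_NTOA(i.ip_src) AS src, COUNT(*) AS hits
FROM event e
JOIN signature s ON e.signature = s.sig_id
JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid
GROUP BY s.sig_name, i.ip_src
ORDER BY hits DESC
LIMIT 10;
"@
& $mysql -u snort -psnort snortdb -e $query
```

If step 4 returns no rows while BASE shows nothing either, the problem is on the Snort side (wrong interface, or the `output database` line does not match the MySQL user and database); if the rows are there but BASE is empty, the fault is in the BASE database settings.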
If running Snort produces the following error, follow the steps shown in the screenshot:
If running Snort produces the error shown in the screenshot, proceed as shown in the screenshot
That completes the Snort + BASE intrusion detection system on Windows!
Author: afternone
Link: https://www.jianshu.com/p/d8ca2e8c0858
Source: Jianshu (簡書)
Copyright belongs to the author. For any form of reposting, please contact the author for permission and credit the source.
