当前位置: 代码迷 >> 综合 >> IDS入侵检测系统(snort)刚出炉滴
  详细解决方案

IDS入侵检测系统(snort)刚出炉滴

热度:46   发布时间:2023-12-08 21:39:49.0

第一部分 IDS入侵检测系统简单介绍

IDS依照一定的安全策略,通过软件或者硬件,对网络、系统的运行状况进行监控,尽可能发现各种攻击企图、攻击行为和结果,以此保证网络系统资源的机密性、完整性和可靠性。一般来说IDS是作为防火墙的补充,处于防火前之后,可对网络进行实时监测,并记录。

snort作为一个轻量级的入侵监测系统,具有一下几个特点:

(1)占用资源少,对网络性能影响小;

(2)支持系统广泛,可以跨平台使用;

(3)snort有三种主要的模式:信息报嗅探器、信息报记录器和成熟的入侵检测系统

(4)采用误用检测模型,首先建立入侵行为特征库,然后在检测过程中,将收集到的数据包和特征码进行比较,得出是否入侵的结论;

(5)它是用C语言写的开放源代码。

snort的体系结构

(1)数据收集:snort使用libpcap收集数据

(2)数据分析:包含包解码和探测引擎两部分。包解码为探测引擎准备数据,探测引擎按照启动时加载的规则,对每个数据进行分析。

(3)日志记录/告警记录:日志和告警时两个不同的子系统。日志将包解码收集到的信息记录下来,默认情况下,写到/var/log/snort文件夹中,告警日志会记录到/var/log/snort/alert 文件中。

简单的画个原理图,表示数据流向


第二部分  系统搭建

一、搭建LAMP架构

这个比较简单,而且这篇文章内容表较多,所以这里就不做说明了

二、安装snort需要的一些软件

1、libpcap是linux平台下的网络数据包捕获的含书包,大多数网络监控软件都是以它作为基础

在安装libpcap前,还要安装两个软件

[root@localhost soft]# wget ftp://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.bz2

[root@localhost soft]# tar xf bison-2.4.1.tar.bz2

[root@localhost soft]# cd bison-2.4.1
[root@localhost bison-2.4.1]# ./configure && make && make install


[root@localhost soft]# wget http://nchc.dl.sourceforge.net/project/flex/flex/flex-2.5.35/flex-2.5.35.tar.bz2

[root@localhost soft]# tar xf flex-2.5.35.tar.bz2

[root@localhost flex-2.5.35]# ./configure && make && make install


接下来就是安装libpcap了

[root@localhost soft]#  wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz

[root@localhost soft]# tar xf libpcap-1.2.1.tar.gz 
[root@localhost soft]# cd libpcap-1.2.1
[root@localhost libpcap-1.2.1]# ./configure --prefix=/usr/local/libpcap 

[root@localhost libpcap-1.2.1]# make

[root@localhost libpcap-1.2.1]# make install


2、daq,snort编译时会用到该库

[root@localhost soft]# wget http://www.snort.org/dl/snort-current/daq-0.6.2.tar.gz

[root@localhost soft]# tar xf daq-0.6.2.tar.gz 
[root@localhost soft]# cd daq-0.6.2

[root@localhost daq-0.6.2]# ./configure  && make && make install


3、libdnet  通用网络安全开发包

[root@localhost soft]# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz

[root@localhost soft]# tar xf libdnet-1.12.tgz 
[root@localhost soft]# cd libdnet-1.12

[root@localhost libdnet-1.12]# ./configure && make && make install

4、snort的安装

[root@localhost soft]# wget http://www.procyonlabs.com/mirrors/snort/snort-2.9.2.1.tar.gz

[root@localhost soft]# tar xf snort-2.9.2.1.tar.gz 
[root@localhost soft]# cd snort-2.9.2.1

[root@localhost snort-2.9.2.1]# ./configure --with-mysql=/usr/local/mysql --with-libpcap-includes=/usr/local/libpcap/include --with-libpcap-libraries=/usr/local/libpcap/lib

[root@localhost snort-2.9.2.1]# make

[root@localhost snort-2.9.2.1]# make install

三、snort的相关配置

[root@localhost snort-2.9.2.1]# mkdir /etc/snort  ------snort的主配置文件目录
[root@localhost snort-2.9.2.1]# mkdir /var/log/snort  -------------snort的日志文件目录
[root@localhost snort-2.9.2.1]# groupadd snort  ---------创建snort用户组
[root@localhost snort-2.9.2.1]# useradd -g snort -s /sbin/nologin  snort   ------------创建snort用户

[root@localhost soft]# tar xf snortrules-snapshot-2920.tar.gz -C /etc/snort/
[root@localhost soft]# cd /etc/snort/
[root@localhost snort]# ls
etc  preproc_rules  rules  so_rules
[root@localhost snort]# cp etc/* /etc/snort/

[root@localhost snort]# chown snort.snort /var/log/snort----------修改相关目录的属主和属组
[root@localhost snort]# touch /var/log/snort/alert
[root@localhost snort]# chown snort.snort /var/log/snort/alert 
[root@localhost snort]# chmod 600 /var/log/snort/alert ---------------防止其他用户修改

[root@localhost snort]# mkdir /usr/local/lib/snort_dynamicrules
[root@localhost snort]# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.2.0/*.so  /usr/local/lib/snort_dynamicrules/  -------------库文件

[root@localhost RHEL-6-0]# cp x86-64/2.9.2.0/*.so /usr/local/lib/snort_dynamicrules/


[root@localhost snort_dynamicrules]# vi /etc/snort/snort.conf#修改下面这几行

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

output unified2: filename snort.log, limit 128


四、mysql数据库的修改

[root@localhost snort_dynamicrules]# mysql   ------我这里的数据暂时没有密码
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 470
Server version: 5.1.36-debug-log Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database snort;        --------------创建snort数据库

mysql> grant all privileges on snort.* to snort@'localhost' with grant option ; -------------给snort用户授权
Query OK, 0 rows affected (0.12 sec)


mysql> set password for snort@localhost = password('aixocm');  --------这也是一种修改mysql用户密码的方式哦
Query OK, 0 rows affected (0.00 sec)


mysql> exit
Bye
[root@localhost snort_dynamicrules]# cd /soft/snort
snort-2.9.2.1/                   snortrules-snapshot-2920.tar.gz
snort-2.9.2.1.tar.gz             
[root@localhost snort_dynamicrules]# cd /soft/snort-2.9.2.1

[root@localhost snort-2.9.2.1]# cd schemas/
[root@localhost schemas]# ls
create_db2    create_mysql       create_postgresql  Makefile.am
create_mssql  create_oracle.sql  Makefile           Makefile.in
[root@localhost schemas]# mysql < create_mysql snort
[root@localhost schemas]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 472
Server version: 5.1.36-debug-log Source distribution


Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.


Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.


Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| bbs                |
| itop               |
| mysql              |
| snort              |
| test               |
+--------------------+
6 rows in set (0.00 sec)


mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A


Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

五、base和adodb的安装

[root@localhost lib]# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

[root@localhost lib]# tar xf base-1.4.5.tar.gz -C /var/www/-----------/var/www是apache的DocumentRoot

[root@localhost lib]# cd /var/www/
[root@localhost www]# mv base-1.4.5 base

[root@localhost www]# wget http://nchc.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-511-for-php5/adodb511.zip

[root@localhost www]# unzip adodb511.zip

[root@localhost www]# mv adodb5 adodb

[root@localhost www]# chown daemon.daemon /var/www/base -R

六、base的页面安装部分

浏览器访问 http://127.0.0.1/base/setup/index.php


点击Continue


选择简体中文,下面输入adodb的路径/var/www/adodb 然后点击Continue


填入相关的mysql信息,点击continue


设置管理账号密码,点击continue


点击create base AG


可以看到红色部分表示成功,继续下一步点击 Now continue tostep 5...

然后就可以看到我们的base界面了





七、页面配置完成后,还需要安装一下图标的插件,这个时候就要求php必须得支持gd了

如果想让BASE起作用还得需要安装一些插件,必须联网才能安装

[root@localhost www]# pear install image_Canvas-alpha

WARNING: "pear/Image_Color" is deprecated in favor of "pear/Image_Color2"
downloading Image_Canvas-0.3.5.tgz ...
Starting to download Image_Canvas-0.3.5.tgz (54,486 bytes)
.............done: 54,486 bytes
downloading Image_Color-1.0.4.tgz ...
Starting to download Image_Color-1.0.4.tgz (9,501 bytes)
...done: 9,501 bytes
install ok: channel://pear.php.net/Image_Color-1.0.4
install ok: channel://pear.php.net/Image_Canvas-0.3.5


[root@localhost www]# pear install image_Graph-0.8.0

Did not download optional dependencies: pear/Numbers_Words, use --alldeps to download automatically
pear/Image_Graph can optionally use package "pear/Numbers_Words"
downloading Image_Graph-0.8.0.tgz ...
Starting to download Image_Graph-0.8.0.tgz (367,646 bytes)
...........................................................................done: 367,646 bytes
install ok: channel://pear.php.net/Image_Graph-0.8.0


[root@localhost www]# pear install Numbers_Roman
downloading Numbers_Roman-1.0.2.tgz ...
Starting to download Numbers_Roman-1.0.2.tgz (6,210 bytes)
.....done: 6,210 bytes
install ok: channel://pear.php.net/Numbers_Roman-1.0.2

八、测试snort

再次修改snort的配置文件

[root@localhost lib]# vi /etc/snort/snort.conf

将 511 # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
    512 # output database: log, <db_type>, user=<username> password =<password> test dbname=<name> host=<hostname>

这地方一定要注意,如果你跟我使用的是一样的版本,请你务必按照我的格式改,改版本存有bug,每一项后面都要加","而且之间不能有空格!要不然会报

Error: 

Fatal Error, Quitting..

改为

514  output database: alert, mysql, user=snort ,password=123456,dbname=snort, host=localhost    

515  output database: log, mysql, user=snort,password=123456,dbname=snort, host=localhost


将 110 var WHITE_LIST_PATH /etc/snort/rules
    111 var BLACK_LIST_PATH /etc/snort/rules

    488    whitelist $WHITE_LIST_PATH/white_list.rules, \
    489    blacklist $BLACK_LIST_PATH/black_list.rules

这四行注释掉,即在每行前面加#

将下面三行的# 去掉


接下来就是测试snort

[root@localhost snort]# snort -c /etc/snort/snort.conf


如果你可以看到这只小猪,那么就证明你成功了,呵呵

在这一步完成后,snort不会自己退出,需要使用ctrl+c自己终止退出。

再次打开浏览器http://127.0.0.1/base/base_main.php


我这里已经检测到数据了,但是数据不够,接下来我们需要更多的测试。

九、入侵测试

我推荐使用windows下的一个扫描工具X-way


点击确定

扫描完成后,再次打开页面http://127.0.0.1/base/base_main.php


鼠标点击,我圈中的那个100%查看详细的入侵记录