centos下安装
安装时将apache 和mysql服务安装上
yum -y install mysql-bench mysql-devel php-mysql gcc pcre-devel php-gd gd glib2-devel gcc-c++ libpcap-devel
cd /root
mkdir snort
cd snort
wget http://www.snort.org/downloads/867(snort-2.9.0.5.tar.gz)
wget http://www.snort.org/downloads/860(daq-0.5.tar.gz)
tar -xzvf snort-2.9.0.5.tar.gz
cd snort-2.9.0.5
./configure --with-mysql --enable-dynamicplugin
(if buliding for CentOs64 bit use the following instead ->./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin)
###########################################################################################################################
ERROR! dnet header not found, go get it from http://code.google.com/p/libdnet/ or use the --with-dnet-* options, if you have
it installed in an unusual place
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar -xzvf libdnet-1.12.tgz
cd libdnet-1.12.tgz
./configure
make
make install
ERROR! daq_static library not found, go get it from http://www.snort.org/.
cd /root/snort/
tar -xzvf daq-0.5.tar.gz
cd daq-0.5.tar ./configure
make
make install
如果出现报错ERROR! Libpcap library version >= 1.0.0 not found. Get it from http://www.tcpdump.org
yum erase libpcap-old
###################################################################################################################################
make
make install
groupadd snort
useradd -g snort snort -s /sbin/nologin
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /etc/snort/so_rules
mkdir /var/log/snort
chown snort:snort /var/log/snort
cd etc(make sure you do not cd to /etc)
cp * /etc/snort
tar -xzvf snortrules-snapshot-2902.tar.gz
cd ./rules
cp * /etc/snort/rules
cp ../so_rules/precompiled/Centos-5-4/i386/2.9.0.2/* /etc/snort/so_rules
wget https://www.snort.org/downloads/893
vi /etc/snort/snort.conf
修改如下
RULE_PATH ../rules /etc/snort/rules
SO_RULE_PATH ../so_rules /etc/snort/so_rules
在output部分添加如下
output unified2:filename snort.log,limit 128
配置数据库
echo "set password for [email protected]=password(‘123456‘);"|mysql -uroot -p
echo "create database snort;"|mysql -u root -p
mysql -u root -p -D snort <./schemas/create_mysql
echo "grant create,insert on root.* to [email protected];"|mysql -uroot -p
echo "set password for [email protected]=password(‘123456‘);"| mysql -uroot -p
echo "grant create,insert,select,delete,update on snort.* to [email protected]"|mysql -uroot -p
install and configure base(basic analysis and security engine and adodb)
use the following commmand to install php_pear and some additional supporting files to allow for
graphing within base to function properly:
#yum -y install php-pear_number_roman php-pear_numbers_words php-pear_image_color php-pear_canvas
php-pear_image_graph
wget http://pear.php.net/go-pear.phar
php go-pear.phar
http://pear.php.net/manual/en/installation.php
pear install Numbers_Roman
pear install Numbers_Words
pear install Image_Color
pear install Image_Canvas
pear install Image_Canvas
pear install Image_Graph
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
install adodb
cd /var/www
tar -xzvf adodb511.tgz
mv adodb5 adodb
install and config base
cd /var/www/html/
tar -xzvf base-1.4.5.tar.gz
cd base-1.4.5
cp base_conf.php.dist base_conf.ph
chown pigg.games base_conf.php
edit "base_config.php" and insert the following parameters
$BASE_urlpath=‘/base‘;
$DBlib_path=‘/var/www/adodb‘;
$DBtype=‘mysql‘;
$alert_dbname=‘snort‘;
$alert_host=‘localhost‘;
$alert_port=‘‘;
$alert_user=‘snort‘;
$alert_password=‘password created in mysql section above for snort user‘;
/*archive db connnection parameters */
$archive_exists=0;#set this to 1 if you have an archive db
/* access your sensor at the following address: */
https://<ip address of sensor>/base
click on "setup page" then click on "create base ag".
securing the base directory:
mkdir /var/www/passwords
htpasswd -c /var/www/passwords/passwords base
password:123456
edit the httpd.conf
<Directory "/var/www/html/base">
AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/www/passwords/passwords
Require user base
</Directory>
Installing Barnyard2
barnyard2 improves the efficicency of snort by reducing the load on the main detection engine by allowing
barnyard2 to handle the inserting of events into the mysql database.
wget https://download.github.com/firnsy-barnyard2-v2-1.9-12-g01f5581.tar.gz
tar -xzvf firnsy-barnyard2-v2-1.9-12-g01f5581.tar.gz
cd firnsy-barnyard2-01f5581
./configure --with-mysql
(if building for centos 64 bit use the following instead -> ./configure --with-mysql-libraries=/usr/lib64/mysql/)
make
make install
cp etc/barnyard2.conf /etc/snort/
mkdir /var/log/barnyard2
chmod 666 /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort:snort /var/log/snort/barnyard2.waldo
Edit /etc/snort/barnyard2.conf and modify the following lines.
#config hostname:thor
#config interface:eth0
#output database:log,mysql,user=root password=test dbname=db host=localhost
Remove the#sign from the lines above and change to the below:
config hostname:localhost
config interface:eth0(if using multiple interfaces this should be eth1)
output database:log,mysql,user=snort password=‘password created in mysql section above for snort user‘ dbname=snort host=localhost
testing snort:
you can lauch snort from the commmand line to make sure that it loads properly. Enter the following command:
/usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
(如果出现报错:/usr/local/bin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
ln -s /usr/local/lib/libdnet.1 /usr/lib/libdnet.1
ln -s /usr/local/lib64/libdnet.1 /usr/lib/libdnet.1)
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
setting up snort $barnyard2 to start automatically:
ERROR: parser.c(5161) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
Quick solution :
mkdir /usr/local/lib/snort_dynamicrules
cd /usr/local/lib/snort_dynamicrules
copy all .so of rules or the ones that snort wants (depends on your configuration)
ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: No such file or directory
Quick solution:
mkdir /var/log/snort
vim /var/log/snort/alert
OK
edit /etc/rc.loacl
#ifconfig eth0 up
/usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
/etc/rc.local start