Requirements:
libpcap >= 1.0.0
gcc gcc-c++ pcre-devel
flex daq libdnet
mysql mysql-server mysql-devel
Interfaces:
WAN interface: IP 192.168.173.105/24, GW 192.168.173.1
LAN interface: IP 192.168.211.1/24, GW 192.168.173.105
1. Install the dependencies
yum install pcre-devel gcc gcc-c++ flex
yum install mysql-devel mysql mysql-server
2. Set up the database administrator account
/etc/init.d/mysqld restart
chkconfig mysqld on
mysqladmin -u root password '<admin-password>'
3. Download and install libdnet
tar -zxvf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make
make install
4. Update libpcap
yum erase libpcap
tar -zxvf libpcap-1.1.1.tar.gz
cd libpcap-1.1.1
./configure
make
make install
5. Download and install DAQ
tar -zxvf daq-0.5.tar.gz
cd daq-0.5
./configure
make
make install
6. Download Snort and the Snort rules
Downloading the Snort rules requires registering as a Snort member.
tar -zxvf snort-2.9.0.5.tar.gz
cd snort-2.9.0.5
./configure --with-mysql --enable-dynamicplugin --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
make
make install
7. Configure Snort
groupadd snort
useradd -g snort snort -s /sbin/nologin
mkdir /etc/snort
cp -r etc/* /etc/snort
mkdir /var/log/snort
vi /etc/snort/snort.conf
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.211.0/24 (defines the network segment being protected)
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !192.168.211.0/24 (defines the network segments being monitored)
8. Configure the Snort rules
tar -zxvf snortrules-snapshot-2904.tar.gz -C /etc/snort/
ln -s /etc/snort/so_rules/precompiled/Centos-5-4/i386/2.9.0.4 /usr/local/lib/snort_dynamicrules
vi /etc/snort/snort.conf
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
9. Test that the configuration is error-free
snort -T -c /etc/snort/snort.conf
10. Store the events detected by Snort in the database
vi /etc/snort/snort.conf
# database
output database: log, mysql, user=snort password=<snort-db-password> dbname=snortdb host=localhost
mysql -u root -p
mysql> create database snortdb;
mysql> use snortdb
mysql> grant all on snortdb.* to snort@localhost identified by '<snort-db-password>';
mysql> flush privileges;
mysql> quit
cd snort-2.9.0.5/schemas
mysql -u root -p snortdb < create_mysql
11. Test that Snort's database output works
snort -T -c /etc/snort/snort.conf
12. Start Snort as a daemon
/usr/local/bin/snort -d -A full -i eth0 -c /etc/snort/snort.conf -l /var/log/snort -D
-d  dump the application-layer data of logged packets
-A  alert mode (full)
-i  interface to listen on
-c  configuration file
-l  log directory
-D  run as a daemon
13. Start at boot
vi /etc/rc.local
snort -d -A full -i eth0 -c /etc/snort/snort.conf -l /var/log/snort -D
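Instead of a bare command in rc.local, the following start/stop wrapper (an added example, not part of the original guide) validates the configuration with `snort -T`, exactly as steps 9 and 11 do, before anything is daemonized, so a broken rule file or unreachable database is reported at boot instead of leaving the interface silently unmonitored. It assumes the paths, interface and snort account from steps 7 and 12; the `-u`/`-g` privilege drop and the `--pid-path` option are this example's additions, not settings the guide uses.

```sh
#!/bin/sh
# Added example: start/stop wrapper for the Snort daemon from step 12.
# Defaults follow the guide; every variable can be overridden from the environment.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOG="${SNORT_LOG:-/var/log/snort}"
SNORT_IFACE="${SNORT_IFACE:-eth0}"

# Pre-flight: same check as steps 9 and 11 (snort -T), plus the two
# filesystem conditions the guide sets up by hand (config present, log dir exists).
# Returns 0 only when Snort itself accepts the configuration.
preflight() {
    [ -r "$SNORT_CONF" ] || { echo "config not readable: $SNORT_CONF" >&2; return 1; }
    [ -d "$SNORT_LOG" ]  || { echo "log directory missing: $SNORT_LOG" >&2; return 1; }
    "$SNORT_BIN" -T -c "$SNORT_CONF" >/dev/null 2>&1 \
        || { echo "snort -T rejected $SNORT_CONF" >&2; return 1; }
}

# Step 12's command line, plus -u/-g so the process drops to the unprivileged
# snort account created in step 7 once the capture socket is open (the guide
# creates that account but runs Snort as root), and --pid-path so the PID
# file location is known to stop_snort (assumed option; not used by the guide).
start_snort() {
    preflight || return 1
    "$SNORT_BIN" -d -A full -i "$SNORT_IFACE" -c "$SNORT_CONF" -l "$SNORT_LOG" \
        -u snort -g snort --pid-path "$SNORT_LOG" -D
}

# Snort names its PID file snort_<interface>.pid inside the --pid-path directory.
stop_snort() {
    pidfile="$SNORT_LOG/snort_${SNORT_IFACE}.pid"
    [ -f "$pidfile" ] || { echo "no pid file at $pidfile" >&2; return 1; }
    kill "$(cat "$pidfile")" && rm -f "$pidfile"
}

case "${1:-}" in
    start) start_snort ;;
    stop)  stop_snort ;;
esac
```

Because the daemon drops to the snort user, the log directory from step 7 must be writable by that account (for example `chown snort:snort /var/log/snort`) or alerts and the PID file cannot be written.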
References:
http://www.snort.org/
http://zh.wikipedia.org/wiki/Snort
https://forums.snort.org/forums/snort-newbies/topics/daq_static-library-not-found
http://forum.icst.org.tw/phpbb/viewtopic.php?f=11&t=19216
Hello, I followed your steps.
At the DAQ step I keep getting "libpcap library version >= 1.0.0 not found",
but libpcap's make install showed no error message.
You need to make sure that
/lib
/lib64 (64-bit only)
/usr/lib
/usr/lib64 (64-bit only)
/usr/local/lib
/usr/local/lib64 (64-bit only)
all contain libpcap.* files; if they all do, it should definitely not fail.
If one does not, use ln to link to the location that has the files.