IDS入侵检测系统(snort)刚刚出炉滴
第一部分 IDS入侵检测系统简单介绍
IDS依照一定的安全策略,通过软件或者硬件,对网络、系统的运行状况进行监控,尽可能发现各种攻击企图、攻击行为和结果,以此保证网络系统资源的机密性、完整性和可靠性。一般来说IDS是作为防火墙的补充,处于防火前之后,可对网络进行实时监测,并记录。
snort作为一个轻量级的入侵监测系统,具有一下几个特点:
(1)占用资源少,对网络性能影响小;
(2)支持系统广泛,可以跨平台使用;
(3)snort有三种主要的模式:信息报嗅探器、信息报记录器和成熟的入侵检测系统
(4)采用误用检测模型,首先建立入侵行为特征库,然后在检测过程中,将收集到的数据包和特征码进行比较,得出是否入侵的结论;
(5)它是用C语言写的开放源代码。
snort的体系结构
(1)数据收集:snort使用libpcap收集数据
(2)数据分析:包含包解码和探测引擎两部分。包解码为探测引擎准备数据,探测引擎按照启动时加载的规则,对每个数据进行分析。
(3)日志记录/告警记录:日志和告警时两个不同的子系统。日志将包解码收集到的信息记录下来,默认情况下,写到/var/log/snort文件夹中,告警日志会记录到/var/log/snort/alert 文件中。
简单的画个原理图,表示数据流向
第二部分 系统搭建
一、搭建LAMP架构
这个比较简单,而且这篇文章内容表较多,所以这里就不做说明了
二、安装snort需要的一些软件
1、libpcap是linux平台下的网络数据包捕获的含书包,大多数网络监控软件都是以它作为基础
在安装libpcap前,还要安装两个软件
[root@localhost soft]# wget ftp://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.bz2
[root@localhost soft]# tar xf bison-2.4.1.tar.bz2
[root@localhost soft]# cd bison-2.4.1
[root@localhost bison-2.4.1]# ./configure && make && make install
[root@localhost soft]# wget http://nchc.dl.sourceforge.net/project/flex/flex/flex-2.5.35/flex-2.5.35.tar.bz2
[root@localhost soft]# tar xf flex-2.5.35.tar.bz2
[root@localhost flex-2.5.35]# ./configure && make && make install
接下来就是安装libpcap了
[root@localhost soft]# wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz
[root@localhost soft]# tar xf libpcap-1.2.1.tar.gz
[root@localhost soft]# cd libpcap-1.2.1
[root@localhost libpcap-1.2.1]# ./configure --prefix=/usr/local/libpcap
[root@localhost libpcap-1.2.1]# make
[root@localhost libpcap-1.2.1]# make install
2、daq,snort编译时会用到该库
[root@localhost soft]# wget http://www.snort.org/dl/snort-current/daq-0.6.2.tar.gz
[root@localhost soft]# tar xf daq-0.6.2.tar.gz
[root@localhost soft]# cd daq-0.6.2
[root@localhost daq-0.6.2]# ./configure && make && make install
3、libdnet 通用网络安全开发包
[root@localhost soft]# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
[root@localhost soft]# tar xf libdnet-1.12.tgz
[root@localhost soft]# cd libdnet-1.12
[root@localhost libdnet-1.12]# ./configure && make && make install
4、snort的安装
[root@localhost soft]# wget http://www.procyonlabs.com/mirrors/snort/snort-2.9.2.1.tar.gz
[root@localhost soft]# tar xf snort-2.9.2.1.tar.gz
[root@localhost soft]# cd snort-2.9.2.1
[root@localhost snort-2.9.2.1]# ./configure --with-mysql=/usr/local/mysql --with-libpcap-includes=/usr/local/libpcap/include --with-libpcap-libraries=/usr/local/libpcap/lib
[root@localhost snort-2.9.2.1]# make
[root@localhost snort-2.9.2.1]# make install
三、snort的相关配置
[root@localhost snort-2.9.2.1]# mkdir /etc/snort ------snort的主配置文件目录
[root@localhost snort-2.9.2.1]# mkdir /var/log/snort -------------snort的日志文件目录
[root@localhost snort-2.9.2.1]# groupadd snort ---------创建snort用户组
[root@localhost snort-2.9.2.1]# useradd -g snort -s /sbin/nologin snort
------------创建snort用户
[root@localhost soft]# tar xf snortrules-snapshot-2920.tar.gz -C /etc/snort/
[root@localhost soft]# cd /etc/snort/
[root@localhost snort]# ls
etc preproc_rules rules so_rules
[root@localhost snort]# cp etc/* /etc/snort/
[root@localhost snort]# chown snort.snort /var/log/snort----------修改相关目录的属主和属组
[root@localhost snort]# touch /var/log/snort/alert
[root@localhost snort]# chown snort.snort /var/log/snort/alert
[root@localhost snort]# chmod 600 /var/log/snort/alert
---------------防止其他用户修改
[root@localhost snort]# mkdir /usr/local/lib/snort_dynamicrules
[root@localhost snort]# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.2.0/*.so /usr/local/lib/snort_dynamicrules/ -------------库文件
[root@localhost RHEL-6-0]# cp x86-64/2.9.2.0/*.so /usr/local/lib/snort_dynamicrules/
[root@localhost snort_dynamicrules]# vi /etc/snort/snort.conf#修改下面这几行
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
output unified2: filename snort.log, limit 128
四、mysql数据库的修改
[root@localhost snort_dynamicrules]# mysql ------我这里的数据暂时没有密码
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 470
Server version: 5.1.36-debug-log Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database snort; --------------创建snort数据库
mysql> grant all privileges on snort.* to snort@'localhost' with grant option ; -------------给snort用户授权
Query OK, 0 rows affected (0.12 sec)
mysql> set password for snort@localhost = password('aixocm'); --------这也是一种修改mysql用户密码的方式哦
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
[root@localhost snort_dynamicrules]# cd /soft/snort
snort-2.9.2.1/ snortrules-snapshot-2920.tar.gz
snort-2.9.2.1.tar.gz
[root@localhost snort_dynamicrules]# cd /soft/snort-2.9.2.1
[root@localhost snort-2.9.2.1]# cd schemas/
[root@localhost schemas]# ls
create_db2 create_mysql create_postgresql Makefile.am
create_mssql create_oracle.sql Makefile Makefile.in
[root@localhost schemas]# mysql < create_mysql snort
[root@localhost schemas]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 472
Server version: 5.1.36-debug-log Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| bbs |
| itop |
| mysql |
| snort |
| test |
+--------------------+
6 rows in set (0.00 sec)
mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
16 rows in set (0.00 sec)
五、base和adodb的安装
[root@localhost lib]# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
[root@localhost lib]# tar xf base-1.4.5.tar.gz -C /var/www/-----------/var/www是apache的DocumentRoot
[root@localhost lib]# cd /var/www/
[root@localhost www]# mv base-1.4.5 base
[root@localhost www]# wget http://nchc.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-511-for-php5/adodb511.zip
[root@localhost www]# unzip adodb511.zip
[root@localhost www]# mv adodb5 adodb
[root@localhost www]# chown daemon.daemon /var/www/base -R
六、base的页面安装部分
浏览器访问 http://127.0.0.1/base/setup/index.php
点击Continue
选择简体中文,下面输入adodb的路径/var/www/adodb 然后点击Continue
填入相关的mysql信息,点击continue
设置管理账号密码,点击continue
点击create base AG
可以看到红色部分表示成功,继续下一步点击 Now continue tostep 5...
然后就可以看到我们的base界面了
七、页面配置完成后,还需要安装一下图标的插件,这个时候就要求php必须得支持gd了
如果想让BASE起作用还得需要安装一些插件,必须联网才能安装
[root@localhost www]# pear install image_Canvas-alpha
WARNING: "pear/Image_Color" is deprecated in favor of "pear/Image_Color2"
downloading Image_Canvas-0.3.5.tgz ...
Starting to download Image_Canvas-0.3.5.tgz (54,486 bytes)
.............done: 54,486 bytes
downloading Image_Color-1.0.4.tgz ...
Starting to download Image_Color-1.0.4.tgz (9,501 bytes)
...done: 9,501 bytes
install ok: channel://pear.php.net/Image_Color-1.0.4
install ok: channel://pear.php.net/Image_Canvas-0.3.5
[root@localhost www]# pear install image_Graph-0.8.0
Did not download optional dependencies: pear/Numbers_Words, use --alldeps to download automatically
pear/Image_Graph can optionally use package "pear/Numbers_Words"
downloading Image_Graph-0.8.0.tgz ...
Starting to download Image_Graph-0.8.0.tgz (367,646 bytes)
...........................................................................done: 367,646 bytes
install ok: channel://pear.php.net/Image_Graph-0.8.0
[root@localhost www]# pear install Numbers_Roman
downloading Numbers_Roman-1.0.2.tgz ...
Starting to download Numbers_Roman-1.0.2.tgz (6,210 bytes)
.....done: 6,210 bytes
install ok: channel://pear.php.net/Numbers_Roman-1.0.2
八、测试snort
再次修改snort的配置文件
[root@localhost lib]# vi /etc/snort/snort.conf
将 511 # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
512 # output database: log, <db_type>, user=<username> password =<password> test dbname=<name> host=<hostname>
这地方一定要注意,如果你跟我使用的是一样的版本,请你务必按照我的格式改,改版本存有bug,每一项后面都要加","而且之间不能有空格!要不然会报
Error:
Fatal Error, Quitting..
改为
514 output database: alert, mysql, user=snort ,password=123456,dbname=snort, host=localhost
515 output database: log, mysql, user=snort,password=123456,dbname=snort, host=localhost
将 110 var WHITE_LIST_PATH /etc/snort/rules
111 var BLACK_LIST_PATH /etc/snort/rules
488 whitelist $WHITE_LIST_PATH/white_list.rules, \
489 blacklist $BLACK_LIST_PATH/black_list.rules
这四行注释掉,即在每行前面加#
将下面三行的# 去掉
接下来就是测试snort
[root@localhost snort]# snort -c /etc/snort/snort.conf
如果你可以看到这只小猪,那么就证明你成功了,呵呵
在这一步完成后,snort不会自己退出,需要使用ctrl+c自己终止退出。
再次打开浏览器http://127.0.0.1/base/base_main.php
我这里已经检测到数据了,但是数据不够,接下来我们需要更多的测试。
九、入侵测试
我推荐使用windows下的一个扫描工具X-way
点击确定
扫描完成后,再次打开页面http://127.0.0.1/base/base_main.php
鼠标点击,我圈中的那个100%查看详细的入侵记录