Building a small intrusion detection system (RedHat 9)
Posted by: imac Date: March 29, 2008 02:44AM

CopyRight owned by the original author.--(www.MegaEntry.com)

I. System platform

Red Hat 9.0. Install gcc and the related libraries. Do not install the distribution's Apache, PHP and MySQL packages; we will build them from source. For security, configure iptables so that only SSH and WWW are reachable from the network.

II. Software

MySQL 4.0.12     http://mysql.secsup.org
Snort 2.0.0      http://www.snort.org
Apache 2.0.45    http://www.apache.org
PHP 4.3.1        http://www.php.net
ADODB v3.30      http://phplens.com
ACID 0.9.6b23    http://acidlab.sourceforge.net
Zlib 1.1.4       http://flow.dl.sourceforge.net
JPGraph 1.11     http://jpgraph.techuk.com
LibPcap 0.7.2    http://www.tcpdump.org

A convenient place to download them is http://ftp.cdut.edu.cn/pub/linux/NEW/; http://www.rpmfind.com also carries the relevant packages. If RPM versions of any of them are already installed, remove them first, forcing the removal if something depends on them:

rpm -e --nodeps xx.xx
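As an added example, not part of the original post, here is the "only SSH and WWW" iptables policy the text recommends, written as a small shell script that prints the rule set first so it can be reviewed before it is applied. The function names, the choice to accept SSH and HTTP only from a management network, and the network 192.168.0.0/24 (the author's LAN from step 5.3) are assumptions of this example. One point worth knowing: iptables only filters what the host's own IP stack accepts; Snort captures through libpcap below that layer, so a DROP policy on INPUT does not hide any traffic from the sensor.

```shell
#!/bin/sh
# Added example (not from the original post): the "only SSH and WWW"
# iptables policy, generated as text so it can be reviewed before use.
# Assumption: the management network given as $1 is the only place
# administrators log in from; 192.168.0.0/24 below is just the author's LAN.

# Print the rule set for one management network. INPUT defaults to DROP,
# loopback and established traffic are allowed, and new connections are
# accepted only to TCP/22 (SSH) and TCP/80 (the ACID console), and only
# from the management network rather than from anywhere.
ids_fw_rules() {
    mgmt_net="$1"
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $mgmt_net --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s $mgmt_net --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ids-fw-drop: "
EOF
}

# List the TCP ports the rule set opens, one per line. Use it as a check
# that nothing beyond 22 and 80 slipped in when the rules are edited later.
ids_fw_open_ports() {
    ids_fw_rules "$1" | sed -n 's/.*--dport \([0-9]*\).*/\1/p'
}

# Apply the rules on the sensor (must run as root with iptables installed).
ids_fw_apply() {
    ids_fw_rules "$1" | sh -e
}

# Review the generated policy; run "ids_fw_apply 192.168.0.0/24" to enforce it.
ids_fw_rules 192.168.0.0/24
```

MySQL (TCP/3306) is deliberately not opened: Snort and ACID both talk to it over localhost, so nothing on the network needs to reach it.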

III. Installation (copy all the package files into one directory first)

1. Install zlib 1.1.4

tar -xzvf zlib-xx.tar.gz
cd zlib-xx
./configure
make test
make install
cd ..

2. Install LibPcap 0.7.2

tar -xzvf libpcap.tar.gz
cd libpcap-xx
./configure
make
make install
cd ..

3. Install MySQL 4.0.12

3.1 Create the mysql group and user

groupadd mysql
useradd -g mysql mysql

In /root/.bash_profile change the line

PATH=$PATH:$HOME/bin

to

PATH=$PATH:$HOME/bin:/usr/local/mysql/bin

3.2 Install MySQL

tar -xzvf mysql-xx.tar.gz
cd mysql-xx
./configure --prefix=/usr/local/mysql
make
make install
cd scripts
./mysql_install_db
chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql
cd ..
cp support-files/my-medium.cnf /etc/my.cnf

Add these two lines to /etc/ld.so.conf:

/usr/local/mysql/lib/mysql
/usr/local/lib

then load the libraries:

ldconfig -v

3.3 Test that MySQL works:

cd /usr/local/mysql/bin/
./mysqld_safe --user=mysql &
ps -ef | grep mysql

and check that mysqld_safe is running.

3.4 Start MySQL at boot. Copy mysql.server from the support-files directory of the MySQL install tree into /etc/init.d:

cp mysql.server /etc/init.d/mysql
chmod 755 /etc/init.d/mysql

Create the symbolic links:

cd /etc/rc3.d        (text-mode boot)
ln -s /etc/init.d/mysql S85mysql
ln -s /etc/init.d/mysql K85mysql
cd /etc/rc5.d        (graphical boot)
ln -s /etc/init.d/mysql S85mysql
ln -s /etc/init.d/mysql K85mysql

4. Install Apache 2.0.45 and PHP 4.3.1

tar -zxvf httpd-2.0.xx.tar.gz
cd httpd-2.0.xx
./configure --prefix=/www --enable-so
(note: the Apache root directory is /www)
make
make install
cd ..

tar -zxvf php-4.3.x.tar.gz
cd php-4.3.x
./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd

Note: the configure command is one single line; do not break it.

make
make install
cp php.ini-dist /www/php/php.ini

Edit httpd.conf (in /www/conf) and add two lines:

LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php

The relevant part of httpd.conf then looks like this:

#
# LoadModule foo_module modules/mod_foo.so
LoadModule php4_module modules/libphp4.so

# AddType allows you to tweak mime.types without actually editing it, or to
# make certain files to be certain types.
#
#AddType application/x-tar .tgz
AddType image/x-icon .ico
AddType application/x-httpd-php .php

Start Apache at boot:

cp /www/bin/apachectl /etc/init.d/httpd
cd /etc/rc3.d
ln -s /etc/init.d/httpd S85httpd
ln -s /etc/init.d/httpd K85httpd
cd /etc/rc5.d
ln -s /etc/init.d/httpd S85httpd
ln -s /etc/init.d/httpd K85httpd

Test PHP:

cd /etc/init.d
./httpd start

Create the file test.php under /www/htdocs:

cd /www/htdocs
vi test.php

containing

<?php
phpinfo();
?>

Open http://IP_address/test.php in a browser; if everything works it shows the system, Apache and PHP information. Delete test.php once you have checked it: phpinfo() reveals paths, versions and configuration to anyone who can reach the server.

5. Install Snort 2.0

5.1 Create the Snort configuration and log directories, then build:

mkdir /etc/snort
mkdir /var/log/snort
tar -zxvf snort-2.x.x.tar.gz
cd snort-2.x.x
./configure --with-mysql=/usr/local/mysql
make
make install

5.2 Install the rules and configuration files (from the Snort source directory):

cd rules
cp * /etc/snort
cd ../etc
cp snort.conf /etc/snort
cp *.config /etc/snort

5.3 Edit snort.conf (/etc/snort/snort.conf):

var HOME_NET 10.2.2.0/24
(change this to your internal network address; mine is 192.168.0.0/24)

var RULE_PATH ../rules
change to
var RULE_PATH /etc/snort/

Change the logging database output line to:

output database: log, mysql, user=root password=your_password dbname=snort host=localhost

This must be one single line. Note that it hands Snort the MySQL root password and puts it in a file; a dedicated account with only INSERT and SELECT on the snort database (the snort user created in section IV) is the safer choice, and /etc/snort/snort.conf should then be readable only by root and the account Snort runs as.

5.4 Start Snort at boot. From the Snort source directory:

cd contrib
cp S99snort /etc/init.d/snort
vi /etc/init.d/snort

and change the script as follows:

CONFIG=/etc/snort/snort.conf
#SNORT_GID=nogroup        (comment this line out)
$SNORT_PATH/snort -c $CONFIG -i $IFACE $OPTIONS
                          (remove the -g $SNORT_GID from the original line)

Removing -g $SNORT_GID leaves Snort running as root for its whole lifetime. If you would rather keep it to least privilege, create a snort user and group, give them ownership of /var/log/snort, and keep the -g option together with -u so that Snort drops privileges after it opens the capture interface.

chmod 755 /etc/init.d/snort
cd /etc/rc3.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
cd /etc/rc5.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort

IV. Create the database in MySQL

/usr/local/mysql/bin/mysql

mysql> SET PASSWORD FOR root@localhost=PASSWORD('your_password');
mysql> create database snort;
mysql> grant INSERT,SELECT on snort.* to snort@localhost;
mysql> quit;

(The grant has to be on snort.*, the database Snort writes to. As written it creates snort@localhost without a password; add IDENTIFIED BY 'a_password' and use that account, rather than root, in the snort.conf output line.)

Then, from the Snort source directory, load the Snort schema into the database:

/usr/local/mysql/bin/mysql -p snort < ./contrib/create_mysql
Enter password:

Install the extra tables (also in the contrib directory):

zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p snort

Now connect to MySQL and look at the tables in the snort database:

/usr/local/mysql/bin/mysql -p
Enter password:
mysql> show databases;
+------------+
| Database   |
+------------+
| mysql      |
| snort      |
| test       |
+------------+
3 rows in set (0.00 sec)

mysql> use snort;
mysql> show tables;

which should list:

+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)

mysql> exit
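The database grants of section IV and the snort.conf edits of step 5.3 together form one procedure, so here is a single added example that scripts both (example code, not the post's or the Snort project's own). It uses a dedicated database account for the sensor and a second one for the ACID console instead of MySQL root. The account names "snort" and "acid", the function names, the passwords, and the constructed snort.conf fragment the demo rewrites are all assumptions of this example; the real file has many more lines, but the three settings handled here are the ones the guide changes.

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the two
# Snort-to-MySQL steps of this guide (the grants of section IV and the
# snort.conf edits of step 5.3) with a dedicated database account instead
# of MySQL root. Assumed names, not taken from the text: a DB user "snort"
# for the sensor, a DB user "acid" for the console, and the passwords the
# caller passes in.

# SQL for the alert database. Snort writes into the "snort" database, so
# the grant must be on snort.* (the guide's "on root.*" is a typo). ACID
# creates its own acid_* tables at setup and deletes alerts when asked,
# so it gets a second, wider account; neither account needs root.
snort_db_sql() {
    db="$1"; snort_pass="$2"; acid_pass="$3"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS $db;
GRANT INSERT, SELECT ON $db.* TO 'snort'@'localhost' IDENTIFIED BY '$snort_pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON $db.* TO 'acid'@'localhost' IDENTIFIED BY '$acid_pass';
FLUSH PRIVILEGES;
EOF
}

# Run the SQL as MySQL root (prompts for the root password), then load
# Snort's own schema from the source tree as the guide does.
snort_db_apply() {
    snort_src="$1"; db="$2"; snort_pass="$3"; acid_pass="$4"
    mysql_bin=/usr/local/mysql/bin/mysql
    snort_db_sql "$db" "$snort_pass" "$acid_pass" | "$mysql_bin" -u root -p
    "$mysql_bin" -u root -p "$db" < "$snort_src/contrib/create_mysql"
}

# Rewrite snort.conf: HOME_NET, RULE_PATH and exactly one active database
# output line that uses the restricted account. A .orig backup is kept and
# any earlier active "output database:" line is dropped. The file now
# carries a password, so it is made unreadable to other users.
snort_conf_update() {
    conf="$1"; home_net="$2"; rule_path="$3"; db="$4"; snort_pass="$5"
    cp "$conf" "$conf.orig"
    sed -e "s|^var HOME_NET .*|var HOME_NET $home_net|" \
        -e "s|^var RULE_PATH .*|var RULE_PATH $rule_path|" \
        -e '/^output database:/d' "$conf.orig" > "$conf"
    printf 'output database: log, mysql, user=snort password=%s dbname=%s host=localhost\n' \
        "$snort_pass" "$db" >> "$conf"
    chmod 640 "$conf" "$conf.orig"
}

# Sanity check: succeeds only when each setting is present exactly once
# and no active output line still logs in as root.
snort_conf_check() {
    conf="$1"; home_net="$2"; rule_path="$3"
    [ "$(grep -c "^var HOME_NET $home_net\$" "$conf")" -eq 1 ] || return 1
    [ "$(grep -c "^var RULE_PATH $rule_path\$" "$conf")" -eq 1 ] || return 1
    [ "$(grep -c '^output database: log, mysql,' "$conf")" -eq 1 ] || return 1
    ! grep -q '^output database:.*user=root' "$conf"
}

# Demo on a constructed snort.conf fragment (made up here to mirror the
# default lines the guide edits; not the real file). It runs offline: the
# SQL is only printed; snort_db_apply is what you would run on the sensor.
demo_dir=$(mktemp -d)
printf '%s\n' \
    'var HOME_NET any' \
    'var EXTERNAL_NET any' \
    'var RULE_PATH ../rules' \
    '# output database: log, mysql, user=root password=test dbname=db host=localhost' \
    'include $RULE_PATH/local.rules' > "$demo_dir/snort.conf"
snort_conf_update "$demo_dir/snort.conf" 192.168.0.0/24 /etc/snort/ snort 'Snort_Pass_1'
snort_conf_check "$demo_dir/snort.conf" 192.168.0.0/24 /etc/snort/ && echo "snort.conf: OK"
grep -e '^var' -e '^output' "$demo_dir/snort.conf"
snort_db_sql snort 'Snort_Pass_1' 'Acid_Pass_1'
rm -rf "$demo_dir"
```

On the sensor the order is: snort_db_apply with the Snort source directory, then snort_conf_update on /etc/snort/snort.conf with the same snort password, then snort_conf_check before starting the init script. The acid account and its password are what go into $alert_user / $alert_password in acid_conf.php in section V instead of root.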

V. Install and configure the web interface

Install JPGraph 1.11:

cp jpgraph-1.11.tar.gz /www/htdocs
cd /www/htdocs
tar -xzvf jpgraph-1.11.tar.gz
rm -rf jpgraph-1.11.tar.gz
cd jpgraph-1.11
rm -rf README
rm -rf QPL.txt

Install ADODB:

cp adodb330.tgz /www/htdocs/
cd /www/htdocs
tar -xzvf adodb330.tgz
rm -rf adodb330.tgz

Install and configure ACID:

cp acid-0.9.6b23.tar.gz /www/htdocs
cd /www/htdocs
tar -xvzf acid-0.9.6b23.tar.gz
rm -rf acid-0.9.6b23.tar.gz
cd /www/htdocs/acid/

Edit acid_conf.php and set the following:

$DBlib_path = "/www/htdocs/adodb";

/* The type of underlying alert database
 *
 * MySQL : "mysql"
 * PostgresSQL : "postgres"
 * MS SQL Server : "mssql"
 */
$DBtype = "mysql";

/* Alert DB connection parameters
 * - $alert_dbname : MySQL database name of Snort alert DB
 * - $alert_host : host on which the DB is stored
 * - $alert_port : port on which to access the DB
 * - $alert_user : login to the database with this user
 * - $alert_password : password of the DB user
 *
 * This information can be gleaned from the Snort database
 * output plugin configuration.
 */
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "Your_Password";

/* Archive DB connection parameters */
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "Your_Password";

And a little further down:

$ChartLib_path = "/www/htdocs/jpgraph-1.11/src";

/* File format of charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";

Open the web interface:

http://yourhost/acid/acid_main.php

click the "Setup Page" link -> Create Acid AG. Then open http://yourhost/acid and the ACID interface appears.

ACID does no authentication of its own, and acid_conf.php holds the database password, so protect the /www/htdocs/acid directory in httpd.conf (HTTP authentication and/or an address restriction) before anyone else can reach the server.

VI. Test the system

Reboot, or start the daemons directly:

/etc/init.d/mysql restart
/etc/init.d/snort start
/etc/init.d/httpd start

Scan the system with nmap, Nessus, CIS or X-Scan to generate alert records, then look at them at http://yourhost/acid.

That completes a capable IDS. You can log in through the web interface remotely to monitor the LAN the host sits on, and install phpMyAdmin to manage the MySQL database.

ick S.Harper. Translated and compiled by: ids, mapple. Reposting is welcome.




Copyright 2005-2006 megaentry,All Rights Reserved