Installing Snort + MySQL + ACID + IDS Policy Manager
Preface:
Intrusion detection systems (IDS) are very popular at the moment, and although Snort is free software, its capabilities are in no way inferior to those of commercial products. This article also introduces IDS Policy Manager and ACID (Analysis Console for Intrusion Databases), which are used to manage your rules and analyse the logs.
=========================================
Author: zoob (vincent@myunix.adsldns.org)
Copyright notice: this article may be freely redistributed; when redistributing, please credit the original source and the author.
1. Preparation
OS: RedHat 8.0
Please install the following packages in advance:
(1)Apache 1.3
(2)PHP、PHP-MySQL
(3)mysqlclient9-3.23、mysql-devel-3.23、mysql-3.23、mysql-server-3.23
(4)libpcap-0.6.2
2. Installing Snort
(1) Download snort-1.9.0-1snort.i386.rpm and snort-mysql-1.9.0-1snort.i386.rpm from
http://www.snort.org
and install both packages.
(2) Download the Snort rules, extract them, and copy them into the /etc/snort/ directory.
(3) Download IDS Policy Manager, extract it, and run the installer on a Windows machine; it is used to manage the snort agents.
(4) In IDS Policy Manager add a Sensor and a Policy, and set the system version to 1.90.
(5) In the Policy enable "Logging" -> "Database" (remember to tick the checkbox) and configure it as in the following example:
"Sensor": Your Sensor Name
"DB Name": snort
"DB Type": mysql
"Encoding": hex
"Log Rule Type": log
"Detail": full
"User": snort
"User Pass": snort
"DB Host": localhost
"DB Port": 3306
(6) When the settings are complete, choose "Save & Exit".
(7) For the Sensor added earlier, run "Uppolicy to Sensor".
3. Setting up the MySQL database
(1) Create a database named "snort" (replace password with your MySQL root password):
mysqladmin -u root -ppassword create snort
(2) Save the following SQL as a file (e.g. create_mysql):
# Copyright (C) 2000-2002 Carnegie Mellon University
#
# Maintainer: Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
#
# Original Author(s): Jed Pickel <jed@pickel.net> (2000-2001)
# Roman Danyliw <rdd@cert.org>
# Todd Schrubb <tls@cert.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
CREATE TABLE schema ( vseq INT UNSIGNED NOT NULL,
ctime DATETIME NOT NULL,
PRIMARY KEY (vseq));
INSERT INTO schema (vseq, ctime) VALUES ('106', now());
CREATE TABLE event ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
signature INT UNSIGNED NOT NULL,
timestamp DATETIME NOT NULL,
PRIMARY KEY (sid,cid),
INDEX sig (signature),
INDEX time (timestamp));
CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
sig_name VARCHAR(255) NOT NULL,
sig_class_id INT UNSIGNED NOT NULL,
sig_priority INT UNSIGNED,
sig_rev INT UNSIGNED,
sig_sid INT UNSIGNED,
PRIMARY KEY (sig_id),
INDEX sign_idx (sig_name(20)),
INDEX sig_class_id_idx (sig_class_id));
CREATE TABLE sig_reference (sig_id INT UNSIGNED NOT NULL,
ref_seq INT UNSIGNED NOT NULL,
ref_id INT UNSIGNED NOT NULL,
PRIMARY KEY(sig_id, ref_seq));
CREATE TABLE reference ( ref_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
ref_system_id INT UNSIGNED NOT NULL,
ref_tag TEXT NOT NULL,
PRIMARY KEY (ref_id));
CREATE TABLE reference_system ( ref_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
ref_system_name VARCHAR(20),
PRIMARY KEY (ref_system_id));
CREATE TABLE sig_class ( sig_class_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
sig_class_name VARCHAR(60) NOT NULL,
PRIMARY KEY (sig_class_id),
INDEX (sig_class_id),
INDEX (sig_class_name));
# store info about the sensor supplying data
CREATE TABLE sensor ( sid INT UNSIGNED NOT NULL AUTO_INCREMENT,
hostname TEXT,
interface TEXT,
filter TEXT,
detail TINYINT,
encoding TINYINT,
last_cid INT UNSIGNED NOT NULL,
PRIMARY KEY (sid));
# All of the fields of an ip header
CREATE TABLE iphdr ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
ip_src INT UNSIGNED NOT NULL,
ip_dst INT UNSIGNED NOT NULL,
ip_ver TINYINT UNSIGNED,
ip_hlen TINYINT UNSIGNED,
ip_tos TINYINT UNSIGNED,
ip_len SMALLINT UNSIGNED,
ip_id SMALLINT UNSIGNED,
ip_flags TINYINT UNSIGNED,
ip_off SMALLINT UNSIGNED,
ip_ttl TINYINT UNSIGNED,
ip_proto TINYINT UNSIGNED NOT NULL,
ip_csum SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX ip_src (ip_src),
INDEX ip_dst (ip_dst));
# All of the fields of a tcp header
CREATE TABLE tcphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
tcp_sport SMALLINT UNSIGNED NOT NULL,
tcp_dport SMALLINT UNSIGNED NOT NULL,
tcp_seq INT UNSIGNED,
tcp_ack INT UNSIGNED,
tcp_off TINYINT UNSIGNED,
tcp_res TINYINT UNSIGNED,
tcp_flags TINYINT UNSIGNED NOT NULL,
tcp_win SMALLINT UNSIGNED,
tcp_csum SMALLINT UNSIGNED,
tcp_urp SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX tcp_sport (tcp_sport),
INDEX tcp_dport (tcp_dport),
INDEX tcp_flags (tcp_flags));
# All of the fields of a udp header
CREATE TABLE udphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
udp_sport SMALLINT UNSIGNED NOT NULL,
udp_dport SMALLINT UNSIGNED NOT NULL,
udp_len SMALLINT UNSIGNED,
udp_csum SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX udp_sport (udp_sport),
INDEX udp_dport (udp_dport));
# All of the fields of an icmp header
CREATE TABLE icmphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
icmp_type TINYINT UNSIGNED NOT NULL,
icmp_code TINYINT UNSIGNED NOT NULL,
icmp_csum SMALLINT UNSIGNED,
icmp_id SMALLINT UNSIGNED,
icmp_seq SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX icmp_type (icmp_type));
# Protocol options
CREATE TABLE opt ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
optid INT UNSIGNED NOT NULL,
opt_proto TINYINT UNSIGNED NOT NULL,
opt_code TINYINT UNSIGNED NOT NULL,
opt_len SMALLINT,
opt_data TEXT,
PRIMARY KEY (sid,cid,optid));
# Packet payload
CREATE TABLE data ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
data_payload TEXT,
PRIMARY KEY (sid,cid));
# encoding is a lookup table for storing encoding types
CREATE TABLE encoding(encoding_type TINYINT UNSIGNED NOT NULL,
encoding_text TEXT NOT NULL,
PRIMARY KEY (encoding_type));
INSERT INTO encoding (encoding_type, encoding_text) VALUES (0, 'hex');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii');
# detail is a lookup table for storing different detail levels
CREATE TABLE detail (detail_type TINYINT UNSIGNED NOT NULL,
detail_text TEXT NOT NULL,
PRIMARY KEY (detail_type));
INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast');
INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full');
# be sure to also use the snortdb-extra tables if you want
# mappings for tcp flags, protocols, and ports
(3) Import the create_mysql file:
mysql -u root -ppassword snort < create_mysql
(4) Create the MySQL user snort:
mysql -u root -ppassword snort
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
mysql> connect mysql;
mysql> set password for 'snort'@'localhost' = password('snort');
mysql> set password for 'snort'@'%' = password('snort');
mysql> flush privileges;
mysql> exit;
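Once events are in these tables the raw rows are not very readable: iphdr.ip_src and ip_dst are INT UNSIGNED values and data.data_payload is a hex string (the "Encoding: hex" setting chosen in the Policy above). The following Python script, added here as an example and not part of the original article, of Snort or of ACID, joins one constructed row from each of event, signature, iphdr, tcphdr and data into a one-line alert the way a console would render it; it assumes that the sensor writes addresses with the same value MySQL's INET_ATON would give, and the sample rows are constructed, not real alert data.

```python
import base64

# Bit values of tcphdr.tcp_flags, low bit first: FIN, SYN, RST, PSH, ACK, URG
TCP_FLAG_BITS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U")]

def int_to_ip(n):
    """iphdr.ip_src / ip_dst are INT UNSIGNED (INET_ATON value, assumed); render as dotted quad."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("value does not fit INT UNSIGNED")
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def ip_to_int(addr):
    """Inverse of int_to_ip: the value a sensor would write into ip_src / ip_dst."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % addr)
    return int.from_bytes(bytes(octets), "big")

def decode_payload(text, encoding_text):
    """data.data_payload is written under the sensor's encoding (hex, base64 or ascii)."""
    if encoding_text == "hex":
        return bytes.fromhex(text)
    if encoding_text == "base64":
        return base64.b64decode(text, validate=True)
    if encoding_text == "ascii":
        return text.encode("ascii")
    raise ValueError("unknown encoding_text: %r" % encoding_text)

def tcp_flags_str(flags):
    return "".join(ch for bit, ch in TCP_FLAG_BITS if flags & bit) or "-"

def printable(data):
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def format_event(event, sig, ip, tcp, data, encoding_text="hex"):
    """Join one row each from event, signature, iphdr, tcphdr and data into one line."""
    payload = printable(decode_payload(data["data_payload"], encoding_text))
    return "[%d:%d] %s %s (prio %d) %s:%d -> %s:%d flags=%s payload=%r" % (
        event["sid"], event["cid"], event["timestamp"], sig["sig_name"], sig["sig_priority"],
        int_to_ip(ip["ip_src"]), tcp["tcp_sport"], int_to_ip(ip["ip_dst"]), tcp["tcp_dport"],
        tcp_flags_str(tcp["tcp_flags"]), payload)

# Constructed sample rows shaped like the tables above (not real alert data).
SAMPLE_EVENT = {"sid": 1, "cid": 17, "signature": 3, "timestamp": "2003-01-15 10:22:07"}
SAMPLE_SIG = {"sig_id": 3, "sig_name": "WEB-MISC robots.txt access", "sig_priority": 2}
SAMPLE_IP = {"ip_src": ip_to_int("192.168.1.10"), "ip_dst": ip_to_int("10.0.0.5"), "ip_proto": 6}
SAMPLE_TCP = {"tcp_sport": 40123, "tcp_dport": 80, "tcp_flags": 0x18}
SAMPLE_DATA = {"data_payload": b"GET /robots.txt HTTP/1.0\r\n\r\n".hex().upper()}
if __name__ == "__main__":
    print(format_event(SAMPLE_EVENT, SAMPLE_SIG, SAMPLE_IP, SAMPLE_TCP, SAMPLE_DATA))
```

The same decoding applies to rows fetched from the real tables with a MySQL client; only the dictionaries change.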
4. Installing ACID
(1) Install ACID 0.9.6B23
From http://acidlab.sourceforge.net/, extract acid-0.9.*.tar.gz into the /var/www/html directory.
(2) Install ADODB v2.31
From http://php.weblogs.com/adodb, extract adodb231.tgz into the /var/www/html directory.
(3) Install PHPLOT v4.4.6
From http://www.phplot.com/, extract phplot-4.4.6.tar.gz into the /var/www/html directory and rename the phplot-4.4.6 directory to phplot.
(4) Install GD v1.8.4
From http://www.boutell.com/gd/, extract gd-1.8.4.tar.gz into the /var/www/html directory and rename the gd-1.8.4 directory to gd.
(5) Install JPGraph v1.11
From http://www.aditus.nu/jpgraph/, extract the archive and copy all files under its src directory into /var/www/html/phplot.
(6) Configure acid_conf.php, for example:
$DBlib_path="../adodb";
$alert_dbname="snort";
$alert_user="snort";
$alert_password="snort";
$Chartlib_path="../phplot";
5. Starting the services
(1) Start the mysqld service.
(2) Start the httpd service.
(3) Start the snortd service.
Before starting it, edit /etc/rc.d/init.d/snortd and, in the start section, change
daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D -i $INTERFACE -c /etc/snort/snort.conf
to
daemon /usr/sbin/snort -b -d -D -i $INTERFACE -c /etc/snort/snort.conf
and set INTERFACE to the network interface you want to monitor, e.g. INTERFACE=eth1.
Then change to the /etc/rc.d/init.d directory and run
chkconfig --level 2345 snortd on
so that the service starts automatically at boot.