100277273-cai-snort
1.1. Requirements analysis
Install an intrusion detection system with Snort. Snort's logs are written to a MySQL database, and the administrator monitors the logs through the web interface of BASE (Basic Analysis And Security Engine).
The packages to install are:
- Server configuration tools: choose the defaults.
The web server needs the following packages: Apache, PHP, php-mysql, phpMyAdmin.
The MySQL database needs the following packages: mysql-connector-odbc, mysql-server, mysql-client, mysql-devel, php-mysql.
- Supporting libraries for Snort: libpcap (two packages, libpcap and libpcap-devel, if installing from rpm; building from source is recommended), Bison, libpcre and libnet.
- The Snort-2.8.4.1 package.
1.1.1. Installing the server configuration tools
The server configuration tools are used to store Snort's alerts in the MySQL database and to run BASE (Basic Analysis And Security Engine), which displays the analysis charts for the system. Install them as follows:
- Install Apache:
sudo apt-get install apache2
- Install PHP5:
sudo apt-get install php5 libapache2-mod-php5
- Install phpMyAdmin:
sudo apt-get install phpmyadmin
- Install MySQL:
sudo apt-get install mysql-server mysql-client
During the MySQL installation you are asked for the user name and password used to access the MySQL server.
1.1.2. Installing the Bison, libpcap, libpcre and libnet libraries
1.1.2.1. Installing the flex library
To compile libpcap successfully, the supporting flex library must be installed first. Download flex and install it from this link:
http://biznetnetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz
Proceed with the following steps:
- Download flex to the machine:
root@Ubuntu:/home/chau/Desktop/Install# wget http://biznetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz
- Copy the flex archive into the build directory:
root@Ubuntu:/home/chau/Desktop/Install# cp flex-2.5.35.tar.gz /usr/local/
- Change to the build directory:
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
- Extract flex:
root@Ubuntu:/usr/local# tar -xvzf flex-2.5.35.tar.gz
- Change to flex-2.5.35:
root@Ubuntu:/usr/local# cd flex-2.5.35
- Configure, compile and install flex:
root@Ubuntu:/usr/local/flex-2.5.35# ./configure
root@Ubuntu:/usr/local/flex-2.5.35# make && make install
1.1.2.2. Installing the Bison library
Repeat the same steps as for flex:
root@Ubuntu:/home/chau/Desktop/Install# wget http://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp bison-2.4.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf bison-2.4.1.tar.gz
root@Ubuntu:/usr/local# cd bison-2.4.1
root@Ubuntu:/usr/local/bison-2.4.1# ./configure
root@Ubuntu:/usr/local/bison-2.4.1# make && make install
1.1.2.3. Installing libpcap
Install libpcap from source: http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
root@ubuntu:/home/chau/Desktop/Install# wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
root@ubuntu:/home/chau/Desktop/Install# cp libpcap-1.0.0.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf libpcap-1.0.0.tar.gz
root@Ubuntu:/usr/local# cd libpcap-1.0.0
root@Ubuntu:/usr/local/libpcap-1.0.0# ./configure
root@Ubuntu:/usr/local/libpcap-1.0.0# make && make install
1.1.2.4. Installing pcre
root@ubuntu:/home/chau/Desktop/Install# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
root@ubuntu:/home/chau/Desktop/Install# cp pcre-7.9.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf pcre-7.9.tar.gz
root@Ubuntu:/usr/local# cd pcre-7.9
root@Ubuntu:/usr/local/pcre-7.9# ./configure
root@Ubuntu:/usr/local/pcre-7.9# make && make install
1.1.2.5. Installing libnet
root@Ubuntu:/home/chau/Desktop/Install# wget ftp://64.50.238.52/.1/gentoo/distfiles/libnet-1.1.2.1.tar.gz
root@ubuntu:/home/chau/Desktop/Install# cp libnet-1.1.2.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local/
root@Ubuntu:/usr/local# tar -xvzf libnet-1.1.2.1.tar.gz
root@Ubuntu:/usr/local# cd libnet
root@Ubuntu:/usr/local/libnet# ./configure
root@Ubuntu:/usr/local/libnet# make && make install
1.1.3. Installing Snort
root@Ubuntu:/home/chau/Desktop/Install# wget http://www.procyonlabs.com/mirrors/snort/snort-2.8.4.1.tar.gz
root@ubuntu:/home/chau/Desktop/Install# cp snort-2.8.4.1.tar.gz /usr/local/
root@ubuntu:/home/chau/Desktop/Install# cd /usr/local/
root@Ubuntu:/usr/local# tar -xvzf snort-2.8.4.1.tar.gz
root@Ubuntu:/usr/local# cd snort-2.8.4.1
root@Ubuntu:/usr/local/snort-2.8.4.1# ./configure --with-mysql
root@Ubuntu:/usr/local/snort-2.8.4.1# make && make install
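The five library builds and the Snort build above all repeat the same wget, cp, tar, ./configure, make sequence, and none of them checks what was downloaded before compiling and installing it as root over plain HTTP and FTP. The script below is an added example, not part of the original guide, that wraps that sequence in one function and refuses to build an archive whose SHA-256 does not match a digest the reader supplies. The digest argument is a placeholder to be filled in from the upstream project's published checksums; none of the hash values in the script come from the guide, and `verify_sha256` is exercised on a constructed file rather than on any of the guide's tarballs. It assumes GNU coreutils (`sha256sum`) and `wget` on the PATH.

```shell
#!/bin/sh
# Added example, not from the original guide: the repeated
# wget / cp / tar / ./configure / make && make install sequence as one function,
# with a SHA-256 check between download and extraction.
# Assumptions: GNU coreutils (sha256sum) and wget are on PATH, and the reader
# supplies the expected digest from the upstream project's published checksums.
set -e

SRC_DIR=${SRC_DIR:-/usr/local}   # the guide unpacks every tarball under /usr/local

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the SHA-256 of FILE equals EXPECTED_HEX, 1 otherwise.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# build_from_tarball URL EXPECTED_HEX SUBDIR [configure options...]
# Downloads URL (unless the file is already in the current directory), verifies
# it, copies it to SRC_DIR, extracts it there, and runs ./configure with the
# remaining arguments followed by make && make install inside SUBDIR (the
# directory the archive creates). A digest mismatch stops before extraction.
build_from_tarball() {
    url=$1; expected=$2; subdir=$3; shift 3
    tarball=${url##*/}
    [ -f "$tarball" ] || wget -q "$url"
    if ! verify_sha256 "$tarball" "$expected"; then
        echo "SHA-256 mismatch for $tarball; not building it" >&2
        return 1
    fi
    cp "$tarball" "$SRC_DIR/"
    (
        cd "$SRC_DIR" &&
        tar -xzf "$tarball" &&
        cd "$subdir" &&
        ./configure "$@" &&
        make && make install
    )
}

# Usage, with PLACEHOLDER standing for the digest the reader looks up upstream:
#   build_from_tarball http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz PLACEHOLDER libpcap-1.0.0
#   build_from_tarball http://www.procyonlabs.com/mirrors/snort/snort-2.8.4.1.tar.gz PLACEHOLDER snort-2.8.4.1 --with-mysql
```

The subshell keeps the caller's working directory unchanged, so the function can be called once per package from the download directory exactly as the guide does by hand. Keeping the digests in the script also documents which exact sources went into the sensor, which matters later when a library in this stack needs to be patched.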
1.2. Creating the database that stores the alerts
- Log in to MySQL with the MySQL client: root@Ubuntu:/usr/local# mysql -u root -p
- Enter the password of the MySQL root user.
- After logging in, create the MySQL user that Snort will use. The user is named snort and its password is 123456.
mysql> use mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
mysql> flush privileges;
- Create the database for Snort, named snort:
mysql> create database snort;
- Grant privileges to the snort account:
mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* to snort@localhost;
- Create the tables: change to the schemas directory of the extracted Snort source tree and load the MySQL schema into the snort database:
root@Ubuntu:~# cd /usr/local/snort-2.8.4.1/schemas/
root@Ubuntu:/usr/local/snort-2.8.4.1/schemas# mysql -u root -p snort < create_mysql
You will be prompted for the root user's password; enter it and the command executes.
1.3. Configuring Snort
1.3.1. Creating the group and user that run Snort
- Create a symbolic link from the Snort binary to /usr/sbin/snort; the binary itself is at /usr/local/bin/snort:
root@Ubuntu:/usr/local/snort-2.8.4.1# ln -s /usr/local/bin/snort /usr/sbin/snort
- Create the group and user:
root@Ubuntu:~# groupadd snort
root@Ubuntu:~# useradd -g snort snort
- Set ownership so that Snort can write logs into the log directory:
root@Ubuntu:~# chown snort:snort /var/log/snort/
1.3.2. Creating rules for Snort
- Create the snort directories:
root@Ubuntu:~# mkdir /etc/snort
root@Ubuntu:~# mkdir /etc/snort/rules
- Create the directory in which Snort stores its log files:
root@Ubuntu:~# mkdir /var/log/snort/
- Copy the required files into the directory just created:
root@Ubuntu:~# cd /usr/local/snort-2.8.4.1/etc/
root@Ubuntu:/usr/local/snort-2.8.4.1/etc# cp * /etc/snort
- Create the rules file. Open /etc/snort/rules/icmp.rules and give it the following content:
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
Save icmp.rules.
- Edit the configuration file snort.conf so that it points to icmp.rules and carries the MySQL access details. Open it, delete its entire contents and replace them with:
include /etc/snort/rules/icmp.rules
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
Save the configuration file.
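The snort.conf written above has only two lines, but each can silently break the sensor: a mistyped include path makes Snort refuse to start, a rules file with no rule carrying a sid gives a sensor that alerts on nothing, and the `output database:` line stores the snort user's password in clear text, so the file must not be readable by every local account. The script below is an added example, not part of the original guide, that checks those three things for the layout built in 1.3.2. The path defaults to the guide's /etc/snort/snort.conf; the usage comment builds a constructed copy of the two files under a temporary directory rather than touching the live system. It assumes POSIX sh with sed, grep and ls.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight checks for the
# two-line /etc/snort/snort.conf built in section 1.3.2.
# Assumes POSIX sh, sed, grep and ls; CONF defaults to the guide's path.

# list_includes CONF -> prints the target path of every "include" directive
list_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}//p' "$1"
}

# count_sids RULEFILE -> number of non-comment lines that carry a sid option,
# i.e. the number of rules Snort will actually load from the file
count_sids() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'sid:[[:space:]]*[0-9]\{1,\}'
}

# world_readable FILE -> 0 if the "others" read bit is set (8th column of ls -l)
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# check_snort_conf [CONF] -> 0 when every check passes, 1 otherwise; each
# failure is reported on stderr so the function can gate a deploy step
check_snort_conf() {
    conf=${1:-/etc/snort/snort.conf}
    status=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 1
    fi
    for inc in $(list_includes "$conf"); do
        if [ ! -r "$inc" ]; then
            echo "include target missing: $inc" >&2
            status=1
        elif [ "$(count_sids "$inc")" -eq 0 ]; then
            echo "no rule with a sid in $inc" >&2
            status=1
        fi
    done
    # the output line carries user= and password= in clear text
    if grep -q '^output database:.*password' "$conf" && world_readable "$conf"; then
        echo "$conf holds the database password but is world-readable" >&2
        status=1
    fi
    return "$status"
}

# Usage against a constructed copy of the guide's two files (not the live system):
#   d=$(mktemp -d); mkdir "$d/rules"
#   printf 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)\n' > "$d/rules/icmp.rules"
#   printf 'include %s/rules/icmp.rules\noutput database: log, mysql, user=snort password=123456 dbname=snort host=localhost\n' "$d" > "$d/snort.conf"
#   chmod 640 "$d/snort.conf" && check_snort_conf "$d/snort.conf" && echo OK
```

On the real system the natural fix for the permission finding is `chown root:snort /etc/snort/snort.conf` followed by `chmod 640`, which keeps the file readable by the snort user created in 1.3.1 while hiding the database password from other local accounts.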
1.4. Installing BASE
- The web server and PHP are already installed; a few additional PEAR packages for PHP are needed.
root@Ubuntu:/home/chau/Desktop/Install# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
root@Ubuntu:/home/chau/Desktop/Install# apt-get install php-pear
- Install ADODB:
root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/adodb/adodb508a.tgz
root@Ubuntu:/home/chau/Desktop/Install# cp adodb508a.tgz /var/www/
root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
root@Ubuntu:/var/www# tar -xvzf adodb508a.tgz
- Install BASE:
root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp base-1.4.2.tar.gz /var/www/
root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
root@Ubuntu:/var/www# tar -xzvf base-1.4.2.tar.gz
root@Ubuntu:/var/www# rm -rf base-1.4.2.tar.gz
root@Ubuntu:/var/www# cd base-1.4.2/
root@Ubuntu:/var/www/base-1.4.2# cp base_conf.php.dist base_conf.php
root@Ubuntu:/var/www/base-1.4.2# vi base_conf.php
- Rename the BASE directory to its final path: root@Ubuntu:/var/www# mv base-1.4.2/ base/
Edit the following parameters in base_conf.php:
$DBlib_path = '/var/www/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '123456';
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = '123456';
/* Whois query */
$external_whois_link = '';
/* DNS query */
$external_dns_link = '';
/* SamSpade "all" query */
$external_all_link = '';