100277273-cai-snort


Upload: hieu-andree

Post on 16-Oct-2015


1.1. Requirements analysis

Install an intrusion detection system based on Snort. Snort's log is written to a MySQL database, and the administrator follows the log through the web interface of BASE (Basic Analysis And Security Engine).

The packages to install are:

- Server configuration tools: accept the defaults.
  The web server needs the following packages: Apache, Php, Php_mysql, Phpmyadmin.
  The MySQL database needs the following packages: Mysql-connector-odbc, Mysql-server, Mysql-client, Mysql-devel, Php-mysql.
- Supporting libraries for Snort: libpcap (two packages, libpcap and libpcap-devel, if installed from rpm; building from source is recommended), Bison, libpcre and libnet.
- The Snort-2.8.4.1 package.

1.1.1. Installing the server configuration tools

The server configuration tools are what store Snort's alerts in the MySQL database; BASE then uses that database to draw the analysis charts for the system. Install them as follows:

- Install Apache:
  sudo apt-get install apache2
- Install PHP5:
  sudo apt-get install php5 libapache2-mod-php5
- Install phpMyAdmin:
  sudo apt-get install phpmyadmin
- Install MySQL:
  sudo apt-get install mysql-server mysql-client

During the MySQL installation you are asked for a user name and password for access to the MySQL server.

1.1.2. Installing the Bison, libpcap, libpcre and libnet libraries

1.1.2.1. Installing the flex library

To compile libpcap successfully we first need the supporting library flex. Download flex from the following link and install it:
http://biznetnetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz

Install it with the following steps:

- Download flex to the machine:
  root@Ubuntu:/home/chau/Desktop/Install# wget http://biznetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz
- Copy the flex archive into the install directory:
  root@Ubuntu:/home/chau/Desktop/Install# cp flex-2.5.35.tar.gz /usr/local/
- Change to the install directory:
  root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
- Extract flex:
  root@Ubuntu:/usr/local# tar -xvzf flex-2.5.35.tar.gz
- Change into flex-2.5.35:
  root@Ubuntu:/usr/local# cd flex-2.5.35
- Configure, compile and install flex:
  root@Ubuntu:/usr/local/flex-2.5.35# ./configure
  root@Ubuntu:/usr/local/flex-2.5.35# make && make install

1.1.2.2. Installing the Bison library

The steps are the same as for flex:

  root@Ubuntu:/home/chau/Desktop/Install# wget http://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.gz
  root@Ubuntu:/home/chau/Desktop/Install# cp bison-2.4.1.tar.gz /usr/local/
  root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
  root@Ubuntu:/usr/local# tar -xvzf bison-2.4.1.tar.gz
  root@Ubuntu:/usr/local# cd bison-2.4.1
  root@Ubuntu:/usr/local/bison-2.4.1# ./configure
  root@Ubuntu:/usr/local/bison-2.4.1# make && make install

1.1.2.3. Installing libpcap

Install libpcap from source: http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz

  root@ubuntu:/home/chau/Desktop/Install# wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
  root@ubuntu:/home/chau/Desktop/Install# cp libpcap-1.0.0.tar.gz /usr/local/
  root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
  root@Ubuntu:/usr/local# tar -xvzf libpcap-1.0.0.tar.gz
  root@Ubuntu:/usr/local# cd libpcap-1.0.0
  root@Ubuntu:/usr/local/libpcap-1.0.0# ./configure
  root@Ubuntu:/usr/local/libpcap-1.0.0# make && make install

1.1.2.4. Installing pcre

  root@ubuntu:/home/chau/Desktop/Install# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
  root@ubuntu:/home/chau/Desktop/Install# cp pcre-7.9.tar.gz /usr/local/
  root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
  root@Ubuntu:/usr/local# tar -xvzf pcre-7.9.tar.gz
  root@Ubuntu:/usr/local# cd pcre-7.9
  root@Ubuntu:/usr/local/pcre-7.9# ./configure
  root@Ubuntu:/usr/local/pcre-7.9# make && make install

1.1.2.5. Installing libnet

  root@Ubuntu:/home/chau/Desktop/Install# wget ftp://64.50.238.52/.1/gentoo/distfiles/libnet-1.1.2.1.tar.gz
  root@ubuntu:/home/chau/Desktop/Install# cp libnet-1.1.2.1.tar.gz /usr/local/
  root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local/
  root@Ubuntu:/usr/local# tar -xvzf libnet-1.1.2.1.tar.gz
  root@Ubuntu:/usr/local# cd libnet
  root@Ubuntu:/usr/local/libnet# ./configure
  root@Ubuntu:/usr/local/libnet# make && make install

1.1.3. Installing Snort

  root@Ubuntu:/home/chau/Desktop/Install# wget http://www.procyonlabs.com/mirrors/snort/snort-2.8.4.1.tar.gz
  root@ubuntu:/home/chau/Desktop/Install# cp snort-2.8.4.1.tar.gz /usr/local/
  root@ubuntu:/home/chau/Desktop/Install# cd /usr/local/
  root@Ubuntu:/usr/local# tar -xvzf snort-2.8.4.1.tar.gz
  root@Ubuntu:/usr/local# cd snort-2.8.4.1
  root@Ubuntu:/usr/local/snort-2.8.4.1# ./configure --with-mysql
  root@Ubuntu:/usr/local/snort-2.8.4.1# make && make install

1.2. Creating the database that stores the alerts

- Log in to MySQL with the mysql client:
  root@Ubuntu:/usr/local# mysql -u root -p
- Enter the password of the MySQL root user.
- After logging in successfully, create the MySQL user that Snort will use. The user is named snort and its password is 123456:
  mysql> use mysql;
  mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
  mysql> flush privileges;
- Create the database for Snort, also named snort:
  mysql> create database snort;
- Grant privileges to the snort account:
  mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* to snort@localhost;
- Create the tables: change into the schemas directory of the extracted Snort source and load the MySQL schema into the snort database:
  root@Ubuntu:~# cd /usr/local/snort-2.8.4.1/schemas/
  root@Ubuntu:/usr/local/snort-2.8.4.1/schemas# mysql -u root -p snort < create_mysql
  You are asked for the root user's password; enter it and the command executes.

1.3. Configuring Snort

1.3.1. Creating the group and user that run Snort

- Create a symbolic link from the snort binary to /usr/sbin/snort; the binary itself is at /usr/local/bin/snort:
  root@Ubuntu:/usr/local/snort-2.8.4.1# ln -s /usr/local/bin/snort /usr/sbin/snort
- Create the group and user:
  root@Ubuntu:~# groupadd snort
  root@Ubuntu:~# useradd -g snort snort
- Set ownership so that Snort can write its logs to the log directory:
  root@Ubuntu:~# chown snort:snort /var/log/snort/

1.3.2. Creating rules for Snort

- Create the snort directories:
  root@Ubuntu:~# mkdir /etc/snort
  root@Ubuntu:~# mkdir /etc/snort/rules
- Create the directory where Snort stores its log files:
  root@Ubuntu:~# mkdir /var/log/snort/
- Copy the required files into the directory just created:
  root@Ubuntu:~# cd /usr/local/snort-2.8.4.1/etc/
  root@Ubuntu:/usr/local/snort-2.8.4.1/etc# cp * /etc/snort
- Create the rules file. Open /etc/snort/rules/icmp.rules and give it the following content:
  alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
  Save icmp.rules.
- Edit the configuration file snort.conf so that it points to icmp.rules and holds the MySQL access details. Delete the entire existing content of snort.conf and replace it with:
  include /etc/snort/rules/icmp.rules
  output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
  Save the configuration file.
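A small checker for the two-line snort.conf and the icmp.rules line above, added here as an example and not part of the original document or of Snort itself. It assumes the directive's parameters are whitespace-separated key=value tokens, so a parameter written as password = 123456 (with spaces around the equals sign) is reported as malformed, and it parses the rule into header fields and options so the sid and rev can be checked.

```python
import re

# Constructed samples: the page's two-line snort.conf written correctly, the
# 'output database' line with spaces around '=' as it is sometimes typed,
# and the rule from the page's /etc/snort/rules/icmp.rules.
SNORT_CONF = """include /etc/snort/rules/icmp.rules
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
"""
SNORT_CONF_BAD = "output database: log, mysql, user=snort password = 123456 dbname=snort host=localhost\n"
ICMP_RULE = 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)'
DIRECTIVE = re.compile(r"^output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")

def parse_output_database(line):
    """Split 'output database: <log|alert>, <dbtype>, k=v k=v ...' into (facility, dbtype, params)."""
    m = DIRECTIVE.match(line.strip())
    if not m:
        raise ValueError("not an 'output database:' directive")
    facility, dbtype, rest = m.groups()
    params = {}
    for tok in rest.split():
        key, sep, val = tok.partition("=")   # assumption: each token is exactly key=value
        if not (sep and key and val):
            raise ValueError(f"malformed parameter {tok!r}: expected key=value")
        params[key] = val
    return facility, dbtype, params

def parse_rule(rule):
    """Parse a one-line Snort rule into its header fields and an option map."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    options = {}
    for opt in body.rstrip().rstrip(")").split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            options[key] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": arrow, "dst": dst, "dport": dport, "options": options}

def check_conf(text):
    """Report relative include paths and output database directives that do not parse."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("include ") and not line[8:].strip().startswith("/"):
            problems.append(f"line {n}: include path is not absolute")
        elif line.startswith("output database:"):
            try:
                parse_output_database(line)
            except ValueError as e:
                problems.append(f"line {n}: {e}")
    return problems
```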

1.4. Installing BASE

- The web server and PHP are already installed; a few PEAR packages for PHP still need to be added:
  root@Ubuntu:/home/chau/Desktop/Install# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
  root@Ubuntu:/home/chau/Desktop/Install# apt-get install php-pear
- Install ADODB:
  root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/adodb/adodb508a.tgz
  root@Ubuntu:/home/chau/Desktop/Install# cp adodb508a.tgz /var/www/
  root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
  root@Ubuntu:/var/www# tar -xvzf adodb508a.tgz
- Install BASE:
  root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz
  root@Ubuntu:/home/chau/Desktop/Install# cp base-1.4.2.tar.gz /var/www/
  root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
  root@Ubuntu:/var/www# tar -xzvf base-1.4.2.tar.gz
  root@Ubuntu:/var/www# rm -rf base-1.4.2.tar.gz
  root@Ubuntu:/var/www# cd base-1.4.2/
  root@Ubuntu:/var/www/base-1.4.2# cp base_conf.php.dist base_conf.php
  root@Ubuntu:/var/www/base-1.4.2# vi base_conf.php
  Edit the following settings in base_conf.php:
- Correct the path for BASE:
  root@Ubuntu:/var/www# mv base-1.4.2/ base/

  $DBlib_path = '/var/www/adodb5';
  $DBtype = 'mysql';
  $alert_dbname = 'snort';
  $alert_host = 'localhost';
  $alert_port = '';
  $alert_user = 'snort';
  $alert_password = '123456';
  $archive_exists = 1; # Set this to 1 if you have an archive DB
  $archive_dbname = 'snort';
  $archive_host = 'localhost';
  $archive_port = '';
  $archive_user = 'snort';
  $archive_password = '123456';
  /* Whois query */
  $external_whois_link = '';
  /* DNS query */
  $external_dns_link = '';
  /* SamSpade "all" query */
  $external_all_link = '';