1. Introduction to Snort

Snort is designed to fill the gap left by expensive, heavyweight network intrusion detection systems. It is a free, cross-platform package that works as a packet sniffer, packet logger and intrusion detector for small TCP/IP networks. It runs on Linux/UNIX and Win32 systems; installation takes only a few minutes and you can start using it right away. Some of Snort's features:

- real-time traffic analysis and packet logging
- packet payload inspection
- protocol analysis and content search/matching
- detection of buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting and other intrusion attempts
- real-time alerting to syslog, to a specified file, to a UNIX socket, or as WinPopup messages through Samba

Snort has three main modes: packet sniffer, packet logger, or full intrusion detection system. Following the most important practice of open/free software development, Snort supports plugins for extension and customisation, including database or XML logging, small-fragment detection, anomaly detection and other statistics. Payload inspection is one of Snort's most useful features: it means many additional kinds of hostile behaviour can be detected.

2. Required packages

1.  libpcap       http://www.mirrors.wiretapped.net/security/packet-capture/libpcap/libpcap-0.8.3.tar.gz
2.  snort         http://www.snort.org/dl/snort-2.2.0.tar.gz
3.  snort rules   http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
4.  openssl       http://www.openssl.org/source/openssl-0.9.7d.tar.gz
5.  acid          Web-based Analysis Console for Intrusion Databases, http://acidlab.sourceforge.net
6.  gd            http://www.boutell.com/gd/
7.  adodb         database abstraction layer used by ACID, http://php.weblogs.com/adodb
8.  phplot        graphics library that ACID relies on, http://www.phplot.com/
9.  apache        http://www.apache.org
10. mysql         http://www.mysql.com
11. php (v > 4.2) http://www.php.net

3. Installation

1) Install MySQL. Create the mysql group and user:

   # addgroup mysql
   # adduser mysql

   then log in as the mysql user and run:

   $ gzip -d -c mysql-3.23.49.tar.gz | tar xvf -
   $ cd mysql-3.23.49
   $ ./configure
   $ make
   $ make install

2) Install OpenSSL (OpenSSL's configuration script is ./config):

   # tar zxvf openssl*
   # cd openssl-0.9.7d
   # ./config
   # make
   # make test
   # make install

3) Install libpcap:

   # tar zxvf libpcap*
   # cd libpcap-0.8.3
   # ./configure

   If configure prints

       configure: warning: cannot determine packet capture interface (see INSTALL for more info)

   the kernel must be rebuilt with CONFIG_PACKET enabled so that it supports packet capture. Then:

   # make
   # make install

4) Install Snort:

   # tar zxvf snort*
   # cd snort-2.2.0
   # ./configure --enable-flexresp --with-mysql=/usr/local/mysql --with-openssl=/usr/local/ssl

   This enables MySQL and OpenSSL support; see the documentation in the tarball for further options. If configure reports

       ERROR! Libpcre header not found, go get it from http://www.pcre.org

   install the pcre library. If it reports

       ERROR! Libnet header not found

   download and install libnet from http://www.packetfactory.net/projects/libnet/; if libnet is already installed, point configure at it with the --with-libnet-* options. Then:

   # make
   # make install

5) Install Apache:

   # ./configure --prefix=/usr/local/apache --enable-so
   # make
   # make install

6) Install gd, which gives PHP its PNG and JPG image functions:

   # gzip -d -c gd-2.0.28.tar.gz | tar xvf -
   # cd gd-2.0.28
   # ./configure
   # make
   # make install

7) Install PHP:

   # gzip -d -c php-4.3.2.tar.gz | tar xvf -
   # cd php-4.3.2
   # ./configure --with-mysql=/usr/local/mysql \
                 --with-apxs=/usr/local/apache/bin/apxs \
                 --with-gd=/usr/local
   # make
   # make install

8) Install ACID. This part consists of three packages: adodb452.tar.gz, phplot-5.0rc1.tar.gz and acid-0.9.6b23.tar.gz. Installation is very simple: extract each package into the Apache server's document root. With /www/ids as the document root:

   # cd /www/ids/
   # gzip -d -c adodb452.tar.gz | tar xvf -
   # gzip -d -c phplot-5.0rc1.tar.gz | tar xvf -
   # gzip -d -c acid-0.9.6b23.tar.gz | tar xvf -

4. Configuring ACID

Go to the acid directory and edit the configuration file acid_conf.php, assigning the following variables:

   $DBlib_path = "../adodb";
   $DBtype = "mysql";
   $alert_dbname = "snort";
   $alert_host = "localhost";
   $alert_port = "3306";
   $alert_user = "root";
   $alert_password = "123";
   $archive_dbname = "snort";
   $archive_host = "localhost";
   $archive_port = "3306";
   $archive_user = "root";
   $archive_password = "123";
   $ChartLib_path = "../phplot";
   $chart_file_format = "png";
   $portscan_file = "/var/log/snort/portscan.log";

With this the required software is installed. What follows is the setup and start of Snort itself.

5. Setting up and starting Snort

Snort can be run in a chroot environment, and the setup is very simple. First choose a location with enough space for Snort's logs; if you check and clear the logs regularly, /home/snort is fine for the chroot. Next, a snort user is required. Add it with:

   # groupadd snort
   # useradd -g snort -d /home/snort -s /home/snort/nonexists -c "Snort User" snort

(The shell points at a file that does not exist, so the account cannot be used to log in.)

Then extract snortrules.tar.gz into /home/snort; a directory /home/snort/rules appears. This is the Snort ruleset, the basis for everything Snort detects on the network. It contains snort.conf, Snort's configuration file, which has to be adapted to your actual situation. Only a few settings in snort.conf need changing to get Snort working; the ones you will most likely have to modify are:

- var HOME_NET: your network or host IP. With a single server, just enter the server's address. For a machine with two or more IPs you can write either

      var HOME_NET [192.168.1.1,192.168.1.2]

  or

      var HOME_NET 192.168.1.0/24

- var SMTP [IP.Address]: the location of the SMTP server. If it is not within HOME_NET, remove $HOME_NET and specify the IP of the SMTP machine.

- var HTTP_SERVERS: the web server(s), set the same way as SMTP. If the web server is a different machine, replace $HOME_NET with its IP.

- var DNS_SERVERS: the DNS server's IP address. At the same time, uncomment the line

      preprocessor portscan-ignorehosts: $DNS_SERVERS

  so that DNS lookups do not produce unwanted portscan records.

6. Logging to MySQL

Since MySQL support was enabled when Snort was configured, the database must be created in MySQL before MySQL logging can be used. Create the snort database, then the snort user with its privileges:

   # echo "CREATE DATABASE snort;" | mysql -u root -p

   mysql> GRANT INSERT, SELECT ON snort.* TO snort@localhost;

Then, in the Snort source tree, find contrib/create_mysql and run it through the mysql client as root to build the tables:

   # mysql -u root -p
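Before starting Snort it is worth checking that the snort.conf variables described above were actually changed. The script below is an added example, not code from the original page or from the Snort project: it extracts the `var NAME VALUE` definitions, flags a HOME_NET left at `any`, resolves `$HOME_NET` references in the other variables, and checks that the `preprocessor portscan-ignorehosts` line is no longer commented out. Both configuration snippets are constructed for this example; the IP addresses in the tuned one are made up.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the snort.conf
# variables HOME_NET, SMTP, HTTP_SERVERS and DNS_SERVERS, and the
# portscan-ignorehosts preprocessor line, before Snort is started.

# snort_var CONF NAME -> prints the value of "var NAME ..." (last definition wins)
snort_var() {
    awk -v name="$2" '
        $1 == "var" && $2 == name { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }
    ' "$1"
}

# resolved_var CONF NAME -> value with $HOME_NET replaced by HOME_NET's own value
resolved_var() {
    home=$(snort_var "$1" HOME_NET)
    snort_var "$1" "$2" | sed 's|\$HOME_NET|'"$home"'|g'
}

# ignorehosts_active CONF -> 0 if the preprocessor line is present and uncommented
ignorehosts_active() {
    grep -q '^[[:space:]]*preprocessor[[:space:]]*portscan-ignorehosts:' "$1"
}

# check_snort_conf CONF -> 0 when all checks pass, 1 otherwise; findings go to stdout
check_snort_conf() {
    conf=$1 rc=0
    home=$(snort_var "$conf" HOME_NET)
    case $home in
        ""|any) echo "HOME_NET is '${home:-unset}': every host is treated as local"; rc=1 ;;
    esac
    for v in SMTP HTTP_SERVERS DNS_SERVERS; do
        [ -n "$(snort_var "$conf" "$v")" ] || { echo "$v is not defined"; rc=1; }
    done
    ignorehosts_active "$conf" \
        || { echo "portscan-ignorehosts is commented out: DNS lookups will show up as port scans"; rc=1; }
    return $rc
}

# Constructed sample 1: the file as shipped, HOME_NET any and the preprocessor commented out
DEFAULT_CONF=$(mktemp)
cat > "$DEFAULT_CONF" <<'EOF'
var HOME_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
# preprocessor portscan-ignorehosts: $DNS_SERVERS
EOF

# Constructed sample 2: edited the way the text describes (addresses are made up)
TUNED_CONF=$(mktemp)
cat > "$TUNED_CONF" <<'EOF'
var HOME_NET 192.168.1.0/24
var SMTP 192.168.1.25
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS 192.168.1.53
preprocessor portscan-ignorehosts: $DNS_SERVERS
EOF

check_snort_conf "$DEFAULT_CONF" || echo "default config still needs editing"
check_snort_conf "$TUNED_CONF" && echo "tuned config OK, HTTP_SERVERS resolves to $(resolved_var "$TUNED_CONF" HTTP_SERVERS)"
```

Run it against the real file with `check_snort_conf /home/snort/rules/snort.conf`; a non-zero exit means at least one of the settings above is still at its default.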
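The acid_conf.php settings above log the ACID console into MySQL as root with the password "123", while the Snort database user itself is only granted INSERT and SELECT. The following added example (not code from the page or from the ACID project) lints the credential settings in acid_conf.php so that a root login or a very short password is caught before the console is exposed through Apache. Both configuration snippets are constructed for this example; the user name `acid` and the password in the hardened snippet are made up, and the 12-character minimum is an assumption of this script, not an ACID requirement.

```shell
#!/bin/sh
# Added example (not part of the original page): lint the database credentials
# in ACID's acid_conf.php for the weak settings shown in the text.

# php_var FILE NAME -> value of the PHP assignment  $NAME = "value";  (last one wins)
php_var() {
    awk -v name="\$$2" '
        $1 == name && $2 == "=" { v = $3; gsub(/^"|"[;]*$/, "", v); val = v }
        END { print val }
    ' "$1"
}

# check_acid_conf FILE -> 0 if no weak credential settings were found, 1 otherwise
check_acid_conf() {
    conf=$1 rc=0
    for role in alert archive; do
        user=$(php_var "$conf" "${role}_user")
        pass=$(php_var "$conf" "${role}_password")
        if [ "$user" = "root" ]; then
            echo "${role}_user is root: the web console then holds the MySQL superuser password"
            rc=1
        fi
        # 12 characters is this script's own threshold, not an ACID rule
        if [ ${#pass} -lt 12 ]; then
            echo "${role}_password is only ${#pass} characters long"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample 1: the credential lines as given in the text
PAGE_CONF=$(mktemp)
cat > "$PAGE_CONF" <<'EOF'
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_user = "root";
$alert_password = "123";
$archive_user = "root";
$archive_password = "123";
EOF

# Constructed sample 2: a dedicated console account with a longer password (values made up)
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_user = "acid";
$alert_password = "Xk3v-constructed-9Qm";
$archive_user = "acid";
$archive_password = "Xk3v-constructed-9Qm";
EOF

check_acid_conf "$PAGE_CONF" || echo "acid_conf.php as given in the text needs stronger credentials"
check_acid_conf "$HARDENED_CONF" && echo "hardened acid_conf.php passes"
```

Point it at the installed file with `check_acid_conf /www/ids/acid/acid_conf.php`. The dedicated account it expects is created in MySQL the same way as the snort user in the text, with only the privileges the console needs on the snort database.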
Thursday, February 16, 2012
Snort, a lightweight IDS tool for Linux systems