RHEL5.1 + SNORT Monitoring System Installation and Configuration (Part 2)

Date: 2008-11-15 02:45:57   Source: chinaunix   Author: jerrywjl   Via: 技术无忧
Keywords: snort linux monitoring

Now check and install the related packages; make sure the following mysql and php packages are present:

[root@localhost Server]# rpm -qa | grep mysql
libdbi-dbd-mysql-0.8.1a-1.2.2
php-mysql-5.1.6-15.el5
mysql-server-5.0.22-2.1.0.1
mysql-connector-odbc-3.51.12-2.2
mysql-test-5.0.22-2.1.0.1
mysql-5.0.22-2.1.0.1
mysql-bench-5.0.22-2.1.0.1
mysql-devel-5.0.22-2.1.0.1

[root@localhost Server]# rpm -qa | grep php
php-cli-5.1.6-15.el5
php-ldap-5.1.6-15.el5
php-pdo-5.1.6-15.el5
php-pear-1.4.9-4
php-common-5.1.6-15.el5
php-mysql-5.1.6-15.el5
php-devel-5.1.6-15.el5
php-5.1.6-15.el5
php-gd-5.1.6-15.el5

With the steps above, a basic Apache + PHP + MySQL stack is in fact already in place. A quick test:

[root@localhost ~]# echo "AddType application/x-httpd-php .php" >> /etc/httpd/conf/httpd.conf
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# service httpd start
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# service mysqld start
[root@localhost ~]# echo "<?php phpinfo();?>" >> /var/www/html/test.php

Now point a browser at http://192.168.1.150/test.php. If the setup is correct, the phpinfo() page renders. Two notes: the AddType line above is redundant on RHEL5, where the php package already installs /etc/httpd/conf.d/php.conf, but it does no harm; and phpinfo() discloses the PHP version, loaded modules, file paths and environment to anyone who can reach the web server, so delete the test page (rm -f /var/www/html/test.php) as soon as the test passes.

The open-source packages I need:

[root@localhost Server]# mount -o username=jerrywjl //192.168.1.254/sd /mnt
Password:
[root@localhost Server]# cd /mnt/soft/Linux/
[root@localhost Linux]# cp snort-2.8.0.1.tar.gz /usr/local/          # snort source tarball
[root@localhost Linux]# cp snortrules-pr-2.4.tar.gz /usr/local/      # snort rules
[root@localhost Linux]# cp snort /etc/init.d/                        # downloaded snort init script

The script reads as follows:

[root@localhost local]# cat /etc/init.d/snort
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops the snort intrusion detection system
#
# config: /etc/snort/snort.conf
# processname: snort

# Source function library
. /etc/rc.d/init.d/functions

BASE=snort
DAEMON="-D"
INTERFACE="-i eth0"
CONF="/etc/snort/snort.conf"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up (quoted so an unset NETWORKING does not break the test).
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0
# See how we were called.
case "$1" in
 start)
       if [ -n "`/sbin/pidof $BASE`" ]; then
               echo -n $"$BASE: already running"
               echo ""
               exit $RETVAL
       fi
       echo -n "Starting snort service: "
       # Note: as written this starts snort as root; add -u snort -g snort here
       # once the snort account (created below) exists, to drop privileges.
       /usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
       sleep 1
       action "" /sbin/pidof $BASE
       RETVAL=$?
       [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
       ;;
 stop)
       echo -n "Shutting down snort service: "
       killproc $BASE
       RETVAL=$?
       echo
       [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
       ;;
 restart|reload)
       $0 stop
       $0 start
       RETVAL=$?
       ;;
 status)
       status $BASE
       RETVAL=$?
       ;;
 *)
       echo "Usage: snort {start|stop|restart|reload|status}"
       exit 1
esac

exit $RETVAL

Make the script executable and enable it at boot:

[root@localhost ~]# chmod 755 /etc/init.d/snort
[root@localhost ~]# chkconfig snort on

Then continue:

[root@localhost Linux]# cp Image_Canvas-0.3.1.tgz /usr/local/
[root@localhost Linux]# cp Image_Color-1.0.2.tgz /usr/local/
[root@localhost Linux]# cp Image_Graph-0.7.0.tar /usr/local/
[root@localhost Linux]# cp adodb480.tgz /usr/local/
[root@localhost Linux]# cp adodb480.tgz /var/www/
[root@localhost Linux]# cp base-1.2.6.tar.gz /var/www/html/
[root@localhost Linux]# cp base-1.2.6.tar.gz /usr/local/
[root@localhost Linux]# cp jpegsrc.v6b.tar.gz /usr/local/

First build jpegsrc.v6b.tar.gz:

[root@localhost local]# tar -zxf jpegsrc.v6b.tar.gz
[root@localhost local]# cd jpeg-6b/
[root@localhost jpeg-6b]# mkdir -p /usr/local/jpeg/{bin,lib,include,man,man/man1}
[root@localhost jpeg-6b]# ./configure --prefix=/usr/local/jpeg --enable-shared --enable-static
[root@localhost jpeg-6b]# make
[root@localhost jpeg-6b]# make install

Next, build and install snort:

[root@localhost ~]# cd /usr/local/
[root@localhost local]# tar -zxf snort-2.8.0.1.tar.gz
[root@localhost local]# cd snort-2.8.0.1
[root@localhost snort-2.8.0.1]# ./configure --with-mysql --enable-dynamicplugin
[root@localhost snort-2.8.0.1]# make
[root@localhost snort-2.8.0.1]# make install
[root@localhost snort-2.8.0.1]# mkdir -p /etc/snort/rules /var/log/snort     # rules directory and log directory
[root@localhost snort-2.8.0.1]# groupadd snort                               # snort user and group
[root@localhost snort-2.8.0.1]# useradd -g snort snort -s /sbin/nologin

The snort account only pays off if snort actually runs as it: either pass -u snort -g snort on the command line (the init script above does not), or put config set_uid: snort and config set_gid: snort in snort.conf, and make the log directory writable by that account (chown snort:snort /var/log/snort). Otherwise the sensor, which parses every packet on the wire, keeps running as root.

Running ./configure will very likely fail at the dependency checks unless these packages are installed first (mysql-devel, already present in the list above, is what --with-mysql needs):

libpcap-devel-0.9.4-11.el5.i386.rpm
pcre-devel-6.6-1.1.i386.rpm

Finally, copy the sample configuration files shipped in the source tree's etc/ directory (snort.conf, classification.config, reference.config, the *.map files and so on) to /etc/snort:

[root@localhost snort-2.8.0.1]# cp etc/* /etc/snort/

Then unpack the rules and copy them into the rules directory created above:

[root@localhost local]# tar -zxf snortrules-pr-2.4.tar.gz
[root@localhost local]# cp rules/* /etc/snort/rules/

Now edit the snort configuration file (back it up first):

[root@localhost ~]# cp /etc/snort/snort.conf snort.conf.bak
[root@localhost ~]# vi /etc/snort/snort.conf

The changes are:

a. Change var EXTERNAL_NET any to var EXTERNAL_NET 192.168.1.0/24. (Caveat: in the stock snort.conf the convention is that HOME_NET is the network being protected and EXTERNAL_NET is !$HOME_NET. Rules written as $EXTERNAL_NET any -> $HOME_NET any only fire on traffic whose source matches EXTERNAL_NET, so with the LAN itself as EXTERNAL_NET you alert on attacks coming from 192.168.1.0/24 and nothing else; set HOME_NET deliberately rather than leaving it at any.)

b. Point at the rule files: change var RULE_PATH ../rules to var RULE_PATH /etc/snort/rules.

c. Change output database to:

output database: log, mysql, user=root password=123456 dbname=snort host=localhost

      (The original line carried dbname=snort twice; once is enough. I will define these in MySQL shortly.)

      Two cautions on this line: create a dedicated MySQL account limited to the snort database with only the privileges the output plugin and the BASE console actually need (essentially INSERT and SELECT for snort itself, plus CREATE while loading the schema) instead of logging in as root; and since the password sits in clear text in snort.conf, keep that file owned by root and not world-readable (mode 640 at most).

      d. Define the stream preprocessor:

      I stumbled at this point during my testing. Following the online article "Redhat as4下Snort+base+mysql+php+apache with gd and Image_Graph安装与配置", which says:

After the line that says
"preprocessor stream4_reassemble"
add a line that looks like
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433

      and changing nothing else, the snort service will not start, because, as the comment further down in snort.conf explains, stream4 and stream5 cannot coexist (which is exactly what I overlooked at the time):

# Stream5 is a target-based stream engine for Snort. Its functionality
# replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
# cannot be used simultaneously. Comment out the stream4 configurations
# above to use Stream5.

So here I simply change nothing and use stream5 as shipped.
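As an added example (not part of the original article, and not a tool from the Snort project), here is a small POSIX sh lint for snort.conf that catches the stream4/stream5 conflict just described before the init script is ever run, together with the three other things flagged in the edits above: a RULE_PATH left at the relative tarball default, the database output plugin authenticating as the MySQL root user, and no privilege drop. The function names, the bad.conf/good.conf file names and both sample configurations are constructed for this example; config set_uid and config set_gid are snort.conf's equivalents of the -u and -g command-line options, and snort -T is Snort's own test-the-configuration-and-exit mode.

```shell
#!/bin/sh
# Added example, not from the original article: lint snort.conf before
# starting the service. Checks for stream4 and stream5 both enabled, a
# relative RULE_PATH, the database plugin logging in as MySQL root, and
# a missing privilege drop (config set_uid/set_gid = the -u/-g options).

# Count active (uncommented) lines of file $2 matching ERE $1. Always exits 0
# (and prints 0 when nothing matches) so it is safe under "set -e".
active_lines() {
    grep -v '^[[:space:]]*#' "$2" | grep -c -E "$1" || true
}

# 0 if at most one stream engine is active, 1 if stream4 and stream5 coexist.
check_stream_engines() {
    s4=$(active_lines '^[[:space:]]*preprocessor[[:space:]]+stream4' "$1")
    s5=$(active_lines '^[[:space:]]*preprocessor[[:space:]]+stream5' "$1")
    if [ "$s4" -gt 0 ] && [ "$s5" -gt 0 ]; then
        echo "ERROR: stream4 and stream5 are both enabled; comment one out" >&2
        return 1
    fi
}

# 0 if RULE_PATH is an absolute path, 1 if it is missing or relative (../rules).
check_rule_path() {
    rule_path=$(grep -v '^[[:space:]]*#' "$1" |
        sed -n -E 's/^[[:space:]]*var[[:space:]]+RULE_PATH[[:space:]]+([^[:space:]]+).*/\1/p' |
        head -n 1)
    case "$rule_path" in
        /*) return 0 ;;
        *)  echo "ERROR: RULE_PATH is '$rule_path'; use an absolute path" >&2; return 1 ;;
    esac
}

# 0 unless an active "output database:" line authenticates as user=root.
check_db_credentials() {
    root_lines=$(active_lines '^[[:space:]]*output[[:space:]]+database:.*[[:space:],]user=root([[:space:],]|$)' "$1")
    if [ "$root_lines" -gt 0 ]; then
        echo "ERROR: output database logs in as root; use a dedicated account" >&2
        return 1
    fi
}

# 0 if snort.conf drops privileges with set_uid, 1 if snort would stay root.
check_privilege_drop() {
    uid_lines=$(active_lines '^[[:space:]]*config[[:space:]]+set_uid:' "$1")
    if [ "$uid_lines" -eq 0 ]; then
        echo "ERROR: no 'config set_uid:'; without -u/-g snort runs as root" >&2
        return 1
    fi
}

# Run all checks on one file; 0 only if every check passes.
check_snort_conf() {
    rc=0
    check_stream_engines "$1" || rc=1
    check_rule_path "$1"      || rc=1
    check_db_credentials "$1" || rc=1
    check_privilege_drop "$1" || rc=1
    return "$rc"
}

# Constructed sample configs (not real captured files) for the demo and tests.
# bad.conf reproduces the AS4 how-to's stream4_reassemble line on top of the
# stream5 defaults plus the other three problems; good.conf fixes all four.
write_sample_configs() {
    cat > "$1/bad.conf" <<'EOF'
var HOME_NET any
var EXTERNAL_NET 192.168.1.0/24
var RULE_PATH ../rules
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
preprocessor stream5_global: max_tcp 8192, track_tcp yes
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
output database: log, mysql, dbname=snort user=root password=123456 dbname=snort host=localhost
EOF
    cat > "$1/good.conf" <<'EOF'
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
config set_uid: snort
config set_gid: snort
# preprocessor stream4: disable_evasion_alerts
preprocessor stream5_global: max_tcp 8192, track_tcp yes
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
output database: log, mysql, user=snort password=changeme dbname=snort host=localhost
EOF
}

# Usage: sh check_snort_conf.sh /etc/snort/snort.conf   (no argument = demo run)
if [ "$#" -gt 0 ]; then
    check_snort_conf "$1" || exit 1
    # When snort is installed, let it parse the file as well (-T: test config and exit).
    if command -v snort >/dev/null 2>&1; then snort -T -c "$1"; fi
else
    demo_dir=$(mktemp -d)
    write_sample_configs "$demo_dir"
    for f in "$demo_dir/bad.conf" "$demo_dir/good.conf"; do
        if check_snort_conf "$f"; then echo "$f: OK"; else echo "$f: FAILED"; fi
    done
    rm -rf "$demo_dir"
fi
```

Run it without arguments to see bad.conf fail all four checks and good.conf pass; run it against /etc/snort/snort.conf before service snort start to catch the stream4/stream5 mistake without having to read the daemon's startup errors. The checks deliberately ignore commented-out lines, which is why the commented stream4 line in good.conf does not trip the engine check.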
