
Setting up a Snort intrusion detection system on Windows Server 2003

August 3, 2013 / General / 3848 characters


 

I. Required software


1. Apache

Download: http://apache.mirror.phpchina.com/httpd/binaries/win32/apache_2.2.8-win32-x86-no_ssl.msi

 

2. ACID

Download: http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz

 

3. ADOdb

Download: http://jaist.dl.sourceforge.net/sourceforge/adodb/adodb504.tgz

 

4. JpGraph

Download: http://hem.bredband.net/jpgraph2/jpgraph-2.3.tar.gz

 

5. MySQL

Download: http://mysql.mirror.kangaroot.net/Downloads/MySQL-5.0/mysql-5.0.51a-win32.zip

 

6. PHP

Download: http://cn.php.net/distributions/php-5.2.5-Win32.zip

 

7. Snort

Download: http://www.snort.org/dl/binaries/win32/Snort_2_8_0_2_Installer.exe

 

8. WinPcap

Download: http://www.winpcap.org/install/bin/WinPcap_4_0_2.exe

 

9. Snort rules

Download: http://www.snort.org (a registered user account is required to download the rules)

 

II. Installation steps

All packages will be installed under the c:/ids folder.

1. Install Apache

Specify c:/ids/apache as the installation directory.

 

2. Install PHP

Extract PHP into the c:/ids/php5 folder.

Copy php5ts.dll to the c:/windows/system32 folder.

Copy php.ini-dist to c:/windows and rename it to php.ini.

Edit c:/ids/apache/conf/httpd.conf and add the following lines so that Apache loads PHP:

   LoadModule php5_module c:/ids/php5/php5apache2_2.dll

   AddType application/x-httpd-php .php

 

3. Edit c:/windows/php.ini and remove the semicolon in front of extension=php_gd2.dll.

Copy php_gd2.dll from the c:/ids/php5/ext folder to the c:/windows folder.

 

4. Restart Apache.

 

5. In the c:/ids/apache/htdocs folder, create a file test.php whose content is <?php phpinfo(); ?>

 

6. Open a browser and go to http://localhost/test.php. If the PHP information page is displayed, everything is working. A common problem at this point is that the browser downloads test.php instead of running it; the cause is a mistake in the AddType line, so check and correct it.

 

7. Install WinPcap

Accept the default settings.

 

8. Install Snort, specifying the c:/ids/snort folder as the installation path.

 

9. Test that Snort installed correctly

C:/ids/snort/bin/snort.exe -W

Look at the interface numbers listed in the output: on this machine the system's real network card is number 4.

 

10. Install MySQL

Specify c:/ids/mysql as the installation path.

 

11. Create the Snort database tables

Copy the create_mysql file from the c:/ids/snort/schemas folder to the c:/ids/snort/bin folder.

Open the MySQL client and run the following commands:

Create database snort;

Create database snort_archive;

Use snort;

Source create_mysql;

Use snort_archive;

Source create_mysql;

Grant all on *.* to 'root'@'localhost';

 

12. Add MySQL support to PHP

Edit c:/windows/php.ini and remove the semicolon in front of extension=php_mysql.dll.

Copy php_mysql.dll from the c:/ids/php5/ext folder to the c:/windows folder.

 

13. Install ADOdb

Extract ADOdb into the c:/ids/php5/adodb folder.

 

14. Install JpGraph

Extract JpGraph into the c:/ids/php5/jpgraph folder.

 

15. Install ACID

Extract ACID into the c:/ids/apache/htdocs/acid folder.

Edit acid_config.php and set the following values:

$DBlib_path = "c:/ids/php5/adodb";

$DBtype = "mysql";

$alert_dbname   = "snort";

$alert_host     = "localhost";

$alert_port     = "3306";

$alert_user     = "root";

$alert_password = "111111";

$archive_dbname   = "snort_archive";

$archive_host     = "localhost";

$archive_port     = "3306";

$archive_user     = "root";

$archive_password = "111111";

$ChartLib_path = "c:/ids/php5/jpgraph/src";

 

16. Initialize the ACID database from the browser

http://localhost/acid/acid_db_setup.php

 

17. Edit the Snort configuration file c:/ids/snort/etc/snort.conf

Set the following lines:

dynamicpreprocessor file C:/ids/Snort/lib/snort_dynamicpreprocessor/sf_dcerpc.dll

dynamicpreprocessor file C:/ids/Snort/lib/snort_dynamicpreprocessor/sf_dns.dll

dynamicpreprocessor file C:/ids/Snort/lib/snort_dynamicpreprocessor/sf_ftptelnet.dll

dynamicpreprocessor file C:/ids/Snort/lib/snort_dynamicpreprocessor/sf_smtp.dll

dynamicpreprocessor file C:/ids/Snort/lib/snort_dynamicpreprocessor/sf_ssh.dll

dynamicengine C:/ids/Snort/lib/snort_dynamicengine/sf_engine.dll

output database: alert, mysql, user=root password=111111 dbname=snort host=localhost encoding=hex detail=full

include c:/ids/snort/etc/classification.config

include c:/ids/snort/etc/reference.config
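
ACID shows no events at all when the $alert_* values in acid_config.php (step 15) do not match the "output database:" line in snort.conf (step 17), and both files carry the same database password in clear text. The script below is an added example, not part of the original post and not code from Snort or ACID: it parses constructed copies of the two fragments above, reports any mismatch between them, and flags that the shared account is MySQL root, which a dedicated account limited to the snort databases would avoid.

```python
import re
from typing import Dict, List

# Constructed sample of the acid_config.php fragment from step 15 (hypothetical values, not a real install).
ACID_CONFIG = '''
$DBlib_path = "c:/ids/php5/adodb";
$DBtype = "mysql";
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "3306";
$alert_user     = "root";
$alert_password = "111111";
'''

# Constructed sample of the relevant snort.conf lines from step 17.
SNORT_CONF = '''
dynamicengine C:/ids/Snort/lib/snort_dynamicengine/sf_engine.dll
output database: alert, mysql, user=root password=111111 dbname=snort host=localhost encoding=hex detail=full
include c:/ids/snort/etc/classification.config
'''

# $name = "value";  (one assignment per line, as ACID's config file is written)
PHP_ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*"([^"]*)"\s*;', re.M)

# output database: <log|alert>, <driver>, key=value key=value ...
OUTPUT_DB = re.compile(r'^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$', re.M)


def parse_acid_config(text: str) -> Dict[str, str]:
    """Collect the quoted-string assignments of acid_config.php into a dict."""
    return {m.group(1): m.group(2) for m in PHP_ASSIGN.finditer(text)}


def parse_snort_output_db(text: str) -> Dict[str, str]:
    """Parse the Snort 2.x 'output database:' line; returns {} if it is absent."""
    m = OUTPUT_DB.search(text)
    if not m:
        return {}
    params = {"facility": m.group(1), "driver": m.group(2)}
    for token in m.group(3).split():
        if "=" in token:
            key, value = token.split("=", 1)
            params[key] = value
    return params


def check_consistency(acid_text: str, snort_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the two files agree."""
    acid = parse_acid_config(acid_text)
    snort = parse_snort_output_db(snort_text)
    findings: List[str] = []
    if not snort:
        return ["snort.conf has no 'output database:' line, so nothing is ever written for ACID to show"]
    # ACID's $alert_* settings must point at the same database Snort writes to.
    pairs = [("alert_dbname", "dbname"), ("alert_host", "host"),
             ("alert_user", "user"), ("alert_password", "password")]
    for acid_key, snort_key in pairs:
        if acid.get(acid_key) != snort.get(snort_key):
            findings.append(f"{acid_key}={acid.get(acid_key)!r} in acid_config.php "
                            f"but {snort_key}={snort.get(snort_key)!r} in snort.conf")
    if acid.get("DBtype") != snort.get("driver"):
        findings.append(f"DBtype={acid.get('DBtype')!r} but the Snort output driver is {snort.get('driver')!r}")
    # Both files hold the password in clear text, so the account they share should be a
    # dedicated one; writing alerts as MySQL root is worth flagging.
    if snort.get("user") == "root":
        findings.append("Snort writes to MySQL as root; a dedicated account limited to the snort databases is safer")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(ACID_CONFIG, SNORT_CONF) or ["configs agree"]:
        print(finding)
```

To check a real installation, read c:/ids/apache/htdocs/acid/acid_config.php and c:/ids/snort/etc/snort.conf from disk and pass their contents to check_consistency instead of the constructed samples.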

 

18. Extract the Snort rules package

Extract all files in the archive to c:/ids/snort/

 

19. Start Snort intrusion detection

C:/ids/snort/bin/snort.exe -c "c:/ids/snort/etc/snort.conf" -l "c:/ids/snort/log" -i 4 -d -e -X

If you want to see the packets Snort captures, add the -v option after -X.

 

20. View the statistics

http://www.lrq.com/acid/acid_main.php

 

21. Troubleshooting

ERROR: Unable to open rules file: ../rules/local.rules or c:/ids/snort/etc/../rules/local.rules

Fatal Error, Quitting..

Fix: the rules package has probably not been installed yet.

 

Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... ERROR: Failed to load /usr/local/lib/snort_dynamicengine/libsf_engine.so: 126

Fatal Error, Quitting..

Fix: specify the path and file name of the libsf_engine library in the Snort configuration file.

 

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so... ERROR: Failed to load /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so: 126

Fix: specify the path and file name of the libsf_dcerpc_preproc library in the Snort configuration file.

 

Not Using PCAP_FRAMES

Set PCAP_FRAMES=MAX
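
Three of the errors above (the rules file that cannot be opened, the engine and preprocessor libraries that fail to load) have the same root cause: snort.conf names a file that is not where the directive says, and Snort resolves relative paths against the directory that holds snort.conf, which is how ../rules/local.rules becomes c:/ids/snort/etc/../rules/local.rules. The script below is an added example, not code from the original post or from Snort: it walks the dynamicengine, dynamicpreprocessor file and include directives (with $VAR expansion from var lines) and lists every referenced file that does not exist, so the failures can be found before Snort is started. The directory tree it checks is constructed in a temporary folder; point referenced_files at the real c:/ids/snort/etc/snort.conf and its directory to check an installation.

```python
import os
import re
import tempfile
from typing import Dict, List

# Snort 2.8-style directives that make Snort open a file at startup.  A missing or
# mis-typed path here produces the "Failed to load ...: 126" and
# "Unable to open rules file" messages quoted above.
VAR_DEF = re.compile(r'^\s*(?:var|portvar|ipvar)\s+(\w+)\s+(\S+)')
FILE_DIRECTIVES = (
    re.compile(r'^\s*dynamicengine\s+(?!directory\b)(\S+)'),
    re.compile(r'^\s*dynamicpreprocessor\s+file\s+(\S+)'),
    re.compile(r'^\s*include\s+(\S+)'),
)


def expand_vars(value: str, variables: Dict[str, str]) -> str:
    """Replace $NAME with the value of an earlier 'var NAME ...' line (unknown names are left as-is)."""
    return re.sub(r'\$(\w+)', lambda m: variables.get(m.group(1), m.group(0)), value)


def referenced_files(conf_text: str, conf_dir: str) -> List[str]:
    """Return the normalised paths of every file the config asks Snort to load.

    Relative paths resolve against conf_dir, the directory holding snort.conf.  Run this
    on the Windows host itself so that drive-letter paths such as c:/ids/... count as absolute.
    """
    variables: Dict[str, str] = {}
    paths: List[str] = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        var = VAR_DEF.match(line)
        if var:
            variables[var.group(1)] = expand_vars(var.group(2), variables)
            continue
        for directive in FILE_DIRECTIVES:
            m = directive.match(line)
            if m:
                path = expand_vars(m.group(1).strip('"'), variables)
                if not os.path.isabs(path):
                    path = os.path.join(conf_dir, path)
                paths.append(os.path.normpath(path))
    return paths


def missing_files(conf_text: str, conf_dir: str) -> List[str]:
    """The subset of referenced files that do not exist; each one is a startup failure waiting to happen."""
    return [p for p in referenced_files(conf_text, conf_dir) if not os.path.isfile(p)]


def demo_missing() -> List[str]:
    """Build a throwaway, constructed c:/ids/snort-style tree in a temp directory with two of the
    referenced files deliberately absent, and report the basenames Snort would fail to open."""
    root = tempfile.mkdtemp()
    for rel in ("lib/snort_dynamicengine/sf_engine.dll", "etc/classification.config"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    conf = "\n".join([
        "var RULE_PATH ../rules",
        "dynamicengine ../lib/snort_dynamicengine/sf_engine.dll",
        "dynamicpreprocessor file ../lib/snort_dynamicpreprocessor/sf_dns.dll  # never installed",
        "include classification.config",
        "include $RULE_PATH/local.rules  # rules package not yet extracted",
    ])
    return [os.path.basename(p) for p in missing_files(conf, os.path.join(root, "etc"))]


if __name__ == "__main__":
    print("would fail to load:", demo_missing())
```

The error messages quoted above still show the /usr/local/lib defaults rather than the C:/ids/Snort paths from step 17, which is the quickest sign that the dynamicengine and dynamicpreprocessor lines were never changed; the same check reports those defaults as missing on a Windows host.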

 

 
