Installation environment
- Operating system: Windows 7 (Service Pack 1)
- Required software:
  - Virtual machine: VirtualBox
  - Packet capture driver: WinPcap 4.1.3 (WinPcap_4_1_3.exe)
  - Snort installer for Windows: Snort 2.8.6 for Win32 (Snort_2_8_6_Installer.exe)
  - Official Snort rule set: snortrules-snapshot-2860.tar.gz
  - Database and analysis platform: AppServ 8.6.0 (appserv-win32-8.6.0.exe)
  - Web front end: Basic Analysis and Security Engine 1.4.5 (base-1.4.5.tar.gz)
Because this is a test environment, every component is installed on a single machine. Keep that in mind when reading the database and password steps below: they are acceptable for an isolated lab, not for a sensor that other hosts can reach.
Preparation before installing
- Install VirtualBox. The process is straightforward and is skipped here.
Importing the virtual machine
Open VirtualBox, click File (管理) in the top left, then choose Import Appliance.
Select the appliance file to import.
Tick the option to reinitialize the MAC addresses of the network cards, so the imported machine does not share a MAC address with the VM it was exported from.
Deployment
Installing WinPcap is straightforward and is skipped here. Snort needs it installed before it can open a capture interface.
Installing and configuring Snort
The Snort installer package
Click I Agree to continue
Keep the defaults and click Next
Click Next
The default install location is C:\Snort; we leave it unchanged and click Next
Installation finished; click Close
Snort reports a successful installation
Installing the rule set
Before the rule set is installed, the rules directory is empty.
Extract snortrules-snapshot-2860.tar.gz into c:\snort so that its rules, so_rules, preproc_rules and etc directories merge with the ones the installer created. If asked whether to merge folders, always choose Yes.
Choose Yes
The Snort root directory layout after installing the rule set
Open the configuration file snort.conf in an editor. The stock file uses Unix-style paths, so each of the following sections needs its Windows equivalent.
First the rule path variables. Edit as shown, or copy the following lines over the corresponding ones:
var RULE_PATH c:\snort\rules
var SO_RULE_PATH c:\snort\so_rules
var PREPROC_RULE_PATH c:\snort\preproc_rules
Next the dynamic library paths. Edit as shown, or copy the following lines over the corresponding ones:
# path to dynamic preprocessor libraries
dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
# path to base preprocessor engine
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
Then the http_inspect unicode map, which must be given as a full path because Snort opens it relative to the working directory, not the config file. Edit as shown, or copy the following line over the corresponding one:
preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252
Then the database output plugin, which is what lets BASE see the alerts. The credentials here must match the MySQL account created later; they are stored in plaintext in this file, so on anything other than a single-host lab use a real password. Edit as shown, or copy the following line over the corresponding one:
output database: alert, mysql, user=snort password=snort dbname=snortdb host=localhost
Finally the rule files to load. Every include must point at a file that actually exists in the extracted rule set, because Snort aborts at startup on the first one it cannot open. Edit as shown, or copy the following lines over the corresponding ones:
include $RULE_PATH/snmp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/voip.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/bad-traffic.rules
# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/sql.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-misc.rules
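Before launching Snort, it is worth checking that every path the edited snort.conf refers to actually exists, since a single missing rules file, library or map stops the sensor from starting. The script below is an added example written for this guide, not code from the Snort project or from the original page. It reads a snort.conf, resolves the `var` definitions, checks every path referenced by `include`, `dynamicpreprocessor`, `dynamicengine`, `dynamicdetection` and `iis_unicode_map`, and flags a default or short password on the `output database` line. It assumes Python 3.8 or later and that paths contain no spaces, which holds for the c:\snort layout used here; the default config path in `main` is the one from this guide.

```python
"""Pre-flight check for an edited snort.conf (added example, not Snort code).

Snort 2.x aborts at startup on the first rules file, dynamic library or unicode
map it cannot open, so resolving every path before launching avoids a
restart-and-read-the-error loop. Only the directives this guide edits are
handled: var, include, dynamicpreprocessor, dynamicengine, dynamicdetection,
iis_unicode_map and output database.
"""
import re
from pathlib import Path

VAR_RE = re.compile(r"^var\s+(\w+)\s+(\S+)$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)$")
# "dynamicpreprocessor directory <dir>", "dynamicengine <file>", etc.
DYNAMIC_RE = re.compile(
    r"^(dynamicpreprocessor|dynamicengine|dynamicdetection)\s+"
    r"(?:(directory|file)\s+)?(\S+)$"
)
UNICODE_RE = re.compile(r"\biis_unicode_map\s+(\S+)")
DB_PASSWORD_RE = re.compile(r"^output\s+database:.*\bpassword=(\S+)")

# Passwords that turn up in copy-pasted Snort/BASE tutorials (assumed list).
DEFAULT_PASSWORDS = {"snort", "password", "root", "admin", "123456"}


def expand_vars(value, variables):
    """Replace $NAME with the value from an earlier `var NAME ...` line."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def resolve(path_text, base_dir):
    """Turn a path as written in snort.conf into a Path.

    Backslashes are normalised to '/' so a config written for Windows can be
    checked from any OS, and a drive-letter path is treated as absolute even on
    POSIX. Relative paths are joined to base_dir.
    """
    text = path_text.replace("\\", "/")
    p = Path(text)
    if p.is_absolute() or re.match(r"^[A-Za-z]:/", text):
        return p
    return base_dir / p


def check_snort_conf(conf_path):
    """Return (missing, warnings) for the given snort.conf.

    missing:  list of (line_number, directive, resolved_path) for paths that
              do not exist with the expected type (file or directory).
    warnings: list of (line_number, directive, note) for weak settings.
    """
    conf_path = Path(conf_path)
    conf_dir = conf_path.parent
    variables = {}
    missing = []
    warnings = []
    for lineno, raw in enumerate(conf_path.read_text(errors="replace").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (none of the checked directives contain '#')
        if not line:
            continue
        if m := VAR_RE.match(line):
            variables[m.group(1)] = expand_vars(m.group(2), variables)
            continue
        targets = []  # (directive, path_text, must_be_dir)
        if m := INCLUDE_RE.match(line):
            targets.append(("include", m.group(1), False))
        elif m := DYNAMIC_RE.match(line):
            directive, kind, path_text = m.groups()
            targets.append((directive, path_text, kind == "directory"))
        if m := UNICODE_RE.search(line):
            targets.append(("iis_unicode_map", m.group(1), False))
        if m := DB_PASSWORD_RE.match(line):
            pw = m.group(1)
            if pw.lower() in DEFAULT_PASSWORDS or len(pw) < 8:
                warnings.append((lineno, "output database", "weak or default password"))
        for directive, path_text, must_be_dir in targets:
            # Snort resolves a relative include against the config file's
            # directory; the other paths are opened relative to the working
            # directory, which is why this guide writes them in full.
            base = conf_dir if directive == "include" else Path.cwd()
            path = resolve(expand_vars(path_text, variables), base)
            exists = path.is_dir() if must_be_dir else path.is_file()
            if not exists:
                missing.append((lineno, directive, str(path)))
    return missing, warnings


if __name__ == "__main__":
    import sys

    conf = sys.argv[1] if len(sys.argv) > 1 else r"c:\snort\etc\snort.conf"
    missing, warnings = check_snort_conf(conf)
    for lineno, directive, value in missing:
        print(f"{conf}:{lineno}: {directive}: not found: {value}")
    for lineno, directive, note in warnings:
        print(f"{conf}:{lineno}: {directive}: {note}")
    sys.exit(1 if missing else 0)
```

Run it as `python check_snort_conf.py c:\snort\etc\snort.conf` after editing; a clean run exits 0, and every line it prints is one Snort would otherwise fail on at startup. The password warning is informational and does not change the exit code.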
Installing and configuring AppServ
The AppServ installer package
Click Next
Click I Agree
The default install location is on C:; leave it unchanged and click Next
Select all components and click Next
Click OK
Tick I agree... and click Install
Installation succeeded; click Close
Keep the defaults and click Next
Set the MySQL root password (at least eight characters) and leave the character set at its default, then click Install. This root password is needed again below when creating the Snort databases.
Click Finish
If Windows Firewall shows a security alert, click Allow access
Now open Firefox and enter localhost in the address bar; you should see the AppServ page shown in the screenshot. If it does not appear, either the AppServ installation has a problem or the Apache service is not running.
Creating snortdb, snortarc and their tables in MySQL
Open cmd and connect to MySQL as root with the password set during the AppServ install, as in the screenshot. The commands below are all typed at the mysql prompt; note that the two source commands take no trailing semicolon. snortdb receives live alerts and snortarc is the archive database BASE moves old alerts into; both get the same Snort schema. The grant with identified by already creates the snort account with its password, so the final set password is redundant but harmless. The snort/snort credentials are for this single-host lab only: they end up in plaintext in snort.conf and in BASE's base_conf.php, so use a real password anywhere else.
mysql> create database snortdb;
mysql> create database snortarc;
mysql> use snortdb;
mysql> source c:\snort\schemas\create_mysql
mysql> use snortarc;
mysql> source c:\snort\schemas\create_mysql
mysql> grant usage on *.* to "snort"@"localhost" identified by "snort";
mysql> grant select,insert,update,delete,create,alter on snortdb .* to "snort"@"localhost";
mysql> grant select,insert,update,delete,create,alter on snortarc .* to "snort"@"localhost";
mysql> set password for "snort"@"localhost"=password('snort');
Configuring BASE
Follow the screenshots of the BASE setup wizard (not reproduced here). Extract base-1.4.5.tar.gz into the AppServ web root, open it in the browser, and the wizard asks for the path to the ADOdb PHP library, which BASE requires and which is not part of the software list above, then for the connection details of the snortdb and snortarc databases using the snort account created above, and finally creates BASE's own extra tables in snortdb.
On the command line, run the following command to start Snort in network intrusion detection mode; then scan this host with nmap from another machine on the same network segment and the statistics appear in the BASE interface, as shown in the screenshot below. -i1 is the capture interface index; list the indexes with snort -W first, since an imported VM often has more than one adapter and index 1 may not be the one on the scanned network. -dev prints every packet with link-layer and application data to the console, which is handy for confirming that capture works but costs throughput; once the setup is verified, drop it and keep only -c and -l.
c:\snort\bin\snort -i1 -dev -c c:\snort\etc\snort.conf -l c:\snort\log
Scan this host with nmap from another host on the same network segment
The Snort statistics as displayed by BASE
If Snort fails to start, the original page shows two error screenshots with their fixes (not reproduced here). Running Snort with -T against the same -c configuration tests the config without capturing and prints the first error it hits, which is almost always a path from the snort.conf edits above.
This completes the Snort + BASE intrusion detection setup on Windows.