Setup Snort


Install Snort

Install packages
1. yum install -y gcc flex bison zlib* libxml2 libpcap* pcre* tcpdump git libtool curl man make daq
2. yum groupinstall -y "Development Tools"
3. yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd httpd wget pcre pcre-devel
Prepare the following install files separately:
libdnet-1.12.tgz
libdnet-1.12-6.el6.x86_64.rpm
libdnet-devel-1.12-6.el6.x86_64.rpm

Author: Nguyen Van Hung
Department: CNTT
Download the latest Snort and DAQ archives from Snort.org:
daq-2.0.4.tar.gz
snort-2.9.7.2.tar.gz
cd /usr/local/src
tar -zxvf /root/Desktop/daq-2.0.4.tar.gz
tar -zxvf /root/Desktop/snort-2.9.7.2.tar.gz
cd daq-2.0.4
./configure
make && make install
cd /usr/local/src/snort-2.9.7.2
./configure --enable-sourcefire
make && make install
cd /etc
mkdir snort
cd snort
cp /usr/local/src/snort-2.9.7.2/etc/* .
tar -zvxf /root/Desktop/snortrules-snapshot-2970.tar.gz
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
Create the snort user and group and set ownership
groupadd -g 40000 snort
useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort
Configure Snort
vi /etc/snort/snort.conf
Change the following lines (old > new; the number is the line in snort.conf where the guide gives one):
ipvar HOME_NET any  >  ipvar HOME_NET 192.168.x.x
ipvar EXTERNAL_NET any  >  ipvar EXTERNAL_NET !$HOME_NET
var SO_RULE_PATH ../so_rules  >  var SO_RULE_PATH /etc/snort/so_rules  (line 105)
var PREPROC_RULE_PATH ../preproc_rules  >  var PREPROC_RULE_PATH /etc/snort/preproc_rules  (line 106)
var WHITE_LIST_PATH ../rules  >  var WHITE_LIST_PATH /etc/snort/rules  (line 109)
var BLACK_LIST_PATH ../rules  >  var BLACK_LIST_PATH /etc/snort/rules  (line 110)

cd /usr/local/src
chown -R snort:snort daq-2.0.4
chmod -R 777 daq-2.0.4
chown -R snort:snort snort-2.9.7.2
chmod -R 755 snort-2.9.7.2
chown -R snort:snort snort_dynamicsrc
chmod -R 777 snort_dynamicsrc
Start snort
cd /usr/local/src/snort-2.9.7.2/rpm
cp snortd /etc/init.d/snort
cp /usr/local/src/snort-2.9.7.2/rpm/snort.sysconfig /etc/sysconfig/snort
chmod 777 /etc/init.d/snort
chkconfig --add snort
chkconfig snort on
cd /usr/sbin
ln -s /usr/local/bin/snort snort
If the /var/log/snort directory does not exist:
cd /var/log
mkdir snort
Permissions
chmod 777 snort
chown -R snort:snort snort
cd /usr/local/lib
chown -R snort:snort snort*
chown -R snort:snort snort_dynamic*
chown -R snort:snort pkgconfig
chmod -R 777 snort*
chmod -R 777 pkgconfig
cd /usr/local/bin
chown -R snort:snort daq-modules-config
chown -R snort:snort u2*
chmod -R 777 daq-modules-config
chmod 777 u2*
cd /etc
chown -R snort:snort snort
chmod -R 777 snort
(Once everything is owned by snort:snort, 755 on directories and binaries and 644 on configuration and rule files is enough for the checks below; 777 makes the Snort binaries, libraries and rule files writable by every local user.)
Check the configuration
cd /usr/local/bin
./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
Verify
snort -v
snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

ERROR: /etc/snort/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
Create the dynamicrules directory:
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 777 /usr/local/lib/snort_dynamicrules
If OK:
cd /usr/local/bin
./snort -A fast -b -D -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
service snort start /stop /restart
Add rule
gedit /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"Co Nguoi Ping"; sid:1000003;rev:1;)
View alerts on the console:
snort -c /etc/snort/snort.conf -i eth0 -A console
snort -vde
Other rules
drop icmp any any -> any any (itype:0;msg:"Chan Ping";sid:1000002;)
alert icmp any any -> $HOME_NET 81 (msg:"Scanning Port 81"; sid:1000001;rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"Scanning Port 22"; sid:1000002;rev:1;)
alert icmp any any -> any any (msg:"UDP Tesing Rule"; sid:1000006;rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test!!!"; classtype:not-suspicious; sid:1000005; rev:1;)
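A quick sanity check for local.rules, added here as an example (it is not part of the original guide): it parses each rule header and its options and reports things that are easy to miss when hand-editing rules, such as a reused sid (the list above uses sid:1000002 twice), a missing rev, a port on an icmp rule (ICMP has no ports, so the field is ignored), and drop rules that only block when Snort runs inline. The sample input is the set of rules listed above.

```python
import re
from collections import Counter
# Sample input: the local.rules entries from this guide, one rule per line.
SAMPLE_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"Co Nguoi Ping"; sid:1000003;rev:1;)
drop icmp any any -> any any (itype:0;msg:"Chan Ping";sid:1000002;)
alert icmp any any -> $HOME_NET 81 (msg:"Scanning Port 81"; sid:1000001;rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"Scanning Port 22"; sid:1000002;rev:1;)
alert icmp any any -> any any (msg:"UDP Tesing Rule"; sid:1000006;rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test!!!"; classtype:not-suspicious; sid:1000005; rev:1;)
"""
# Snort 2.9 text-rule header: action proto src sport dir dst dport (options)
HEADER = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>ip|tcp|udp|icmp)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*\((?P<opts>.*)\)\s*$')
def parse_rule(line):
    """Return header fields plus an 'opts' dict (key -> unquoted value), or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule['opts'] = {}
    # Split options on ';' outside double quotes, so a msg may itself contain ';'.
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group('opts')):
        if opt.strip():
            key, _, val = opt.partition(':')
            rule['opts'][key.strip()] = val.strip().strip('"')
    return rule

def lint_rules(text):
    """Return (line_no, problem) pairs for checks that snort -T does not spell out."""
    rules = [(n, parse_rule(l)) for n, l in enumerate(text.splitlines(), 1)
             if l.strip() and not l.lstrip().startswith('#')]
    sids = Counter(r['opts'].get('sid') for _, r in rules if r)
    problems = [(n, 'unparseable rule') for n, r in rules if r is None]
    for n, r in [x for x in rules if x[1]]:
        o = r['opts']
        if 'sid' not in o:
            problems.append((n, 'missing sid'))
        elif sids[o['sid']] > 1:
            problems.append((n, f"sid {o['sid']} reused; gid:sid must be unique"))
        if 'rev' not in o:
            problems.append((n, 'missing rev; add rev:1 so later edits can be versioned'))
        if r['action'] in ('drop', 'reject', 'sdrop'):
            problems.append((n, f"{r['action']} only blocks when Snort runs inline (-Q)"))
        if r['proto'] == 'icmp' and (r['sport'], r['dport']) != ('any', 'any'):
            problems.append((n, 'icmp has no ports; the port field is ignored'))
    return problems
```

Run it over /etc/snort/rules/local.rules before `snort -T`; the rule from the earlier "Add rule" step (sid:1000003) passes clean, while lines 2, 3 and 4 of the sample are flagged.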
View the Snort alert log files in:
/var/log/snort
Configure Snort Inline
Prepare one CentOS 6.5 machine.
Prepare one attacker machine.
Two network cards:
1 WAN card (NAT) - 1 LAN card (host-only)
NAT the LAN card out through the WAN card so that the outside can ping in:
vi /etc/sysctl.conf  (set net.ipv4.ip_forward = 1 so forwarding survives a reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 7 -j DNAT --to 192.168.1.10:7
1. Configure Inline Packet Normalization to be enabled. If running Snort in passive mode (IDS), comment out/disable Inline Packet Normalization:
## Keep these unchanged. If they are commented out, then uncomment them.
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
2. Configure Snort Policy mode to run in inline (IPS):
## Under Step #2: add the following line
config policy_mode:inline

3. Configure DAQ variables to run AFPacket in inline (IPS) mode:


## Configure DAQ variables for AFPacket
vi /etc/snort/snort.conf
config daq: afpacket
config daq_mode: inline
config daq_dir: /usr/local/lib/daq
config daq_var: buffer_size_mb=128
Verify:
/usr/local/bin/snort -i eth0:eth1 -A console -c /etc/snort/snort.conf -l /var/log/snort/ -Q
Ping is blocked successfully.
Add rules to block nmap.
Snort detects and blocks >>>> success.
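Before starting with -Q, it is worth confirming that all three steps above actually took effect, because a missed step leaves Snort alerting on drop rules instead of dropping. The checker below is an added example, not part of the original guide; the snort.conf fragment it parses is constructed, and it only looks at the directives the three steps mention plus the -Q and -i eth0:eth1 arguments from the verify command.

```python
NORMALIZERS = ('normalize_ip4', 'normalize_tcp', 'normalize_icmp4',
               'normalize_ip6', 'normalize_icmp6')
# Constructed snort.conf fragment (not the guide's file): step 2 applied, step 3 not yet,
# and one step-1 normalizer still commented out.
SAMPLE_CONF = """\
# preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
config policy_mode:inline
config daq: pcap
"""
def active_directives(conf):
    """Yield (keyword, rest) for each uncommented line, e.g. ('config', 'daq_mode: inline')."""
    for line in conf.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            kw, _, rest = line.partition(' ')
            yield kw, rest.strip()

def check_inline(conf, argv):
    """Return what is still missing for Snort to drop rather than only alert.
    argv is the snort command line as a list, e.g. ['snort', '-i', 'eth0:eth1', '-Q']."""
    configs, preprocs, findings = {}, set(), []
    for kw, rest in active_directives(conf):
        if kw == 'config':
            name, _, val = rest.partition(':')
            configs[name.strip()] = val.strip()
        elif kw == 'preprocessor':
            preprocs.add(rest.split(':', 1)[0].strip())
    if configs.get('policy_mode') != 'inline':
        findings.append('config policy_mode:inline missing (step 2)')
    if configs.get('daq') != 'afpacket':
        findings.append('config daq: afpacket missing (step 3)')
    if configs.get('daq_mode') != 'inline':
        findings.append('config daq_mode: inline missing (step 3)')
    for n in NORMALIZERS:
        if n not in preprocs:
            findings.append(f'preprocessor {n} commented out (step 1)')
    if '-Q' not in argv:
        findings.append('-Q missing from the command line')
    try:
        iface = argv[argv.index('-i') + 1]
    except (ValueError, IndexError):
        iface = ''
    if ':' not in iface:
        findings.append('afpacket inline needs an interface pair, e.g. -i eth0:eth1')
    return findings
```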
Install phpMyAdmin
yum -y install phpmyadmin
If you get the error "No package phpmyadmin available", then:
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
yum -y install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
yum -y install phpmyadmin

> Install OK

Install MySQL
yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd libtool php-imap php-ldap php-mbstring php-odbc php-pear php-xml php-xmlrpc
yum install php-pecl-apc
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
mysql_secure_installation
/usr/bin/mysqladmin -u root password '<new password>'
Then try accessing MySQL:
service httpd start
service mysqld start
chkconfig httpd on
chkconfig mysqld on
mysqladmin -u root password 123456
# mysql -u root -p
mysql> create database snort;
Query OK, 1 row affected (0.00 sec)
mysql> grant select,insert,update,delete,create on snort.* to snort@localhost;
Query OK, 0 rows affected (0.06 sec)
mysql> set password for snort@localhost=PASSWORD('123456');
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Install Barnyard2

cd /usr/local/src/
tar zxvf /root/Desktop/barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13/
autoreconf -fvi -I ./m4
./configure --with-mysql                                          (CentOS 32-bit)
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql  (CentOS 64-bit)
make && make install
cp etc/barnyard2.conf /etc/snort
Create the database schema:
mysql -u snort -p123456 snort < schemas/create_mysql
vi /etc/snort/barnyard2.conf
mkdir /var/log/barnyard2
chown snort.snort /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort.snort /var/log/snort/barnyard2.waldo
touch /etc/snort/sid-msg.map

Install PulledPork
cd /usr/local/src/snort
tar xvfz pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
cp pulledpork.pl /usr/local/bin
chmod 755 /usr/local/bin/pulledpork.pl
cp etc/* /etc/snort/
vi /etc/snort/pulledpork.conf
updatedb
locate snort.conf

Install PHP
yum install php
yum install php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc
service httpd restart

To test whether the PHP modules were installed successfully, create a file info.php in /html with the following content:
<?php
phpinfo();
?>
# pear channel-update pear.php.net
# pear install Numbers_Roman
# pear install Image_Color-1.0.4
# pear install Image_Canvas-0.3.5
# pear install Image_Graph-0.8.0

Install BASE and ADOdb
tar -xvzf adodb518.tgz
mv adodb5 /var/adodb
tar -zxvf base-1.4.5.tar.gz
mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
cp base_conf.php.dist base_conf.php
chown -R apache:apache /var/www/html/base
chmod o-r /var/www/html/base/base_conf.php
vi /var/www/html/base/base_conf.php
$BASE_urlpath = '/base';
$DBlib_path = '/var/adodb';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'snort';
$alert_password = 'snort';
($alert_password must match the password given to snort@localhost in the MySQL step above, which set it to 123456.)
chmod 777 /var/www/html/base
vi /etc/sysconfig/barnyard2
vi /etc/httpd/conf/httpd.conf
Alias /base /var/www/html/base/
<Directory "/var/www/html/base/">
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /adodb/ "/var/adodb/"
<Directory "/var/adodb">
AllowOverride None
Order allow,deny
Allow from all
</Directory>
(BASE loads ADOdb from $DBlib_path on disk, so the /adodb alias is not required for BASE to work; serving the library directory to browsers can be left out.)
service httpd restart
chcon -R -t httpd_sys_content_t /var/www/html/base/
chcon -R -h -t httpd_sys_content_t /var/adodb
