Without further ado, here are the configuration files.
The IDS (Snort) and IPS (Guardian) essentially work like this:
1. Snort analyzes the log records using the logs saved by iptables.
2. Guardian uses the results of Snort's log analysis to defend.
3. The core of Snort/Guardian is the iptables log record. The configuration files follow:
###############
## Guardian ##
###############
# rpm package download
http://www.chaotic.org/guardian/
tar -xzvf guardian-***
cd guardian-***
# installing ....
cp guardian.pl /usr/sbin/
cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
cp guardian.conf /etc/snort/
touch /etc/snort/guardian.ignore
touch /etc/snort/guardian.target
touch /var/log/snort/guardian.log
# guardian configuration file settings (PATH /etc/snort/guardian.conf)
Interface eth0
LogFile /var/log/snort/guardian.log
AlertFile /var/log/snort/alert
IgnoreFile /etc/snort/guardian.ignore
TargetFile /etc/snort/guardian.target
TimeLimit 86400 # units: seconds
# /usr/local/bin/guardian_block.sh (called as: guardian_block.sh <source-ip> <interface>)
source=$1
interface=$2
/sbin/iptables -I INPUT -s "$source" -i "$interface" -j DROP
# /usr/local/bin/guardian_unblock.sh (run after TimeLimit expires to remove the rule again)
source=$1
interface=$2
/sbin/iptables -D INPUT -s "$source" -i "$interface" -j DROP
#---------------------------------------------------------------------------------------------
# service start, restart and stop
guardian.sh [ start | restart | stop | status ]
######################################### WORKS ###############################################
                command
          |-----------------> iptables ------------------> DROP
          | if alert                           |
          |                                    | TimeLimit timeout
          | listen                             | default
alert <---------------- Guardian ==================> ACCEPT
          |
          |-- guardian.ignore
          |-- guardian.target
# If the interface carries IP aliases, the aliases must be made known to Guardian: \
# every alias IP address must be added to guardian.target
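To see what guardian.ignore and guardian.target actually do before the block script is put in front of a live iptables, here is an added example, not from the original page and not Guardian's own Perl code, that models Guardian's decision loop in POSIX shell as a dry run. Everything in it is constructed for the demo: the alert lines, the addresses, the file names under a temporary directory, and the simplified semantics it assumes, namely that TargetFile holds the host's own addresses (aliases included) so an alert counts as inbound only when its destination is listed there, and that IgnoreFile holds sources that are never blocked.

```shell
#!/bin/sh
# Added example (not the page's and not Guardian's code): a dry-run model of
# Guardian's alert -> ignore/target check -> block-script loop.
# All alert lines, addresses and semantics below are constructed/assumed.

# Constructed alert file in Snort's "alert" (full) format: one attacker hitting
# the main address, one hitting an IP alias, one whitelisted host, one alert
# aimed at an address that is not ours, and a repeat from the first attacker.
make_sample_alerts() {
    cat <<'EOF' > "$1"
[**] [1:1000001:1] constructed demo: port scan [**]
[Priority: 2]
10/02-12:00:00.000001 203.0.113.7:40000 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
[**] [1:1000002:1] constructed demo: port scan [**]
[Priority: 2]
10/02-12:00:01.000001 198.51.100.9:40001 -> 192.168.1.11:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60
[**] [1:1000003:1] constructed demo: port scan [**]
[Priority: 2]
10/02-12:00:02.000001 192.168.1.20:40002 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:60
[**] [1:1000004:1] constructed demo: port scan [**]
[Priority: 2]
10/02-12:00:03.000001 192.0.2.44:40003 -> 10.9.9.9:22
TCP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:60
[**] [1:1000005:1] constructed demo: repeat from same source [**]
[Priority: 2]
10/02-12:00:04.000001 203.0.113.7:40004 -> 192.168.1.10:23
TCP TTL:64 TOS:0x0 ID:5 IpLen:20 DgmLen:60
EOF
}

# guardian_decide ALERTFILE IGNOREFILE TARGETFILE
# Prints, once each, the source addresses that would be handed to guardian_block.sh.
# Assumed (simplified) semantics: TargetFile = our own addresses, aliases included,
# so an alert is inbound only if its destination is listed; IgnoreFile = sources
# never blocked; our own addresses are never blocked either.
guardian_decide() {
    alerts=$1; ignore=$2; target=$3
    grep -E '^[0-9]{2}/[0-9]{2}-[0-9:.]+ [0-9.]+(:[0-9]+)? -> [0-9.]+(:[0-9]+)?$' "$alerts" |
    while read -r _ts src _arrow dst; do
        src=${src%%:*}                            # drop the port, if any
        dst=${dst%%:*}
        grep -qxF "$dst" "$target" || continue    # not aimed at one of our addresses
        grep -qxF "$src" "$ignore" && continue    # whitelisted source
        grep -qxF "$src" "$target" && continue    # never block our own address
        echo "$src"
    done | awk '!seen[$0]++'                      # one block per source
}

# guardian_dry_run ALERTFILE IGNOREFILE TARGETFILE INTERFACE
# Prints the block commands instead of executing them.
guardian_dry_run() {
    guardian_decide "$1" "$2" "$3" | while read -r ip; do
        echo "/usr/local/bin/guardian_block.sh $ip $4"
    done
}

demo() {
    tmp=$(mktemp -d)
    make_sample_alerts "$tmp/alert"
    printf '192.168.1.20\n' > "$tmp/guardian.ignore"                # constructed whitelist
    printf '192.168.1.10\n192.168.1.11\n' > "$tmp/guardian.target"  # main IP plus alias
    guardian_dry_run "$tmp/alert" "$tmp/guardian.ignore" "$tmp/guardian.target" eth0
    rm -rf "$tmp"
}
demo
```

The run prints two block commands, for 203.0.113.7 and 198.51.100.9: the whitelisted 192.168.1.20 is skipped, the alert aimed at 10.9.9.9 is not inbound, and the repeat from 203.0.113.7 is collapsed. Remove 192.168.1.11 from the target file and the alias attack silently disappears, which is exactly the failure the note about IP aliases above warns about.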
###############
## Snort ##
###############
# download the snort package (rpm)
http://www.snort.org
http://www.snort.org/dl/binaries/linux
# download the snort rules database
# register at snort.org
https://www.snort.org/pub-bin/register.cgi
http://www.snort.org/pub-bin/downloads.cgi
#---------------------------------------------------------------------------
tar -xzvf snortrules-**
# copy all rules from the extracted rules directory into /etc/snort/rules
# snort starts with its default configuration, but to tune the policy you should \
# edit /etc/snort/snort.conf
# For example (the value of the variable HOME_NET)
# single host
var HOME_NET 192.168.1.10
# networks
var HOME_NET 192.168.1.0/24,192.168.2.0/24
# set the rule files snort includes
var RULE_PATH /etc/snort/rules
include $RULE_PATH/pop3.rules # (example)
#--------------------------------------------------------------------------
# set the interface snort listens on
# configuration file: /etc/sysconfig/snort
# single interface: INTERFACE=interface
# multiple interfaces: INTERFACE="interface1 interface2 ..."
# For example
INTERFACE=eth0 # single interface
INTERFACE="eth0 eth1 eth2" # multiple interfaces
# service start, stop and restart
service snortd [ start | stop | restart ]
/etc/init.d/snortd [ start | stop | restart ]
# log file path: /var/log/snort/alert or /var/log/snort/<INTERFACE_NAME>/alert
# test: run an nmap port scan against the host, then check whether records appear with "cat /var/log/snort/alert"
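A silent failure of the nmap test above is a HOME_NET that does not cover the scanned host: rules written against $HOME_NET never fire for traffic to an address outside it, so the alert file stays empty. The following added example, not from the original page and not part of Snort, reads the `var HOME_NET` line out of a snort.conf and checks whether a given host address falls inside it, with the CIDR arithmetic done in POSIX shell. The snort.conf fragment and the addresses are constructed for the demo; the helper names (make_sample_conf, ip_to_int, in_cidr, home_net_covers) are my own.

```shell
#!/bin/sh
# Added example (not the page's and not Snort's code): verify that a host's
# address is inside the HOME_NET defined in snort.conf before trusting an
# empty /var/log/snort/alert. Sample config and addresses are constructed.

# Constructed snort.conf fragment with the two-network HOME_NET from the notes.
make_sample_conf() {
    cat <<'EOF' > "$1"
# constructed snort.conf fragment
var HOME_NET 192.168.1.0/24,192.168.2.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
EOF
}

# ip_to_int A.B.C.D : print the address as an unsigned 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR : succeed if IP lies inside CIDR (a bare address means /32)
in_cidr() {
    net=${2%/*}
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# home_net_covers CONF IP : succeed if IP is inside the HOME_NET of CONF.
# Takes the last "var HOME_NET ..." line, strips snort's optional [ ] list
# brackets, and tests each comma-separated entry. Returns 2 if no HOME_NET.
home_net_covers() {
    list=$(sed -n 's/^var[[:space:]]\{1,\}HOME_NET[[:space:]]\{1,\}//p' "$1" | tail -n 1 | tr -d '[] ')
    [ -n "$list" ] || return 2
    oldifs=$IFS; IFS=,
    for cidr in $list; do
        IFS=$oldifs
        if in_cidr "$2" "$cidr"; then return 0; fi
    done
    IFS=$oldifs
    return 1
}

demo() {
    tmp=$(mktemp -d)
    make_sample_conf "$tmp/snort.conf"
    for host in 192.168.1.10 192.168.2.77 10.0.0.5; do   # constructed hosts to check
        if home_net_covers "$tmp/snort.conf" "$host"; then
            echo "$host: inside HOME_NET, a scan of it should produce alerts"
        else
            echo "$host: outside HOME_NET, HOME_NET rules will not fire for it"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Run it against the real file with `home_net_covers /etc/snort/snort.conf <your-host-ip>` after sourcing the functions; an exit status of 1 means the nmap check will come back empty no matter how the rules are tuned, and an exit status of 2 means HOME_NET is not defined at all.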
################
## Nessus ##
################
# rpm from www.nessus.org
http://www.nessus.org/products/nessus/nessus-download-agreement
# Nessus server | Nessus client
# register
http://www.nessus.org/register
# registration command
nessus-fetch --register xxxx-xxxx-xxxx-xxxx-xxxx