Run the following commands:
apt-get update
apt-get upgrade
apt-get dist-upgrade
apt-get clean
2 Install the Snort intrusion detection system
2.1 Install the DAQ dependencies
Run the following commands:
sudo apt-get install flex
sudo apt-get install bison
sudo apt install aptitude
sudo aptitude install libpcap-dev
2.2 Install DAQ
Run the following commands:
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
tar xvfz daq-2.0.7.tar.gz
cd daq-2.0.7
./configure && make && sudo make install
make
2.3 Install Snort's dependencies
Run the following commands:
sudo su
aptitude install libpcre3-dev
aptitude install libdumbnet-dev
aptitude install zlib1g-dev
apt install openssl
apt-get install libssl-dev
Install LuaJIT:
sudo wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
sudo tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
sudo make && sudo make install
LuaJIT-2.0.5 is now installed.
2.4 Install Snort
Run the following commands:
wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
tar xvfz snort-2.9.20.tar.gz
cd snort-2.9.20
./configure --enable-sourcefire && make && sudo make install
Error: fatal error: rpc/types.h: No such file or directory
Run the following commands:
sudo apt-get install -y libtirpc-dev
sudo ln -s /usr/include/tirpc/rpc/* /usr/include/rpc
Error: fatal error: netconfig.h: No such file or directory
Run the following command:
sudo ln -s /usr/include/tirpc/netconfig.h /usr/include
Run the following command:
snort
Installed successfully.
3 Configure Snort
3.1 Create the necessary directories
# Snort's installation directories
sudo mkdir -p /etc/snort/rules/iplists
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Store the filter rules and the server blacklist/whitelist
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/so_rules
# Create the log directories
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/rules/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
3.2 Copy files to /etc/snort
cd /home/lingqi/daq-2.0.7/LuaJIT-2.0.5/
cp ./snort-2.9.20/etc/*.conf* /etc/snort
cp ./snort-2.9.20/etc/*.map /etc/snort
cp ./snort-2.9.20/etc/*.dtd /etc/snort
cp ./snort-2.9.20/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
3.3 Modify the default configuration
Open the configuration file:
sudo vim /etc/snort/snort.conf
Modify the paths:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists/
var BLACK_LIST_PATH /etc/snort/rules/iplists/
Enable the blacklist and whitelist.
3.4 Install the rules package
wget Snort - Network Intrusion Detection & Prevention System
sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort
Error:
The error message, stdin: not in gzip format, already points to the problem: the file is not in gzip format. The "file" command shows what the file actually is:
It turns out to be an HTML document. Go back to the Snort website and download the file directly.
sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort
sudo cp /etc/snort/so_rules/precompiled/RHEL-8/x86-64/2.9.18.1/* /usr/local/lib/snort_dynamicrules/
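As an added example (not part of the original tutorial), a small POSIX sh helper that checks the downloaded rules snapshot is real gzip data before handing it to tar, which catches the HTML-document case described above up front; the function names and the magic-byte check are my own, not anything Snort ships.

```shell
#!/bin/sh
# Added example: validate a Snort rules snapshot before extracting it.
# A failed download from snort.org is often an HTML page saved under the
# .tar.gz name, which makes tar fail with "stdin: not in gzip format".

# Return 0 if $1 begins with the gzip magic bytes 1f 8b, 1 otherwise.
is_gzip() {
    [ -f "$1" ] || return 1
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# Return 0 if the first 512 bytes of $1 look like an HTML document.
looks_like_html() {
    head -c 512 "$1" | grep -qi -e '<html' -e '<!doctype'
}

# Extract archive $1 into directory $2 only after validation.
# Usage: safe_extract_rules snortrules-snapshot-29181.tar.gz /etc/snort
safe_extract_rules() {
    archive="$1"; dest="$2"
    if ! is_gzip "$archive"; then
        if looks_like_html "$archive"; then
            echo "$archive is an HTML page, not a tarball: re-download it from snort.org" >&2
        else
            echo "$archive is not gzip data (first bytes:$(od -An -tx1 -N2 "$archive"))" >&2
        fi
        return 1
    fi
    tar zxvf "$archive" -C "$dest"
}

# When run directly with two arguments, validate and extract.
if [ "$#" -eq 2 ]; then
    safe_extract_rules "$1" "$2"
fi
```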
4 Start-up test
sudo snort -T -c /etc/snort/snort.conf
CentOS:
1. Preparation
Install the operating system in a virtual machine using the CentOS-6.8-x86_64-mini image.
By default the network IP address is obtained automatically; it needs to be changed to a static IP address.
#ifconfig -a //view the NIC configuration
#vi /etc/sysconfig/network-scripts/ifcfg-eth0 //edit the NIC configuration file
Change it to a static IP address: