The complete, official WinIDS Installation Guide: http://wenku.baidu.com/view/e676414f2b160b4e767fcf29.html
WinIDS builds an IDS on Windows on top of Snort, MySQL and related tools.
The following is the section of its documentation on installing and configuring Snort; it is worth referring to.
Install and configure Snort
Navigate to the 'd:\tmp' folder, double left-click on the 'Snort...' file to start the installer, left-click the 'I Agree' button, left-click 'Next' (leave default), left-click 'Next', in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing Snort to install, left-click the 'Close' button, and finally left-click 'OK'.
Navigate to the 'd:\tmp' folder and dissolve the 'snortrules-snapshot-CURRENT.zip' file into 'd:\winids\snort'.
Navigate to the 'd:\winids\snort\etc' folder, right-click on the 'snort.conf' file and open with 'WordPad'.
Note: Use Find in WordPad to locate and change the variables below.
The home network variable below defines the network you wish to monitor, for instance the local LAN segment. It is set by specifying one or more networks in CIDR form.
Note: The IP address below is fictitious and must be changed to the correct IP Address and CIDR that reflects the actual network that the IDS is monitoring.
Original: var HOME_NET any
Change: var HOME_NET 192.168.1.0/24
The external network below specifies one or more networks where you believe threats or attacks will originate. The var EXTERNAL_NET variable below can also be set by specifying a CIDR, or you can make use of the home network variable specified above (anything that is not HOME_NET is treated as external).
Original: var EXTERNAL_NET any
Change: var EXTERNAL_NET !$HOME_NET
Original: var RULE_PATH ../rules
Change: var RULE_PATH d:\winids\snort\rules
Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_dns.dll
Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
Original: dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll
Note: Find the line entries below and change the next lines.
Original:
# preprocessor sfportscan: proto { all } \
# memcap { 10000000 } \
# sense_level { low }
Change:
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low } \
logfile { portscan.log }
Note: Just below '# output log_tcpdump: tcpdump.log' insert this next line:
output alert_fast: alert.ids
Original: # output database: log, mysql, user=root password=test dbname=db host=localhost
Change: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=localhost sensor_name=WinIDS
Original: include classification.config
Change: include d:\winids\snort\etc\classification.config
Original: include reference.config
Change: include d:\winids\snort\etc\reference.config
Original: # include threshold.conf
Change: include d:\winids\snort\etc\threshold.conf
Now save the file and exit WordPad.
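The WordPad edits above are easy to get subtly wrong by hand (a leftover Linux .so path, a HOME_NET with host bits set, a preprocessor block only half uncommented). The script below is an added example, not part of the WinIDS guide or of Snort, that applies the same changes to a Snort 2.x snort.conf programmatically and then checks the result. The sample configuration text is constructed from the guide's 'Original' lines; the install root d:\winids\snort and the database values are the guide's, except the password, which is a labelled placeholder to be replaced with your own.

```python
"""Apply the WinIDS snort.conf edits programmatically and verify them.

Added example, not code from the WinIDS guide. Assumes the Snort 2.x
snort.conf layout the guide quotes (e.g. the three-line commented
sfportscan block) and the install root d:\\winids\\snort.
"""
import ipaddress
import re

SNORT_ROOT = r"d:\winids\snort"

# Linux preprocessor library names -> Windows DLL names listed in the guide.
PREPROC_DLLS = {
    "libsf_dcerpc_preproc.so": "sf_dcerpc.dll",
    "libsf_dns_preproc.so": "sf_dns.dll",
    "libsf_ftptelnet_preproc.so": "sf_ftptelnet.dll",
    "libsf_smtp_preproc.so": "sf_smtp.dll",
    "libsf_ssh_preproc.so": "sf_ssh.dll",
}

# Constructed sample built from the guide's 'Original' lines (not a real file).
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# preprocessor sfportscan: proto { all } \\
# memcap { 10000000 } \\
# sense_level { low }
# output log_tcpdump: tcpdump.log
# output database: log, mysql, user=root password=test dbname=db host=localhost
include classification.config
include reference.config
# include threshold.conf
"""


def validate_home_net(cidr: str) -> str:
    """Reject 'any' and malformed CIDRs; host bits must be zero (192.168.1.1/24 fails)."""
    if cidr.strip().lower() == "any":
        raise ValueError("HOME_NET must name the monitored network, not 'any'")
    return str(ipaddress.ip_network(cidr, strict=True))


def configure_snort_conf(text: str, home_net: str, root: str = SNORT_ROOT,
                         db_user: str = "snort", db_pass: str = "CHANGE_ME_PLACEHOLDER",
                         db_name: str = "snort", sensor: str = "WinIDS") -> str:
    """Return the config text with the guide's edits applied."""
    home_net = validate_home_net(home_net)
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        line, s = lines[i], lines[i].strip()
        if s == "var HOME_NET any":
            out.append(f"var HOME_NET {home_net}")
        elif s == "var EXTERNAL_NET any":
            out.append("var EXTERNAL_NET !$HOME_NET")
        elif s == "var RULE_PATH ../rules":
            out.append(rf"var RULE_PATH {root}\rules")
        elif s.startswith("dynamicpreprocessor file "):
            dll = PREPROC_DLLS.get(s.rsplit("/", 1)[-1])
            # Preprocessors the guide does not list are left untouched.
            out.append(line if dll is None else
                       rf"dynamicpreprocessor file {root}\lib\snort_dynamicpreprocessor" + "\\" + dll)
        elif s.startswith("dynamicengine "):
            out.append(rf"dynamicengine {root}\lib\snort_dynamicengine\sf_engine.dll")
        elif s == "# preprocessor sfportscan: proto { all } \\":
            # Uncomment the whole three-line block and add the logfile option.
            out += ["preprocessor sfportscan: proto { all } \\", "memcap { 10000000 } \\",
                    "sense_level { low } \\", "logfile { portscan.log }"]
            i += 2  # skip the two original continuation lines
        elif s == "# output log_tcpdump: tcpdump.log":
            out += [line, "output alert_fast: alert.ids"]
        elif s.startswith("# output database: log, mysql,"):
            out.append(f"output database: log, mysql, user={db_user} password={db_pass} "
                       f"dbname={db_name} host=localhost sensor_name={sensor}")
        elif s in ("include classification.config", "include reference.config"):
            out.append(rf"include {root}\etc" + "\\" + s.split()[1])
        elif s == "# include threshold.conf":
            out.append(rf"include {root}\etc\threshold.conf")
        else:
            out.append(line)
        i += 1
    return "\n".join(out) + "\n"


def check_snort_conf(text: str) -> list:
    """Return the problems a reviewer would flag in a finished config; [] means OK."""
    problems = []
    if re.search(r"^var HOME_NET any$", text, re.M):
        problems.append("HOME_NET is still 'any'")
    if "/usr/local/lib/" in text:
        problems.append("Linux library path left in config")
    if not re.search(r"^output database: log, mysql, ", text, re.M):
        problems.append("MySQL logging output not enabled")
    if re.search(r"^# include threshold\.conf", text, re.M):
        problems.append("threshold.conf still commented out")
    return problems


if __name__ == "__main__":
    result = configure_snort_conf(SAMPLE_CONF, "192.168.1.0/24")
    print(result)
    print("problems:", check_snort_conf(result))
```

Running it prints the rewritten configuration and an empty problem list; running `check_snort_conf` on the untouched sample reports all four issues, which makes it a cheap pre-flight check before starting Snort with the edited file.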