Building a Snort intrusion detection (IDS) system on Windows Server 2003

I. Required software

1. Apache
Download: http://apache.mirror.phpchina.com/httpd/binaries/win32/apache_2.2.8-win32-x86-no_ssl.msi

2. ACID
Download: http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz

3. ADOdb
Download: http://jaist.dl.sourceforge.net/sourceforge/adodb/adodb504.tgz

4. JpGraph
Download: http://hem.bredband.net/jpgraph2/jpgraph-2.3.tar.gz

5. MySQL
Download: http://mysql.mirror.kangaroot.net/Downloads/MySQL-5.0/mysql-5.0.51a-win32.zip

6. PHP
Download: http://cn.php.net/distributions/php-5.2.5-Win32.zip

7. Snort
Download: http://www.snort.org/dl/binaries/win32/Snort_2_8_0_2_Installer.exe

8. WinPcap
Download: http://www.winpcap.org/install/bin/WinPcap_4_0_2.exe

9. Snort rules
Download: http://www.snort.org (a registered account is required to download the rules)

These are the releases that were current when this article was written and all of them are long out of support; on a real deployment use the current release of each package and verify the checksum of every download before installing it.

II. Installation steps

All packages will be installed under the c:\ids folder.

1. Install Apache
Set the installation directory to c:\ids\apache.

2. Install PHP
Unzip PHP into the c:\ids\php5 folder.
Copy php5ts.dll to c:\windows\system32.
Copy php.ini-dist to c:\windows and rename it php.ini.
Edit c:\ids\apache\conf\httpd.conf to add PHP support to Apache:
   LoadModule php5_module c:/ids/php5/php5apache2_2.dll
   AddType application/x-httpd-php .php

3. Edit c:\windows\php.ini and remove the semicolon in front of extension=php_gd2.dll.
Copy php_gd2.dll from the c:\ids\php5\ext folder to c:\windows.

4. Restart Apache.

5. In the c:\ids\apache\htdocs folder create a file test.php whose content is <?php phpinfo(); ?>

6. Open a browser and go to http://localhost/test.php. If the PHP information page is displayed, everything is working. A common problem at this point is that the browser downloads test.php instead of executing it; the cause is a mistake in the AddType line, so check and correct it. Delete test.php once the check passes: phpinfo() discloses the server's paths, module versions and configuration to anyone who can reach the page.

7. Install WinPcap
Accept the defaults.

8. Install Snort and set the path to the c:\ids\snort folder.

9. Verify the Snort installation by listing the network interfaces:
   C:\ids\snort\bin\snort.exe -W
Note the index numbers in the listing: on the author's system the real network adapter is number 4. It will differ on your machine, and it is the number passed to -i when Snort is started in step 19.

10. Install MySQL
Set the path to c:\ids\mysql.

11. Create the Snort database tables
Copy the create_mysql file from the c:\ids\snort\schemas folder to c:\ids\snort\bin (or reference it by its absolute path in the SOURCE command below).
Open the MySQL client and run the following commands:
   CREATE DATABASE snort;
   CREATE DATABASE snort_archive;
   USE snort;
   SOURCE create_mysql;        (or by absolute path: SOURCE c:\ids\snort\schemas\create_mysql)
   USE snort_archive;
   SOURCE create_mysql;
   GRANT ALL ON *.* TO 'root'@'localhost';
Granting ALL on *.* to the account that Snort and ACID log in with is far more privilege than either tool needs: a bug in the web console or a leaked acid_config.php then hands over the whole MySQL server. A dedicated account limited to the two snort databases is the better choice.
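The same database setup as step 11, written as an added example that is not from the original article, with the blanket GRANT replaced by two dedicated accounts: one that Snort's database output plugin uses to write events, and one that ACID uses to read, archive and delete them. The passwords are placeholders. It assumes MySQL 5.0's CREATE USER statement (available since 5.0.2, so it works with the 5.0.51a build listed above); the privilege sets cover what the two tools need for inserting and querying events and for ACID's own setup page, and should be widened only if a denied operation is reported.

```sql
-- Added example: create the Snort event databases and two least-privilege
-- accounts instead of granting ALL on *.* to root.
CREATE DATABASE snort;
CREATE DATABASE snort_archive;

-- Load the schema shipped with Snort into both databases
-- (path follows the article's c:\ids layout; forward slashes avoid
-- backslash escaping in the mysql client)
USE snort;
SOURCE c:/ids/snort/schemas/create_mysql;
USE snort_archive;
SOURCE c:/ids/snort/schemas/create_mysql;

-- Sensor account used in snort.conf's "output database:" line.
-- The output plugin only inserts events and reads/updates its
-- sensor and signature bookkeeping tables; it never needs DELETE,
-- DROP or access to any other database.
CREATE USER 'snort'@'localhost' IDENTIFIED BY 'sensor-password-placeholder';
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'snort'@'localhost';

-- Console account used in acid_config.php ($alert_user / $archive_user).
-- ACID reads and deletes alerts, moves them to the archive database and
-- creates its own acid_* tables and indexes from acid_db_setup.php.
CREATE USER 'acid'@'localhost' IDENTIFIED BY 'console-password-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX ON snort.*         TO 'acid'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX ON snort_archive.* TO 'acid'@'localhost';

FLUSH PRIVILEGES;
```

With these accounts in place, put the snort user in the output database line of snort.conf (step 17) and the acid user in acid_config.php (step 15), and the MySQL root password never has to appear in either file.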

 

 

 

12. Add MySQL support to PHP
Edit c:\windows\php.ini and remove the semicolon in front of extension=php_mysql.dll.
Copy php_mysql.dll from the c:\ids\php5\ext folder to c:\windows, and libmysql.dll from the c:\ids\php5 folder to c:\windows\system32.

13. Install ADOdb
Unzip ADOdb into the c:\ids\php5\adodb folder.

14. Install JpGraph
Unzip JpGraph into the c:\ids\php5\jpgraph folder.

15. Install ACID
Unzip ACID into the c:\ids\apache\htdocs\acid folder.
Edit acid_config.php so that the following settings read:
   $DBlib_path = "c:/ids/php5/adodb";
   $DBtype = "mysql";
   $alert_dbname   = "snort";
   $alert_host     = "localhost";
   $alert_port     = "3306";
   $alert_user     = "root";
   $alert_password = "111111";
   $archive_dbname   = "snort_archive";
   $archive_host     = "localhost";
   $archive_port     = "3306";
   $archive_user     = "root";
   $archive_password = "111111";
   $ChartLib_path = "c:/ids/php5/jpgraph/src";
The password 111111 is the example value used throughout this article; use the password you actually set, and preferably a dedicated MySQL account rather than root, since this file stores the credentials in clear text inside the web root.

16. Initialise the ACID database from the browser:
   http://localhost/acid/acid_db_setup.php
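An httpd.conf fragment, added here as an example and not part of the original article, that keeps the PHP handler lines from step 2 and restricts the ACID console installed in step 15 to the local machine. It uses Apache 2.2 access-control syntax (the version listed above) and the article's c:\ids paths; the htpasswd file name is an assumption.

```apache
# Added example: PHP handler from step 2 plus access control for the
# ACID console. Apache 2.2 syntax; paths follow the article's c:\ids layout.
LoadModule php5_module "c:/ids/php5/php5apache2_2.dll"
AddType application/x-httpd-php .php
# php.ini was copied to c:\windows in step 2
PHPIniDir "c:/windows"

# The console exposes every alert, and acid_config.php inside this folder
# holds the MySQL credentials, so do not leave it reachable from the network.
<Directory "c:/ids/apache/htdocs/acid">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    # To allow remote analysts instead of (or as well as) localhost, require
    # a login; the file name below is an assumption for this example:
    # AuthType Basic
    # AuthName "ACID console"
    # AuthUserFile "c:/ids/apache/conf/acid.htpasswd"
    # Require valid-user
</Directory>
```

Restart Apache after the change and confirm that http://localhost/acid/ still loads while a request from another host is refused with 403.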

 

 

 

17. Edit the Snort configuration file c:\ids\snort\etc\snort.conf
The relevant lines should read as follows (the stock file points the dynamic engine and preprocessors at Linux paths under /usr/local/lib, which is what produces the load errors listed under error handling below):
   dynamicpreprocessor file C:\ids\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
   dynamicpreprocessor file C:\ids\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
   dynamicpreprocessor file C:\ids\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
   dynamicpreprocessor file C:\ids\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
   dynamicpreprocessor file C:\ids\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
   dynamicengine C:/ids/Snort/lib/snort_dynamicengine/sf_engine.dll
   output database: alert, mysql, user=root password=111111 dbname=snort host=localhost encoding=hex detail=full
   include c:\ids\snort\etc\classification.config
   include c:\ids\snort\etc\reference.config
The output database line holds the MySQL password in clear text, so keep snort.conf readable only by the account Snort runs as, and use the dedicated sensor account rather than root if you created one in step 11.

18. Unpack the Snort rules package
Extract all files in the archive into c:\ids\snort\. This creates c:\ids\snort\rules, which snort.conf references as ../rules relative to the etc folder.

19. Start Snort intrusion detection
   C:\ids\snort\bin\snort.exe -c "c:\ids\snort\etc\snort.conf" -l "c:\ids\snort\log" -i 4 -d -e -X
Here -c names the configuration file, -l the log directory, -i the interface number found in step 9, and -d, -e and -X dump the application-layer data, the link-layer headers and the raw packet bytes respectively.
If you want to see the packets Snort captures, add -v after -X.

20. View the statistics
   http://www.lrq.com/acid/acid_main.php
(This is the author's host name; on a local install the console is at http://localhost/acid/acid_main.php.)

21. Error handling

ERROR: Unable to open rules file: ../rules/local.rules or c:\ids\snort\etc\../rules/local.rules
Fatal Error, Quitting..
Fix: the rules package has not been unpacked yet (step 18). Snort resolves the relative path ../rules against the directory holding snort.conf, so the rules must end up in c:\ids\snort\rules.

Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... ERROR: Failed to load /usr/local/lib/snort_dynamicengine/libsf_engine.so: 126
Fatal Error, Quitting..
Fix: set the path and file name of the engine DLL in snort.conf (the dynamicengine line in step 17). The stock file still points at the Linux libsf_engine.so; error 126 is Windows' "module could not be found".

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so... ERROR: Failed to load /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so: 126
Fix: set the path and file name of the dcerpc preprocessor DLL in snort.conf (the dynamicpreprocessor lines in step 17), and likewise for every other preprocessor that still points at /usr/local/lib.

Not Using PCAP_FRAMES
Fix: set the PCAP_FRAMES environment variable before starting Snort, e.g. set PCAP_FRAMES=MAX or set PCAP_FRAMES=32768.
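A pre-flight checker for snort.conf, added here as an example and not code from the original article or from the Snort project. It parses the directives that step 17 edits and reports, before Snort is started, the three conditions behind the errors listed above: dynamicengine and dynamicpreprocessor libraries that do not exist on disk (the stock /usr/local/lib paths), include files that cannot be found once a relative path is resolved against the snort.conf directory, and an output database line that logs in as root. The helper names, the directory layout and the config text built in demo() are this example's own constructions; the checker itself works on any snort.conf.

```python
"""Pre-flight check for a Windows snort.conf (added example).

Reproduces, without starting Snort, the three failures from the article's
"Error handling" section: missing dynamic engine/preprocessor libraries,
unresolved include files (Snort anchors relative includes at the directory
holding snort.conf, hence "c:\\ids\\snort\\etc\\../rules/local.rules"),
and a database output plugin that logs in as root.
"""
import os
import re
import tempfile

VAR_RE = re.compile(r'\$(\w+)')


def expand_vars(path, variables):
    """Substitute $NAME references defined by earlier 'var NAME value' lines."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), path)


def resolve(path, conf_dir, variables):
    """Expand variables and anchor a relative path at the snort.conf directory,
    which is how Snort itself resolves 'include ../rules/local.rules'."""
    path = expand_vars(path, variables).replace('\\', os.sep)
    return os.path.normpath(os.path.join(conf_dir, path))


def iter_directives(conf_text):
    """Yield (lineno, keyword, argument) for every non-comment line."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        keyword, _, argument = line.partition(' ')
        yield lineno, keyword.lower(), argument.strip()


def check_snort_conf(conf_text, conf_dir):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    variables = {}
    for lineno, keyword, argument in iter_directives(conf_text):
        if keyword == 'var':
            name, _, value = argument.partition(' ')
            variables[name] = value.strip()
        elif keyword in ('dynamicengine', 'dynamicpreprocessor'):
            # Accepted forms: 'dynamicengine <path>', 'dynamicengine file <path>',
            # 'dynamicpreprocessor file <path>', 'dynamicpreprocessor directory <dir>'
            words = argument.split()
            if not words:
                problems.append(f'line {lineno}: {keyword} has no path')
                continue
            target = resolve(words[-1], conf_dir, variables)
            exists = os.path.isdir(target) if words[0] == 'directory' else os.path.isfile(target)
            if not exists:
                problems.append(f'line {lineno}: {keyword} library not found: {words[-1]} '
                                '(Snort fails with "Failed to load ...: 126")')
        elif keyword == 'include':
            target = resolve(argument, conf_dir, variables)
            if not os.path.isfile(target):
                problems.append(f'line {lineno}: include not found: {target}')
        elif keyword == 'output' and argument.startswith('database:'):
            params = dict(token.split('=', 1) for token in argument.split() if '=' in token)
            if params.get('user') == 'root':
                problems.append(f'line {lineno}: output database logs in as root; '
                                'use a dedicated account limited to the snort databases')
    return problems


def demo():
    """Build a throw-away copy of the article's c:\\ids\\snort layout (constructed
    for this example) and check a snort.conf that reproduces the error cases.
    Returns the problem list."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, 'etc')
        rules = os.path.join(root, 'rules')
        engine_dir = os.path.join(root, 'lib', 'snort_dynamicengine')
        for folder in (etc, rules, engine_dir):
            os.makedirs(folder)
        open(os.path.join(rules, 'local.rules'), 'w').close()   # rules unpacked
        engine = os.path.join(engine_dir, 'sf_engine.dll')       # empty stand-in for the DLL
        open(engine, 'w').close()
        conf = '\n'.join([
            '# constructed snort.conf for the demo',
            'var RULE_PATH ../rules',
            f'dynamicengine {engine}',                                 # present
            'dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/'
            'libsf_dcerpc_preproc.so',                                 # stock Linux path
            'output database: alert, mysql, user=root password=111111 dbname=snort host=localhost',
            'include $RULE_PATH/local.rules',                          # present
            'include $RULE_PATH/missing.rules',                        # not unpacked
        ])
        return check_snort_conf(conf, etc)


if __name__ == '__main__':
    for problem in demo():
        print(problem)
```

Run it against the real file with check_snort_conf(open(r'c:\ids\snort\etc\snort.conf').read(), r'c:\ids\snort\etc') after step 17 and again after step 18; an empty list means the three startup errors above cannot occur.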