CentOS6u9 基于Snort+Barnyard2+Base的入侵检测系统搭建

简单说明:

本实验基于博文 https://www.cnblogs.com/zlslch/p/7306632.html 搭建测试
该IDS是基于LAMP架构的入侵检测系统,核心组件为Snort和Barnyard2以及Base
使用Snort做入侵检测并输出到alert文件
使用Barnyard2读取alert文件格式化输出到库
使用Base从库中读取数据进行展示
依据《CentOS6实验机模板搭建部署》克隆实验机进行部署测试

安装配置LAMP:

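# EPEL repository: the original enables it first because some of the PHP
# packages below (php-mcrypt, for one) are shipped there rather than in base
yum install -y epel-release

# LAMP stack: Apache, MySQL server plus client headers (Barnyard2 is built
# against them later), PHP and the extensions BASE uses
lamp_packages=(
  httpd mysql-server mysql-devel
  php php-mysql php-mbstring php-mcrypt php-gd
)
yum -y install "${lamp_packages[@]}"

# mcrypt library and headers for the php-mcrypt extension
yum -y install mcrypt libmcrypt libmcrypt-devel

# PEAR and the PEAR packages BASE expects.
# FIX: the original wrote "Numbers_Roman\" with no space before the
# line-continuation backslash; the shell removes backslash-newline outright,
# so pear was asked for one bogus package "Numbers_RomanImage_Graph-alpha".
# Listing the packages in an array makes that mistake impossible.
yum -y install php-pear
pear upgrade pear
pear channel-update pear.php.net
pear_packages=(
  mail mail_mime Numbers_Roman
  Image_Graph-alpha Image_Canvas-alpha Image_Color
)
pear install "${pear_packages[@]}"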

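# ADOdb, the PHP database layer BASE uses. Download it first:
#   https://sourceforge.net/projects/adodb/files/latest/download
# "unzip -d" extracts straight into the docroot, so there is no cd whose
# failure could leave us unpacking into the wrong directory.
unzip -q /tmp/adodb-5.20.12.zip -d /var/www/html || exit 1
mv /var/www/html/adodb5 /var/www/html/adodb

# BASE (Basic Analysis and Security Engine). Download it first:
#   https://sourceforge.net/projects/secureideas/files/latest/download
tar -xf /tmp/base-1.4.5.tar.gz -C /var/www/html || exit 1
mv /var/www/html/base-1.4.5 /var/www/html/base

# php.ini: replace whatever follows "error_reporting = E_ALL & " with
# "~E_NOTICE" so BASE's pages are not flooded with PHP notices
sed -i 's/^\(error_reporting = E_ALL & \).*$/\1 ~E_NOTICE/g' /etc/php.ini

# Docroot ownership. BASE's web setup (base/setup/index.php, run below)
# writes its configuration into the base directory, so that tree has to be
# writable by the httpd user. Nothing else under /var/www/html needs more
# than read access, and leaving it root-owned means a compromised PHP process
# cannot rewrite the served code.
# NOTE(review): the original ran "chown -R apache:apache /var/www/html" on the
# whole docroot; if some other path turns out to need write access, widen this
# deliberately rather than reverting to the blanket chown.
chown -R apache:apache /var/www/html/base

# ADOdb only has to be readable and traversable by the web server
chmod 755 /var/www/html/adodb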

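# MySQL: start the server and set a root password. With no value after
# "password", mysqladmin prompts for it, which keeps the secret out of the
# command line (the original passed it as an argument, where it is visible in
# ps output and shell history).
service mysqld start || exit 1
mysqladmin -uroot password

# Create the snort database and a least-privilege account for Barnyard2 and
# BASE. "-p" without a value prompts on the terminal, so the SQL can still be
# fed on stdin. The original pasted these statements after an interactive
# "mysql" call as if they were shell commands; as a script they would have
# failed with "command not found".
# NOTE: the snort account's password ('snort') is repeated in
# /etc/snort/barnyard2.conf and wherever BASE's setup page is given the
# database credentials -- change all of them together.
mysql -uroot -p <<'EOF' || exit 1
create database snort;
grant create,select,update,insert,delete
on snort.* to snort@localhost identified by 'snort';
flush privileges;
EOF

# Load Barnyard2's MySQL schema. The original takes this barnyard2-1.9
# tarball from the mirror named in the post it follows
# (http://pan.baidu.com/s/1mgzYhO8) and notes that the latest upstream
# release cannot be used here.
tar -xf /tmp/barnyard2-1.9.tar.gz -C /tmp || exit 1
mysql -usnort -p -Dsnort < /tmp/barnyard2-1.9/schemas/create_mysql || exit 1

# Apache: give it a ServerName (inserted after the commented example) so it
# stops warning at startup, then bring both services up for BASE
service mysqld restart
sed -i 's/^#ServerName .*$/&\nServerName 127.0.0.1/g' /etc/httpd/conf/httpd.conf
service httpd start || exit 1

# Finish BASE's configuration in a browser. The original left this URL on a
# bare line, which a shell would try to execute as a command:
#   http://192.168.77.200/base/setup/index.php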


安装配置Snort和Barnyard2:

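# Build dependencies shared by DAQ and Snort
yum -y install gcc flex bison tcpdump \
  zlib zlib-devel libpcap libpcap-devel \
  pcre pcre-devel libdnet libdnet-devel \
  autoconf automake libtool

# DAQ, Snort's packet acquisition library. Each step is checked so that a
# missing tarball or a failed configure stops here instead of letting
# "make install" run from whatever directory the shell happened to be in
# (the original chained bare cd/configure/make with no checks).
tar -xf /tmp/daq-2.0.6.tar.gz -C /tmp || exit 1
cd /tmp/daq-2.0.6 || exit 1
./configure || exit 1
make && make install || exit 1

# Rebuild the dynamic linker cache with /usr/local/lib included so the new
# libdaq is found. The cd the original did first is unnecessary: ldconfig
# takes the directory as an argument.
# NOTE(review): a directory given on the ldconfig command line is not
# remembered by later ldconfig runs; if Snort later fails to find libdaq,
# add /usr/local/lib to /etc/ld.so.conf.d/ instead.
ldconfig -v /usr/local/lib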

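# Snort itself, built the same way as DAQ above: every step checked so a
# failure cannot be followed by "make install" of a half-built tree
tar -xf /tmp/snort-2.9.11.1.tar.gz -C /tmp || exit 1
cd /tmp/snort-2.9.11.1 || exit 1
./configure --enable-sourcefire || exit 1
make && make install || exit 1

# Refresh the linker cache with /usr/local/lib included (see the DAQ step for
# why this does not persist across later ldconfig runs)
ldconfig -v /usr/local/lib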

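# Snort directory layout. "-p" creates /etc/snort along with its rules
# subdirectory and makes this block safe to re-run (the original's bare mkdir
# fails on the second run).
mkdir -p /etc/snort/rules /var/log/snort /usr/local/lib/snort_dynamicrules
# snort.conf references these reputation lists even when they are empty
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

# Stock configuration and map files from the source tree (absolute paths, so
# no cd that could silently fail)
snort_src_etc=/tmp/snort-2.9.11.1/etc
cp -av "$snort_src_etc"/gen-msg.map "$snort_src_etc"/threshold.conf \
  "$snort_src_etc"/classification.config "$snort_src_etc"/reference.config \
  "$snort_src_etc"/unicode.map "$snort_src_etc"/snort.conf /etc/snort/ || exit 1

snort_conf=/etc/snort/snort.conf

# Point each *_PATH variable at this host's directories in one sed pass.
# '|' is the delimiter because the replacements contain slashes. so_rules/
# and preproc_rules/ are expected to arrive with the snortrules snapshot
# extracted in the next step.
sed -i \
  -e 's|^\(var RULE_PATH\).*|\1 /etc/snort/rules|' \
  -e 's|^\(var SO_RULE_PATH\).*|\1 /etc/snort/so_rules|' \
  -e 's|^\(var PREPROC_RULE_PATH\).*|\1 /etc/snort/preproc_rules|' \
  -e 's|^\(var WHITE_LIST_PATH\).*|\1 /etc/snort/rules|' \
  -e 's|^\(var BLACK_LIST_PATH\).*|\1 /etc/snort/rules|' \
  "$snort_conf"

# Log directory: add an active "config logdir:" line right after the
# commented example
sed -i 's|^# config logdir:|&\nconfig logdir: /var/log/snort|' "$snort_conf"

# unified2 output, which Barnyard2 reads from /var/log/snort. The directive
# is inserted after the commented "# output unified2:" example.
# NOTE(review): if the stock snort.conf carries more than one such commented
# example this inserts the directive more than once; check with
#   grep -c '^output unified2:' /etc/snort/snort.conf
# (expected: 1) before running "snort -T".
sed -i 's|^# output unified2:.*$|&\noutput unified2: filename snort.log,limit 128|' "$snort_conf"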

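# Registered rule set (the 29111 snapshot is the one built for 2.9.11.1).
# Its rules/, so_rules/, preproc_rules/ and etc/ trees land directly under
# /etc/snort. Both steps are checked: a missing tarball would otherwise leave
# a half-configured ruleset and a confusing "snort -T" error.
tar -xf /tmp/snortrules-snapshot-29111.tar.gz -C /etc/snort/ || exit 1
# the snapshot ships its own sid-msg.map; put it next to snort.conf, where
# the rest of this setup looks for it
cp /etc/snort/etc/sid-msg.map /etc/snort/ || exit 1

# Validate the configuration without capturing anything:
#   -T  test mode: parse the configuration, load the rules, exit
#   -i  interface the configuration is validated against
#   -c  configuration file
# The run should end with:
#   Snort successfully validated the configuration!
#   Snort exiting
snort -T -i eth0 -c /etc/snort/snort.conf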

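# Build Barnyard2 against the MySQL client library (mysql-devel came with the
# LAMP stack). Each step is checked so a failed configure is never followed
# by "make install" of a half-built tree.
cd /tmp/barnyard2-1.9 || exit 1
./autogen.sh || exit 1
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/ || exit 1
make && make install || exit 1

# Runtime layout: Barnyard2's own log directory plus the "waldo" bookmark
# file it uses to track its position in Snort's unified2 spool
mkdir -p /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
cp -av /tmp/barnyard2-1.9/etc/barnyard2.conf /etc/snort || exit 1

# Append the site-specific settings. The quoted heredoc delimiter stops the
# shell from expanding anything inside.
# FIX: the original wrote "barnyard.waldo" here while creating (and passing
# with -w) "barnyard2.waldo"; the two names now agree.
cat >>/etc/snort/barnyard2.conf <<'EOF'
config logdir:    /var/log/barnyard2
config hostname:  localhost
config interface: eth0
config waldo_file:/var/log/snort/barnyard2.waldo
output database:  log, mysql, user=snort password=snort dbname=snort host=localhost
EOF

# The file now holds the database password in clear text; restrict it to
# root (this walkthrough starts Barnyard2 as root, so root-only is enough)
chmod 600 /etc/snort/barnyard2.conf

# Run Barnyard2 once in the foreground to confirm it can open the spool and
# reach the database:
#   -c  configuration file
#   -d  directory holding Snort's unified2 spool
#   -f  spool file base name
#   -w  waldo (bookmark) file
# "Waiting for new spool file" means the configuration works; stop the test
# with Ctrl+C.
barnyard2 -c /etc/snort/barnyard2.conf \
  -d /var/log/snort -f snort.log \
  -w /var/log/snort/barnyard2.waldo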

测试IDS:

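# A local rule that fires on any ICMP packet, so the whole pipeline can be
# exercised with a ping. Field by field:
#   alert        action taken when the rule matches
#   icmp         protocol
#   any any      source address (or network) and source port; any = wildcard
#   ->           direction
#   any any      destination address (or network) and destination port
#   msg          alert text, shown in BASE
#   sid          rule id; locally written rules use 1,000,000 and above
icmp_test_rule='alert icmp any any -> any any (msg: "IcmP Packet detected";sid:1000001;)'

# Append a rule to a rules file unless a rule with the same sid is already
# there. The original appended unconditionally, so running the walkthrough a
# second time left two copies of sid 1000001, which Snort reports as a
# duplicate rule at startup.
# Arguments: $1 - rules file, $2 - rule text (must contain "sid:NNN;")
# Returns:   0 if the rule is present afterwards, non-zero if it could not be written
add_local_rule() {
  local rules_file=$1
  local rule=$2
  local sid=${rule##*sid:}
  sid=${sid%%;*}
  if [[ -f "$rules_file" ]] && grep -qF -- "sid:${sid};" "$rules_file"; then
    return 0
  fi
  printf '%s\n' "$rule" >>"$rules_file"
}

# snort.conf is expected to include $RULE_PATH/local.rules (the stock 2.9
# configuration does); check that include first if the alert never reaches BASE
add_local_rule /etc/snort/rules/local.rules "$icmp_test_rule" \
  || printf '%s\n' "warning: could not write /etc/snort/rules/local.rules" >&2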

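# Bring the stack up: database and web front end first
service mysqld restart || exit 1
service httpd restart || exit 1

# Start Barnyard2 before Snort so it is already watching the spool directory
# when the first unified2 records are written; -D daemonises both
barnyard2 -c /etc/snort/barnyard2.conf \
  -d /var/log/snort -f snort.log \
  -w /var/log/snort/barnyard2.waldo -D
snort -c /etc/snort/snort.conf -i eth0 -D

# Send a few ICMP packets for the test rule. "-c 4" stops after four
# packets; without it ping on Linux runs until interrupted (the original
# needed a Ctrl+C here).
# NOTE(review): run this from another machine on the network. From the IDS
# host itself, packets to its own address stay on the loopback interface and
# never cross eth0, where Snort is listening.
ping -c 4 192.168.77.200
# Then look for the alerts at http://192.168.77.200/base/base_main.php

# Stop the IDS. Snort goes first so Barnyard2 can drain what has already been
# written; the default SIGTERM lets both exit cleanly and gives Barnyard2 a
# chance to update its waldo bookmark, which the original's "killall -9"
# never allowed.
killall snort
killall barnyard2
service mysqld stop
service httpd stop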

