To meet the company's information-security requirements, I set up a network intrusion detection system (NIDS) last week. Today I am writing down the installation process for my own future reference and for other friends.
In getting this NIDS installed and in writing this post I consulted many related documents online; I will not list them individually, but many thanks to all the predecessors for their selfless contributions.
Operating system: Red Hat Enterprise Linux 5.4
Web server: Apache httpd-2.2.15
Download: http://dev.mysql.com/downloads/mysql/
# tar -zxvf mysql-5.1.46.tar.gz    // unpack
# cd mysql-5.1.46                  // enter the unpacked directory
# ./configure --prefix=/usr/local/mysql \
    --enable-thread-safe-client \
    --without-debug
    // --prefix sets the installation directory, --enable-thread-safe-client builds the thread-safe client library, --without-debug turns off debugging
# make && make install             // build and install
# /usr/local/mysql/bin/mysql_install_db           // initialise the grant tables
# chown -R root /usr/local/mysql                  // change file ownership to the root user
# chgrp -R root /usr/local/mysql                  // change group ownership to root's group
# /usr/local/mysql/bin/mysqld_safe --user=root &  // start MySQL
# /usr/local/mysql/bin/mysqladmin -u root password '123456'    // set the root user's password to 123456
Note: if, after installing Snort, the configuration test complains that the following files cannot be found: libmysqlclient.so.16 and mysql.sock
Method 1: # vi /etc/ld.so.conf    add the following two lines to this file
/usr/local/mysql/lib/mysql
# ldconfig    // rebuild the shared-library cache so the new directory is searched
Method 2: # ln -s /usr/local/mysql/lib/mysql/libmysqlclient.so.16 /usr/local/lib/libmysqlclient.so.16
# ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock
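The note above gives two ways to make libmysqlclient.so.16 and mysql.sock findable. As an added example (not part of the original post), the shell functions below make the method-1 edit to ld.so.conf idempotent, so running it twice never duplicates the entry, and add a pre-flight check that reports which of the two pieces is still missing before Snort is tested. The library directory and socket path default to the ones used in the post; ldconfig is only invoked when the real /etc/ld.so.conf is being edited, and the demo at the bottom works on a throw-away copy.

```shell
#!/bin/sh
# Added example, not from the original post. Paths default to the ones used
# in the post (/usr/local/mysql/lib/mysql and /tmp/mysql.sock).

# add_ld_path CONF_FILE LIB_DIR
# Append LIB_DIR to CONF_FILE unless an identical line is already present.
add_ld_path() {
    conf=$1; dir=$2
    grep -qxF "$dir" "$conf" 2>/dev/null || printf '%s\n' "$dir" >> "$conf"
}

# ld_path_count CONF_FILE LIB_DIR: print how many times LIB_DIR is listed.
ld_path_count() {
    grep -cxF "$2" "$1" 2>/dev/null || true
}

# apply_mysql_ld_fix CONF_FILE
# Method 1 from the post: register the MySQL library directory with the
# dynamic loader. ldconfig only runs for the real system file (needs root).
apply_mysql_ld_fix() {
    add_ld_path "$1" /usr/local/mysql/lib/mysql
    if [ "$1" = /etc/ld.so.conf ]; then
        ldconfig
    fi
}

# mysql_runtime_check LIB_NAME SOCKET
# Report what Snort's MySQL output plugin will fail to find: a client library
# the dynamic loader cannot resolve, or a missing server socket. Returns 0
# when both are present, 1 otherwise, naming the method from the post to apply.
mysql_runtime_check() {
    libname=$1; sock=$2; rc=0
    if ! ldconfig -p 2>/dev/null | grep -q "$libname"; then
        echo "loader cannot find $libname: apply method 1 (ld.so.conf + ldconfig) or the library symlink from method 2"
        rc=1
    fi
    if [ ! -S "$sock" ]; then
        echo "no socket at $sock: start mysqld, or apply the mysql.sock symlink from method 2"
        rc=1
    fi
    return $rc
}

# Demo on a constructed copy of ld.so.conf so nothing on the system changes.
tmp=$(mktemp -d)
printf 'include ld.so.conf.d/*.conf\n' > "$tmp/ld.so.conf"
apply_mysql_ld_fix "$tmp/ld.so.conf"
apply_mysql_ld_fix "$tmp/ld.so.conf"    # second run is a no-op
echo "entries for the mysql lib dir: $(ld_path_count "$tmp/ld.so.conf" /usr/local/mysql/lib/mysql)"   # 1
mysql_runtime_check libmysqlclient.so.16 /tmp/mysql.sock || echo "fix the items above before testing snort"
rm -rf "$tmp"
```

Run `mysql_runtime_check libmysqlclient.so.16 /tmp/mysql.sock` after starting mysqld; a clean exit means the Snort test later in the post will not hit either of the two errors the note describes.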
Download: http://httpd.apache.org/download.cgi
# tar -zxvf httpd-2.2.15.tar.gz
# cd httpd-2.2.15
# ./configure --prefix=/usr/local/apache --enable-module=most --enable-shared=max --enable-so
# make && make install
# /usr/local/apache/bin/apachectl start    // start Apache
Download: http://www.php.net/downloads.php
# tar -zxvf php-5.2.13.tar.gz
# cd php-5.2.13
# ./configure --prefix=/usr/local/php \
    --with-mysql=/usr/local/mysql --with-apxs2=/usr/local/apache/bin/apxs --with-zlib --with-gd --enable-sockets --disable-debug
# make && make install
# cp php.ini-dist /usr/local/php/lib/php.ini
5. Configure Apache's httpd.conf and test
1. Edit /usr/local/apache/conf/httpd.conf
Append index.php to the DirectoryIndex directive
After the existing AddType application lines add the following two lines
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
# /usr/local/apache/bin/apachectl restart
If the PHP information appears, Apache+PHP+MySQL is configured successfully; check that gd and mysql support are listed in it
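As an added example (not from the original post), the script below applies the two httpd.conf edits from step 1 idempotently, so re-running it after an upgrade does not duplicate the AddType lines or the index entry, and drops a small PHP page that prints phpinfo() for the check described above. The file paths are the ones used in the post; the test page name phptest.php is my own choice, and the page is meant to be deleted once the gd and mysql entries have been confirmed, because it lists the server's full configuration to anyone who can reach it.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotent httpd.conf edits for
# PHP plus a throw-away phpinfo() page; paths follow the post, phptest.php is
# an assumed name.

# ensure_line FILE LINE: append LINE unless an identical line already exists.
ensure_line() {
    grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# add_php_handlers HTTPD_CONF
# Hand .php to PHP and serve .phps as highlighted source (the post's two lines).
add_php_handlers() {
    ensure_line "$1" 'AddType application/x-httpd-php .php'
    ensure_line "$1" 'AddType application/x-httpd-php-source .phps'
}

# add_php_index HTTPD_CONF
# Append index.php to the DirectoryIndex directive, adding the directive if
# the file has none, and leaving it alone when index.php is already listed.
add_php_index() {
    f=$1
    if ! grep -q '^DirectoryIndex ' "$f" 2>/dev/null; then
        printf 'DirectoryIndex index.php\n' >> "$f"
    elif ! grep -q '^DirectoryIndex .*index\.php' "$f"; then
        sed 's/^DirectoryIndex .*/& index.php/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
}

# directory_index HTTPD_CONF: print the effective DirectoryIndex line.
directory_index() {
    grep '^DirectoryIndex ' "$1" | tail -n 1
}

# write_phpinfo_page DOCROOT
# Create the test page and print its path. Remove it after the check: it
# reveals paths, loaded modules and build options of the server.
write_phpinfo_page() {
    printf '<?php phpinfo(); ?>\n' > "$1/phptest.php"
    echo "$1/phptest.php"
}

# Demo on a constructed httpd.conf in a temporary directory.
tmp=$(mktemp -d)
printf 'DirectoryIndex index.html\nAddType application/x-compress .Z\n' > "$tmp/httpd.conf"
add_php_index "$tmp/httpd.conf"
add_php_handlers "$tmp/httpd.conf"
add_php_handlers "$tmp/httpd.conf"        # second run adds nothing
directory_index "$tmp/httpd.conf"         # DirectoryIndex index.html index.php
grep -c 'x-httpd-php' "$tmp/httpd.conf"   # 2
page=$(write_phpinfo_page "$tmp")
echo "open http://<your host>/$(basename "$page"), check the gd and mysql sections, then delete $page"
rm -rf "$tmp"
```

On the real server, point the functions at /usr/local/apache/conf/httpd.conf and /usr/local/apache/htdocs, restart Apache as in the post, and remove phptest.php once the gd and mysql sections have been seen.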
Download: http://sourceforge.net/projects/pcre/files/
# tar -zxvf pcre-8.02.tar.gz
Download: http://down1.chinaunix.net/distfiles/snort-2.4.5.tar.gz
# tar -zxvf snort-2.4.5.tar.gz
# cd snort-2.4.5
# ./configure --with-mysql
# make && make install
# mkdir /etc/snort     // create the snort directory
# cp * /etc/snort      // copy the configuration files
Package snortrules-pr-2.4.tar.gz
Download: http://down1.chinaunix.net/distfiles/snortrules-pr-2.4.tar.gz
# tar -zxvf snortrules-pr-2.4.tar.gz
# mkdir /etc/snort/rules    // create the snort rules directory
# mkdir /var/log/snort      // create the snort log directory
# cp * /etc/snort/rules     // copy the rules
4. Edit /etc/snort/snort.conf
Change to var HOME_NET 192.168.6.0/24    // your actual working subnet
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
output database: log, mysql, user=root password=<mysql password> dbname=snort host=localhost
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
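The edits in step 4 leave snort.conf holding the database password, and a typo in any include line only surfaces when snort is started. As an added example (not part of the original post), the functions below make the three edits repeatable, tighten the file's permissions once the password is in it, and check that every enabled include resolves to an existing file under RULE_PATH before snort is run; commented-out includes such as the `# include` lines above are ignored. The database user snort and the password placeholder are assumptions, the post itself logs in as root; the demo runs on a constructed snort.conf in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Repeatable snort.conf edits plus
# a pre-start check of the include lines. User "snort" and the password
# placeholder are assumptions; values must not contain "|" or "&".

# set_snort_var FILE NAME VALUE
# Rewrite "var NAME ..." in FILE to "var NAME VALUE", adding it if absent.
set_snort_var() {
    f=$1; name=$2; value=$3
    if grep -q "^var $name " "$f"; then
        sed "s|^var $name .*|var $name $value|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'var %s %s\n' "$name" "$value" >> "$f"
    fi
}

# set_snort_db_output FILE USER PASSWORD DBNAME HOST
# Replace (or add) the "output database:" line that logs alerts to MySQL.
set_snort_db_output() {
    f=$1
    line="output database: log, mysql, user=$2 password=$3 dbname=$4 host=$5"
    if grep -q '^output database:' "$f"; then
        sed "s|^output database:.*|$line|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s\n' "$line" >> "$f"
    fi
    # The file now carries a database password: keep it readable by root only.
    chmod 600 "$f"
}

# check_snort_includes FILE
# Print every enabled include whose rule file is missing under RULE_PATH.
# Returns 0 when all resolve, 1 otherwise. "# include" lines are not enabled.
check_snort_includes() {
    f=$1
    rule_path=$(sed -n 's/^var RULE_PATH *//p' "$f" | tail -n 1)
    missing=0
    for rule in $(sed -n 's/^include *\$RULE_PATH\///p' "$f"); do
        if [ ! -f "$rule_path/$rule" ]; then
            echo "missing rule file: $rule_path/$rule"
            missing=1
        fi
    done
    return $missing
}

# Demo on a constructed snort.conf: one rule file present, one missing.
demo=$(mktemp -d)
cat > "$demo/snort.conf" <<'EOF'
var HOME_NET any
var RULE_PATH ../rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
include $RULE_PATH/web-attacks.rules
EOF
mkdir -p "$demo/rules"
touch "$demo/rules/virus.rules"
set_snort_var "$demo/snort.conf" HOME_NET 192.168.6.0/24
set_snort_var "$demo/snort.conf" RULE_PATH "$demo/rules"
set_snort_db_output "$demo/snort.conf" snort 'REPLACE_WITH_DB_PASSWORD' snort localhost
cat "$demo/snort.conf"
check_snort_includes "$demo/snort.conf" || echo "fix the includes above before starting snort"
rm -rf "$demo"
```

Against the real file, call the functions on /etc/snort/snort.conf with the subnet, rules directory and database values from the post; `check_snort_includes` returning 0 means every enabled include will load, so a later start-up failure points at something other than the rule paths.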
mysql> create database snort;
mysql> grant INSERT,SELECT on snort.* to root@localhost;
# mysql -u root -p snort < /usr/local/snort-2.4.5/schemas/create_mysql    // create the tables for snort
Enter password:    // enter the root password
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.46 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
16 rows in set (0.00 sec)
mysql> exit;
1. Package acid-0.9.6b23.tar.gz
Download: http://acidlab.sourceforge.net/
Download: http://sourceforge.net/projects/adodb/files/
Download: http://sourceforge.net/projects/jpgraph/files/
Put acid-0.9.6b23.tar.gz, adodb511.tgz and jpgraph-1.16.tar.gz into the web root, which here is /usr/local/apache/htdocs
# cd /usr/local/apache/htdocs
# tar -zxvf jpgraph-1.16.tar.gz
# mv jpgraph-1.16 jpgraph
# tar -zxvf acid-0.9.6b23.tar.gz
3. Edit /usr/local/apache/htdocs/acid/acid_conf.php
Change $DBlib_path = ""; to $DBlib_path = "/usr/local/apache/htdocs/adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_password = "test";      // change to your database password
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_password = "test";    // change to your database password
Change $ChartLib_path = ""; to $ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";
# /usr/local/apache/bin/apachectl restart
# snort -c /etc/snort/snort.conf
Open http://<your host address>/acid/acid_main.php, click the "Setup Page" link -> Create Acid AG
Then visit http://<your host address>/acid/ and the ACID interface appears
Run some scanning tools against the host; this produces alert records, which can be viewed by opening acid
Apache+php+MySQL+Snort+acid on RHEL 5.4 is now configured; here are a few screenshots to show it off