Difference between revisions of "UbuntuHelp:SnortIDS"

From Ubuntu中文
{{From|https://help.ubuntu.com/community/SnortIDS}}
{{Languages|UbuntuHelp:SnortIDS}}
Latest revision as of 20:38, 17 November 2009

Introduction

An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.

An IDS differs from a firewall in that a firewall inspects the traffic and stops it based upon user-specified rules. An IDS, on the other hand, inspects and evaluates the traffic to determine whether it is suspicious, and may raise alerts based upon that analysis.

There are multiple locations where an IDS can be placed. The following are two example placements. Our first example shows the IDS behind our firewall. Data coming into the Local Area Network (LAN) is mirrored to the port the IDS is connected to. The interface on the IDS is in promiscuous mode, allowing it to inspect all traffic.

[Image: ids_mirror_firewall.png]

Our second example is our workstation acting as an IDS.

[Image: ids_workstation.png]

Both of the above examples monitor our firewall to ensure no suspicious traffic is on the LAN. As previously stated, there are multiple locations where an IDS can be deployed. An additional scenario would be an IDS in front of the firewall and an IDS behind the firewall. This will allow you to know what suspicious traffic is coming in on the Wide Area Network (WAN) and what suspicious traffic made it through the firewall.

In this tutorial we will install and configure an IDS.

Prerequisites

System Setup

To begin, set up an Ubuntu 9.04 (Jaunty Jackalope) system. In this guide, Ubuntu will be set up in a virtual environment using KVM-84. To ease the visualization of Snort related data, we will install a web-based front end. The Analysis Console for Intrusion Detection (ACID) will serve this purpose.

LAMP Server

Once your operating system is installed, install the LAMP suite:

sudo tasksel install lamp-server

Please note: you will be prompted to create a MySQL root password during the installation process.

[Image: lamp_install.png]

The LAMP suite not only serves as an HTTP server for ACID, but will also serve as the MySQL backend for Snort.

SNORT

SNORT Database

Create the database to be used by Snort.

mysql -u root -p
create database snort;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
quit

SNORT Install

Install Snort:

sudo apt-get -y install snort-mysql

Please note: you will be prompted to enter the IP address range of the local network in Classless Inter-Domain Routing (CIDR) format.

[Image: local_net_address_range.png]

At the end of Snort's installation routine, you will be asked whether you wish to set up a database for use with Snort. Choose no; we will manually configure Snort to connect to the database created above. You will then receive a warning similar to the following:

Snort will not start as its database is not yet configured.

SNORT Configuration

Update our database with the Snort table structure.

pushd /usr/share/doc/snort-mysql
sudo zcat create_mysql.gz | mysql -u snort -p snort
# The syntax is: mysql -u <username> -p <prompt for password> <database>
popd

Modify the Snort configuration file to include our MySQL specific information.

sudo sed -i "s/output\ log_tcpdump:\ tcpdump.log/#output\ log_tcpdump:\ tcpdump.log\noutput\ database:\ log,\ mysql, user=snort password=password dbname=snort host=localhost/" /etc/snort/snort.conf

On the reference system the matched line was at line 786 of /etc/snort/snort.conf. The snippet simply comments out the tcpdump log output and appends an output line for our database. Next, remove the pending Snort database configuration file that the installer left behind.

sudo rm -rf /etc/snort/db-pending-config

Start the Snort service.

sudo /etc/init.d/snort start

Verify that the Snort daemon started successfully.

sudo /etc/init.d/snort status
tail /var/log/daemon.log
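The sed one-liner above silently does nothing if the tcpdump line is not exactly where the package put it. As an added example (not code from the wiki page), here is an idempotent shell version of that edit together with a check to run before starting the service; it assumes Ubuntu's snort-mysql layout (GNU sed, the `output log_tcpdump:` and `output database:` directives) and ends with a constructed two-line stand-in for snort.conf.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu wiki page: an idempotent version of the
# sed step above, plus a check that the edit took before 'snort start'.
# Assumes the snort-mysql layout on Ubuntu (GNU sed, snort.conf directives
# 'output log_tcpdump:' and 'output database:'). Try it on a copy first.

# enable_mysql_output CONF USER PASSWORD DBNAME HOST
# Comments out every active tcpdump logger and appends one MySQL output line
# unless an active one is already present, so running it twice is harmless.
enable_mysql_output() {
    conf="$1"; user="$2"; pass="$3"; db="$4"; host="$5"
    sed -i 's/^[[:space:]]*\(output[[:space:]]\{1,\}log_tcpdump:\)/#\1/' "$conf"
    if ! grep -Eq '^[[:space:]]*output[[:space:]]+database:[[:space:]]*log,[[:space:]]*mysql,' "$conf"; then
        printf 'output database: log, mysql, user=%s password=%s dbname=%s host=%s\n' \
            "$user" "$pass" "$db" "$host" >> "$conf"
    fi
    chmod 640 "$conf"   # the file now holds the database password in clear text
}

# mysql_output_ok CONF: succeeds only if no tcpdump logger is active, exactly
# one MySQL output line is active, and that line carries every connection key.
mysql_output_ok() {
    conf="$1"
    if grep -Eq '^[[:space:]]*output[[:space:]]+log_tcpdump:' "$conf"; then
        echo "tcpdump output still active in $conf" >&2; return 1
    fi
    n=$(grep -Ec '^[[:space:]]*output[[:space:]]+database:[[:space:]]*log,[[:space:]]*mysql,' "$conf" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected 1 active mysql output line in $conf, found $n" >&2; return 1
    fi
    for key in user= password= dbname= host=; do
        if ! grep -E '^[[:space:]]*output[[:space:]]+database:' "$conf" | grep -q "$key"; then
            echo "mysql output line lacks $key" >&2; return 1
        fi
    done
}

# Constructed two-line stand-in for /etc/snort/snort.conf (not a real config).
sample_conf() {
    f=$(mktemp)
    printf 'output alert_syslog: LOG_AUTH LOG_ALERT\noutput log_tcpdump: tcpdump.log\n' > "$f"
    echo "$f"
}
```

Against the real file, run `enable_mysql_output /etc/snort/snort.conf snort password snort localhost` and then `mysql_output_ok /etc/snort/snort.conf` before `sudo /etc/init.d/snort start`.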

ACID

ACID Installation

Next we will install a web front-end (ACID) to monitor Snort's output.

sudo apt-get -y install acidbase

During the installation process for acidbase, you will be prompted to configure a database for acidbase. Choose yes and use MySQL as the database type. You will be prompted for the password of the database administrator. This is the same password we used when MySQL was initially installed with the LAMP stack.

[Image: acidbase_install.png]

Upon entering the database administrator password, you will be prompted to create a MySQL password for acidbase to connect to the database. In this tutorial I will use the same password as the snort user.

ACID Configuration

When installed, the acidbase web front-end is configured to only allow access from the localhost. Modify acidbase's HTTP configuration to allow other workstations to connect.

sudo sed -i "s#allow\ from\ 127.0.0.0/255.0.0.0#allow\ from\ 127.0.0.0/255.0.0.0\ 10.10.1.10/255.255.255.0#" /etc/acidbase/apache.conf

In the above snippet, I am allowing access to acidbase from my desktop, which has IP address 10.10.1.10/24 (note that the 255.255.255.0 mask admits the whole 10.10.1.0/24 subnet, not only that host). Restart Apache for the acidbase configuration change to take effect.

sudo /etc/init.d/apache2 restart

The final configuration step is to open the acidbase web front-end's setup page: http://snort.home.local/acidbase/base_db_setup.php

Choose the button labelled "Create BASE AG", and new tables to support acidbase will be added to our Snort database. You can then return to the main page: http://snort.home.local/acidbase/base_main.php
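Because a netmask in an `allow from` entry opens the console to a whole subnet, it is worth checking the access list before exposing acidbase. The following is an added example (not from the wiki page or the acidbase package): a shell function that lists every `allow from` entry admitting more than one host, run over two constructed stand-ins for /etc/acidbase/apache.conf, one as the sed above leaves it and one narrowed to the single workstation. It assumes the Apache 2.2 `Order`/`Allow`/`Deny` syntax the page's sed command targets.

```shell
#!/bin/sh
# Added example, not from the wiki page: list 'allow from' entries in an
# Apache 2.2 access-control file that admit more than one host. Assumes the
# 2.2 'Order/Allow/Deny' syntax (the one the sed step above edits), not the
# 'Require' syntax of Apache 2.4. Prints one line per broad entry; returns 0
# only when every entry is a single host.
broad_allow_entries() {
    awk '
        tolower($1) == "allow" && tolower($2) == "from" {
            for (i = 3; i <= NF; i++) {
                tok = $i
                # Single host: bare IPv4 with no mask, or a /32 or 255.255.255.255 mask.
                if (tok ~ /^[0-9.]+$/ || tok ~ /\/32$/ || tok ~ /\/255\.255\.255\.255$/) continue
                print FILENAME ":" NR ": " tok; broad = 1
            }
        }
        END { exit (broad ? 1 : 0) }' "$1"
}

# Constructed stand-ins for /etc/acidbase/apache.conf (not the package's real
# file): the access list as the sed above leaves it, and a narrowed version
# that admits only the loopback address and the single workstation.
subnet_conf() {
    f=$(mktemp)
    printf 'order deny,allow\ndeny from all\nallow from 127.0.0.0/255.0.0.0 10.10.1.10/255.255.255.0\n' > "$f"
    echo "$f"
}
host_conf() {
    f=$(mktemp)
    printf 'order deny,allow\ndeny from all\nallow from 127.0.0.1 10.10.1.10\n' > "$f"
    echo "$f"
}
```

Run `broad_allow_entries /etc/acidbase/apache.conf` after the edit; a non-zero exit and the printed entries tell you the console is reachable from more than the intended workstation.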

Test IDS

To test Snort and acidbase, perform a portscan of the Snort host.

sudo nmap -p1-65535 -sV -sS -O snort.home.local

Refresh the acidbase web interface and you should see the results of your port scan.

Further

Oinkmaster

The installation of Snort comes with the analysis rules available in the repository. I suggest you sign up to receive updated rules at the Snort web site (http://www.snort.org). You can then configure oinkmaster (a script that will help you update and manage your Snort rules) to automate the rule update process.