September 3, 2002
▽[PC] snort
Trying out an IDS, so I'm installing one.
- libpcap
$ tar zxvf libpcap-0.7.1.tar.gz
$ cd libpcap-0.7.1
$ ./configure
$ make
$ su
# make install
# exit
- snort
$ tar zxvf snort-1.8.7.tar.gz
$ cd snort-1.8.7
$ ./configure
$ make
$ su
# make install
# mkdir /etc/snort
# cp classification.config snort.conf *.rules /etc/snort/
- Configuration, log directory, and a dedicated user
# vi /etc/snort/snort.conf
------------------------------------------------------------
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP 192.168.0.1/32
var HTTP_SERVERS 192.168.0.1/32
var SQL_SERVERS 192.168.0.1/32
var DNS_SERVERS 192.168.0.1/32
------------------------------------------------------------
# mkdir /var/log/snort
# chmod 700 /var/log/snort
# groupadd snort
# useradd -g snort -d /dev/null -c "Snort User" -s /bin/false snort
# chown -R snort.snort /etc/snort /var/log/snort
- Starting it
# /usr/local/bin/snort -Dd -A full -c /etc/snort/snort.conf -u snort -g snort
# exit
- SnortSnarf
$ tar zxvf SnortSnarf-020516.1.tar.gz
$ cd SnortSnarf-020516.1/Time-modules/
$ perl Makefile.PL
$ make
$ su
# make install
# cd ../
# mkdir /usr/local/snortsnarf
# mv snortsnarf.pl /usr/local/snortsnarf
# mv ./include /usr/local/snortsnarf
# mkdir /usr/local/apache/htdocs/snort
- Running it
# cd /usr/local/snortsnarf
# ./snortsnarf.pl -d /var/www/html/snort /var/log/snort/alert /var/log/snort/portscan.log
Having done all that, I realize the box is locked down tight with ipchains.... I get the feeling almost nothing gets through. Oh well (heh).
-
# vi /etc/crontab
------------------------------------------------------------
30 2 * * * cd /usr/local/snortsnarf; ./snortsnarf.pl -d \
/usr/local/apache/htdocs/snort /var/log/snort/alert \
/var/log/snort/portscan.log
------------------------------------------------------------
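What SnortSnarf does with /var/log/snort/alert in the cron job above is roll the alerts up by signature and by source host. As an added example (not from the original post, and not Snort's or SnortSnarf's own code), the Python below performs the same rollup over a constructed sample of the file Snort writes with -A full, and also counts how many alerts came from outside the HOME_NET declared in snort.conf above. The sample sids (local 1000000+ range), addresses and timestamps are constructed; the record layout follows Snort 1.8's full alert format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
HOME_NET = ip_network("192.168.0.0/24")  # as declared in the snort.conf above

# Constructed sample of a Snort "-A full" alert file (no real traffic; sids in the local 1000000+ range).
SAMPLE_ALERTS = """\
[**] [1:1000001:1] LOCAL constructed web probe [**]
[Classification: Web Application Attack] [Priority: 1]
09/03-02:15:41.123456 10.1.2.3:4321 -> 192.168.0.1:80
TCP TTL:113 TOS:0x0 ID:27403 IpLen:20 DgmLen:112 DF

[**] [1:1000001:1] LOCAL constructed web probe [**]
[Classification: Web Application Attack] [Priority: 1]
09/03-02:16:02.654321 10.1.2.3:4322 -> 192.168.0.1:80
TCP TTL:113 TOS:0x0 ID:27404 IpLen:20 DgmLen:112 DF

[**] [1:1000002:1] LOCAL constructed ICMP sweep [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/03-03:01:10.000001 192.168.0.77 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
FLOW = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$")  # ICMP lines carry no ports

def parse_alerts(text):
    """One dict per blank-line-separated record; a record missing its header or flow line is dropped."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        alert = {}
        for line in record.splitlines():
            if m := HEADER.match(line):
                alert["sid"], alert["msg"] = int(m.group(2)), m.group(4)
            elif m := CLASS.match(line):
                alert["classification"], alert["priority"] = m.group(1), int(m.group(2))
            elif m := FLOW.match(line):
                alert["src"], alert["dst"] = m.group(1), m.group(2)
        if "msg" in alert and "src" in alert:
            alerts.append(alert)
    return alerts

def summarize(alerts):
    """SnortSnarf-style rollup: hits per signature and per source, plus alerts whose source is outside HOME_NET."""
    external = sum(1 for a in alerts if ip_address(a["src"]) not in HOME_NET)
    return {"by_signature": Counter(a["msg"] for a in alerts),
            "by_source": Counter(a["src"] for a in alerts), "external": external}

print(summarize(parse_alerts(SAMPLE_ALERTS)))
```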
Well, that's about it. Incidentally, here is what I'm using as a reference. Next time: updating the rule set.
Posted by Rust Stnard at 00:00