Snort+IPTables的一个主动防火墙
时间:2007-03-16 来源:zzymonk
Snort 是一个开源的轻量级入侵监测系统,可以监测网络上的异常情况,给出报告;
Guardian是基于Snort+IPTables的一个主动防火墙,它分析Snort的日志文件,根据一定的判据自动将某些恶意的IP自动加入IPTables的输入链,将其数据包丢弃。
我自使用Snort+Guardian以来,每天可以看到很多的恶意行为被终止,心里很是高兴!
推荐大家使用!
安装步骤:
1)安装Snort:
*现在Snort & Guardian,目前下载地址为:
http://www.snort.org/dl/old/snort-2.3.2.tar.gz
http://www.snort.org/dl/contrib/other_tools/guardian/guardian-1.6.tar.gz
*将上述文件拷贝至/tmp
*tar zxvf *.tgz
*cd snort-2.3.0RC2
*./configure
*make
*make install
*mkdir /etc/snort
*cd /etc/snort
*wget http://www.snort.org/pub-bin/oinkmaster.cgi/c752f561a53ebeb9c9b0b9a3954eade7fc220fe1/snortrules-snapshot-2.3.tar.gz
* tar zxvf snortrules-snapshot-CURRENT.tar.gz
*mkdir /var/log/snort
*cd /etc
l cp 安装目录下的snort.conf 到/etc/snort.conf
*vi snort.conf
修改后一些关键设置如下:
var HOME_NET yournetwork
var RULE_PATH /etc/snort/rules
preprocessor http_inspect: global \
iis_unicode_map /etc/snort/rules/unicode.map 1252
include /etc/snort/rules/reference.config
include /etc/snort/rules/classification.config
如:yournetwork 220.8.0.0/16
同时,可以选择将类似
include $RULE_PATH/local.rules
等,前面的#号去掉,设置自己的规则集
vi /etc/ini.d/snort
********************
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops the snort intrusion detection system
#
# config: /etc/snort/snort.conf
# processname: snort
# Source function library
. /etc/rc.d/init.d/functions
BASE=snort
DAEMON="-D"
INTERFACE="-i eth0"
CONF="/etc/snort/snort.conf"
# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
RETVAL=0
# See how we were called.
case "$1" in
start)
if [ -n "`/sbin/pidof $BASE`" ]; then
echo -n $"$BASE: already running"
echo ""
exit $RETVAL
fi
echo -n "Starting snort service: "
/usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
sleep 1
action "" /sbin/pidof $BASE
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
;;
stop)
echo -n "Shutting down snort service: "
killproc $BASE
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
;;
restart|reload)
$0 stop
$0 start
RETVAL=$?
;;
status)
status $BASE
RETVAL=$?
;;
*)
echo "Usage: snort {start|stop|restart|reload|status}"
exit 1
esac
exit $RETVAL
chkconfig –add snort
* 将上一条命令写入/etc/rc.d/rc.local
2)安装guardian---需要perl支持
* cd /tmp
* tar zxvf guardian-1.6.tar.gz
* cd guardian-1.6
* echo > /etc/guardian.ignore
* cp guardian.pl /usr/local/bin/.
* cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
* cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
* cp guardian.conf /etc/.
* vi /etc/guardian.conf
如下:
HostGatewayByte 1
# guardian的日志文件
LogFile /var/log/guardian.log
#guardian从何处读取snort的日志
AlertFile /var/log/snort/alert
#将你需要忽略的IP放在此文件中
IgnoreFile /etc/guardian.ignore
# 封锁IP的最长时间,99999999为没有时限
TimeLimit 86400
* /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/guardian.conf
* 将上一条命令加入 /etc/rc.d/rc.local
至此,完成设置
注意:
1)snort的规则文件经常更新,可以使用如下脚本自动更新:
#!/bin/sh
cd /etc/snort
wget http://www.snort.org/pub-bin/oinkmaster.cgi/c752f561a53ebeb9c9b0b9a3954eade7fc220fe1/snortrules-snapshot-2.3.tar.gz
tar zxvf snortrules-snapshot-2.3.tar.gz
exit 0
*将上述脚本存为snortupdate,并放置到/etc/cron.daily/下,可以每天更新一次;
2)guardian有时会自动退出,可以使用如下脚本解决:
#!/bin/sh
/usr/local/bin/killguardian
/usr/local/bin/guardian.pl -c /etc/guardian.conf
exit 0
将上述脚本存为restartguardian,放置到/usr/local/bin
同时,crontab -e,加入如下一句:
* */6 * * * /usr/local/bin/restartguardian
意思为:每6小时重新启动guardian
perl -MCPAN -e shell
l install Proc::ProcessTable
脚本:killguardian
#!/usr/bin/perl
#杀死当前guardian.pl进程,需要安装perl module Proc::ProcessTable
l #访问http://www.cpan.org可以获得上述module
use Proc::ProcessTable;
$t = new Proc::ProcessTable;
foreach $p (@{$t->table})
{
kill 9, $p->pid if $p->cmndline =~ 'guardian.pl';
}
Garfield
A lazy, fat CAT I am!
Snort是一个轻便的网络入侵检测系统,可以完成实时流量分析和对网络上的IP包登录进行测试等功能,能完成协议分析,内容查找/匹配,能用来探测多种攻击和嗅探(如缓冲区溢出、秘密断口扫描、CGI攻击、SMB嗅探、拇纹采集尝试等)。
前提:Apache要支持PHP,这样我们才能在浏览器上通过acid分析日志,喜欢看文本日志的除外more /var/log/snort/alert
需要的软件包:
①httpd-2.0.52.tar.gz,http://httpd.apache.org/download.cgi
②mysql-standard-4.1.9-pc-linux-gnu-i686.tar.gz,
http://dev.mysql.com/get/Downloads/MySQL-4.1/mysql-standard-4.1.9-pc-linux-gnu-i686.tar.gz/from/pick
③php-4.3.10.tar.gz,http://www.php.net/downloads.php
④snort+acid+adodb+jpgraph+libpcap+pcre这些包我已经打包好放我网站里了,地址:
http://www.grlinux.net/squall/snort_soft.tar.bz2
apache+mysql+php这里不介绍了,不清楚的到我那拿PDF的吧。
(这里说明一下,最新的snort-2.3.3.tar.gz的contrib目录里很多重要文件都没有,所以按照参考教程又下了一个snort-2.0.0.tar.gz)
一、准备工作
# 把所有tar包放到/usr/local/src/下。
# tar zxvf libpcap-0.7.2.tar.gz
# cd libpcap-0.7.2
# ./configure
# make
# make install
# cd ..
# tar zxvf pcre-5.0.tar.gz
# ./configure
# make
# make install
# 我这里没有安装zlib,因为我的系统里有,如果你要安装新的zlib包,请先卸载自带的包。
二、安装snort
我们还是要编译snort-2.3.3.tar.gz,因为很多规则都是最新的,至于contrib目录里的文件我们用snort-2.0.0.tar.gz这个。
# tar zxvf snort-2.3.3.tar.gz
# tar zxvf snort-2.0.0.tar.gz
# cd snort-2.3.3
# ./configure --with-mysql=/usr/local/mysql
# make
# make install
# cd rules
# mkdir /etc/snort
# mkdir /var/log/snort
# cp * /etc/snort
# cd ../etc
# cp snort.conf /etc/snort
# cp *.config /etc/snort
# cd
# vi /etc/snort/snort.conf
var HOME_NET yournetwork
var RULE_PATH /etc/snort/rules
preprocessor http_inspect: global \
iis_unicode_map /etc/snort/rules/unicode.map 1252
include /etc/snort/rules/reference.config
include /etc/snort/rules/classification.config
# 把“# var HOME_NET 10.1.1.0/24”改成“var HOME_NET 192.168.0.0/24”你自己LAN内的地址,把前面的#号去掉。
# 把“var RULE_PATH ../rules”改成“var RULE_PATH /etc/snort”
# 把“# output database: log, mysql, user=root password=test dbname=db host=localhost”
改成“output database: log, mysql, user=root password=123456 dbname=snort host=localhost”密码改成你自己的,把前面的#号去掉。
# 把“
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules”前面的#号删除。
# 修改完毕后,保存退出。
三、建立snort数据库
# /usr/local/mysql/bin/mysql -uroot -p123456
# create database snort;
# create database snort_archive;
#grant select,insert,update,delete,create,alter on snort .* to "root"@"localhost";
#grant select,insert,update,delete,create,alter on snort_archive .* to "root"@"localhost";
# exit
# 这时我们进入snort2.0的contrib的目录
# cd /usr/local/src/snort-2.0.0/contrib/
# /usr/local/mysql/bin/mysql -uroot -p123456 < create_mysql snort
# /usr/local/mysql/bin/mysql -uroot -p123456 < create_mysql snort_archive
mysql> set password for 'root'@'localhost'=old_password('mysqlpwd');
mysql> set password for 'root'@'localhost'=old_password('mysqlpwd');
mysql> select Host, User, Password FROM mysql.user;
mysql> update mysql.user set password=old_password('snorttest') where host='localhost' and user= 'snorttest';
mysql> update mysql.user set password=old_password('acidtest') where host='localhost' and user= 'acidtest';
# 进入mysql数据库,看看snort数据库中的表:
# /usr/local/mysql/bin/mysql -uroot -p123456
mysql>show databases;
+------------+
Database
+------------+
mysql
snort
test
+------------+
3 rows in set (0.00 sec)
mysql>use snort;
mysql>show tables; 将会有这些:
+------------------+
Tables_in_snort
+------------------+
data
detail
encoding
event
flags
icmphdr
iphdr
opt
protocols
reference
reference_system
schema
sensor
services
sig_class
sig_reference
signature
tcphdr
udphdr
+------------------+
19 rows in set (0.00 sec)
mysql>exit
四、安装配置Acid
# 把acid-0.9.6b23.tar.gz、adodb330.tgz、jpgraph-1.11.tar.gz放到网页根目录,我这里是默认的。
# cp a*.* /usr/local/apache/htdocs
# cp jpgraph-1.11.tar.gz /usr/local/apache/htdocs
# tar zxvf adodb330.tgz
# tar zxvf jpgraph-1.11.tar.gz
# mv jpgraph-1.11 jpgraph
# tar zxvf acid-0.9.6b23.tar.gz
# cd acid
# vi acid_conf.php
# 把“$DBlib_path = "";” 改成“$DBlib_path = "/usr/local/apache/htdocs/adodb"”
# $alert_dbname = "snort_log"; //改成snort
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "mypassword"; //改成你的数据库密码
/* Archive DB connection parameters */
$archive_dbname = "snort_archive"; //改成snort
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "mypassword";” //改成你的数据库密码
# 把“$ChartLib_path = "";” 改成“$ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";”
# 修改完毕后,保存退出。
五、写一个snort规则
# cd /usr/local/
# vi snort.sh
#!/bin/sh
snort -d -h 192.168.0.0/24 -l /var/log/snort -c /etc/snort.conf -i eth0 -A full
# 保存退出。
# chmod 755 snort.sh
六,启动服务
# /usr/local/apache/bin/apachectl start
# cd /usr/local/mysql/
# vi mysql_start.sh
#!/bin/sh
/usr/local/mysql/bin/mysqld_safe --user=mysql &
# 保存退出。
# chmod 755 mysql_start.sh
# cp mysql_start.sh /usr/sbin/
# ./mysql_start.sh
# /usr/local/snort.sh
# service named start
七、进入web界面:
# http://yourhost/acid/acid_main.php,点"Setup Page"链接 ->Create Acid AG
# 访问http://yourhost/acid将会看到ACID界面。
八、测试IDS
# 利用nmap,nessus,CIS或者X-scan对系统进行扫描,产生告警纪录。
# http://yourhost/acid 察看纪录。
# 至此,一个功能强大的IDS配置完毕。各位可以利用web界面远程登陆,监控主机所处局域网,同时安装 phpMyAdmin或webmin对mysql数据库进行操控。
参考:《构建小型的入侵检测系统》以及bbs.chinaunix.net搜索引擎的帖子和《Snort(入侵检测系统)中文手册》
相关阅读 更多 +
