**Building a Snort intrusion detection system on Linux: a practical deployment**

Enterprise networks are currently threatened from two directions: from inside and from outside. External threats can be blocked by a firewall, but a firewall does little against internal attacks. Internal staff have a deep understanding of the systems and hold legitimate access privileges, so internal attacks are more likely to succeed.

An IDS is similar to a real-world burglar alarm: both watch for intrusion and alert a designated party when suspicious behaviour is seen. IDS fall into two categories: host-based IDS (HIDS) and network IDS (NIDS). A HIDS is installed on the monitored host and has privileged access to sensitive files; it uses that access to watch for abnormal behaviour. A NIDS sits on the network and protects a large number of network assets by capturing traffic destined for other hosts.


HIDS and NIDS each have their own advantages and disadvantages, and a complete security solution should include both, which is harder to achieve. People often misunderstand this area and treat an IDS as a master key that solves every security problem. For example, some organisations spend a considerable sum on a commercial IDS, configure it badly, and then suffer wave after wave of false positives until the database fills up with dropped packets and crashes. The attitude that an IDS can be dropped casually into a network and everything will be fine is far from the truth. Nobody would expect an email server plugged straight into the Internet to work correctly without further thought; an IDS likewise needs a proper placement strategy for its sensors. The following uses the open-source Snort as an example of how to install and maintain an IDS properly.

Installing Snort
1. Preparation

Before installing we need to know what must be monitored. Ideally everything would be monitored: every network device and every connection from outside into the enterprise would be under Snort's surveillance. For a small company with only dozens of machines this is achievable, but in a large enterprise with over a thousand network devices connected it becomes a daunting task.

To strengthen Snort's detection it is best to have an intelligent switch that can provide an independent monitoring port. If you need a distributed configuration, you can put the server and the console on one switch and place two further sensors at different physical locations, but costs rise accordingly. Maintenance of a Snort IDS cannot be avoided: sooner or later you will need to update Snort signatures and write custom rules, so you also need a professional who knows how to maintain an IDS.





    • Frag2
    • Stream4
    • Stream4_reassemble
    • Http_decode
    • RPC_decode
    • BO
    • Telnet_decode
    • ARPspoof
    • ASN1_decode
    • Fnord
    • Conversation
    • Portscan2
    • SPADE


-- dumping alert data to another resource or file



2.6 Snort performance issues

Snort's effective performance may be limited by three things: hardware, operating system and network components.

The greatest influence on Snort's performance is the Snort configuration itself and the rule set. The internal bottleneck is mainly the packet decoding stage: for Snort to check packet contents it must evaluate more than the general rules, which consumes system resources. The more content-inspecting rules are enabled, the more system resources Snort needs. Activating certain preprocessor configuration options also costs additional resources; the most obvious example is the "maximum memory (memcap)" option of the frag2 and stream4 preprocessors. If you intend to activate resource-hungry preprocessor options, first make sure the hardware is sufficient. I have seen a user spend a lot of money on a top-end IDS, configure it badly, and end up dropping packets even on a 100M network.



1) SPAN port monitoring
Since monitoring has to be done somewhere, SPAN port monitoring is another way of introducing a monitoring segment into the existing network structure. Mid- and high-end Cisco switches have a SPAN (mirror) port. A SPAN port can be a dedicated port, or any port on the switch can be turned into one through the configuration options. Using the SPAN feature for monitoring is a practical approach: unlike monitoring through a hub, it does not introduce a single point of failure into the monitored network, and that is its biggest advantage.
Note on the order of mirroring: when the monitored network is upgraded to high bandwidth, mirror only one port first, observe Snort's performance for a while and adjust as needed. Once Snort keeps up after adjustment, gradually add the other ports; do not add too many ports at once. Mirroring through the switch's SPAN port reduces the switch's own performance, because the mirrored flow overloads the switch's memory; mapping traffic is a very memory-intensive process.
2.7 Installing Snort
Operating system: Red Hat Enterprise Linux 5.5
Database: MySQL 5.1
Web server: Apache httpd 2.2
Web language: PHP 5.4
First we need to install MySQL, Apache (the mod_ssl module must be installed) and PHP, and configure Apache; the details of that installation can be found in the book "Linux Enterprise Application Case Studies" and are not repeated here.
1) Install the main program
# tar zxf snort-
# cd snort-
# ./configure --with-mysql=/usr/local/mysql && make && make install
Create the configuration directory: mkdir /etc/snort
Create the log directory: mkdir /var/log/snort
2) Install the Snort rules
tar zxf snortrules-snapshot-2860.tar.gz
mv rules/ /etc/snort
cp * /etc/snort/
Edit /etc/snort/snort.conf:
set the local network segment to monitor in var HOME_NET;
there are five lines beginning with output database: ; remove the leading "#" from them.
3) Create the snort database
mysql> create database snort;
mysql> connect snort;
mysql> source /usr/local/src/snort-;

UPDATE on snort.* to snort;

UPDATE on snort.* to snort@localhost;
Interested users can also try phpMyAdmin, a web-based MySQL administration tool that can create and drop databases, create/delete/modify tables, delete/edit/add fields, execute SQL scripts and so on.


2.8 Starting Snort

Once Snort is correctly installed and configured, the next step is to start it:

# snort -c /etc/snort/snort.conf

For safety, avoid running Snort as root. Create a dedicated user and group with # useradd snort (on Red Hat the snort group is created together with the user), then start Snort as that user:

# snort -u snort -g snort -U -d -D -c /etc/snort/snort.conf

Next install ACID + ADOdb + JpGraph. ACID (Analysis Console for Incident Databases) is the standard analyst console for Snort: a PHP-based analysis engine that can search and process the database Snort produces. Installation and configuration are very simple: unpack the jpgraph and adodb tarballs into the Apache document root, unpack the acid package, and edit acid_conf.php. Note that in acid_conf.php every value must be enclosed in double quotation marks (") and followed by a semicolon (;). Apache must now be started in SSL mode; then point the browser at the ACID home page https://<IP address>/acid/, as shown in Figure 1.


**Figure 1 The ACID interface**
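The snort.conf edits from step 2) and the non-root start command from section 2.8, collected into a small helper script. This is an added example and not code from the article or from the Snort project; the sample snort.conf fragment is constructed for demonstration, the `-r -s /sbin/nologin` flags on useradd are a hardening choice not in the article, and the chown of the log directory is assumed because Snort must still be able to write there after it drops root.

```shell
# Added example: finish the snort.conf edits and build the unprivileged
# start command. Sample config below is constructed, not a real install.

# Rewrite a file in place with a sed expression (portable; no GNU sed -i).
sed_inplace() {        # $1 = sed expression, $2 = file
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Set the local segment Snort watches (the var HOME_NET line).
set_home_net() {       # $1 = snort.conf, $2 = CIDR
    sed_inplace "s|^var HOME_NET .*|var HOME_NET $2|" "$1"
}

# Uncomment every "#output database:" line so alerts reach MySQL.
enable_db_output() {   # $1 = snort.conf
    sed_inplace 's/^#\(output database:\)/\1/' "$1"
}

# How many database output lines are still commented out (0 when done).
disabled_db_outputs() { # $1 = snort.conf
    grep -c '^#output database:' "$1" || true
}

# Section 2.8 command line: drop privileges to snort:snort (-u/-g), UTC
# timestamps (-U), dump application-layer data (-d), daemonize (-D).
snort_cmdline() {      # $1 = interface, $2 = config file
    echo "snort -u snort -g snort -U -d -D -i $1 -c $2"
}

# Prerequisite for running unprivileged: the snort user must own the log
# directory, or nothing is written after root is dropped. Needs root.
prepare_snort_user() {
    id snort >/dev/null 2>&1 || useradd -r -s /sbin/nologin snort   # assumption: system account
    mkdir -p /etc/snort /var/log/snort
    chown snort:snort /var/log/snort
}

# Constructed snort.conf fragment for exercising the helpers offline.
write_sample_conf() {  # $1 = destination file
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
preprocessor frag2: memcap 4194304, timeout 60
#output database: log, mysql, user=snort password=snort dbname=snort host=localhost
#output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
output alert_fast: alert.ids
EOF
}
```

Run `write_sample_conf /tmp/snort.conf`, then `enable_db_output` and `set_home_net` on it, and check `disabled_db_outputs` reports 0 before starting Snort with the string from `snort_cmdline`; on a real host, run `prepare_snort_user` first so the log directory is writable by the unprivileged process.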


2.9 Improving performance
Monitoring a 10/100M network is fine, but when the traffic volume demands better monitoring performance from Snort, the most economical approach is to run Snort on dual NICs. Snort can be configured to listen on multiple NICs; the problem is that each Snort command-line -i option accepts only one interface. There are two ways to run Snort across several NICs:
• run a separate Snort process for each NIC;
• use the Linux kernel's bonding feature to bind all the NICs together.
Which method to choose depends on your environment, priorities and other factors. Running multiple Snort processes increases the workload and may waste an unacceptable amount of processor time. If you have the resources to run two or more Snort processes, you must also think about data management: if all Snort instances are configured the same way, the same attack is reported several times, which gives the IDS administrator a headache, especially when alerting is enabled. When different NICs have different intrusion detection requirements, assigning a single Snort process to each NIC is ideal: each NIC becomes a separate virtual sensor, and each of the "sensors" set up on one machine can load its own configuration, rules and output plugins. That is where separate Snort processes fit best. On the other hand, if you cannot or do not want to dedicate a Snort process to every NIC, you can bond two NICs together and then pass the bonded interface (e.g. bond0) to Snort with the -i option.
To do this, edit /etc/modules.conf and add the following line:
alias bond0 bonding
Now, each time the machine restarts, assign the IP address information to the bonded NIC and enslave the physical NICs to it:
ifconfig bond0 <IP address> up
ifenslave bond0 eth0
ifenslave bond0 eth1
These commands can be put in a script that runs at system start. When running Snort, use bond0 as the NIC:
snort <options> -i bond0
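The bonding procedure above, as an added example that is not from the article: it brings up bond0, enslaves the NICs, and then confirms from the kernel's bonding status file that every expected NIC actually joined the bond before Snort is started on it, because a NIC that silently failed to enslave halves the sensor's view without any alert. The status file format is what the bonding driver writes to /proc/net/bonding/<bond>; the copy embedded here is constructed. Bringing bond0 up without an address (the article assigns one) is an assumption suited to a pure capture interface.

```shell
# Added example: bond two NICs for Snort and verify the bond before use.

# List the slave interfaces recorded in a bonding status file.
bond_slaves() {      # $1 = status file (normally /proc/net/bonding/bond0)
    sed -n 's/^Slave Interface: *//p' "$1"
}

# Succeed only if every expected NIC appears as a slave of the bond.
check_bond() {       # $1 = status file, $2.. = expected NICs
    status=$1
    shift
    for nic in "$@"; do
        if ! bond_slaves "$status" | grep -qx "$nic"; then
            echo "bond is missing $nic" >&2
            return 1
        fi
    done
    return 0
}

# Constructed copy of /proc/net/bonding/bond0 for a healthy two-NIC bond.
sample_bond_status() {  # $1 = destination file
    cat > "$1" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
EOF
}

# The section 2.9 sequence with the verification added; needs root.
start_snort_on_bond() {   # $1.. = physical NICs to enslave
    modprobe bonding
    ifconfig bond0 up        # assumption: capture-only, no address needed
    for nic in "$@"; do ifenslave bond0 "$nic"; done
    check_bond /proc/net/bonding/bond0 "$@" || return 1
    snort -u snort -g snort -U -d -D -i bond0 -c /etc/snort/snort.conf
}
```

`start_snort_on_bond eth0 eth1` is the boot-time script the text refers to; `check_bond` can also be run from cron against the live /proc file to catch a slave that drops out later.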


Once the system is installed it must be maintained: important changes to Snort are needed to keep it relevant, such as upgrading the rule set, modifying configuration options and, eventually, upgrading the Snort application itself. On a single sensor these manual methods are workable, but in a distributed system of multiple sensors, modifying each sensor by hand becomes very difficult and error-prone.

This is where the management assistant SnortCenter comes in: a web-based application for upgrading and maintaining Snort configurations, and for remote management of Snort sensors. It uses a PHP/MySQL web interface; after installation the start page looks like Figure 2.

Figure 2 The SnortCenter interface

Its main functions:

• Snort daemon status monitor;

• remote Snort stop/start/restart;

• SnortCenter user access control;

• sensor groups;

• ACID integration.

SnortCenter consists of the PHP-based management console and the SnortCenter agents. The management console is installed on the Snort server and the sensor agent is installed on each managed sensor. SnortCenter can be installed on a distributed Snort system; the server requires the following packages:

• MySQL;

• Apache;

• PHP;

• ADODB;

• OpenSSL;

• cURL

Apart from cURL these packages should be familiar, since most operating systems include them. The SnortCenter management console can run on Windows, Linux and BSD systems. The SnortCenter sensor agent needs Perl and is installed on a UNIX-based operating system; with some additional pre-compiled helper programs the agent can also run on a Windows-based sensor.


1. SnortCenter installation
The prerequisite is that ACID is already installed and configured, so MySQL, Apache, PHP, ADODB and OpenSSL should already be on the machine serving as the Snort server. SnortCenter can be installed on a Linux system.
1.1 SnortCenter management console
Before installing SnortCenter the only package still needed is cURL, a command-line tool for transferring files by URL without user intervention; SnortCenter uses it to manage and control the Snort sensors. You can check whether the package is installed on Red Hat with:
rpm -qa | grep curl
This queries for packages whose name contains the string "curl"; if cURL is not installed, download it.
Next, create a snortcenter directory in the web root, unpack the downloaded files into it, and edit config.php to configure SnortCenter. Note the following points in this configuration file:
• DBlib_path sets the location of the ADOdb library.
• url_path should be set to the location of the cURL executable.
• DBtype sets the type of database you installed.
• DB_dbname is the name of the SnortCenter database you will create in the next step.
• DB_host is the host name of the Snort server; if the SnortCenter management console and the database are on the same machine, set it to localhost.
• DB_user is the account SnortCenter uses to log in to the database.
• DB_password is that user's password.
• DB_port is the port the database listens on.
Save and close config.php. The next task is to create the database named by DB_dbname: log in to MySQL and create the SnortCenter database:
> create database snortcenter;
Once the database exists you can open the SnortCenter management console in a web browser (https://localhost/snortcenter); it creates all the tables SnortCenter needs. You can also create them with the snortcenter_db.mysql script in the tarball. That completes the installation of the management console. On first login, change the user name admin and its password.
1.2 Installing the SnortCenter sensor agent
To complete the SnortCenter installation, install the SnortCenter sensor agent on every sensor you want to manage with SnortCenter. The UNIX agent needs Perl, OpenSSL and the Perl module Net::SSLeay. OpenSSL and Perl are already installed on the sensor, so only Net::SSLeay remains; download it from http://search.cpan.org.
To install Net::SSLeay, run the following in its source directory:
perl Makefile.PL
make install
After installing Net::SSLeay, create the directories the sensor agent uses:
• program directory: /usr/local/snortcenter
• configuration directory: /usr/local/snortcenter/conf
• log directory: /usr/local/snortcenter/log
• rules directory: /usr/local/snortcenter/rules
Then create an SSL certificate for SnortCenter:
# openssl req -new -x509 -days 365 -nodes -out snortcenter.pem -keyout snortcenter.pem
Copy snortcenter.pem into /usr/local/snortcenter/conf. Now install the sensor agent: download the appropriate version from http://users.pandora.be/larc/download/, unpack it, move it into /usr/local/snortcenter/ and run the setup shell script:
# ./setup.sh
The script asks many questions. When asked for the Snort and SnortCenter directories, enter the ones you created. The agent can run on any port, but remember which one you chose. Specify the IP address of the NIC on which the agent listens for the SnortCenter manager. Answer Yes to the Enable SSL option. Also note the agent login name and password; they are entered in the management console as authentication information. The last option is the IP address of the Snort server. That completes the sensor agent installation; repeat it on every Snort sensor in your environment.
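The sensor-side preparation from section 1.2 (directories, certificate, prerequisites), as an added example that is not the SnortCenter project's own setup script. Two caveats the text leaves implicit are built in: the article's openssl command uses -nodes and writes the private key into the same PEM as the certificate, so that file and the conf directory are made unreadable to other users, and the certificate is generated with a fixed subject so the step runs unattended. BASE and the common-name argument are assumptions; point BASE at a scratch directory to rehearse the layout without root.

```shell
# Added example: prepare a sensor for the SnortCenter agent.

BASE=${BASE:-/usr/local/snortcenter}   # assumption: the article's layout

# Create the program, conf, log and rules directories from section 1.2.
make_agent_dirs() {  # $1 = base directory
    mkdir -p "$1" "$1/conf" "$1/log" "$1/rules"
    chmod 700 "$1/conf"     # conf holds the unencrypted private key
}

# Self-signed certificate and key in one PEM, as in the article, with a
# fixed subject so it needs no interaction, then mode 600.
make_agent_cert() {  # $1 = output PEM, $2 = common name
    openssl req -new -x509 -days 365 -nodes -subj "/CN=$2" \
        -out "$1" -keyout "$1" 2>/dev/null && chmod 600 "$1"
}

# True when a PEM carries both a certificate and a private key, which is
# what the agent expects in conf/snortcenter.pem.
pem_complete() {     # $1 = PEM file
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# Does this sensor have what the Perl agent needs (Perl plus Net::SSLeay)?
agent_prereqs() {
    command -v perl >/dev/null 2>&1 || { echo "perl missing" >&2; return 1; }
    perl -MNet::SSLeay -e 1 >/dev/null 2>&1 || { echo "Net::SSLeay missing" >&2; return 1; }
}

# Full preparation: directories, certificate into conf/, prerequisite check.
prepare_sensor() {   # $1 = common name for the certificate
    make_agent_dirs "$BASE"
    make_agent_cert "$BASE/conf/snortcenter.pem" "$1"
    pem_complete "$BASE/conf/snortcenter.pem" || return 1
    agent_prereqs
}
```

`prepare_sensor sensor1.example.internal` (hypothetical name) leaves the sensor ready for `./setup.sh`; a non-zero exit names the missing piece, so the agent is never installed on a sensor that cannot actually speak SSL to the console.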
