Running Snort on Linux: building an intrusion detection system in the real world
Threats to an enterprise network come from two directions: inside and outside. Much of what comes from outside can be stopped at the firewall, but attacks from inside are far harder to defend against. Insiders know the systems well and already hold legitimate access, so an internal attack is much more likely to succeed.
An IDS resembles a burglar alarm in the physical world: both monitor for intrusions and raise an alert to a designated party when suspicious activity is observed. IDS come in two classes, host-based IDS (HIDS) and network-based IDS (NIDS). A HIDS is installed on the host being monitored and is granted privileged access to sensitive files, which it uses to watch for abnormal behaviour. A NIDS sits on the network and protects many systems at once by capturing the traffic destined for other hosts.
HIDS and NIDS each have their strengths and weaknesses, and a complete security solution should include both, although that is hard to achieve in practice. People unfamiliar with the field often treat an IDS as a master key that solves every security problem. One organisation, for example, spent a large sum on a commercial IDS, misconfigured it, and ended up with a flood of false positives that filled the database and dropped packets until the system fell over. This attitude leads people to believe that an IDS can be dropped anywhere on the network and forgotten; in reality it is nothing of the sort. Nobody expects a mail server to work properly just by plugging it straight into the Internet, and in the same way an IDS needs a properly planned strategy and sensor placement. The rest of this article uses the installation and maintenance of the open source Snort IDS as an example of how to install and maintain an IDS correctly.

Installing Snort

1. Preparation

Before installing, decide what needs to be monitored. Ideally everything is monitored: every network device and every connection from the outside into the enterprise sits under Snort's watch. That is realistic for a small company with a few dozen machines, but in a large enterprise with more than a thousand connected devices it becomes a daunting task.
To make Snort's detection more robust, it is best to give the monitored segment its own managed switch. If you need a distributed deployment, the server and console can share one switch while the other sensors are placed at different physical locations, at some additional cost. Maintenance of a Snort IDS cannot be avoided: sooner or later you will have to update Snort's signatures and write custom rules, so you also need someone who knows how to maintain an IDS.
2. Inside Snort

Snort consists of many configurable internal components, and they have a large influence on false positives, false negatives, and the performance of packet capture and logging. Understanding Snort's internals helps you use it effectively to monitor for intrusions, tailor it to your own network, and avoid some of its common pitfalls.

2.1 Feeding packets to Snort with libpcap

Snort has no packet capture facility of its own; it relies on an external capture library, libpcap. Snort captures packets directly from the link through libpcap, and because libpcap hides the platform, Snort is a genuinely platform-independent application. Capturing packets straight from the network interface is libpcap's job; the underlying operating system provides this raw capture capability to applications. Snort needs the data in its raw state: it relies on every protocol header being intact and unmodified by the operating system in order to detect certain kinds of attack. Because packets are pulled from libpcap one at a time, this is not the most efficient approach, and it is the bottleneck that limits Snort's ability to monitor gigabit networks.

2.2 Packet decoder

Once a packet has been captured, Snort must decode each protocol element in it. As the packet passes through the decoders for the various protocols, the decoded data is filled into a data structure. As soon as the packet data is stored in that structure, it is handed to the preprocessors and the detection engine for analysis.

2.3 Preprocessors

Snort's preprocessors fall into two classes: those that examine packets for suspicious behaviour, and those that modify packets so the detection engine can interpret them correctly. Preprocessor parameters are tuned in the snort.conf configuration file. The preprocessors are:
• Frag2
• Stream4
• Stream4_reassemble
• Http_decode
• RPC_decode
• BO
• Telnet_decode
• ARPspoof
• ASN1_decode
• Fnord
• Conversation
• Portscan2
• SPADE

2.4 Detection engine

The detection engine, one of Snort's main components, matches traffic against the rules in the order in which they were loaded into memory.

2.5 Output plugins

Snort's output plugins receive the intrusion data that Snort produces; their purpose is to dump the alert data to another resource or file.
2.6 Snort performance

How well Snort performs can be limited by several choices: the hardware, the operating system, and the networking components. The biggest influence on Snort's performance, however, is Snort's own configuration and the rule set. Internal bottlenecks appear mainly in the packet decoding stage: a rule that makes Snort inspect packet contents costs far more than an ordinary header rule, and the more content-inspecting rules are enabled, the more system resources Snort needs. Enabling certain preprocessor options also costs extra resources; the clearest example is the "memcap" (maximum memory) option of the frag2 and stream4 preprocessors. If you plan to enable many resource-hungry preprocessor options, make sure the hardware can support them. I once met a user who had spent a great deal of money on a top-of-the-line IDS and, because it was misconfigured, saw packet loss even on a 100 Mbit network.
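To make the cost difference between header rules and content rules concrete, here is a small Python rule matcher added as an illustration of sections 2.4 and 2.6; it is not Snort's code. It parses a few rules written in Snort's own rule syntax, walks them in load order against constructed packets, and counts the payload bytes each rule has to scan. The rules, the packets and the 192.168.150.0/24 HOME_NET are constructed for the example; real Snort uses a multi-pattern matcher rather than a per-rule substring scan, so the counts show the shape of the cost, not Snort's exact numbers.

```python
"""Toy Snort-style rule matcher, added as an example (not Snort's own code).
It parses rules in Snort 2.x syntax, evaluates them against packets in load
order as the detection engine does, and counts the payload bytes each rule
scans, which shows why content rules cost more than header-only rules.
The rules, packets and HOME_NET value are constructed for this example."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HOME_NET = ipaddress.ip_network("192.168.150.0/24")  # constructed, as in the article
Packet = namedtuple("Packet", "proto src sport dst dport payload")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    contents: List[bytes] = field(default_factory=list)
    sid: int = 0

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(text: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (options)'; keeps msg, content and sid."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto, src, sport, dst, dport)
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.contents.append(val.encode())
        elif key == "sid":
            rule.sid = int(val)
    return rule

def addr_matches(spec: str, ip: str) -> bool:
    """'any', '$HOME_NET' or a CIDR, optionally negated with a leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec == "$HOME_NET":
        hit = ipaddress.ip_address(ip) in HOME_NET
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec: str, port: int) -> bool:
    """'any', one port, or a range such as '1024:' or ':1023'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def match(rule: Rule, pkt: Packet) -> Tuple[bool, int]:
    """Return (matched, payload bytes scanned): header checks scan nothing,
    each content option scans the whole payload."""
    if (rule.proto != pkt.proto
            or not addr_matches(rule.src, pkt.src) or not port_matches(rule.sport, pkt.sport)
            or not addr_matches(rule.dst, pkt.dst) or not port_matches(rule.dport, pkt.dport)):
        return False, 0
    scanned = 0
    for needle in rule.contents:
        scanned += len(pkt.payload)
        if needle not in pkt.payload:
            return False, scanned
    return True, scanned

def run(rules: List[Rule], packets: List[Packet]) -> Tuple[List[tuple], Dict[int, int]]:
    """Evaluate every rule against every packet, rules in load order."""
    alerts, cost = [], {r.sid: 0 for r in rules}
    for pkt in packets:
        for rule in rules:
            hit, n = match(rule, pkt)
            cost[rule.sid] += n
            if hit:
                alerts.append((rule.sid, rule.msg, pkt.src, pkt.dst))
    return alerts, cost

# Constructed rules and packets for this example.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"Web traversal attempt"; content:"../"; sid:1000002;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"cmd.exe in URI"; content:"cmd.exe"; sid:1000003;)',
)]
PACKETS = [
    Packet("tcp", "10.0.0.5", 40000, "192.168.150.10", 22, b""),
    Packet("tcp", "10.0.0.5", 40001, "192.168.150.20", 80,
           b"GET /../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("tcp", "10.0.0.5", 40002, "192.168.150.20", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("tcp", "192.168.150.20", 80, "10.0.0.5", 40002, b"HTTP/1.0 200 OK\r\n\r\n"),
]
```

Calling run(RULES, PACKETS) fires the SSH rule on the first packet and both content rules on the second; the SSH rule never touches a payload byte, while each of the two content rules scans the full payload of every packet that reaches port 80 in HOME_NET, whether or not it finally matches. Multiply that by a large rule set and by gigabit traffic and the performance warnings in 2.6 follow directly.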
1) SPAN port monitoring

Monitoring will inevitably involve a SPAN port. SPAN port monitoring is another way to introduce a monitoring segment into the existing network structure. Mid-range and high-end Cisco switches have a SPAN (mirror) port. A SPAN port can be a dedicated port, or it can be configured to mirror any selection of the switch's other ports. Using a SPAN port is a practical way to implement monitoring, and it does not introduce a single point of failure into the monitored network; compared with monitoring through an in-line hub, that is its biggest advantage.

Note on mirroring order: when the monitored network is upgraded to higher bandwidth, mirror a single port first, observe Snort's performance for a while, and adjust as needed. Once Snort handles that port well, add further ports gradually and realistically; never add a large number of ports at once. SPAN port monitoring reduces the performance of the switch itself: mirroring traffic is a memory-intensive process that overloads the switch's memory and degrades its performance.

2.7 Installing Snort

Operating system: Red Hat Enterprise Linux 5.5
Database: MySQL (mysql-5.1)
Web server: Apache (httpd-2.2)
Web language: PHP (php-5.4)

First install MySQL, Apache (the mod_ssl module is required) and PHP, and configure Apache. The detailed installation is covered in the book 《Linux企業應用案例精解》 and is not repeated here.

1) Install the main program

# tar zxf snort-2.8.5.2.tar.gz
# cd snort-2.8.5.2
# ./configure --with-mysql=/usr/local/mysql && make && make install

Create the configuration directory: mkdir /etc/snort
Create the log directory: mkdir /var/log/snort

2) Install the Snort rules

Unpack the rule snapshot for your Snort version, or the current snapshot, and move the rules into place:
tar zxf snortrules-snapshot-2860.tar.gz
tar zxf snortrules-snapshot-CURRENT.tar.gz
mv rules/ /etc/snort
cp * /etc/snort/

Edit /etc/snort/snort.conf:
set the local network segment to monitor: var HOME_NET 192.168.150.0/24
there are five lines beginning with "output database:"; remove the "#" in front of them, and replace the template's user, password, database name and host with the values you create in the next step.

3) Create the snort database

mysql> create database snort;
mysql> connect snort;
mysql> source /usr/local/src/snort-2.8.5.2/schemas/create_mysql;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;

Note that, written this way, the snort account has no password and the first grant lets it connect from any host. Give it a password (append IDENTIFIED BY '<password>' to the grant) and keep only the grant for the host the sensor actually connects from; a sensor that only writes alerts needs INSERT and SELECT, not CREATE or DELETE.

Readers who are interested may also try phpMyAdmin, a web-based MySQL administration tool that can create and drop databases, create, drop and alter tables, add, edit and delete fields, run SQL scripts and so on.
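The two snort.conf edits above (HOME_NET and the output database lines) are easy to script and easy to get wrong. The following Python code is an added example, not from the article or the Snort project: it applies both edits to a constructed snort.conf excerpt and then lints the result, refusing to pass a file that still has HOME_NET set to any, a database output running as root, or the template's placeholder password. The excerpt, the credential values and the placeholder-password list are constructed for the example; the "user= password= dbname= host=" layout is the one the Snort 2.8 template uses on its commented-out database lines.

```python
"""Script the snort.conf edits of section 2.7 and lint the result.
Added example, not from the article or from Snort; the snort.conf excerpt,
credentials and placeholder-password list below are constructed."""
import re
from typing import List

# Constructed excerpt in the layout of the Snort 2.8 snort.conf template.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
preprocessor frag2: memcap 4194304
preprocessor stream4: disable_evasion_alerts, memcap 8388608
# output database: log, mysql, user=snort password=test dbname=snort host=localhost
# output database: alert, mysql, user=snort password=test dbname=snort host=localhost
output alert_fast: alert
"""

PLACEHOLDER_PASSWORDS = {"", "test", "password", "snort"}  # constructed list

def set_home_net(conf: str, cidr: str) -> str:
    """Replace the HOME_NET definition; $HOME_NET rules only work once it is set."""
    return re.sub(r"^var HOME_NET\s+.*$", f"var HOME_NET {cidr}", conf, flags=re.M)

def enable_db_output(conf: str, user: str, password: str, dbname: str, host: str) -> str:
    """Uncomment every '# output database:' line and substitute real credentials."""
    def rewrite(m: "re.Match") -> str:
        return (f"output database: {m.group(1)}, mysql, "
                f"user={user} password={password} dbname={dbname} host={host}")
    return re.sub(r"^#\s*output database:\s*(\w+),.*$", rewrite, conf, flags=re.M)

def lint(conf: str) -> List[str]:
    """Return the problems a sensor operator should fix before starting Snort."""
    findings = []
    home = re.search(r"^var HOME_NET\s+(\S+)", conf, re.M)
    if not home or home.group(1) == "any":
        findings.append("HOME_NET is 'any': $HOME_NET rules cannot tell inside from outside")
    outputs = re.findall(r"^output database:.*$", conf, re.M)
    if not outputs:
        findings.append("no database output enabled: alerts stay in the flat log only")
    for line in outputs:
        creds = dict(re.findall(r"(\w+)=(\S+)", line))
        if creds.get("user") == "root":
            findings.append("database output logs in as root; use a dedicated snort account")
        if creds.get("password", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"placeholder database password on: {line}")
    return findings

def configure(conf: str, cidr: str, user: str, password: str,
              dbname: str = "snort", host: str = "localhost") -> str:
    """HOME_NET plus database output, the two edits section 2.7 makes by hand."""
    return enable_db_output(set_home_net(conf, cidr), user, password, dbname, host)
```

Running lint(SAMPLE_CONF) on the untouched template reports both the HOME_NET any setting and the absence of any database output; after configure(SAMPLE_CONF, "192.168.150.0/24", "snort", "<a real password>") the lint passes, while re-running it with the template's "test" password or a root account fails on every output line.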
2.8 Starting Snort

Once Snort is installed and configured correctly, the next step is to start it:
# snort -c /etc/snort/snort.conf
For safety, Snort should not run as root. Create a dedicated user and group (# useradd snort; on Red Hat the snort group is created together with the user) and start Snort as that user:
# snort -u snort -g snort -U -d -D -c /etc/snort/snort.conf
(-u and -g drop privileges to the snort user and group once the capture interface is open, -U uses UTC timestamps, -d logs application-layer data, and -D runs Snort as a daemon.)

Next install ACID, ADOdb and JpGraph. ACID (Analysis Console for Incident Databases) is the standard analyst console for Snort: a PHP-based analysis engine that searches and processes the database Snort produces. Installation and configuration are simple: copy the adodb and jpgraph tarballs into the Apache document root, unpack the acid package, and edit acid_conf.php. All ACID configuration parameters live in acid_conf.php; every value must be enclosed in double quotes (") and terminated with a semicolon (;). Apache must be running in SSL mode; then browse to the ACID home page at https://<IP address>/acid/, as shown in Figure 1.
▲ Figure 1: The ACID interface
2.9 Improving performance

Monitoring a 10/100 Mbit network is fine, but as traffic grows Snort's monitoring performance needs to be improved. The most economical method today is to run Snort on a machine with two network cards. Snort can be configured to listen on several cards, but the problem is that its -i command-line option accepts only one interface. There are two ways to run Snort on multiple cards:
• run a separate Snort process for each card;
• use the Linux kernel's bonding feature to bind all the cards together.

Which method to choose depends on your environment, your priorities and other factors. Running several Snort processes increases the workload and consumes a lot of processor time, which may not be acceptable. If you do have the resources to run two or more Snort processes, think about data management: if all the Snort instances are configured identically, the same attack will be reported several times, which is a headache for the IDS administrator, especially once alerting is enabled. When different cards have different intrusion detection requirements, a separate Snort process per card is ideal: each process becomes a virtual sensor for its card, and with several such "sensors" on one machine you can load a different configuration, rule set and output plugins into each process. That is what separate processes are best for. If on the other hand you cannot, or do not want to, run an extra Snort process per card, you can bind two cards together and point Snort's -i option at the bonded interface (for example bond0).

To do this, edit /etc/modules.conf and add the line:
alias bond0 bonding

Then, at each boot, after the IP address information has been assigned to the interface, activate the bonded interface with the following commands:
ifconfig bond0 up
ifenslave bond0 eth0
ifenslave bond0 eth1

You can put these commands in a script that runs at system start-up. When running Snort, use the bond0 interface like this:
snort <options> -i bond0
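The duplicate-alert problem described above is easy to see, and to handle, on the flat alert_fast log that each Snort process writes. The following Python script is an added example, not part of the article or of Snort: it parses alert_fast lines from two constructed sensor logs (one per NIC) and merges reports of the same signature, source, destination and port that arrive within a two-second window, keeping a record of which sensors saw each event. The log lines, the sensor names and the year 2010 (alert_fast timestamps carry no year) are constructed for the example.

```python
"""Merge alerts from several Snort processes. Added example, not part of the
article or of Snort. Two Snort instances with the same rules watching
overlapping traffic report one attack once each; this groups alert_fast lines
by (sid, source, destination, port) within a short window and records which
sensors saw them. The alert lines and sensor names are constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# One line of Snort's alert_fast output looks like:
# 01/12-14:32:01.123456  [**] [1:1000002:1] Web traversal attempt [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.150.20:80
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse_fast(line: str, year: int = 2010) -> dict:
    """Parse one alert_fast line; the year is supplied because the log omits it."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an alert_fast line: {line!r}")
    a = m.groupdict()
    a["ts"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return a

def merge(lines_by_sensor: Dict[str, List[str]],
          window: timedelta = timedelta(seconds=2)) -> List[dict]:
    """Collapse alerts with the same (sid, src, dst, dport) seen within `window`
    of each other, whichever sensor reported them, into one record."""
    events = []
    for sensor, lines in lines_by_sensor.items():
        for line in lines:
            a = parse_fast(line)
            a["sensor"] = sensor
            events.append(a)
    events.sort(key=lambda a: a["ts"])
    merged: List[dict] = []
    for a in events:
        key = (a["sid"], a["src"], a["dst"], a["dport"])
        for rec in merged:
            if rec["key"] == key and a["ts"] - rec["last"] <= window:
                rec["sensors"].add(a["sensor"])
                rec["count"] += 1
                rec["last"] = a["ts"]
                break
        else:
            merged.append({"key": key, "msg": a["msg"], "first": a["ts"], "last": a["ts"],
                           "sensors": {a["sensor"]}, "count": 1})
    return merged

def report(merged: List[dict]) -> List[str]:
    """One summary line per merged event, naming the sensors that saw it."""
    return [f"[1:{r['key'][0]}] {r['msg']} {r['key'][1]} -> {r['key'][2]}:{r['key'][3]} "
            f"x{r['count']} on {','.join(sorted(r['sensors']))}" for r in merged]

# Constructed alert_fast lines from two Snort processes (one per NIC) on one host.
SENSOR_ETH0 = [
    "01/12-14:32:01.123456  [**] [1:1000002:1] Web traversal attempt [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.150.20:80",
    "01/12-14:32:05.500000  [**] [1:1000001:1] SSH connection attempt [**] [Priority: 3] {TCP} 10.0.0.5:40003 -> 192.168.150.10:22",
]
SENSOR_ETH1 = [
    "01/12-14:32:01.125000  [**] [1:1000002:1] Web traversal attempt [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.150.20:80",
    "01/12-14:32:09.000000  [**] [1:1000002:1] Web traversal attempt [**] [Priority: 2] {TCP} 10.0.0.7:51000 -> 192.168.150.20:80",
]
```

With the four constructed lines, merge({"eth0": SENSOR_ETH0, "eth1": SENSOR_ETH1}) yields three events rather than four: the traversal attempt from 10.0.0.5 was seen by both processes within two milliseconds and is reported once with both sensors listed. The window is deliberately short; widening it merges repeated attempts by the same source into one record, which is useful for the console but loses the per-attempt count.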
Once the system is installed you will inevitably have to maintain it and make important changes to Snort to keep it relevant: upgrading the rule set, changing configuration options, and eventually upgrading the Snort program itself. If you run a distributed system of many sensors, doing this by hand is still possible, but editing many sensors manually becomes difficult and error-prone.

This is where the management helper SnortCenter comes in: a web-based management application for updating and maintaining Snort configurations and for managing Snort sensors remotely. It uses a PHP/MySQL web interface; the start-up screen after installation is shown in Figure 2.

▲ Figure 2: The SnortCenter interface

Features:
• Snort daemon status monitor;
• remote stop/start/restart of Snort;
• access control for SnortCenter users;
• sensor groups;
• ACID integration.

SnortCenter consists of a PHP-based management application and the SnortCenter agent. The management console is installed on the Snort server, and the sensor agent on each managed sensor. SnortCenter strengthens a Snort deployment spread over a distributed system. The server side needs the following packages:
• MySQL;
• Apache;
• PHP;
• ADODB;
• OpenSSL;
• cURL

Apart from cURL these packages should be familiar, as most operating systems ship them. The SnortCenter management console runs on Windows, Linux and BSD. The SnortCenter sensor agent is written in Perl and runs on UNIX-based operating systems; with some additional precompiled helper programs it can also run on Windows-based sensors.
1. Installing SnortCenter

The prerequisite is a working ACID installation, so MySQL, Apache, PHP, ADODB and OpenSSL should already be installed on the machine acting as the Snort server. SnortCenter can then be installed on that Linux system.

1.1 SnortCenter management console

The only package still missing before installing SnortCenter is cURL, a command-line tool that transfers files by URL without user interaction; SnortCenter uses it to manage and control the Snort sensors. On Red Hat you can check whether the package is installed with:
rpm -qa | grep curl
This lists installed packages whose names contain the string curl; if cURL is not installed, download and install it.

Next create a snortcenter directory under the web root, unpack the downloaded package into it, and configure SnortCenter by editing config.php. The settings in this file that need attention are:
• DBlib_path: the location of the ADOdb library.
• url_path: should be set to the location of the cURL executable.
• DBtype: the type of database you installed.
• DB_dbname: the name of the SnortCenter database you will create in the next step.
• DB_host: the host name of the Snort server; if the management console and the database are on the same machine, set it to localhost.
• DB_user: the account SnortCenter uses to log in to the database.
• DB_password: that user's password.
• DB_port: the port the database listens on.

Save and close config.php. The next task is to create the database named in DB_dbname: log in to MySQL and create the SnortCenter database:
> create database snortcenter;
Once the database exists, open the SnortCenter management console in a web browser (at https://localhost/snortcenter); it creates all the tables SnortCenter needs. You can also create them with the snortcenter_db.mysql script in the tarball. That completes the management console part of the installation. Change the admin user name and password the first time you log in.

1.2 Installing the SnortCenter sensor agent

To complete the SnortCenter installation, the sensor agent must be installed on each sensor you want SnortCenter to manage. The UNIX-based agent needs Perl, OpenSSL and the Perl module Net::SSLeay. OpenSSL and Perl are already on the sensor, so only Net::SSLeay remains; it can be downloaded from http://search.cpan.org. To build and install Net::SSLeay, run the following in its source directory:
perl Makefile.PL
make
make install

After installing Net::SSLeay, create the directories the sensor agent uses:
• program directory: /usr/local/snortcenter
• configuration directory: /usr/local/snortcenter/conf
• log directory: /usr/local/snortcenter/log
• rules directory: /usr/local/snortcenter/rules

Next create an SSL certificate for SnortCenter with:
# openssl req -new -x509 -days 365 -nodes -out snortcenter.pem -keyout snortcenter.pem
and copy snortcenter.pem into /usr/local/snortcenter/conf. Because -nodes leaves the private key unencrypted and the key and certificate share one file, that file must be readable only by the account the agent runs as.

Now you are ready to install the sensor agent: download the appropriate version from http://users.pandora.be/larc/download/, unpack it and move it into /usr/local/snortcenter/, then run the setup shell script:
# ./setup.sh
The script asks a number of questions. You have already created the directories Snort and SnortCenter need, so enter them when asked. The agent can listen on any port you choose, but remember which one you picked. Specify the IP address of the interface on which SnortCenter manages and listens to the agent. When asked whether to enable SSL, answer Yes. Note the agent's login name and password, as they must be entered as authentication details in the management console. The last option sets the IP address of the Snort server. That completes the installation of the sensor agent; repeat the process for every sensor in your Snort environment.

Note: to push configuration changes to sensors through SnortCenter, you must first add them in the SnortCenter management console.
前提是要安装并配置好Acid,因此你应该预先在作为
Snort服务器的机器上安装MySQL,Apache,PHP,
ADODB和OpenSSL。你可以将SnortCenter安装在Linux系统上了。
1.1、SnortCenter管理控制台
在安装SnortCenter之前惟一还需要安装的软件包是cURL,
这是一个不需要用户干涉通过URL传输文件的命令行工具,
它用于管理和控制Snort传感器。你可以通过如下命令行检查
在Red Hat上是否安装了该软件包:
Rpm -qa grep curl
该命令行将会查询包含了curl字符串的软件包,
如果你没有安装cURL,可以去网上下载。
下一步在WEB根目录下建立snortcenter目录,
将下载文件包解压到这个目录里,然后就通过配置config.php文件
来配置SnortCenter 。
对于这个配置文件需要说明的有以下几点:
• DBlib_path设定Adodb库的位置。
• url_path该变量应设为cURL可执行文件的位置。
• DBtype这里设置你所安装的数据库的类型
• DB_dbname这是你在下一步中要创建的SnortCenter
数据库名
• DB_host DB_host是Snort服务器的主机名。
如果SnortCenter管理控制台和数据库安装在同一台计算机上,
应将该参数设为localhost;
• DB_user SnortCenter登录数据库所用的帐号。
• DB_ password数据库—用户的密码;
• DB_ port DB_ port是数据库运行的端口号。
保存修改并关闭config.php,下一个任务是建立DB_dbname变
量指定的数据库,首先需要登录MysqL数据库,然后创
建SnortCenter数据库,命令如下:
>create database snortcenter;
创建好数据库之后,在Web浏览器中就可以看到SnortCenter
管理控制台(地址为https: //localhost/snortcenter)了。这里建立了
SnortCenter需要的所有表。你也可以用位于tarball的snortcenter
db.Mysql脚本创建它们。这就完成了SnortCenter管理控制台部分
的安装。第一次登录时,你需修改用户名admin和口令。
1.2、安装SnortCenter传感器代理
要完成SnortCenter的安装,还需在你想用SnortCenter管理的
传感器上安装SnortCenter传感器代理。安装基于UNIX的代理需要Perl、
OpenSSL和Perl模块Net::SSLeay。前面我们已经在传感器上安装了
OpenSSL和Perl,现在只需要进行Net::SSLeay模块的安装。
你可以在网址http://search.cpan.org下载该模块。
下载并安装Net::SSLeay,首先在源目录下执行下列命令:
Perl Makefile.pl
Make install
安装好Net::SSLeay模块后,需创建SnortCenter传感器代理
所用的目录,即创建下列目录:
• 程序目录:/usr/local/snortcenter
• 配置目录:/usr/local/snortcenter/conf
• 日志目录:/usrAocal/snortcenter/log
• 策略目录:/usr/local/snortcenter/rules
接着,你还需为SnortCenter创建一个SSL证书。
用下面的命令行创建它:
#openssl req -new -x509 -days 365 -nodes -out snortcenter.pem
-keyout snortcenter. pem
将snortcenter.pem文件复制到/usr/local/snortcenter/conf
目录下。现在你就可以准备安装SnortCenter传感器代理了,
在http://users.pandora.be/larc/download/下载合适的版本。
将文件解压并移动到/usr/local/snortcenter/目录下。
运行安装的shell脚本:
#./setup.sh
安装脚本会向你提出许多问题。你已经为Snort和SnortCenter
创建所需的文件夹,当询问时依次输入这些目录。代理可以运行在
任何端口上的,可以任意指定,但要记住你选择的是哪一个端口。
指定SnortCeneter管理和侦听的网卡IP地址。当出现启用SSL选项时,
选择Yes。你也应该注意记住代理的登录名和口令,在管理器控制台
中输入认证信息。最后的选项是设置Snort服务器的IP地址。
这样就完成了SnortCenter传感器代理的安装。重复这个安装过程,
为你的Snort环境中的每个传感器安装代理。
注意配置snortcenter要想升级传感器的多种配置,必须首先
在snortcenter管理控制台中添加他们1、SnortCenter的安装
前提是要安装并配置好Acid,因此你应该预先在作为Snort服务--
--器的机器上安装MySQL,Apache,PHP,ADODB和OpenSSL。
你可以将SnortCenter安装在Linux系统上了。
1.1、SnortCenter管理控制台
在安装SnortCenter之前惟一还需要安装的软件包是cURL,
这是一个不需要用户干涉通过URL传输文件的命令行工具,它用于管理
和控制Snort传感器。你可以通过如下命令行检查在Red Hat上
是否安装了该软件包:
Rpm -qa grep curl
该命令行将会查询包含了curl字符串的软件包,如果你没有
安装cURL,可以去网上下载。
下一步在WEB根目录下建立snortcenter目录,将下载文件
包解压到这个目录里,然后就通过配置config.php
文件来配置SnortCenter 。
对于这个配置文件需要说明的有以下几点:
• DBlib_path设定Adodb库的位置。
• url_path该变量应设为cURL可执行文件的位置。
• DBtype这里设置你所安装的数据库的类型
• DB_dbname这是你在下一步中要创建的SnortCenter数据库名
• DB_host DB_host是Snort服务器的主机名。如果SnortCenter
管理控制台和数据库安装在同一台计算机上,应将该参数设为localhost;
• DB_user SnortCenter登录数据库所用的帐号。
• DB_ password数据库—用户的密码;
• DB_ port DB_ port是数据库运行的端口号。
保存修改并关闭config.php,下一个任务是建立DB_dbname
变量指定的数据库,首先需要登录MysqL数据库,然后
创建SnortCenter数据库,命令如下:
>create database snortcenter;
创建好数据库之后,在Web浏览器中就可以
看到SnortCenter管理控制台(地址为https:
//localhost/snortcenter)了。这里建立了SnortCenter需要
的所有表。你也可以用位于tarball的snortcenter db.Mysql脚本
创建它们。这就完成了SnortCenter管理控制台部分的安装。
第一次登录时,你需修改用户名admin和口令。
1.2、安装SnortCenter传感器代理
要完成SnortCenter的安装,还需在你想用SnortCenter管理
的传感器上安装SnortCenter传感器代理。安装基于UNIX的代理
需要Perl、OpenSSL和Perl模块Net::SSLeay。前面我们已经在
传感器上安装了OpenSSL和Perl,现在只需要进行Net::SSLeay模块
的安装。你可以在网址http://search.cpan.org下载该模块。
下载并安装Net::SSLeay,首先在源目录下执行下列命令:
Perl Makefile.pl
Make install
安装好Net::SSLeay模块后,需创建SnortCenter传感器
代理所用的目录,即创建下列目录:
• 程序目录:/usr/local/snortcenter
• 配置目录:/usr/local/snortcenter/conf
• 日志目录:/usrAocal/snortcenter/log
• 策略目录:/usr/local/snortcenter/rules
接着,你还需为SnortCenter创建一个SSL证书。
用下面的命令行创建它:
#openssl req -new -x509 -days 365 -nodes -out snortcenter.pem
-keyout snortcenter. pem
将snortcenter.pem文件复制到/usr/local/snortcenter/conf目录下。
现在你就可以准备安装SnortCenter传感器代理了,在http://users.pandora.be/larc/download/下载合适的版本。
将文件解压并移动到/usr/local/snortcenter/目录下。
运行安装的shell脚本:
#./setup.sh
安装脚本会向你提出许多问题。你已经为Snort和SnortCenter创建
所需的文件夹,当询问时依次输入这些目录。代理可以运行在任何
端口上的,可以任意指定,但要记住你选择的是哪一个端口。
指定SnortCeneter管理和侦听的网卡IP地址。当出现启用SSL选项时,
选择Yes。你也应该注意记住代理的登录名和口令,在管理器控制台中
输入认证信息。最后的选项是设置Snort服务器的IP地址。这样就完成
了SnortCenter传感器代理的安装。重复这个安装过程,为你的Snort
环境中的每个传感器安装代理。
注意配置snortcenter要想升级传感器的多种配置,必须首先
在snortcenter管理控制台中添加他们
****1, SnortCenter installation
The premise is to install and configure Acid, so you should advance as Snort server installed on the machine MySQL, Apache, PHP, ADODB and OpenSSL. You can SnortCenter installed on a Linux system.
1.1, SnortCenter Management Console
Before installing SnortCenter only need to install the package is cURL, which is a URL does not require user intervention to transfer files via the command-line tool that is used to manage and control the Snort sensors. You can use the following command line check on Red Hat whether the package is installed:
Rpm-qa grep curl
This command line will query string contains a curl package, and if you do not install cURL, you can go online to download.
The next step in the WEB root directory create snortcenter directory, unpack the downloaded files into this directory, and then configure the config.php file to configure SnortCenter.
For this configuration file to note the following points:
• DBlib_path set Adodb library.
• url_path cURL the variable should be set to the location of the executable file.
• DBtype here to set your type of database installed
• DB_dbname This is your next step in the name of the database to be created SnortCenter
• DB_host DB_host is Snort server's host name. If SnortCenter management console and database installed on the same computer, you should set this parameter to localhost;
• DB_user SnortCenter login account used by the database.
• DB_ password database - the user's password;
• DB_ port DB_ port is the port number of the database is running.
Save the changes and close the config.php, the next task is to establish DB_dbname variable specified database, you first need to log in MysqL database, and then create SnortCenter database, the command is as follows:
> Create database snortcenter;
After the database is created in a Web browser, you can see SnortCenter Management Console (address https://localhost/snortcenter) a. Established here SnortCenter need all the tables. You can also use the script in the tarball snortcenter db.Mysql create them. This completes the part of the installation SnortCenter management console. The first time you log in, you need to modify the user name admin and password.
1.2, the installation SnortCenter sensor agents
To complete the installation SnortCenter, they need you want to use SnortCenter management sensors installed on SnortCenter sensor agents. Installing UNIX-based agents need Perl, OpenSSL and Perl module Net :: SSLeay. We've already installed on the sensor OpenSSL and Perl, and now only need Net :: SSLeay module installation. You can download the module in the URL http://search.cpan.org.
Download and install Net :: SSLeay, first in the source directory, run the following command:
Perl Makefile.pl
Make install
Install Net :: SSLeay module, you need to create SnortCenter directory used by the sensor agents that create the following directories:
• program directory :/ usr / local / snortcenter
• configuration directory :/ usr / local / snortcenter / conf
• log directory :/ usrAocal / snortcenter / log
• Strategic directory :/ usr / local / snortcenter / rules
Then, you need to create an SSL certificate for the SnortCenter. With the following command line to create it:
# Openssl req-new-x509-days 365-nodes-out snortcenter.pem-keyout snortcenter. Pem
The snortcenter.pem copy files to / usr / local / snortcenter / conf directory. Now you're ready to install SnortCenter sensor agents, and in http://users.pandora.be/larc/download/ download the appropriate version.
Unzip the file and move it to / usr / local / snortcenter / directory. Run the installation shell script:
#. / Setup.sh
The installation script will ask you many questions. Snort and SnortCenter you've created the desired folder, when asked when the turn enter these directories. Agents can run on any port, and can be arbitrary, but remember that you choose which one port. Specify SnortCeneter management and listening NIC IP address. When the Enable SSL option, select Yes. You should also pay attention to remember proxy login name and password in the management console, enter authentication information. Snort last option is to set the IP address of the server. This completes the installation of SnortCenter sensor agent. Repeat the installation procedure for your Snort sensor is installed in each environment agency.
Note that in order to upgrade the sensor configuration snortcenter multiple configurations, you must first add them snortcenter Management Console1, SnortCenter installation
The premise is to install and configure Acid, so you should advance as Snort server installed on the machine MySQL, Apache, PHP, ADODB and OpenSSL. You can SnortCenter installed on a Linux system.
1.1, SnortCenter Management Console
Before installing SnortCenter only need to install the package is cURL, which is a URL does not require user intervention to transfer files via the command-line tool that is used to manage and control the Snort sensors. You can use the following command line check on Red Hat whether the package is installed:
Rpm-qa grep curl
This command line will query string contains a curl package, and if you do not install cURL, you can go online to download.
The next step in the WEB root directory create snortcenter directory, unpack the downloaded files into this directory, and then configure the config.php file to configure SnortCenter.
For this configuration file to note the following points:
• DBlib_path set Adodb library.
• url_path cURL the variable should be set to the location of the executable file.
• DBtype here to set your type of database installed
• DB_dbname This is your next step in the name of the database to be created SnortCenter
• DB_host: the host name of the Snort server running the database. If the SnortCenter management console and the database are on the same machine, set this to localhost;
• DB_user: the account SnortCenter uses to log in to the database;
• DB_password: that user's database password;
• DB_port: the port the database listens on.
Save the changes and close config.php. The next task is to create the database named in DB_dbname: log in to MySQL and create the SnortCenter database with the following command:
> create database snortcenter;
Once the database exists, open the SnortCenter management console in a web browser (https://localhost/snortcenter). On first access it creates all the tables SnortCenter needs; you can also create them with the snortcenter_db.mysql script shipped in the tarball. This completes the installation of the SnortCenter management console. The first time you log in, change the default admin user name and password.
1.2, Installing the SnortCenter sensor agents
To complete the SnortCenter installation, install the SnortCenter sensor agent on every sensor you want to manage from SnortCenter. The UNIX agent needs Perl, OpenSSL and the Perl module Net::SSLeay. OpenSSL and Perl are already installed on the sensor, so only Net::SSLeay remains; download it from http://search.cpan.org.
Download and unpack Net::SSLeay, then run the following in its source directory:
perl Makefile.PL
make install
After installing Net::SSLeay, create the directories the sensor agent uses:
• program directory: /usr/local/snortcenter
• configuration directory: /usr/local/snortcenter/conf
• log directory: /usr/local/snortcenter/log
• rules directory: /usr/local/snortcenter/rules
Next, create an SSL certificate for the sensor agent with the following command:
# openssl req -new -x509 -days 365 -nodes -out snortcenter.pem -keyout snortcenter.pem
Copy snortcenter.pem into /usr/local/snortcenter/conf. You are now ready to install the sensor agent: download the appropriate version from http://users.pandora.be/larc/download/.
Unpack the archive, move its contents into /usr/local/snortcenter/, and run the setup script:
# ./setup.sh
The setup script asks a number of questions. When it asks for the Snort and SnortCenter directories, enter the ones you created above. The agent can listen on any port you choose, but make a note of which one. Specify the IP address of the NIC on which the agent listens for the SnortCenter management console. When asked whether to enable SSL, answer Yes. Remember the agent login name and password, because you must enter them in the management console when you add the sensor. The last option is the IP address of the Snort server (the host running the management console). This completes the installation of the sensor agent; repeat the procedure on every Snort sensor in your environment.
Note that before you can push configuration changes to the sensors, you must first add each of them in the SnortCenter management console.
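The directory and certificate steps of the agent installation above, as an added example that is not from the original article or the SnortCenter project: a POSIX shell script that creates the four directories, generates the self-signed PEM the same way the article's openssl command does, and then checks something the article does not mention. Because -nodes leaves the private key unencrypted inside snortcenter.pem, that file must be readable by its owner only, and a certificate issued for 365 days needs an expiry check before it lapses. The PREFIX argument, the subject name /CN=snortcenter-sensor, the 2048-bit key size, the 0600 mode and the 30-day expiry margin are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the article or of SnortCenter: prepares a Snort
# sensor for the SnortCenter agent and locks down the PEM that holds the
# unencrypted private key. PREFIX defaults to the article's
# /usr/local/snortcenter and can be overridden to rehearse in a scratch dir.
# Assumptions made here (not from the article): the subject name, the
# 2048-bit RSA key, mode 0600 and the 30-day expiry margin.

set -u

prepare_sensor_agent() {
    prefix="${1:-/usr/local/snortcenter}"
    days="${2:-365}"
    pem="$prefix/conf/snortcenter.pem"

    # Directory tree from the article: program, conf, log, rules.
    for d in "" conf log rules; do
        mkdir -p "$prefix/$d" || return 1
    done

    # Self-signed certificate and key written into ONE file, as in the
    # article (openssl appends the cert when -out and -keyout match).
    # -subj avoids the interactive prompts; umask 077 makes the file
    # private from the moment it is created.
    (umask 077 && openssl req -new -x509 -days "$days" -nodes \
        -newkey rsa:2048 -subj "/CN=snortcenter-sensor" \
        -out "$pem" -keyout "$pem" 2>/dev/null) || return 1
    chmod 600 "$pem" || return 1
    printf '%s\n' "$pem"
}

# Post-install checks an operator should run (and repeat from cron):
# the PEM must contain both a certificate and a private key, be readable
# only by its owner, and stay valid for at least $2 more seconds
# (default 2592000 = 30 days). Returns non-zero on the first failure.
check_sensor_pem() {
    pem="$1"
    min_secs="${2:-2592000}"
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem"; return 1; }
    grep -q 'PRIVATE KEY' "$pem"       || { echo "no private key in $pem"; return 1; }
    # GNU stat first, BSD stat as fallback; either yields the octal mode.
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    [ "$mode" = "600" ] || { echo "$pem is mode $mode, want 600"; return 1; }
    # -checkend exits non-zero if the cert expires within min_secs seconds.
    openssl x509 -in "$pem" -noout -checkend "$min_secs" >/dev/null \
        || { echo "$pem expires within $min_secs seconds"; return 1; }
    echo "$pem OK (mode 600, valid for at least $min_secs s)"
}
```

Run prepare_sensor_agent as root with no arguments to get the article's /usr/local/snortcenter layout, or with a scratch directory to rehearse; then point check_sensor_pem at the resulting file and keep running it periodically so the 365-day certificate does not expire unnoticed.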