Original article: http://drops.wooyun.org/tips/413

0x00 Preparation


I did a minimal install of CentOS 6.2 and updated it from the 163 mirror, so the following dependency packages still have to be installed (all sources downloaded below are unpacked in ~/ids):

$ sudo yum install gcc make pcre pcre-devel libpcap libpcap-devel
                    

iptables and ip6tables are also stopped and disabled:

$ sudo service iptables stop
$ sudo service ip6tables stop
$ sudo chkconfig --level 2345 iptables off
$ sudo chkconfig --level 2345 ip6tables off

This is the simplest option for a lab box. On a sensor that stays up, keep the firewall and open only what is needed (80/tcp for Base); the capture interface needs no rules, since libpcap sees packets before netfilter filters them.
                    

Software to download:

                    Suricata
                    http://www.openinfosecfoundation.org/index.php/downloads
                    Barnyard 2
                    http://www.securixlive.com/barnyard2/
                    Base
                    http://base.secureideas.net/
                    yaml
                    http://pyyaml.org/
                    adodb
                    http://sourceforge.net/projects/adodb/
                    rules
                    http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
                    Image_Canvas
                    http://download.pear.php.net/package/Image_Canvas-0.3.3.tgz
                    Image_Graph
                    http://download.pear.php.net/package/Image_Graph-0.8.0.tgz
                    

0x01 Setting up the APM environment


Base needs an APM (Apache, PHP, MySQL) stack, which is installed with yum:

$ sudo yum install httpd php mysql mysql-server mysql-devel php-mysql php-gd php-pear
                    

Start the httpd and mysql services:

$ sudo /etc/init.d/httpd start
$ sudo /etc/init.d/mysqld start
                    

The default web root is /var/www/html; create a phpinfo() test file there to confirm the setup is correct, and delete it again once checked (it discloses the server configuration to anyone who can reach it).

PS: after installation the MySQL root account has an empty password. Set one with the command below (press Enter at the password prompt, since the current password is empty), or run mysql_secure_installation, which also removes the anonymous accounts and the test database:

$ mysqladmin -uroot -p password [new password]
                    

0x02 Installing Barnyard 2


Installation steps:

$ cd ~/ids
$ tar zxvf barnyard2-1.9.tar.gz
$ cd barnyard2-1.9
$ ./configure --with-mysql
$ make
$ sudo make install
                    

0x03 Installing Suricata


Suricata depends on libyaml, so build that first:

$ cd ~/ids
$ tar zxvf yaml-0.1.4.tar.gz
$ cd yaml-0.1.4
$ ./configure
$ make
$ sudo make install

Then Suricata itself:

$ cd ~/ids
$ tar zxvf suricata-1.1.1.tar.gz
$ cd suricata-1.1.1
$ ./configure
$ make
$ sudo make install
                    

0x04 Configuring Suricata and Barnyard 2


Configuring Barnyard 2

Copy etc/barnyard2.conf from the Barnyard 2 source tree into the Suricata config directory. Create /etc/suricata first if it does not exist yet, otherwise cp produces a regular file named /etc/suricata instead:

$ cd ~/ids/barnyard2-1.9
$ sudo mkdir -p /etc/suricata
$ sudo cp etc/barnyard2.conf /etc/suricata/

Create the barnyard2 log directory /var/log/barnyard2:

$ sudo mkdir /var/log/barnyard2
                    

Configuring the database

Create the database and an account for it (ids123 is the password used in this article; choose your own):

$ mysql -uroot -p
mysql> create database ids;
mysql> grant create,select,update,insert,delete on ids.* to ids@localhost identified by 'ids123';

schemas/create_mysql in the Barnyard 2 source tree is the SQL file that creates the tables; load it as follows:

$ mysql -uids -p -Dids < ~/ids/barnyard2-1.9/schemas/create_mysql
                    

Configuring Suricata

Create the Suricata config and log directories:

$ sudo mkdir -p /var/log/suricata
$ sudo mkdir -p /etc/suricata

Copy the rules into the Suricata config directory:

$ cd ~/ids
$ tar zxvf emerging.rules.tar.gz
$ sudo cp -R rules/ /etc/suricata/

Copy suricata.yaml, classification.config and reference.config from the Suricata source tree into the Suricata config directory:

$ cd ~/ids/suricata-1.1.1
$ sudo cp suricata.yaml classification.config reference.config /etc/suricata/
                    

Edit barnyard2.conf:

$ cd /etc/suricata/
$ sudo vim barnyard2.conf

Find the following lines:

                    config reference_file:      /etc/snort/reference.config
                    config classification_file: /etc/snort/classification.config
                    config gen_file:            /etc/snort/gen-msg.map
                    config sid_file:                /etc/snort/sid-msg.map
                    

and change them to:

                    config reference_file:      /etc/suricata/reference.config
                    config classification_file: /etc/suricata/classification.config
                    config gen_file:            /etc/suricata/rules/gen-msg.map
                    config sid_file:            /etc/suricata/rules/sid-msg.map
                    

Also append the following line at the end of the file, filling in the MySQL database name, account and password from the previous step:

output database: log, mysql, user=ids password=ids123 dbname=ids host=localhost
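A check worth running before barnyard2 is started, added here as an example and not code from the original article or from barnyard2: every file that barnyard2.conf points at must exist, and without the output database line nothing reaches MySQL and Base stays empty. The script verifies both. It builds a constructed copy of the five edited lines in a temporary directory so it runs offline; on the sensor, point validate_barnyard2_conf at /etc/suricata/barnyard2.conf instead.

```shell
#!/bin/sh
# Added example (not from the original article or from barnyard2):
# sanity-check a barnyard2.conf before starting barnyard2.
#   - every "config <name>_file: <path>" must point at a readable file
#     (reference.config, classification.config, gen-msg.map, sid-msg.map)
#   - exactly one "output database:" line must be present
# Returns 0 when the config is usable, 1 otherwise, naming each problem.
validate_barnyard2_conf() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 1
    fi
    # paths are split on whitespace; paths containing spaces are not handled
    for path in $(sed -n 's/^config [a-z_]*_file:[[:space:]]*//p' "$conf"); do
        if [ ! -r "$path" ]; then
            echo "missing: $path" >&2
            rc=1
        fi
    done
    n=$(grep -c '^output database:' "$conf" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one 'output database:' line, found $n" >&2
        rc=1
    fi
    return $rc
}

# Constructed fixture: a throw-away /etc/suricata look-alike holding the four
# rewritten path lines plus the output line, so the check runs offline.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rules"
    for f in reference.config classification.config rules/gen-msg.map rules/sid-msg.map; do
        : > "$dir/$f"
    done
    cat > "$dir/barnyard2.conf" <<EOF
config reference_file:      $dir/reference.config
config classification_file: $dir/classification.config
config gen_file:            $dir/rules/gen-msg.map
config sid_file:            $dir/rules/sid-msg.map
output database: log, mysql, user=ids password=ids123 dbname=ids host=localhost
EOF
    echo "$dir"
}

# Demo: the complete fixture passes; the same fixture without sid-msg.map fails.
demo_dir=$(make_fixture)
validate_barnyard2_conf "$demo_dir/barnyard2.conf" && echo "barnyard2.conf OK"
rm -f "$demo_dir/rules/sid-msg.map"
validate_barnyard2_conf "$demo_dir/barnyard2.conf" || echo "barnyard2.conf rejected, as expected"
rm -rf "$demo_dir"
```

The sed expression only looks at `config *_file:` directives, so the other `config` lines in a real barnyard2.conf (logdir, hostname, interface) are ignored.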
                    

Edit suricata.yaml:

$ sudo vim suricata.yaml

Find the line

HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

and adjust it to your network; here I changed it to

HOME_NET: "[192.168.0.0/16]"
                    

Find the following block:

                    host-os-policy:
                      # Make the default policy windows.
                      windows: [0.0.0.0/0]
                      bsd: []
                      bsd_right: []
                      old_linux: []
                      linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
                      old_solaris: []
                      solaris: ["::1"]
                      hpux10: []
                      hpux11: []
                      irix: []
                      macos: []
                      vista: []
                      windows2k3: []
                    

and adjust it to your network: the addresses shipped in the file are only examples, and the windows entry with 0.0.0.0/0 is the catch-all for every host not listed elsewhere.

Starting Suricata and Barnyard 2

$ sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
$ sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 -D

The -i argument to suricata is the interface that receives the mirrored traffic; -D runs both programs as daemons.

To test that suricata is working, run:

$ curl www.testmyids.com

Afterwards the sizes of fast.log, suricata.waldo and unified2.alert* in /var/log/suricata change, and fast.log contains lines like the following, which shows suricata is working. The first alert is triggered by our outbound request, the second by the reply, so seeing both confirms the sensor sees both directions of the mirrored traffic:

01/12/2012-02:16:27.964981  [**] [1:2013028:3] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.230.100:56260 -> 217.160.51.31:80
01/12/2012-02:16:28.309707  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80 -> 192.168.230.100:56260
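The check above turned into a script, added here as an example rather than code from the original article or from Suricata: it reads a fast.log, pulls the gid:sid and the flow out of every alert line, confirms that both testmyids signatures fired, and lists alert counts per signature as a starting point for the rule tuning mentioned at the end of the article. The two sample lines are the ones quoted above, written to a temporary file so the script runs offline; on the sensor, pass /var/log/suricata/fast.log instead.

```shell
#!/bin/sh
# Added example (not from the original article or from Suricata): confirm from
# fast.log that the www.testmyids.com check produced both expected alerts.

# Print "gid:sid src -> dst" for every alert line; revision, message and
# classification are dropped and lines in another format are skipped.
fast_log_flows() {
    sed -n 's/^.*\[\*\*\] \[\([0-9]*:[0-9]*\):[0-9]*\] .*{[A-Z]*} \([^ ]*\) -> \([^ ]*\)$/\1 \2 -> \3/p' "$1"
}

# Return 0 when signature $2 (as gid:sid) appears in fast.log $1.
has_sid() {
    fast_log_flows "$1" | grep -q "^$2 "
}

# Alert counts per signature, busiest first: the noisy ones at the top are
# the candidates for tuning once the sensor has run for a while.
top_sids() {
    fast_log_flows "$1" | cut -d' ' -f1 | sort | uniq -c | sort -rn
}

# The testmyids check is only complete when both directions were seen:
#   1:2013028  ET POLICY curl User-Agent Outbound          (our request)
#   1:2100498  GPL ATTACK_RESPONSE id check returned root   (the reply)
# Only the first firing usually means the mirror port or the -i interface
# carries just one direction of the traffic.
check_testmyids() {
    rc=0
    if ! has_sid "$1" 1:2013028; then
        echo "outbound curl alert (1:2013028) not found: sensor did not see the request" >&2
        rc=1
    fi
    if ! has_sid "$1" 1:2100498; then
        echo "'id check returned root' alert (1:2100498) not found: reply direction not seen" >&2
        rc=1
    fi
    return $rc
}

# Constructed input: the two fast.log lines quoted in the article.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
01/12/2012-02:16:27.964981  [**] [1:2013028:3] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.230.100:56260 -> 217.160.51.31:80
01/12/2012-02:16:28.309707  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80 -> 192.168.230.100:56260
EOF
    echo "$f"
}

sample=$(make_sample_log)
check_testmyids "$sample" && echo "both testmyids signatures seen: sensor sees both directions"
top_sids "$sample"
rm -f "$sample"
```

Run it as `sh check_testmyids.sh` right after the curl; a non-zero exit with only the second message missing points at the mirror configuration rather than at Suricata.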
                    

0x05 Configuring Base


Base needs adodb and the Image_Canvas and Image_Graph graphing components. Configuration steps:

Unpack adodb514.zip:

$ cd ~/ids
$ unzip adodb514.zip

Copy adodb5 to /usr/local/lib/ (any directory will do; note the path, it is needed later):

$ sudo cp -R adodb5 /usr/local/lib/

Install Image_Canvas and Image_Graph:

$ sudo pear install Image_Canvas-0.3.3.tgz
$ sudo pear install Image_Graph-0.8.0.tgz

Unpack base-1.4.5.tar.gz:

$ tar zxvf base-1.4.5.tar.gz

Copy base-1.4.5 to /var/www/html/base:

$ sudo cp -R base-1.4.5 /var/www/html/base

Change the owner of /var/www/html/base to apache (the setup wizard writes base_conf.php into this directory; once setup is finished the tree can be owned by root again, with only base_conf.php readable by apache):

$ cd /var/www/html/
$ sudo chown -R apache:apache base

                    然后通過瀏覽器訪問http://192.168.230.100/base

                    ?enter image description here

                    根據頁面中紅色的部分提示來進行操作。

Edit php.ini:

$ sudo vim /etc/php.ini

Find

error_reporting = E_ALL & ~E_DEPRECATED

and change it to:

error_reporting = E_ALL & ~E_DEPRECATED & ~E_NOTICE

Reload the Apache configuration:

$ sudo /etc/init.d/httpd reload
                    

                    然后點擊“Continue”到下一步 ? enter image description here

                    選擇語言,和前面我們的adodb5的路徑,然后點擊“Continue” ? enter image description here

                    填寫mysql相關信息,點擊“Continue”繼續 ? enter image description here

                    填寫認證的相關信息,如果需要驗證身份,請勾上“Use Authentication System”,點擊“Continue” ? enter link description here

                    點擊“Create BASE AG” ? enter image description here

                    點擊“step 5”,跳到首頁。

                    enter image description here ?

                    0x06 最后


                    以上是整個安裝過程,IDS的價值在于規則設置的是否合適,根據實際情況設置合適的規則才能夠體現IDS的強大。規則的設置見以后的文章。
