CentOS 6.2下安装基于Suricata + Barnyard 2 + Base的入侵检测系
来源:http://hi.baidu.com/pia_ca/blog/item/2767d3f386376edd7931aa28.html 一、前言 算了,这部分就省了吧。下面直奔主题。 二、准备工作 CentOS 6.2 我是最小化安装,同时使用 163 的源进行 update ,所以还需要安装如下的依赖包: [piaca@piaca ~]$ sud
来源:http://hi.baidu.com/pia_ca/blog/item/2767d3f386376edd7931aa28.html
一、 前言
算了,这部分就省了吧。下面直奔主题。
二、 准备工作
CentOS 6.2我是最小化安装,同时使用163的源进行update,所以还需要安装如下的依赖包:
[piaca@piaca ~]$ sudo yum install gcc make pcre pcre-devel libpcap libpcap-devel
同时需要关闭iptables、ip6tables:
[piaca@piaca ~]$ sudo service iptables stop
[piaca@piaca ~]$ sudo service ip6tables stop
[piaca@piaca ~]$ sudo chkconfig --level 2345 iptables off
[piaca@piaca ~]$ sudo chkconfig --level 2345 ip6tables off
需要下载的软件:
Suricata
http://www.openinfosecfoundation.org/index.php/downloads
Barnyard 2
http://www.securixlive.com/barnyard2/
Base
http://base.secureideas.net/
yaml
http://pyyaml.org/
adodb
http://sourceforge.net/projects/adodb/
rules
http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Image_Canvas
http://download.pear.php.net/package/Image_Canvas-0.3.3.tgz
Image_Graph
http://download.pear.php.net/package/Image_Graph-0.8.0.tgz
三、 配置APM环境
Base需要APM(Apache、PHP、Mysql)环境,通过yum来进行安装。
[piaca@piaca ids]$ sudo yum install httpd php mysql mysql-server mysql-devel php-mysql php-gd php-pear
启动httpd、mysql服务
[piaca@piaca ids]$ sudo /etc/init.d/httpd start
[piaca@piaca ids]$ sudo /etc/init.d/mysqld start
默认的web根目录是/var/www/html,在此目录新建phpinfo测试文件,来确认配置是否正确。
PS:mysql安装后root账号默认口令为空,通过下面命令可以修改root账号口令
[piaca@piaca ~]$ mysqladmin -uroot -p password [新密码]
四、 安装Barnyard 2
安装过程如下:
[piaca@piaca ids]$ tar zxvf barnyard2-1.9.tar.gz
[piaca@piaca ids]$ cd barnyard2-1.9
[piaca@piaca barnyard2-1.9]$ ./configure --with-mysql
[piaca@piaca barnyard2-1.9]$ make
[piaca@piaca barnyard2-1.9]$ sudo make install
五、 安装Suricata
安装过程如下:
Suricata需要依赖yaml,首先安装yaml
[piaca@piaca ids]$ tar zxvf yaml-0.1.4.tar.gz
[piaca@piaca ids]$ cd yaml-0.1.4
[piaca@piaca yaml-0.1.4]$ ./configure
[piaca@piaca yaml-0.1.4]$ make
[piaca@piaca yaml-0.1.4]$ sudo make install
[piaca@piaca ids]$ tar zxvf suricata-1.1.1.tar.gz
[piaca@piaca ids]$ cd suricata-1.1.1
[piaca@piaca suricata-1.1.1]$ ./configure
[piaca@piaca suricata-1.1.1]$ make
[piaca@piaca suricata-1.1.1]$ sudo make install
六、 配置Suricata、Barnyard 2
配置Barnyard 2
把Barnyard 2安装源文件中的etc/barnyard2.conf文件拷贝到Suricata的配置目录下
[piaca@piaca ids]$ cd barnyard2-1.9
[piaca@piaca barnyard2-1.9]$ sudo cp etc/barnyard2.conf /etc/suricata/
创建barnyard2日志目录/var/log/barnyard2
[piaca@piaca ~]$ sudo mkdir /var/log/barnyard2
配置数据库
需要创建数据库和相应的账号
[piaca@piaca ~]$ mysql -uroot –p
mysql> create database ids;
mysql> grant create,select,update,insert,delete on ids.* to ids@localhost identified by 'ids123';
Barnyard 2安装源文件中的schemas/create_mysql是创建表的sql文件,通过如下方式建表:
[piaca@piaca ~]$ mysql -uids -p -Dids
配置Suricata
创建Suricata配置目录和日志目录
[piaca@piaca ~]$ sudo mkdir /var/log/suricata
[piaca@piaca ~]$ sudo mkdir /etc/suricata
把规则文件拷贝到Suricata配置目录下
[piaca@piaca ids]$ tar zxvf emerging.rules.tar.gz
[piaca@piaca ids]$ sudo cp -R rules/ /etc/suricata/
把Suricata安装源文件中的suricata.yaml/classification.config/reference.config文件拷贝到Suricata的配置目录下
[piaca@piaca ids]$ cd suricata-1.1.1
[piaca@piaca suricata-1.1.1]$ sudo cp suricata.yaml classification.config reference.config /etc/suricata/
编辑barnyard2.conf文件
[piaca@piaca ~]$ cd /etc/suricata/
[piaca@piaca suricata]$ sudo vim barnyard2.conf
找到下面的内容
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
更改红色的内容如下:
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
同时在文件的末尾添加如下行,红色的mysql数据库、账号信息根据实际情况填写
output database: log, mysql, user=ids password=ids123 dbname=ids host=localhost
编辑suricata.yaml文件
[piaca@piaca suricata]$ sudo vim suricata.yaml
找到HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"这一行,根据实际的网络情况来修改,在这里我修改为HOME_NET: "[192.168.0.0/16]"
找到下面的内容:
host-os-policy:
# Make the default policy windows.
windows: [0.0.0.0/0]
bsd: []
bsd_right: []
old_linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old_solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
根据实际网络情况修改。
启动Suricata、Barnyard 2
[piaca@piaca ~]$ sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
[piaca@piaca ~]$ sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 -D
启动suricata的-i参数是镜像流量的网卡。
测试suricata工作是否正常,可以通过如下命令:
[piaca@piaca suricata]$ curl www.testmyids.com
执行后,/var/log/suricata目录下的fast.log/suricata.waldo/unified2.alert*文件大小发生变化,同时查看fast.log文件有如下类似的内容则表示suricata工作正常:
01/12/2012-02:16:27.964981 [**] [1:2013028:3] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Informa
tion Leak] [Priority: 2] {TCP} 192.168.230.100:56260 -> 217.160.51.31:80
01/12/2012-02:16:28.309707 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potential
ly Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80 -> 192.168.230.100:56260
七、 配置Base
Base需要用到adodb以及Image_Canvas、Image_Graph绘图组件,配置过程如下:
解压adodb514.zip
[piaca@piaca ids]$ unzip adodb514.zip
把adodb5拷贝到/usr/local/lib/目录下,这个目录随意指定,记下来后面要用到
[piaca@piaca ids]$ sudo cp -R adodb5 /usr/local/lib/
安装Image_Canvas、Image_Graph
[piaca@piaca ids]$ sudo pear install Image_Canvas-0.3.3.tgz
[piaca@piaca ids]$ sudo pear install Image_Graph-0.8.0.tgz
解压base-1.4.5.tar.gz
[piaca@piaca ids]$ tar zxvf base-1.4.5.tar.gz
拷贝base-1.4.5到/var/www/html目录下
[piaca@piaca ids]$ sudo cp -R base-1.4.5 /var/www/html/base
更改/var/www/html/base的属主为apache
[piaca@piaca ids]$ cd /var/www/html/
[piaca@piaca html]$ sudo chown -R apache:apache base
然后通过浏览器访问http://192.168.230.100/base
根据页面中红色的部分提示来进行操作。
修改php.ini
[piaca@piaca html]$ sudo vim /etc/php.ini
找到error_reporting = E_ALL & ~E_DEPRECATED内容,修改为如下:error_reporting = E_ALL & ~E_DEPRECATED & ~E_NOTICE
重新载入apache配置
[piaca@piaca html]$ sudo /etc/init.d/httpd reload
然后点击“Continue”到下一步
选择语言,和前面我们的adodb5的路径,然后点击“Continue”
填写mysql相关信息,点击“Continue”继续
填写认证的相关信息,如果需要验证身份,请勾上“Use Authentication System”,点击“Continue”
点击“Create BASE AG”
点击“step 5”,跳到首页。
八、 最后
以上是整个安装过程,IDS的价值在于规则设置的是否合适,根据实际情况设置合适的规则才能够体现IDS的强大。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1662
14
1419
52
1312
25
1262
29
1235
24
What are the backup methods for GitLab on CentOS
Apr 14, 2025 pm 05:33 PM
Backup and Recovery Policy of GitLab under CentOS System In order to ensure data security and recoverability, GitLab on CentOS provides a variety of backup methods. This article will introduce several common backup methods, configuration parameters and recovery processes in detail to help you establish a complete GitLab backup and recovery strategy. 1. Manual backup Use the gitlab-rakegitlab:backup:create command to execute manual backup. This command backs up key information such as GitLab repository, database, users, user groups, keys, and permissions. The default backup file is stored in the /var/opt/gitlab/backups directory. You can modify /etc/gitlab
Centos shutdown command line
Apr 14, 2025 pm 09:12 PM
The CentOS shutdown command is shutdown, and the syntax is shutdown [Options] Time [Information]. Options include: -h Stop the system immediately; -P Turn off the power after shutdown; -r restart; -t Waiting time. Times can be specified as immediate (now), minutes ( minutes), or a specific time (hh:mm). Added information can be displayed in system messages.
Difference between centos and ubuntu
Apr 14, 2025 pm 09:09 PM
The key differences between CentOS and Ubuntu are: origin (CentOS originates from Red Hat, for enterprises; Ubuntu originates from Debian, for individuals), package management (CentOS uses yum, focusing on stability; Ubuntu uses apt, for high update frequency), support cycle (CentOS provides 10 years of support, Ubuntu provides 5 years of LTS support), community support (CentOS focuses on stability, Ubuntu provides a wide range of tutorials and documents), uses (CentOS is biased towards servers, Ubuntu is suitable for servers and desktops), other differences include installation simplicity (CentOS is thin)
How to optimize CentOS HDFS configuration
Apr 14, 2025 pm 07:15 PM
Improve HDFS performance on CentOS: A comprehensive optimization guide to optimize HDFS (Hadoop distributed file system) on CentOS requires comprehensive consideration of hardware, system configuration and network settings. This article provides a series of optimization strategies to help you improve HDFS performance. 1. Hardware upgrade and selection resource expansion: Increase the CPU, memory and storage capacity of the server as much as possible. High-performance hardware: adopts high-performance network cards and switches to improve network throughput. 2. System configuration fine-tuning kernel parameter adjustment: Modify /etc/sysctl.conf file to optimize kernel parameters such as TCP connection number, file handle number and memory management. For example, adjust TCP connection status and buffer size
Centos configuration IP address
Apr 14, 2025 pm 09:06 PM
Steps to configure IP address in CentOS: View the current network configuration: ip addr Edit the network configuration file: sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0 Change IP address: Edit IPADDR= Line changes the subnet mask and gateway (optional): Edit NETMASK= and GATEWAY= Lines Restart the network service: sudo systemctl restart network verification IP address: ip addr
How to install mysql in centos7
Apr 14, 2025 pm 08:30 PM
The key to installing MySQL elegantly is to add the official MySQL repository. The specific steps are as follows: Download the MySQL official GPG key to prevent phishing attacks. Add MySQL repository file: rpm -Uvh https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm Update yum repository cache: yum update installation MySQL: yum install mysql-server startup MySQL service: systemctl start mysqld set up booting
What are the common misunderstandings in CentOS HDFS configuration?
Apr 14, 2025 pm 07:12 PM
Common problems and solutions for Hadoop Distributed File System (HDFS) configuration under CentOS When building a HadoopHDFS cluster on CentOS, some common misconfigurations may lead to performance degradation, data loss and even the cluster cannot start. This article summarizes these common problems and their solutions to help you avoid these pitfalls and ensure the stability and efficient operation of your HDFS cluster. Rack-aware configuration error: Problem: Rack-aware information is not configured correctly, resulting in uneven distribution of data block replicas and increasing network load. Solution: Double check the rack-aware configuration in the hdfs-site.xml file and use hdfsdfsadmin-printTopo
What steps are required to configure CentOS in HDFS
Apr 14, 2025 pm 06:42 PM
Building a Hadoop Distributed File System (HDFS) on a CentOS system requires multiple steps. This article provides a brief configuration guide. 1. Prepare to install JDK in the early stage: Install JavaDevelopmentKit (JDK) on all nodes, and the version must be compatible with Hadoop. The installation package can be downloaded from the Oracle official website. Environment variable configuration: Edit /etc/profile file, set Java and Hadoop environment variables, so that the system can find the installation path of JDK and Hadoop. 2. Security configuration: SSH password-free login to generate SSH key: Use the ssh-keygen command on each node
