上海工业软水处理设备:快速建立一个入侵检测系统

来源:百度文库 编辑:中财网 时间:2024/03/29 17:36:32

快速建立一个入侵检测系统

http://web.any2000.com 时间:2005年6月14日 点击: 1622 来源:未知 入侵检测系统也叫IDS=instrusion detection system,他常常被网络管理员用来检测网络受攻击的程度和频繁度,为他进行下一步的管理提供充足的资料。

  这里采用linux+snort,因为他们都是免费的,并且采用源码包安装

  软件下载

  libpcap http://www.tcpdump.org

  snort-1.9 http://www.snort.org

  首先你必须有root权限

  su

  passwd:**********

  由于snort需要libpcap,所以先安装他

  cd /usr/src

  tar zxvf libpcap-0.6.2.tar.gz

  tar zxvf snort-1.9.0.tar.gz

  [root@SEC src]# cd libpcap-0.6.2

  [root@SEC libpcap-0.6.2]# ./configure --prefix=/usr/local/libpcap-0.6.2

  [root@SEC libpcap-0.6.2]#make

  [root@SEC libpcap-0.6.2]#make install

  接着安装snort,如果不需要把日志写到mysql数据库的话,配置很简单

  [root@SEC libpcap-0.6.2]#cd ../snort-1.9.0

  [root@SEC snort-1.9.0]#./configure --prefix=/usr/local/snort19

  [root@SEC snort-1.9.0]#make

  [root@SEC snort-1.9.0]#make install

  OK,安装完毕,如果在上述安装过程中出现任何错误,请查看README文件

  接着,把当前目录下的etc目录和rules目录cp到snort的安装目录

  [root@SEC snort-1.9.0]#cp etc /usr/local/snort19 -r

  [root@SEC snort-1.9.0]#cp rules /usr/local/snort19 -r

  接着,把etc下的classification.config复制到/root/目录下

  再把etc里面的snort.conf复制到root目录下并改名为.snortrc

  [root@SEC snort-1.9.0]#cp etc/classification.config /root/

  [root@SEC snort-1.9.0]#cp etc/snort.conf /root/.snortrc

  现在编辑snort的配置文件.snortrc

  vi /root/.snortrc

  先在102行找到var RULE_PATH ../rules

  把他改成var RULE_PATH /usr/local/snort19/rules

  然后在590行看到

  include $RULE_PATH/bad-traffic.rules

  这些是SNORT的规则集,针对系统类型和网络环境选上你所需要的规则,OK,编辑完毕!

  接着为了方便,我们把snort的可执行程序复制/usr/sbin目录

  [root@SEC snort-1.9.0]#cp /usr/local/snort19/bin/snort /usr/sbin/snort

  最后为snort放日志创建一个目录

  [root@SEC snort-1.9.0]#mkdir /var/log/snort

马上测试一下

  [root@SEC snort-1.9.0]#snort

  Initializing Output Plugins!

  Log directory = /var/log/snort

  Initializing Network Interface eth0

  using config file /root/.snortrc

  Initializing Preprocessors!

  Initializing Plug-ins!

  Parsing Rules file /root/.snortrc

  等等的输出,如果你看到的是这样的,那么恭喜你,你成功了!

  下面让我们一起来看看snort的参数

  [root@SEC snort-1.9.0]# snort --help

  Initializing Output Plugins!

  snort: invalid option -- -

  -*> Snort! <*-

  Version 1.9.0 (Build 209)

  By Martin Roesch (roesch@sourcefire.com, www.snort.org)

  USAGE: snort [-options]

  Options:

  -A Set alert mode: fast, full, console, or none (alert file alerts only)

  "unsock" enables UNIX socket logging (experimental).

  -a Display ARP packets

  -b Log packets in tcpdump format (much faster!)

  -c Use Rules File

  -C Print out payloads with character data only (no hex)

  -d Dump the Application Layer

  -D Run Snort in background (daemon) mode

  -e Display the second layer header info

  -f Turn off fflush() calls after binary log writes

  -F Read BPF filters from file

  -g Run snort gid as group (or gid) after initialization

  -G Add reference ids back into alert msgs (modes: basic, url)

  -h Home network =

  -i Listen on interface

  -I Add Interface name to alert output

  -l Log to directory

  -m Set umask =

  -n Exit after receiving packets

  -N Turn off logging (alerts still work)

  -o Change the rule testing order to Pass Alert Log

  -O Obfuscate the logged IP addresses

  -p Disable promiscuous mode sniffing

  -P set explicit snaplen of packet (default: 1514)

  -q Quiet. Dont show banner and status report

  -r Read and process tcpdump file

  -R Include id in snort_intf.pid file name

  -s Log alert messages to syslog

  -S Set rules file variable n equal to value v

  -t

  Chroots process to

  after initialization

  -T Test and report on the current Snort configuration

  -u Run snort uid as user (or uid) after initialization

  -U Use UTC for timestamps

  -v Be verbose

  -V Show version number

  -w Dump 802.11 management and control frames

  -X Dump the raw packet data starting at the link layer

  -y Include year in timestamp in the alert and log files

  -z Set assurance mode, match on established sesions (for TCP)

  -? Show this information

  are standard BPF options, as seen in TCPDump

这里主要是要了解几个重要的参数

  -A 设置报警模式,是快速,完全,或者是控制台,亦或是不报警

  -a 捕获ARP包

  -b 使用tcpdump的格式来写入日志

  -c 指定配置文件路径

  -d 捕获应用层数据

  -D 后台运行snort

  -e 显示第二层头信息

  -h 设置监听主机

  -m 设置掩码

  -z 只匹配已经完全建立链接的会话

  我一般是使用

  snort -A fast -Db -e -z来运行snort的

  其他还有一些很有用的参数,而且可以在配置文件那让snort把日志写到mysql数据库,这样对日志的处理就可以很方便了

  如果需要知道更加多的信息,可以去www.snort.org看doc,或者看man page

  这里先截取一个日志片段来说明一些问题

  11/13-05:29:27.429801 UDP src: 24.24.146.64 dst: 202.196.64.30 sport: 1028 dport: 137 tgts: 6 ports: 6 event_id: 0

  11/13-05:29:27.759801 UDP src: 24.24.146.64 dst: 202.196.64.32 sport: 1028 dport: 137 tgts: 7 ports: 7 event_id: 471

  11/13-05:29:34.279801 UDP src: 24.24.146.64 dst: 202.196.64.72 sport: 1028 dport: 137 tgts: 8 ports: 8 event_id: 471

  11/13-05:29:34.449801 UDP src: 24.24.146.64 dst: 202.196.64.73 sport: 1028 dport: 137 tgts: 9 ports: 9 event_id: 471

  11/13-05:29:37.549801 UDP src: 24.24.146.64 dst: 202.196.64.92 sport: 1028 dport: 137 tgts: 10 ports: 10 event_id: 471

  11/13-05:29:41.989801 UDP src: 24.24.146.64 dst: 202.196.64.119 sport: 1028 dport: 137 tgts: 11 ports: 11 event_id: 471

  11/13-05:29:42.139801 UDP src: 24.24.146.64 dst: 202.196.64.120 sport: 1028 dport: 137 tgts: 12 ports: 12 event_id: 471

  这段日志告诉我

  今天早上5点左右,有个IP是24.24.146.64的朋友,在扫描202.196.64网段的共享或者是在使用一些低级的操作系统鉴别工具来鉴别这个网段的操作系统类型(因为高级的系统指纹鉴别系统是不会扫描137端口的)

  详细的分析一条日志吧

  11/13-05:29:27.429801 UDP src: 24.24.146.64 dst: 202.196.64.30 sport: 1028 dport: 137 tgts: 6 ports: 6 event_id: 0

  UDP是使用的协议

  SRC是源IP

  DST是目标IP

  SPORT是源端口

  DPORT是目标端口

  根据上面的内容再结合攻击手段的特征,很容易就可以发现对方在做什么了