Monday, 27 March 2017

Install Snort Inline on Centos

[root@server3 ~]# wget http://downloads.sourceforge.net/project/snort-inline/snort_inline%20source%20%282.8.x%29/snort_inline-2.8.2.1-RC1/snort_inline-2.8.2.1-RC1.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fsnort-inline%2F&ts=1417143676&use_mirror=nchc
[root@server3 ~]# tar zxvf snort_inline-2.8.2.1-RC1.tar.gz

[root@server3 ~]# mkdir /etc/snort_inline
[root@server3 ~]# mkdir /etc/snort_inline/rules

[root@server3 ~]# cp snort_inline-2.8.2.1-RC1/etc/* /etc/snort_inline/
[root@server3 ~]# vi /etc/snort_inline/snort_inline.conf

Find row:

# Path to your rules files (this can be a relative path)
#var RULE_PATH /etc/snort_inline/drop-rules

Replace with:
var RULE_PATH /etc/snort_inline/rules

[root@server3 ~]# cd snort_inline-2.8.2.1-RC1/etc
[root@server3 etc]# cp classification.config /etc/snort_inline/rules/
[root@server3 etc]# cp reference.config /etc/snort_inline/rules/

[root@server3 etc]# mkdir /var/log/snort_inline

[root@server3 ~]# yum -y install mysql-server libpcap-devel

[root@server3 ~]# /etc/init.d/mysqld start
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h server3.centos.hva password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at

http://www.mysql.com

Support MySQL by buying support/licenses at http://shop.mysql.com
[ OK ] Starting MySQL: [ OK ]

Set the MySQL root password:
[root@server3 ~]# mysqladmin -u root password centos

Example: centos is the password

[root@server3 ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database snort;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on snort.* to snortuser@localhost identified by 'snort';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit

[root@server3 ~]# mysql -u root -p snort < snort_inline-2.8.2.1-RC1/schemas/create_mysql
Enter password:

[root@server3 ~]# vi /etc/snort_inline/snort_inline.conf

Find the line "output alert_fast: snort_inline-fast" and add after it:
output database: log, mysql, user=snortuser password=snort dbname=snort host=localhost
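The two edits to snort_inline.conf above (the RULE_PATH line and the MySQL output plugin) are done by hand in vi. The script below is an added example, not part of the original post, that applies the same two edits with sed so they can be repeated on a rebuilt box, refuses to duplicate them on a second run, and then verifies the result. Because the file now carries the database password, it is also made readable by root only. The function names are this example's own; the paths, user name, password and database name are the ones used in the post, and the three-line sample config it runs against is constructed here to stand in for the stock file.

```shell
#!/bin/sh
# Added example: apply and verify the snort_inline.conf edits from the post.
# Values below are the post's own; the functions are this example's.

RULE_PATH_LINE='var RULE_PATH /etc/snort_inline/rules'
DB_OUTPUT_LINE='output database: log, mysql, user=snortuser password=snort dbname=snort host=localhost'

# configure_conf FILE: set RULE_PATH and add the database output line once.
configure_conf() {
    conf="$1"
    # Replace any RULE_PATH definition, commented out or not; append if absent.
    if grep -q '^#*var RULE_PATH ' "$conf"; then
        sed -i "s|^#*var RULE_PATH .*|$RULE_PATH_LINE|" "$conf"
    else
        printf '%s\n' "$RULE_PATH_LINE" >> "$conf"
    fi
    # Add the database output only if it is not already there, right after alert_fast.
    if ! grep -qF "$DB_OUTPUT_LINE" "$conf"; then
        if grep -q '^output alert_fast:' "$conf"; then
            sed -i "/^output alert_fast:/a\\
$DB_OUTPUT_LINE" "$conf"
        else
            printf '%s\n' "$DB_OUTPUT_LINE" >> "$conf"
        fi
    fi
    # The file now holds a database password: owner read/write only.
    chmod 600 "$conf"
}

# verify_conf FILE: succeed only if both lines appear exactly once and the mode is 600.
verify_conf() {
    conf="$1"
    [ "$(grep -c "^$RULE_PATH_LINE\$" "$conf")" -eq 1 ] || return 1
    [ "$(grep -cF "$DB_OUTPUT_LINE" "$conf")" -eq 1 ] || return 1
    case "$(ls -l "$conf")" in
        -rw-------*) ;;
        *) return 1 ;;
    esac
}

# Constructed stand-in for the fragments of the stock snort_inline.conf the post edits.
make_sample_conf() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
# Path to your rules files (this can be a relative path)
#var RULE_PATH /etc/snort_inline/drop-rules
output alert_fast: snort_inline-fast
EOF
    printf '%s\n' "$tmp"
}

demo() {
    f="$(make_sample_conf)"
    configure_conf "$f"
    configure_conf "$f"   # a second run must not duplicate either line
    if verify_conf "$f"; then echo "config OK"; else echo "config BAD"; fi
    cat "$f"
    rm -f "$f"
}

# With no argument, run against the constructed sample; otherwise edit the given file.
if [ -z "${1:-}" ]; then
    demo
else
    configure_conf "$1" && verify_conf "$1" && echo "config OK: $1"
fi
```

Run it as `sh configure_snort_inline.sh /etc/snort_inline/snort_inline.conf` on the real box; without an argument it only exercises the constructed sample in a temp file.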

checking for pcap_datalink in -lpcap... no

ERROR! Libpcap library/headers not found, go get it from

http://www.tcpdump.org

or use the --with-libpcap-* options, if you have it installed
in unusual place

[root@server3 ~]# wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
[root@server3 ~]# tar zxvf libpcap-1.1.1.tar.gz
[root@server3 ~]# cd libpcap-1.1.1
[root@server3 libpcap-1.1.1]# ./configure
[root@server3 libpcap-1.1.1]# make
[root@server3 libpcap-1.1.1]# make install

ERROR! Libpcre header not found, go get it from

http://www.pcre.org

[root@server3 snort_inline-2.8.2.1-RC1]# cd

[root@server3 ~]# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.02.tar.gz
[root@server3 ~]# tar zxvf pcre-8.02.tar.gz
[root@server3 ~]# cd pcre-8.02
[root@server3 pcre-8.02]# ./configure

[root@server3 pcre-8.02]# make
[root@server3 pcre-8.02]# make install

**********************************************
ERROR: unable to find mysql headers (mysql.h)
checked in the following places
/usr/include
/usr/include/mysql
/usr/local/include
/usr/local/include/mysql
**********************************************

[root@server3 snort_inline-2.8.2.1-RC1]# yum install mysql-devel

./configure: line 24184: dnet-config: command not found
./configure: line 24186: dnet-config: command not found
checking libipq.h usability... no
checking libipq.h presence... no
checking for libipq.h... no
configure: error: libipq.h not found ...

# yum install iptables-devel

checking dnet.h presence... no
checking for dnet.h... no

ERROR! Libdnet header not found, go get it from
http://libdnet.sourceforge.net or use the --with-dnet-*
options, if you have it installed in an unusual place

[root@server3 ~]# wget http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?use_mirror=nchc
[root@server3 ~]# tar zxvf libdnet-1.11.tar.gz
[root@server3 ~]# cd libdnet-1.11
[root@server3 libdnet-1.11]# ./configure
[root@server3 libdnet-1.11]# make
[root@server3 libdnet-1.11]# make install

[root@server3 snort_inline-2.8.2.1-RC1]# ./configure --with-mysql
[root@server3 snort_inline-2.8.2.1-RC1]# make
[root@server3 snort_inline-2.8.2.1-RC1]# make install

[root@server3 ~]# snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode
InitInline: : Failed to send netlink message: Connection refused

[root@server3 ~]# modprobe ip_queue
[root@server3 ~]# lsmod | grep ip_queue
ip_queue 14561 0

[root@server3 ~]# iptables -A INPUT -j QUEUE

[root@server3 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@server3 ~]# ps -ef | grep snort_inline
root 3163 2989 0 15:23 pts/0 00:00:00 grep snort_inline

[root@server3 ~]# vi /etc/init.d/snort_inlined
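The three checks run by hand above (lsmod for the ip_queue module, iptables -L for the QUEUE rules, ps for the snort_inline process) are what tells you whether traffic is actually being inspected: with ip_queue, packets sent to QUEUE are dropped when no userspace process is bound to it, and without the QUEUE rules snort_inline sees nothing. Note that the iptables listing shown above contains no QUEUE target in any chain even though the rule was just added, which is exactly the condition worth flagging. The script below is an added example, not part of the original post: it parses the output of those same three commands and reports what is missing. The parsers read text on stdin so they can be run against captured output; the function names are this example's own, and the sample outputs in the test are constructed from the listings shown on this page.

```shell
#!/bin/sh
# Added example: status check for the snort_inline/ip_queue setup from the post.
# Function names are this example's own.

# Print every chain in "iptables -L" output that has no QUEUE target.
chains_without_queue() {
    awk '
        /^Chain / { if (chain != "" && !seen) print chain; chain = $2; seen = 0 }
        $1 == "QUEUE" { seen = 1 }
        END { if (chain != "" && !seen) print chain }
    '
}

# Succeed if "lsmod" output lists the ip_queue module.
ip_queue_loaded() {
    awk '$1 == "ip_queue" { found = 1 } END { exit !found }'
}

# Succeed if "ps -ef" output shows a snort_inline process (the grep itself does not count,
# because its command word is "grep", not snort_inline).
snort_inline_running() {
    awk '$8 ~ /(^|\/)snort_inline$/ { found = 1 } END { exit !found }'
}

# Run the live checks; return 0 only when module, rules and process are all present.
check_inline() {
    rc=0
    if ! lsmod | ip_queue_loaded; then
        echo "ip_queue module not loaded"; rc=1
    fi
    missing="$(iptables -L -n 2>/dev/null | chains_without_queue)"
    if [ -n "$missing" ]; then
        echo "no QUEUE rule in chain(s):" $missing; rc=1
    fi
    if ! ps -ef | snort_inline_running; then
        echo "snort_inline is not running"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "inline inspection active"
    return "$rc"
}

# Only touch the live system when asked to, so the parsers can be exercised offline.
if [ "${1:-}" = "live" ]; then
    check_inline
fi
```

Run `sh check_inline.sh live` after `/etc/init.d/snort_inlined start`; a non-zero exit with one of the three messages tells you which of the post's steps did not take.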

#!/bin/bash
#
# snort_inline

start(){
# Start daemons.
echo "Starting ip_queue module:"
lsmod | grep ip_queue >/dev/null || /sbin/modprobe ip_queue;
#
echo "Starting iptables rules:"
# iptables traffic sent to the QUEUE:
# accept internal localhost connections
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# send all the incoming, outgoing and forwarding traffic to the QUEUE
iptables -A INPUT -j QUEUE
iptables -A FORWARD -j QUEUE
iptables -A OUTPUT -j QUEUE
# Start Snort_inline
echo "Starting snort_inline: "
/usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -D -v \
-l /var/log/snort_inline
# -Q -> process the queued traffic
# -D -> run as a daemon
# -v -> verbose
# -l -> log path
# -c -> config path
}

stop() {
# Stop daemons.
# Stop Snort_Inline
# echo "Shutting down snort_inline: "
killall snort_inline
# Remove all the iptables rules and
# set the default Netfilter policies to accept
echo "Removing iptables rules:"
iptables -F
# -F -> flush iptables
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# -P -> default policy
}

restart(){
stop
start
}

case "$1" in

start)
start
;;

stop)
stop
;;

restart)
restart
;;
*)
echo $"Usage: $0 {start|stop|restart}"
exit 1
esac

exit 0

[root@server3 ~]# chmod 755 /etc/init.d/snort_inlined
[root@server3 ~]# /etc/init.d/snort_inlined restart

[root@server3 ~]# snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode

--== Initializing Snort ==--
Initializing Output Plugins!

About Nguyễn Thanh Sơn
Network Security, Web Design, Computer Science