
Install Snort Inline on Centos

Install Snort Inline on Centos

snort

[root@server3 ~]# wget -O snort_inline-2.8.2.1-RC1.tar.gz 'http://downloads.sourceforge.net/project/snort-inline/snort_inline%20source%20%282.8.x%29/snort_inline-2.8.2.1-RC1/snort_inline-2.8.2.1-RC1.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fsnort-inline%2F&ts=1417143676&use_mirror=nchc'
[root@server3 ~]# tar zxvf snort_inline-2.8.2.1-RC1.tar.gz

[root@server3 ~]# mkdir /etc/snort_inline
[root@server3 ~]# mkdir /etc/snort_inline/rules

[root@server3 ~]# cp snort_inline-2.8.2.1-RC1/etc/* /etc/snort_inline/
[root@server3 ~]# vi /etc/snort_inline/snort_inline.conf

Find row:

# Path to your rules files (this can be a relative path)
#var RULE_PATH /etc/snort_inline/drop-rules

Replace with:
var RULE_PATH /etc/snort_inline/rules

[root@server3 ~]# cd snort_inline-2.8.2.1-RC1/etc
[root@server3 etc]# cp classification.config /etc/snort_inline/rules/
[root@server3 etc]# cp reference.config /etc/snort_inline/rules/

[root@server3 etc]# mkdir /var/log/snort_inline

[root@server3 ~]# yum -y install mysql-server libpcap-devel

[root@server3 ~]# /etc/init.d/mysqld start
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h server3.centos.hva password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at

http://www.mysql.com

Support MySQL by buying support/licenses at http://shop.mysql.com
[ OK ] Starting MySQL: [ OK ]

Set the MySQL root password (note: a password given on the command line, as below, ends up in the shell history and is visible in the process list while the command runs; mysql_secure_installation, mentioned above, prompts for it instead)
[root@server3 ~]# mysqladmin -u root password centos

Example: here "centos" is the password.

[root@server3 ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database snort;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on snort.* to snortuser@localhost identified by 'snort';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit

[root@server3 ~]# mysql -u root -p snort < snort_inline-2.8.2.1-RC1/schemas/create_mysql
Enter password:

[root@server3 ~]# vi /etc/snort_inline/snort_inline.conf

Find the line "output alert_fast: snort_inline-fast" and add after it:
output database: log, mysql, user=snortuser password=snort dbname=snort host=localhost
(This stores the database password in clear text in the config file, so keep /etc/snort_inline/snort_inline.conf readable by root only.)

checking for pcap_datalink in -lpcap… no

ERROR! Libpcap library/headers not found, go get it from

http://www.tcpdump.org

or use the --with-libpcap-* options, if you have it installed
in unusual place

[root@server3 ~]# wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
[root@server3 ~]# tar zxvf libpcap-1.1.1.tar.gz
[root@server3 ~]# cd libpcap-1.1.1
[root@server3 libpcap-1.1.1]# ./configure
[root@server3 libpcap-1.1.1]# make
[root@server3 libpcap-1.1.1]# make install

ERROR! Libpcre header not found, go get it from

http://www.pcre.org

[root@server3 snort_inline-2.8.2.1-RC1]# cd

[root@server3 ~]# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.02.tar.gz
[root@server3 ~]# tar zxvf pcre-8.02.tar.gz
[root@server3 ~]# cd pcre-8.02
[root@server3 pcre-8.02]# ./configure

[root@server3 pcre-8.02]# make
[root@server3 pcre-8.02]# make install

**********************************************
ERROR: unable to find mysql headers (mysql.h)
checked in the following places
/usr/include
/usr/include/mysql
/usr/local/include
/usr/local/include/mysql
**********************************************

[root@server3]# yum install mysql-devel

[root@server3 snort_inline-2.8.2.1-RC1]# yum install mysql-devel

./configure: line 24184: dnet-config: command not found
./configure: line 24186: dnet-config: command not found
checking libipq.h usability… no
checking libipq.h presence… no
checking for libipq.h… no
configure: error: libipq.h not found …

# yum install iptables-devel

checking dnet.h presence… no
checking for dnet.h… no

ERROR! Libdnet header not found, go get it from
http://libdnet.sourceforge.net or use the --with-dnet-*
options, if you have it installed in an unusual place

[root@server3 ~]# wget -O libdnet-1.11.tar.gz 'http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?use_mirror=nchc'
[root@server3 ~]# tar zxvf libdnet-1.11.tar.gz
[root@server3 ~]# cd libdnet-1.11
[root@server3 libdnet-1.11]# ./configure
[root@server3 libdnet-1.11]# make
[root@server3 libdnet-1.11]# make install

[root@server3 snort_inline-2.8.2.1-RC1]# ./configure --with-mysql
[root@server3 snort_inline-2.8.2.1-RC1]# make
[root@server3 snort_inline-2.8.2.1-RC1]# make install

[root@server3 ~]# snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode
InitInline: : Failed to send netlink message: Connection refused

[root@server3 ~]# modprobe ip_queue
[root@server3 ~]# lsmod | grep ip_queue
ip_queue 14561 0

[root@server3 ~]# iptables -A INPUT -j QUEUE

[root@server3 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@server3 ~]# ps -ef | grep snort_inline
root 3163 2989 0 15:23 pts/0 00:00:00 grep snort_inline

[root@server3 ~]# vi /etc/init.d/snort_inlined

#!/bin/bash
#
# snort_inline

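start(){
  # Start daemons.
  # snort_inline -Q reads packets from the ip_queue module; without it the
  # daemon aborts with "Failed to send netlink message", so load it first.
  printf 'Starting ip_queue module:\n'
  lsmod | grep -qw ip_queue || /sbin/modprobe ip_queue
  #
  printf 'Starting iptables rules:\n'
  # iptables traffic sent to the QUEUE:
  # accept internal localhost connections
  iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
  iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
  # send all the incoming, outgoing and forwarding traffic to the QUEUE
  # NOTE: -A appends, so running start twice without stop duplicates these
  # rules (stop's flush clears them all). Until snort_inline is up, queued
  # packets have no reader -- presumably dropped, i.e. the host fails closed.
  iptables -A INPUT -j QUEUE
  iptables -A FORWARD -j QUEUE
  iptables -A OUTPUT -j QUEUE
  # Start Snort_inline
  printf 'Starting snort_inline: \n'
  # -Q -> process the queued traffic
  # -D -> run as a daemon
  # -v -> verbose
  # -l -> log path
  # -c -> config path
  if ! /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -D -v \
      -l /var/log/snort_inline; then
    # The QUEUE rules are already installed at this point; say so loudly so
    # the operator notices traffic is being queued with nothing inspecting it.
    printf 'snort_inline failed to start\n' >&2
    return 1
  fi
}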

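stop() {
  # Stop daemons.
  # Stop Snort_Inline
  # printf 'Shutting down snort_inline: \n'
  killall snort_inline
  # Remove all the iptables rules and
  # set the default Netfilter policies to accept
  printf 'Removing iptables rules:\n'
  # -F flushes *every* rule in the filter table, not only the ones start()
  # added, and the -P lines below leave the host with no packet filtering at
  # all once snort_inline is gone. On a host that carries other firewall
  # rules, replace -F with targeted `iptables -D ...` of the rules start()
  # installs and leave the policies alone.
  iptables -F
  # -F -> flush iptables
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  # -P -> default policy
}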

restart(){
  # Full cycle: tear the daemon and its iptables rules down first, then
  # bring everything back up with start().
  stop; start
}

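# Dispatch on the requested action; "$1" must be quoted with plain double
# quotes or the start/stop/restart arms never match.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  *)
    # Unknown or missing action: usage goes to stderr, exit non-zero.
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 1
    ;;
esac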

[root@server3 ~]# chmod 755 /etc/init.d/snort_inlined
[root@server3 ~]# /etc/init.d/snort_inlined restart

 

[root@server3 ~]# snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode

--== Initializing Snort ==--
Initializing Output Plugins!
