Detailed installation of a Snort-based intrusion detection system on Windows


Preface: Recently the company network has kept running into small problems now and then, so I set up a few traffic-monitoring servers to monitor and analyze it, and I have also been following network security topics. I saw that Snort IDS is open-source software and suddenly wanted to learn about it, which gave me the idea of setting up a Snort IDS on Windows. The following content draws on material found online.

1. Software preparation

Apache, PHP, MySQL, WinPcap, Snort, ACID, ADOdb, JpGraph, etc.

2. Software installation

Windows platform: Windows XP SP3

(1) Installing Apache

Click Next through the installer; the specific configuration is shown in the figure below:

After installation, verify that the web service is running normally.

(2) Installing MySQL

(3) Installing PHP

Extract the PHP archive to drive C and name the folder php.

Copy c:\php\php.ini-dist to c:\windows and rename it php.ini.

Copy c:\php\php5ts.dll and c:\php\libmysql.dll to c:\windows\system32, and copy c:\php\ext\php_gd2.dll to c:\windows\system32 as well.

Edit the Apache configuration file c:\apache\conf\httpd.conf and add:

LoadModule php5_module c:/php/php5apache2_2.dll

AddType application/x-httpd-php .php

Restart the Apache service.

Create test.php under c:\apache\htdocs\ with the following content:

<?php
phpinfo();
?>

Open http://x.x.x.x/test.php to verify that PHP works.

In c:\windows\php.ini set extension_dir = "c:\php\ext"

Remove the leading ";" from extension=php_gd2.dll and from extension=php_mysql.dll, then restart the Apache service.

Verify that PHP supports MySQL and the GD library.

(4) Installing WinPcap: follow the installation wizard.

(5) Installing Snort: follow the installation wizard.

(6) Copy create_mysql from C:\Snort\schemas to C:\mysql\bin to create the databases Snort needs.

Run source create_mysql in the mysql client to create the snort and snort_archive databases.

(7) Extract the ACID, ADOdb and JpGraph archives and copy them to C:\apache\htdocs, as shown in the figure.

Edit the acid_conf.php file:

$DBlib_path = "c:\apache\htdocs\adodb";

$alert_dbname = "snort";

$alert_host = "localhost";

$alert_port = "3306";

$alert_user = "root";

$alert_password = "password";

/* Archive DB connection parameters */

$archive_dbname = "snort_archive";

$archive_host = "localhost";

$archive_port = "3306";

$archive_user = "root";

$archive_password = "password";

$ChartLib_path = "c:\apache\htdocs\jpgraph\src";
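The acid_conf.php settings above connect the console to MySQL as root with a placeholder password, which is fine for a first lab build but is exactly what a reviewer should catch before the console faces a real network. The script below is an added example, not part of the original walkthrough and not ACID's own code: it reads the simple `$name = "value";` assignments from an acid_conf.php and reports the settings worth questioning (root as the database user, an empty or well-known default password, a database host other than the local machine, identical alert and archive database names, missing library paths). The embedded configuration text is constructed from the settings shown above, and the list of weak passwords is my own.

```python
import re
from typing import Dict, List

# Constructed sample: the acid_conf.php settings listed in the walkthrough.
SAMPLE_ACID_CONF = r'''
$DBlib_path = "c:\apache\htdocs\adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "3306";
$alert_user = "root";
$alert_password = "password";
/* Archive DB connection parameters */
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "3306";
$archive_user = "root";
$archive_password = "password";
$ChartLib_path = "c:\apache\htdocs\jpgraph\src";
'''

# Values that should not be accepted as a console database password (my own short list).
WEAK_PASSWORDS = {"", "password", "snort", "root", "admin", "123456"}

# Matches the simple string assignments ACID reads: $name = "value";
_ASSIGNMENT = re.compile(r'^\s*\$(\w+)\s*=\s*"([^"]*)"\s*;')


def parse_acid_conf(text: str) -> Dict[str, str]:
    """Collect $name = "value"; assignments; comments and other PHP are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        match = _ASSIGNMENT.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_acid_conf(text: str) -> List[str]:
    """Return review findings for the alert and archive database settings."""
    s = parse_acid_conf(text)
    findings: List[str] = []
    for role in ("alert", "archive"):
        dbname = s.get(role + "_dbname", "")
        user = s.get(role + "_user", "")
        password = s.get(role + "_password", "")
        host = s.get(role + "_host", "")
        port = s.get(role + "_port", "")
        if user == "root":
            findings.append(f"{role}: the console logs in as MySQL root; "
                            f"use a dedicated least-privilege user for {dbname}")
        if password.lower() in WEAK_PASSWORDS:
            findings.append(f"{role}: password is empty or a well-known default")
        if host not in ("localhost", "127.0.0.1"):
            findings.append(f"{role}: database host {host!r} is not local, "
                            "so the credentials and alert data cross the network")
        if not port.isdigit():
            findings.append(f"{role}: port {port!r} is not numeric")
    if s.get("alert_dbname") and s.get("alert_dbname") == s.get("archive_dbname"):
        findings.append("alert and archive settings name the same database; "
                        "archiving needs a separate one")
    for key in ("DBlib_path", "ChartLib_path"):
        if not s.get(key):
            findings.append(f"{key} is not set; ACID cannot load ADOdb/JpGraph")
    return findings


if __name__ == "__main__":
    for finding in check_acid_conf(SAMPLE_ACID_CONF):
        print(finding)
```

Run against the settings shown above it reports four findings (root user and default password for both the alert and the archive connection); a configuration with a dedicated user and a real password passes cleanly. The parser deliberately only understands plain double-quoted string assignments, which is all acid_conf.php uses for these settings.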

(8) Extract the snortrules package and copy it into the Snort installation directory.

Edit c:\snort\etc\snort.conf as follows:

# monitored network segments
var HOME_NET [192.168.12.0/23,192.168.14.0/23]

# rules directory
var RULE_PATH c:\snort\rules

# dynamic preprocessor library paths
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
dynamicpreprocessor file c:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll

# comment out the dynamic detection libraries

# dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so

# dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so

# output plugin: database type, user name, password, database name, etc.
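The snort.conf edits in this section are easy to get subtly wrong: a HOME_NET entry whose host bits are set, a preprocessor DLL path that points nowhere, or a dynamicdetection line left uncommented that still references a Linux .so file, so Snort either refuses to start or, worse, starts without the coverage you expect. The following Python script is an added example (not from the original document and not part of the Snort project) that reads a snort.conf fragment and reports those problems. The embedded configuration is constructed from the directives above, condensed, with one dynamicdetection line deliberately left uncommented; `_stub_exists` is a constructed stand-in for os.path.exists so the sample runs on a machine without Snort installed, and in real use you would simply call check_snort_conf with the file contents and the default.

```python
import ipaddress
import os
from typing import Callable, List

# Constructed sample: the snort.conf directives from this walkthrough, condensed,
# with the last dynamicdetection line deliberately left uncommented so the
# checker has something to report.
SAMPLE_SNORT_CONF = r"""
var HOME_NET [192.168.12.0/23,192.168.14.0/23]
var EXTERNAL_NET !$HOME_NET
var RULE_PATH c:\snort\rules
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
# dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so
"""

LIBRARY_DIRECTIVES = ("dynamicpreprocessor", "dynamicengine", "dynamicdetection")


def _check_home_net(value: str, lineno: int) -> List[str]:
    """Validate each CIDR in a HOME_NET value such as [a/24,!b/16] or a single network."""
    if value.lower() == "any":
        return [f"line {lineno}: HOME_NET is 'any'; rules written against $HOME_NET "
                "can no longer tell inbound from outbound traffic"]
    findings: List[str] = []
    for entry in value.strip("[]").split(","):
        entry = entry.strip().lstrip("!")  # '!' negates an entry; validate the network itself
        if not entry:
            continue
        try:
            # strict=True rejects e.g. 192.168.13.0/23, whose host bits are set
            ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            findings.append(f"line {lineno}: HOME_NET entry {entry!r} is invalid ({exc})")
    return findings


def check_snort_conf(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return findings for the var and dynamic* directives in a snort.conf text."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or commented out like the Linux .so lines above
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "var" and len(parts) >= 3:
            name, value = parts[1], " ".join(parts[2:])
            if name == "HOME_NET":
                findings.extend(_check_home_net(value, lineno))
            elif name == "RULE_PATH" and not exists(value):
                findings.append(f"line {lineno}: RULE_PATH {value} does not exist")
        elif keyword in LIBRARY_DIRECTIVES:
            # forms: 'dynamicpreprocessor file PATH', 'dynamicdetection directory PATH',
            # 'dynamicengine PATH'; the library path is always the last token
            path = parts[-1]
            if path.startswith("/") or path.lower().endswith(".so"):
                findings.append(f"line {lineno}: {keyword} references a Unix library {path}; "
                                "on Windows point it at a .dll or comment the line out")
            elif not exists(path):
                findings.append(f"line {lineno}: {keyword} library {path} was not found")
    return findings


def _stub_exists(path: str) -> bool:
    # Constructed stand-in for os.path.exists: pretend the DLLs and the rules
    # directory named in the walkthrough are installed, so the sample runs anywhere.
    return path.lower().endswith(".dll") or path.lower() == r"c:\snort\rules"


if __name__ == "__main__":
    for finding in check_snort_conf(SAMPLE_SNORT_CONF, _stub_exists):
        print(finding)
```

On the embedded sample the only finding is the uncommented web-misc.so line; the commented copy of exploit.so just above it is skipped, which is the point of the "comment out the dynamic detection libraries" step. Passing os.path.exists instead of the stub turns the same script into a pre-flight check for the real c:\snort\etc\snort.conf.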