Install an IDS based on Suricata + Barnyard 2 + Base in CentOS 6.2


0x00 Preparations

CentOS 6.2 is a minimal installation and uses the 163 (NetEase) yum mirror for updates, so the following dependency packages have to be installed first:

[root@root ~]$ sudo yum install gcc make pcre pcre-devel libpcap libpcap-devel

Disable iptables and ip6tables at the same time:

[root@root ~]$ sudo service iptables stop
[root@root ~]$ sudo service ip6tables stop
[root@root ~]$ sudo chkconfig --level 2345 iptables off
[root@root ~]$ sudo chkconfig --level 2345 ip6tables off

Software to be downloaded:

Suricata: http://www.openinfosecfoundation.org/index.php/downloads
Barnyard 2: http://www.securixlive.com/barnyard2/
Base: http://base.secureideas.net/
yaml: http://pyyaml.org/
adodb: http://sourceforge.net/projects/adodb/
rules: http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Image_Canvas: http://download.pear.php.net/package/Image_Canvas-0.3.3.tgz
Image_Graph: http://download.pear.php.net/package/Image_Graph-0.8.0.tgz

0x01 Configure the APM environment

Base requires an APM (Apache, PHP, MySQL) environment; install it with yum:

[root@root ids]$ sudo yum install httpd php mysql mysql-server mysql-devel php-mysql php-gd php-pear

Start the httpd and mysqld services:

[root@root ids]$ sudo /etc/init.d/httpd start
[root@root ids]$ sudo /etc/init.d/mysqld start

The default web root directory is /var/www/html. Create a phpinfo test file in this directory to check that the configuration is correct.

PS: after MySQL is installed, the password of the root account is blank by default. Set one with the following command:

[root@root ~]$ mysqladmin -uroot -p password [new password]

0x02 Install Barnyard 2

The installation process is as follows:

[root@root ids]$ tar zxvf barnyard2-1.9.tar.gz
[root@root ids]$ cd barnyard2-1.9
[root@root barnyard2-1.9]$ ./configure --with-mysql
[root@root barnyard2-1.9]$ make
[root@root barnyard2-1.9]$ sudo make install

0x03 Install Suricata

Suricata depends on yaml, so install yaml first and then Suricata:

[root@root ids]$ tar zxvf yaml-0.1.4.tar.gz
[root@root ids]$ cd yaml-0.1.4
[root@root yaml-0.1.4]$ ./configure
[root@root yaml-0.1.4]$ make
[root@root yaml-0.1.4]$ sudo make install
[root@root ids]$ tar zxvf suricata-1.1.1.tar.gz
[root@root ids]$ cd suricata-1.1.1
[root@root suricata-1.1.1]$ ./configure
[root@root suricata-1.1.1]$ make
[root@root suricata-1.1.1]$ sudo make install

0x04 Configure Suricata and Barnyard 2

Configure Barnyard 2

Copy etc/barnyard2.conf from the Barnyard 2 source tree to the Suricata configuration directory:

[root@root ids]$ cd barnyard2-1.9
[root@root barnyard2-1.9]$ sudo cp etc/barnyard2.conf /etc/suricata/

Create the barnyard2 log directory /var/log/barnyard2:

[root@root ~]$ sudo mkdir /var/log/barnyard2

Configure the database

You need to create a database and a corresponding account:

[root@root ~]$ mysql -uroot -p
mysql> create database ids;
mysql> grant create,select,update,insert,delete on ids.* to ids@localhost identified by 'ids123';

In the Barnyard 2 source tree, schemas/create_mysql is the SQL file that creates the tables. Create them as follows:

[root@root ~]$ mysql -uids -p -Dids < ids/barnyard2-1.9/schemas/create_mysql

Configure Suricata

Create the Suricata configuration and log directories:

[root@root ~]$ sudo mkdir /var/log/suricata
[root@root ~]$ sudo mkdir /etc/suricata

Copy the rule files to the Suricata configuration directory:

[root@root ids]$ tar zxvf emerging.rules.tar.gz
[root@root ids]$ sudo cp -R rules/ /etc/suricata/

Copy suricata.yaml, classification.config and reference.config from the Suricata source tree to the Suricata configuration directory:

[root@root ids]$ cd suricata-1.1.1
[root@root suricata-1.1.1]$ sudo cp suricata.yaml classification.config reference.config /etc/suricata/

Edit the barnyard2.conf file:

[root@root ~]$ cd /etc/suricata/
[root@root suricata]$ sudo vim barnyard2.conf

Find the following content:

config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

Change it to the following:

config reference_file:      /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file:            /etc/suricata/rules/gen-msg.map
config sid_file:            /etc/suricata/rules/sid-msg.map

Add the following line at the end of the file, filling in the MySQL database name, user and password created above according to your actual setup:

output database: log, mysql, user=ids password=ids123 dbname=ids host=localhost
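Before starting Barnyard 2 it is worth confirming that the four map/config paths and the output database line are consistent, because a wrong path only shows up as a failure at start-up. The following POSIX shell function is an added check written for this article, not code from Barnyard 2 or the original author: it reads a barnyard2.conf, verifies that each file named by the config lines above exists, and verifies that the output database line carries user=, password=, dbname= and host=. The function name, the message wording and the sample configuration written in the usage note are my own.

```sh
#!/bin/sh
# check_barnyard2_conf CONF
# Preflight check for a barnyard2.conf edited as described above.
# Prints one line per problem and returns 0 when everything is in order,
# 1 otherwise. (Added example; not part of Barnyard 2.)
check_barnyard2_conf() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 1
    fi
    # The four "config <key>: <path>" lines must each point at an existing file.
    for key in reference_file classification_file gen_file sid_file; do
        path=$(sed -n "s/^config ${key}:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$conf" | head -n 1)
        if [ -z "$path" ]; then
            echo "missing: config ${key}"
            rc=1
        elif [ ! -f "$path" ]; then
            echo "missing file for ${key}: ${path}"
            rc=1
        fi
    done
    # The database output line must name the account and database it logs to.
    dbline=$(grep '^output database:' "$conf" | head -n 1)
    if [ -z "$dbline" ]; then
        echo "missing: output database line"
        rc=1
    else
        for field in user password dbname host; do
            case " $dbline " in
                *" ${field}="*) ;;
                *) echo "output database line lacks ${field}="; rc=1 ;;
            esac
        done
    fi
    return $rc
}

# Stand-alone usage: sh check_barnyard2_conf.sh /etc/suricata/barnyard2.conf
if [ "$#" -eq 1 ]; then
    check_barnyard2_conf "$1"
fi
```

Run it as root (or with sudo) so the map files under /etc/suricata/rules are readable; a non-zero exit means at least one of the lines edited above still points somewhere that does not exist.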

Edit the suricata.yaml file:

[root@root suricata]$ sudo vim suricata.yaml

Find:

HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

Modify this line according to your actual network. Here I change it to:

HOME_NET: "[192.168.0.0/16]"

Find the following content:

host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd_right: []
  old_linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old_solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Modify it according to the operating systems actually present on your network.

Start Suricata and Barnyard 2:

[root@root ~]$ sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
[root@root ~]$ sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 -D

The -i parameter given to suricata is the NIC that receives the mirrored traffic.

To test whether Suricata is working, run the following command:

[root@root suricata]$ curl www.testmyids.com

After the command runs, the sizes of fast.log, suricata.waldo and the unified2.alert.* files in /var/log/suricata change. Open fast.log; if it contains lines similar to the following, Suricata is working properly:

01/12/2012-02:16:27.964981  [**] [1:2013028:3] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.230.100:56260 -> 217.160.51.31:80
01/12/2012-02:16:28.309707  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80 -> 192.168.230.100:56260

0x05 Configure Base
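Once alerts flow, fast.log is the quickest place to see what the sensor is actually firing on, and a small parser makes it easy to count alerts by priority or find the noisiest signatures before tuning rules. The shell functions below are an added example written for this article (not part of Suricata or the original text): they turn fast.log lines of the format shown above into pipe-separated records and summarise them. The sample file they write is constructed: the two lines above plus two made-up lines, one of which has no [Classification: ...] field, which Suricata omits for rules without a classtype, so the parser has to treat that field as optional.

```sh
#!/bin/sh
# fastlog_parse FILE
# Prints one record per alert line in a Suricata fast.log:
#   timestamp|gid:sid:rev|message|classification|priority|proto|src|dst
# Non-alert lines are ignored; a missing classification is printed as "-".
# (Added example; not part of Suricata.)
fastlog_parse() {
    awk '
    function grab(line, re) {          # substring matched by re, or "" if absent
        if (match(line, re)) return substr(line, RSTART, RLENGTH)
        return ""
    }
    /\[\*\*\]/ {
        ts   = $1
        sig  = grab($0, "\\[[0-9]+:[0-9]+:[0-9]+\\]")
        rest = substr($0, index($0, sig) + length(sig) + 1)   # text after "[gid:sid:rev] "
        msg  = substr(rest, 1, index(rest, " [**]") - 1)
        cls  = grab($0, "\\[Classification: [^]]*\\]")
        pri  = grab($0, "\\[Priority: [0-9]+\\]")
        pro  = grab($0, "[{][A-Za-z0-9]+[}]")
        src = ""; dst = ""
        if (match($0, /[^ ]+ -> [^ ]+$/)) {
            split(substr($0, RSTART, RLENGTH), ep, " -> ")
            src = ep[1]; dst = ep[2]
        }
        gsub(/^\[|\]$/, "", sig)
        if (cls == "") cls = "-"
        else { sub(/^\[Classification: /, "", cls); sub(/\]$/, "", cls) }
        sub(/^\[Priority: /, "", pri); sub(/\]$/, "", pri)
        gsub(/^[{]|[}]$/, "", pro)
        print ts "|" sig "|" msg "|" cls "|" pri "|" pro "|" src "|" dst
    }' "$1"
}

# fastlog_count_priority FILE PRIO: number of alerts whose priority equals PRIO
fastlog_count_priority() {
    fastlog_parse "$1" | awk -F'|' -v p="$2" '$5 == p { n++ } END { print n + 0 }'
}

# fastlog_top_sigs FILE: "count|gid:sid:rev|message", most frequent first
fastlog_top_sigs() {
    fastlog_parse "$1" | awk -F'|' '{ c[$2 "|" $3]++ } END { for (k in c) print c[k] "|" k }' \
        | sort -t'|' -k1,1nr
}

# fastlog_sample: writes a constructed fast.log (the two lines from the article
# plus two made-up ones) to a temp file and prints its path.
fastlog_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
01/12/2012-02:16:27.964981  [**] [1:2013028:3] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.230.100:56260 -> 217.160.51.31:80
01/12/2012-02:16:28.309707  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80 -> 192.168.230.100:56260
01/12/2012-02:17:01.000001  [**] [1:2013028:3] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.230.100:56270 -> 217.160.51.31:80
01/12/2012-02:17:05.000002  [**] [1:9000001:1] LOCAL test rule without classtype [**] [Priority: 3] {UDP} 192.168.230.100:40000 -> 192.168.230.1:53
EOF
    echo "$f"
}

# Stand-alone usage: sh fastlog.sh /var/log/suricata/fast.log
if [ "$#" -eq 1 ]; then
    echo "priority 1 alerts: $(fastlog_count_priority "$1" 1)"
    echo "top signatures:"
    fastlog_top_sigs "$1" | head -n 10
fi
```

Running fastlog_top_sigs on the real fast.log after a day of traffic is a direct way to find the signatures that deserve tuning in the rules directory, which is the point the closing section makes about rule quality.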

Base uses the adodb, Image_Canvas and Image_Graph components for database access and graphing. The configuration process is as follows:

Decompress adodb514.zip:

[root@root ids]$ unzip adodb514.zip

Copy adodb5 to the /usr/local/lib/ directory. This location is arbitrary; note it down, because the Base setup page asks for it later.

[root@root ids]$ sudo cp -R adodb5 /usr/local/lib/

Install Image_Canvas and Image_Graph:

[root@root ids]$ sudo pear install Image_Canvas-0.3.3.tgz
[root@root ids]$ sudo pear install Image_Graph-0.8.0.tgz

Decompress base-1.4.5.tar.gz:

[root@root ids]$ tar zxvf base-1.4.5.tar.gz

Copy base-1.4.5 to the /var/www/html directory:

[root@root ids]$ sudo cp -R base-1.4.5 /var/www/html/base

Change the owner of /var/www/html/base to apache:

[root@root ids]$ cd /var/www/html/
[root@root html]$ sudo chown -R apache:apache base

Then open http://192.168.230.100/base in a browser.


Follow the prompts highlighted on the setup page.

Modify php.ini:

[root@root html]$ sudo vim /etc/php.ini

Find:

error_reporting = E_ALL & ~E_DEPRECATED

and change it to:

error_reporting = E_ALL & ~E_DEPRECATED & ~E_NOTICE

Reload the Apache configuration:

[root@root html]$ sudo /etc/init.d/httpd reload

Then click "Continue".

Select the language and the path of the adodb5 directory copied earlier, then click "Continue".

Enter the MySQL information and click "Continue".

Enter the authentication information. If logins should be required, check "Use Authentication System", then click "Continue".

Click "Create BASE AG".

Click "step 5" to go to the homepage.


0x06 Closing remarks

That is the entire installation process. The value of an IDS lies in whether its rules are set up properly; only when rules are tuned to the actual environment does the IDS show its strength. For more on rule settings, see the following article.
