0x00 preparations
CentOS 6.2 was set up as a minimal installation, with the 163 yum mirror used for updates. The following dependency packages are therefore needed:
[root@root ~]$ sudo yum install gcc make pcre pcre-devel libpcap libpcap-devel
Also stop iptables and ip6tables and disable them at boot:
[root@root ~]$ sudo service iptables stop
[root@root ~]$ sudo service ip6tables stop
[root@root ~]$ sudo chkconfig --level 2345 iptables off
[root@root ~]$ sudo chkconfig --level 2345 ip6tables off
Software to be downloaded:
Suricata: http://www.openinfosecfoundation.org/index.php/downloads
Barnyard 2: http://www.securixlive.com/barnyard2/
Base: http://base.secureideas.net/
yaml: http://pyyaml.org/
adodb: http://sourceforge.net/projects/adodb/
rules: http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Image_Canvas: http://download.pear.php.net/package/Image_Canvas-0.3.3.tgz
Image_Graph: http://download.pear.php.net/package/Image_Graph-0.8.0.tgz
0x01 configure the APM Environment
Base requires an APM (Apache, PHP, MySQL) environment, installed here with yum:
[root@root ids]$ sudo yum install httpd php mysql mysql-server mysql-devel php-mysql php-gd php-pear
Start the httpd and mysqld services:
[root@root ids]$ sudo /etc/init.d/httpd start
[root@root ids]$ sudo /etc/init.d/mysqld start
The default web root directory is /var/www/html. Create a phpinfo test file in this directory to check that the configuration is correct.
PS: After MySQL is installed, the root account has an empty password. You can set a password for the root account with the following command:
[root@root ~]$ mysqladmin -uroot -p password [new password]
0x02 install Barnyard 2
The installation process is as follows:
[root@root ids]$ tar zxvf barnyard2-1.9.tar.gz
[root@root ids]$ cd barnyard2-1.9
[root@root barnyard2-1.9]$ ./configure --with-mysql
[root@root barnyard2-1.9]$ make
[root@root barnyard2-1.9]$ sudo make install
0x03 install Suricata
The installation process is as follows:
Suricata depends on yaml, so install yaml first:
[root@root ids]$ tar zxvf yaml-0.1.4.tar.gz
[root@root ids]$ cd yaml-0.1.4
[root@root yaml-0.1.4]$ ./configure
[root@root yaml-0.1.4]$ make
[root@root yaml-0.1.4]$ sudo make install
Then build and install Suricata itself:
[root@root ids]$ tar zxvf suricata-1.1.1.tar.gz
[root@root ids]$ cd suricata-1.1.1
[root@root suricata-1.1.1]$ ./configure
[root@root suricata-1.1.1]$ make
[root@root suricata-1.1.1]$ sudo make install
0x04 configure Suricata and Barnyard 2
Configure Barnyard 2
Copy etc/barnyard2.conf from the Barnyard 2 source tree to the Suricata configuration directory:
[root@root ids]$ cd barnyard2-1.9
[root@root barnyard2-1.9]$ sudo cp etc/barnyard2.conf /etc/suricata/
Create the barnyard2 log directory /var/log/barnyard2:
[root@root ~]$ sudo mkdir /var/log/barnyard2
Configure the database
Create the database and an account for it:
[root@root ~]$ mysql -uroot -p
mysql> create database ids;
mysql> grant create,select,update,insert,delete on ids.* to ids@localhost identified by 'ids123';
In the Barnyard 2 source tree, schemas/create_mysql is the SQL script that creates the tables. Load it as follows:
[root@root ~]$ mysql -uids -p -Dids < ids/barnyard2-1.9/schemas/create_mysql
Configure Suricata
Create the Suricata configuration and log directories:
[root@root ~]$ sudo mkdir /var/log/suricata
[root@root ~]$ sudo mkdir /etc/suricata
Copy the rule files to the Suricata configuration directory:
[root@root ids]$ tar zxvf emerging.rules.tar.gz
[root@root ids]$ sudo cp -R rules/ /etc/suricata/
Copy suricata.yaml, classification.config and reference.config from the Suricata source tree to the Suricata configuration directory:
[root@root ids]$ cd suricata-1.1.1
[root@root suricata-1.1.1]$ sudo cp suricata.yaml classification.config reference.config /etc/suricata/
Edit the barnyard2.conf file
[root@root ~]$ cd /etc/suricata/
[root@root suricata]$ sudo vim barnyard2.conf
Find the following lines:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Change them to:
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
Add the following line at the end of the file, substituting your own MySQL database name, account and password:
output database: log, mysql, user=ids password=ids123 dbname=ids host=localhost
Edit the suricata.yaml file
[root@root suricata]$ sudo vim suricata.yaml
Find the line
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
Modify this line to match your own network. Here I change it to:
HOME_NET: "[192.168.0.0/16]"
Find the following block:
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd_right: []
  old_linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old_solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
Adjust these entries to match the operating systems actually present on your network.
Start Suricata and Barnyard 2
[root@root ~]$ sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
[root@root ~]$ sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 -D
The -i parameter passed to suricata is the NIC that receives the mirrored traffic.
To test whether suricata works properly, run the following command:
[root@root suricata]$ curl www.testmyids.com
After running it, the sizes of fast.log, suricata.waldo and unified2.alert.* in /var/log/suricata should change. If fast.log contains lines similar to the following, Suricata is working properly:
01/12/2012-02:16:27.964981 [**] [1:2013028:3] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.230.100:56260 -> 217.160.51.31:80
01/12/2012-02:16:28.309707 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80 -> 192.168.230.100:56260
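As an added example (not code from the original article), here is a small Python parser for the fast.log line format shown above; it also classifies each alert as inbound or outbound relative to the HOME_NET value set in suricata.yaml earlier, which is the first thing an analyst wants to know about a hit. The sample log is constructed from the two alerts above plus one malformed line to show it is skipped.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# One Suricata fast.log record in the one-line form shown above. The
# Classification field is optional: rules without a classtype omit it.
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)
INT_FIELDS = ("gid", "sid", "rev", "prio", "sport", "dport")
HOME_NET = [ip_network("192.168.0.0/16")]  # same value as HOME_NET in suricata.yaml above

def parse_fast_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one fast.log line into a dict; return None for non-alert lines."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:  # ports stay None for protocols that carry none
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_fast_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse every well-formed alert; blank or malformed lines are skipped."""
    return [r for r in (parse_fast_line(l) for l in lines) if r is not None]

def direction(rec: Dict[str, object], home_net=HOME_NET) -> str:
    """Classify an alert relative to HOME_NET: outbound, inbound, internal or external."""
    src_home = any(ip_address(rec["src"]) in n for n in home_net)
    dst_home = any(ip_address(rec["dst"]) in n for n in home_net)
    return {(True, False): "outbound", (False, True): "inbound",
            (True, True): "internal"}.get((src_home, dst_home), "external")

# Constructed sample: the two alerts the curl test above produces, plus one
# malformed line to show it is skipped instead of breaking the parser.
SAMPLE_LOG = """\
01/12/2012-02:16:27.964981  [**] [1:2013028:3] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.230.100:56260 -> 217.160.51.31:80
01/12/2012-02:16:28.309707  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80 -> 192.168.230.100:56260
this line is not an alert
"""

if __name__ == "__main__":
    for a in parse_fast_log(SAMPLE_LOG.splitlines()):
        print(a["ts"], a["sid"], direction(a), a["msg"])
```

Pointing `parse_fast_log` at the real /var/log/suricata/fast.log gives the same per-alert fields, which is enough to spot rules that fire mostly on internal-to-internal traffic and need tuning.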
0x05 configure Base
Base uses adodb and the Image_Canvas and Image_Graph drawing components. The configuration process is as follows:
Decompress adodb514.zip
[root@root ids]$ unzip adodb514.zip
Copy adodb5 to /usr/local/lib/. This directory is an arbitrary choice; its path is needed again later in the Base setup.
[root@root ids]$ sudo cp -R adodb5 /usr/local/lib/
Install Image_Canvas and Image_Graph:
[root@root ids]$ sudo pear install Image_Canvas-0.3.3.tgz
[root@root ids]$ sudo pear install Image_Graph-0.8.0.tgz
Decompress base-1.4.5.tar.gz
[root@root ids]$ tar zxvf base-1.4.5.tar.gz
Copy base-1.4.5 to /var/www/html/base:
[root@root ids]$ sudo cp -R base-1.4.5 /var/www/html/base
Change the owner of /var/www/html/base to apache:
[root@root ids]$ cd /var/www/html/
[root@root html]$ sudo chown -R apache:apache base
Then open http://192.168.230.100/base in a browser.
Follow the prompts highlighted on the page.
Modify php.ini:
[root@root html]$ sudo vim /etc/php.ini
Find the line
error_reporting = E_ALL & ~E_DEPRECATED
and change it to:
error_reporting = E_ALL & ~E_DEPRECATED & ~E_NOTICE
Reload the Apache configuration:
[root@root html]$ sudo /etc/init.d/httpd reload
Then click "Continue".
Select the language and enter the adodb5 path from earlier, then click "Continue".
Enter the MySQL connection information and click "Continue".
Enter the authentication information. If you want Base to require a login, check "Use Authentication System", then click "Continue".
Click "Create BASE AG".
Click "step 5" to go to the homepage.
0x06 finally
That completes the installation. The value of an IDS lies in how well its rules are tuned; only rules chosen to match the actual environment let it show its strength. For more on rule configuration, see the following article.