I'm just doing a backup here.
How to install the Snort intrusion detection system on Ubuntu
Snort is an excellent open-source host intrusion detection system that can be installed and run on both Windows and Linux. Ubuntu, as a desktop-oriented Linux distribution, can also run Snort.
Snort installation procedure
[Install Lamp,snort and some software libraries]
Because Ubuntu is a Debian-based Linux, installing software is very simple. The University of Science and Technology of China (USTC) hosts an Ubuntu mirror, which is very fast to download from on the education and China Telecom networks (2~6 MB/s); fetching the packages from mirrors abroad is more trouble. All of the software can be installed in a few tens of seconds with a single command, using Ubuntu's default command-line package manager, apt:
$ sudo apt-get install libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear pcregrep snort snort-rules-default
Note that when the MySQL server is installed you will be prompted to set the MySQL root user's password; for now set it to "test".
[Build a database for Snort in MySQL database]
The Ubuntu repository provides a package, snort-mysql, that adds MySQL output support to Snort; install it with the package manager:
$ sudo apt-get install snort-mysql
Review the Help documentation after installation:
$ less /usr/share/doc/snort-mysql/README-database.Debian
Following the instructions in that document, create the Snort database and the Snort database user in MySQL. The commands used are as follows:
$ mysql -u root -p
At the password prompt, enter the password set above (test).
mysql> CREATE DATABASE snort;
mysql> GRANT CREATE, INSERT, SELECT, UPDATE ON snort.* TO snort@localhost;
mysql> GRANT CREATE, INSERT, SELECT, UPDATE ON snort.* TO snort;
mysql> SET PASSWORD FOR snort@localhost = PASSWORD('snort-db');
mysql> exit
These commands create a snort database in MySQL, create a snort user to manage that database, and set the snort user's password to snort-db.
The table structure of the snort database is then created according to the instructions in README-database.Debian:
$ cd /usr/share/doc/snort-mysql
$ zcat create_mysql.gz | mysql -u snort -D snort -psnort-db
This creates the structure of the snort database in MySQL, including all the tables Snort needs to use.
[Set snort to output the log file to the MySQL database]
Edit Snort's configuration file, /etc/snort/snort.conf:
$ sudo vim /etc/snort/snort.conf
Comment out the existing HOME_NET line and set HOME_NET to the network the local IP address belongs to; comment out the existing EXTERNAL_NET line and set it to everything that is not the local network, as follows:
#var HOME_NET any
var HOME_NET 192.168.0.0/16
#var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET
Comment out the existing output database line and set log output to the MySQL database as follows:
output database: log, mysql, user=snort password=snort-db dbname=snort host=localhost
#output database: log, mysql
In this way Snort no longer writes records to files in the /var/log/snort directory and instead stores them in the MySQL snort database. Now test whether Snort is working properly:
$ sudo snort -c /etc/snort/snort.conf
If a piglet drawn in ASCII characters appears, Snort is working; press Ctrl-C to exit. If Snort exits unexpectedly, check the configuration above for errors.
[Test that the Apache web server and PHP are working properly]
Configure Apache's PHP module to load the MySQL and GD extensions:
$ sudo vim /etc/php5/apache2/php.ini
extension=mysql.so
extension=gd.so
Restart Apache:
$ sudo /etc/init.d/apache2 restart
Create a new text file test.php under the /var/www/ directory:
$ sudo vim /var/www/test.php
with the following content:
<?php
phpinfo();
?>
Then open http://localhost/test.php in a browser; if the configuration is correct, the classic PHP info page appears, showing that LAMP is working properly.
[Install and configure Acid-base]
Installing acidbase is simple: download and install it with the Ubuntu package manager:
$ sudo apt-get install acidbase
During installation you are asked which database acidbase should use (choose MySQL), for the MySQL root password (test), and for an acidbase database password (this can apparently also be skipped).
Copy acidbase from its installation directory to the www directory. You could instead create a virtual directory in Apache that points at the installation directory; it is copied here mainly for security reasons.
$ sudo cp -r /usr/share/acidbase/ /var/www/
Because base_conf.php in the acidbase directory is originally a symbolic link to base_conf.php under /etc/acidbase/, we delete this link and create a new base_conf.php file so that its permissions stay under our control:
$ sudo rm /var/www/acidbase/base_conf.php
$ sudo touch /var/www/acidbase/base_conf.php
Temporarily make the /var/www/acidbase/ directory writable by everyone, purely so that acidbase can write its configuration:
$ sudo chmod 757 /var/www/acidbase/
Now you can configure acidbase: open http://localhost/acidbase in the browser's address bar to reach the setup interface, then click Continue and go through the steps:
Choose English as the language and /usr/share/php/adodb as the ADOdb path. Select MySQL as the database type, snort as the database name, localhost as the database host, snort as the database user name and snort-db as the password. For the acidbase system administrator, set the user name to admin and the password to test. Then continue through the remaining steps and the installation will be complete.
After installation you reach the login screen; enter the user name and password to enter the acidbase system.
Change the permissions of the acidbase directory back to ensure security, then start Snort in the background. If it starts normally, the Snort intrusion detection system has been installed and started correctly:
$ sudo chmod 775 /var/www/acidbase/
$ sudo snort -c /etc/snort/snort.conf -i eth0 -D
[Check that the intrusion detection system is working, and change the detection rules]
Under normal circumstances, on an insecure network, a network attack will be seen shortly after logging in to acidbase. If no network attack shows up, you can add a stricter rule so that normal network connections are reported as well, to test that Snort IDS is working correctly; for example, add the following at the end of /etc/snort/rules/web-misc.rules:
$ sudo vi /etc/snort/rules/web-misc.rules
alert tcp any :1024 -> $HTTP_SERVERS 500 (msg:"Test rule: low source port to port 500"; sid:1000001; rev:1;)
This rule means that any TCP packet sent from a source port of 1024 or lower on any address to port 500 on a local web server ($HTTP_SERVERS) raises an alert. Kill Snort's background process and restart it; it should now report normal packets as attacks too.
$ sudo kill $(pgrep snort)
$ sudo snort -c /etc/snort/snort.conf -i eth0 -D
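To make the HOME_NET / EXTERNAL_NET variables from the snort.conf step and the test rule above concrete, here is an added example (not code from the original post or from the Snort project) that evaluates a Snort 2 rule header against a packet 5-tuple: it expands $VAR references (including the negated !$HOME_NET form), applies the :1024 port-range syntax, and checks the rule direction. The variable table is constructed to mirror the walkthrough's settings; HTTP_SERVERS is assumed to keep the stock snort.conf value $HOME_NET, and only single networks (not Snort's [a,b] address lists) are supported.

```python
"""Evaluate Snort 2 rule headers against packet 5-tuples (added example)."""
import ipaddress
import re

# Constructed variable table mirroring the walkthrough's snort.conf.
# HTTP_SERVERS = $HOME_NET is an assumption (the stock snort.conf default).
VARS = {
    "HOME_NET": "192.168.0.0/16",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
}

# The rule added to web-misc.rules in the walkthrough, and a second rule
# (constructed) that uses the negated EXTERNAL_NET variable.
TEST_RULE = ('alert tcp any :1024 -> $HTTP_SERVERS 500 '
             '(msg:"Test rule: low source port to port 500"; sid:1000001; rev:1;)')
EXTERNAL_RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ssh from outside"; sid:1000002; rev:1;)'

# Rule header only: action proto src sport dir dst dport. Options in
# parentheses are deliberately ignored by this matcher.
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


def expand(token, variables=VARS):
    """Recursively replace a $VAR reference, keeping track of a leading '!'.

    '!$EXTERNAL_NET' where EXTERNAL_NET = '!$HOME_NET' cancels out to HOME_NET.
    """
    negate = token.startswith("!")
    body = token[1:] if negate else token
    if body.startswith("$"):
        body = expand(variables[body[1:]], variables)
        if body.startswith("!"):
            negate = not negate
            body = body[1:]
    return ("!" if negate else "") + body


def addr_matches(spec, addr):
    """True if IP address `addr` is covered by the (possibly negated) spec."""
    spec = expand(spec)
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    """Handle 'any', a single port, and ranges: 'lo:hi', ':hi', 'lo:'."""
    spec = expand(spec)
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    else:
        hit = int(spec) == port
    return hit != negate


def parse_header(rule):
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header: " + rule)
    return m.groupdict()


def rule_matches(rule, proto, src, sport, dst, dport):
    """Return True if the packet tuple matches the rule header."""
    h = parse_header(rule)
    if h["proto"].lower() != proto.lower():
        return False

    def one_way(s, sp, d, dp):
        return (addr_matches(h["src"], s) and port_matches(h["sport"], sp)
                and addr_matches(h["dst"], d) and port_matches(h["dport"], dp))

    if one_way(src, sport, dst, dport):
        return True
    # '<>' rules match in either direction.
    return h["dir"] == "<>" and one_way(dst, dport, src, sport)


if __name__ == "__main__":
    print("EXTERNAL_NET expands to", expand("$EXTERNAL_NET"))
    print("80 -> HOME 500:", rule_matches(TEST_RULE, "tcp", "10.1.1.1", 80, "192.168.1.5", 500))
    print("40000 -> HOME 500:", rule_matches(TEST_RULE, "tcp", "10.1.1.1", 40000, "192.168.1.5", 500))
```

Running it shows why the test rule fires on ordinary traffic: the source-port spec :1024 covers every well-known port, so a reply from any server's port 80 to a local host on port 500 matches, while the same packet from an ephemeral port does not.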
Summary
Installing the Snort intrusion detection system and its web console on Ubuntu is fairly easy because Ubuntu provides convenient package installation, but sometimes customisation is poor and the user has to find the package's installation location manually.
When installing snort-mysql the package could not be found in the sources, so I added a new software source; the following is my list of software sources:
deb http://mirrors.ustc.edu.cn/ubuntu/ trusty main universe restricted multiverse
deb-src http://mirrors.ustc.edu.cn/ubuntu/ trusty main universe restricted multiverse #Added by software-properties
deb http://security.ubuntu.com/ubuntu/ trusty-security restricted universe main multiverse
deb http://kr.archive.ubuntu.com/ubuntu precise main universe
deb http://th.archive.ubuntu.com/ubuntu precise main universe
#deb http://mirror.lupaworld.com/ubuntu precise main universe
deb http://kambing.vlsm.org/ubuntu precise main universe
#deb http://ubuntu.mithril-linux.org/archives precise main universe
deb http://mirror.in.th/ubuntu precise main universe
deb http://mirror.rootguide.org/ubuntu precise main universe