Source: http://hi.baidu.com/pia_ca/blog/item/2767d3f424376edd7931aa28.html
1. Preface
Skip the preface; this part is omitted. Straight to the topic below.
2. Preparations
CentOS 6.2 was installed as a minimal installation and is updated from the 163 mirror, so the following dependency packages need to be installed first:
[piaca@piaca ~]$ sudo yum install gcc make pcre-devel libpcap-devel
At the same time, disable iptables and ip6tables:
[piaca@piaca ~]$ sudo service iptables stop
[piaca@piaca ~]$ sudo service ip6tables stop
[piaca@piaca ~]$ sudo chkconfig --level 2345 iptables off
[piaca@piaca ~]$ sudo chkconfig --level 2345 ip6tables off
Software to download:
Suricata: http://www.openinfosecfoundation.org/index.php/downloads
Barnyard 2: http://www.securixlive.com/barnyard2/
BASE: http://base.secureideas.net/
YAML: http://pyyaml.org/
ADOdb: http://sourceforge.net/projects/adodb/
Rules: http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Image_Canvas: http://download.pear.php.net/package/Image_Canvas-0.3.3.tgz
Image_Graph: http://download.pear.php.net/package/Image_Graph-0.8.0.tgz
3. Configure the APM Environment
BASE requires an APM (Apache, PHP, MySQL) environment, which is installed here with yum:
[piaca@piaca ids]$ sudo yum install httpd php mysql-server mysql-devel php-mysql php-gd php-pear
Start the httpd and mysqld services:
[piaca@piaca ids]$ sudo /etc/init.d/httpd start
[piaca@piaca ids]$ sudo /etc/init.d/mysqld start
The default web root is /var/www/html. Create a phpinfo test file in that directory to check that PHP is configured correctly.
PS: After MySQL is installed, the root account has an empty password. Set a password for root with the following command:
[piaca@piaca ~]$ mysqladmin -uroot -p password [new password]
4. Install Barnyard 2
The installation process is as follows:
[piaca@piaca ids]$ tar zxvf barnyard2-1.9.tar.gz
[piaca@piaca ids]$ cd barnyard2-1.9
[piaca@piaca barnyard2-1.9]$ ./configure --with-mysql
[piaca@piaca barnyard2-1.9]$ make
[piaca@piaca barnyard2-1.9]$ sudo make install
5. Install Suricata
Suricata depends on libyaml, so install yaml first:
[piaca@piaca ids]$ tar zxvf yaml-0.1.4.tar.gz
[piaca@piaca ids]$ cd yaml-0.1.4
[piaca@piaca yaml-0.1.4]$ ./configure
[piaca@piaca yaml-0.1.4]$ make
[piaca@piaca yaml-0.1.4]$ sudo make install
Then build and install Suricata itself:
[piaca@piaca ids]$ tar zxvf suricata-1.1.1.tar.gz
[piaca@piaca ids]$ cd suricata-1.1.1
[piaca@piaca suricata-1.1.1]$ ./configure
[piaca@piaca suricata-1.1.1]$ make
[piaca@piaca suricata-1.1.1]$ sudo make install
6. Configure Suricata and Barnyard 2
Configure Barnyard 2
Copy etc/barnyard2.conf from the Barnyard 2 source tree to the Suricata configuration directory:
[piaca@piaca ids]$ cd barnyard2-1.9
[piaca@piaca barnyard2-1.9]$ sudo cp etc/barnyard2.conf /etc/suricata/
Create the Barnyard 2 log directory /var/log/barnyard2:
[piaca@piaca ~]$ sudo mkdir /var/log/barnyard2
Configure the database
Create a database and a corresponding account with only the privileges Barnyard 2 needs:
[piaca@piaca ~]$ mysql -uroot -p
mysql> create database ids;
mysql> grant create, select, update, insert, delete on ids.* to ids@localhost identified by 'ids123';
In the Barnyard 2 source tree, schemas/create_mysql is the SQL file that creates the tables. Create them as follows:
[piaca@piaca ~]$ mysql -uids -p -Dids < ids/barnyard2-1.9/schemas/create_mysql
Configure Suricata
Create the Suricata configuration directory and log directory:
[piaca@piaca ~]$ sudo mkdir /var/log/suricata
[piaca@piaca ~]$ sudo mkdir /etc/suricata
Copy the rule files to the Suricata configuration directory:
[piaca@piaca ids]$ tar zxvf emerging.rules.tar.gz
[piaca@piaca ids]$ sudo cp -R rules /etc/suricata/
Copy suricata.yaml, classification.config and reference.config from the Suricata source tree to the Suricata configuration directory:
[piaca@piaca ids]$ cd suricata-1.1.1
[piaca@piaca suricata-1.1.1]$ sudo cp suricata.yaml classification.config reference.config /etc/suricata/
Edit the barnyard2.conf file
[piaca@piaca ~]$ cd /etc/suricata/
[piaca@piaca suricata]$ sudo vim barnyard2.conf
Find the following lines:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Change the paths (highlighted in red in the original post) so that they point at the Suricata directories:
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
Add the following line at the end of the file, substituting the MySQL database and account details created above:
output database: log, mysql, user=ids password=ids123 dbname=ids host=localhost
Edit the suricata.yaml file
[piaca@piaca suricata]$ sudo vim suricata.yaml
Find HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" and change it to match the actual network. Here I change it to HOME_NET: "[192.168.0.0/16]".
Find the following block:
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd_right: []
  old_linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old_solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
Modify it to match the operating systems actually present on the network (this policy controls how Suricata reassembles streams for each host).
Start Suricata and Barnyard 2
[piaca@piaca ~]$ sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata.waldo -D
[piaca@piaca ~]$ sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 -D
The -i parameter passed to suricata is the NIC that receives the mirrored (SPAN) traffic.
To test whether Suricata is working properly, run the following command:
[piaca@piaca suricata]$ curl www.testmyids.com
After the command runs, the sizes of fast.log, suricata.waldo and the unified2.alert.* files in /var/log/suricata change. Open fast.log; if it contains lines similar to the following, Suricata is working properly:
01/12/2012-02:16:27.964981 [**] [283028:3] et policy curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.230.100:56260 -> 217.160.51.31:80
01/12/2012-02:16:28.309707 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80 -> 192.168.230.100:56260
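The two fast.log lines above are what a working sensor produces for the testmyids.com check. As an added example (not part of the original post), the following Python parser reads fast.log lines into structured records and classifies each alert as inbound, outbound or internal against the HOME_NET value set in suricata.yaml, which is a quick way to confirm that HOME_NET is right before trusting the rule set. The sample lines are constructed, modelled on the post's output; the sid for the curl alert is a placeholder.

```python
import re
import ipaddress
from collections import Counter

# Suricata fast.log line layout, matching the test output quoted in the post.
# Classification is optional because rules without a classtype omit it.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9A-Fa-f.:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9A-Fa-f.:]+):(?P<dport>\d+)$"
)

def parse_fast_log(lines):
    """Turn fast.log lines into dicts; anything that is not an alert line is skipped."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line.strip())
        if m:
            a = m.groupdict()
            for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
                a[k] = int(a[k])
            alerts.append(a)
    return alerts

def direction(alert, home_nets):
    """Classify an alert against HOME_NET (the value edited in suricata.yaml)."""
    nets = [ipaddress.ip_network(n) for n in home_nets]
    def is_home(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)  # v4/v6 mismatch is simply False
    src_home, dst_home = is_home(alert["src"]), is_home(alert["dst"])
    if src_home and dst_home:
        return "internal"
    return "outbound" if src_home else ("inbound" if dst_home else "external")

def summarize(lines, home_nets):
    """Return parsed alerts plus counts by direction and by (gid, sid, msg)."""
    alerts = parse_fast_log(lines)
    by_dir = Counter(direction(a, home_nets) for a in alerts)
    by_sid = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    return alerts, by_dir, by_sid

# Constructed sample lines modelled on the post's testmyids.com check (not real capture data).
SAMPLE_FAST_LOG = [
    "01/12/2012-02:16:27.964981  [**] [1:2003028:3] ET POLICY curl User-Agent Outbound [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.230.100:56260 -> 217.160.51.31:80",
    "01/12/2012-02:16:28.309707  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80 -> 192.168.230.100:56260",
    "this line is not an alert and must be ignored",
]
```

Calling summarize(SAMPLE_FAST_LOG, ["192.168.0.0/16"]) yields one outbound and one inbound alert; with a wrong HOME_NET such as ["10.0.0.0/8"] both become "external", which is the symptom to look for when directional rules never fire.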
7. Configure BASE
BASE uses the ADOdb, Image_Canvas and Image_Graph components for database access and graphing. The configuration process is as follows:
Unpack adodb514.zip:
[piaca@piaca ids]$ unzip adodb514.zip
Copy adodb5 to /usr/local/lib/. This directory is an arbitrary choice; the path is entered later in the BASE setup:
[piaca@piaca ids]$ sudo cp -R adodb5 /usr/local/lib/
Install Image_Canvas and Image_Graph:
[piaca@piaca ids]$ sudo pear install Image_Canvas-0.3.3.tgz
[piaca@piaca ids]$ sudo pear install Image_Graph-0.8.0.tgz
Unpack base-1.4.5.tar.gz:
[piaca@piaca ids]$ tar zxvf base-1.4.5.tar.gz
Copy base-1.4.5 to /var/www/html/base:
[piaca@piaca ids]$ sudo cp -R base-1.4.5 /var/www/html/base
Change the owner of /var/www/html/base to apache:
[piaca@piaca ids]$ cd /var/www/html/
[piaca@piaca html]$ sudo chown -R apache:apache base
Then open http://192.168.230.100/base in a browser.
Follow the prompts highlighted in red on the page.
Modify php.ini:
[piaca@piaca html]$ sudo vim /etc/php.ini
Locate error_reporting = E_ALL & ~E_DEPRECATED and change it to error_reporting = E_ALL & ~E_DEPRECATED & ~E_NOTICE
Reload the Apache configuration:
[piaca@piaca html]$ sudo /etc/init.d/httpd reload
Then click "Continue" to go to the next step.
Select the language and the path of the adodb5 directory copied earlier, then click "Continue".
Enter the MySQL information and click "Continue".
Enter the authentication information. If you want logins to be required, check "Use Authentication System", then click "Continue".
Click "Create BASE AG".
Click "step 5" to go to the homepage.
8. Closing
The above is the entire installation process. The value of an IDS lies in whether its rules are set properly; only when appropriate rules are chosen for the actual environment does the IDS show its strength.