Lightweight Snort IDS tool in Linux

Source: Internet
Author: User
Article Title: A lightweight Snort IDS tool in Linux
   I. Introduction to Snort
Snort is designed to fill the gap left by expensive, heavyweight network intrusion detection systems. It is a free, cross-platform package that works as a lightweight sniffer, packet logger and intrusion detector for small TCP/IP networks. It runs on Linux/UNIX and Win32 systems, installs in a few minutes, and can be used right away.
Some of Snort's functions:
- Real-time traffic analysis and packet logging
- Packet payload inspection
- Protocol analysis and content search/matching
- Detection of buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts
- Real-time alerts to syslog, a specified file, a Unix socket, or WinPopup messages via Samba
Snort has three main modes: packet sniffer, packet logger, or full intrusion detection system. Following free-software development practice, Snort supports many forms of plug-ins, extensions and customization, including database or XML logging, small-fragment detection and statistical anomaly detection.
Packet payload inspection is one of Snort's most useful features, because it lets many additional kinds of hostile traffic be detected.
  
   II. Required software packages and installation
The required software packages:
1. libpcap
http://www.mirrors.wiretapped.net/security/packet-capture/libpcap/libpcap-0.8.3.tar.gz
2. snort
http://www.snort.org/dl/snort-2.2.0.tar.gz
3. snort rules
http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
4. openssl
http://www.openssl.org/source/openssl-0.9.7d.tar.gz
5. acid, a web-based intrusion event database analysis console
http://acidlab.sourceforge.net
6. gd
http://www.boutell.com/gd/
7. adodb, which provides a convenient database interface for ACID
http://php.weblogs.com/ADODB
8. phplot, the image library ACID depends on
http://www.phplot.com/
9. apache
http://www.apache.org
10. mysql
http://www.mysql.com
11. php (v > 4.2)
http://www.php.net
  
Start the installation:
  
1. Install MySQL
# addgroup mysql
# adduser mysql
Then log in as mysql and execute the following commands:
$ gzip -d -c mysql-3.23.49.tar.gz | tar xvf -
$ cd mysql-3.23.49
$ ./configure
$ make
$ make install
(The Snort and PHP builds below look for MySQL under /usr/local/mysql; if configure does not default to that prefix on your system, pass --prefix=/usr/local/mysql.)
  
2. Install OpenSSL
# tar zxvf openssl*
# cd openssl-0.9.7d
# ./config
# make
# make test
# make install
  
3. Install libpcap
# tar zxvf libpcap*
# cd libpcap-0.8.3
# ./configure
If configure prints:
configure: warning: cannot determine packet capture interface
configure: warning: (see INSTALL for more info)
the kernel must be rebuilt with CONFIG_PACKET support.
# make
# make install
  
4. Install Snort
# tar zxvf snort*
# cd snort-2.2.0
# ./configure --enable-flexresp --with-mysql=/usr/local/mysql --with-openssl=/usr/local/ssl
This enables MySQL and OpenSSL support. For more options, see the documentation in the tarball.
If you see:
ERROR! Libpcre header not found, go get it from
download the library from http://www.pcre.org and install it.
If you see:
ERROR! Libnet header not found
download and install libnet from packetfactory.net/projects/libnet (the flexible-response option requires it).
If libnet is already installed, point configure at it with the --with-libnet-* options.
# make
# make install
  
5. Install Apache
# ./configure --prefix=/usr/local/apache --enable-so
# make
# make install
  
6. Install gd
First install the GD library, which gives PHP both PNG and JPEG image generation:
# gzip -d -c gd-2.0.28.tar.gz | tar xvf -
# cd gd-2.0.28
# ./configure
# make
# make install
  
7. Install PHP
# gzip -d -c php-4.3.2.tar.gz | tar xvf -
# cd php-4.3.2
# ./configure --with-mysql=/usr/local/mysql \
  --with-apxs=/usr/local/apache/bin/apxs \
  --with-gd=/usr/local
(With Apache 2.x, PHP 4.3 needs --with-apxs2 instead of --with-apxs.)
# make
# make install
  
8. Install ACID
This part consists of three packages: adodb452.tar.gz, phplot-5.0rc1.tar.gz and acid-0.9.6b23.tar.gz. The installation is very simple: just extract the three packages under the Apache server's document root.
As follows (the document root of this server is /www/ids):
# cd /www/ids/
# gzip -d -c adodb452.tar.gz | tar xvf -
# gzip -d -c phplot-5.0rc1.tar.gz | tar xvf -
# gzip -d -c acid-0.9.6b23.tar.gz | tar xvf -
  
Then configure it: go to the acid directory, edit the ACID configuration file acid_conf.php, and assign values to the following variables:
$DBlib_path = "../adodb";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "3306";
$alert_user = "root";
$alert_password = "123";
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "3306";
$archive_user = "root";
$archive_password = "123";
$ChartLib_path = "../phplot";
$chart_file_format = "png";
$portscan_file = "/var/log/snort/portscan.log";
ACID creates and maintains its own tables in the snort database, so it needs CREATE, SELECT, INSERT, UPDATE and DELETE rights there; a dedicated account holding just those rights is preferable to the root account and password shown above. Now the required software is installed. Next, configure and start Snort.
  
   III. Snort configuration and startup
We can run Snort in a chroot environment, and the setup is simple. First choose a place with enough space for the Snort logs; if you check and purge the logs regularly, the Snort chroot environment can live in /home/snort.
Execute the following commands to add the snort user:
# groupadd snort
# useradd -g "snort" -d "/home/snort" -s "/nonexists" -c "Snort User" snort
  
Then unpack the snortrules package in /home/snort; a rules directory appears at /home/snort/rules. This is the ruleset Snort uses, and it is the basis on which Snort detects anything on the network. In rules there is a file snort.conf, the Snort configuration file, which must be modified to suit the actual situation.
Only a few things in snort.conf need to be changed before Snort can run. The likely changes are:
  
- var HOME_NET
The IP address of the network or host. For example, if you only have this one server, enter just the server's IP address. If the machine has two or more IP addresses, use this form:
var HOME_NET [192.168.1.1,192.168.1.2]
or
var HOME_NET 192.168.1.0/24
  
- var SMTP [IP.Address]
If the SMTP server is not in HOME_NET, just replace $HOME_NET with the IP address of the SMTP server.
- var HTTP_SERVERS
The HTTP servers are set the same way as SMTP: if the machine acting as web server is not in HOME_NET, point this variable at its IP address.
- var DNS_SERVERS
The IP address of the DNS server. At the same time, uncomment the following line:
preprocessor portscan-ignorehosts: $DNS_SERVERS
This prevents useless port-scan records caused by DNS lookups.
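Getting these variables wrong is the usual reason a rule silently never fires, because every rule's $HOME_NET / $EXTERNAL_NET tuple is evaluated against them. The following added example (it is not code from the article or from the Snort project) parses the three value forms described above, a bracketed list, a single address and a CIDR block, plus "any" and a "$NAME" reference to an earlier variable, and answers the question "is this address inside the variable's set?". It goes a little beyond the text by also honouring "!" exclusion entries in a list. The snort.conf fragment and the function names are constructed for the example.

```python
import ipaddress

# Constructed snort.conf fragment (not from the article): list, single
# address and CIDR forms, "any", a "$NAME" reference and one non-IP var.
SAMPLE_CONF = """\
var HOME_NET [192.168.1.0/24,!192.168.1.254]
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS 192.168.1.10
var DNS_SERVERS 192.168.1.53
var RULE_PATH ../rules
"""

# "any" is represented as the whole IPv4 space with nothing excluded.
ANY = ([ipaddress.ip_network("0.0.0.0/0")], [])


def parse_var_list(value):
    """Turn one Snort 2.x IP variable value into (included, excluded) nets.

    Accepts a single address or CIDR block, or a bracketed comma-separated
    list; an entry starting with '!' is an exclusion. Raises ValueError for
    values that are not addresses (e.g. a rule path)."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        entries = [e.strip() for e in value[1:-1].split(",") if e.strip()]
    else:
        entries = [value]
    included, excluded = [], []
    for entry in entries:
        negate = entry.startswith("!")
        # strict=False tolerates host bits set, e.g. 192.168.1.1/24
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        (excluded if negate else included).append(net)
    return included, excluded


def parse_snort_vars(conf_text):
    """Collect every 'var NAME VALUE' line whose value is an IP set."""
    variables = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) != 3 or parts[0] != "var":
            continue
        _, name, value = parts
        if value == "any":
            variables[name] = ANY
        elif value.startswith("$"):
            # reference to an earlier variable, e.g. var SMTP $HOME_NET
            # (a negated reference such as !$HOME_NET is not handled here)
            ref = value[1:]
            if ref not in variables:
                raise ValueError("undefined variable $" + ref)
            variables[name] = variables[ref]
        else:
            try:
                variables[name] = parse_var_list(value)
            except ValueError:
                continue  # not an address variable (RULE_PATH etc.)
    return variables


def matches(var, address):
    """True if address is in the variable's set; exclusions take priority."""
    included, excluded = var
    addr = ipaddress.ip_address(address)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in included)


if __name__ == "__main__":
    vars_ = parse_snort_vars(SAMPLE_CONF)
    for name, (inc, exc) in vars_.items():
        print(name, [str(n) for n in inc], [str(n) for n in exc])
    print("192.168.1.10 in HOME_NET:", matches(vars_["HOME_NET"], "192.168.1.10"))
    print("192.168.1.254 in HOME_NET:", matches(vars_["HOME_NET"], "192.168.1.254"))
```

Run it against your own snort.conf and a few addresses you expect to be "home" and "external"; an address that lands in neither, or in both, is a configuration mistake worth fixing before trusting the alerts.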
  
Finally, the logging configuration. We compiled Snort with MySQL support; to log to MySQL we must first create the database, username and password Snort will use. Execute the following:
# echo "create database snort;" | mysql -u root -p
# mysql -u root -p -e "GRANT INSERT, SELECT ON snort.* TO snort@localhost IDENTIFIED BY '123'"
The table schema ships with the Snort source as contrib/create_mysql; create the tables with:
# mysql -D snort -u root -p < contrib/create_mysql
  
After that, don't forget to enable MySQL output in snort.conf. Simply uncomment the output line:
output database: log, mysql, user=snort password=123 dbname=snort host=localhost
and the ruletype definition:
ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  output database: log, mysql, user=snort password=123 dbname=snort host=localhost
}
  
   IV. Execute Snort
Everything is ready, so now we can start Snort :)
But before that:
# mkdir /var/log/snort
# chown snort.snort /var/log/snort
Now cd into /home/snort and start Snort:
/home/snort # snort -b -d -i eth0 -u snort -g snort -c /home/snort/rules/snort.conf -l /var/log/snort &
-b -d: log packets in tcpdump (binary) format, including the application-layer data
-u snort -g snort: run Snort as the "snort" user and group after initialization (the chroot directory itself is set with -t)
-c: the configuration file to use
-l: the log directory
&: just run it in the background
  
   V. Introduction to Snort rules
A Snort rule is divided into two parts: the rule header and the options that follow it. The rule header contains the action, the protocol, and the traffic-selection tuple (source and destination IP addresses and source and destination ports). The option part consists of one or more options, all of which must match (they are ANDed together); there may be dependencies between options. Options fall into four classes. The first class describes characteristics of the packet itself, such as conte.
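The header/option split above is easy to get wrong by hand, because option values are quoted and may contain an escaped semicolon ("\;"), so a plain split on ";" mangles them. The following added example (not code from the article or from Snort itself) parses one rule into its seven header fields and its ordered list of options, keeping quoted values as written and rejecting a rule whose option section is not closed. The sample rule is constructed for the example; its sid 1000001 lies in the range reserved for local rules.

```python
# Constructed example rule (not from the article). The msg contains an
# escaped semicolon, which a naive split on ';' would break.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg:"WEB-MISC cgi-bin probe \\; example"; flow:to_server,established; '
    'content:"/cgi-bin/"; nocase; content:"../"; '
    'classtype:web-application-activity; sid:1000001; rev:1;)'
)

# The rule header is always these seven whitespace-separated fields.
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")


def split_options(body):
    """Split the text between the rule's parentheses into (keyword, value)
    pairs. A ';' ends an option only outside double quotes and when it is
    not escaped with a backslash; quoted values are returned as written.
    Options without a value (e.g. nocase) get value None."""
    options, current = [], []
    in_quotes = escaped = False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
            continue
        if ch == "\\":
            current.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            text = "".join(current).strip()
            if text:
                keyword, sep, value = text.partition(":")
                options.append((keyword.strip(), value.strip() if sep else None))
            current = []
            continue
        current.append(ch)
    leftover = "".join(current).strip()
    if leftover or in_quotes:
        raise ValueError("unterminated option: %r" % leftover)
    return options


def parse_rule(rule):
    """Return (header dict, option list) for one single-line Snort rule."""
    rule = rule.strip()
    head, paren, body = rule.partition("(")
    if not paren or not body.endswith(")"):
        raise ValueError("rule has no option section")
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS) or fields[4] not in ("->", "<>"):
        raise ValueError("malformed rule header: %r" % head)
    return dict(zip(HEADER_FIELDS, fields)), split_options(body[:-1])


def option_values(options, keyword):
    """All values for a keyword, in order (content may appear many times)."""
    return [v for k, v in options if k == keyword]


if __name__ == "__main__":
    header, options = parse_rule(SAMPLE_RULE)
    print(header)
    for keyword, value in options:
        print("  %-10s %s" % (keyword, value))
```

Because option order is preserved, a modifier such as nocase can be related to the content option that precedes it, which is how Snort itself interprets it; collapsing the options into a dictionary would lose that and would also hide repeated content keywords.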
