Part One: A Simple Introduction to IDS (Intrusion Detection System) with a focus on DAQ installation.
IDS monitors the operation status of networks and systems based on certain security policies through software or hardware, aiming to detect various attack attempts, behaviors, and results as much as possible to ensure the confidentiality, integrity, and reliability of network system resources. Generally, IDS is used as a supplement to firewalls, located after them, enabling real-time network monitoring and recording.
Snort, as a lightweight intrusion detection system, has the following characteristics:
(1) Low resource consumption and minimal impact on network performance;
(2) Wide system support, can be used cross-platform;
(3) Snort has three main modes: packet sniffer, packet logger, and a mature intrusion detection system;
(4) It uses a misuse (signature-based) detection model: an intrusion behavior signature database is built first, and during detection each collected packet is compared against those signatures to decide whether an intrusion has occurred;
(5) It is open source and written in the C language.
Snort Architecture
(1) Data Collection: Snort uses libpcap for data collection;
(2) Data Analysis: Contains two parts: packet decoding and detection engine. Packet decoding prepares data for the detection engine, which analyzes each packet according to the rules loaded at startup;
(3) Logging/Alert Record: Logging and alerting are two separate subsystems. Logging records the information collected by packet decoding, which by default is written to the /var/log/snort folder, while alert logs are recorded in the /var/log/snort/alert file.
Simple diagram illustrating data flow:
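The alert file described above is the quickest place to confirm that a freshly built sensor is actually producing alerts, well before the database output and BASE are wired up. The script below is an added example and not part of the original article or of Snort itself; it summarizes a "full" format alert file (the default layout of /var/log/snort/alert) by signature ID and by priority. It assumes POSIX sh with awk, grep, sort and mktemp, and the three alerts it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article: summarize a Snort "full"
# format alert file (the default layout of /var/log/snort/alert) by signature
# and by priority, as a sanity check that the sensor is producing alerts.
# Assumptions: POSIX sh plus awk, grep, sort and mktemp; the alerts written
# by make_sample_alerts are constructed for this demo.

# make_sample_alerts: write a small constructed alert file and print its path
make_sample_alerts() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[**] [1:1000001:1] ICMP test [**]
[Classification: Misc activity] [Priority: 3]
02/20-14:23:11.123456 192.168.1.2 -> 192.168.1.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:1000001:1] ICMP test [**]
[Classification: Misc activity] [Priority: 3]
02/20-14:23:12.223456 192.168.1.2 -> 192.168.1.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1234   Seq:2  ECHO

[**] [1:1000002:2] WEB-MISC suspicious request [**]
[Classification: Web Application Attack] [Priority: 1]
02/20-14:25:02.000001 192.168.1.2:51234 -> 192.168.1.1:80
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:200 DF
EOF
    echo "$f"
}

# summarize_alerts FILE: one line per signature, "count sid name",
# most frequent first.  Each alert in the full format opens with
#   [**] [gid:sid:rev] Signature name [**]
summarize_alerts() {
    awk '
        /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] / {
            id = $2
            gsub(/[][]/, "", id)          # strip the surrounding brackets
            split(id, parts, ":")         # parts[2] is the SID
            name = $0
            sub(/^\[\*\*\] \[[0-9:]+\] /, "", name)
            sub(/ \[\*\*\]$/, "", name)
            count[parts[2] " " name]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# count_priority FILE N: number of alerts carrying "[Priority: N]"
count_priority() {
    grep -c "\[Priority: $2\]" "$1"
}

# Stand-alone run over the constructed sample
sample=$(make_sample_alerts)
summarize_alerts "$sample"
echo "priority 1 alerts: $(count_priority "$sample" 1)"
rm -f "$sample"
```

Pointing ALERT_FILE-style arguments at the real /var/log/snort/alert (readable only by the snort user after the chmod 600 in the configuration section) gives the same summary for a live sensor; a signature that dominates the top of the list is usually the first candidate for rule tuning.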
Part Two: System Setup
I. Setting up the LAMP stack
This is relatively simple, and because this article contains a lot, it will not be explained here.
II. Installing software required for Snort
1. libpcap is a library for capturing network packets on the Linux platform, and most network monitoring software uses it as a foundation.
Before installing libpcap, two other programs need to be installed:
[root@localhost soft]# wget ftp://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.bz2
[root@localhost soft]# tar xf bison-2.4.1.tar.bz2
[root@localhost soft]# cd bison-2.4.1
[root@localhost bison-2.4.1]# ./configure && make && make install
[root@localhost soft]# wget http://nchc.dl.sourceforge.net/project/flex/flex/flex-2.5.35/flex-2.5.35.tar.bz2
[root@localhost soft]# tar xf flex-2.5.35.tar.bz2
[root@localhost flex-2.5.35]# ./configure && make && make install
Next is installing libpcap:
[root@localhost soft]# wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz
[root@localhost soft]# tar xf libpcap-1.2.1.tar.gz
[root@localhost soft]# cd libpcap-1.2.1
[root@localhost libpcap-1.2.1]# ./configure --prefix=/usr/local/libpcap
[root@localhost libpcap-1.2.1]# make
[root@localhost libpcap-1.2.1]# make install
2. DAQ, which is used during Snort compilation
[root@localhost soft]# wget http://www.snort.org/dl/snort-current/daq-0.6.2.tar.gz
[root@localhost soft]# tar xf daq-0.6.2.tar.gz
[root@localhost soft]# cd daq-0.6.2
[root@localhost daq-0.6.2]# ./configure && make && make install
3. libdnet, a general network security development library
[root@localhost soft]# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
[root@localhost soft]# tar xf libdnet-1.12.tgz
[root@localhost soft]# cd libdnet-1.12
[root@localhost libdnet-1.12]# ./configure && make && make install
4. Snort installation
[root@localhost soft]# wget http://www.procyonlabs.com/mirrors/snort/snort-2.9.2.1.tar.gz
[root@localhost soft]# tar xf snort-2.9.2.1.tar.gz
[root@localhost soft]# cd snort-2.9.2.1
[root@localhost snort-2.9.2.1]# ./configure --with-mysql=/usr/local/mysql --with-libpcap-includes=/usr/local/libpcap/include --with-libpcap-libraries=/usr/local/libpcap/lib
[root@localhost snort-2.9.2.1]# make
[root@localhost snort-2.9.2.1]# make install
III. Snort Configuration
[root@localhost snort-2.9.2.1]# mkdir /etc/snort   # Main configuration file directory for Snort
[root@localhost snort-2.9.2.1]# mkdir /var/log/snort   # Log file directory for Snort
[root@localhost snort-2.9.2.1]# groupadd snort   # Create Snort user group
[root@localhost snort-2.9.2.1]# useradd -g snort -s /sbin/nologin snort   # Create Snort user
[root@localhost soft]# tar xf snortrules-snapshot-2920.tar.gz -C /etc/snort/
[root@localhost soft]# cd /etc/snort/
[root@localhost snort]# ls
etc  preproc_rules  rules  so_rules
[root@localhost snort]# cp etc/* /etc/snort/
[root@localhost snort]# chown snort.snort /var/log/snort   # Change owner and group of the related directory
[root@localhost snort]# touch /var/log/snort/alert
[root@localhost snort]# chown snort.snort /var/log/snort/alert
[root@localhost snort]# chmod 600 /var/log/snort/alert   # Prevent other users from modifying it
[root@localhost snort]# mkdir /usr/local/lib/snort_dynamicrules
[root@localhost snort]# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.2.0/*.so /usr/local/lib/snort_dynamicrules/   # Precompiled shared-object rule libraries
[root@localhost RHEL-6-0]# cp x86-64/2.9.2.0/*.so /usr/local/lib/snort_dynamicrules/
[root@localhost snort_dynamicrules]# vi /etc/snort/snort.conf   # Modify the following lines
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
output unified2: filename snort.log, limit 128
IV. MySQL Database Modification
[root@localhost snort_dynamicrules]# mysql   # There is no password on my database here
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 470
Server version: 5.1.36-debug-log Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database snort;   # Create the Snort database
mysql> grant all privileges on snort.* to snort@'localhost' with grant option;   # Authorize the Snort user
Query OK, 0 rows affected (0.12 sec)
mysql> set password for snort@localhost = password('aixocm');   # This is also a way to change a MySQL user's password
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
[root@localhost snort_dynamicrules]# cd /soft/snort
snort-2.9.2.1/  snortrules-snapshot-2920.tar.gz  snort-2.9.2.1.tar.gz
[root@localhost snort_dynamicrules]# cd /soft/snort-2.9.2.1
[root@localhost snort-2.9.2.1]# cd schemas/
[root@localhost schemas]# ls
create_db2    create_mysql       create_postgresql  Makefile.am
create_mssql  create_oracle.sql  Makefile           Makefile.in
[root@localhost schemas]# mysql < create_mysql snort   # Load the Snort table schema into the snort database
[root@localhost schemas]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 472
Server version: 5.1.36-debug-log Source distribution

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| bbs                |
| itop               |
| mysql              |
| snort              |
| test               |
+--------------------+
6 rows in set (0.00 sec)

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

V. Base and ADOdb Installation
[root@localhost lib]# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
[root@localhost lib]# tar xf base-1.4.5.tar.gz -C /var/www/   # /var/www is Apache's DocumentRoot
[root@localhost lib]# cd /var/www/
[root@localhost www]# mv base-1.4.5 base
[root@localhost www]# wget http://nchc.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-511-for-php5/adodb511.zip
[root@localhost www]# unzip adodb511.zip
[root@localhost www]# mv adodb5 adodb
[root@localhost www]# chown daemon.daemon /var/www/base -R
VI. Base Page Installation
Access the browser http://127.0.0.1/base/setup/index.php
Click Continue
Select Simplified Chinese, enter the path for adodb as /var/www/adodb, then click Continue
Enter the relevant MySQL information and click continue
Set the admin account password, then click continue
Click create base AG
You can see the red part indicating success, proceed to the next step by clicking Now continue to step 5…
Then you can see our base interface
VII. After completing the page configuration, BASE's charting plugins need to be installed, which requires PHP to be built with GD support.
To make BASE's graphs work, the following PEAR packages need to be installed, and an internet connection is required.
[root@localhost www]# pear install image_Canvas-alpha
WARNING: "pear/Image_Color" is deprecated in favor of "pear/Image_Color2"
downloading Image_Canvas-0.3.5.tgz ...
Starting to download Image_Canvas-0.3.5.tgz (54,486 bytes)
.............done: 54,486 bytes
downloading Image_Color-1.0.4.tgz ...
Starting to download Image_Color-1.0.4.tgz (9,501 bytes)
...done: 9,501 bytes
install ok: channel://pear.php.net/Image_Color-1.0.4
install ok: channel://pear.php.net/Image_Canvas-0.3.5
[root@localhost www]# pear install image_Graph-0.8.0
Did not download optional dependencies: pear/Numbers_Words, use --alldeps to download automatically
pear/Image_Graph can optionally use package "pear/Numbers_Words"
downloading Image_Graph-0.8.0.tgz ...
Starting to download Image_Graph-0.8.0.tgz (367,646 bytes)
.........................................................................done: 367,646 bytes
install ok: channel://pear.php.net/Image_Graph-0.8.0
[root@localhost www]# pear install Numbers_Roman
downloading Numbers_Roman-1.0.2.tgz ...
Starting to download Numbers_Roman-1.0.2.tgz (6,210 bytes)
.....done: 6,210 bytes
install ok: channel://pear.php.net/Numbers_Roman-1.0.2
VIII. Testing Snort
Modify Snort's configuration file again:
[root@localhost lib]# vi /etc/snort/snort.conf
Change lines 511 and 512:
511 # output database: alert, , user= password= test dbname= host=
512 # output database: log, , user= password= test dbname= host=
Pay close attention here. If you are using the same version as I am, be sure to format every entry correctly and put a comma after each one, because this version has bugs. A missing comma will cause the error:
Fatal Error, Quitting..
Change to:
514 output database: alert, mysql, user=snort ,password=123456, dbname=snort, host=localhost
515 output database: log, mysql, user=snort,password=123456, dbname=snort, host=localhost
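Because a single missing comma in these lines aborts Snort at startup, it is worth checking the file before launching the sensor. The script below is an added example and not part of the original article or of Snort itself: it inspects every active "output database:" line in a snort.conf, verifies that it is fully comma-separated and that the user, password, dbname and host fields are all present, and exits non-zero if any line is malformed. It assumes POSIX sh with awk and mktemp; the two configuration fragments it writes are constructed for the demo, and the passwords in them are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: validate the
# "output database:" lines of a snort.conf so the "Fatal Error, Quitting.."
# caused by a missing comma is caught before Snort is started.
# Assumptions: POSIX sh plus awk and mktemp; the fragments written by
# make_sample_conf are constructed for this demo (placeholder passwords).

# check_db_outputs CONF: print "ok:" or "malformed:" for each active
# output database line; exit status 1 if any line is malformed
check_db_outputs() {
    awk '
        BEGIN { nreq = split("user password dbname host", req, " ") }
        /^[ \t]*output[ \t]+database:/ {
            line = $0
            sub(/^[ \t]*output[ \t]+database:[ \t]*/, "", line)
            n = split(line, f, ",")
            bad = 0
            # fields: type, driver, then at least the four key=value pairs
            if (n < 6) bad = 1
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] == "") bad = 1          # a stray ", ," or a trailing comma
            }
            if (!bad && f[1] != "alert" && f[1] != "log") bad = 1
            keys = ""
            for (i = 3; i <= n && !bad; i++) {
                # a missing comma shows up as "user=snort password=..." in one field
                if (f[i] !~ /^[A-Za-z_]+=[^ \t]+$/) { bad = 1; break }
                split(f[i], kv, "=")
                keys = keys " " kv[1] " "
            }
            for (i = 1; i <= nreq && !bad; i++)
                if (index(keys, " " req[i] " ") == 0) bad = 1
            if (bad) { print "malformed: " $0; errors++ } else print "ok: " $0
        }
        END { exit (errors > 0) }
    ' "$1"
}

# make_sample_conf good|bad: write a constructed fragment and print its path
make_sample_conf() {
    f=$(mktemp) || return 1
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
# output database: alert, , user= password= test dbname= host=
output database: alert, mysql, user=snort ,password=CHANGEME, dbname=snort, host=localhost
output database: log, mysql, user=snort,password=CHANGEME, dbname=snort, host=localhost
EOF
    else
        cat > "$f" <<'EOF'
output database: alert, mysql, user=snort password=CHANGEME, dbname=snort, host=localhost
output database: log, , user=snort, password=CHANGEME, dbname=snort, host=localhost
EOF
    fi
    echo "$f"
}

# Stand-alone run over both constructed fragments
for kind in good bad; do
    conf=$(make_sample_conf "$kind")
    echo "== $kind fragment =="
    if check_db_outputs "$conf"; then
        echo "all output database lines are well-formed"
    else
        echo "fix the malformed lines above before starting snort"
    fi
    rm -f "$conf"
done
```

Running check_db_outputs /etc/snort/snort.conf right after editing, and again whenever the file is changed, turns the cryptic startup failure into a line-level message; the commented-out originals on lines 511 and 512 are ignored because only uncommented output lines are inspected.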
Comment out these four lines by adding a # before each line:
110 var WHITE_LIST_PATH /etc/snort/rules
111 var BLACK_LIST_PATH /etc/snort/rules
488 whitelist $WHITE_LIST_PATH/white_list.rules, \
489 blacklist $BLACK_LIST_PATH/black_list.rules
Remove the # from the following three lines:
Next, test Snort:
[root@localhost snort]# snort -c /etc/snort/snort.conf
If you see the little pig (Snort's ASCII-art startup banner), it means you've succeeded, haha.
After this step, Snort will not exit by itself; you’ll need to use ctrl+c to terminate it manually.
Open the browser again http://127.0.0.1/base/base_main.php
Data has been detected here, but there’s not enough of it. Next, we need more testing.
IX. Intrusion Testing
I recommend using a scanning tool for Windows called X-way
Click OK
After scanning, open the page again http://127.0.0.1/base/base_main.php
Click on the 100% I circled to view detailed intrusion records