CiscoTik

Networking Administration

Installing and Configuring Snort on Ubuntu (with MySQL)

In this post
I've put up a guide to installing and configuring Snort on Ubuntu, which is in English...
The text is complete and simple, and in my opinion it didn't need translating...


An Intrusion Detection System (IDS) is like a burglar alarm for your computer. It monitors your network and system activities for malicious activity or policy violations and reports to some kind of management station. This is great, as it lets you know who, where, when and how people are trying to break into your network, and knowing this is half the battle. You may be thinking that this isn't enough and that you want to block all hacks from happening; well, most IDS systems include some "Network Intrusion Prevention" features. However, the main concern should be closing up vulnerabilities rather than blocking someone already trying to hack your systems; after all, it's a bit late if they are already in your system, and this way you may accidentally block innocent users.

Another common use of an Intrusion Detection System is as a honeypot. In Wikipedia's words: "In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems." Basically, if you are trying to find some hacker's address or an active botnet, then installing a honeypot on a popular webserver is a good way to go about this.

So what's the best IDS? Well, infoworld.com said that the greatest open source software of all time was Snort, and if it's the best open source software of all time, you can sure as hell bet it's the best open source IDS. Snort contains a full-featured IDS, receives regular updates to its rules library, and has great Network Intrusion Prevention features. So let's discuss how to install it and get it reporting to a MySQL database.

In this tutorial we are going to set up a snort server to run on and monitor a single machine; this is great for protecting your webserver or creating a honeypot. However, if you want an IDS to monitor your entire network, this solution won't work: you'll need to buy a switch with a monitoring port (most managed switches) so that a copy of all the data sent across the network is mirrored to your snort server. If you do have this function, turn it on and follow this tutorial as normal.

So let’s get started, first we need to install some base packages, mainly LAMP (Linux, Apache, MySQL & PHP) so type into your terminal:

sudo tasksel install lamp-server

During this install you’ll be asked for a password to set for the root account on your new MySQL server, be sure to remember this as you’ll need it later.

Now we just need some tools to test the server later:

sudo apt-get install nmap
sudo apt-get install nbtscan

Just because it's good practice, remember to update your package lists:

sudo apt-get update

Now we’ve got that out of the way we can install snort:

sudo apt-get install snort-mysql

Now you should see this window. This is where you choose what range the snort server will monitor. If you're just installing this on one machine, enter the machine's IP address followed by /32; if it's a whole network, use /24 at the end, for example:

Single Machine: 192.168.0.1/32
Whole Network: 192.168.0.0/24 (remember this will need a monitoring port)

Next we are told we need a database to continue, don’t worry we installed this earlier, just press ok (Tab to select)

Now we are asked if we want a database setup, click yes.

Now we see the final config window, just click ok.

If you read the last window, you'll see that we need to configure the database. This isn't too hard, just type:

mysql -u root -p

which will open the MySQL console window. In this, type:

create database snort;

followed by

quit

Now we need to add some tables to the database we just created:

cd /usr/share/doc/snort-mysql
zcat create_mysql.gz | mysql -u root -p snort

Once that’s done we need to re-configure snort with the updated database, so type:

sudo dpkg-reconfigure -plow snort-mysql

This is the first screen you'll see; unless you know otherwise, select boot.

Now we choose the network interface to listen on; unless you know otherwise, leave this at its default value.

Here we re-enter our network selection; just leave it as is and click ok.

Here you choose whether you want to run snort in promiscuous mode or not. Even though I said that you can't monitor other hosts (without a monitoring port), this is where you can, sort of: in promiscuous mode snort will monitor broadcasted events. Personally I set this to no to reduce overhead, but it's up to you.

Just leave this blank

Again this one is up to you, personally I like the daily email reports but if you don’t want the hassle select no.

Since we have gone to the effort of setting up our database we might as well use it, select yes.

Enter 127.0.0.1. If you want to use another database server, this is where you would enter its address; however, setting this up is out of the scope of this email.

Here enter the database name, which should be snort.

For this tutorial we haven't added any additional users, so I've just used root; however, this is bad practice. I recommend you add a dedicated snort user to your MySQL database; a good tutorial on that can be found here

Now enter the password for the user you selected in the previous step.

Now you have finished configuring snort, just click ok.
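
The dedicated database user recommended above, in place of root, could be created as follows. This is an added example, not part of the original tutorial; the account names (snort, snort_ro), the placeholder passwords and the chosen privilege set are assumptions.

```sql
-- Added example: least-privilege MySQL accounts for the snort database.
-- Run in the MySQL console as an administrator (mysql -u root -p).
-- Account names and passwords below are placeholders chosen for this example.

-- Account that Snort itself logs in with (enter it in the dpkg-reconfigure
-- screens instead of root). It may only connect from the local host.
CREATE USER 'snort'@'localhost'
    IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';

-- Assumed privilege set: row-level access to the snort schema only.
-- The tables were already created as root from create_mysql.gz, so no
-- CREATE, ALTER, DROP or GRANT OPTION is handed out.
GRANT SELECT, INSERT, UPDATE, DELETE ON snort.* TO 'snort'@'localhost';

-- Hypothetical read-only account for whoever only reviews alerts.
CREATE USER 'snort_ro'@'localhost'
    IDENTIFIED BY 'REPLACE_WITH_ANOTHER_RANDOM_PASSWORD';
GRANT SELECT ON snort.* TO 'snort_ro'@'localhost';

-- Check 1: each account should list only USAGE plus its snort.* grant.
SHOW GRANTS FOR 'snort'@'localhost';
SHOW GRANTS FOR 'snort_ro'@'localhost';

-- Check 2: no global privileges leaked onto either account
-- (every *_priv column in the result should read 'N').
SELECT user, host, Select_priv, Insert_priv, Grant_priv, Super_priv
FROM mysql.user
WHERE user IN ('snort', 'snort_ro');
```

With this in place, a compromise of the Snort process exposes only the alert data, not every database on the server.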

To start snort you need to confirm you have setup your database by typing:

sudo rm /etc/snort/db-pending-config

and start the Snort server

sudo /etc/init.d/snort status

Now if you want to see what attempted hacks have taken place, simply type:

echo "select * from signature;" | mysql -u root -p snort

This will show which attack signatures have been triggered.
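
The signature table alone does not say how often, when, or between which hosts a signature fired. The queries below are an added example, not part of the original tutorial, and assume the standard table and column names of the Snort schema loaded from create_mysql.gz earlier (event, signature, iphdr); run them from the MySQL console opened on the snort database.

```sql
-- Added example: alert triage queries against the snort database.
-- Table and column names are assumed from the stock Snort MySQL schema.
USE snort;

-- 1) Which signatures fired, how often, and over what time span.
--    event.signature is a foreign key to signature.sig_id.
SELECT s.sig_sid                AS rule_sid,
       s.sig_name               AS signature,
       s.sig_priority           AS priority,
       COUNT(*)                 AS hits,
       MIN(e.timestamp)         AS first_seen,
       MAX(e.timestamp)         AS last_seen
FROM event e
JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_id, s.sig_sid, s.sig_name, s.sig_priority
ORDER BY hits DESC;

-- 2) The 20 most recent alerts with source and destination addresses.
--    iphdr stores addresses as unsigned integers, hence INET_NTOA().
--    LEFT JOIN keeps alerts that have no IP header row (non-IP events).
SELECT e.timestamp,
       INET_NTOA(ip.ip_src)     AS src,
       INET_NTOA(ip.ip_dst)     AS dst,
       s.sig_name               AS signature
FROM event e
JOIN signature s  ON s.sig_id = e.signature
LEFT JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
ORDER BY e.timestamp DESC
LIMIT 20;

-- 3) Noisiest source addresses in the last 24 hours, useful for
--    spotting scans or tuning out a false-positive source.
SELECT INET_NTOA(ip.ip_src)     AS src,
       COUNT(*)                 AS alerts,
       COUNT(DISTINCT e.signature) AS distinct_signatures
FROM event e
JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
WHERE e.timestamp >= NOW() - INTERVAL 1 DAY
GROUP BY ip.ip_src
ORDER BY alerts DESC
LIMIT 10;
```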
