在Windows环境下搭建Snort+BASE入侵检测系统

小程序：扫一扫查出行
【扫一扫了解最新限行尾号】
复制小程序

操作系统： Windows 7 (service pack 1)
所需软件：
- 虚拟机：VirtualBox
- 网络数据包截取驱动程序：WinPcap 4.1.3 (WinPcap_4_1_3.exe)
- Windows版本的Snort安装包：Snort 2.8.6 for Win32 (Snort_2_8_6_Installer.exe)
- 官方认证Snort规则库：snortrules-snapshot-2860.tar.gz
- 数据库组件及分析平台：AppServ 8.6.0 (appserv-win32-8.6.0.exe)
- WEB前端：Basic Analysis and Security Engine 1.4.5 (base-1.4.5.tar.gz)

由于我们建立的是测试环境，所有的组件安装都在一台机器上完成。

安装前的准备

安装虚拟机virtualbox，过程比较简单，此处略过。
导入虚拟电脑

打开virtualbox，点击左上角管理，然后选择导入虚拟电脑

选择需要导入的虚拟电脑文件进行导入

最好重新初始化网卡地址

部署过程

WinPcap安装过程非常简单，此处略过。

Snort的安装和配置

snort软件安装包

点击同意进到下一步

默认就好，点击next

点击Next

默认安装到c盘，此处我们不需要改变，点击Next

安装完成，点击close

提示snort安装成功

安装规则包

安装规则包之前，rules目录是空的

如果出现是否合并文件夹，一律选是

选择是

安装规则包之后的snort根目录结构

用编辑器打开配置文件snort.conf

按图修改，或者拷贝下面内容把相应行覆盖

var RULE_PATH c:\snort\rules var SO_RULE_PATH c:\snort\so_rules var PREPROC_RULE_PATH c:\snort\preproc_rules

按图修改，或者拷贝下面内容把相应行覆盖

# path to dynamic preprocessor libraries dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor# path to base preprocessor engine dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll

按图修改，或者拷贝下面内容把相应行覆盖

preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252

按图修改，或者拷贝下面内容把相应行覆盖

output database: alert, mysql, user=snort password=snort dbname=snortdb host=localhost

按图修改，或者拷贝下面内容把相应行覆盖

include $RULE_PATH/snmp.rules include $RULE_PATH/icmp.rules include $RULE_PATH/tftp.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/policy.rules include $RULE_PATH/info.rules include $RULE_PATH/icmp-info.rules include $RULE_PATH/virus.rules include $RULE_PATH/chat.rules include $RULE_PATH/multimedia.rules include $RULE_PATH/p2p.rules include $RULE_PATH/spyware-put.rules include $RULE_PATH/specific-threats.rules include $RULE_PATH/voip.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/bad-traffic.rules# decoder and preprocessor event rules include $PREPROC_RULE_PATH/preprocessor.rules include $PREPROC_RULE_PATH/decoder.rules# dynamic library rules include $SO_RULE_PATH/bad-traffic.rules include $SO_RULE_PATH/chat.rules include $SO_RULE_PATH/dos.rules include $SO_RULE_PATH/exploit.rules include $SO_RULE_PATH/imap.rules include $SO_RULE_PATH/misc.rules include $SO_RULE_PATH/multimedia.rules include $SO_RULE_PATH/netbios.rules include $SO_RULE_PATH/nntp.rules include $SO_RULE_PATH/p2p.rules include $SO_RULE_PATH/smtp.rules include $SO_RULE_PATH/sql.rules include $SO_RULE_PATH/web-activex.rules include $SO_RULE_PATH/web-client.rules include $SO_RULE_PATH/web-misc.rules

AppServ安装和配置

AppServ安装包

点Next

点I Agree

默认安装到C盘，不需要改，点Next

全部选上，点Next

点确定

勾上I agree...，然后点Install

安装成功，点close

默认就好，不需要改变，点Next

设置八位数密码，字符集默认就好，点Install

点Finish

如果弹出安全警报，则点允许访问

此时，打开firefox浏览器，在地址栏输入localhost应该能够看到图中信息，如果不能显示图中信息，则表明AppServ安装有问题，或者没有运行Appche服务

在MySql中创建snortdb和snortarc，以及所需数据表

打开cmd，按照截图所示，以root用户连接到mysql，下面命令都是在mysql输入，注意两个source命令后面没有分号

mysql> create database snortdb;mysql> create database snortarc;mysql> use snortdb;mysql> source c:\snort\schemas\create_mysqlmysql> use snortarc;mysql> source c:\snort\schemas\create_mysqlmysql> grant usage on *.* to "snort"@"localhost" identified by "snort";mysql> grant select,insert,update,delete,create,alter on snortdb .* to "snort"@"localhost";mysql> grant select,insert,update,delete,create,alter on snortarc .* to "snort"@"localhost";mysql> set password for "snort"@"localhost"=password('snort');