snort+base搭建IDS入侵检测系统(2)

5.[root@localhost CentOS6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm //安装snort包时出现依赖关系错误
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
        libpcap >= 0.4 is needed by snort-2.8.5.1-1.fc13.i686
        libpcap.so.1 is needed by snort-2.8.5.1-1.fc13.i686
        libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686


[root@localhost centos6]# rpm -q libpcap//查询libpcap没装
package libpcap is not installed


[root@localhost centos6]# yum -y install libpcap//安装libpcap包

[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm//再次安装snort，仍缺少两个依赖
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
        libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686

[root@localhost centos6]# yum -y install libgnutls26//安装libgnutls26包
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: centos.ustc.edu.cn
 * extras: centos.ustc.edu.cn
 * updates: centos.ustc.edu.cn
Setting up Install Process
No package libgnutls26 available.
Error: Nothing to do


[root@localhost centos6]# yum -y install gnutls//安装gnutls包
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.ustc.edu.cn
 * extras: centos.ustc.edu.cn
 * updates: centos.ustc.edu.cn
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package gnutls.i686 0:2.8.5-4.el6_2.2 set to be updated
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3) for package: gnutls-2.8.5-4.el6_2.2.i686
--> Processing Dependency: libtasn1.so.3 for package: gnutls-2.8.5-4.el6_2.2.i686
--> Running transaction check
---> Package libtasn1.i686 0:2.3-3.el6_2.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch          Version                    Repository     Size
================================================================================
Installing:
 gnutls            i686          2.8.5-4.el6_2.2            base          336 k
Installing for dependencies:
 libtasn1          i686          2.3-3.el6_2.1              base          239 k

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       0 Package(s)

Total download size: 575 k
Installed size: 1.4 M
Downloading Packages:
(1/2): gnutls-2.8.5-4.el6_2.2.i686.rpm                   | 336 kB     00:00    
(2/2): libtasn1-2.3-3.el6_2.1.i686.rpm                   | 239 kB     00:00    
--------------------------------------------------------------------------------
Total                                           1.7 MB/s | 575 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing     : libtasn1-2.3-3.el6_2.1.i686                              1/2
  Installing     : gnutls-2.8.5-4.el6_2.2.i686                              2/2

Installed:
  gnutls.i686 0:2.8.5-4.el6_2.2                                               

Dependency Installed:
  libtasn1.i686 0:2.3-3.el6_2.1                                               

Complete!//完成安装。

[root@localhost centos6]# ls//显示当前目录
                                     libprelude-1.0.0-3.fc13.i686.rpm
adodb517.zip                         snort-2.8.5.1-1.fc13.i686.rpm
base-1.4.5.tar.gz                    snortcenter-v1.0-RC1.tar.gz
daq-1.1.1_rc-1.RHEL6.i386.rpm        snortrules-snapshot-2.8.tar.gz
libprelude-0.9.24.1-2.fc12.i686.rpm


[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm//安装snort出现依赖
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686
[root@localhost centos6]# rpm -ivh libprelude-1.0.0-3.fc13.i686.rpm //安装依赖包
warning: libprelude-1.0.0-3.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
Preparing...                ########################################### [100%]
   1:libprelude             ########################################### [100%]

[root@localhost centos6]# ls//查看当前目录
adodb4992.tgz                  libprelude-1.0.0-3.fc13.i686.rpm
adodb517.zip                   snort-2.8.5.1-1.fc13.i686.rpm
base-1.4.5.tar.gz              snortcenter-v1.0-RC1.tar.gz
daq-1.1.1_rc-1.RHEL6.i386.rpm  snortrules-snapshot-2.8.tar.gz

[root@localhost centos6]# rpm -ivh daq-1.1.1_rc-1.RHEL6.i386.rpm  //安装daq包

[root@localhost centos6]# rpm -ivh snort-mysql-2.8.5.1-1.fc13.i686.rpm //安装snort-mysql软件包以支持mysql数据库；否则在/etc/snort/snort.conf中配置output database参数后，执行snort -c /etc/snort/snort.conf启动时会报如下错误

database: 'mysql' support is not compiled into this build of snort

ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm,
or Windows), then check for alternate builds that contains the necessary
'mysql' support.

If this build of snort was compiled by you, then re-run the
the ./configure script using the '--with-mysql' switch.
For non-standard installations of a database, the '--with-mysql=DIR'
syntax may need to be used to specify the base directory of the DB install.

See the database documentation for cursory details (doc/README.database).
and the URL to the most recent database plugin documentation.
Fatal Error, Quitting..

[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm //最后成功安装snort
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
Preparing...                ########################################### [100%]
   1:snort                  ########################################### [100%]

[root@localhost centos6]# cp -rf snortrules-snapshot-2.8.tar.gz /etc/snort/rules //拷贝snortrules到/etc/snort/rules目录下
 
[root@localhost centos6]# cd /etc/snort/rules //切换到/etc/snort/rules目录

[root@localhost rules]# tar -zxvf snortrules-snapshot-2.8.tar.gz //解压tar.gz包。如果snort启动不了，把解压出的rules拷贝到/etc/rules目录里。

[root@localhost snort]# service snortd start//启动snortd服务失败
Starting snort:                                            [FAILED]


[root@localhost ~]# cat /var/log/messages //查看messages错误


Jul 14 02:47:53 localhost snort[2351]:     Ports:
Jul 14 02:47:53 localhost snort[2351]: #01122
Jul 14 02:47:53 localhost snort[2351]:
Jul 14 02:47:53 localhost snort[2351]: FATAL ERROR: /etc/snort/snort.conf(616) Unknown preprocessor: "dcerpc2".//根据提示的错误，在snort.conf文件中把dcerpc2相关行注释掉

# DCE/RPC 2 //注释掉下面两行dcerpc2 preprocessor配置。
#----------------------------------------
# See doc/README.dcerpc2 for explanations of what the
# preprocessor does and how to configure it.
#
#preprocessor dcerpc2
#preprocessor dcerpc2_server: default


[root@localhost ~]# service snortd start//最后启动成功
Starting snort:                                            [  OK  ]

[root@localhost ~]# snort -V//查看snort版本提示成功。

,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.1 (Build 114) 
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

[root@localhost ~]# service snortd restart//重启成功
Stopping snort:                                            [  OK  ]
Starting snort:                                            [  OK  ]
[root@localhost ~]# service snortd status//查看snortd服务状态。
snort (pid 1677) is running...


[root@localhost centos6]# yum -y install mysql mysql-server httpd php php-mysql php-gd//安装mysql httpd php,如果不安装php-mysql会出现500内部服务器错误。


[root@localhost centos6]# mysqladmin -uroot password 123456//用mysqladmin把mysql的root密码设置为123456


[root@localhost centos6]# cp -rf adodb517.zip base-1.4.5.tar.gz /var/www/html//拷贝adodb和base到/var/www/html目录下

[root@localhost centos6]# cd /var/www/html//切换到/var/www/html目录下

[root@localhost html]# ls//查看目录内容
adodb517.zip  base-1.4.5.tar.gz

[root@localhost html]# unzip adodb517.zip |tar -zxvf base-1.4.5.tar.gz //解压adodb和base包

[root@localhost html]# rm -rf adodb517.zip base-1.4.5.tar.gz //删除包

[root@localhost html]# ls//显示当前目录
adodb5  base-1.4.5
[root@localhost html]# mv adodb5 adodb//修改名字为adodb

[root@localhost html]# cp -rf base-1.4.5/* . //拷贝base目录所有内容到当前目录

[root@localhost html]# rm -rf base-1.4.5/  //删除base-1.4.5文件夹。

[root@localhost html]# rpm -ql snort//列出snort rpm包安装的文件，找到建库脚本的路径。

/usr/share/doc/snort-2.8.5.1/create_mysql//创建mysql数据库的脚本文件create_mysql。

[root@localhost centos6]# mysql -uroot -p123456//进入mysql（密码直接写在-p后面会留在shell历史和进程列表中，也可以只写-p，按提示输入密码）

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.61 Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;//查看当前数据库
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
3rows in set (0.00 sec)

mysql> create database snort;//创建snort数据库
mysql> create database snortarchive;//创建归档数据库。
Query OK, 1 row affected (0.00 sec)

mysql> use snort//进入snort数据库
Database changed
mysql> source /usr/share/doc/snort-2.8.5.1/create_mysql//创建数据库成功如下

Query OK, 0 rows affected (0.00 sec)
......

Query OK, 1 row affected (0.00 sec)//导入成功提示


mysql>grant all privileges on snort.* to snort@'localhost' identified by "snort";//给snort授权。

mysql> use snortarchive;//切换到snortarchive数据库，再次导入建库脚本。
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> source /usr/share/doc/snort-2.8.5.1/create_mysql
//导入数据库。
