Help! Snort server configuration! Experts, please take a look!!
Hi everyone! I'm new to Linux and need this for a course project. I'm setting up a Snort system on Red Hat Linux 9.0, using PHP-5.2.6.tar.gz + httpd-2.2.10.tar.gz + mysql-5.0.22.tar.gz + libpcap-0.7.2 + jpgraph-2.3.3.tar.gz + acid-0.9.6b23.tar.gz + adodb4991.gz + snort-2.8.0.1.tar.gz. Everything up to that point configured without problems! But when I entered the following commands:
tar zxvf snort-2.8.0.1.tar.gz
cd snort-2.8.0.1
./configure --with-mysql=/usr/local/mysql
make && make install
mkdir /etc/snort
mkdir /var/log/snort
cd ../etc
cp * /etc/snort
vi /etc/snort/snort.conf
Change var HOME_NET to your own internal network, e.g. 192.168.0.0/24
Change var DNS_SERVERS to your own DNS server address
Change var RULE_PATH to /etc/snort/rules # the downloaded rules will be unpacked here later
Change "# output database: log, mysql, user=root password=test dbname=db host=localhost" to "output database: log, mysql, user=root password=123456 dbname=snort host=localhost", using your own password, and remove the leading #.
Remove the leading # from these lines:
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
After editing, save and exit.
Then download the rules package from http://www.snort.org and copy it into /etc/snort/rules.
Once that is done, create the database in MySQL:
#########
mysql -u root -p
create database snort;
grant INSERT,SELECT,DELETE on root.* to snort@localhost;
Then go into the schemas directory under the snort source directory (in older versions it is the contrib directory):
mysql -u root -p123456 snort < ./create_mysql
After that you need the file snortdb-extra.gz. Supposedly older snort releases ship it, but the version I downloaded doesn't... I had to find one online. Sigh...
zcat snortdb-extra.gz | mysql -u root -p123456 snort
Wait a moment and, barring surprises, it should be fine...
Then you can go into the database to confirm: run show databases; and yes, it worked.
Next, install and configure ACID.
Put acid-0.9.6b23.tar.gz, adodb330.tgz and jpgraph-1.11.tar.gz in the web root. After unpacking all of them, edit ACID's configuration file.
##################
vi acid_conf.php
Change "$DBlib_path = "";" to "$DBlib_path = "/usr/local/apache/htdocs/adodb";"
$alert_dbname = "snort_log"; // change to snort
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "mypassword"; // change to your database password
/* Archive DB connection parameters */
$archive_dbname = "snort_archive"; // change to snort
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "mypassword"; // change to your database password
Change "$ChartLib_path = "";" to "$ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";"
#################################
After editing, save and exit.
Finally start snort: snort -c /etc/snort/snort.conf -D
Open a browser, go to http://yourhost/acid/acid_main.php, click the "Setup Page" link -> Create Acid AG
Visit http://yourhost/acid and you will see the ACID interface.
But after I finished all of this and entered my address http://210.43.2.242/acid/acid_main.php, what appeared was not the graphical interface with a "Setup Page" link -> Create for me to click, but a page that looked like a license statement instead.
《Solution》
The exact page that appeared is below:
<?php
/*
** Copyright (C) 2000 Carnegie Mellon University
**
** Author: Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
/*
* Analysis Console for Incident Databases (ACID) by Roman Danyliw
*
* This application was developed at the CERT Coordination Center as a part
* of the AIRCERT project.
*
* See http://www.cert.org/kb/acid for the most up to date
* information and documentation about this application.
*
* Purpose:
*
* ACID is an PHP-based analysis engine to search and process
* a database of security incidents generated by the NIDS Snort.
*
* Configuration:
*
* See the 'README' file, and 'acid.conf'
*
*/
?>
<?php
$start = time();
include("acid_conf.php");
include("acid_include.inc");
include_once("acid_common.php");
include_once("acid_stat_common.php");
include_once("acid_db_common.php");
RegisterGlobalState();
//InitGlobalState();
/* Initialize the history */
$HTTP_SESSION_VARS = NULL;
InitArray($HTTP_SESSION_VARS['back_list'], 1, 3, "");
$HTTP_SESSION_VARS['back_list_cnt'] = 0;
PushHistory();
?>
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<!-- Analysis Console for Incident Databases (ACID) <?php echo $ACID_VERSION; ?> -->
<HTML>
<HEAD>
<META name="Author" content="Roman Danyliw">
<META HTTP-EQUIV="pragma" CONTENT="no-cache">
<?php
PrintFreshPage($refresh_stat_page, $stat_page_refresh_time);
?>
<TITLE>Analysis Console for Intrusion Databases (ACID) </TITLE>
<LINK rel="stylesheet" type="text/css" href="acid_style.css">
</HEAD>
<BODY>
<TABLE WIDTH="100%" BORDER=0 CELLSPACING=0 CELLPADDING=5>
<TR>
<TD class="mainheader">   </TD>
<TD class="mainheadertitle">
<U>A</U>nalysis <U>C</U>onsole for <U>I</U>ntrusion <U>D</U>atabases
</TD>
</TR>
</TABLE>
<P><P>
<?php
if ( $debug_mode == 1 )
PrintPageHeader();
/* Check that PHP was built correctly */
$tmp_str = verify_php_build($DBtype);
if ( $tmp_str != "")
{
echo $tmp_str;
die();
}
/* Connect to the Alert database */
$db = NewACIDDBConnection($DBlib_path, $DBtype);
$db->acidDBConnect($db_connect_method,
$alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
/* Check that the DB schema is recent */
$tmp_str = verify_db($db, $alert_dbname, $alert_host);
if ( $tmp_str != "")
{
echo $tmp_str;
die();
}
if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
printf("<B>Queried on </B><FONT> : %s<BR>",date("D F d, Y H:i:s",time()));
printf("<B>Database:</B> %s (<B>schema version:</B> %d) \n<BR>\n",
($alert_dbname.'@'.$alert_host. ($alert_port != "" ? ':'.$alert_port : "") ),
$db->acidGetDBVersion() );
StartStopTime($start_time, $end_time, $db);
if ( $start_time != "" )
printf("<B>Time window:</B> [%s] - [%s]\n<P>\n", $start_time, $end_time);
else
printf("<B>Time window:</B> <I>no alerts detected</I>\n");
echo '<TABLE BORDER=1 WIDTH="100%">
<TR>
<TD WIDTH="30%" VALIGN=TOP>';
PrintGeneralStats($db, 0, $main_page_detail, "", "", true);
echo ' </TD>
<TD WIDTH="70%" VALIGN=TOP>
<B>Traffic Profile by Protocol</B>';
PrintProtocolProfileGraphs($db);
echo ' </TD>
</TR>
</TABLE>';
?>
<P>
<LI><B><A HREF="acid_qry_main.php?new=1">Search</A></B>
<LI><B><A HREF="acid_graph_main.php">Graph Alert data</A></B>
<P>
<LI><B>Snapshot</B>
<?php
$tmp_month = date("m");
$tmp_day = date("d");
$tmp_year = date("Y");
$today = '&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3D'.
'&time%5B0%5D%5B2%5D='.$tmp_month.
'&time%5B0%5D%5B3%5D='.$tmp_day.
'&time%5B0%5D%5B4%5D='.$tmp_year.
'&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D='.
'&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+';
$yesterday_year = date("Y", time()-86400);
$yesterday_month = date("m", time()-86400);
$yesterday_day = date ("d", time()-86400);
$yesterday_hour = date ("H", time()-86400);
$yesterday = '&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D'.
'&time%5B0%5D%5B2%5D='.$yesterday_month.
'&time%5B0%5D%5B3%5D='.$yesterday_day.
'&time%5B0%5D%5B4%5D='.$yesterday_year.
'&time%5B0%5D%5B5%5D='.$yesterday_hour.
'&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D='.
'&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+';
$last72_year = date("Y", time()-86400*3);
$last72_month = date("m", time()-86400*3);
$last72_day = date ("d", time()-86400*3);
$last72_hour = date ("H", time()-86400*3);
$last72 = '&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D'.
'&time%5B0%5D%5B2%5D='.$last72_month.
'&time%5B0%5D%5B3%5D='.$last72_day.
'&time%5B0%5D%5B4%5D='.$last72_year.
'&time%5B0%5D%5B5%5D='.$last72_hour.
'&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D='.
'&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+';
$tmp_24hour = 'acid_qry_main.php?new=1'.$yesterday.'&submit=Query+DB&num_result_rows=-1&time_cnt=1';
$tmp_24hour_unique = 'acid_stat_alerts.php?time_cnt=1'.$yesterday;
$tmp_24hour_sip = 'acid_stat_uaddr.php?addr_type=1&sort_order=occur_d&time_cnt=1'.$yesterday;
$tmp_24hour_dip = 'acid_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1'.$yesterday;
$tmp_72hour = 'acid_qry_main.php?new=1'.$last72.'&submit=Query+DB&num_result_rows=-1&time_cnt=1';
$tmp_72hour_unique = 'acid_stat_alerts.php?time_cnt=1'.$last72;
$tmp_72hour_sip = 'acid_stat_uaddr.php?addr_type=1&sort_order=occur_d&time_cnt=1'.$last72;
$tmp_72hour_dip = 'acid_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1'.$last72;
$tmp_today = 'acid_qry_main.php?new=1'.$today.'&submit=Query+DB&num_result_rows=-1&time_cnt=1';
$tmp_today_unique = 'acid_stat_alerts.php?time_cnt=1'.$today;
$tmp_sip = 'acid_stat_uaddr.php?addr_type=1&sort_order=occur_d&time_cnt=1'.$today;
$tmp_dip = 'acid_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1'.$today;
echo '
<TABLE WIDTH="100%" BORDER=0>
<TR>
<TD WIDTH="45%" VALIGN=TOP>
<BLOCKQUOTE>
<LI>Most recent <?php echo $last_num_alerts; ?> Alerts:
<A HREF="acid_qry_main.php?new=1&caller=last_any&num_result_rows=-1&submit=Last%20Any">any protocol</A>,
<A HREF="acid_qry_main.php?new=1&layer4=TCP&caller=last_tcp&num_result_rows=-1&submit=Last%20TCP">TCP</A>,
<A HREF="acid_qry_main.php?new=1&layer4=UDP&caller=last_udp&num_result_rows=-1&submit=Last%20UDP">UDP</A>,
<A HREF="acid_qry_main.php?new=1&layer4=ICMP&caller=last_icmp&num_result_rows=-1&submit=Last%20ICMP">ICMP</A>
<LI>Today\'s: alerts <A HREF="'.$tmp_today_unique.'">unique</A>,
<A HREF="'.$tmp_today.'">listing</A>;
IP <A HREF="'.$tmp_sip.'">src</A> / <A HREF="'.$tmp_dip.'">dst</A>
<LI>Last 24 Hours: alerts <A HREF="'.$tmp_24hour_unique.'">unique</A>,
<A HREF="'.$tmp_24hour.'">listing</A>;
IP <A HREF="'.$tmp_24hour_sip.'">src</A> / <A HREF="'.$tmp_24hour_dip.'">dst</A>
<LI>Last 72 Hours: alerts <A HREF="'.$tmp_72hour_unique.'">unique</A>,
<A HREF="'.$tmp_72hour.'">listing</A>;
IP <A HREF="'.$tmp_72hour_sip.'">src</A> / <A HREF="'.$tmp_72hour_dip.'">dst</A>';
?>
<LI>Most <A HREF="acid_stat_alerts.php?caller=last_alerts&sort_order=last_d">
recent <?php echo $last_num_ualerts; ?> Unique Alerts</A>
<P>
<LI>Last Source Ports:
<A HREF="acid_stat_ports.php?caller=last_ports&port_type=1&proto=-1&sort_order=last_d">
any
</A>,
<A HREF="acid_stat_ports.php?caller=last_ports&port_type=1&proto=6&sort_order=last_d">
TCP
</A>,
<A HREF="acid_stat_ports.php?caller=last_ports&port_type=1&proto=17&sort_order=last_d">
UDP
</A>
<LI>Last Destination Ports:
<A HREF="acid_stat_ports.php?caller=last_ports&port_type=2&proto=-1&sort_order=last_d">
any
</A>,
<A HREF="acid_stat_ports.php?caller=last_ports&port_type=2&proto=6&sort_order=last_d">
TCP
</A>,
<A HREF="acid_stat_ports.php?caller=last_ports&port_type=2&proto=17&sort_order=last_d">
UDP
</A>
<!-- <P>
<LI>Last IP addresses:
<A HREF="acid_stat_uaddr.php?caller=last_addr&addr_type=1&sort_order=last_d">source</A>
<A HREF="acid_stat_uaddr.php?caller=last_addr&addr_type=2&sort_order=last_d">destination</A>
-->
</BLOCKQUOTE>
</TD>
<TD WIDTH="45%" VALIGN=TOP>
<LI>Most <A HREF="acid_stat_alerts.php?caller=most_frequent&sort_order=occur_d">
frequent <?php echo $freq_num_alerts; ?> Alerts</A>
<P>
<LI>Most Frequent Source Ports:
<A HREF="acid_stat_ports.php?caller=most_frequent&port_type=1&proto=-1&sort_order=occur_d">
any
</A>,
<A HREF="acid_stat_ports.php?caller=most_frequent&port_type=1&proto=6&sort_order=occur_d">
TCP
</A>,
<A HREF="acid_stat_ports.php?caller=most_frequent&port_type=1&proto=17&sort_order=occur_d">
UDP
</A>
<LI>Most Frequent Destination Ports:
<A HREF="acid_stat_ports.php?caller=most_frequent&port_type=2&proto=-1&sort_order=occur_d">
any
</A>,
<A HREF="acid_stat_ports.php?caller=most_frequent&port_type=2&proto=6&sort_order=occur_d">
TCP
</A>,
<A HREF="acid_stat_ports.php?caller=most_frequent&port_type=2&proto=17&sort_order=occur_d">
UDP
</A>
<P>
<LI>Most frequent <?php echo $freq_num_uaddr; ?> addresses:
<A HREF="acid_stat_uaddr.php?caller=most_frequent&addr_type=1&sort_order=occur_d">source</A>,
<A HREF="acid_stat_uaddr.php?caller=most_frequent&addr_type=2&sort_order=occur_d">destination</A>
</TD>
<TD></TD>
</TR>
</TABLE>
<P>
<LI><FONT>Graph alert </FONT><A HREF="acid_stat_time.php">detection time</A>
</UL>
<FONT>
<P>
<LI><B>Alert Group (AG) <A HREF="acid_ag_main.php?ag_action=list">maintenance</A></B>
<LI><B>Application <A HREF="acid_maintenance.php">cache and status</A></B>
</FONT>
<?php
$stop = time();
if ( $debug_time_mode > 0 )
echo "<H3></H3>";
?>
<P>
<TABLE WIDTH="100%" BORDER=0 CELLSPACING=0 CELLPADDING=5>
<TR>
<TD class="mainheader">
<?php
include("acid_footer.html");
?>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
What is going on here?? Is it installed or not? If not, where could the problem be??? Experts, please help!!
《Solution》
Your PHP module isn't installed properly.
《Solution》
Oh! So does that mean I have to reinstall PHP???
《Solution》
But I'm afraid that if I touch anything, everything will break!!
《Solution》
Test with an index.php first.
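The snort.conf edits above (HOME_NET, DNS_SERVERS, RULE_PATH, the MySQL output line and the commented-out include lines) are easy to get half-done by hand. The script below is an added example, not code from the thread or from the Snort project: it applies the same edits with sed and then verifies them. The sample config, the paths and the low-privilege `snort` database user in the output line (instead of root) are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: apply the snort.conf edits described in
# the post with sed, then verify them. The sample config, the paths and the
# low-privilege "snort" database user are constructed assumptions.

# Write a constructed snort.conf fragment containing the lines the post edits.
make_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/experimental.rules
EOF
}

# Apply one sed expression (arg 2) to a file (arg 1) in place; no sed -i, so it
# behaves the same on GNU and BSD sed.
edit_in_place() {
    sed -e "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Args: conf home_net dns_servers rule_path db_user db_pass db_name
# Values must not contain '|', '&' or '\' (sed replacement metacharacters).
configure_snort_conf() {
    f=$1
    edit_in_place "$f" "s|^var HOME_NET .*|var HOME_NET $2|"
    edit_in_place "$f" "s|^var DNS_SERVERS .*|var DNS_SERVERS $3|"
    edit_in_place "$f" "s|^var RULE_PATH .*|var RULE_PATH $4|"
    edit_in_place "$f" "s|^# *output database: log, mysql,.*|output database: log, mysql, user=$5 password=$6 dbname=$7 host=localhost|"
    # Uncomment only the rule files the post lists; any other line stays as is.
    for r in web-attacks backdoor shellcode policy porn info icmp-info chat multimedia p2p; do
        edit_in_place "$f" "s|^# *include [$]RULE_PATH/$r\.rules\$|include \$RULE_PATH/$r.rules|"
    done
}

# Number of rule files currently enabled (uncommented include lines).
count_enabled_includes() {
    grep -c '^include [$]RULE_PATH/' "$1"
}

# Return 0 when the key settings are in place, 1 (with a reason) otherwise.
verify_snort_conf() {
    f=$1
    grep -q "^var HOME_NET $2\$" "$f" || { echo "HOME_NET not set"; return 1; }
    grep -q "^var RULE_PATH $3\$" "$f" || { echo "RULE_PATH not set"; return 1; }
    grep -q '^output database: log, mysql,' "$f" || { echo "mysql output still commented out"; return 1; }
    [ "$(count_enabled_includes "$f")" -gt 0 ] || { echo "no rule files enabled"; return 1; }
    return 0
}

conf="${TMPDIR:-/tmp}/snort.conf.example"
make_sample_conf "$conf"
configure_snort_conf "$conf" 192.168.0.0/24 192.168.0.1 /etc/snort/rules snort CHANGE_ME snort
verify_snort_conf "$conf" 192.168.0.0/24 /etc/snort/rules && echo "ok: $(count_enabled_includes "$conf") rule files enabled"
```

On the sample config this enables the 10 listed rule files plus virus.rules (11 in total) and leaves the unrelated experimental.rules commented out, which is the check worth running after a hand edit: a stray `#` on the output line means snort starts fine but ACID never sees an alert.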
<?php
phpinfo();
?>
《Solution》
I entered http://210.43.2.242/index.php
The page displays exactly <?php
phpinfo();
?>. That's normal, right?
《Solution》
Reply to ly_lee's post #7
That proves your web server cannot invoke PHP. Go back and carefully check the steps you followed when installing PHP.
《Solution》
I reinstalled httpd-2.2.10 once more: root@weiming root]# cd /usr/local/src
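The phpinfo() test above is the right check, and it can be scripted. The following is an added example, not code from the thread or from the Apache or PHP projects: one function decides whether a response body was actually executed by PHP or still contains a raw `<?php` tag, and another checks an httpd.conf for the two lines mod_php needs (the `LoadModule php5_module` line that PHP's `make install` appends, and the `AddType application/x-httpd-php .php` mapping). The config fragments and the two response bodies are constructed for the demo. The reason this matters beyond a broken dashboard: a server that returns .php files as text will also hand out acid_conf.php, which holds the database user and password configured earlier in the thread, to anyone who requests it.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the symptom described
# here, a .php page that comes back as raw source. The httpd.conf fragments and
# the two response bodies below are constructed for the demo.

# Return 0 if the body was produced by PHP, 1 if it still contains a raw
# "<?php" opening tag (the server sent the file instead of running it).
php_was_executed() {
    case $1 in
        *'<?php'*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Live variant for a running server (not called in this demo): fetch a URL
# with curl and apply the same test to whatever comes back.
probe_url() {
    php_was_executed "$(curl -s "$1")"
}

# Return 0 when httpd.conf (arg 1) both loads mod_php and maps .php to the PHP
# handler; otherwise print what is missing and return 1.
check_php_wiring() {
    f=$1; rc=0
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+php[0-9]*_module' "$f" \
        || { echo "missing: LoadModule php5_module modules/libphp5.so"; rc=1; }
    grep -Eq '^[[:space:]]*AddType[[:space:]]+application/x-httpd-php[[:space:]]+\.php' "$f" \
        || { echo "missing: AddType application/x-httpd-php .php"; rc=1; }
    return $rc
}

# Constructed config fragments: one wired for PHP, one as a bare httpd build.
good="${TMPDIR:-/tmp}/httpd.good.conf"
bad="${TMPDIR:-/tmp}/httpd.bad.conf"
cat > "$good" <<'EOF'
Listen 80
LoadModule php5_module modules/libphp5.so
AddType application/x-httpd-php .php
DirectoryIndex index.html index.php
EOF
cat > "$bad" <<'EOF'
Listen 80
DirectoryIndex index.html
EOF

# Constructed responses: what the poster saw, and what a working server sends.
raw_body='<?php
phpinfo();
?>'
rendered_body='<html><head><title>phpinfo()</title></head><body>PHP Version 5.2.6</body></html>'

for f in "$good" "$bad"; do
    if check_php_wiring "$f"; then echo "$f: PHP handler wired"; else echo "$f: PHP not wired"; fi
done
if php_was_executed "$raw_body"; then echo "raw body: executed"; else echo "raw body: source leaked"; fi
if php_was_executed "$rendered_body"; then echo "rendered body: executed"; fi
```

After fixing the wiring, `apachectl restart` is needed before the test turns green; a config edit alone changes nothing in the running server.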
# tar -zxvf httpd-2.0.55.tar.gz
# cd httpd-2.0.55
# ./configure --prefix=/usr/local/apache2 --enable-so --enable-rewrite
#make; make install
# /usr/local/apache2/bin/apachectl start
When I entered the last command it showed: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
But when I enter http://210.43.2.242 in the web browser it shows "It works!"
When I enter ]# /usr/local/apache2/bin/apachectl start
it shows: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs. What does that mean?? How do I fix it?
《Solution》
Reply to ly_lee's post #9
bind to 0.0.0.0:80?
Take a look at your Apache config; you probably haven't set the IP address settings correctly.
The problem in your first post should be that the PHP module isn't working, and I feel it is still an Apache configuration issue; reinstall it (not the operating system). Keep trying, heh.
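Error 98 from make_sock is EADDRINUSE: the kernel refused the bind because some process already owns 0.0.0.0:80, and the "It works!" page confirms that something is serving on that port. Before reinstalling anything it is worth knowing which process that is and what the new build's httpd.conf is asking for. The script below is an added example, not code from the thread or from the Apache project: it parses `netstat -tlnp` style output to name the listener on a port and lists the `Listen` directives of an httpd.conf. The netstat output and the config fragment are constructed for the demo; on a live host, pipe the real command's output in.

```shell
#!/bin/sh
# Added example, not from the thread: find which process already holds TCP port
# 80 when apachectl reports "(98)Address already in use", and list the Listen
# directives of an httpd.conf. The netstat output and the config below are
# constructed for the demo; on a live host feed in the real command's output.

# Read "netstat -tlnp" style output on stdin and print the PID/program of the
# listener on TCP port (arg 1). Returns 1 and prints nothing if the port is free.
listener_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")          # "0.0.0.0:80" or ":::80"
            if (a[n] == port) { print $NF; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# Print the port of each Listen directive in httpd.conf (arg 1), one per line,
# handling both "Listen 80" and "Listen 10.0.0.5:80".
listen_directives() {
    grep -E '^[[:space:]]*Listen[[:space:]]' "$1" | awk '{ n = split($2, a, ":"); print a[n] }'
}

# Constructed sample: a first Apache build (the one serving "It works!") already
# owns port 80, so a second instance cannot bind it.
sample_netstat='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      990/mysqld'

sample_conf="${TMPDIR:-/tmp}/httpd.listen.conf"
cat > "$sample_conf" <<'EOF'
ServerRoot "/usr/local/apache2"
Listen 80
EOF

for port in $(listen_directives "$sample_conf"); do
    if holder=$(printf '%s\n' "$sample_netstat" | listener_on_port "$port"); then
        echo "port $port already held by $holder: stop it or change Listen before starting a second httpd"
    else
        echo "port $port is free"
    fi
done
```

On the real machine replace the sample with `netstat -tlnp | listener_on_port 80` (run as root so the PID column is filled in). Two httpd builds fighting over one port also means two sets of config and log files, so whichever instance ends up serving ACID is the one whose httpd.conf needs the PHP module loaded.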