Manual do Snort

The Open Source Network Intrusion Detection System
Por Alex Rodrigues - alex(arroba)bsbnet.com e Paulo Sergio - pauloss@brfree.com.br

Atualizado em 27/02/2006 10:02

Links relativos ao Snort (Links about Snort)

Snort - www.snort.org
Apache - http://www.apache.org/
OpenSSL - http://www.openssl.org/
MOD SSL - http://www.modssl.org/
Acid - http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
Aanval Console - Snort IDS Console - http://www.aanval.com
MySql - http://www.mysql.com/ - http://mysql.mirror.anlx.net/Downloads/MySQL-3.23/
AdoDB - http://php.weblogs.com/adodb
PhPlot - http://www.phplot.com
SnortSnarf - http://www.silicondefense.com/software/snortsnarf/
GD - http://www.boutell.com/gd
WhiteHats - www.whitehats.com
PHP - http://www.php.net/
Perl - http://perl.apache.org
Demarc - www.demarc.org
Estatísticas do Snort - http://www.lug-burghausen.org/projects/index.html#snort-stat
WebMin - http://www.webmin.com/webmin/download.html
Snort WebMin Interface - http://msbnetworks.net/snort/
SnortReport - http://www.circuitsmaximus.com
JPGraph - www.aditus.nu/jpgraph
Scanners de vulnerabilidades
- Stealth Http Scanner - http://www.hideaway.net/Server_Security/Software/Stealth/stealth.html
- Languard - www.languard.com
- Nmap - http://www.insecure.org/nmap/
Cabo UTP para Sniffers - http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm
HogWash - http://hogwash.sourceforge.net
PHP MySQL Admin - http://www.phpmyadmin.net/index.php?dl=2
PHP Nuke:
- http://www.simcoweb.com/nuke/article.php?sid=7
- Web site powered by PHP-Nuke
Ntop - http://voxel.dl.sourceforge.net/sourceforge/ntop/ntop-3.0.tgz
Wireless
- Netstumbler - http://www.netstumbler.com/download.php?op=getit&lid=22
- Ferramentas: http://www.networkintrusion.co.uk/wireless.htm

1 - Instale o Red Hat 7.3 com a opção padrão, escolhendo server, sem módulos adicionais e sem regras de firewall.

2 - Download - Baixe todos esses arquivos para o diretório /tmp.

Programa Principal

Snort - http://www.snort.org/dl/snort-2.3.0RC1.tar.gz
Vision Snort Rules - http://www.whitehats.com/ids/vision18.conf.gz
Snort Rules - http://www.snort.org/dl/rules/snortrules-stable.tar.gz

Programas dependentes (dependents software and modules)

Gerenciadores do Snort

SnortReport - http://www.circuitsmaximus.com/snortreport/snortreport-1.11.tar.gz
SnortSnarf - http://www.snort.org/downloads/SnortSnarf-010821.1.tar.gz
Demarc - http://www.demarc.org/downloads/demarc-105/demarc-1.05-RC1.tar.gz
SnortSnarf - http://www.silicondefense.com/software/snortsnarf/SnortSnarf-010821.1.tar.gz

Analizadores de Tráfego

Ntop (RPM)http://umn.dl.sourceforge.net/sourceforge/ntop/ntop-3.2-0.src.rpm

3 - Instale o Mysql nesta ordem usando o package manager:

MySQL-3.23/MySQL-3.23.48-1.i386.rpm
MySQL-client-3.23.48-1.i386.rpm
MySQL-devel-3.23.48-1.i386.rpm
MySQL-shared-3.23.48-1.i386.rpm

4 - Instale o LIBPCAP

cd /tmp
tar xvfz libpcap-current.tar.gz
cd [diretório da libpcap]
./configure
make
make install

5 - Instale o Snort

cd /tmp
tar xvfz snort-2.0.0.tar.gz
mv snort-2.0.0 /usr/local/snort
cd /usr/local/snort
./configure --with-mysql=/usr
make
make install
mkdir /var/log/snort

6 - Prepare o mysql para trabalhar com o snort.

cd /usr/local/snort/schemas
service mysql start
mysql -u - root -p
create database snort;
grant insert, select on snort.* to snort@localhost identified by 'senha_do_snort';
grant insert, select, delete, update, create on snort.* to acid@localhost identified by 'senha_do_acid';
quit
mysql -u root -p snort < create_mysql

7 - Instale o apache e PHP4.

cd /tmp
tar xvfz apache_1.3.33.tar.gz
tar xvfz php-4.3.8.tar.gz
cd apache_1.3.33
./configure --prefix=/www
cd ../php-4.3.8
./configure --with-mysql --with-gd --with-apache=../apache_1.3.33 --enable-track-vars --with-zlib-dir
make
make install
cd ../apache_1.3.33
./configure --enable-module=so --activate-module=src/modules/php4/libphp4.a
make
make install
cd ../php-4.3.8
cp php.ini-dist /usr/local/lib/php.ini
Edite seu /usr/local/apache/conf/httpd.conf
1. AddType application/x-httpd-php .php

8 - Instale a Interface Acid

cd /tmp
tar xvfz acid-0.9.6b21.tar.gz
mv acid /usr/local/apache/htdocs/acid
tar xvfz phplot-4.4.6.tar.gz
mv phplot-4.4.6 /usr/local/apache/htdocs/
tar xvfz adodb140.tgz
mv adodb /usr/local/apache/htdocs
Edite o arquivo /usr/local/apache/htdocs/acid/config/acid_conf.php e altere as linhas $alert:
1. $alert_dbname = "snort";
2. $alert_host = "localhost";
3. $alert_port = "";
4. $alert_user = "acid";
5. $alert_password = "acid_senha";
/usr/local/apache/bin/apachectl start
Entre no endereço http://localhost/acid/acid_main.php e clique no link Setup Page para iniciar a configuração da base de dados. Na próxima página você verá um botão chamado CREATE ACID AG. Clique neste botão. Mostrando sucesso, clique no botão CREATE ACID AGE para continuar a criação dos índices e tabelas.

mysql -u root -p
revoke create on snort.* from acid@#localhost;

9 - Execute o snort

cd /usr/local/snort/src
./snort -dev -c ../etc/snort.conf
Entre no endereço http://localhost/acid/acid_main.php para testar o ACID.