Hướng dẫn cài đặt IDS/IPS Snort trên Centos 6.5 2015

• 

  Lỗi bug trong Gmail Android cho phép bất cứ ai cũng có thể gửi email giả mạo

  Jan 05 2016 - Halozen
• 

  15 bức ảnh khoa học tuyệt đẹp trong năm 2015

  Jan 05 2016 - Halozen
• 

  Tổng hợp game mobile đua xe đáng chơi nhất 2015

  Jan 04 2016 - Halozen
• 

  Key bản quyền Sublime Text 3 (2015-2016)

  Jan 04 2016 - Halozen
• 

  Lenovo nói gì về sự cố máy tính cài sẵn phần mềm gián điệp?

  Jan 04 2016 - Halozen
• 

  Top 10 ngôn ngữ lập trình dễ bị Hack

  Jan 04 2016 - Halozen
• 

  Nguyễn Hà Đông giải thích lý do game mới Swing Copters 2 'từ chối' người Việt

  Jan 04 2016 - Halozen
• 

  Mark Zuckerberg học theo Iron Man: phát triển trợ lý ảo như 'Jarvis'

  Jan 04 2016 - Halozen

BlogCNTT xin hướng dẫn các bạn quản trị, an ninh mạng cài đặt cấu hình IDS/IPS Snort + inline trên Centos 6.5

Hình ảnh nhỏ trong clip hướng dẫn cài đặt DS/IPS Snort + inline trên Centos 6.5 

Mô Hình Snort IDS/IPS của BlogCNTT như sau
1 máy Centos 6.5 Snort - 2 Card mạng. LAN WAN
2 máy Client LAN WAN
Snort 1 card WAN NAT - 1 card LAN (host)
NAT card LAN ra card WAN cho bên ngoài ping đc
BlogCNTT chỉ cấu hình xem log trên console terminal, còn BASE giao diện đồ họa web thì cấu hình trong file txt nhưng chưa làm, vì hỉ làm bài tập nhỏ về Snort IDS/IPS chứ ko có làm đồ án nên ko nghiên cứu sâu rộng được mong các bạn thông cảm

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311<Cài đặt Snort

Cài đặt Package

yum install -y gcc flex bison zlib* libxml2 libpcap* pcre* tcpdump git libtool curl man make daq
yum groupinstall - y "Development Tools"

Chuẩn bị các file cài đặt riêng sau

libdnet-1.12.tgz   
libdnet-1.12-6.el6.x86_64.rpm
libdnet-devel-1.12-6.el6.x86_64.rpm 

Tải file snort mới nhất tại Snort.org
daq-2.0.4.tar
snort-2.9.7.0.tar


cd /usr/local/src
tar -zxvf /root/Desktop/daq-2.0.4.tar.gz
tar -zxvf /root/Desktop/snort-2.9.7.0.tar.gz

cd daq-2.0.4.tar
./configure
make && make install

cd /usr/local/src/snort-2.9.7.0
./configure --enable-sourcefire
make && make install

cd /etc
mkdir snort
cd snort 
cp /usr/local/src/snort-2.9.7.0/etc/* .
tar -zvxf /root/Desktop/snortrules-snapshot-2970.tar.gz
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

Tạo user, group, cấp quyền

groupadd -g 40000 snort
useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

Cấu hình snort

vi /etc/snort/snort.conf
ipvar HOME_NET any         >        ipvar HOME_NET 192.168.x.x
ipvar EXTERNAL_NET any      >       ipvar EXTERNAL_NET !$HOME_NET
var SO_RULE_PATH  ../so_rules   >    105 var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH ../preproc_rules    >   106 var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH ../rules     >       109 var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH ../rules     >       110 var BLACK_LIST_PATH /etc/snort/rules


cd /usr/local/src
chown -R snort:snort daq-2.0.4
chown -R 755 daq-2.0.4
chown -R snort:snort snort-2.9.7.0
chown -R 755 snort-2.9.7.0
chown -R snort:snort snort_dynamicsrc
chown -R 755 snort_dynamicsrc

Start snort

cd /usr/local/src/snort-2.9.7.0/rpm
cp snortd /etc/init.d/snortd
cp /usr/local/src/snort-2.9.7.0/rpm/snort.sysconfig /etc/sysconfig/snort
chkconfig --add /etc/init.d/snortd
chkconfig snortd on

cd /usr/sbin
ln -s /usr/local/bin/snort snort

Nếu ko có directory /var/log
cd /var/log
mkdir snort

Quyền
chmod 755 snort
chown -R snort:snort snort

cd /usr/local/lib
chown -R snort:snort snort*
chown -R snort:snort snort_dynamic*
chown -R snort:snort pkgconfig
chown -R 755 snort*
chown -R 755 pkgconfig

cd /usr/local/bin
chown -R snort:snort daq-modules-config
chown -R snort:snort u2*
chown -R 755 daq-modules-config 
chown 755 u2*

cd /etc
chown -R snort:snort snort
chown -R 755 snort


check
cd /usr/local/bin
./snort -T -i eht0 -u snort -g snort -c /etc/snort/snort.conf


Kiểm tra
snort -v
snort -T -i eht0 -u snort -g snort -c /etc/snort/snort.conf

ERROR: /etc/snort/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
Tạo thư mực dynamicrules
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chown -R 755 /usr/local/lib/snort_dynamicrules

Nếu ok

cd /usr/local/bin
./snort -A fast -b -D -d -i eht0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

service snort start/stop/restart
Add rule
gedit /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"Co Nguoi Ping"; sid:1000003;rev:1;)

Xem
snort -c /etc/snort/snort.conf -i eth0 -A console
snort -vde


Rules khác
drop icmp any any -> any any (itype:0;msg:"Chan Ping";sid:1000002;)
alert icmp any any -> $HOME_NET 81 (msg:"Scanning Port 81"; sid:1000001;rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"Scanning Port 22"; sid:1000002;rev:1;)
alert icmp any any -> any any (msg:"UDP Tesing Rule"; sid:1000006;rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test!!!"; classtype:not-suspicious; sid:1000005;  rev:1;)


Xem File Log Cảnh báo snort
/var/log/snort

Cấu hình Snort Inline

Chuẩn bị 1 máy Centos 6.5 
Chuẩn bị 1 máy Attacker 
2 Card mạng.
1 card WAN NAT - 1 card LAN (host)
NAT card LAN ra card WAN cho bên ngoài ping đc
vi /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 7 -j DNAT --to 192.168.1.10:7


1. Configure the “Inline Packet Normalization” to be enabled. If running Snort in passive mode (IDS),
comment/disable “Inline Packet Normalization”:
## Keep these unchanged. If they are commented out, then uncomment them.
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
2. Configure Snort Policy mode to run in inline (IPS):
## Under Step #2: add the following line
config policy_mode:inline
3. Configure DAQ variables to run AFPacket in inline (IPS) mode:
## Configure DAQ variables for AFPacket
config daq: afpacket
config daq_mode: inline
config daq_dir: /usr/local/lib/daq
config daq_var: buffer_size_mb=128

Xem. Kiểm tra 

/usr/local/bin/snort -i eth0:eth1 -A console -c /etc/snort/snort.conf -l /var/log/snort/ -Q

Thành công chặn port ping
Thêm rules chặn nmap


Snort phát hiện và chặn >>>> Thành công


Cài phpmyadmin

yum -y install phpmyadmin

bị lỗi No package phpmyadmin available thì 
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
yum -y install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

yum -y install phpmyadmin    > Cài Ok

Cài MySql

yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd libtool php-imap php-ldap hp-mbstring php-odbc php-pear php-xml php-xmlr
yum install php-pecl-apc
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
mysql_secure_installation
/usr/bin/mysqladmin -u root password 'mật khẩu mới'
Và thử truy cập MySQL xem sao:

# mysql -u root -p

mysql> create database snort;
mysql> create user 'snort'@'localhost' IDENTIFIED BY 'root';
mysql> grant create,select,update,insert,delete on snort.* to snort@localhost;
mysql> set password for snort@localhost=PASSWORD('snort');
mysql> source /usr/local/src/barnyard2-2-1.13/schemas/create_mysql
mysql> flush privileges;
mysql> exit

Cài Barnyard2

cd /usr/local/src/
tar zxvf /root/Desktop/barnyard2-2-1.13.tar.gz 
cd barnyard2-2-1.13/
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
make && make install
vi /usr/local/etc/barnyard2.conf
cp etc/barnyard2.conf /etc/snort
mkdir /var/log/barnyard2
chown snort.snort /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort.snort /var/log/snort/barnyard2.waldo
touch /etc/snort/sid-msg.map


Cài PulledPork
cd /usr/local/src/snort
tar xvfvz pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
cp pulledpork.pl /usr/local/bin
chmod 755 /usr/sbin/pulledpork.pl
etc/* /etc/snort/
vi /etc/snort/pulledpork.conf
updatedb
locate snort.conf



Cài php
yum install php
yum install php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc
service httpd restart

Test xen quá trình cài module PHP đã thành công hay chưa, ta tạo 1 file info.php chứa trong /var/www/html với nội dung như sau:



# pear channel-update pear.php.net
# pear install Numbers_Roman
# pear install Image_Color-1.0.4
# pear install Image_Canvas-0.3.5
# pear install Image_Graph-0.8.0

Cài đặt BASE và adodb

tar -xvzf adodb518.tgz
mv adodb5 /var/adodb

tar -zxvf base-1.4.5.tar.gz
mv base-1.4.5 /var/www/html/base/
cd /var/www/httml/base
cp base_conf.php.dist base_conf.php
chown -R www-data:www-data /var/www/base
chmod o-r /var/www/base/base_conf.php
vi /var/www/base/base_conf.php

$BASE_urlpath = '/base';
$DBlib_path = '/var/adodb';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'snort';
$alert_password = ''snort';

chmod 777 /var/www/html/base

vi /etc/sysconfig/barnyard2
mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
cp base_conf.php.dist base_conf.php
chmod o-r /var/www/html/base/base_conf.php
vi /var/www/html/base/base_conf.php


vi /etc/http/conf/httd.conf
Alias /base /var/www/html/base/


    AllowOverride None
    Order allow,deny
    Allow from all


Alias /adodb/ "/var/adodb/"


    AllowOverride None
    Order allow,deny
    Allow from all


service httd restart
chcon -R -t httpd_sys_content_t /var/www/html/base/
chcon -R -h -t httpd_sys_content_t /var/adodb
>

Bản Quyền Của BlogCNTT