×ðÁú¿­Ê±¹ÙÍøµÇ¼

ÔõÑùʹÓÃÈëÇÖ̽²âϵͳ£¨IDS£©± £»¤CentOSЧÀÍÆ÷ÃâÊÜδ¾­ÊÚȨ»á¼û

ÔõÑùʹÓÃÈëÇÖ̽²âϵͳ£¨ids£©± £»¤centosЧÀÍÆ÷ÃâÊÜδ¾­ÊÚȨ»á¼û

µ¼ÑÔ£º×÷ΪЧÀÍÆ÷ÖÎÀíÔ±£¬± £»¤Ð§ÀÍÆ÷ÃâÊÜδ¾­ÊÚȨ»á¼ûÊǺÜÊÇÖ÷ÒªµÄʹÃü¡£¶øÈëÇÖ̽²âϵͳ£¨Intrusion Detection System£¬¼ò³ÆIDS£©¿ÉÒÔ×ÊÖúÎÒÃÇʵÏÖÕâһĿµÄ¡£±¾ÎĽ«ÏÈÈÝÔõÑùÔÚCentOSЧÀÍÆ÷ÉÏ×°ÖúÍÉèÖÃSnort£¬Ò»¿î³£ÓõÄIDS¹¤¾ß£¬ÒÔ± £»¤Ð§ÀÍÆ÷ÃâÊÜδ¾­ÊÚȨ»á¼û¡£

Ò»¡¢×°ÖÃSnort

¸üÐÂЧÀÍÆ÷Èí¼þ°ü

ÔÚÖÕ¶ËÖÐÔËÐÐÒÔÏÂÏÂÁî¸üÐÂÈí¼þ°ü£º

sudo yum update

µÇ¼ºó¸´ÖÆ

×°ÖÃÒÀÀµÏî

×°ÖÃSnortÐèҪһЩÒÀÀµÏî¡£ÔÚÖÕ¶ËÖÐÔËÐÐÒÔÏÂÏÂÁî×°ÖÃÕâЩÒÀÀµÏ

sudo yum install libpcap-devel pcre-devel libdnet-devel

µÇ¼ºó¸´ÖÆ

ÏÂÔغͱàÒëSnort

ÏÂÔØ×îеÄSnortÔ´´úÂ룬²¢½âѹËõÏÂÔصÄÎļþ£º

wget https://www.snort.org/downloads/snort/snort-2.9.17.tar.gz
tar -xzf snort-2.9.17.tar.gz

µÇ¼ºó¸´ÖÆ

½øÈë½âѹËõºóµÄĿ¼£¬²¢±àÒëºÍ×°ÖÃSnort£º

cd snort-2.9.17
./configure --enable-sourcefire
make
sudo make install

µÇ¼ºó¸´ÖÆ

¶þ¡¢ÉèÖÃSnort

½¨ÉèSnortÉèÖÃÎļþ

ÔÚÖÕ¶ËÖÐÔËÐÐÒÔÏÂÏÂÁÉèSnortµÄÉèÖÃÎļþ£º

sudo cp /usr/local/src/snort-2.9.17/etc/*.conf* /usr/local/etc/
sudo cp /usr/local/src/snort-2.9.17/etc/*.map /usr/local/etc/

µÇ¼ºó¸´ÖÆ

±à¼­SnortÉèÖÃÎļþ

ʹÓÃÎı¾±à¼­Æ÷·­¿ªSnortµÄÉèÖÃÎļþÒÔ¾ÙÐб༭£º

sudo nano /usr/local/etc/snort.conf

µÇ¼ºó¸´ÖÆ

ÔÚÉèÖÃÎļþÖУ¬Äã¿ÉÒÔÉèÖÃÏëÒª¼à¿ØµÄÍøÂç½Ó¿Ú¡¢¹æÔòÎļþµÄλÖõÈ¡£

ÀýÈ磬Äã¿ÉÒԱ༭ÒÔÏÂÄÚÈÝÒÔ¼à¿Øeth0½Ó¿ÚÉϵÄËùÓÐÁ÷Á¿£º

# ÉèÖüà¿ØµÄÍøÂç½Ó¿Ú
config interface: eth0

# ÉèÖùæÔòÎļþµÄλÖÃ
include $RULE_PATH/rules/*.rules

µÇ¼ºó¸´ÖÆ

±ðµÄ£¬»¹¿ÉÒÔƾ֤ÏÖʵÐèÇó¶ÔSnortµÄÆäËûÉèÖþÙÐе÷½â¡£

ÉèÖùæÔòÎļþ

SnortʹÓùæÔòÎļþÀ´¼ì²âºÍ×èֹDZÔÚµÄÈëÇÖÐÐΪ¡£Äã¿ÉÒÔ´ÓSnort¹Ù·½ÍøÕ¾ÏÂÔØ×îеĹæÔòÎļþ£¬²¢½«Æä°²ÅÅÔÚ¹æÔòÎļþĿ¼ÖС£

ĬÈÏÇéÐÎÏ£¬SnortµÄ¹æÔòÎļþĿ¼Ϊ/usr/local/etc/rules£¬Äã¿ÉÒÔÔÚSnortÉèÖÃÎļþÖÐÉó²éºÍÐ޸ĸÃĿ¼µÄλÖá£

ÀýÈ磬Äã¿ÉÒԱ༭ÒÔÏÂÄÚÈÝÒÔÖ¸¶¨¹æÔòÎļþĿ¼Ϊ/usr/local/etc/rules£º

# ÉèÖùæÔòÎļþµÄλÖÃ
RULE_PATH /usr/local/etc/rules

µÇ¼ºó¸´ÖÆ

Æô¶¯Snort

ÔÚÖÕ¶ËÖÐÔËÐÐÒÔÏÂÏÂÁîÆô¶¯Snort£º

sudo snort -A console -c /usr/local/etc/snort.conf -i eth0

µÇ¼ºó¸´ÖÆ

Õ⽫ÒÔ¿ØÖÆ̨ģʽÆô¶¯Snort£¬²¢ÔÚeth0½Ó¿ÚÉϼà¿ØÁ÷Á¿¡£

Èý¡¢Ê¹ÓÃSnort¼ì²âºÍ×èֹδ¾­ÊÚȨ»á¼û

¼à¿ØÈÕÖ¾

Snort½«»áÔÚSnortÈÕÖ¾ÎļþÖмͼËü¼ì²âµ½µÄÈκÎDZÔÚÈëÇÖÐÐΪ¡£Äã¿ÉÒÔÔÚSnortÉèÖÃÎļþÖÐÉó²éºÍÐ޸ĸÃÈÕÖ¾ÎļþµÄλÖá£

ÀýÈ磬Äã¿ÉÒԱ༭ÒÔÏÂÄÚÈÝÒÔÖ¸¶¨ÈÕÖ¾ÎļþλÖÃΪ/var/log/snort/alert.log£º

# ÉèÖÃÈÕÖ¾ÎļþµÄλÖÃ
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: alert
output alert_full: alert.log

# ÉèÖÃÈÕÖ¾ÎļþµÄλÖÃ
config detection: search-method ac-split
config detection: ac-logdir /var/log/snort

µÇ¼ºó¸´ÖÆ

×èÖ¹IP

ÈôÊÇÄã·¢Ã÷ij¸öIPµØµãÔÚ¾ÙÐÐδ¾­ÊÚȨµÄ»á¼û£¬Äã¿ÉÒÔʹÓÃSnortµÄ×èÖ¹¹¦Ð§À´×èÖ¹¸ÃIPµØµãµÄ½øÒ»²½»á¼û¡£

ÔÚÖÕ¶ËÖÐÔËÐÐÒÔÏÂÏÂÁîÒÔ×èֹij¸öIPµØµã£º

sudo snort -A console -c /usr/local/etc/snort.conf -i eth0 --block -O

µÇ¼ºó¸´ÖÆ

±àд×Ô½ç˵¹æÔò

ÈôÊÇÄãÓÐÌض¨µÄÐèÇ󣬿ÉÒÔ±àд×Ô½ç˵µÄSnort¹æÔòÀ´¼ì²âºÍ×èÖ¹Ìض¨µÄÈëÇÖÐÐΪ¡£

ÀýÈ磬ÒÔÏÂÊÇÒ»¸ö¼òÆÓµÄ×Ô½ç˵¹æÔò£¬ÓÃÓÚ¼ì²âͨ¹ýSSH¾ÙÐеÄδ¾­ÊÚȨ»á¼û£º

# ¼ì²âͨ¹ýSSH¾ÙÐеÄδ¾­ÊÚȨ»á¼û
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"Unauthorized SSH Access"; flow:to_server,established; content:"SSH"; classtype:suspicious-login; sid:100001; rev:1;)

µÇ¼ºó¸´ÖÆ

ʹÓÃÎı¾±à¼­Æ÷·­¿ª¹æÔòÎļþ£¬²¢½«×Ô½ç˵¹æÔòÌí¼Óµ½Îļþĩβ¡£

¹æÔò¸üÐÂ

SnortµÄ¹æÔò¿âÊÇÔ˶¯¸üеÄ¡£°´ÆÚ¸üйæÔò¿ÉÒÔÈ·±£ÄãµÄSnortʼÖÕ¾ßÓÐ×îеÄÈëÇÖ¼ì²âÄÜÁ¦¡£

Äã¿ÉÒÔ´ÓSnort¹Ù·½ÍøÕ¾ÏÂÔØ×îеĹæÔòÎļþ£¬²¢½«Æä°²ÅÅÔÚ¹æÔòÎļþĿ¼ÖС£

Îå¡¢½áÂÛ

ͨ¹ýʹÓÃÈëÇÖ̽²âϵͳ£¨IDS£©ÈçSnort£¬ÎÒÃÇ¿ÉÒÔ± £»¤CentOSЧÀÍÆ÷ÃâÊÜδ¾­ÊÚȨ»á¼û¡£±¾ÎÄÒÔ×°ÖúÍÉèÖÃSnortΪÀý£¬ÏêϸÏÈÈÝÁËÔõÑùʹÓÃIDSÀ´¼à¿ØºÍ±ÜÃâDZÔÚµÄÈëÇÖÐÐΪ¡£Í¨¹ý×ñÕÕÉÏÊö°ì·¨£¬²¢Æ¾Ö¤ÏÖʵÐèÇó¾ÙÐÐÊʵ±µÄÉèÖã¬ÎÒÃÇ¿ÉÒÔÔöǿЧÀÍÆ÷µÄÇå¾²ÐÔ²¢½µµÍDZÔÚµÄΣº¦¡£

×¢ÖØ£º±¾ÎÄÖ»ÊǼòÆÓÏÈÈÝÁËÔõÑùʹÓÃSnort×÷ΪÈëÇÖ̽²âϵͳ£¬¶ø²»ÊÇÏêϸڹÊÍÆäÔ­ÀíºÍËùÓÐÉèÖÃÑ¡Ïî¡£¹ØÓÚ¸üÉîÈëµÄÃ÷È·ºÍ½øÒ»²½µÄ̽Ë÷£¬½¨Òé²Î¿¼Snort¹Ù·½Îĵµ»ò²Î¿¼ÆäËûÏà¹Ø×ÊÁÏ¡£

Ï£Íû±¾ÎĶÔÄãÓÐËù×ÊÖú£¬×£ÄãµÄЧÀÍÆ÷Çå¾²ÎÞÓÇ£¡

ÒÔÉϾÍÊÇÔõÑùʹÓÃÈëÇÖ̽²âϵͳ£¨IDS£©± £»¤CentOSЧÀÍÆ÷ÃâÊÜδ¾­ÊÚȨ»á¼ûµÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡

ÃâÔð˵Ã÷£ºÒÔÉÏչʾÄÚÈÝȪԴÓÚÏàÖúýÌå¡¢ÆóÒµ»ú¹¹¡¢ÍøÓÑÌṩ»òÍøÂçÍøÂçÕûÀí£¬°æȨÕùÒéÓë±¾Õ¾Î޹أ¬ÎÄÕÂÉæ¼°¿´·¨Óë¿´·¨²»´ú±í×ðÁú¿­Ê±¹ÙÍøµÇ¼ÂËÓÍ»úÍø¹Ù·½Ì¬¶È£¬Çë¶ÁÕß½ö×ö²Î¿¼¡£±¾ÎĽӴýתÔØ£¬×ªÔØÇë˵Ã÷À´ÓÉ¡£ÈôÄúÒÔΪ±¾ÎÄÇÖÕ¼ÁËÄúµÄ°æȨÐÅÏ¢£¬»òÄú·¢Ã÷¸ÃÄÚÈÝÓÐÈκÎÉæ¼°ÓÐÎ¥¹«µÂ¡¢Ã°·¸Ö´·¨µÈÎ¥·¨ÐÅÏ¢£¬ÇëÄúÁ¬Ã¦ÁªÏµ×ðÁú¿­Ê±¹ÙÍøµÇ¼ʵʱÐÞÕý»òɾ³ý¡£

Ïà¹ØÐÂÎÅ

ÁªÏµ×ðÁú¿­Ê±¹ÙÍøµÇ¼

18523999891

¿É΢ÐÅÔÚÏß×Éѯ

ÊÂÇéʱ¼ä£ºÖÜÒ»ÖÁÖÜÎ壬9:30-18:30£¬½ÚãåÈÕÐÝÏ¢

QR code
ÍøÕ¾µØͼ