RHEL5.1+Snort+Apache+MySql+Php+Gd with Gd & Image_Graph监控系统安装与配置

发布于 2022-09-24 02:21:51 字数 3040 浏览 13 评论 0

入侵检测就是一个监视计算机系统或者网络上发生的事件,然后对其进行安全分析的过程。大多数的入侵检测系统都可以被归入到基于网络、基于主机以及分布式三类。基于网络的入侵检测系统能够监视网络数据发现入侵或者攻击的蛛丝马迹;基于主机的入侵检测系统能够监视针对主机的活动(用户的命令、登录/退出过程,使用的数据等等),以此来判断入侵企图;分布式IDS通过分布于各个节点的传感器或者代理对整个网络和主机环境进行监视,中心监视平台收集来自各个节点的信息监视这个网络流动的数据和入侵企图。
各种入侵检测系统使用的检测方法可以分为两类:基于特征码的检测方法和异常检测。使用基于特征码检测方法的系统从网络获得数据,然后从中发现以知的攻击特征。例如:在某些URL中包含一些奇怪的Unicode编码字符就是针对IIS Unicode缺陷的攻击特征。此外各种模式匹配技术的应用,提高了这种检测方法的精确性。使用异常检测的系统能够把获得的数据与一个基准进行比较,检测这些数据是否异常。   

snort是一个基于libpcap的轻量级网络入侵检测系统。它运行在一个“传感器(sensor)”主机上,监听网络数据。这台机器可能是一台简陋的运行FreeBSD系统的Pentium100 PC,并且至少有一个网卡。不过建议使用最好的机器作为进行入侵检测的主机。snort能够把网络数据和规则集进行模式匹配,从而检测可能的入侵企图;或者使用SPADE插件,使用统计学方法对网络数据进行异常检测。
snort使用一种易于扩展的模块化体系结构,感兴趣的开发人员可以加入自己编写的模块来扩展snort的功能。这些模块包括:HTTP解码插件、TCP数据流重组插件、端口扫描检测插件、FLEXRESP插件以及各种日志输入插件等。
snort还是一个自由、简洁、快速、易于扩展的入侵检测系统,已经被移植到了各种UNIX平台和WinY2K上。同时,它也是目前安全领域中,最活跃的开放源码工程之一。snort还是昂贵的商业入侵检测系统最好的替代产品之一。

上面的文字来自internet对入侵检测和snort的定义;下文是在RHEL5上构建基于snort的入侵检测系统的详细步骤:

该实验的参考文档有以下几篇,其中主要参考的是在Chinaunix上一篇名为《Redhat as4 下Snort+base+mysql+php+apache with gd and Image_Graph 安装与配置》的文章除此之外其他的文章有:
http://linux.chinaunix.net/bbs/v ... ht=snort&page=1
http://www.snort.org/docs/setup_guides/Snort_Base_Minimal.pdf
http://bbs.chinaunix.net/viewthr ... &highlight=zqli

其实我本人对snort并没有非常深入的了解,只是在看过相关文档之后希望能够亲自操作一次。但是
网上提供给我参考的文档我大概看过。我认为主要问题有两个:
        第一,所使用的操作系统版本比较旧(很多系统在使用的系统版本基于Red Hat 9.0),在当前生产环境上部署的话很容易出现各种兼容性问题。
        第二,在操作的过程中使用了大量的opoensource软件包而替换了很多系统自带的软件,在生产环境中这样的操作也会带来支持以及管理方面的困难。
        第三,《Redhat as4 下Snort+base+mysql+php+apache with gd and Image_Graph 安装与配置》存在一些错误,我相信如果新手百分百按照该文档操作还是会出现一些问题。

        因此我这一次的操作主要是使用当前比较新的RHEL5.1系统平台安装snort,并且在安装过程中尽量保留系统自带软件,同时指出源文在操作中的一些小错误。
        在实验过程中出现的问题和snort的具体使用方法,希望高手能够给予提示和指导
        
      

        另外我以我的人格担保该实验和文章均出自本人之手,整个实验的过程中我在互联网上借鉴多家不同的文章才获得成功。
        不是我不相信网上的文章。主要是因为不同技术水平,不同知识结构以及不同应用环境下的人写的文档百分百是不一样的,其中不乏一些偏差和错漏。过份相信网络上的文档对自身技术水平提高没有好处。
        但是很遗憾的是在当前我发现很多人在学习和使用技术过程中不对别人的东西进行任何的实验验证就四处转贴,造成很多完全可以避免的错误在网络上乱飞。这样的话我们opensource的优势将很难发挥出来。因此尽管我会去借鉴网络上不同的文章,但最终我只相信我做的实验。
      
        在这里,我将这个文档提供出来,尽管并不能保证他完全没有任何问题,但是我已经尽力对已经出现的错误进行修复并且。希望能够对大家的提高有所帮助。
        也希望大家能够帮我解决在实验中出现的问题。

        最后我仍然非常感谢源文的作者,这个实验是在他们奠定的基础上完成的。

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(9

咿呀咿呀哟 2022-10-01 02:21:51

实验环境:
        主机名称:localhost.localdomain                IP:192.168.1.150                Kernel:2.6.18-53.el5xen
        在该主机上部署RHEL5.1+Snort+Apache+MySql+Php+Gd with Gd & Image_Graph,在部署之前我系统安装的包组有:
        %packages
@mysql        @development-libs        @editors        @system-tools         @gnome-software-development        @text-internet
@x-software-development @virtualization @legacy-network-server @dns-server @gnome-desktop
@dialup @core @base @ftp-server @network-server @games @java @smb-server @base-x
@chinese-support @graphics @web-server @printing @mail-server @server-cfg @sound-and-video
@sql-server @admin-tools @news-server @development-tools @graphical-internet

现在检查和安装相关软件包,确保mysql和php的下列软件包已经安装:
[root@localhost Server]# rpm -qa | grep mysql
libdbi-dbd-mysql-0.8.1a-1.2.2
php-mysql-5.1.6-15.el5
mysql-server-5.0.22-2.1.0.1
mysql-connector-odbc-3.51.12-2.2
mysql-test-5.0.22-2.1.0.1
mysql-5.0.22-2.1.0.1
mysql-bench-5.0.22-2.1.0.1
mysql-devel-5.0.22-2.1.0.1

[root@localhost Server]# rpm -qa | grep php
php-cli-5.1.6-15.el5
php-ldap-5.1.6-15.el5
php-pdo-5.1.6-15.el5
php-pear-1.4.9-4
php-common-5.1.6-15.el5
php-mysql-5.1.6-15.el5
php-devel-5.1.6-15.el5
php-5.1.6-15.el5
php-gd-5.1.6-15.el5

其实通过上述的操作,一个基本的Apache+Php+Mysql结构已经完成。可以进行一个简单的测试:
[root@localhost ~]# echo "AddType application/x-httpd-php .php" >> /etc/httpd/conf/httpd.conf
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# service httpd start
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# service mysqld start
[root@localhost ~]# echo "<?php phpinfo();?>" >> /var/www/html/test.php
此时可以运行一个浏览器去访问http://192.168.1.150/test.php页面。如果配置成功,页面能够正常显示。

孤城病女 2022-10-01 02:21:51

我所需要的opensource软件包包括:
[root@localhost Server]# mount -o username=jerrywjl //192.168.1.254/sd /mnt
Password:
[root@localhost Server]# cd /mnt/soft/Linux/
[root@localhost Linux]# cp snort-2.8.0.1.tar.gz /usr/local/                                --snort源码包
[root@localhost Linux]# cp snortrules-pr-2.4.tar.gz /usr/local/                        --snort规则
[root@localhost Linux]# cp snort /etc/init.d/                                                        --下载获得的snort脚本
该脚本的内容:
[root@localhost local]# cat /etc/init.d/snort
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops the snort intrusion detection system
#
# config: /etc/snort/snort.conf
# processname: snort

# Source function library
. /etc/rc.d/init.d/functions

BASE=snort
DAEMON="-D"
INTERFACE="-i eth0"
CONF="/etc/snort/snort.conf"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

RETVAL=0
# See how we were called.
case "$1" in
  start)
        if [ -n "`/sbin/pidof $BASE`" ]; then
                echo -n $"$BASE: already running"
                echo ""
                exit $RETVAL
        fi
        echo -n "Starting snort service: "
        /usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
        sleep 1
        action "" /sbin/pidof $BASE
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
        ;;
  stop)
        echo -n "Shutting down snort service: "
        killproc $BASE
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  status)
        status $BASE
        RETVAL=$?
        ;;
  *)
        echo "Usage: snort {start|stop|restart|reload|status}"
        exit 1
esac

exit $RETVAL

并定义该脚本可执行以及自启动:
[root@localhost ~]# chmod 755 /etc/init.d/snort
[root@localhost ~]# chkconfig snort on
然后继续:
[root@localhost Linux]# cp Image_Canvas-0.3.1.tgz /usr/local/
[root@localhost Linux]# cp Image_Color-1.0.2.tgz /usr/local/
[root@localhost Linux]# cp Image_Graph-0.7.0.tar /usr/local/
[root@localhost Linux]# cp adodb480.tgz /usr/local/
[root@localhost Linux]# cp adodb480.tgz /var/www/
[root@localhost Linux]# cp base-1.2.6.tar.gz /var/www/html/
[root@localhost Linux]# cp base-1.2.6.tar.gz /usr/local/
[root@localhost Linux]# cp jpegsrc.v6b.tar.gz /usr/local/

作妖 2022-10-01 02:21:51

首先编译jpegsrv.v6b.tar.gz:
[root@localhost local]# tar -zxf jpegsrc.v6b.tar.gz
[root@localhost local]# cd jpeg-6b/
[root@localhost jpeg-6b]# mkdir -p /usr/local/jpeg/{bin,lib,include,man,man/man1}
[root@localhost jpeg-6b]# ./configure --prefix=/usr/local/jpeg --enable-shared --enable-static
[root@localhost jpeg-6b]# make
[root@localhost jpeg-6b]# make install

之后编译安装snort:
[root@localhost ~]# cd /usr/local/
[root@localhost local]# tar -zxf snort-2.8.0.1.tar.gz
[root@localhost local]# cd snort-2.8.0.1
[root@localhost snort-2.8.0.1]# ./configure --with-mysql --enable-dynamicplugin
[root@localhost snort-2.8.0.1]# make
[root@localhost snort-2.8.0.1]# make install
[root@localhost snort-2.8.0.1]# mkdir -p /etc/snort/rules /var/log/snort 建立snort规则目录和日志目录
[root@localhost snort-2.8.0.1]# groupadd snort                                                        --建立snort用户和组
[root@localhost snort-2.8.0.1]# useradd -g snort snort -s /sbin/nologin
执行./configure编译环境检查很可能会出错,因为需要安装下面的软件包:
libpcap-devel-0.9.4-11.el5.i386.rpm
pcre-devel-6.6-1.1.i386.rpm
最后将所有已经编译生成的配置文件拷贝到/etc/snort目录下:
[root@localhost snort-2.8.0.1]# cp etc/* /etc/snort/
以及将所有的规则解压,并拷贝到已经指定的规则目录:
[root@localhost local]# tar -zxf snortrules-pr-2.4.tar.gz
[root@localhost local]# cp rules/* /etc/snort/rules/

现在可以修改snort配置文件:
[root@localhost ~]# cp /etc/snort/snort.conf snort.conf.bak
[root@localhost ~]# vi /etc/snort/snort.conf
所修改的内容包括:
a.将原来的var EXTERNAL_NET any修改为var EXTERNAL_NET 192.168.1.0/24
b.指定规则文件位置,将原来的var RULE_PATH ../rules修改为var RULE_PATH /etc/snort/rules
c.修改output database为:
output database: log, mysql, user=root password=123456 dbname=snort host=localhost
        (我待会会在mysql中定义这些内容)
        d.定义stream:
        我在实验过程中于这个地方栽了跟头,按照网上的文章《Redhat as4 下Snort+base+mysql+php+apache with gd and Image_Graph 安装与配置》所描述的,如果:
After the line that says
“preprocessor stream4_reassemble”
add a line that looks like
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
        并且不对其他内容修改,snort服务是起不来的,因为在后面有说明,stream4和stream5是不能共存的。(当时就是忽略了这点):
        # Stream5 is a target-based stream engine for Snort.  Its functionality
# replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
# cannot be used simultaneously.  Comment out the stream4 configurations
# above to use Stream5.
所以这里干脆什么都不改,直接使用stream5就是了。

完成之后为snort在mysql中建立数据库:
[root@localhost ~]# mysql               
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
以下是定义数据库snort的基本参数和针对管理用户授权:
mysql>  SET PASSWORD FOR root@localhost=PASSWORD('123456');
Query OK, 0 rows affected (0.07 sec)

mysql> create database snort;
Query OK, 1 row affected (0.05 sec)

mysql> grant INSERT,SELECT on root.* to snort@localhost;
Query OK, 0 rows affected (0.05 sec)

mysql> SET PASSWORD FOR snort@localhost=PASSWORD('123456');                        --源文在这里有错
Query OK, 0 rows affected (0.00 sec)                                       

mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye
将预先定义好的默认的snort所需要的表批量导入mysql的snort数据库中:
[root@localhost ~]# mysql -u root -p < /usr/local/snort-2.8.0.1/schemas/create_mysql snort
Enter password:
检查:
[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

mysql>

自我难过 2022-10-01 02:21:51

最后安装配置base和Image
[root@localhost local]# pear install Image_Color-1.0.2.tgz
install ok: channel://pear.php.net/Image_Color-1.0.2

[root@localhost local]# pear install Image_Canvas-0.3.1.tgz
install ok: channel://pear.php.net/Image_Canvas-0.3.1

[root@localhost local]# pear install Image_Graph-0.7.0.tar
pear/Image_Graph can optionally use package "pear/Numbers_Roman"
pear/Image_Graph can optionally use package "pear/Numbers_Words"
install ok: channel://pear.php.net/Image_Graph-0.7.0

[root@localhost ~]# cd /var/www/
[root@localhost www]# tar -zxf adodb480.tgz
[root@localhost www]# rm -fr adodb480.tgz
[root@localhost www]# cd /var/www/html/
[root@localhost html]# tar -zxf base-1.2.6.tar.gz
[root@localhost html]# mv base-1.2.6 base
[root@localhost html]# rm -fr base-1.2.6.tar.gz
[root@localhost html]# cd base/

建立和修改配置文件:
[root@localhost ~]# cd /var/www/html/base/
[root@localhost base]# cp base_conf.php.dist base_conf.php
[root@localhost base]# vi base_conf.php

所需要修改的内容包括:
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/ ";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "123456";
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB
这个修改当然是要和在snort数据库中设定的内容对应。

最后启动snort:
通常第一次启动会失败:
[root@localhost ~]# service snort start
Starting snort service:  
[FAILED]
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:34:06 localhost snort[647]:     Alert if memcap exceeded DISABLED
Mar  5 21:34:06 localhost snort[647]:  
Mar  5 21:34:06 localhost snort[647]: DNS config:  
Mar  5 21:34:06 localhost snort[647]:     DNS Client rdata txt Overflow Alert: ACTIVE
Mar  5 21:34:06 localhost snort[647]:     Obsolete DNS RR Types Alert: INACTIVE
Mar  5 21:34:06 localhost snort[647]:     Experimental DNS RR Types Alert: INACTIVE
Mar  5 21:34:06 localhost snort[647]:     Ports:
Mar  5 21:34:06 localhost snort[647]:  53
Mar  5 21:34:06 localhost snort[647]:  
Mar  5 21:34:07 localhost snort[647]: FATAL ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent".
因此按照提示修改/etc/snort/rules/web-misc.rules文件,将出错的行注释:
[root@localhost ~]# vi /etc/snort/rules/web-misc.rules
注释的内容为:
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7

再启动一次:
[root@localhost ~]# service snort start
Starting snort service:  
[FAILED]
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:42:37 localhost snort[707]:     Alert if memcap exceeded DISABLED
Mar  5 21:42:37 localhost snort[707]:  
Mar  5 21:42:37 localhost snort[707]: DNS config:  
Mar  5 21:42:37 localhost snort[707]:     DNS Client rdata txt Overflow Alert: ACTIVE
Mar  5 21:42:37 localhost snort[707]:     Obsolete DNS RR Types Alert: INACTIVE
Mar  5 21:42:37 localhost snort[707]:     Experimental DNS RR Types Alert: INACTIVE
Mar  5 21:42:37 localhost snort[707]:     Ports:
Mar  5 21:42:37 localhost snort[707]:  53
Mar  5 21:42:37 localhost snort[707]:  
Mar  5 21:42:38 localhost snort[707]: FATAL ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi
因此按照提示修改/etc/snort/rules/web-misc.rules文件,接着注释出错的内容:
[root@localhost ~]# vi /etc/snort/rules/web-misc.rules
注释的内容为:
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt"; flow:to_server,established; content:"/ComGetLogFile.php3"; distance:0; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3544; rev:2
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2

第三次启动:
[root@localhost ~]# service snort start
Starting snort service:  735
[  OK  ]
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:46:29 localhost snort[735]: | Pattern Chars    : 97521
Mar  5 21:46:29 localhost snort[735]: | Num States       : 52738
Mar  5 21:46:29 localhost snort[735]: | Num Match States : 7558
Mar  5 21:46:29 localhost snort[735]: | Memory           :   1.40Mbytes
Mar  5 21:46:29 localhost snort[735]: |   Patterns       :   0.31M
Mar  5 21:46:29 localhost snort[735]: |   Match Lists    :   0.30M
Mar  5 21:46:29 localhost snort[735]: |   Transitions    :   0.77M
Mar  5 21:46:29 localhost snort[735]: +-------------------------------------------------
Mar  5 21:46:29 localhost snort[735]: Snort initialization completed successfully (pid=735)
Mar  5 21:46:29 localhost snort[735]: Not Using PCAP_FRAMES

方法有点笨,但是毕竟启动起来了。
现在可以通过浏览器进行访问测试:
http://192.168.1.150/base
访问之后页面将自动跳转到:http://192.168.1.150/base/base_main.php
然后出现首页:
Basic Analysis and Security Engine (BASE)
The underlying database snort@localhost appears to be incomplete/invalid.
The database version is valid, but the BASE DB structure (table: acid_ag)is not present. Use the Setup page to configure and optimize the DB.
点击setup page进行安装即可。

在安装之后,当点击administration之后,会出现一个出错提示页面:
Database ERRORatabase ERROR:Table 'snort.base_users' doesn't exist
这个问题主要因为不同的base版本差异的影响,为了解决该问题。我重新建立base配置文件:
首先将/var/www/html/base/base_conf.php移动到其他位置,之后提示访问http://192.168.1.150/base/setup按照提示重新建立配置文件,内容包括定义数据库名称、管理员、密码等。
完成之后会提示base_conf.php文件出错,但是同时又会给出一个完整base_conf.php文件内容,并提示将该内容拷贝到/var/www/html/base/base_conf.php中。
这时再次访问http://192.168.1.150所有页面都能够正确显示。

小糖芽 2022-10-01 02:21:51

提供给大家参考的是我的base_conf.php脚本内容:
[root@localhost base]# vi base_conf.php

<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file "base_main.php" for license details)
**
** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
** Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** Purpose: Vanilla Config file
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <kjohnson@secureideas.net
**
********************************************************************************
*/
    session_start();
    $BASE_VERSION = '1.2.6 (christine)';

    /*
     Set the below to the language you would like people to use while viewing
     your install of BASE.
    */
    $BASE_Language = 'english';

    /*
     Set the $Use_Auth_System variable to 1 if you would like to force users to
     authenticate to use the system.  Only turn this off if the system is not
     accessible to the public or the network at large.  i.e. a home user testing it
     out!
    */

    $Use_Auth_System = 0;

    /*
     Set the base_urlpath to the url location that is the root of your BASE install.
     This must be set for BASE to function! Do not include a trailing slash!
     But also put the preceding slash. e.g. Your URL is http://127.0.0.1/base
     set this to /base

     */
    $BASE_urlpath = '/base';

    /* Unique BASE ID.  The below variable, if set, will append its value to the
     * title bar of the browser.  This is for people who manage multiple installs
     * of BASE and want a simple way to differentiate them on the task bar.
     */

    $BASE_installID = '';

    /* Custom footer addition.  The below variable, if set, will cause
    *  base_main.php to include what ever file is specified.
    *  A sample custom footer file is in the contrib directory
    */
   $base_custom_footer = '';

    /* Path to the DB abstraction library
     *  (Note: DO NOT include a trailing backslash after the directory)
     *   e.g. $foo = '/tmp'      [OK]
     *        $foo = '/tmp/'     [OK]
     *        $foo = 'c:\tmp'    [OK]
     *        $foo = 'c:\tmp\'   [WRONG]
     */
    $DBlib_path = '/var/www/adodb';

    /* The type of underlying alert database
     *
     *  MySQL       : 'mysql'
     *  PostgresSQL : 'postgres'
     *  MS SQL Server : 'mssql'
     *  Oracle      : 'oci8'
     */
    $DBtype = 'mysql';

    /* Alert DB connection parameters
     *   - $alert_dbname   : MySQL database name of Snort alert DB
     *   - $alert_host     : host on which the DB is stored
     *   - $alert_port     : port on which to access the DB
     *   - $alert_user     : login to the database with this user
     *   - $alert_password : password of the DB user
     *
     *  This information can be gleaned from the Snort database
     *  output plugin configuration.
     */
    $alert_dbname   = 'snort';
    $alert_host     = 'localhost';
    $alert_port     = '';
    $alert_user     = 'snort';
    $alert_password = '123456';

    /* Archive DB connection parameters */
    $archive_exists   = ''; # Set this to 1 if you have an archive DB
    $archive_dbname   = '';
    $archive_host     = '';
    $archive_port     = '';
    $archive_user     = '';
    $archive_password = '';

    /* Type of DB connection to use
     *   1  : use a persistant connection (pconnect)
     *   2  : use a normal connection (connect)
     */
    $db_connect_method = 1;

    /* Use referential integrity
     *   1  : use
     *   0  : ignore (not installed)
     *
     * Note: Only PostgreSQL and MS-SQL Server databases support
     *       referential integrity.  Use the associated
     *       create_acid_tbls_?_extra.sql script to add this
     *       functionality to the database.
     *
     *       Referential integrity will greatly improve the
     *       speed of record deletion, but also slow record
     *       insertion.
     */
    $use_referential_integrity = 0;

    /* Variable to start the ability to handle themes... */
    $base_style = 'base_style.css';

    /* File format of charts (png, jpeg, gif) */
    $chart_file_format = 'png';

    /* Chart default colors - (red, green, blue)
     *    - $chart_bg_color_default    : background color of chart
     *    - $chart_lgrid_color_default : gridline color of chart
     *    - $chart_bar_color_default   : bar/line color of chart
     */
    $chart_bg_color_default     = array(255,255,255);
    $chart_lgrid_color_default  = array(205,205,205);
    $chart_bar_color_default    = array(190, 5, 5);

    /* Maximum number of rows per criteria element */
    $MAX_ROWS = 10;

    /* Number of rows to display for any query results */
    $show_rows = 48;

    /* Number of items to return during a snapshot
     *  Last _X_ # of alerts/unique alerts/ports/IP
     */
    $last_num_alerts = 15;
    $last_num_ualerts = 15;
    $last_num_uports = 15;
    $last_num_uaddr = 15;

    /* Number of items to return during a snapshot
     *  Most Frequent unique alerts/IPs/ports
     */
    $freq_num_alerts = 5;
    $freq_num_uaddr = 15;
    $freq_num_uports = 15;

    /* Number of scroll buttons to use when displaying query results */
    $max_scroll_buttons = 12;

    /* Debug mode     - how much debugging information should be shown
     * Timing mode    - display timing information
     * SQL trace mode - log SQL statements
     *   0 : no extra information
     *   1 : debugging information
     *   2 : extended debugging information
     *
     * HTML no cache - whether a no-cache directive should be sent
     *                 to the browser (should be = 1 for IE)
     *
     * SQL trace file - file to log SQL traces
     */
    $debug_mode = 0;
    $debug_time_mode = 1;
    $html_no_cache = 1;
    $sql_trace_mode = 0;
    $sql_trace_file = '';

    /* Auto-Screen refresh
     * - Refresh_Stat_Page - Should certain statistics pages refresh?
     * - Stat_Page_Refresh_Time - refresh interval (in seconds)
     */
    $refresh_stat_page = 1;
    $stat_page_refresh_time = 180;

    /* Display First/Previous/Last timestamps for alerts or
     * just First/Last on the Unique Alert listing.
     *    1: yes
     *    0: no
     */
    $show_previous_alert = 0;

    /* Sets maximum execution time (in seconds) of any particular page.
     * Note: this overrides the PHP configuration file variable
     *       max_execution_time.  Thus script can run for a total of
     *       ($max_script_runtime + max_execution_time) seconds
     */
    $max_script_runtime = 180;

    /* How should the IP address criteria be entered in the Search screen?
     *   1 : each octet is a separate field
     *   2 : entire address is as a single field
     */
    $ip_address_input = 2;

    /* Should a combo box with possible signatures be displayed on the
     * search form. (Requires Javascript)
     *   0 : disabled
     *   1 : show only non pre-processor signatures (e.g., ignore portscans)
     *   2 : show all signatures
     */
    $use_sig_list = 0;

    /* Resolve IP to FQDN (on certain queries?)
     *    1 : yes
     *    0 : no
     */
    $resolve_IP = 0;

    /* Should summary stats be calculated on every Query Results page
     * (Enabling this option will slow page loading time)
     */
    $show_summary_stats = 0;

    /* DNS cache lifetime (in minutes) */
    $dns_cache_lifetime = 20160;

    /* Whois information cache lifetime (in minutes) */
    $whois_cache_lifetime = 40320;

    /* Snort spp_portscan log file */
    $portscan_file = '';

    /* Show part of portscan payload in signature */
    $portscan_payload_in_signature = '1';

    /* Event cache Auto-update
     *
     *  Should the event cache be verified and updated on every
     *  page log?  Otherwise, the cache will have to be explicitly
     *  updated from the 'cache and status' page.
     *
     *  Note: enabling this option could substantially slow down
     *  the page loading time when there are many uncached alerts.
     *  However, this is only a one-time penalty.
     *
     *   1 : yes
     *   0 : no
     */
    $event_cache_auto_update = 1;

    /* Maintain a history of the visited pages so that the 'Back'
     * button can be used.
     *
     * Note: Enabling this option will cause the PHP-session to
     * grow substantially after many pages have been viewed causing
     * a slow down in page loading time. Periodically return to the
     * main page to clear the history.
     *
     *   1 : yes
     *   0 : no
     */
    $maintain_history = 1;

    /* Level of detail to display on the main page.
     *
     * Note: The presence of summary statistics will slow page loading time
     *
     *   1 : show both the links and summary statistics
     *   0 : show only the links and a count of the number of alerts
     */
    $main_page_detail = 1;

    /* avoid count(*) whenever possible
     *
     * Note: On some databases (e.g., postgres) this can greatly increase
     * performance if you have a large number of events. On other databases
     * (e.g., mysql) this will have little to no effect. Enabling this
     * option will prevent the number of events in the database from being
     * shown on the main screen and will remove the percentages associated
     * with the number of events on the alert screen.
     */
    $avoid_counts = 0;

    /* show links to first/last/previous event on alert screen
     *
     * Note: Enabling this can slow down loading of the alert screen on large
     * databases
     */
    $show_first_last_links = 0;

    /*
     * External URLs
     */

    /* Whois query */
    $external_whois_link = 'http://www.dnsstuff.com/tools/whois.ch?ip=';

     /* DNS query */
    $external_dns_link = 'http://www.dnsstuff.com/tools/ptr.ch?ip=';

    /* SamSpade 'all' query */
    $external_all_link = 'http://www.whois.sc/';

    /* TCP/UDP port database */
    $external_port_link = array('sans'     => 'http://isc.sans.org/port_details.php?port=',
                                'portsdb'  => 'http://www.portsdb.org/bin/portsdb.cgi?portnumber=',
                                'tantalo'  => 'http://ports.tantalo.net/?q=',
                                'sstats'   => 'http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=');

    /* Signature references */
    $external_sig_link = array('bugtraq'   => array('http://www.securityfocus.com/bid/', ''),
                               'snort'     => array('http://www.snort.org/pub-bin/sigs.cgi?sid=', ''),
                               'cve'       => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),
                               'arachnids' => array('http://www.whitehats.com/info/ids', ''),
                               'mcafee'    => array('http://vil.nai.com/vil/content/v_', '.htm'),
                               'icat'      => array('http://icat.nist.gov/icat.cfm?cvename=CAN-', ''),
                               'nessus'    => array('http://www.nessus.org/plugins/index.php?view=single&id=', ''),
                               'url'       => array('http://', ''),
                               'local' => array('signatures/', '.txt'));

    /* Email Alert action
     *
     * - action_email_from : email address to use in the FROM field of the mail message
     * - action_email_subject : subject to use for the mail message
     * - action_email_msg : additional text to include in the body of the mail message
     * - action_email_mode : specifies how the alert information should be enclosed
     *     0 : alerts should be in the body of the message
     *     1 : alerts should be enclosed in an attachment
     */
    $action_email_from = 'BASE Alert <base>';
    $action_email_subject = 'BASE Incident Report';
    $action_email_msg = '';
    $action_email_mode = 0;

    /* Custom (user) PHP session handlers
     *
     * - use_user_session : sets whether user PHP session can be used (configured
     *                      with the session.save_handler variable in php.ini)
     *      0 : no
     *      1 : yes (assuming that 'user_session_path' and 'user_session_function'
     *               are configured correctly)
     * - user_session_path : file to include that implements the custom PHP session
     *                       handler
     * - user_session_function : function to invoke in the custom session
     *                           implementation that will register the session handler
     *                           functions
     */
    $use_user_session = 0;
    $user_session_path = '';
    $user_session_function = '';

    /*
     The below line should not be changed!
     */
    $BASE_path = dirname(__FILE__);

    // _BASE_INC is a variable set to prevent direct access to certain include files....
    define( '_BASE_INC', 1 );

    // Include for languages
    include("$BASE_path/languages/$BASE_Language.lang.php");
    ?>
"base_conf.php" [New] 364L, 13299C written

冬天旳寂寞 2022-10-01 02:21:51

几个相关的效果截图:

半夏半凉 2022-10-01 02:21:51

最后是俺的问题,这才是我关心的:

第一,在启动snort中出现的几个错误,迫使我将/etc/snort/rules/web-misc.rules 注释,否则服务起不来。具体是什么原因?
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt"; flow:to_server,established; content:"/ComGetLogFile.php3"; distance:0; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3544; rev:2
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2

出错信息:
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:34:06 localhost snort[647]:     Alert if memcap exceeded DISABLED
Mar  5 21:34:06 localhost snort[647]:  
Mar  5 21:34:06 localhost snort[647]: DNS config:  
Mar  5 21:34:06 localhost snort[647]:     DNS Client rdata txt Overflow Alert: ACTIVE
Mar  5 21:34:06 localhost snort[647]:     Obsolete DNS RR Types Alert: INACTIVE
Mar  5 21:34:06 localhost snort[647]:     Experimental DNS RR Types Alert: INACTIVE
Mar  5 21:34:06 localhost snort[647]:     Ports:
Mar  5 21:34:06 localhost snort[647]:  53
Mar  5 21:34:06 localhost snort[647]:  
Mar  5 21:34:07 localhost snort[647]: FATAL ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent".

[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:42:37 localhost snort[707]:     Alert if memcap exceeded DISABLED
Mar  5 21:42:37 localhost snort[707]:  
Mar  5 21:42:37 localhost snort[707]: DNS config:  
Mar  5 21:42:37 localhost snort[707]:     DNS Client rdata txt Overflow Alert: ACTIVE
Mar  5 21:42:37 localhost snort[707]:     Obsolete DNS RR Types Alert: INACTIVE
Mar  5 21:42:37 localhost snort[707]:     Experimental DNS RR Types Alert: INACTIVE
Mar  5 21:42:37 localhost snort[707]:     Ports:
Mar  5 21:42:37 localhost snort[707]:  53
Mar  5 21:42:37 localhost snort[707]:  
Mar  5 21:42:38 localhost snort[707]: FATAL ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi

第二,这个snort应该如何指定规则如何使用?!呵呵比较菜!抱歉!

最后请转贴我文章的哥们注明出处,尊重一下本人所付出一点点劳动。谢谢!

[ 本帖最后由 jerrywjl 于 2008-3-5 15:21 编辑 ]

寂寞花火° 2022-10-01 02:21:51

要沉了,自己顶!

还是这两个问题:
最后是俺的问题,这才是我关心的:

第一,在启动snort中出现的几个错误,迫使我将/etc/snort/rules/web-misc.rules 注释,否则服务起不来。具体是什么原因?
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt"; flow:to_server,established; content:"/ComGetLogFile.php3"; distance:0; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3544; rev:2
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2

出错信息:
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:34:06 localhost snort[647]:     Alert if memcap exceeded DISABLED
Mar  5 21:34:06 localhost snort[647]:  
Mar  5 21:34:06 localhost snort[647]: DNS config:  
Mar  5 21:34:06 localhost snort[647]:     DNS Client rdata txt Overflow Alert: ACTIVE
Mar  5 21:34:06 localhost snort[647]:     Obsolete DNS RR Types Alert: INACTIVE
Mar  5 21:34:06 localhost snort[647]:     Experimental DNS RR Types Alert: INACTIVE
Mar  5 21:34:06 localhost snort[647]:     Ports:
Mar  5 21:34:06 localhost snort[647]:  53
Mar  5 21:34:06 localhost snort[647]:  
Mar  5 21:34:07 localhost snort[647]: FATAL ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent".

[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:42:37 localhost snort[707]:     Alert if memcap exceeded DISABLED
Mar  5 21:42:37 localhost snort[707]:  
Mar  5 21:42:37 localhost snort[707]: DNS config:  
Mar  5 21:42:37 localhost snort[707]:     DNS Client rdata txt Overflow Alert: ACTIVE
Mar  5 21:42:37 localhost snort[707]:     Obsolete DNS RR Types Alert: INACTIVE
Mar  5 21:42:37 localhost snort[707]:     Experimental DNS RR Types Alert: INACTIVE
Mar  5 21:42:37 localhost snort[707]:     Ports:
Mar  5 21:42:37 localhost snort[707]:  53
Mar  5 21:42:37 localhost snort[707]:  
Mar  5 21:42:38 localhost snort[707]: FATAL ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi

醉殇 2022-10-01 02:21:51

)(*&^%$#@!@#¥%……&*()

沉默吗?只能顶到有高手来为止了!

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文