Linux AS 3.0系统被人攻击。如果解决?
Linux AS 3.0系统被人攻击。如果解决?如何使用系统自带的防火墙?比如:iptables这个我开了。不过好象没有用的。应该要怎样设置呢?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
Linux AS 3.0系统被人攻击。如果解决?如何使用系统自带的防火墙?比如:iptables这个我开了。不过好象没有用的。应该要怎样设置呢?
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
发布评论
评论(5)
“被人攻击”这个描述太模糊
被谁攻击?
用netstat -na看来源
攻击目标是什么?
用netstat -nap和top看哪些端口和哪些进程正在遭受攻击
用何种方式攻击?
使用tcpdump抓包并用ethereal对抓包结果进行分析
......
以上思路只是抛砖引玉
如果还是一点头绪也没有
建议拔网线或者干脆拔电源
想清楚了再上电联网
你自己扫描下自己把。
看开了呢些端口。
把不用的服务关了
被DDOS攻击了,80端口给搞死了,拒绝服务攻击,服务器的流量不会很大,但WEB服务无法启动了,LINUX下用什么防火墙可以防一下,开启iptables,没有做用,可能是配置不对,iptables起不了做用,
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9010 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 218.16.120.80:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 218.16.120.80:80 219.131.45.207:21278 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.129.175.45:2969 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.129.175.45:2968 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.129.175.45:2971 ESTABLISHED
tcp 0 0 218.16.120.80:80 222.78.248.8:64039 ESTABLISHED
tcp 0 0 218.16.120.80:80 60.180.167.31:2714 ESTABLISHED
tcp 0 0 218.16.120.80:80 222.78.248.8:64040 ESTABLISHED
tcp 0 0 218.16.120.80:80 60.180.167.31:2482 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.185.208.82:63876 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.185.208.82:63873 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.185.208.82:63872 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.185.208.82:63875 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.185.208.82:63874 ESTABLISHED
tcp 0 0 218.16.120.80:80 221.233.202.148:4247 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.83.67.69:30090 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.83.67.69:30094 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.131.45.207:21323 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.131.45.207:21324 ESTABLISHED
tcp 0 0 218.16.120.80:80 221.233.202.148:4248 ESTABLISHED
tcp 0 0 218.16.120.80:80 222.89.253.171:1048 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.151.49:1765 ESTABLISHED
tcp 0 0 218.16.120.80:80 222.89.253.171:1046 ESTABLISHED
tcp 0 0 218.16.120.80:25 61.141.175.87:3991 TIME_WAIT
tcp 0 0 218.16.120.80:80 220.170.151.49:1772 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.151.49:1773 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.129.175.45:2808 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.129.175.45:2831 ESTABLISHED
tcp 0 0 127.0.0.1:32768 127.0.0.1:32771 ESTABLISHED
tcp 0 0 218.16.120.80:80 222.78.248.8:63155 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.131.45.207:22917 ESTABLISHED
tcp 0 0 218.16.120.80:80 221.233.202.148:4176 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.149.175.33:2871 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.149.175.33:2870 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.131.45.207:24755 ESTABLISHED
tcp 0 0 218.16.120.80:80 221.217.138.180:1845 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.9.181:2498 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.9.181:2497 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.9.181:2496 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.149.175.33:2877 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.9.181:2511 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.9.181:2510 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.149.175.33:2879 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.9.181:2509 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.149.175.33:2872 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.9.181:2506 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.149.175.33:2875 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.9.181:2518 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.185.208.82:63869 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.185.208.82:63871 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.185.208.82:63870 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.129.175.45:2881 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.129.175.45:2882 ESTABLISHED
tcp 0 0 218.16.120.80:80 221.233.202.148:4119 ESTABLISHED
tcp 0 0 218.16.120.80:80 221.233.202.148:4117 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.9.181:2494 ESTABLISHED
tcp 0 0 218.16.120.80:80 60.180.167.31:2904 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.170.9.181:2493 ESTABLISHED
tcp 0 0 218.16.120.80:80 210.21.209.207:57238 ESTABLISHED
tcp 0 0 218.16.120.80:80 222.175.36.170:1980 ESTABLISHED
tcp 0 0 218.16.120.80:80 222.175.36.170:1983 ESTABLISHED
tcp 0 0 218.16.120.80:80 210.21.209.207:9090 ESTABLISHED
tcp 0 0 218.16.120.80:80 221.233.202.148:4159 ESTABLISHED
tcp 0 0 218.16.120.80:80 210.21.209.207:9088 ESTABLISHED
tcp 0 0 218.16.120.80:80 222.175.36.170:1965 ESTABLISHED
tcp 0 0 218.16.120.80:80 210.21.209.207:9093 ESTABLISHED
tcp 1 0 218.16.120.80:80 218.85.247.154:1612 CLOSE_WAIT
tcp 0 0 218.16.120.80:80 222.50.31.166:50147 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.13.42.87:1248 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.13.42.87:1249 ESTABLISHED
tcp 1 0 218.16.120.80:80 218.85.247.154:2667 CLOSE_WAIT
tcp 0 0 218.16.120.80:80 222.50.31.166:50118 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.85.247.154:2050 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.58.15.228:24046 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1209 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.159.167.42:3020 ESTABLISHED
tcp 0 1 218.16.120.80:53 221.219.32.89:1914 LAST_ACK
tcp 0 0 218.16.120.80:80 219.159.167.42:3014 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.20.123.244:50818 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.159.167.42:3062 ESTABLISHED
tcp 0 0 218.16.120.80:80 219.159.167.42:3057 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1414 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1415 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1412 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1413 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1411 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1416 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.65.221.88:1738 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1398 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.65.221.88:1739 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1399 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.104.83.184:51312 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.65.221.88:1736 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1396 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.65.221.88:1737 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1397 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.65.221.88:1742 ESTABLISHED
tcp 1 0 218.16.120.80:80 218.85.247.154:1997 CLOSE_WAIT
tcp 0 0 218.16.120.80:80 61.145.239.6:1394 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1395 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.65.221.88:1740 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1392 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1393 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.13.42.87:1398 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1406 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.13.42.87:1399 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1407 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.13.42.87:1396 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1404 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.13.42.87:1397 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1405 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.13.42.87:1394 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1402 ESTABLISHED
tcp 0 0 218.16.120.80:80 60.180.165.152:2165 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.13.42.87:1395 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1403 ESTABLISHED
tcp 0 0 218.16.120.80:80 60.180.165.152:2166 ESTABLISHED
tcp 1 0 218.16.120.80:80 218.85.247.154:1991 CLOSE_WAIT
tcp 0 0 218.16.120.80:80 61.145.239.6:1400 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1401 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1382 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1383 ESTABLISHED
tcp 1 0 218.16.120.80:80 218.85.247.154:2011 CLOSE_WAIT
tcp 0 0 218.16.120.80:80 61.145.239.6:1381 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1390 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1391 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.65.221.88:1744 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1388 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1389 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1386 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1387 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1384 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1385 ESTABLISHED
tcp 1 0 218.16.120.80:80 218.85.247.154:2006 CLOSE_WAIT
tcp 1 0 218.16.120.80:80 218.85.247.154:2028 CLOSE_WAIT
tcp 1 0 218.16.120.80:80 218.85.247.154:2019 CLOSE_WAIT
tcp 1 0 218.16.120.80:80 218.85.247.154:2023 CLOSE_WAIT
tcp 1 0 218.16.120.80:80 218.85.247.154:2022 CLOSE_WAIT
tcp 0 0 218.16.120.80:80 219.145.110.181:3727 ESTABLISHED
tcp 1 0 218.16.120.80:80 218.85.247.154:2032 CLOSE_WAIT
tcp 1 0 218.16.120.80:80 218.85.247.154:2039 CLOSE_WAIT
tcp 0 0 218.16.120.80:80 61.134.59.244:2298 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.65.221.88:1166 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.65.221.88:1167 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.134.59.244:2295 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.166.127.102:1504 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1060 ESTABLISHED
tcp 0 0 218.16.120.80:80 218.65.221.88:1168 ESTABLISHED
tcp 0 0 218.16.120.80:80 60.180.165.152:1570 ESTABLISHED
tcp 1 0 218.16.120.80:80 218.85.247.154:2453 CLOSE_WAIT
tcp 1 0 218.16.120.80:80 218.85.247.154:1962 CLOSE_WAIT
tcp 0 0 218.16.120.80:80 61.145.239.6:1054 ESTABLISHED
tcp 0 0 218.16.120.80:80 61.145.239.6:1055 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.166.127.102:1500 ESTABLISHED
tcp 0 0 218.16.120.80:80 220.166.127.102:1502 ESTABLISHED
tcp 1 0 218.16.120.80:80 218.85.247.154:1977 CLOSE_WAIT
tcp 0 0 ::ffff:127.0.0.1:6802 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 532 ::ffff:218.16.120.80:22 ::ffff:61.141.175.:3493 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:32771 ::ffff:127.0.0.1:32768 ESTABLISHED
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp 0 0 218.16.120.80:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 304 :::32768 :::*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 3676 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 3185 /var/lib/mysql/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 3531 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 3307 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 3314 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 3318 private/bounce
unix 2 [ ACC ] STREAM LISTENING 3322 private/defer
unix 2 [ ACC ] STREAM LISTENING 3326 public/flush
unix 2 [ ACC ] STREAM LISTENING 3330 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 3334 private/smtp
unix 2 [ ACC ] STREAM LISTENING 3338 private/relay
unix 2 [ ACC ] STREAM LISTENING 3342 public/showq
unix 2 [ ACC ] STREAM LISTENING 3346 private/error
unix 2 [ ACC ] STREAM LISTENING 3350 private/local
unix 2 [ ACC ] STREAM LISTENING 3354 private/virtual
unix 2 [ ACC ] STREAM LISTENING 3358 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 3362 private/maildrop
unix 2 [ ACC ] STREAM LISTENING 3366 private/old-cyrus
unix 2 [ ACC ] STREAM LISTENING 3370 private/cyrus
unix 2 [ ACC ] STREAM LISTENING 3374 private/uucp
unix 2 [ ACC ] STREAM LISTENING 3378 private/ifmail
unix 2 [ ACC ] STREAM LISTENING 3382 private/bsmtp
unix 2 [ ACC ] STREAM LISTENING 2947 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 3720 /var/run/dbus/system_bus_socket
unix 17 [ ] DGRAM 2753 /dev/log
unix 2 [ ACC ] STREAM LISTENING 3463 /usr/prima/tmp/aca.str
unix 3 [ ] STREAM CONNECTED 8292 private/rewrite
unix 3 [ ] STREAM CONNECTED 8291
unix 2 [ ] DGRAM 8280
unix 3 [ ] STREAM CONNECTED 8260 private/rewrite
unix 3 [ ] STREAM CONNECTED 8259
unix 3 [ ] STREAM CONNECTED 8179 private/rewrite
unix 3 [ ] STREAM CONNECTED 8178
unix 3 [ ] STREAM CONNECTED 8074 private/rewrite
unix 3 [ ] STREAM CONNECTED 8073
unix 2 [ ] DGRAM 8059
unix 2 [ ] DGRAM 8029
unix 2 [ ] DGRAM 4369
unix 2 [ ] DGRAM 4285
unix 2 [ ] DGRAM 3710
unix 2 [ ] DGRAM 3632
unix 2 [ ] DGRAM 3530
unix 2 [ ] DGRAM 3519
unix 2 [ ] DGRAM 3389
unix 2 [ ] DGRAM 3388
unix 3 [ ] STREAM CONNECTED 3385
unix 3 [ ] STREAM CONNECTED 3384
unix 3 [ ] STREAM CONNECTED 3381
unix 3 [ ] STREAM CONNECTED 3380
unix 3 [ ] STREAM CONNECTED 3377
unix 3 [ ] STREAM CONNECTED 3376
unix 3 [ ] STREAM CONNECTED 3373
unix 3 [ ] STREAM CONNECTED 3372
unix 3 [ ] STREAM CONNECTED 3369
unix 3 [ ] STREAM CONNECTED 3368
unix 3 [ ] STREAM CONNECTED 3365
unix 3 [ ] STREAM CONNECTED 3364
unix 3 [ ] STREAM CONNECTED 3361
unix 3 [ ] STREAM CONNECTED 3360
unix 3 [ ] STREAM CONNECTED 3357
unix 3 [ ] STREAM CONNECTED 3356
unix 3 [ ] STREAM CONNECTED 3353
unix 3 [ ] STREAM CONNECTED 3352
unix 3 [ ] STREAM CONNECTED 3349
unix 3 [ ] STREAM CONNECTED 3348
unix 3 [ ] STREAM CONNECTED 3345
unix 3 [ ] STREAM CONNECTED 3344
unix 3 [ ] STREAM CONNECTED 3341
unix 3 [ ] STREAM CONNECTED 3340
unix 3 [ ] STREAM CONNECTED 3337
unix 3 [ ] STREAM CONNECTED 3336
unix 3 [ ] STREAM CONNECTED 3333
unix 3 [ ] STREAM CONNECTED 3332
unix 3 [ ] STREAM CONNECTED 3329
unix 3 [ ] STREAM CONNECTED 3328
unix 3 [ ] STREAM CONNECTED 3325
unix 3 [ ] STREAM CONNECTED 3324
unix 3 [ ] STREAM CONNECTED 3321
unix 3 [ ] STREAM CONNECTED 3320
unix 3 [ ] STREAM CONNECTED 3317
unix 3 [ ] STREAM CONNECTED 3316
unix 3 [ ] STREAM CONNECTED 3313
unix 3 [ ] STREAM CONNECTED 3312
unix 3 [ ] STREAM CONNECTED 3310
unix 3 [ ] STREAM CONNECTED 3309
unix 3 [ ] STREAM CONNECTED 3306
unix 3 [ ] STREAM CONNECTED 3305
unix 3 [ ] STREAM CONNECTED 3303
unix 3 [ ] STREAM CONNECTED 3302
unix 2 [ ] DGRAM 3290
unix 2 [ ] DGRAM 3059
unix 2 [ ] DGRAM 2968
unix 2 [ ] DGRAM 2763
开的端口不少呀!看是不是被人做了代理,先停网,再架个弱点扫描,看看漏洞。这篇文章没有测试,不知道能否帮上忙!
安裝Snort + MySQL + ACID + IDS Policy Manager
前言:
目前Intrusion Dection Service非常的流行,而Snort這個程式雖然是個自由軟體,但是它的功能卻絲毫不遜於其它的商業軟體。而此篇文章另外會介紹IDS Policy Manager和ACID(Analysis Console for Intrusion Databases )來管理你的rule和分析log。
=========================================
作者: zoob (vincent@myunix.idv.tw)
版權聲明:可以任意轉載,轉載時請務必標明原始出處和作者資訊
1、準備工作
OS:RedHat 8.0
請事先安裝以下套件
(1)Apache 1.3
(2)PHP、PHP-MySQL
(3)mysqlclient9-3.23、mysql-devel-3.23、mysql-3.23、mysql-server-3.23
(4)libpcap-0.6.2
2、安裝Snort
(1)請至 http://www.snort.org 下載 snort-1.9.0-1snort.i386.rpm 和 snort-mysql-1.9.0-1snort.i386.rpm,並且請安裝起來
(2)下載 Snort-Rules,並將解壓縮並複製到/etc/snort/目錄下
(3)下載 IDS Policy Manager,解壓縮後請在Windows 平台上執行安裝程式來管理snort agent。
(4)請在IDS Policy Manager裡增加一Sensor和Policy,設定系統為1.90。
(5)啟動Policy裡面的「Loging」->;「Database」(記得打勾),並設定範例如下:
「Sensor」:Your Sensor Name
「DB Name」:snort
「DB Type」:mysql
「Encoding」:hex
「Log Rule Type」:log
「Detail」:full
「User」:snort
「User Pass」:snort
「DB Host」:localhost
「DB Port」:3306
(6)設定完畢後,請選擇「Save & Exit」
(7)針對先前增加的Sensor執行「Uppolicy to Sensor」
3、設定Mysql的DB
(1)建立一個名為「snort」的DB
代碼:
mysqladmin -u root -ppassword create snort
(2)將以下敘述存做為一檔案(ex: create_mysql)
# Copyright (C) 2000-2002 Carnegie Mellon University
#
# Maintainer: Roman Danyliw <rdd@cert.org>;, <roman@danyliw.com>;
#
# Original Author(s): Jed Pickel <jed@pickel.net>; (2000-2001)
# Roman Danyliw <rdd@cert.org>;
# Todd Schrubb <tls@cert.org>;
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
CREATE TABLE schema ( vseq INT UNSIGNED NOT NULL,
ctime DATETIME NOT NULL,
PRIMARY KEY (vseq));
INSERT INTO schema (vseq, ctime) VALUES ('106', now());
CREATE TABLE event ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
signature INT UNSIGNED NOT NULL,
timestamp DATETIME NOT NULL,
PRIMARY KEY (sid,cid),
INDEX sig (signature),
INDEX time (timestamp));
CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
sig_name VARCHAR(255) NOT NULL,
sig_class_id INT UNSIGNED NOT NULL,
sig_priority INT UNSIGNED,
sig_rev INT UNSIGNED,
sig_sid INT UNSIGNED,
PRIMARY KEY (sig_id),
INDEX sign_idx (sig_name(20)),
INDEX sig_class_id_idx (sig_class_id));
CREATE TABLE sig_reference (sig_id INT UNSIGNED NOT NULL,
ref_seq INT UNSIGNED NOT NULL,
ref_id INT UNSIGNED NOT NULL,
PRIMARY KEY(sig_id, ref_seq));
CREATE TABLE reference ( ref_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
ref_system_id INT UNSIGNED NOT NULL,
ref_tag TEXT NOT NULL,
PRIMARY KEY (ref_id));
CREATE TABLE reference_system ( ref_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
ref_system_name VARCHAR(20),
PRIMARY KEY (ref_system_id));
CREATE TABLE sig_class ( sig_class_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
sig_class_name VARCHAR(60) NOT NULL,
PRIMARY KEY (sig_class_id),
INDEX (sig_class_id),
INDEX (sig_class_name));
# store info about the sensor supplying data
CREATE TABLE sensor ( sid INT UNSIGNED NOT NULL AUTO_INCREMENT,
hostname TEXT,
interface TEXT,
filter TEXT,
detail TINYINT,
encoding TINYINT,
last_cid INT UNSIGNED NOT NULL,
PRIMARY KEY (sid));
# All of the fields of an ip header
CREATE TABLE iphdr ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
ip_src INT UNSIGNED NOT NULL,
ip_dst INT UNSIGNED NOT NULL,
ip_ver TINYINT UNSIGNED,
ip_hlen TINYINT UNSIGNED,
ip_tos TINYINT UNSIGNED,
ip_len SMALLINT UNSIGNED,
ip_id SMALLINT UNSIGNED,
ip_flags TINYINT UNSIGNED,
ip_off SMALLINT UNSIGNED,
ip_ttl TINYINT UNSIGNED,
ip_proto TINYINT UNSIGNED NOT NULL,
ip_csum SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX ip_src (ip_src),
INDEX ip_dst (ip_dst));
# All of the fields of a tcp header
CREATE TABLE tcphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
tcp_sport SMALLINT UNSIGNED NOT NULL,
tcp_dport SMALLINT UNSIGNED NOT NULL,
tcp_seq INT UNSIGNED,
tcp_ack INT UNSIGNED,
tcp_off TINYINT UNSIGNED,
tcp_res TINYINT UNSIGNED,
tcp_flags TINYINT UNSIGNED NOT NULL,
tcp_win SMALLINT UNSIGNED,
tcp_csum SMALLINT UNSIGNED,
tcp_urp SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX tcp_sport (tcp_sport),
INDEX tcp_dport (tcp_dport),
INDEX tcp_flags (tcp_flags));
# All of the fields of a udp header
CREATE TABLE udphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
udp_sport SMALLINT UNSIGNED NOT NULL,
udp_dport SMALLINT UNSIGNED NOT NULL,
udp_len SMALLINT UNSIGNED,
udp_csum SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX udp_sport (udp_sport),
INDEX udp_dport (udp_dport));
# All of the fields of an icmp header
CREATE TABLE icmphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
icmp_type TINYINT UNSIGNED NOT NULL,
icmp_code TINYINT UNSIGNED NOT NULL,
icmp_csum SMALLINT UNSIGNED,
icmp_id SMALLINT UNSIGNED,
icmp_seq SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX icmp_type (icmp_type));
# Protocol options
CREATE TABLE opt ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
optid INT UNSIGNED NOT NULL,
opt_proto TINYINT UNSIGNED NOT NULL,
opt_code TINYINT UNSIGNED NOT NULL,
opt_len SMALLINT,
opt_data TEXT,
PRIMARY KEY (sid,cid,optid));
# Packet payload
CREATE TABLE data ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
data_payload TEXT,
PRIMARY KEY (sid,cid));
# encoding is a lookup table for storing encoding types
CREATE TABLE encoding(encoding_type TINYINT UNSIGNED NOT NULL,
encoding_text TEXT NOT NULL,
PRIMARY KEY (encoding_type));
INSERT INTO encoding (encoding_type, encoding_text) VALUES (0, 'hex');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii');
# detail is a lookup table for storing different detail levels
CREATE TABLE detail (detail_type TINYINT UNSIGNED NOT NULL,
detail_text TEXT NOT NULL,
PRIMARY KEY (detail_type));
INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast');
INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full');
# be sure to also use the snortdb-extra tables if you want
# mappings for tcp flags, protocols, and ports
(3)匯入create_mysql檔案
代碼:
mysql -u root -ppassword snort < create_mysql
(4)建立MySQL的snort使用者
代碼:
mysql -u root -ppassword snort mysql>; grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost; mysql>; connect mysql; mysql>; set password for 'snort'@'localhost' = password('snort'); mysql>; set password for 'snort'@'%' = password('snort'); mysql>; flush privileges; mysql>; exit;
4、安裝ACID
(1)安裝ACID 0.9.6B23 http://acidlab.sourceforge.net/
將acid-0.9.*.tar.gz解壓縮至/var/www/html 目錄下
(2)安裝 ADODB v2.31 http://php.weblogs.com/adodb
將adodb231.tgz 解壓縮至/var/www/html 目錄下
(3)安裝 PHPLOT v4.4.6 http://www.phplot.com/
將phplot-4.4.6.tar.gz 解壓縮至/var/www/html 目錄下,並將phplot-4.4.6目錄更名為phplot
(4)安裝 GD v1.8.4 http://www.boutell.com/gd/
將gd-1.8.4.tar.gz 解壓縮至/var/www/html 目錄下,並將gd-1.8.4目錄更名為gd
(5)安裝 JPGraph v1.11 http://www.aditus.nu/jpgraph/
解壓縮後,將src目錄下的所有檔案複製到/var/www/html/phplot目錄下
(6)設定acid_conf.php,範例如下:
$DBlib_path="../adodb";
$alert_dbname="snort";
$alert_user="snort";
$alert_password="snort";
$Chartlib_path="../phplot";
5、啟動相關服務
(1)啟動mysqld service
(2)啟動httpd service
(3)啟動snortd service
啟動前先要修改/etc/rc.d/init.d/snortd
將start區段內的
代碼:
daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D -i $INTERFACE -c /etc/snort/snort.conf
修改為
代碼:
daemon /usr/sbin/snort -b -d -D -i $INTERFACE -c /etc/snort/snort.conf
並將INTERFACE對應到你要修改的介面卡,EX INTERFACE=eth1
切換至/etc/rc.d/init.d 目錄下,執行 chkconfig --level 2345 snortd on,讓你在開機時可以自動啟動服務。