實(shí)驗(yàn)指導(dǎo)手冊參考snort的配置與使用

1、 11）21）系統(tǒng)環(huán)境：Windows XP/Windows JDK：jdk-6u17-windows-i586.exe（可選TOMCAT：apache-tomcat-5.5.30.exe（可選：-5.5.15- 11）21）系統(tǒng)環(huán)境：Windows XP/Windows JDK：jdk-6u17-windows-i586.exe（可選TOMCAT：apache-tomcat-5.5.30.exe（可選：-5.5.15-3 安裝3.1.1JDK 版本：jdk-6u17-windows-/ / 變量變量 將的文件拷貝到將的文件拷貝到 ii) 將apache-tomcat-5.5.30server

2、webapps admin 件夾c:ProgramFilesApacheSoftwareFoundationTomcat5.5serverwebapps ii) 將apache-tomcat-5.5.30serverwebapps admin 件夾c:ProgramFilesApacheSoftwareFoundationTomcat5.5serverwebapps 安裝與配-5.5.15-步驟 1：啟命令行輸入：net;hlocalhosturoot步驟 2：步驟 1：啟命令行輸入：net;hlocalhosturoot步驟 2：Snort archive 庫（注意命令后的“;” 中建立 S

3、nort Snort createdatabasecreatedatabase步驟 3：利用以下語 grantusageon*.*to“snort”localhost”identifiedby ：setpasswordfor“snort”localhost”=grantusageon*.*to“snort”localhost”identifiedby ：setpasswordfor“snort”localhost”=和flush show下（下分別在新建的兩個(gè)庫中建，下（下分別在新建的兩個(gè)庫中建，在usesourceusesourceysql-Dsnort-uroot-;步驟 7：ysql-D

4、snort-uroot-;步驟 7：useshowuseshow3.1.4ap 安裝與配版本3.1.4ap 安裝與配版本3.1.5Snort 安裝與配版本3.1.5Snort 安裝與配版本 Snort OriginalLine(s):ipvarHOME_NETChangeto:ipvarHOME_NETOriginalLine(s):varRULE_PATHChangeto:varRULE_PATHOriginalLine(s):varSO_RULE_PATHChangeto:varSO_RULE_PATHOriginal Line(s): var PREPROC_RULE_PATH Chan

5、geto:varPREPROC_RULE_PATHOriginalLine(s):sorChange to: dynamicprepro OriginalLine(s):Changeto:dynamicengineOriginal Line(s): dynamicdetection directory Changeto:#dynamicdetectiondirectory ssor ssor frag3_engine: policy windows s overlap_limit min_fragment_length100timeoutoutputalert_fast:OriginalLin

6、e(s):#outputdatabase:log,user= password= test dbname= host= Change to: output database: log, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDSOriginalLine(s):includeChangeto:includeOriginalLine(s):includeChangeto:includeOriginalsorsornormalize_tcp:ipsecnstream sor normalize_icmp

7、4sor normalize_ip6 Change#sor# preprosornormalize_tcp:ipsecnstream # preprosor normalize_icmp4#sor#sorOriginal Line(s): preprosor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480press_depth 20480 Change to: preprosorhttp_inspect:globaliis_unicode_mapunicode.map 1252 compres

8、s_depth 65535press_depth 65535Original Line(s): # preprosorsfportscan:protoallmemcap10000000 sense_level low Change to: preprosorsfportscan:protoallmemcap10000000 sense_level low logfile portscan.log 3.1.6IDScenter安裝與Original# include $PREPROC_RULE_PATH/prepro# include $PREPROC_RULE_PATH/decoder.rul

9、es# include $PREPROC_RULE_PATH/sensitive-Changeinclude$PREPROC_RULE_PATH/preproinclude $PREPROC_RULE_PATH/decoder.rules# include $PREPROC_RULE_PATH/sensitive-OriginalLine(s):includeChangeto:include 。snort W 。snort W |Alertdetection:Files|Alertdetection:Filesnotspecifiedforalert如果“Configuration error

10、s”窗口沒有錯(cuò)誤出現(xiàn)，則整個(gè)配置過程成功完成。3.2Snort3.2.1Snort -）c:snortc”c:snortetcsnort.conf”-i2 -l3.2Snort3.2.1Snort -）c:snortc”c:snortetcsnort.conf”-i2 -l“c:snortlog”-deX( 層cketd e參數(shù)：顯示 。3.2.2c:snort -v -c:snort -在LOG 文件上，可以c:snortbin-snort c:snortlog - Snort c:snortbin-snort -c:snortlog -b - Snort c:snortbin-snort -c:snortlog -b - 下會生成一個(gè)名如 PCAP檢測本身是一件很復(fù)雜的事情。Snort 善的 rules，定時(shí)更新 snort.conf Snort 在IDScenter中的Wi