mysql> grant usage on *.* to "acid"@"localhost";
mysql> grant usage on *.* to "snort"@"localhost";
12. Set passwords for the acid user and the snort user with the following statements:
################################################################################
create database snort;
create database snort_archive;
grant usage on *.* to "acid"@"localhost";
grant usage on *.* to "snort"@"localhost";
set password for "acid"@"localhost" = password('123');
set password for "snort"@"localhost" = password('123');
grant select,insert,update,delete,create,alter on snort.* to "acid"@"localhost";
grant select,insert,update,delete,create,alter on snort_archive.* to "acid"@"localhost";
grant select,insert,update,delete,create,alter on snort.* to "snort"@"localhost";
grant select,insert,update,delete,create,alter on snort_archive.* to "snort"@"localhost";
#################################################################################
Then run c:\>mysql -D mysql -u root -p < c:\snort_mysql.txt)
14. Use the create_mysql script in c:\snort\schemas to create, in each of the new databases, the tables Snort needs to run:
c:\mysql\bin\mysql -D snort -u root -p < c:\snort\schemas\create_mysql
c:\mysql\bin\mysql -D snort_archive -u root -p < c:\snort\schemas\create_mysql
(Alternatively, copy the create_mysql file from C:\Snort\schemas to C:\mysql\bin and run mysql> source create_mysql in each of the snort and snort_archive databases.)
15. Install adodb: extract adodb495a to c:\php\adodb.
16. Install the jpgraph library: extract jpgraph-2.2.tar to c:\php\jpgraph,
then edit C:\php\jpgraph\src\jpgraph.php and add the following line:
DEFINE("CACHE_DIR","/tmp/jpgraph_cache/");
17. Install ACID: extract acid-0.9.6b23.tar to c:\apache\htdocs\acid,
then change the following lines of C:\Apache\htdocs\acid\acid_conf.php to:
$DBlib_path = "c:\php\adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "3306";
$alert_user = "acid";
$alert_password = "123";
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "3306";
$archive_user = "acid";
$archive_password = "123";
$ChartLib_path = "c:\php\jpgraph\src";
17. Open http://127.0.0.1/acid/acid_db_setup.php in a browser and click the "Create ACID AG" button so that the system automatically creates the tables ACID needs in MySQL.
18. Basic Snort configuration: open the snort.conf file in c:\Snort\etc and change the following lines to:
dynamicengine c:\Snort\lib\snort_dynamicengine\sf_engine.dll
dynamicpreprocessor directory c:\Snort\lib\snort_dynamicpreprocessor
var RULE_PATH c:/snort/rules
include c:\snort\etc\classification.config
include c:\Snort\etc\reference.config
19. Configure Snort's output plugin: open the snort.conf file in c:\Snort\etc and add the following line:
output database: alert, Mysql, host=localhost port=3306 dbname=snort user=root password=123 sensor_name=n encoding=ascii detail=Full
(Note: if MySQL and Snort are not on the same server, replace "localhost" with the IP address of the MySQL server.)
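As an added example (not part of the original tutorial), a small Python checker that parses the `output database:` line from step 19 and flags the settings a defender would tighten before deploying: the plugin connecting as MySQL root instead of the dedicated snort account created in step 13, the short password, and the placeholder sensor name. The sample configuration text and the 12-character password threshold are constructed assumptions.

```python
import re

# Constructed sample: the output line from step 19 of this tutorial plus a
# commented-out variant that uses the dedicated "snort" account from step 13.
SAMPLE_CONF = """\
var RULE_PATH c:/snort/rules
output database: alert, Mysql, host=localhost port=3306 dbname=snort user=root password=123 sensor_name=n encoding=ascii detail=Full
# output database: log, mysql, host=localhost port=3306 dbname=snort user=snort password=123 sensor_name=n encoding=ascii detail=Full
"""

# Matches "output database: <facility>, <backend>, <key=value ...>"
OUTPUT_RE = re.compile(
    r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", re.IGNORECASE
)

MIN_PASSWORD_LEN = 12  # assumed local policy, not a Snort or MySQL requirement


def parse_output_database(conf_text):
    """Return one dict per active (uncommented) 'output database:' line."""
    entries = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out plugin lines are inactive
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        facility, backend, params = m.groups()
        kv = dict(p.split("=", 1) for p in params.split() if "=" in p)
        entries.append({"facility": facility, "backend": backend.lower(), **kv})
    return entries


def audit_output_database(entries):
    """Return a list of findings for the parsed output plugin entries."""
    findings = []
    for e in entries:
        if e.get("user", "").lower() == "root":
            findings.append("plugin connects as MySQL root; use the dedicated snort account")
        if len(e.get("password", "")) < MIN_PASSWORD_LEN:
            findings.append("database password is shorter than %d characters" % MIN_PASSWORD_LEN)
        if e.get("host") not in (None, "localhost", "127.0.0.1"):
            findings.append("database traffic leaves the host; restrict port 3306 to the sensor")
        if e.get("sensor_name") in (None, "n"):
            findings.append("sensor_name is the placeholder 'n'; give each sensor a distinct name")
    return findings


if __name__ == "__main__":
    for finding in audit_output_database(parse_output_database(SAMPLE_CONF)):
        print("FINDING:", finding)
```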
20. Add response rules for Snort, or configure Snort's rules; existing rules can also be downloaded from the Internet.
This example uses an existing rule package, snortrules-snapshot-CURRENT.tar, extracted to c:\snort.
21. Test that Snort works properly with the following commands:
c:\>snort -dev: if you see the running pig, Snort is working properly
c:\>snort -W: lists the numbers of the local network adapters
c:\>snort -c c:\snort\etc\snort.conf -l c:\snort\log -devX: tests that the configuration file works. However, the web-misc.rules file in the snortrules-snapshot-CURRENT.tar package has a problem, so to let the rest of the intrusion detection run normally, edit c:\Snort\etc\snort.conf and comment out the line include $RULE_PATH/web-misc.rules by prefixing it with #.
22. IDSCenter can be used to configure Snort; here a default installation of IDSCenter11rc4 is used.
23. SAM requires Java, so first install jre-1_5_0_12-windows-i586-p. After that, extract sam_20050206_bin to c:\, go to c:\sam\ and double-click sam.jar to run SAM.
24. Run Snort to capture packets and perform intrusion detection. At the command prompt enter:
c:\>snort -c "c:\snort\etc\snort.conf" -i 2 -l "c:\snort\log" -deX
The -X option logs raw packet data at the data link layer
The -d option logs application-layer data
The -e option displays/logs the layer 2 header data
The -c option specifies the path to Snort's configuration file
The -i option specifies the number of the network adapter to monitor
Then use SAM and ACID to monitor the server.
25. More Snort helper tools:
Snortsnarf http://www.silicondefense.com/software/snortsnarf
Snortplot.php http://www.snort.org/dl/contrib/data_analysis/snortplot.pl
Swatch http://acidlab.sourceforge.net
Demarc http://www.demarc.com
Razorback http://www.intersectalliance.com/projects/razorback/index.html
Incident.pl http://www.cse.fau.edu/~valankar/incident
Loghog http://sourceforge.net/project/loghog
Oinkmaster http://www.algonet.se/~nitzer/oinkmaster
Sneakyman http://sneak.sourceforge.net
Snortreport http://www.circurtsmaximus.com/download.html