[分享]開放原始碼的入侵偵測系統:Snort
- 主題發起人 夢夢狐
- 開始日期
會只偵測第一張網路卡......
在Linux平臺,沒有手動指定的話會只偵測eth0
而在Windows平臺,則一定要設參數設定要偵測的網路卡
Snort所認定的網路卡順序請用 [作業系統槽]\snort\bin\snort -W 查看
不過建議還是手動設定要偵測的網路卡比較好。有些小問題如果沒指定網路卡就會跑出來
Snort因為很消耗電腦效能(流量大的時候),所以預設是只能偵測一張的
-------------------------------------------------------------------------------------
還有......很對不起的是,要問問題可以,
但本討論串自今日起笨笨狐不接受PM發問......
請直接像這篇一樣用回覆的發問,謝謝。
有幾位網友為了問我問題而註冊,發了PM,結果笨笨狐撥時間回覆發了回去,
之後在幾個月後,去查看PM回條功能結果發現那些人到現在都沒有開來看過Orz
(好心酸呀......炸)
有沒有說感謝在下並不是那麼重視,但至少不要問了就跑沒用到
別人的解答連開來看都不開結果浪費別人的時間......
為了那些問題,有時笨笨狐還要開電腦去重新摸一次耶=w=|||
(嗯......不過前面幾位有回覆的人笨笨狐也在這裡說聲謝謝喔~>w<)
再來~~大大能不能說明一下ACID裡面的功能~~
簡單介紹~~像如何看~~
又有啥功能之類的~~
因為>"< 比我視窗版的防火牆還難懂~~~
我用netlimiter 2 pro看的連線IP在ACID裡面看不到>"<
可是又有正確運作~~怪怪~~~
那要如何做~~才可以監視兩張網卡??
我現在再用Vmware + Red Hat Enterprise AS 4 有用兩張網卡~~
之後做NAT~~~
所以有想要用監視兩張網卡的方法~~
再來~~能否用到遠端管理~~
是不是我在MYSQL裡面的帳號snort 和 acid 裡面加入遠端的連線即可??
因為我還沒有裝~~就先簡略問一下~~
我正在準備套件跟安裝方法~~
拜託大大指點一下囉~~
簡單介紹~~像如何看~~
又有啥功能之類的~~
因為>"< 比我視窗版的防火牆還難懂~~~
我用netlimiter 2 pro看的連線IP在ACID裡面看不到>"<
可是又有正確運作~~怪怪~~~
那要如何做~~才可以監視兩張網卡??
我現在再用Vmware + Red Hat Enterprise AS 4 有用兩張網卡~~
之後做NAT~~~
所以有想要用監視兩張網卡的方法~~
再來~~能否用到遠端管理~~
是不是我在MYSQL裡面的帳號snort 和 acid 裡面加入遠端的連線即可??
因為我還沒有裝~~就先簡略問一下~~
我正在準備套件跟安裝方法~~
拜託大大指點一下囉~~
最後編輯:
大大~~~我先安裝
snort-2.6.1.2-1.RHEL4.i386.rpm
在安裝
snort-mysql-2.6.1.2-1.RHEL4.i386.rpm
結果都會出現說我沒有安裝
libmysqlclient
可是我安裝AS4時是用最大安裝~~
我看MYSQL跟HTTP裡面我都有安裝捏~~~
怎會這樣?
snort-2.6.1.2-1.RHEL4.i386.rpm
在安裝
snort-mysql-2.6.1.2-1.RHEL4.i386.rpm
結果都會出現說我沒有安裝
libmysqlclient
可是我安裝AS4時是用最大安裝~~
我看MYSQL跟HTTP裡面我都有安裝捏~~~
怎會這樣?
snort: /usr/lib/mysql/libmysqlclient.so.14: no version information available (required by snort)
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
2833 Snort rules read...
2833 Option Chains linked into 196 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Tagged Packet Limit: 256
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/lib/snort-2.6.1.2_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/lib/snort-2.6.1.2_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/lib/snort-2.6.1.2_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort-2.6.1.2_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort-2.6.1.2_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort-2.6.1.2_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort-2.6.1.2_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/lib/snort-2.6.1.2_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
DCE/RPC Decoder config:
Autodetect ports ENABLED
SMB fragmentation ENABLED
DCE/RPC fragmentation ENABLED
Max Frag Size: 3000 bytes
Memcap: 100000 KB
Alert if memcap exceeded DISABLED
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
35 out of 512 flowbits in use.
***
*** interface device lookup found: eth0
***
Initializing Network Interface eth0
Decoding Ethernet on interface eth0
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size : 256 Chars
| Sizeof State : 2 bytes
| Storage Format : Full
| Num States : 68436
| Num Transitions : 1745434
| State Density : 10.0%
| Finite Automatum : DFA
| Memory : 65.31Mbytes
+-------------------------------------------------------------
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.6.1.2 (Build 34)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_DNS Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
Not Using PCAP_FRAMES
這是執行後的狀態~~
為啥MYSQL都連不上??我都照做了~~~
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
2833 Snort rules read...
2833 Option Chains linked into 196 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Tagged Packet Limit: 256
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/lib/snort-2.6.1.2_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/lib/snort-2.6.1.2_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/lib/snort-2.6.1.2_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort-2.6.1.2_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort-2.6.1.2_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort-2.6.1.2_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort-2.6.1.2_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/lib/snort-2.6.1.2_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
DCE/RPC Decoder config:
Autodetect ports ENABLED
SMB fragmentation ENABLED
DCE/RPC fragmentation ENABLED
Max Frag Size: 3000 bytes
Memcap: 100000 KB
Alert if memcap exceeded DISABLED
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
35 out of 512 flowbits in use.
***
*** interface device lookup found: eth0
***
Initializing Network Interface eth0
Decoding Ethernet on interface eth0
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size : 256 Chars
| Sizeof State : 2 bytes
| Storage Format : Full
| Num States : 68436
| Num Transitions : 1745434
| State Density : 10.0%
| Finite Automatum : DFA
| Memory : 65.31Mbytes
+-------------------------------------------------------------
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.6.1.2 (Build 34)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_DNS Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
Not Using PCAP_FRAMES
這是執行後的狀態~~
為啥MYSQL都連不上??我都照做了~~~
很對不起,目前手邊電腦Linux重灌掉了(Sorry......)
所以可能暫時還沒辦法實做......有些問題回的不是很詳細請見諒。
1.在Win平台個人是這樣啦,每次都是用手動開......因為主要還是在Linux上用
可以試試看寫批次檔放在啟動資料夾?和人借過本書裡面好像是把程式作成服務吧,但笨笨狐並沒有詳細看......
在Linux上,如果用RPM裝的話裝成功就會在服務那邊出現了
設定成每次開機就啟動就好。
2.因為Snort是個入侵偵測系統,只會把有危險性的封包紀錄起來
所以正常時在ACID是看不到東西的(因為通過的都是正常的封包)
在偵測到惡意封包後畫面會有紅色的長條表示百分比
然後數字方面是可以選的,選了以後會跳到那個數字所代表的區域
(TCP、UDP還是ICMP,或著是左邊的各項top 10)
按封包的名稱就可以看到攻擊的名稱,ICRT當初發布這個安全性警報的網頁(有的不會有)、檔頭(來源及目的IP之類)
以及下面是整個封包的全部二進位內容XD
至於多網卡的應用,這裡是有寫......不過在手邊沒電腦的情況下沒辦法確定是否可行@ @|||
http://forum.icst.org.tw/phpBB2/viewtopic.php?t=2974
一般而言最常用的還是裝在多臺電腦(因流量問題.....),然後結果放在同一個遠端MySQL資料庫裡
3. & 4.
你用的作業系統所使用的MySQL使用者端程式(libmysqlclient.so.xx)
有裝是沒錯啦,但是版本和在下的可能不一樣......
因為在下是使用CentOS,可能AS4是使用不一樣的終端了。
RPM裡的編譯完成檔和閣下的作業系統不同可能配不起來,所以可能要用tar.gz原始碼安裝
(或著先改用FC5版的snort裝看看......)
想請問一下閣下會不會用tar.gz原始碼編譯的方式安裝程式......因為這種裝法就不會有這種相容性問題了!@w@
不過比較麻煩Orz
------------------------------------------------------------------------------------
實用上使用ACID時請小心喔,可能要用Apache把ACID網頁改成鎖上密碼
不然會被偷看......XD
ACID是使用php架構,運行起來其實就像網頁一樣......
所以可能暫時還沒辦法實做......有些問題回的不是很詳細請見諒。
1.在Win平台個人是這樣啦,每次都是用手動開......因為主要還是在Linux上用
可以試試看寫批次檔放在啟動資料夾?和人借過本書裡面好像是把程式作成服務吧,但笨笨狐並沒有詳細看......
在Linux上,如果用RPM裝的話裝成功就會在服務那邊出現了
設定成每次開機就啟動就好。
2.因為Snort是個入侵偵測系統,只會把有危險性的封包紀錄起來
所以正常時在ACID是看不到東西的(因為通過的都是正常的封包)
在偵測到惡意封包後畫面會有紅色的長條表示百分比
然後數字方面是可以選的,選了以後會跳到那個數字所代表的區域
(TCP、UDP還是ICMP,或著是左邊的各項top 10)
按封包的名稱就可以看到攻擊的名稱,ICRT當初發布這個安全性警報的網頁(有的不會有)、檔頭(來源及目的IP之類)
以及下面是整個封包的全部二進位內容XD
至於多網卡的應用,這裡是有寫......不過在手邊沒電腦的情況下沒辦法確定是否可行@ @|||
http://forum.icst.org.tw/phpBB2/viewtopic.php?t=2974
一般而言最常用的還是裝在多臺電腦(因流量問題.....),然後結果放在同一個遠端MySQL資料庫裡
3. & 4.
你用的作業系統所使用的MySQL使用者端程式(libmysqlclient.so.xx)
有裝是沒錯啦,但是版本和在下的可能不一樣......
因為在下是使用CentOS,可能AS4是使用不一樣的終端了。
RPM裡的編譯完成檔和閣下的作業系統不同可能配不起來,所以可能要用tar.gz原始碼安裝
(或著先改用FC5版的snort裝看看......)
想請問一下閣下會不會用tar.gz原始碼編譯的方式安裝程式......因為這種裝法就不會有這種相容性問題了!@w@
不過比較麻煩Orz
------------------------------------------------------------------------------------
實用上使用ACID時請小心喔,可能要用Apache把ACID網頁改成鎖上密碼
不然會被偷看......XD
ACID是使用php架構,運行起來其實就像網頁一樣......
