
1.1. Requirements analysis

Install an intrusion detection system based on Snort. Snort's logs are written to a MySQL database, and the administrator follows them through the web interface of BASE (Basic Analysis And Security Engine). The packages to install are:
- Server configuration tools: keep the defaults.
- Web server: Apache, PHP, php_mysql, phpMyAdmin.
- MySQL database: mysql-connector-odbc, mysql-server, mysql-client, mysql-devel, php-mysql.
- Support libraries for Snort: libpcap (both the libpcap and libpcap-devel packages if installing from rpm; building from source is recommended), Bison, libpcre and libnet.
- The Snort-2.8.4.1 package itself.

1.1.1. Installing the Server configuration tools:

The Server configuration tools are used to store Snort's alerts in the MySQL database; BASE (Basic Analysis And Security Engine) then draws the analysis charts for the system. Install them as follows.
Install Apache:
sudo apt-get install apache2
Install PHP5:
sudo apt-get install php5 libapache2-mod-php5
Install phpMyAdmin:
sudo apt-get install phpmyadmin
Install MySQL:
sudo apt-get install mysql-server mysql-client
During the MySQL installation you are asked for the user and password used to access the MySQL server.

1.1.2. Installing the Bison, libpcap, libpcre and libnet libraries.


1.1.2.1. Installing the flex library.

To compile libpcap successfully, the supporting library flex must be installed first. Download flex from http://biznetnetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz and install it with the following steps.
Download flex to the machine:
root@Ubuntu:/home/chau/Desktop/Install# wget http://biznetnetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz
Copy the flex archive to the build directory:
root@Ubuntu:/home/chau/Desktop/Install# cp flex-2.5.35.tar.gz /usr/local/
Change to the build directory:
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
Extract flex:
root@Ubuntu:/usr/local# tar -xvzf flex-2.5.35.tar.gz
Change to flex-2.5.35:
root@Ubuntu:/usr/local# cd flex-2.5.35
Configure, compile and install flex:
root@Ubuntu:/usr/local/flex-2.5.35# ./configure
root@Ubuntu:/usr/local/flex-2.5.35# make && make install

1.1.2.2. Installing the Bison library:

The steps are the same as for flex.
root@Ubuntu:/home/chau/Desktop/Install# wget http://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp bison-2.4.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf bison-2.4.1.tar.gz
root@Ubuntu:/usr/local# cd bison-2.4.1
root@Ubuntu:/usr/local/bison-2.4.1# ./configure
root@Ubuntu:/usr/local/bison-2.4.1# make && make install

1.1.2.3. Installing libpcap

Install libpcap from source: http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp libpcap-1.0.0.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf libpcap-1.0.0.tar.gz
root@Ubuntu:/usr/local# cd libpcap-1.0.0
root@Ubuntu:/usr/local/libpcap-1.0.0# ./configure
root@Ubuntu:/usr/local/libpcap-1.0.0# make && make install

1.1.2.4. Installing pcre

root@Ubuntu:/home/chau/Desktop/Install# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp pcre-7.9.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf pcre-7.9.tar.gz
root@Ubuntu:/usr/local# cd pcre-7.9
root@Ubuntu:/usr/local/pcre-7.9# ./configure
root@Ubuntu:/usr/local/pcre-7.9# make && make install

1.1.2.5. Installing libnet:

root@Ubuntu:/home/chau/Desktop/Install# wget ftp://64.50.238.52/.1/gentoo/distfiles/libnet-1.1.2.1.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp libnet-1.1.2.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local/
root@Ubuntu:/usr/local# tar -xvzf libnet-1.1.2.1.tar.gz
Note that this archive unpacks into a directory named libnet, not libnet-1.1.2.1:
root@Ubuntu:/usr/local# cd libnet
root@Ubuntu:/usr/local/libnet# ./configure
root@Ubuntu:/usr/local/libnet# make && make install

1.1.3. Installing Snort:

root@Ubuntu:/home/chau/Desktop/Install# wget http://www.procyonlabs.com/mirrors/snort/snort-2.8.4.1.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp snort-2.8.4.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local/
root@Ubuntu:/usr/local# tar -xvzf snort-2.8.4.1.tar.gz
root@Ubuntu:/usr/local# cd snort-2.8.4.1
root@Ubuntu:/usr/local/snort-2.8.4.1# ./configure --with-mysql
root@Ubuntu:/usr/local/snort-2.8.4.1# make && make install
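Every library above, and Snort itself, is fetched as a source tarball from a mirror and unpacked with tar -xvzf straight into /usr/local. The Python below is an added example, not part of this guide or of any of those projects; it performs the two checks a practitioner wants before that unpack step: the archive's SHA-256 matches a value taken from the project's release page (the entry in EXPECTED_SHA256 is a placeholder, since the guide lists no digests), and every archive member unpacks below one top-level directory, which is also the directory name the next "cd" needs (libnet-1.1.2.1.tar.gz unpacks into libnet, as the guide's commands show). make_sample_tarball only constructs demo input in memory.

```python
import hashlib
import io
import tarfile
from typing import Dict, List, Optional

# Added example, not part of the original guide. Before "tar -xvzf" of a
# downloaded source tarball (flex, bison, libpcap, pcre, libnet, snort) it
# checks two things: the SHA-256 matches a value obtained from the project's
# release page, and every member unpacks below a single top-level directory
# (no absolute path, no "..", no link escaping the tree). EXPECTED_SHA256
# holds a placeholder, not a real digest.

EXPECTED_SHA256: Dict[str, str] = {
    "snort-2.8.4.1.tar.gz": "<sha256 taken from the Snort release page>",  # placeholder
}


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the raw tarball bytes."""
    return hashlib.sha256(data).hexdigest()


def _escapes_tree(path: str) -> bool:
    """True if a member name or link target could leave the unpack directory."""
    return path.startswith("/") or ".." in path.split("/")


def _member_is_safe(member: tarfile.TarInfo, top: str) -> bool:
    """True if the member (and, for links, its target) stays below `top`."""
    if _escapes_tree(member.name) or member.name.split("/")[0] != top:
        return False
    if (member.issym() or member.islnk()) and _escapes_tree(member.linkname):
        return False
    return True


def inspect_tarball(data: bytes, expected_sha256: Optional[str] = None) -> str:
    """Return the single top-level directory the archive unpacks into.
    That name is what the guide's next "cd" needs, and it is not always the
    tarball name (libnet-1.1.2.1.tar.gz unpacks into "libnet"). Raise
    ValueError on a hash mismatch or on a member that escapes the tree."""
    if expected_sha256 is not None and sha256_of(data) != expected_sha256:
        raise ValueError("sha256 mismatch: do not extract this archive")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        members: List[tarfile.TarInfo] = tf.getmembers()
    if not members:
        raise ValueError("empty archive")
    top = members[0].name.split("/")[0]
    for m in members:
        if not _member_is_safe(m, top):
            raise ValueError(f"member escapes {top}/: {m.name}")
    return top


def make_sample_tarball(files: Dict[str, bytes]) -> bytes:
    """Build a small .tar.gz in memory; constructed demo input only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_tarball({"libnet/configure": b"#!/bin/sh\n",
                                  "libnet/src/libnet_init.c": b"int x;\n"})
    print(inspect_tarball(sample, sha256_of(sample)))  # libnet
```

Run it against a real download by reading the file's bytes and passing the digest you copied from the release page; a ValueError means the archive should not be extracted, and the returned name is the directory to cd into.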

1.2. Creating the database that stores the alerts:

Log in to MySQL with the MySQL client:
root@Ubuntu:/usr/local# mysql -u root -p
Enter the password of the MySQL root user. After logging in, create the MySQL user that Snort will use; its name is snort and its password is 123456.
mysql> use mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
mysql> flush privileges;
Create the database for Snort, named snort:
mysql> create database snort;
Grant privileges to the snort account:
mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* to snort@localhost;
Create the tables: go to the schemas directory inside the extracted Snort source:
root@Ubuntu:~# cd /usr/local/snort-2.8.4.1/schemas/
root@Ubuntu:/usr/local/snort-2.8.4.1/schemas# mysql -u root -p snort < create_mysql
You are asked for the root user's password; enter it and the command runs.

1.3. Configuring Snort:

1.3.1. Creating the group and user that run Snort
- Create a symbolic link to the snort binary, which is located at /usr/local/bin/snort, from /usr/sbin/snort:
root@Ubuntu:/usr/local/snort-2.8.4.1# ln -s /usr/local/bin/snort /usr/sbin/snort
- Create the group and user:
root@Ubuntu:~# groupadd snort
root@Ubuntu:~# useradd -g snort snort
- Set ownership so that Snort can write its logs to the log directory:
root@Ubuntu:~# chown snort:snort /var/log/snort/

1.3.2. Creating rules for Snort:

Create the Snort directories:
root@Ubuntu:~# mkdir /etc/snort
root@Ubuntu:~# mkdir /etc/snort/rules
Create the directory where Snort stores its log files:
root@Ubuntu:~# mkdir /var/log/snort/
Copy the required files into the directory just created:
root@Ubuntu:~# cd /usr/local/snort-2.8.4.1/etc/
root@Ubuntu:/usr/local/snort-2.8.4.1/etc# cp * /etc/snort/
- Create the rules file. Open /etc/snort/rules/icmp.rules and give it the following content:
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
Save icmp.rules.
- Edit the configuration file snort.conf (now in /etc/snort) so that it points to icmp.rules and holds the MySQL access details. Delete the entire contents of snort.conf and replace them with:
include /etc/snort/rules/icmp.rules
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
Save the configuration file.
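The rule in icmp.rules has the shape every Snort rule has: a header (action, protocol, source address and port, direction, destination address and port) followed by options in parentheses, of which msg, sid and rev identify the alert in the database and therefore in BASE. The Python below is an added example, not part of this guide or of Snort: a small parser for that syntax plus the checks worth running on a rules file before pointing snort.conf at it (every rule has msg, sid and rev; sids are numeric and unique, because two rules sharing a sid produce alerts that cannot be told apart). The validation policy is this example's own choice; SAMPLE_RULES is constructed and contains the guide's rule plus two defective ones.

```python
import re
from typing import Dict, List

# Added example, not part of the original guide or of Snort. Parses the
# Snort rule syntax used in icmp.rules and reports problems a maintainer
# wants to know about before loading the file: missing msg/sid/rev,
# non-numeric sid, duplicate sid. Option names follow the rule language;
# the checks themselves are this example's assumption.

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def split_options(opts: str) -> Dict[str, str]:
    """Split 'msg:"a; b"; sid:477; rev:3;' into a dict, honouring quotes so
    a ';' inside a quoted msg does not end the option."""
    result: Dict[str, str] = {}
    buf, in_quote = "", False

    def flush() -> None:
        name, _, val = buf.strip().partition(":")
        if name:
            result[name] = val.strip().strip('"')

    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            flush()
            buf = ""
        else:
            buf += ch
    flush()  # tolerate a rule whose last option lacks the trailing ';'
    return result


def parse_rule(line: str) -> Dict[str, str]:
    """Return header fields plus options for one rule line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    rule = {k: v for k, v in m.groupdict().items() if k != "opts"}
    rule.update(split_options(m.group("opts")))
    return rule


def validate_rules(text: str) -> List[str]:
    """Return the problems found in a rules file (an empty list means OK)."""
    problems: List[str] = []
    seen: Dict[str, int] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as e:
            problems.append(f"line {n}: {e}")
            continue
        for req in ("msg", "sid", "rev"):
            if req not in rule:
                problems.append(f"line {n}: missing {req}")
        sid = rule.get("sid")
        if sid is not None:
            if not sid.isdigit():
                problems.append(f"line {n}: sid must be numeric, got {sid!r}")
            elif sid in seen:
                problems.append(f"line {n}: sid {sid} already used on line {seen[sid]}")
            else:
                seen[sid] = n
    return problems


# Constructed sample: the guide's rule, a duplicate sid, and a rule without a sid.
SAMPLE_RULES = """\
# icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
alert icmp any any -> any any (msg:"ICMP echo; ping"; sid:477; rev:1;)
alert tcp any any -> any 22 (msg:"SSH connect"; rev:1;)
"""

if __name__ == "__main__":
    for problem in validate_rules(SAMPLE_RULES):
        print(problem)
```

Feed it the contents of /etc/snort/rules/icmp.rules (or any file the include lines in snort.conf name) before restarting Snort; the parser covers the header-plus-options form used here and does not attempt the full option grammar of later Snort releases.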

1.4. Installing BASE

The web server and PHP are already installed; a few PEAR packages for PHP still have to be added.
root@Ubuntu:/home/chau/Desktop/Install# apt-get install php-pear
root@Ubuntu:/home/chau/Desktop/Install# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman

- Install ADODB:
root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/adodb/adodb508a.tgz
root@Ubuntu:/home/chau/Desktop/Install# cp adodb508a.tgz /var/www/
root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
root@Ubuntu:/var/www# tar -xvzf adodb508a.tgz

- Install BASE:
root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp base-1.4.2.tar.gz /var/www/
root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
root@Ubuntu:/var/www# tar -xzvf base-1.4.2.tar.gz
root@Ubuntu:/var/www# rm -rf base-1.4.2.tar.gz
root@Ubuntu:/var/www# cd base-1.4.2/
root@Ubuntu:/var/www/base-1.4.2# cp base_conf.php.dist base_conf.php
root@Ubuntu:/var/www/base-1.4.2# vi base_conf.php
Change the following lines to these values:
$DBlib_path = '/var/www/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '123456';
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = '123456';
/* Whois query */
$external_whois_link = '';
/* DNS query */
$external_dns_link = '';
/* SamSpade "all" query */
$external_all_link = '';
Rename the BASE directory to its final path:
root@Ubuntu:/var/www# mv base-1.4.2/ base/
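The values in base_conf.php must agree with the "output database:" line written into snort.conf in section 1.3.2: same driver, database name, host, user and password, or BASE opens with an empty console while Snort logs happily to a table BASE never reads. The Python below is an added example, not part of this guide or of BASE; it parses both fragments and reports any mismatch, and it also rejects the one form of the Snort line that silently fails, a parameter written with spaces around "=" (Snort expects key=value tokens). SNORT_CONF and BASE_CONF are constructed to hold the guide's values; 123456 is the guide's sample password, not a recommendation.

```python
import re
from typing import Dict, List

# Added example, not part of the original guide or of BASE. Cross-checks the
# Snort database output line against the $alert_* settings of base_conf.php
# so that a typo in either file is caught before the first alert is lost.

# Constructed inputs matching the guide's values.
SNORT_CONF = """\
include /etc/snort/rules/icmp.rules
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
"""

BASE_CONF = """\
$DBlib_path = '/var/www/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '123456';
"""

OUTPUT_RE = re.compile(
    r"^output\s+database:\s*(?P<facility>\w+)\s*,\s*(?P<driver>\w+)\s*,\s*(?P<params>.*)$"
)


def parse_snort_output(conf: str) -> Dict[str, str]:
    """Return facility, driver and the key=value parameters of the first
    'output database:' line. A token without '=' (for example 'password = x'
    written with spaces) is reported instead of being silently dropped."""
    for line in conf.splitlines():
        m = OUTPUT_RE.match(line.strip())
        if not m:
            continue
        out = {"facility": m.group("facility"), "driver": m.group("driver")}
        for token in m.group("params").split():
            key, sep, value = token.partition("=")
            if not sep or not key or not value:
                raise ValueError(f"malformed parameter {token!r}: expected key=value without spaces")
            out[key] = value
        return out
    raise ValueError("no 'output database:' line in snort.conf")


def parse_base_conf(conf: str) -> Dict[str, str]:
    """Return the $DBtype and $alert_* assignments as plain strings."""
    out: Dict[str, str] = {}
    for m in re.finditer(r"^\$(DBtype|alert_\w+)\s*=\s*'([^']*)'\s*;", conf, re.M):
        out[m.group(1)] = m.group(2)
    return out


def check_consistency(snort_conf: str, base_conf: str) -> List[str]:
    """Return the mismatches between the two files (empty means consistent)."""
    s = parse_snort_output(snort_conf)
    b = parse_base_conf(base_conf)
    pairs = [
        ("driver", "DBtype"),
        ("dbname", "alert_dbname"),
        ("host", "alert_host"),
        ("user", "alert_user"),
        ("password", "alert_password"),
    ]
    problems = []
    for sk, bk in pairs:
        if s.get(sk) != b.get(bk):
            problems.append(f"{sk}={s.get(sk)!r} in snort.conf but {bk}={b.get(bk)!r} in base_conf.php")
    return problems


if __name__ == "__main__":
    print(check_consistency(SNORT_CONF, BASE_CONF) or "snort.conf and base_conf.php agree")
```

In practice read the two real files (/etc/snort/snort.conf and /var/www/base/base_conf.php after the rename above) and pass their contents; the check only compares the alert connection, since the archive settings in the guide are copies of the same values.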
