Detailed Guide to Installing a Snort-based Intrusion Detection System on Windows

Preface: Recently the company network has been having one small problem after another, so I set up a few traffic-monitoring servers for monitoring and analysis; I have also been following network security topics for a while. When I saw that Snort IDS is open-source software, I suddenly wanted to learn it, and that led to the idea of building Snort IDS on Windows. The content below draws on material found online.

1. Software preparation
Apache, PHP, MySQL, WinPcap, Snort, ACID, ADOdb, JpGraph, etc.

2. Software installation
Windows platform: Windows XP SP3

(1) Apache installation
Click Next all the way through; the specific configuration is shown in the screenshot.
After installation, verify that the web service is running normally.

(2) MySQL installation

(3) PHP installation
Extract the PHP archive to the C: drive and name the folder php.
Copy c:\php\php.ini-dist to c:\windows and rename it php.ini.
Copy c:\php\php5ts.dll and c:\php\libmysql.dll to c:\windows\system32.
Copy c:\php\ext\php_gd2.dll to c:\windows\system32.
Edit the Apache configuration file c:\apache\conf\httpd.conf and add:
    LoadModule php5_module c:/php/php5apache2_2.dll
    AddType application/x-httpd-php .php
Restart the Apache service.
Create a new file test.php under c:\apache\htdocs\ containing:
    <?php phpinfo(); ?>
Verify that PHP works.
Edit the php.ini file under c:\windows:
    extension_dir = c:\php\ext
Remove the leading ";" from these two lines:
    extension=php_gd2.dll
    extension=php_mysql.dll
Restart the Apache service.
Verify that PHP now supports the MySQL and GD libraries.

(4) WinPcap installation
Follow the installation wizard.

(5) Snort installation
Follow the installation wizard.

(6) Copy create_mysql from C:\Snort\schemas to C:\mysql\bin and create the databases Snort needs: run "source create_mysql" in the MySQL client to create the snort and snort_archive databases.

(7) Extract the ACID, ADOdb and JpGraph archives and copy them to C:\apache\htdocs, as shown in the screenshot.
Edit acid_conf.php:
    $DBlib_path = "c:\apache\htdocs\adodb";
    $alert_dbname = "snort";
    $alert_host = "localhost";
    $alert_port = "3306";
    $alert_user = "root";
    $alert_password = "password";
    /* Archive DB connection parameters */
    $archive_dbname = "snort_archive";
    $archive_host = "localhost";
    $archive_port = "3306";
    $archive_user = "root";
    $archive_password = "password";
    $ChartLib_path = "c:\apache\htdocs\jpgraph\src";

(8) Extract the Snort rules package and copy it into the Snort installation directory.
Edit c:\snort\etc\snort.conf as follows.
Monitored network segments:
    var HOME_NET [192.168.12.0/23,192.168.14.0/23]
Rule library location:
    var RULE_PATH c:\snort\rules
Dynamic preprocessor paths:
    dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
    dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_dns.dll
    dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
    dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
    dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
    dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
    dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
    dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
Comment out the dynamic detection entries (Linux paths that do not exist on this system):
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
    #dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so
Output database type, user name, password, database name and host:
    output database: alert, mysql, user=root password=password dbname=snort host=localhost
Include file paths:
    include c:\snort\etc\classification.config
    include c:\snort\etc\reference.config
Save and exit.

Start Snort:
    cd c:\snort\bin\
    snort -c c:\snort\etc\snort.conf -l c:\snort\log -de -i 2

From the attacking machine, ping the server running Snort, then log in to the ACID console; the interface is as shown in the screenshot. This shows that the Snort intrusion detection platform has been built successfully!

The setup guides I found online were not very detailed or specific, and some contained errors; this document is made from screenshots of an actual Windows XP build and test (absolutely genuine and workable)! Next I will go further into customizing Snort rules and building Snort on Linux.
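As an added example (not part of the original document or of Snort/ACID), the following Python check reads the "output database:" line of snort.conf and the $alert_* settings of acid_conf.php and reports where they disagree, since a mismatch between the two is the usual reason the ACID console stays empty after step (8); it also flags the two credential weaknesses of the configuration above (Snort writing as MySQL root with the password "password") and validates the HOME_NET CIDRs. The two sample config strings are constructed from the values used in steps (7) and (8); the function names are mine.

```python
import re
import ipaddress
# Constructed sample: the snort.conf lines that matter for the ACID hookup (step 8).
SNORT_CONF = r"""var HOME_NET [192.168.12.0/23,192.168.14.0/23]
output database: alert, mysql, user=root password=password dbname=snort host=localhost
"""
# Constructed sample: the $alert_* settings edited in acid_conf.php (step 7).
ACID_CONF = r"""$alert_dbname = "snort";
$alert_host = "localhost";
$alert_user = "root";
$alert_password = "password";
"""

def parse_snort_output_db(conf):
    """Return the key=value pairs of the 'output database: alert, mysql' line, or None."""
    m = re.search(r"^output database:\s*alert,\s*mysql,\s*(.*)$", conf, re.M)
    return dict(kv.split("=", 1) for kv in m.group(1).split()) if m else None

def parse_acid_alert_db(conf):
    """Return the $alert_* settings of acid_conf.php, keyed without the prefix."""
    return dict(re.findall(r'^\$alert_(\w+)\s*=\s*"([^"]*)";', conf, re.M))

def parse_home_net(conf):
    m = re.search(r"^var HOME_NET\s+\[?([^\]\s]+)\]?", conf, re.M)
    if not m or m.group(1) == "any":
        return []
    return [ipaddress.ip_network(c) for c in m.group(1).split(",")]  # ValueError if malformed

def check_setup(snort_conf, acid_conf):
    """Return a list of findings; an empty list means both configs agree and look sane."""
    findings = []
    snort = parse_snort_output_db(snort_conf)
    acid = parse_acid_alert_db(acid_conf)
    if snort is None:
        return ["snort.conf has no 'output database: alert, mysql' line; ACID will show nothing"]
    for key in ("dbname", "host", "user"):  # ACID must read the same DB Snort writes to
        if snort.get(key) != acid.get(key):
            findings.append(f"{key} differs: snort={snort.get(key)!r} acid={acid.get(key)!r}")
    if snort.get("password") != acid.get("password"):
        findings.append("database password differs between snort.conf and acid_conf.php")
    if snort.get("user") == "root":
        findings.append("Snort writes as MySQL root; use a dedicated account limited to the snort database")
    if snort.get("password") in (None, "", "password"):
        findings.append("database password is empty or the literal 'password'")
    try:
        parse_home_net(snort_conf)
    except ValueError as e:
        findings.append(f"HOME_NET contains an invalid network: {e}")
    return findings
```

Run check_setup on the real files' contents after editing them; with the values from this guide it reports the root account and the weak password, and an empty list only once a dedicated MySQL account is configured identically on both sides.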