- Snort: a lightweight open-source IDS.
- ACID (Analysis Console for Intrusion Databases): an intrusion-database analysis console, a PHP-based analysis engine that can search and process the security-event database generated by the Snort tool.
- BASE (Basic Analysis and Security Engine): literally "basic analysis and security engine", a web application for viewing Snort IDS alerts and the successor to ACID.
- Barnyard2: writes the alert events emitted by Snort into the database.
Many people find installing a Snort-based NIDS difficult: it always errors out. Installing Snort itself is not hard; the hard part is that the preparation is insufficient, such as an incorrect configuration, and when setting up Snort's visual alerting you run into all kinds of problems, for example:
- Why does the Snort build keep failing?
- Why does Snort exit immediately after starting?
- Why do newly added Snort rules not show up in the BASE console?
- What if Snort does not alert?
- What if Snort alerts cannot be stored in the MySQL database?
- What if the browser opens ACID and the page is blank? Others install it successfully, so why can't I get it installed at all? It is sheer torment! Below we look at how to deal with these problems.
The preparation required for a manual build and install of Snort is as follows.
Step 1. Prepare the software environment. Before installing, SPAN must be configured on the switch; mid- and high-end Cisco switches all have a SPAN feature, and SPAN needs a dedicated port. The following experiment runs in a virtual-machine environment, where the network card must be set to promiscuous mode.
Step 2. Install the latest VMware Workstation virtual machine and prepare a remote-connection tool.
Step 3. Obtain all the installation resources from this book's page on the 异步社区 (Epubit) site.
Step 4. Install the operating system in the virtual machine from the image CentOS-6.8-x86_64-mini.
Step 5. After rebooting, set the system IP, gateway and DNS, and update the system.
By default the network IP is obtained automatically and has to be changed to a static address.
#ifconfig -a //view the network-card configuration
#vi /etc/sysconfig/network-scripts/ifcfg-eth0 //edit the network-card configuration file
DEVICE="eth0"
BOOTPROTO="dhcp"
HWADDR="00:0C:29:BA:53:4E"
IPV6INIT="yes"
NM_CONTROLLED="yes" //the original page showed this key with asterisks because of a keyword filter
ONBOOT="yes"
TYPE="Ethernet"
UUID="685d0725-02ab-41b9-b9bf-6a52fc68c0f8"
To switch to a static IP address, change "dhcp" in BOOTPROTO="dhcp" to "static", then add the following (choose the addresses according to your LAN):
IPADDR=192.168.x.y
NETMASK=255.255.255.0
GATEWAY=192.168.x.z
DNS1=192.168.x.z
DNS2=8.8.8.8 //several DNS addresses may be listed; add them according to your local provider
Finally save, exit, and restart the network service.
Update the system
Because CentOS 6 is no longer maintained, first run the following two commands.
#sed -i "s|enabled=1|enabled=0|g" /etc/yum/pluginconf.d/fastestmirror.conf
#curl -o /etc/yum.repos.d/CentOS-Base.repo https://www.xmpan.com/Centos-6-Vault-Aliyun.repo
If there are no errors, continue with the upgrade.
#yum -y update //the upgrade takes a while
Step 6. Copy the software to the designated directory.
Copy the four files libdnet-1.12.tgz, daq-2.0.4.tar.gz, snort-2.9.7.0.tar.gz and snortrules-snapshot-2970.tar.gz into /usr/local/src/ on the CentOS 6.8 system.
After these six steps the preparation for installing Snort is complete. The Snort installation and configuration roadmap is in figures 1 and 2 of the appendix of the book 《开源安全运维平台OSSIM疑难解析:提高篇》; the names and purposes of the network installation packages are in tables 1, 2 and 3 of that appendix. With those three tables and the roadmap, a beginner can complete every experiment described in this article with a clear picture of where each step fits.
With the preparation done, we begin the actual Snort installation. Building and installing Snort takes the following 10 steps.
Step 1. Install the basic environment and dependency packages.
#yum install -y gcc gcc-c++ flex bison zlib-devel zlib-static libxml2 libpcap pcre-devel pcre-static libpcap-devel.x86_64 tcpdump git libtool curl man make
Note: if pcre is not installed, the following problem appears at configure time; for example, when we run ./configure the error is:
Step 2. Unpack the libdnet, DAQ and Snort packages.
During a server installation many people download the latest source packages from the official sites, but then they run into all kinds of missing dependencies and the install fails. Some software (Snort, for instance) can only be installed after the DAQ (Data AcQuisition) library is in place, and DAQ can only be installed after libdnet; otherwise the build fails because dependency files cannot be found. The steps are:
#cd /usr/local/src
#tar -zxvf libdnet-1.12.tgz
#tar -zxvf daq-2.0.4.tar.gz
#tar -zxvf snort-2.9.7.0.tar.gz
The three packages libdnet, DAQ and Snort must now be installed in that order.
● Install libdnet-1.12.tgz.
#cd /usr/local/src/libdnet-1.12/
#./configure
#make && make install
● Install DAQ.
#cd daq-2.0.4
#./configure
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Build netmap DAQ module...... : no
Once the configure check completes we can see that the AFPacket DAQ module, Dump DAQ module, IPFW DAQ module and PCAP DAQ module all show "yes"; only then can the package be built.
#make && make install
● Install Snort 2.9 (libdnet, DAQ and zlib must be installed correctly before Snort).
#cd /usr/local/src/snort-2.9.7.0
#./configure --enable-sourcefire
#make && make install
If the build produces no error messages, proceed with the installation.
Step 3. Add the user and group.
Create the user and group and set permissions. Files unpacked as root are owned by root, so ownership and the related permissions have to be changed to the snort user.
#groupadd -g 40000 snort //add a snort group
#useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
//add the snort user to the snort group, create the directory /var/log/snort, and disallow system login
Step 4. Configure Snort.
● Create the directory /etc/snort/.
#mkdir /etc/snort/
● Unpack snortrules-snapshot-2970.tar.gz into /etc/snort/.
#cd /etc/snort
#tar -zxvf /usr/local/src/snortrules-snapshot-2970.tar.gz -C . (this step is critical: unpack into the current directory)
After this command, four directories are created under /etc/snort/: etc, preproc_rules, rules and so_rules.
#cp /etc/snort/etc/sid-msg.map /etc/snort
● Unpack the downloaded Snort tarball (snort-2.9.7.0.tar.gz) and copy its etc files into /etc/snort/.
#cd /etc/snort/
#cp /usr/local/src/snort-2.9.7.0/etc/* .
● Set the owner and group of /etc/snort and everything under it.
#chown -R snort:snort *
● Create the whitelist and blacklist rule files.
#touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
This creates the two files white_list.rules and black_list.rules under /etc/snort/rules.
● Edit the configuration file snort.conf and modify the following lines.
#vi /etc/snort/snort.conf
The comments in the official snort.conf file are organised into nine steps.
To deepen your understanding of this file, a few important concepts and the main steps are explained below.
If the configuration is correct, the system shows the following after startup.
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Set gid to 113
Set uid to 109
--==Initialization Complete==--
,,_ -> Snort! <-
o" )~ Version 2.9.3.1 IPv6 GRE (Build 40)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.02 2010-03-19
Using ZLIB version: 1.2.3.4
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.16 <Build 18>
Preprocessor Object: SF_GTP (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
Preprocessor Object: SF_MODBUS (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
Preprocessor Object: SF_DNP3 (IPV6) Version 1.1 <Build 1>
Snort successfully validated the configuration!
... ...
Press Ctrl+C to quit the program.
Snort exiting
If the message "Snort successfully validated the configuration!" appears, the installation and configuration succeeded.
Step 9. Test with the ping command.
The purpose of testing with ping is to make Snort generate alerts. ping uses the ICMP protocol, and what the IDS captures through the libpcap functions is likewise ICMP packets. Run the following on the Snort host:
#snort -i eth0 -c /etc/snort/snort.conf -A fast
Tips: the meaning of -A fast in the command above is as follows.
-A fast: with this parameter the alert information includes the following:
After running the command above, alerts are recorded in /var/log/snort/alert and /var/log/snort/snort.log.timestamp (the latter is a binary packet file that cannot be read with tail). View the alert file directly with the following commands.
#cd /var/log/snort/
#tail -f /var/log/snort/alert //view alerts
Example:
As you can see, these are all text files.
As a basic user you need to know that Snort reserves 1 to 1000000 as its own internal numbering and leaves numbers above 1000000 for users. This is a convention rather than something enforced, so when we write our own rules we need to add our own rule ids and messages to sid-msg.map. sig_reference and sig_class are extended descriptions of the sig_id and sig_class_id attributes. Later, during the BASE debugging experiment, we will see the classification picture, as shown in the figure below.
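Since the fast-format alert file is plain text, it can be summarised with standard shell tools. The script below is an added example, not code from the original article: it parses constructed "-A fast" lines, counts alerts per signature, marks sids above 1000000 as local rules following the convention just described, and ranks alerting source addresses. It assumes a POSIX sh with awk and sort; the sample alert lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original article): summarise a Snort "-A fast" alert file.
# A fast-format line looks like this (constructed sample, not a real capture):
#   03/05-10:12:33.123456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.120
# Snort keeps sids 1..1000000 for its own rules; sids above 1000000 are left to local rules.
TAB=$(printf '\t')

# Write a constructed sample alert file to $1 (four alerts, three signatures, one local sid).
make_sample_alerts() {
    cat > "$1" <<'EOF'
03/05-10:12:33.123456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.120
03/05-10:12:33.123789  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.120 -> 192.168.1.5
03/05-10:12:34.130001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.120
03/05-10:13:01.000200  [**] [1:1000001:1] LOCAL ssh banner seen [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.7:51022 -> 192.168.1.120:22
EOF
}

# Print "gid:sid:rev<TAB>count<TAB>scope<TAB>msg", most frequent signature first;
# scope is "local" when sid > 1000000, otherwise "builtin".
summarize_alerts() {
    awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\] /) {
            id   = substr($0, RSTART + 1, RLENGTH - 3)      # drop the "[" and the "] "
            rest = substr($0, RSTART + RLENGTH)              # "msg [**] [Classification: ..."
            msg  = substr(rest, 1, index(rest, " [**]") - 1)
            count[id]++
            text[id] = msg
        }
        END {
            for (id in count) {
                split(id, f, ":")
                scope = (f[2] + 0 > 1000000) ? "local" : "builtin"
                printf "%s\t%d\t%s\t%s\n", id, count[id], scope, text[id]
            }
        }' "$1" | sort -t "$TAB" -k2,2nr
}

# Number of alerts in file $1 that carry sid $2 (0 when that sid never fired).
count_sid() {
    summarize_alerts "$1" | awk -F "$TAB" -v sid="$2" '
        { split($1, f, ":"); if (f[2] == sid) n += $2 }
        END { print n + 0 }'
}

# Print "src_ip<TAB>count" for every alerting source, most active first.
# IPv4 is assumed: the ":port" suffix that TCP/UDP alerts carry is stripped.
alert_sources() {
    awk '
        /\{[A-Z]+\} / {
            s = $0
            sub(/.*\} /, "", s)              # keep only "src -> dst"
            split(s, ep, " -> ")
            src = ep[1]
            sub(/:[0-9]+$/, "", src)
            n[src]++
        }
        END { for (ip in n) printf "%s\t%d\n", ip, n[ip] }' "$1" | sort -t "$TAB" -k2,2nr
}

# Demo run on the constructed sample: ./alerts.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp); make_sample_alerts "$f"
    summarize_alerts "$f"; echo; alert_sources "$f"
    rm -f "$f"
fi
```

Point the functions at /var/log/snort/alert on a real sensor; a signature that shows up as "local" with a high count is a quick way to spot a noisy custom rule.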
mysql>CREATE DATABASE snort; //create the database
mysql>USE snort;
mysql>CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
In the commands above, "123456" is the password of the MySQL user snort.
Next we create the database user named snort with the password "123456" and grant it privileges on the database named "snort".
Before the following steps, unpack barnyard2-1.9.tar.gz into /usr/local/src/.
Now grant the user snort its privileges on the database:
mysql>GRANT CREATE,SELECT,UPDATE,INSERT,DELETE ON snort.* TO snort@localhost IDENTIFIED BY '123456';
mysql>SET PASSWORD FOR 'snort'@'localhost'=PASSWORD('123456'); //set the access password for the user snort
mysql>SOURCE /usr/local/src/barnyard2-1.9/schemas/create_mysql; //create the database structure by sourcing the file create_mysql; this command must not be run twice, and the later BASE installation steps will add several more tables to the snort database.
After the command succeeds you will see the following messages:
Query OK, 0 rows affected (0.01 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.01 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.01 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
After the create_mysql script has run, you can verify the configuration by running the following SQL statement at the mysql prompt.
mysql> SHOW TABLES;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
16 rows in set (0.00 sec)
mysql>FLUSH PRIVILEGES; //refresh the database privileges
mysql>exit
Note: use an absolute path when importing the MySQL tables from barnyard2-1.9.
Step 4. Install and configure Barnyard2.
Barnyard2 reads the binary event files produced by Snort (/var/log/snort/snort.log.XXXXXXXXXX) and stores them in MySQL. Snort's own configuration includes an output plugin that can log alerts directly to MySQL, but then the system data grows explosively: whenever the IDS detects intrusion behaviour it writes to the database with INSERT statements, and updates become very slow. So writing Snort output straight into the database is inefficient once the data volume grows, and instead an external agent, Barnyard2, delivers the alerts.
● Install from source.
Enter the barnyard2-1.9/ directory again.
#cd /usr/local/src/barnyard2-1.9/
#./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql //these configure options are important; do not get them wrong
Note: if you use another Linux distribution, configure may fail to find the .so path when given /usr/lib64/mysql as above; in that case just follow the message and use find to locate the real path on the system. For example, on Debian 9 Linux:
#find / -name "libmysqlclient.*"
/usr/lib/libmysqlclient.so.18.0.0
/usr/lib/libmysqlclient.so.18
/usr/lib/libmysqlclient.a
/usr/lib/libmysqlclient.so
We see that the MySQL .so files live in /usr/lib/, so the configure command is changed to:
#./configure --with-mysql --with-mysql-libraries=/usr/lib/
● Configure Barnyard2.
First create the directory /var/log/barnyard2 and the file /var/log/snort/barnyard2.waldo.
#mkdir /var/log/barnyard2
#touch /var/log/snort/barnyard2.waldo
● Set the owner and group of barnyard2.waldo.
#chown snort:snort /var/log/snort/barnyard2.waldo
● Copy the Barnyard2 configuration file.
As with Snort, Barnyard2's initial configuration is done by copying an existing .conf file, so first copy the Barnyard2 configuration template into /etc/snort.
#cp /usr/local/src/barnyard2-1.9/etc/barnyard2.conf /etc/snort
● Modify the configuration file barnyard2.conf.
#vi /etc/snort/barnyard2.conf
Find the corresponding lines and change them as follows:
Line 44: config logdir: /var/log/barnyard2 //the owner and group of this directory must be snort.snort; getting this wrong makes the experiment fail.
Line 56: config hostname: localhost
Line 57: config interface: eth0
Line 131: config waldo_file: /var/log/snort/barnyard2.waldo
The following statement sets the database access credentials: user name snort, password 123456, database name snort, host name localhost.
Line 318: output database: log,mysql,user=snort password=123456 dbname=snort host=localhost
Save and exit once editing is done; that completes the changes to barnyard2.conf.
● Change the owner and group of the log directory.
#chown snort:snort /var/log/barnyard2
● Start Snort and Barnyard2 for a joint test.
#snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
After this command there is no large amount of output, only the following three lines:
Spawning daemon child...
My daemon child 12903 lives...
Daemon parent exiting (0)
Snort now runs quietly in the background (the -D parameter means run as a background process).
The following command tests whether the Barnyard2 program runs correctly.
#barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard2.waldo -g snort -u snort -T
It produces the following output:
Running in Test mode
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
database: compiled support for (mysql)
database: configured to use mysql
database: schema version=107
database: host=localhost
database: user=snort
database: database name=snort
database: sensor name=localhost:NULL
database: sensor id=1
database: sensor cid=1
database: data encoding=hex
database: detail level=full
database: ignore_bpf=no
database: using the "log" facility
______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.9 (Build 263)
|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php
'''' + (C) Copyright 2008-2010 SecurixLive.
Barnyard2 successfully loaded configuration file!
Snort exiting
database: Closing connection to database "snort"
If your machine also shows the messages above, the program can run normally, and only then can we continue with the steps below.
Ping the host again, and this time start the barnyard2 program for real by running the following command.
#barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard2.waldo
The command parameters are explained below.
● -c: the path of the Barnyard2 configuration file. This parameter is mandatory.
● -f: the base name of the unified file Barnyard2 reads when running in continuous mode. Snort appends a UNIX timestamp to every unified file it generates; the name given here is that file name with the timestamp removed.
After the command above has run, the following files are generated under /var/log/snort/:
You can see that the alert files are all named snort.log.<timestamp>. Why must the format be snort.log.XXXXXXX? In step 5 of configuring snort.conf we set this line:
output unified2: filename snort.log, limit 128
It defines the name of the output alert file. If you want to change snort.log.XXXXX into unified2.alert.XXXXX, change the line to:
output unified2: filename unified2.alert, limit 128
At the same time the -f parameter must then be followed by unified2.alert rather than snort.log; note the one-to-one correspondence.
If no number appears under count(*), the alerts have not been stored in the database, and the configuration process must be checked from the beginning.
The following command is very important, so once more, the complete Barnyard2 start command:
[root@localhost ~]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard2.waldo -g snort -u snort
Running in Continuous mode
--==Initializing Barnyard2==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf" //configuration file path
Log directory=/var/log/barnyard2 //log storage path
database: compiled support for (mysql)
database: configured to use mysql
database: schema version=107
database: host=localhost
database: user=snort //the program runs as the user snort
database: database name=snort
database: sensor name=localhost:eth0 //the Snort sensor is on the eth0 network card
database: sensor id=1
database: sensor cid=1
database: data encoding=hex
database: detail level=full
database: ignore_bpf=no
database: using the "log" facility
The result of running it is shown below.
______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.9 (Build 263)
|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php
'''' + (C) Copyright 2008-2010 SecurixLive.
WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Waiting for new spool file
Note: the program prints a lot of information while starting; when the words "Waiting for new spool file" appear, the command has started successfully. If they do not, check again from step 1 of this section.
If you are experimenting in a simple simulated environment, this step can be skipped. Suppose the scenario is that only one particular IP should be able to reach ports 22 and 80 on the Snort server; we configure the Snort host as follows.
Block all IPs from reaching ports 22 and 80 on the Snort server.
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 22 -j DROP
Allow the IP address 192.168.11.2 to reach ports 80 and 22 on the Snort server.
iptables -I INPUT -s 192.168.11.2 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -s 192.168.11.2 -p tcp --dport 22 -j ACCEPT
Save the iptables rules
service iptables save
Restart the firewall
#service iptables restart
If every step in the three parts above went normally, the Snort system is installed and its alerts are being stored in the database. Next come the steps to install BASE (Basic Analysis and Security Engine, built on ACID). How Barnyard makes the Snort alerts in MySQL available on the web is shown in Figure 1.
Figure 1 How Barnyard stores alerts
To display the logs stored in the database on the web, BASE (the front-end program that displays intrusion-detection events) must be installed; the version used here is base-1.4.5.tar.gz. Since a web service is involved, the LAMP environment must be installed first and then the BASE package. The server IP address here is 192.168.1.120. The installation steps are as follows.
Step 1. Install httpd, mysql-server, mysql-devel, php and php-mysql.
The command is:
#yum install -y httpd mysql-server php php-mysql mysql-devel php-gd
Step 2. Install the PHP extensions (mcrypt, libmcrypt, libmcrypt-devel) with the following command.
#yum install -y mcrypt libmcrypt libmcrypt-devel php-pear
Updating the extensions takes a while:
#pear upgrade PEAR
Step 3. Continue with the following commands.
Install the four packages Image_Graph-alpha, Image_Canvas-alpha, Image_Color and Numbers_Roman:
#pear channel-update pear.php.net
#pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
Tips: Image_Graph was formerly GraPHPite, a package for chart operations and an open-source project that was later integrated into PEAR and named Image_Graph (-alpha is its version tag), which is why it is installed with the pear command.
If these PEAR packages are not installed correctly, the BASE console later shows an error screen like the following:
Package Version State
Archive_Tar 1.4.9 stable
Console_Getopt 1.3.1 stable
Image_Canvas 0.3.5 alpha
Image_Color 1.0.4 stable
Image_Graph 0.8.0 alpha
Numbers_Roman 1.0.2 stable
PEAR 1.9.5 stable
Structures_Graph 1.0.4 stable
XML_RPC 1.5.4 stable
XML_Util 1.2.3 stable
Step 4. Install the ADOdb package.
Although PHP is a powerful tool for building web systems, its database-access functions are not standardised, and MySQL uses a different, incompatible API. ADOdb is therefore used as an intermediary layer. ADOdb's greatest advantage is that the way the database is accessed is the same regardless of the back-end database. The current ADOdb release is 5.20 and it supports many databases, for example MySQL, PostgreSQL and Oracle. To install ADOdb, first unpack adodb519.tar.gz into /var/www/html/.
#tar zxvf adodb519.tar.gz -C /var/www/html/
After unpacking, a new directory adodb5 appears; rename it to adodb.
#mv /var/www/html/adodb5 /var/www/html/adodb
Step 5. Unpack the BASE package.
[root@localhost src]# pwd
/usr/local/src
#tar zxvf base-1.4.5.tar.gz -C /var/www/html/
After unpacking, a new directory base-1.4.5 appears, which then needs renaming.
#mv /var/www/html/base-1.4.5/ /var/www/html/base
Step 6. Modify the PHP configuration file.
#vi /etc/php.ini
Change line 513 to the following.
error_reporting=E_ALL & ~E_NOTICE
Save and exit when done.
Note on the error_reporting() function: error_reporting() sets PHP's error-reporting level and returns the current level. Error reporting is graded; below we look at the reporting levels of this function.
Step 7. Change the owner and group of /var/www/html/.
#chown -R apache:apache /var/www/html/
Note: if this step is done wrong, the error "Config Writeable: No" may appear later while configuring BASE, and the BASE configuration cannot be completed.
Step 8. Restart MySQL and the web service, and finally stop the firewall service.
#service mysqld restart //start the database service
#service httpd restart //restart the web service
#service iptables stop //temporarily stop the firewall for easier debugging
Step 9. Set up BASE in the web interface.
First test the web server: open the Apache page http://yourip/, and once the test page shows, open the BASE page proper.
Open a browser and enter http://yourip/base/setup/index.php; the setup screen appears, as shown in Figure 1-7.
Tips: yourip stands for your IP address.
Click the Continue button to choose the language and the ADOdb path, as shown in Figure 1-8.
Choose Chinese as the language, enter /var/www/html/adodb as the ADOdb path and click Continue. Next enter the database name, the user name and the password, as shown in Figure 1-9.
Figure 1-7 Starting BASE setup
Figure 1-8 Setting the ADOdb path
Figure 1-9 Setting the database
There is no need to configure an archive database, so the five fields inside the red brace in Figure 1-9 can be left empty. In the next step set the administrator name to root; the password is again "123456", and Full Name need not be set, as shown in Figure 1-10.
Figure 1-10 Setting the root password
Next, create the BASE table structure, as shown in Figures 1-11 and 1-12.
Figure 1-11 About to create the BASE tables
Tip: the AG in "BASE AG" in the figure above stands for Alert Group.
Figure 1-12 BASE tables created
If the table acid is reported as created and the BASE tables status shows "DONE", the installation is complete. Click the step5... button at the bottom of the screen to finish. Then ping the host 192.168.1.120 from a client terminal, and the ICMP alert soon appears in the BASE interface, as shown in Figure 1-13.
Figure 1-13 Alert received
If the ICMP alert arrives in the BASE web interface, the BASE installation and setup is complete.
#yum install phpmyadmin
Modify the configuration file:
#vi /etc/httpd/conf.d/phpMyAdmin.conf
Comment out line 24, Deny from All.
Restart the web service
#service httpd restart
Open the phpMyAdmin web UI
URL: http://yourip/phpmyadmin/
Figure 14 Opening the phpMyAdmin site
In the web interface, enter the user name snort and the password 123456.
Figure 16
To delete alerts, first tick the alerts to be deleted, then choose "Delete alert(s)" from the "Action" drop-down menu, as shown in Figure 1-17.
Figure 1-17 Deleting alerts
Note: in step 3, pay special attention to the installation of Image_Graph; if it failed or was skipped, BASE shows an error about being unable to draw images when you open it. Many of these errors come from insufficient preparation (installing Snort and the PHP components).
Assume the Snort server has a single network card named eth0. To have Snort and Barnyard2 start automatically we write the following shell script (on CentOS 7 the script needs adjusting, and killall is installed with the command yum install psmisc -y):
Save the script as /root/idsrun.sh and make it executable. To set it up as a boot-time service, just add the following two lines to the end of /etc/rc.d/rc.local. Note that rc.local must be executable.
Save and exit. If the script does not run, check whether execute permission was added; usually a missing execute permission is what prevents the script from running.
This completes the walkthrough of the Snort installation; the rest of the time is for you to practise repeatedly. Your network environments may differ, but the operating system and software versions are best kept identical to those described here. When experimenting, watch the case of commands and the entry of special characters such as spaces, periods, and single and double quotes. To make it stick, type every command by hand rather than using ^C ^V.
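The author's idsrun.sh is not reproduced on this page, so the script below is an added example, not the article's own: it starts Snort with -D and Barnyard2 in continuous mode using the command lines given above, after first checking the points this article says break the pair, in particular that the unified2 filename in snort.conf matches the prefix handed to barnyard2 -f (the one-to-one correspondence noted earlier) and that the waldo file and log directory exist. The start|stop|check subcommands, the use of barnyard2's -D daemon flag, and the environment overrides are assumptions of this example.

```shell
#!/bin/sh
# idsrun.sh, added example (not the article's own script): start Snort and Barnyard2
# together, after checking the points the article says break the pair.
# Assumptions not taken from the article: snort and barnyard2 are on PATH, barnyard2
# supports -D (daemon mode), and the script is called as "idsrun.sh start|stop|check".
# Every path can be overridden through the environment; the defaults follow the article.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
BY2_CONF=${BY2_CONF:-/etc/snort/barnyard2.conf}
SPOOL_DIR=${SPOOL_DIR:-/var/log/snort/}
SPOOL_PREFIX=${SPOOL_PREFIX:-snort.log}     # the value given to barnyard2 -f
WALDO=${WALDO:-/var/log/snort/barnyard2.waldo}
IFACE=${IFACE:-eth0}

# Print the "filename" value of the active "output unified2:" line in a snort.conf
# (commented-out lines are ignored); empty output means there is no such line.
unified2_prefix() {
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only when the unified2 filename in snort.conf ($1) equals the prefix
# Barnyard2 will be told to read ($2): the one-to-one correspondence the article insists on.
spool_prefix_matches() {
    [ -n "$2" ] && [ "$(unified2_prefix "$1")" = "$2" ]
}

# Report every missing prerequisite on stdout; return 1 if anything is wrong.
check_prereqs() {
    rc=0
    [ -r "$SNORT_CONF" ] || { echo "missing $SNORT_CONF"; rc=1; }
    [ -r "$BY2_CONF" ]   || { echo "missing $BY2_CONF"; rc=1; }
    [ -d "$SPOOL_DIR" ]  || { echo "missing spool directory $SPOOL_DIR"; rc=1; }
    [ -f "$WALDO" ]      || { echo "missing waldo file $WALDO (touch it, owner snort:snort)"; rc=1; }
    if [ -r "$SNORT_CONF" ] && ! spool_prefix_matches "$SNORT_CONF" "$SPOOL_PREFIX"; then
        echo "unified2 filename '$(unified2_prefix "$SNORT_CONF")' in $SNORT_CONF differs from -f $SPOOL_PREFIX"
        rc=1
    fi
    return $rc
}

# The two command lines from the article; Snort daemonises with -D, Barnyard2 runs
# in continuous mode and is daemonised with -D as well (assumed flag).
snort_cmd() {
    echo "snort -q -u snort -g snort -c $SNORT_CONF -i $IFACE -D"
}
barnyard2_cmd() {
    echo "barnyard2 -c $BY2_CONF -d $SPOOL_DIR -f $SPOOL_PREFIX -w $WALDO -g snort -u snort -D"
}

stop_ids() {
    killall snort 2>/dev/null
    killall barnyard2 2>/dev/null
    return 0
}

start_ids() {
    check_prereqs || return 1
    stop_ids                      # never run two sensors on the same interface
    eval "$(snort_cmd)" && eval "$(barnyard2_cmd)"
}

case "${1:-}" in
    start) start_ids ;;
    stop)  stop_ids ;;
    check) check_prereqs && echo "prerequisites ok" ;;
    *)     echo "usage: $0 start|stop|check" ;;
esac
```

Running "idsrun.sh check" before "start" reports exactly which of the article's prerequisites is missing instead of leaving you with an empty count(*) in the database.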
1. To display rich graphics on the OSSIM front end, the ( ) library must be installed on the system. It is a graphics library that lets PHP draw various graphics and create JPG, PNG and BMP images.
A. Zlib B. GD C. Glibc

2. Among the following options, the advantages of HIDS include ( ), and the limitations of HIDS include ( ).
A. HIDS requires an agent to be deployed on every host to be monitored, which makes deployment tedious.
B. HIDS cannot detect network reconnaissance or scanning.
C. HIDS can detect whether an *** succeeded.
D. HIDS monitors system activity.
E. HIDS can detect changes to files or applications.

4. In snort rules, the external systems supported by the reference option, and the web addresses for them, are stored in the file ( ).
A. /etc/snort/reference.config B. /etc/snort/snort.conf C. /etc/snort.conf
Analysis:
The reference option cites an external source of information, providing additional background material for a rule. Snort and Suricata both use a reference.config file to define the reference types; the file's name and storage path can be configured in snort.conf and suricata.yaml respectively.

When configuring under CentOS 7.x some conventions differ: in the newer system ip add replaces the ifconfig command, and the network card device name changes from eth0 to ens33 and so on. When listening on a network device, simply replace the card name in the configuration commands with the new device name. Also, during the BASE configuration on CentOS 7 and above, it is strongly recommended to disable SELinux temporarily.
The overall configuration process is much the same; once you understand it, you can move easily from CentOS 6.x to CentOS 7.x.

6. Why does the size of /var/log/snort/alert never change?
Check that you have run the command snort -i eth0 -c /etc/snort/snort.conf -A fast and that the snort rules have been loaded correctly.

7. How do I output Snort alerts on the screen?
The command to print alerts on the screen is as follows:
#snort -A console -u snort -g snort -i eth0 -c /etc/snort/snort.conf

8. When viewing the unified2 data generated by snort in the vi editor, why does it all show as garbage?
unified2 is an output mode of a snort output plugin that stores alert data in binary form. If you try to view the files by hand you will find they cannot be read: the unified2 output format is not designed to be read from the command line but to be consumed by tools such as Barnyard2 or pigsty (a small tool in Snorby).

9. We add a test rule locally: alert icmp any any -> $HOME_NET any (msg:"ICMP Packet Detected";sid:1000003;rev:1;). What do msg, sid and rev mean?
msg: this option holds the descriptive text for the rule, here set to ICMP Packet Detected. Once the BASE console is set up, this is the text shown most prominently on the page for an IDS engine alert, so make it as descriptive as possible.
sid: the signature identifier, which uniquely labels the rule. No two rules in snort may share a sid, and the value range is conventionally divided as follows:
0~1000000, reserved for Sourcefire VRT.
2000001-2999999, used for Emerging Threats (ET rules).
3000000+, for custom rules.
rev: the revision of the rule. This option is used to indicate that the rule has been modified; it starts at 1, and a larger number means more revisions. With each revision we do not change the SID but the rev.

10. When restarting the httpd service the following error appears. How should it be handled?
#service httpd restart
[root@snort ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for snort.localdomain
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
(98)Address already in use: make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
[FAILED]
Analysis: when the above error appears, first check the file /etc/sysconfig/network. In that file HOSTNAME=localhost.localdomain defines the original host name, and modifying HOSTNAME leads to the failure above.

11. After BASE is installed successfully, how do I switch the interface between Chinese and English?
After the system is installed, some with a Chinese interface want to switch to English and some with English want to switch to Chinese. Taking English to Chinese as an example, proceed as follows.
First go to the /var/www/html/base/ directory and find the configuration file base_config.php.
Change $BASE_Language='english';
to: $BASE_Language='simplified_chinese';
After making the change, save and exit. The web service must also be restarted for it to take effect:
#service httpd restart
Refresh the page and you're done!

12. When the following error page appears, what is the most likely cause?
The directory needs write permission; we can try changing the owner and group of the /var/www/html/ directory and setting its permissions.
#chown -R apache:apache /var/www/html
#chmod -R 755 /var/www/html
For safety, try not to give the directory 777 permissions.
Note: the Snort+Barnyard+BASE test environment has already been installed, and the virtual machine [image not reproduced]

OK, let's continue.
#make //only after seeing the following output can you continue the installation
Only if the two key steps above complete without error can you continue the installation. If an error is reported, find its cause from the message; ignoring the error and pressing on is futile.
#make install