Friday, February 4, 2011

Snort - Web-based management console (SnortCenter)

SnortCenter is a web-based management system for Snort sensors and rules. From one console you can change a remote sensor's configuration, start and stop the sensor, and edit and push Snort signature rules, so every snort agent on the network is managed and controlled centrally.

Download:
URL: http://users.pandora.be/larc/download/


Unpack/install
[root@snort darwin]# tar zxvf snortcenter-console-3-31-05.tar.gz
[root@snort darwin]# mv snortcenter-release  /var/www/html/snortcenter
[root@snort darwin]# cd /var/www/html/snortcenter

Create the snortcenter database
[root@snort snortcenter]# echo "CREATE DATABASE snortcenter;" | mysql -u root -p
Enter password:   // type the MySQL root password


Edit the SnortCenter config file
[root@snort sc]# vi config.php 
Contents:
$DBlib_path = "/usr/local/lib/adodb/";
$curl_path = "/usr/bin/";
$DBtype = "mysql";
$DB_dbname   = "snortcenter";       // $DB_dbname   : MySQL database name of the SnortCenter DB
$DB_host     = "localhost";         // $DB_host     : host on which the DB is stored
$DB_user     = "root";              // $DB_user     : login to the database with this user
$DB_password = "gh8Q6prt";          // $DB_password : password of the DB user
$DB_port     = "";                  // $DB_port     : port on which to access the DB (blank is default)
$hidden_key_num      = "4322";
$alert_console = "http://192.168.1.100/base/";  // link to the BASE alert console

The first two lines point at the ADOdb library and the curl binary, which must already be installed at those paths. Two things are worth fixing before going further: the console logs in as the MySQL root account with the password stored in clear text, so create a MySQL user that only has privileges on the snortcenter database and put that user here instead, and make config.php readable only by the web server's user, since the whole file is a credential. If the console is reachable from outside the management network, put it behind HTTPS and restrict which addresses can reach it: it pushes rules and snort.conf to every sensor it manages.


Edit database.php
[root@snort snortcenter]# vi database.php
Two statements need the table name quoted, because schema is a reserved word in MySQL 5.0 and later and the unquoted form makes the table creation fail:
Around line 294: change "CREATE TABLE schema" to "CREATE TABLE `schema`" (add the backticks)
Around line 304: change "INSERT INTO schema" to "INSERT INTO `schema`"
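Rather than editing database.php by hand, the change above can be applied and verified with a script. The following is an added example, not part of SnortCenter or of this post; it assumes the two statements appear in the file exactly as quoted above (the sample database.php it writes for testing is constructed, with made-up column names) and that the real file path is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from SnortCenter: quote the reserved table name `schema`
# in database.php in a repeatable way, keeping a backup and checking afterwards.
# Assumptions: the file contains the two statements exactly as quoted in the
# post ("CREATE TABLE schema ..." and "INSERT INTO schema ..."); the target
# path is the first argument.

# Count statements that still use the unquoted, reserved name.
count_unquoted() {
    grep -E -c '(CREATE TABLE|INSERT INTO) schema[^A-Za-z0-9_`]' "$1" || true
}

# Rewrite only the unquoted forms. Already-quoted lines do not match the
# patterns, so running this twice changes nothing. Returns non-zero if any
# unquoted statement survives.
patch_schema_quoting() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    cp -p "$f" "$f.orig"
    sed -e 's/CREATE TABLE schema\([^A-Za-z0-9_`]\)/CREATE TABLE `schema`\1/' \
        -e 's/INSERT INTO schema\([^A-Za-z0-9_`]\)/INSERT INTO `schema`\1/' \
        "$f.orig" > "$f"
    [ "$(count_unquoted "$f")" = "0" ]
}

# Constructed stand-in for the relevant lines of database.php (not the real file).
make_sample_database_php() {
    cat > "$1" <<'EOF'
$sql = "CREATE TABLE schema ( vseq INT UNSIGNED NOT NULL, ctime DATETIME NOT NULL )";
$db->Execute($sql);
$sql = "INSERT INTO schema (vseq, ctime) VALUES (1, NOW())";
$db->Execute($sql);
EOF
}

# Usage: sh fix-schema.sh /var/www/html/snortcenter/database.php
case "${1:-}" in
    "") ;;
    *)  patch_schema_quoting "$1" && echo "patched $1 (original kept as $1.orig)" ;;
esac
```

The backup is written with cp -p and the patched text is written back into the original inode, so ownership and permissions of database.php are preserved.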


Open a browser
http://192.168.1.100/snortcenter

Default account/password: admin/change

Change this password at the first login: every sensor this console manages will run whatever snort.conf and rules it pushes.


Install the SnortCenter agent
URL: http://sourceforge.net/projects/snortcenter2/files/

Unpack/install
[root@snort darwin]# tar zxvf snortcenter-agent-v2.x.linux.tar.gz
[root@snort darwin]# mv sensor/ /opt/snortagent
[root@snort darwin]# cd /opt/snortagent/
[root@snort darwin]# ./setup.sh


Answer the setup questions:
 ***********************************************************************************
*       Welcome to the SnortCenter Sensor Agent setup script, version 1.0 RC1        *
***********************************************************************************

Installing Sensor in /opt/snortagent ...
*************************************************************************************
The Sensor Agent uses separate directories for configuration files and log files.
Unless you want to place them in a other directory, you can just accept the defaults.

Config file directory [/opt/snortagent/conf]:
Log file directory [/opt/snortagent/log]:

****************************************************************************************
SnortCenter Sensor Agent is written entirely in Perl. Please enter the full path to the
Perl 5 interpreter on your system.

Full path to perl (default /usr/bin/perl):
Testing Perl ...
Perl seems to be installed ok

*********************************************************************************
SnortCenter Sensor Agent needs Snort to be installed, 'As if you didn't know :-)'
Please enter the full path to snort binary.

Full path to snort (default /usr/local/bin/):
Ok, found Snort   o"  )~   Version 2.8.5.3 (Build 124)
           Using PCRE version: 6.6 06-Feb-2006

Snort Rule config file directory [/opt/snortagent/rules/]:  /etc/snort/rules
***********************************************************************
For Webmin to work properly, it needs to know which operating system
type and version you are running. Please select your system type by
entering the number next to it from the list below
---------------------------------------------------------------------------
  1) Sun Solaris            2) Caldera OpenLinux eS   3) Caldera OpenLinux
  4) Redhat Linux           5) Slackware Linux        6) Debian Linux
  7) SuSE Linux             8) United Linux           9) Corel Linux
 10) TurboLinux            11) Cobalt Linux          12) Mandrake Linux
 13) Mandrake Linux Corpo  14) Delix DLD Linux       15) Conectiva Linux
 16) ThizLinux Desktop     17) ThizServer            18) MSC Linux
 19) MkLinux               20) LinuxPPC              21) XLinux
 22) LinuxPL               23) Trustix               24) Cendio LBS Linux
 25) Ute Linux             26) Lanthan Linux         27) Yellow Dog Linux
 28) Corvus Latinux        29) Immunix Linux         30) Gentoo Linux
 31) Lycoris Desktop/LX    32) Secure Linux          33) Generic Linux
 34) FreeBSD               35) OpenBSD               36) NetBSD
 37) BSDI                  38) HP/UX                 39) SGI Irix
 40) DEC/Compaq OSF/1      41) IBM AIX               42) SCO UnixWare
 43) SCO OpenServer        44) Darwin                45) Mac OS X
 46) Mac OS X / OS X Serv  47) Cygwin
---------------------------------------------------------------------------
Operating system: 4
Please choose which version of Redhat Linux you are running, by entering
the number next to it from the list below
---------------------------------------------------------------------------
  1) Redhat Linux 4.0                     2) Redhat Linux 4.1
  3) Redhat Linux 4.2                     4) Redhat Linux 5.0
  5) Redhat Linux 5.1                     6) Redhat Linux 5.2
  7) Redhat Linux 6.0                     8) Redhat Linux 6.1
  9) Redhat Linux 6.2                    10) Redhat Linux 7.0
 11) Redhat Linux 7.1                    12) Redhat Linux 7.2
 13) Redhat Linux 7.3                    14) Redhat Linux 2.1AS
 15) Redhat Linux 2.1ES                  16) Redhat Linux 2.1WS
 17) Redhat Linux 8.0                    18) Redhat Linux 8.1
 19) Redhat Linux 9.0
---------------------------------------------------------------------------
Version: 4
Operating system name:    Redhat Linux
Operating system version: 5.0

********************************************************************
SnortCenter Sensor Agent uses its own password protected web server
The setup script needs to know :
 - What port to run the Sensor Agent on. There must not be another
   service already using this port.
 - What ip address to listen on.
 - The login name required to access the Sensor Agent.
 - The password required to access the Sensor Agent.
 - The hostname of this system that the Sensor Agent should use.
 - If the Sensor Agent should use SSL (if your system supports it).
 - Whether to use ip access control.
 - Whether to start Snortcenter Sensor Agent at boot time.

Sensor port (default 2525):

If this host has multiple IP addresses,
the server can be configured to listen on
only one address (default any): 192.168.1.100
Login name (default admin):
Login password:
Password again:
Sensor host name (default snort.catchlink.com): snort
Use SSL (y/n): n

*********************************************************************************************
The Sensor Agent can be configured allow access only from certain IP addresses.
Hostnames (like foo.bar.com) and IP networks (like 10.254.3.0 or 10.254.1.0/255.255.255.128)
can also be entered.
You should limit access to your sensor to trusted addresses like the
SnortCenter Management Console, especially if it is accessible from the Internet.
Otherwise, anyone who guesses your password will have complete control of your system.
You can enter multiple addresses by typing a space between them like (127.0.0.1 foo.bar.com)


Allowed IP addresses (default localhost):192.168.1.0
Start Sensor at boot time (y/n): y
***********************************************************************
Creating Sensor Agent config files..
..done

Inserting path to perl into scripts..
..done

Creating start and stop scripts..
..done

Copying config files..
..done

Configuring SnortCenter Sensor Agent to start at boot time..
Created init script /etc/rc.d/init.d/sensor
..done

Creating uninstall script /opt/snortagent/conf/uninstall.sh ..
..done

Changing ownership and permissions ..
..done

Attempting to start Sensor Agent..
Starting SnortCenter Sensor Agent server in /opt/snortagent
..done

**********************************************************************************
SnortCenter Sensor Agent has been installed and started successfully.
You can now create and configure the sensor in the SnortCenter Management Console.
Or use your webbrowser to go to


 http://snort.catchlink.com:2525/

and login with the name and password you entered previously.
-----------------------------------------------------------------------------------------------------------------------------
That is mostly it!


[root@snort snort]# cp /etc/snort/snort.conf /etc/snort/snort.eth0.conf

Open a browser on the agent's port 2525 (the URL printed at the end of setup).

Note: the snort process on the agent can be started and stopped remotely from the console.

Two of the answers given above deserve a second look before the agent is left running: SSL was declined, so the agent password and every snort.conf and rule file the console pushes travel over port 2525 in clear text, and the allowed-address list was set to 192.168.1.0, which the agent treats as the whole network rather than the console alone. The setup script's own warning applies: anyone who reaches the port and guesses the password controls the sensor host. Answer y to the SSL prompt where the system supports it, and list only the console's address.

Start the agent
[root@snort conf]# /opt/snortagent/conf/start
Starting SnortCenter Sensor Agent server in /opt/snortagent
[root@snort conf]# netstat -na |grep -w 2525
tcp        0      0 192.168.1.100:2525          0.0.0.0:*          LISTEN
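The config.php values above and the agent setup answers (SSL declined, a whole network allowed) are the two places where this deployment is weakest, so it is worth checking both files after installation. The script below is an added example, not part of SnortCenter or of this post. It assumes config.php has a `$DB_user = "...";` line as shown earlier, and that the agent's conf/miniserv.conf is a Webmin-style key=value file with the keys port, bind, ssl and allow (the agent's web server is Webmin's miniserv; the key names are an assumption, check them against your conf directory). It parses ls -l for the permission bits because stat's flags differ between GNU and BSD. The sample files it writes are constructed to mirror the values on this page, not real deployment files.

```shell
#!/bin/sh
# Added example, not part of SnortCenter or the original post: audit the two
# files this page produces, the console's config.php and the agent's
# conf/miniserv.conf, for the weak settings discussed above.
# Assumptions: config.php has a line of the form  $DB_user = "...";  and
# miniserv.conf is Webmin-style key=value with the keys port, bind, ssl and
# allow (space-separated hosts/networks). Findings print as FAIL: or WARN:.

# Print the value of KEY from a key=value file (empty if absent).
conf_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Console: which MySQL account it uses, and who can read the clear-text password.
check_console_config() {
    f="$1"
    [ -r "$f" ] || { echo "FAIL: $f is not readable"; return; }
    user=$(sed -n 's/^\$DB_user[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n 1)
    case "$user" in
        root) echo "FAIL: console uses the MySQL root account; create a user with rights on the snortcenter DB only" ;;
        "")   echo "WARN: no \$DB_user line found in $f" ;;
    esac
    # Characters 8-10 of ls -l output are the permission bits for "other".
    others=$(ls -l "$f" | cut -c8-10)
    [ "$others" = "---" ] || echo "FAIL: $f is readable by every local user (other=$others); chmod 640 and chown it to the httpd user"
}

# Agent: transport, bind address and source restriction of the port-2525 listener.
check_agent_config() {
    f="$1"
    [ -r "$f" ] || { echo "FAIL: $f is not readable"; return; }
    port=$(conf_value "$f" port); port=${port:-2525}
    ssl=$(conf_value "$f" ssl)
    bind=$(conf_value "$f" bind)
    allow=$(conf_value "$f" allow)
    [ "$ssl" = "1" ] || echo "FAIL: ssl=${ssl:-unset}; agent login and every pushed snort.conf/rule file cross port $port in clear text"
    [ -n "$bind" ] || echo "WARN: bind is empty; the agent listens on every interface, not just the management address"
    if [ -z "$allow" ]; then
        echo "FAIL: allow is empty; anyone who can reach port $port may guess the password"
    else
        for a in $allow; do
            case "$a" in
                *.0|*/*) echo "WARN: allow entry $a admits a whole network; list the console host instead" ;;
            esac
        done
    fi
}

# Number of FAIL lines in a report (0 when clean).
count_fails() {
    grep -c '^FAIL' || true
}

# Constructed samples mirroring the values on this page (not real deployment files).
write_sample_files() {
    cat > "$1" <<'EOF'
$DB_user     = "root";
$DB_password = "gh8Q6prt";
EOF
    cat > "$2" <<'EOF'
port=2525
bind=192.168.1.100
ssl=0
allow=192.168.1.0
EOF
}

# Usage: sh audit.sh /var/www/html/snortcenter/config.php /opt/snortagent/conf/miniserv.conf
if [ $# -eq 2 ]; then
    check_console_config "$1"
    check_agent_config "$2"
fi
```

Run it against the real paths after setup; a clean deployment prints nothing. The 192.168.1.0 entry from the setup answers above is reported as a WARN rather than a FAIL because it still limits access to one network, but the console's own address is the only entry that should be there.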


Stop the agent
[root@snort conf]# /opt/snortagent/conf/stop


Remove the snort agent
[root@snort snortcenter]# cd conf
[root@snort conf]# ./uninstall.sh
Are you sure you want to uninstall SnortCenter Sensor Agent? (y/n) : y


Start the agent automatically at boot
[root@snort snortagent]# chkconfig --level 35 sensor on
[root@snort snortagent]# chkconfig --list sensor
sensor          0:off   1:off   2:off   3:on    4:off   5:on    6:off


Add the snort agent to central management (create the sensor in the SnortCenter console and point it at the agent's address and port 2525)



Snort on the sensor can also be started and stopped from the central console.


That completes the SnortCenter setup.
