Snort installation notes

http://www.internetsecurityguru.com/documents/Snort_Base_Barnyard_CentOS_5.pdf
http://miskm.blogspot.com/

1. wget http://www.snort.org/dl/current/snort-2.8.1.tar.gz
2. wget http://www.tcpdump.org/release/tcpdump-3.9.8.tar.gz
3. wget http://www.tcpdump.org/release/libpcap-0.9.8.tar.gz

4. tar xvfz libpcap-0.9.8.tar.gz
   # cd libpcap-0.9.8
   # ./configure

   Add the line
   #include <linux/types.h>
   to /usr/include/linux/if_packet.h

   # make
   # make install


5. wget http://jaist.dl.sourceforge.net/sourceforge/pcre/pcre-7.7.tar.gz
   # cd pcre-7.7
   # ./configure
   # make
   # make install


6. cd snort-2.8.1
   # ./configure --with-mysql --enable-dynamicplugin
   # make
   # make install

# groupadd snort
# useradd -g snort snort -s /sbin/nologin

mkdir /etc/snort

mkdir /etc/snort/rules

mkdir /var/log/snort

cd etc/   (the etc/ directory inside the snort-2.8.1 source tree, which holds the stock snort.conf)

cp * /etc/snort

wget http://dump.komsi.se/snortrules-snapshot-2.8.tar.gz

 tar zxvf snortrules-snapshot-2.8.tar.gz -C /etc/snort/

cd /etc/snort/

joe snort.conf


var HOME_NET 10.0.0.0/24 (make this whatever your internal network is, use CIDR. If you do not know CIDR then go to http://www.oav.net/mirrors/cidr.html)

var EXTERNAL_NET !$HOME_NET (this means everything that is not your home net is external to your network)


change “var RULE_PATH ../rules” to “var RULE_PATH /etc/snort/rules”

After the line that says “preprocessor stream4_reassemble” add a line that looks like “preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433” (without the quotes)


Uncomment (remove the #) the following lines in the output section of /etc/snort/snort.conf:

# output alert_unified: filename snort.alert, limit 128

# output log_unified: filename snort.log, limit 128
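The snort.conf edits above, as an added shell example that is not part of the original notes or of Snort itself: it writes a small constructed stand-in for the stock snort.conf, applies the five changes (HOME_NET as a checked IPv4 CIDR block, EXTERNAL_NET, the absolute RULE_PATH, the stream4_reassemble line after the preprocessor line, and the uncommented unified output lines) in a single awk pass so it can be re-run safely, and then verifies each edit is present exactly once. The function names, the sample file contents and the temporary directory are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not from the original notes): apply the snort.conf edits
# described above to a file and verify them. Function names, the sample
# configuration and the temp directory are this example's own choices.
set -eu

REASM='preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433'

# valid_cidr A.B.C.D/N -> 0 if it is a well-formed IPv4 CIDR block, else 1.
# A typo in HOME_NET silently shrinks the traffic the rules watch, so the
# value is checked before anything is written.
valid_cidr() {
    local cidr="$1" ip prefix o n=0
    case "$cidr" in */*) ;; *) return 1 ;; esac
    ip="${cidr%/*}"; prefix="${cidr#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in .*|*.|*..*) return 1 ;; esac
    for o in $(printf '%s' "$ip" | tr '.' ' '); do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# write_sample_conf FILE: a constructed, minimal stand-in for the stock
# snort-2.8.1 snort.conf, holding only the lines the notes tell you to change.
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
include $RULE_PATH/local.rules
EOF
}

# apply_conf_edits FILE HOME_CIDR: rewrite FILE in place with the five edits.
# One awk pass; an existing reassembly line is dropped and re-added after
# "preprocessor stream4_reassemble", so running this twice changes nothing.
apply_conf_edits() {
    local conf="$1" home="$2"
    valid_cidr "$home" || { echo "HOME_NET must be an IPv4 CIDR block, got '$home'" >&2; return 1; }
    awk -v home="$home" -v reasm="$REASM" '
        $1 == "var" && $2 == "HOME_NET"     { print "var HOME_NET " home; next }
        $1 == "var" && $2 == "EXTERNAL_NET" { print "var EXTERNAL_NET !$HOME_NET"; next }
        $1 == "var" && $2 == "RULE_PATH"    { print "var RULE_PATH /etc/snort/rules"; next }
        $0 == reasm                         { next }   # re-added below
        /^# *output (alert|log)_unified:/   { sub(/^# */, ""); print; next }
        { print }
        $1 == "preprocessor" && $2 == "stream4_reassemble" { print reasm }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_conf_edits FILE HOME_CIDR: 0 when every edit is present exactly once
# and no unified output line is still commented out.
check_conf_edits() {
    local conf="$1" home="$2"
    [ "$(grep -cxF "var HOME_NET $home" "$conf")" -eq 1 ] &&
    [ "$(grep -cxF 'var EXTERNAL_NET !$HOME_NET' "$conf")" -eq 1 ] &&
    [ "$(grep -cxF 'var RULE_PATH /etc/snort/rules' "$conf")" -eq 1 ] &&
    [ "$(grep -cxF "$REASM" "$conf")" -eq 1 ] &&
    [ "$(grep -cx 'output alert_unified: filename snort.alert, limit 128' "$conf")" -eq 1 ] &&
    [ "$(grep -cx 'output log_unified: filename snort.log, limit 128' "$conf")" -eq 1 ] &&
    ! grep -q '^# *output .*_unified' "$conf"
}

# Demo on a constructed file; prints the rewritten configuration.
demo() {
    local dir; dir=$(mktemp -d)
    write_sample_conf "$dir/snort.conf"
    apply_conf_edits "$dir/snort.conf" 10.0.0.0/24
    apply_conf_edits "$dir/snort.conf" 10.0.0.0/24   # second run: no change
    check_conf_edits "$dir/snort.conf" 10.0.0.0/24 && echo "snort.conf edits verified"
    cat "$dir/snort.conf"
    rm -rf "$dir"
}
demo
```

Against the real file the same functions apply as `apply_conf_edits /etc/snort/snort.conf 10.0.0.0/24` followed by `check_conf_edits`; keeping the check separate from the edit is what lets a configuration-management run confirm the sensor still watches the intended network after someone hand-edits the file.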
