IDS (intrusion detection system)

Functions:

1. Monitor and analyze user and system activity

2. Audit system configuration and vulnerabilities

3. Assess the integrity of critical system and data files

4. Recognize patterns of intrusion activity and alert network administrators

5. Statistical analysis of anomalous activity

6. Manage the operating-system audit trail and identify user activity that violates policy

Classification:

1. Host-based (analyzes host logs and records)

2. Network-based (analyzes network packets)

3. Hybrid (more comprehensive than either of the above)

Why an IDS's detection model always lags behind intruders' newest knowledge and techniques:

1. Using encryption to hide from the IDS (it cannot inspect what it cannot decrypt)

2. Evading the IDS's security policy, i.e. shaping traffic so that it matches no signature

3. Launching the attack faster than the IDS can react

4. Launching a large-scale attack so that the IDS misjudges or drowns in alerts

5. Attacking the IDS itself

6. Intelligent intrusion techniques that learn while attacking, turning the IDS into the intruder's own tool

Installing and configuring snort:

 Required packages

acid-0.9.6b23.tar.gz 
adodb468.tgz         
jpgraph-3.0.7.tar.bz2
snort-2.8.4.1.tar.gz 
Apache, PHP, MySQL and libpcap are also needed; to save effort the distribution's own packages are used (php* pulls in php-mysql, which provides the mysql_* functions that the test page below and ACID rely on):
[root@localhost ~]# yum install zlib-*  libpcap*  mysql*  httpd*  php*
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
391 DirectoryIndex index.php  index.html index.html.var
992 AddType  application/x-httpd-php .php
[root@localhost ~]# vim /var/www/html/index.php
 
<?php
phpinfo();
?>
<?php
$link=mysql_connect('localhost','root','');
if(!$link) echo "fail";
else echo "success";
mysql_close();
?>
[root@localhost ~]# service httpd restart
[root@localhost ~]# service mysqld restart
Test: browse to the server's index.php. It should show the phpinfo() page followed by "success" (the original screenshots are not preserved). Delete this test page once the check passes: phpinfo() discloses the server configuration to anyone who can reach the host, and the page connects to MySQL as root with an empty password.

snort installation:
[root@localhost ~]# mkdir /etc/snort
[root@localhost ~]# mkdir /var/log/snort
[root@localhost ~]# tar -zxvf snort-2.8.4.1.tar.gz
[root@localhost ~]# cd snort-2.8.4.1
[root@localhost snort-2.8.4.1]# ./configure --with-mysql=/usr/bin/mysql
Error:
ERROR!  Libpcre header not found.
   Get it from
Download the package
pcre-8.30.zip
[root@localhost ~]# unzip pcre-8.30.zip
[root@localhost ~]# cd pcre-8.30
[root@localhost pcre-8.30]# ./configure
[root@localhost pcre-8.30]# make && make install
Then run snort's configure again. (A self-built pcre lands in /usr/local/lib; if snort later refuses to start because it cannot open libpcre.so, add that directory to /etc/ld.so.conf and run ldconfig.)
[root@localhost snort-2.8.4.1]# ./configure --with-mysql
[root@localhost snort-2.8.4.1]# make && make install
[root@localhost snort-2.8.4.1]# cd etc/
[root@localhost etc]# cp snort.conf *.map  *.config /etc/snort/
(snort.conf is copied along with the map and config files, since it is edited under /etc/snort below.)
Download the rule set
snortrules-pr-2.4.tar.gz
[root@localhost ~]# tar -zxvf snortrules-pr-2.4.tar.gz
[root@localhost ~]# cd rules/
[root@localhost rules]# cp *  /etc/snort/
[root@localhost ~]# vim /etc/snort/snort.conf
 25  var HOME_NET 10.10.10.0/24
 110 var RULE_PATH  /etc/snort/
 572  output database: log, mysql, user=root password=123  dbname=snort  host=localhost
HOME_NET is the network snort protects (the rule headers refer to it as $HOME_NET and to everything else as $EXTERNAL_NET), RULE_PATH is the directory the .rules files were copied into, and the output line makes snort write alerts into MySQL. The password on that line has to match the root password set with mysqladmin in the next step.
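To make the HOME_NET variable and the rule files concrete, here is an added example (not code from the original page or from the Snort project): a toy, Python-only matcher that parses `var` lines and classic Snort rule headers, expands $HOME_NET/$EXTERNAL_NET including the `!` negation, and runs the rules over a few packets. The config fragment, the three rules (sids 1000001 and up, the range Snort leaves free for local rules) and the packets are all constructed for the example; it has no stream reassembly or preprocessors and is not a substitute for Snort's engine.

```python
"""Toy Snort-style rule matcher, added as an example (not Snort's own code).
Models the HOME_NET variable and rule files edited above: headers of the form
`action proto src sport -> dst dport (options)`, msg/content/sid options,
'!' negation and `<>` bidirectional headers. All data below is constructed."""
import ipaddress
import re

# Constructed snort.conf fragment, same shape as the HOME_NET line above.
CONF = """
var HOME_NET 10.10.10.0/24
var EXTERNAL_NET !$HOME_NET
"""
# Constructed rules in the syntax of the .rules files under RULE_PATH.
RULES = r"""
# comment and blank lines are skipped, as in the stock rule files
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to HOME_NET"; sid:1000002; rev:1;)
alert udp any any <> $HOME_NET 53 (msg:"DNS involving HOME_NET"; sid:1000003; rev:1;)
"""
HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                       r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

def expand(token, vars_):
    """Resolve $NAME from the var table; '!' prefixes negate and cancel in pairs."""
    neg = 0
    while token.startswith("!"):
        neg, token = neg + 1, token[1:]
    if token.startswith("$"):
        return expand("!" * neg + vars_[token[1:]], vars_)
    return ("!" if neg % 2 else "") + token

def parse_vars(conf):
    """Collect `var NAME VALUE` lines; a var may reference earlier vars."""
    vars_ = {}
    for m in re.finditer(r"^\s*var\s+(\w+)\s+(\S+)", conf, re.M):
        vars_[m.group(1)] = expand(m.group(2), vars_)
    return vars_

def parse_rules(text, vars_):
    """Parse rule lines into dicts with the header fields already expanded."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        r = m.groupdict()
        for k in ("src", "sport", "dst", "dport"):
            r[k] = expand(r[k], vars_)
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(r.pop("opts"))}
        r["msg"], r["sid"] = opts.get("msg", ""), int(opts["sid"])
        r["content"] = opts.get("content", "").encode()  # b"" is in any payload
        rules.append(r)
    return rules

def addr_matches(spec, ip):
    """'any', an IP/CIDR, or a '!'-negated IP/CIDR, tested against one address."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def port_matches(spec, port):
    """'any', a port number, or a '!'-negated port number."""
    if spec == "any":
        return True
    return (int(spec.lstrip("!")) == port) != spec.startswith("!")

def match(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    def one_way(s, sp, d, dp):
        return (addr_matches(rule["src"], s) and port_matches(rule["sport"], sp)
                and addr_matches(rule["dst"], d) and port_matches(rule["dport"], dp))
    ok = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not ok and rule["dir"] == "<>":  # bidirectional header: try the reverse
        ok = one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return ok and rule["content"] in pkt["payload"]

def run(rules, packets):
    """Return [(sid, msg)] for every rule hit, in packet order."""
    return [(r["sid"], r["msg"]) for p in packets for r in rules if match(r, p)]

# Constructed packets: the first and third should alert, the other two should not.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "10.10.10.80", "dport": 80,
     "payload": b"GET /cgi-bin/x?f=../../etc/passwd HTTP/1.0\r\n"},  # outside -> web server
    {"proto": "tcp", "src": "10.10.10.7", "sport": 40001, "dst": "10.10.10.80", "dport": 80,
     "payload": b"GET /etc/passwd HTTP/1.0\r\n"},  # same request, but from inside HOME_NET
    {"proto": "udp", "src": "10.10.10.53", "sport": 53, "dst": "198.51.100.9", "dport": 33000,
     "payload": b"\x12\x34\x81\x80"},  # DNS reply leaving HOME_NET; '<>' still matches it
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40002, "dst": "10.10.10.22", "dport": 2222,
     "payload": b"SSH-2.0-OpenSSH_5.3\r\n"},  # SSH on a non-standard port: port-22 rule misses
]

def demo():
    """Alerts produced for PACKETS under CONF and RULES."""
    return run(parse_rules(RULES, parse_vars(CONF)), PACKETS)

if __name__ == "__main__":
    print(demo())
```

The second and fourth packets show the two ways a rule set goes quiet: a HOME_NET that is too wide turns an internal attacker into "trusted" traffic under $EXTERNAL_NET, and a rule pinned to one port sees nothing once the service moves. Both are worth remembering when choosing the HOME_NET value above.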
[root@localhost etc]# mysqladmin -uroot password 123
[root@localhost ~]# mysql -uroot -p123
mysql> grant all privileges on *.*  to   identified by '123' with grant option;
mysql> create database snort;
mysql> connect snort;
mysql> source /root/snort-2.8.4.1/schemas/create_mysql;
mysql> grant all on snort.* to snort;
mysql> grant all on snort.* to ;
mysql> flush privileges;
Start snort as a daemon (-D), logging application-layer payload (-d), with the edited configuration:
[root@localhost ~]# snort -d -D -c /etc/snort/snort.conf
This version trips on two rules in the downloaded web-misc.rules; comment them out and start snort again in the foreground to see the banner:
[root@localhost snort]# vim /etc/snort/web-misc.rules
Comment out lines 97 and 452.
[root@localhost snort]# snort  -c /etc/snort/snort.conf

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-

  o"  )~   Version 2.8.4.1 (Build 38) 
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 8.30 2012-02-04

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.10  <Build 16>

           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 11>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 2>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 1>
           Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 7>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 2>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 1>
 If the little pig shows up, snort is working.
 Next install the ADOdb database layer (unpacks into ./adodb):
 [root@localhost html]# cp /root/adodb468.tgz /var/www/html/
 [root@localhost html]# tar -zxvf adodb468.tgz 
 [root@localhost html]# cp /root/jpgraph-3.0.7.tar.bz2 ./
 [root@localhost html]# tar -jxvf jpgraph-3.0.7.tar.bz2
 [root@localhost html]# mkdir jpgraph-3.0.7
 [root@localhost html]# mv src  VERSION README docportal jpgraph-3.0.7
 [root@localhost html]# rm -rf jpgraph-3.0.7.tar.bz2
 [root@localhost html]# cd jpgraph-3.0.7/
 [root@localhost jpgraph-3.0.7]# rm -rf README
 [root@localhost jpgraph-3.0.7]# cd ..
 The ACID tarball unpacks into ./acid, which holds acid_conf.php:
 [root@localhost html]# cp /root/acid-0.9.6b23.tar.gz  /var/www/html/
 [root@localhost html]# tar -zxvf acid-0.9.6b23.tar.gz
 [root@localhost html]# cd acid/
 [root@localhost acid]# vim acid_conf.php
 12 $DBlib_path = "/var/www/html/adodb";
 32 $alert_dbname   = "snort";
 33 $alert_host     = "localhost";
 34 $alert_port     = "";
 35 $alert_user     = "root";
 36 $alert_password = "123";
 39 $archive_dbname   = "snort";
 40 $archive_host     = "localhost";
 41 $archive_port     = "";
 42 $archive_user     = "root";
 43 $archive_password = "123";
 69 $ChartLib_path = "/var/www/html/jpgraph-3.0.7/src";
 Note that this puts the MySQL root password into a file the web server reads, so anyone who gets a shell as apache owns every database on the host. ACID only needs rights on the snort database; a dedicated account limited to snort.* (such as the snort user granted above, once it is given a password) is the better choice for both the alert and archive entries.

Test: open http://<server>/acid/ in a browser (the original screenshots are not preserved). On the first visit ACID fails with:

Database ERROR:Table 'snort.acid_ag' doesn't exist

ACID keeps its own bookkeeping tables (alert groups and so on) next to snort's alert tables, and they are not part of snort's create_mysql schema. Create them from the script that ships in the acid directory of the tarball, then reload the page:

 mysql> source /root/acid/create_acid_tbls_mysql.sql;