1 安装Ubuntu16.04

2 配置网络eth1或em1

3 安装snort的前提条件：

sudo apt-get install -y build-essential; sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev; sudo apt-get install -y bison flex; 

创建文件夹: mkdir ~/snort_src; cd ~/snort_src

进入官网下载DAQ最新版: wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz

tar -xvzf daq-2.0.6.tar.gz; cd daq-2.0.6; ./configure; make; sudo make install

4 安装snort

sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev; sudo apt-get install -y libnghttp2-dev

cd ~/snort_src; wget https://snort.org/downloads/snort/snort-2.9.12.tar.gz; tar -xvzf snort-2.9.12.tar.gz

cd snort-2.9.12; ./configure --enable-sourcefire; make; sudo make install

更新共享库：sudo ldconfig; 

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

snort -V

5 配置snort运行在NIDS模式

# 创建snort用户和组：

sudo groupadd snort

sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

# 创建snort目录:

sudo mkdir /etc/snort

sudo mkdir /etc/snort/rules

sudo mkdir /etc/snort/rules/iplists

sudo mkdir /etc/snort/preproc_rules

sudo mkdir /usr/local/lib/snort_dynamicrules

sudo mkdir /etc/snort/so_rules

# 创建一些存储规则和IP列表的文件

sudo touch /etc/snort/rules/iplists/black_list.rules

sudo touch /etc/snort/rules/iplists/white_list.rules

sudo touch /etc/snort/rules/local.rules

sudo touch /etc/snort/sid-msg.map

# 创建日志目录：

sudo mkdir /var/log/snort

sudo mkdir /var/log/snort/archived_logs

# 调整权限：

sudo chmod -R 5775 /etc/snort

sudo chmod -R 5775 /var/log/snort

sudo chmod -R 5775 /var/log/snort/archived_logs

sudo chmod -R 5775 /etc/snort/so_rules

sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

# 更改文件夹的所有权：

sudo chown -R snort:snort /etc/snort

sudo chown -R snort:snort /var/log/snort

sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

#/etc/snort 配置文件和动态处理

cd ~/snort_src/snort-2.9.9.0/etc/

sudo cp *.conf* /etc/snort

sudo cp *.map /etc/snort

sudo cp *.dtd /etc/snort

cd ~/snort_src/snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/

sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

#注释掉snort配置文件中引用的所有单个规则文件（不需要单独下载每个文件）

sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

sudo vi /etc/snort/snort.conf

设置：ipvar HOME_NET 10.0.0.0/24（em1网段或者any) #采用/HOME_NET

在第104行开始设置：:104

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules/iplists

var BLACK_LIST_PATH /etc/snort/rules/iplists

在546行插入：include $RULE_PATH/local.rules

查看snort是否配置成功：

$ sudo snort -T -i eth0 -c /etc/snort/snort.conf （或eth1 em1)

6 写入简单规则进行snort检测

sudo vi /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmpevent;) (源ip 端口号-> 目的IP 目的端口）

设置/etc/snort/sid-msg.map

1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792

sudo snort -T -c /etc/snort/snort.conf -i em1

$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i em1

匹配数据保存在/var/log/snort中，name snort.log.nnnnnnnnn

7 安装Barnyard2

将snort事件写入Mysql数据库

安装前提：sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool

告诉snort输入告警在二进制文件

/etc/snort/snort.conf 521行

# output unified2: filename merged.log, limit 128, nostamp, mpls event types, vlan event typesg

output unified2: filename snort.u2, limit 128 （128M大小）

下载Barnyard2

cd ~/snort_src

wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-Master.tar.gz

tar zxvf barnyard2-Master.tar.gz

cd barnyard2-master

autoreconf -fvi -I ./m4

创建软链接

sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

sudo ldconfig

选择版本 uname -a

# Choose ONE of these two commands to run

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu

./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

完成安装到/usr/local/bin/barnyard2:

make

sudo make install

$ /usr/local/bin/barnyard2 -V

复制相关文件

sudo cp ~/snort_src/barnyard2-master/etc/barnyard2.conf /etc/snort/

# the /var/log/barnyard2 folder is never used or referenced

# but barnyard2 will error without it existing

sudo mkdir /var/log/barnyard2

sudo chown snort.snort /var/log/barnyard2

sudo touch /var/log/snort/barnyard2.waldo

sudo chown snort.snort /var/log/snort/barnyard2.waldo

创建snort数据库

$ mysql -u root -p

mysql> create database snort;

mysql> use snort;

mysql> source ~/snort_src/barnyard2-master/schemas/create_mysql

mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MySqlSNORTpassword';

mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';

mysql> exit

编辑/etc/snort/barnyard2.conf; 在最后一行添加

output database: log, mysql, user=snort password=MySqlSNORTpassword dbname=snort host=localhost sensor name=sensor01

组织其他用户查看

sudo chmod o-r /etc/snort/barnyard2.conf

测试snort事件写入数据库

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i em1 -D

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

8 安装pulledpork

#install pulledpork

sudo apt-get install -ylibcrypt-ssleay-perl liblwp-useragent-determined-perl

cd ~/snort_src

wgethttps://github.com/shirkdog/pulledpork/archive/master.tar.gz -Opulledpork-master.tar.gz

tar xzvf pulledpork-master.tar.gz

cd pulledpork-master/

sudo cp pulledpork.pl /usr/local/bin

sudo chmod +x /usr/local/bin/pulledpork.pl

sudo cp etc/*.conf /etc/snort