Snort + DAQ + PF_RING
snort 2013. 1. 16. 18:19 |성능이 얼마나 올라갈까
##############################################
======> 트래픽이 높아지니 kernel에러 또는 로그없이 스노트가 멈추는 현상이 발생해서 2.9.4.0으로 교체함. 아직까진 문제 없음.
2.9.4로 설치시 daq만 2.0으로 재설치하면 나머지 과정은 같다. (pf_ring관련모듈 재컴파일 필요)
최신버전에서는 mysql output을 지원하지 않는다. db저장시 snort-barnyard-mysql 방식을 이용할것
##############################################
환경: CentOS 5.8 / Snort 2.9.2
######기존snort삭제########################
make uninstall
###########################################
파일 다운로드 및 압축해제
# tar xvzf libpcap-1.2.1.tar.gz
# tar xvzf daq-0.6.2.tar.gz
# tar xvzf libdnet-1.12.tar.gz
# tar xvzf pcre-8.30.tar.gz
# tar xvzf snort-2.9.2.2.tar.gz
# cd libpcap-1.2.1
# ./configure
# make
# make install
# cd /usr/lib64/
# rm libpcap.so
# rm libpcap.so.0
# rm libpcap.so.0.9
# ln -s /usr/local/lib/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1.2.1
# ln -s /usr/lib64/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1
# ln -s /usr/lib64/libpcap.so.1 /usr/lib64/libpcap.so
# cd daq-0.6.2
# ./configure
# make
# make install
# cd pcre-8.30
# ./configure
# make
# make install
# cd libdnet-1.12
# ./configure
# make
# make install
# cd snort-2.9.2.2
# ./configure -with-mysql-libraries=/usr/lib64/mysql/ -enable-dynamicplugin -enable-zlib -enable-ipv6 -enable-sourcefire
# make
# make install
중간확인해보기
# Print version and linked library versions (libpcap, PCRE, zlib) to confirm
# the build picked up the libraries installed above.
snort --version
,,_ -*> Snort! <*-
o" )~ Version 2.9.2.2 IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.2.1
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.3
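# Dedicated unprivileged account for the sensor, with no login shell.
groupadd snort
useradd -g snort snort -s /sbin/nologin
# -p makes the steps re-runnable instead of failing on an existing directory.
mkdir -p /etc/snort/rules /etc/snort/so_rules /etc/snort/preproc_rules
mkdir -p /var/log/snort
# The snort user must be able to write alerts/logs here; this only pays off
# if snort is later started with '-u snort -g snort' so it drops to that
# account after initialisation (the test run on this page omits both flags).
chown snort:snort /var/log/snort
mkdir -p /usr/local/lib/snort_dynamicrules
# The default config files ship in the snort source tree's etc/ directory;
# this assumes the current directory is still the unpacked snort-2.9.2.2 source.
cd etc/ && cp -- * /etc/snort/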
####룰파일 다운로드/적용(snort공홈)###########################
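# Rules snapshot from snort.org. Check the archive against the checksum on the
# download page before unpacking; nothing here verifies it.
tar xvzf snortrules-snapshot-2921.tar.gz
# Copy from the extraction directory instead of cd'ing into rules/ and using
# ../ paths, so the current directory is unchanged afterwards.
cp -- rules/* /etc/snort/rules
# Precompiled SO rules are built against a specific Snort version: this
# snapshot (2921) targets 2.9.2.1 while the sensor built above is 2.9.2.2.
# They may fail to load if the ABI differs — watch 'snort -T' output and
# prefer the snapshot that matches the installed version.
cp -- so_rules/precompiled/Centos-5-4/x86-64/2.9.2.1/* /etc/snort/so_rules
cp -- preproc_rules/* /etc/snort/preproc_rules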
***/etc/snort/snort.conf설정은 알아서 바꾸시고....
##PF_RING설치##############################
필요한 프로그램 다운로드 및 설치 (./configure & make & make install)
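# Build tooling needed to regenerate the PF_RING DAQ module's build system
# (autoreconf below). Each one is a plain configure / make / make install;
# the subshell keeps the current directory unchanged between packages.
for archive in autoconf-2.69.tar.gz automake-1.9.tar.gz libtool-2.4.tar.gz; do
  tar zxvf "$archive"
  (cd "${archive%.tar.gz}" && ./configure && make && make install)
done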
PF_RING다운로드 / 압축해제
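# Kernel side of PF_RING. Out-of-tree module: it presumably needs headers
# matching the running kernel (kernel-devel) — confirm on the build host.
cd PF_RING/kernel && make && make install
# insmod loads the module for the current boot only; it is not reloaded
# after a reboot unless the module is added to the distro's module autoload
# configuration. Confirm it is present before building the userland pieces.
insmod ./pf_ring.ko
lsmod | grep pf_ring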
***커널에 모듈이 올라왔는지 확인
***lsmod |grep pf_ring
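# Userland libpfring. The transcript's 'cd lib' is relative to the PF_RING
# userland sources; the page does not show the cd back out of kernel/ —
# TODO confirm the path before running.
cd lib && ./configure && make && make install
# Expected result: /usr/local/lib/libpfring.so exists.
[ -e /usr/local/lib/libpfring.so ] || printf '%s\n' 'libpfring.so not found in /usr/local/lib' >&2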
***/usr/local/lib/libpfring.so파일이 생겼는지 확인
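# PF_RING DAQ module for Snort. 'snort/pfring-daq-module' is relative to the
# PF_RING userland tree (same caveat as 'cd lib' above). autoreconf regenerates
# configure with the autotools installed earlier; the chain stops on the first
# failing step instead of running 'make install' on a broken build.
cd snort/pfring-daq-module && autoreconf -ivf && ./configure && make && make install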
##Snort동작 확인#########################################
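# Config test run (-T) with the PF_RING DAQ on eth9. -u/-g drop to the
# unprivileged account created earlier once initialisation is done (snort
# still starts as root to open the ring); without them the sensor keeps
# running as root, which the original command did.
snort --daq-dir=/usr/local/lib/daq --daq pfring -i eth9 -c /etc/snort/snort.conf -T -u snort -g snort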
참고
http://kezhong.wordpress.com/2012/04/07/install-snort-2-9-2-2-on-centos5-8x86_64/