5.8.1--实例——使用Snort进行入侵检测

5.8.1实例——使用Snort进行入侵检测1．实验环境实验环境如图5.48所示：图5.48实验环境2．实验步骤第1步：在192.168.10.5上安装Snort。到上下载snort-2.8.0.2.tar.gz和snortrules-pr-2.4.tar.gz。安装Snort之前先下载并且安装libpcap-devel、pcre和pcre-devel。将snort-2.8.0.2.tar.gz解压后进入snort-2.8.0.2，然后依次执行如下命令：[root@localhostsnort-2.8.0.2]#./configure[root@localhostsnort-2.8.0.2]#make[root@localhostsnort-2.8.0.2]#makeinstall[root@localhostsnort-2.8.0.2]#mkdir-p/etc/snort/rules[root@localhostsnort-2.8.0.2]#cpetc/*.conf/etc/snort[root@localhostsnort-2.8.0.2]#cpetc/*.config/etc/snort[root@localhostsnort-2.8.0.2]#cpetc/unicode.map/etc/snort[root@localhostsnort-2.8.0.2]#mkdir/var/log/snort将snortrules-pr-2.4.tar.gz解压后，将其中的规则文件全部复制到/etc/snort/rules下。编辑/etc/snort/snort.conf文件，将“varRULE_PATH../rules”改为“varRULE_PATH/etc/snort/rules”。编辑/etc/snort/rules/icmp.rules文件，如图5.49所示。图5.49编辑/etc/snort/rules/icmp.rules文件第2步：在192.168.10.5上启动snort进行入侵检测，执行的命令如下：[root@localhost~]#snort-ieth1-c/etc/snort/snort.conf-Afast-l/var/log/snort/第3步：在192.168.10.1上的终端窗口中执行ping192.168.10.5命令，如图5.50所示，然后再使用端口扫描工具对192.168.10.5进行端口扫描，如图5.51所示。第4步：在192.168.10.5上分析检测数据，如图5.52所示，前4行对应与第3步的ping命令，第6行表明192.168.10.1对192.168.10.5进行了端口扫描。图5.50执行ping192.168.10.5命令图5.51对192.168.10.5进行端口扫描图5.52分析检测数据