Snort-Inline + Apache + Base + MySQL
Write the detection results to a database and browse them with BASE through the web
[1]. snort_inline must be compiled with MySQL database support
./configure --with-mysql
[Q1]: ./configure --with-mysql
..
**********************************************
ERROR: unable to find mysql headers (mysql.h)
checked in the following places
/usr/include
/usr/include/mysql
/usr/local/include
/usr/local/include/mysql
**********************************************
[A1]: Install mysql-devel
[2]. Create the MySQL database
echo "CREATE DATABASE snort;" | mysql -u root -p
Add the administrative user "snort" for the snort database
and grant that user privileges on it
mysql> GRANT ALL PRIVILEGES ON snort.* TO snort@localhost IDENTIFIED BY '123456';
phpMyAdmin can also be used to create the database, the user and the privileges
[3]. Import the snort tables into the snort database
cd snort_inline-2.4.4-RC5/schemas
mysql -D snort -u root -p < ./create_mysql
Import the BASE tables into the snort database
mysql snort -u root -p < base/sql/create_base_tbls_mysql.sql
[4]. vi snort_inline.conf
output database: log, mysql, dbname=snort user=snort host=localhost password=123456
[5]. vi base_conf.php
$DBlib_path = "/var/www/adodb";
$DBtype = "mysql";
$alert_dbname = "base";
$alert_host = "localhost";
$alert_user = "base";
$alert_password = "base";
/* Archive DB connection parameters */ # the web UI then offers "Use Archive Database"
$archive_exists = '1'; # Set this to 1 if you have an archive DB
$archive_dbname = 'base';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'base';
$archive_password = 'base';
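The Snort output line in step [4] and the $alert_* settings in step [5] must point at the same database and host, otherwise BASE shows nothing. As an added check, not part of the original page, this Python script parses both fragments (the sample text below is constructed from the values shown above) and reports the fields that disagree:

```python
import re

# Constructed sample inputs, copied from the values shown in steps [4] and [5].
SNORT_OUTPUT_LINE = (
    "output database: log, mysql, dbname=snort user=snort "
    "host=localhost password=123456"
)
BASE_CONF_PHP = """
$DBtype = "mysql";
$alert_dbname = "base";
$alert_host = "localhost";
$alert_user = "base";
$alert_password = "base";
"""


def parse_snort_output(line):
    """Return the parameters of a Snort 'output database: <facility>, <dbtype>, k=v ...' line."""
    m = re.match(r"^output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not an 'output database:' line")
    params = dict(kv.split("=", 1) for kv in m.group(3).split())
    params["facility"], params["dbtype"] = m.group(1), m.group(2)
    return params


def parse_base_conf(text):
    """Return the $alert_* and $DBtype settings from base_conf.php, whatever the quote style."""
    pat = re.compile(r"""^\s*\$(alert_\w+|DBtype)\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)
    return dict(pat.findall(text))


def find_mismatches(snort_params, base_conf):
    """Fields that must agree between the two files; the DB user may legitimately differ."""
    pairs = [("dbname", "alert_dbname"), ("host", "alert_host"), ("dbtype", "DBtype")]
    return [(s, snort_params.get(s), base_conf.get(b))
            for s, b in pairs if snort_params.get(s) != base_conf.get(b)]


if __name__ == "__main__":
    problems = find_mismatches(parse_snort_output(SNORT_OUTPUT_LINE),
                               parse_base_conf(BASE_CONF_PHP))
    for field, s_val, b_val in problems:
        print(f"mismatch on {field}: snort_inline.conf={s_val!r} base_conf.php={b_val!r}")
```

With the values from this page the script reports that snort writes to dbname=snort while base_conf.php reads from "base"; BASE only shows the alerts once both name the database the tables were imported into in step [3].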
[6]. Browse
http://xxx/base
The figure below shows the log viewed from a text interface
The figure below shows the log viewed from the BASE interface
Improving BASE performance
Reason: browsing the pages is slow
Cause: every refresh copies snort's data into BASE's own tables, and as the volume of event data grows the event cache has to be updated at fixed intervals
[1.] Install lynx
[2.] Command
/usr/bin/lynx -source http://localhost/base_maintenance.php?submit=Update+Alert+Cache
[3.] Schedule it
vi /etc/crontab
*/5 * * * * root /usr/bin/lynx -source http://localhost/base/base_maintenance.php?submit=Update+Alert+Cache > /dev/null
[4.] With the scheduled job in place, BASE no longer needs to update the cache automatically
vi base_config.php
$event_cache_auto_update = 0;
DNS and Whois cache
/usr/bin/lynx -source http://localhost/base/base_maintenance.php?submit=Update+IP+Cache
/usr/bin/lynx -source http://localhost/base/base_maintenance.php?submit=Update+Whois+Cache
ref: http://www.andrew.cmu.edu/user/rdanyliw/snort/acid_faq.html