HYPERLINK"http://www.boobooke.com/bbs/forumdisplay.php?fid=5&filter=type&typeid=4"[资料]Linux下入侵检测系统(snort+guardian)HYPERLINK"http://www.boobooke.com/bbs/tag-Linux.html"\t"_blank"Linux,HYPERLINK"http://www.boobooke.com/bbs/tag-guardian.html"\t"_blank"guardian,HYPERLINK"http://www.boobooke.com/bbs/tag-snort.html"\t"_blank"snort,HYPERLINK"http://www.boobooke.com/bbs/tag-%C8%EB%C7%D6%BC%EC%B2%E2%CF%B5%CD%B3.html"\t"_blank"入侵检测系统文章来源:原创作者:没长叶子的树2007-05-09HYPERLINK"http://www.pcmag.com.cn/solution"\t"_blank"http://www.pcmag.com.cn/solution...05/51003176_3.shtml入侵检测▲构建小型入侵检测系统libpcap下载地址:HYPERLINK"http://download.chinaunix.net/download/0006000/5971.shtml"\t"_blank"http://download.chinaunix.net/download/0006000/5971.shtmlSnort:下载地址:HYPERLINK"http://www.snort.org/dl/current/snort-2.6.1.3.tar.gz"\t"_blank"http://www.snort.org/dl/current/snort-2.6.1.3.tar.gzguardian下载地址:HYPERLINK"http://www.snort.org/dl/contrib/"\t"_blank"http://www.snort.org/dl/contrib/...guardian-1.6.tar.gzpcre下载地址:HYPERLINK"http://sourceforge.net/project/s"\t"_blank"http://sourceforge.net/project/s...p;release_id=472551安装:①解压libpcap包,并进入解压出来的目录,执行./configure②执行make;makeinstall命令编译并安装③执行updatedb;locatelibpcap命令,如果有信息返回,则说明libpcap安装成功,如果没有则说明安装未成功,需要重新安装.④解压pcre包,并在解压出的目录中执行./configure;make;makeinstall安装.⑤解压snort包并进入其目录,执行./configure⑥执行make;makeinstall安装snort.注意:在执行snort的./configure时,可以使用--enable-smbalerts选项,该选项可以通过SAMBA把snort的报警消息发送到Windows主机。配置snort:①在解压出来的snort目录下执行cpetc/snort.conf/etc②在解压出来的snort目录下执行mkdir/etc/snort.③在HYPERLINK"http://www.snort.org/pub-bin/downloads.cgi"\t"_blank"http://www.snort.org/pub-bin/downloads.cgi下载snort规则文件,并将其放在/etc/snort目录下,并对其解包.注意:snort规则需下载注册用户的.④执行mkdir/var/log/snort命令,创建snort日志目录⑤vi/etc/snort.conf文件,跳到第26行,放开varHOME_NET字段,并在后面按原来的格式填上要监控的网段.⑥跳到114行,找到varRULE_PATH字段,并在其后面填上完整的snort规则存放路径,这里为/etc/snort/rules.⑦跳到第476行,iis_unicode_map字段,在其后面写上/etc/snort/rules/unicode.map1252⑧跳到第905行,找到includeclassification.config项,将其改为:include/etc/snort/rules/