• 操作系统： Windows 7 (service pack 1)
• 所需软件：
  • 虚拟机：VirtualBox
  • 网络数据包截取驱动程序：WinPcap 4.1.3 (WinPcap_4_1_3.exe)
  • Windows版本的Snort安装包：Snort 2.8.6 for Win32 (Snort_2_8_6_Installer.exe)
  • 官方认证Snort规则库：snortrules-snapshot-2860.tar.gz
  • 数据库组件及分析平台：AppServ 8.6.0 (appserv-win32-8.6.0.exe)
  • WEB前端：Basic Analysis and Security Engine 1.4.5 (base-1.4.5.tar.gz)

由于我们建立的是测试环境，所有的组件安装都在一台机器上完成。

---

安装前的准备

• 安装虚拟机virtualbox，过程比较简单，此处略过。

• 导入虚拟电脑

  
  
  ?

  

  打开virtualbox，点击左上角管理，然后选择导入虚拟电脑

---

部署过程

WinPcap安装过程非常简单，此处略过。

Snort的安装和配置

var RULE_PATH c:snortrules var SO_RULE_PATH c:snortso_rules var PREPROC_RULE_PATH c:snortpreproc_rules 

# path to dynamic preprocessor libraries dynamicpreprocessor directory c:snortlibsnort_dynamicpreprocessor # path to base preprocessor engine dynamicengine c:snortlibsnort_dynamicenginesf_engine.dll 

preprocessor http_inspect: global iis_unicode_map c:snortetcunicode.map 1252 

output database: alert,mysql,user=snort password=snort dbname=snortdb host=localhost

include $RULE_PATH/snmp.rules include $RULE_PATH/icmp.rules include $RULE_PATH/tftp.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/policy.rules include $RULE_PATH/info.rules include $RULE_PATH/icmp-info.rules include $RULE_PATH/virus.rules include $RULE_PATH/chat.rules include $RULE_PATH/multimedia.rules include $RULE_PATH/p2p.rules include $RULE_PATH/spyware-put.rules include $RULE_PATH/specific-threats.rules include $RULE_PATH/voip.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/bad-traffic.rules # decoder and preprocessor event rules include $PREPROC_RULE_PATH/preprocessor.rules include $PREPROC_RULE_PATH/decoder.rules # dynamic library rules include $SO_RULE_PATH/bad-traffic.rules include $SO_RULE_PATH/chat.rules include $SO_RULE_PATH/dos.rules include $SO_RULE_PATH/exploit.rules include $SO_RULE_PATH/imap.rules include $SO_RULE_PATH/misc.rules include $SO_RULE_PATH/multimedia.rules include $SO_RULE_PATH/netbios.rules include $SO_RULE_PATH/nntp.rules include $SO_RULE_PATH/p2p.rules include $SO_RULE_PATH/smtp.rules include $SO_RULE_PATH/sql.rules include $SO_RULE_PATH/web-activex.rules include $SO_RULE_PATH/web-client.rules include $SO_RULE_PATH/web-misc.rules 

---

AppServ安装和配置

---

在MySql中创建snortdb和snortarc，以及所需数据表

mysql> create database snortdb;  mysql> create database snortarc;  mysql> use snortdb;  mysql> source c:snortschemascreate_mysql  mysql> use snortarc;  mysql> source c:snortschemascreate_mysql  mysql> grant usage on *.* to "snort"@"localhost" identified by "snort";  mysql> grant select,insert,update,delete,create,alter on snortdb .* to "snort"@"localhost";  mysql> grant select,alter on snortarc .* to "snort"@"localhost";  mysql> set password for "snort"@"localhost"=password(‘snort‘); 

---

配置base

在命令行输入以下命令，使snort工作在网络监测系统模式，并在另一台主机用nmap扫描该主机，则可以在base界面看到统计信息，如下图所示。

c:snortbinsnort -i1 -dev -c c:snortetcsnort.conf -l c:snortlog 

如果运行snort出现以下错误，则按图中步骤进行操作：

至此，windows环境下的snort+base入侵检测系统搭建完毕！