Snort is an open source, lightweight intrusion detection system that monitors the network for abnormal traffic and reports it. Guardian is an iptables front end for Snort: it analyzes Snort's log file and, according to a set of criteria, automatically adds malicious IP addresses to the INPUT chain of iptables so that their packets are dropped.
Installation steps:

1. Download Snort and Guardian from:
   http://www.snort.org/dl/snort-2.3.0rc2.tar.gz
   http://www.snort.org/dl/contrib/other_tools/guardian/guardian-1.6.tar.gz
2. Install Snort:
* Copy the files above to /opt
* [root@game snort]# rpm -qa | grep pcre
  # Confirm that PCRE is installed; Snort depends on PCRE and will not compile without it. Expected output, for example:
  pcre-devel-3.9-10
  pcre-3.9-10
* tar zxvf snort-2.3.0rc2.tar.gz
* cd snort-2.3.0rc2
* ./configure
* make
* make install
* mkdir /etc/snort
* cd /etc/snort
* wget http://www.snort.org/dl/rules/snortrules-snapshot-current.tar.gz
* tar zxvf snortrules-snapshot-current.tar.gz
* mkdir /var/log/snort
* cd /etc
* cp /etc/snort/rules/snort.conf /etc
* vi /etc/snort.conf and change the key settings as follows:
    var HOME_NET yournetwork
    var RULE_PATH /etc/snort/rules
    preprocessor http_inspect: global iis_unicode_map /etc/snort/rules/unicode.map 1252
    include /etc/snort/rules/reference.config
    include /etc/snort/rules/classification.config
  For example: var HOME_NET 210.75.18.32/29
  You can also uncomment the line "include $RULE_PATH/local.rules" (remove the leading #) and put your own rules in that file.
* /usr/local/bin/snort -d -l /var/log/snort -c /etc/snort.conf &
* Add the previous command to /etc/rc.d/rc.local
3. Install Guardian (note: requires Perl)
* cd /opt
* tar zxvf guardian-1.6.tar.gz
* cd guardian-1.6
* echo > /etc/guardian.ignore
* cp guardian.pl /usr/local/bin/.
* cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
* cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
* cp guardian.conf /etc/.
* vi /etc/guardian.conf and set the following:
    HostGatewayByte 1
    # Guardian's own log file
    LogFile /var/log/guardian.log
    # The Snort alert file that Guardian reads
    AlertFile /var/log/snort/alert
* /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/guardian.conf &
* Add this command to /etc/rc.d/rc.local as well
At this point the setup is complete.
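As an added example (not part of the original post and not Guardian's own code), the following Python sketch shows the core of what Guardian does with the alert file configured above: it pulls source addresses from the packet lines of Snort's full-format alert file, skips anything inside HOME_NET or listed in guardian.ignore, and emits the iptables INPUT-chain DROP rule for each remaining offender. The alert entries and addresses are constructed, and the script only prints the commands instead of running them.

```python
"""Minimal model of Guardian's alert-file processing (added example, not Guardian itself)."""
import ipaddress
import re

# Constructed sample in Snort's "full" alert format; these are not real captures.
SAMPLE_ALERT = """\
[**] [1:1000001:1] CONSTRUCTED TEST RULE [**]
[Priority: 2]
03/12-10:15:22.123456 198.51.100.7:40212 -> 210.75.18.34:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60

[**] [1:1000001:1] CONSTRUCTED TEST RULE [**]
[Priority: 2]
03/12-10:15:23.000001 210.75.18.35 -> 210.75.18.34
ICMP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:84

[**] [1:1000002:1] CONSTRUCTED TEST RULE 2 [**]
[Priority: 1]
03/12-10:15:24.500000 203.0.113.9:1111 -> 210.75.18.33:22
TCP TTL:50 TOS:0x0 ID:3 IpLen:20 DgmLen:60
"""

# Packet line: timestamp, source[:port] -> destination[:port] (IPv4 only here).
PACKET_LINE = re.compile(
    r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?"
    r"\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)


def alert_sources(alert_text):
    """Yield the source IP of every packet line in a full-format alert file."""
    for line in alert_text.splitlines():
        m = PACKET_LINE.match(line)
        if m:
            yield m.group(1)


def block_commands(alert_text, home_net, ignore):
    """Return the iptables commands for each new offender, in alert order."""
    net = ipaddress.ip_network(home_net)
    ignored = {ipaddress.ip_address(i) for i in ignore}
    blocked, cmds = set(), []
    for src in alert_sources(alert_text):
        ip = ipaddress.ip_address(src)
        if ip in net or ip in ignored or ip in blocked:
            continue  # never block HOME_NET, the ignore list, or the same IP twice
        blocked.add(ip)
        cmds.append(f"/sbin/iptables -I INPUT -s {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    # HOME_NET as in the example above; 203.0.113.9 stands in for a guardian.ignore entry.
    for cmd in block_commands(SAMPLE_ALERT, "210.75.18.32/29", ["203.0.113.9"]):
        print(cmd)
```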
Notes:

1. The Snort rule files are updated frequently; the following script fetches them automatically:
    #!/bin/sh
    cd /etc/snort
    wget http://www.snort.org/dl/rules/snortrules-snapshot-current.tar.gz
    tar zxvf snortrules-snapshot-current.tar.gz
    exit 0
* Save the script above as SnortUpdate in /etc/cron.daily/ so the rules are refreshed once a day.
2. Guardian sometimes exits on its own; the following script takes care of that:
    #!/usr/bin/perl
    # Check whether guardian.pl is running and restart it if it is not.
    use strict;
    use warnings;
    use Proc::ProcessTable;

    my $found = 0;
    my $t = Proc::ProcessTable->new;
    my $g = "guardian.pl";
    foreach my $p (@{$t->table}) {
        next if $p->pid == $$;               # skip this checker itself
        if ($p->cmndline =~ m/\Q$g\E/) {
            $found = 1;
            last;
        }
    }
    if ($found == 1) {
        print "Guardian is alive!\n";
    } else {
        print "Guardian is dead!\n";
        print "Restart Guardian now...\n";
        # Started in the background, the same way as in the startup command above.
        system "/usr/local/bin/guardian.pl -c /etc/guardian.conf &";
    }
Save the script above as TestGuardian in /etc/cron.hourly/; it checks every hour whether Guardian is still alive and restarts it if it has died.
    chmod +x /etc/cron.hourly/TestGuardian
At the same time, edit /etc/crontab and add /usr/local/bin to its PATH.
Script: KillGuardian
    #!/usr/bin/perl
    # Kills the current guardian.pl process. Requires the Perl module
    # Proc::ProcessTable, which is available from http://www.cpan.org
    use strict;
    use warnings;
    use Proc::ProcessTable;

    my $t = Proc::ProcessTable->new;
    foreach my $p (@{$t->table}) {
        next if $p->pid == $$;               # never kill this script itself
        kill 9, $p->pid if $p->cmndline =~ /guardian\.pl/;
    }

Reference: http://bbs.chinaUnix.net/forum/viewtopic.php?t=484898&show_type=&postdays=0&postorder=asc&Start=0