Intrusion detection systems with Snort and Suricata

2022-03-31 19:31:48  Views: 235  Source: Internet



1. Platform environment setup

1.1 Helper programs flex and bison

1.1.1 flex

https://github.com/westes/flex

./autogen.sh
./configure && make && make install

Problem encountered during installation

yan@ubuntu:~/Works/flex-master$ ./autogen.sh LIBTOOLIZE=/path/to/libtoolize
error: libtoolize not working, re-run with LIBTOOLIZE=/path/to/libtoolize
      LIBTOOLIZE is currently ""

Fix

sudo apt install mlocate
sudo apt install libtool

Verify the environment

$locate libtool
/snap/gnome-3-38-2004/99/usr/bin/libtool
/snap/gnome-3-38-2004/99/usr/bin/libtoolize
/snap/gnome-3-38-2004/99/usr/lib/x86_64-linux-gnu/gobject-introspection/giscanner/libtoolimporter.py
/snap/gnome-3-38-2004/99/usr/share/libtool
/snap/gnome-3-38-2004/99/usr/share/aclocal/libtool.m4
/snap/gnome-3-38-2004/99/usr/share/gtksourceview-3.0/language-specs/libtool.lang
/snap/gnome-3-38-2004/99/usr/share/gtksourceview-4/language-specs/libtool.lang
/snap/gnome-3-38-2004/99/usr/share/info/libtool.info
/snap/gnome-3-38-2004/99/usr/share/info/libtool.info-1
/snap/gnome-3-38-2004/99/usr/share/info/libtool.info-2
/snap/gnome-3-38-2004/99/usr/share/libtool/COPYING.LIB
/snap/gnome-3-38-2004/99/usr/share/libtool/Makefile.am
/snap/gnome-3-38-2004/99/usr/share/libtool/Makefile.in
/snap/gnome-3-38-2004/99/usr/share/libtool/README
/snap/gnome-3-38-2004/99/usr/share/libtool/aclocal.m4
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux
/snap/gnome-3-38-2004/99/usr/share/libtool/config-h.in
/snap/gnome-3-38-2004/99/usr/share/libtool/configure
/snap/gnome-3-38-2004/99/usr/share/libtool/configure.ac
/snap/gnome-3-38-2004/99/usr/share/libtool/ltdl.mk
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/compile
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/config.guess
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/config.sub
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/depcomp
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/install-sh
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/ltmain.sh
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/missing
/usr/share/gtksourceview-4/language-specs/libtool.lang

Running it still fails

./autogen.sh 
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: linking file 'build-aux/config.guess'
libtoolize: linking file 'build-aux/config.sub'
libtoolize: linking file 'build-aux/install-sh'
libtoolize: linking file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: linking file 'm4/libtool.m4'
libtoolize: linking file 'm4/ltoptions.m4'
libtoolize: linking file 'm4/ltsugar.m4'
libtoolize: linking file 'm4/ltversion.m4'
libtoolize: linking file 'm4/lt~obsolete.m4'
Can't exec "autopoint": 没有那个文件或目录 at /usr/share/autoconf/Autom4te/FileUtils.pm line 345.
autoreconf: failed to run autopoint: No such file or directory
autoreconf: autopoint is needed because this package uses Gettext

Fix

sudo apt install -y autopoint

Successful run

$ ./autogen.sh 
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: linking file 'build-aux/config.guess'
libtoolize: linking file 'build-aux/config.sub'
libtoolize: linking file 'build-aux/install-sh'
libtoolize: linking file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: linking file 'm4/libtool.m4'
libtoolize: linking file 'm4/ltoptions.m4'
libtoolize: linking file 'm4/ltsugar.m4'
libtoolize: linking file 'm4/ltversion.m4'
libtoolize: linking file 'm4/lt~obsolete.m4'
Copying file ABOUT-NLS
Copying file build-aux/config.rpath
Copying file m4/codeset.m4
Copying file m4/extern-inline.m4
Copying file m4/fcntl-o.m4
Copying file m4/gettext.m4
Copying file m4/glibc2.m4
Copying file m4/glibc21.m4
Copying file m4/iconv.m4
Copying file m4/intdiv0.m4
Copying file m4/intl.m4
Copying file m4/intldir.m4
Copying file m4/intlmacosx.m4
Copying file m4/intmax.m4
Copying file m4/inttypes-pri.m4
Copying file m4/inttypes_h.m4
Copying file m4/lcmessage.m4
Copying file m4/lib-ld.m4
Copying file m4/lib-link.m4
Copying file m4/lib-prefix.m4
Copying file m4/lock.m4
Copying file m4/longlong.m4
Copying file m4/nls.m4
Copying file m4/po.m4
Copying file m4/printf-posix.m4
Copying file m4/progtest.m4
Copying file m4/size_max.m4
Copying file m4/stdint_h.m4
Copying file m4/threadlib.m4
Copying file m4/uintmax_t.m4
Copying file m4/visibility.m4
Copying file m4/wchar_t.m4
Copying file m4/wint_t.m4
Copying file m4/xsize.m4
Copying file po/Makefile.in.in
Copying file po/Makevars.template
Copying file po/Rules-quot
Copying file po/boldquot.sed
Copying file po/en@boldquot.header
Copying file po/en@quot.header
Copying file po/insert-header.sin
Copying file po/quot.sed
Copying file po/remove-potcdate.sin
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:31: installing 'build-aux/compile'
configure.ac:33: installing 'build-aux/missing'
doc/Makefile.am:5: installing 'build-aux/mdate-sh'
doc/Makefile.am:5: installing 'build-aux/texinfo.tex'
src/Makefile.am: installing 'build-aux/depcomp'
configure.ac: installing 'build-aux/ylwrap'
parallel-tests: installing 'build-aux/test-driver'

A more convenient method found later

sudo apt install flex

1.1.2 bison

http://ftp.gnu.org/gnu/bison/

Downloaded bison 3.8 and later found installing it very tedious: it only contains Makefile.in and Makefile.am, so a Makefile has to be built from those two files. A simpler method was therefore adopted afterwards.

sudo apt install bison
bison --version
bison (GNU Bison) 3.5.1

1.2 Snort

Snort - Network Intrusion Detection & Prevention System

wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.19.tar.gz

tar xvzf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure && make && sudo make install

tar xvzf snort-2.9.19.tar.gz
cd snort-2.9.19
./configure --enable-sourcefire && make && sudo make install

1.2.1 Error during the daq-2.0.7 installation

ERROR!  Libpcap library version >= 1.0.0 not found.
  Get it from http://www.tcpdump.org

The following attempted fix failed

wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
tar xvfz libpcap-1.0.0.tar.gz
cd libpcap-1.0.0/
./configure
make
make install

During later exploration, an arm64 build of libpcap was found

https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/libpcap-dev_1.9.1-3_arm64.deb.html

This could serve as the base build platform for domestic (Chinese) processor architectures

On Ubuntu 20.04 the fix used here was

sudo apt-get install libpcap-dev

1.2.2 Errors during the snort-2.9.19 installation

Error 1:

ERROR!  Libpcre header not found.
  Get it from http://www.pcre.org

Fix

sudo apt-get install libpcre3-dev

Problem solved

Error 2:

ERROR!  dnet header not found, go get it from
  http://code.google.com/p/libdnet/ or use the --with-dnet-*
  options, if you have it installed in an unusual place
make: *** 没有指明目标并且找不到 makefile。 停止。

Download the dnet source from https://github.com/dugsong/libdnet/releases and build it

./configure
make
sudo make install

Problem solved

Error 3:

ERROR!  zlib header not found, go get it from
  http://www.zlib.net

Fix

sudo apt-get install zlib1g-dev

Problem solved

Error 4:

ERROR!  LuaJIT library not found. Go get it from http://www.luajit.org/ (or)
  Try compiling without openAppId using '--disable-open-appid'
configure: error: "Fatal!"

Fix

./configure --disable-open-appid && make && sudo make install

1.3 Installing Suricata on Ubuntu

Installation - Suricata 4.1.0-dev documentation (suricatacn.readthedocs.io)

https://suricatacn.readthedocs.io/zh_CN/latest/index.html

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

1.4 Installing AC (Aho-Corasick; Snort has it built in)

morenice/ahocorasick: C implementation Aho-Corasick string matching (github.com)

$ mkdir build; cd build
$ cmake ..
$ make
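Snort's detection engine uses Aho-Corasick-family matchers (the `search-method ac-*` settings in snort.conf) to find every rule `content` string in a payload in a single pass. The following is an added example, not code from the morenice/ahocorasick project or from Snort; the pattern list and the two HTTP payloads are constructed sample data.

```python
from collections import deque

class AhoCorasick:
    def __init__(self, patterns):
        self.goto = [{}]   # goto[state][byte] -> next state
        self.out = [[]]    # out[state] -> patterns ending in this state
        self.fail = [0]    # fail[state] -> state of the longest proper suffix that is a prefix
        for p in patterns:
            self._insert(p)
        self._link_failures()

    def _insert(self, pattern):
        state = 0
        for b in pattern:
            if b not in self.goto[state]:
                self.goto.append({}); self.out.append([]); self.fail.append(0)
                self.goto[state][b] = len(self.goto) - 1
            state = self.goto[state][b]
        self.out[state].append(pattern)

    def _link_failures(self):
        # Breadth-first, so a state's (shallower) failure target is finished before it
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]  # inherit shorter suffix matches
                queue.append(s)

    def search(self, data):
        """One pass over data; returns (start_offset, pattern) for every occurrence."""
        state, hits = 0, []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.extend((i - len(p) + 1, p) for p in self.out[state])
        return hits

# Constructed sample data (not from a real capture): Snort-style 'content' strings
CONTENT_PATTERNS = [b"cmd.exe", b"/etc/passwd", b"passwd"]
SAMPLE_PAYLOAD = b"GET /x?file=../../etc/passwd HTTP/1.1\r\n"
# URL-encoded variant a raw byte matcher misses; Snort's http_inspect normalises HTTP first
ENCODED_PAYLOAD = b"GET /x?file=..%2f..%2fetc%2fp%61sswd HTTP/1.1\r\n"

def match_payload(payload=SAMPLE_PAYLOAD, patterns=CONTENT_PATTERNS):
    return AhoCorasick(patterns).search(payload)  # -> [(17, b'/etc/passwd'), (22, b'passwd')]
```

Overlapping patterns are both reported at the same end offset because the output list of each state inherits the outputs of its failure state.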

2. IDS: intrusion detection system

2.1 Snort configuration (this part draws on the blog posts https://www.cnblogs.com/thresh/p/12019466.html and https://www.cnblogs.com/jake-jin/p/14221593.html)

$ snort -V

  ,,_     -*> Snort! <*-
o" )~   Version 2.9.19 GRE (Build 85)
  ''''   By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
          Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
          Copyright (C) 1998-2013 Sourcefire, Inc., et al.
          Using libpcap version 1.9.1 (with TPACKET_V3)
          Using PCRE version: 8.39 2016-06-14
          Using ZLIB version: 1.2.11

Snort setup

Basic configuration: for security reasons Snort should run as an unprivileged user, so create a snort user and group

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

Create the files and directories Snort needs

# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create the log directories
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# Change directory ownership
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Copy the files shipped with Snort into the directories just created

cd ~/Works/snort-2.9.19/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/Works/snort-2.9.19/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

Edit the Snort configuration file (this comments out every rule include so they can be re-enabled selectively)

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

Modify snort.conf (gedit is used here)
sudo gedit /etc/snort/snort.conf

Configure network information

ipvar HOME_NET 192.168.153.134

Storage location configuration

var RULE_PATH /etc/snort/rules                    # around line 104
var SO_RULE_PATH /etc/snort/so_rules              # around line 105
var PREPROC_RULE_PATH /etc/snort/preproc_rules    # around line 106
var WHITE_LIST_PATH /etc/snort/rules/iplists      # around line 113
var BLACK_LIST_PATH /etc/snort/rules/iplists      # around line 114

Enable the rules file

include $RULE_PATH/local.rules      # uncomment this line, around line 546
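The sed command above disables every `include $RULE_PATH/...` line and only local.rules is re-enabled by hand, so it is worth checking what the edited file actually activates before running `snort -T`. This added example (not part of the original post or of Snort) parses the `var`/`ipvar` definitions and the surviving `include` lines of a constructed snort.conf excerpt and flags two defender-relevant problems: a HOME_NET of `any` and includes that reference an undefined variable.

```python
import re

# Constructed excerpt of /etc/snort/snort.conf after the edits above (sample, not the real file)
SAMPLE_CONF = """\
ipvar HOME_NET 192.168.153.134
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
#include $RULE_PATH/attack-responses.rules
include $RULE_PATH/local.rules
#include $RULE_PATH/web-cgi.rules
"""

def expand(value, vars_):
    # $NAME -> earlier definition; undefined names are left as-is so the checks can report them
    return re.sub(r"\$(\w+)", lambda m: vars_.get(m.group(1), m.group(0)), value)

def parse_conf(text):
    """Return (variables, active_includes); includes are returned with $VAR references expanded."""
    vars_, includes = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):        # comments, including the sed-disabled includes
            continue
        m = re.match(r"^(?:ip|port)?var\s+(\w+)\s+(.+)$", line)
        if m:
            vars_[m.group(1)] = expand(m.group(2), vars_)
            continue
        m = re.match(r"^include\s+(\S+)$", line)
        if m:
            includes.append(expand(m.group(1), vars_))
    return vars_, includes

def check_conf(text):
    """Findings to resolve before 'snort -T': HOME_NET must be explicit and every include must resolve."""
    vars_, includes = parse_conf(text)
    findings = []
    if vars_.get("HOME_NET", "any") == "any":
        findings.append("HOME_NET is 'any': every host is treated as internal, weakening rule scoping")
    findings += [f"include uses undefined variable: {inc}" for inc in includes if "$" in inc]
    if not includes:
        findings.append("no rule files are included; nothing will alert")
    return findings   # [] for SAMPLE_CONF
```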

2.2 Snort test

sudo snort -T -c /etc/snort/snort.conf -i ens33   # ens33 is the network interface; check with ifconfig
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33   # -A needs an alert mode; -i selects the interface (-t would chroot)

Source: https://www.cnblogs.com/DrinkTeaJustACup/p/16083656.html