這是以 LOG 分析為基礎的 IDS
原廠網址
http://sagan.quadrantsec.com/
//******紀錄安裝步驟*********//
//套件
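# Build and runtime dependencies from the distro repositories.
# The original note wrapped this command over several lines without
# continuation backslashes (so only the first line was a valid command)
# and pasted the last line twice; this is the single de-duplicated command.
# NOTE(review): the versioned package names (mysql-server-5.5,
# libmysqlclient15-dev, libpcap0.8-dev) are tied to the distro release the
# author used — confirm they exist on the target release before running.
apt-get -y install \
  flex bison gcc g++ libesmtp-dev libpcap0.8-dev make \
  libpcre3-dev libpcre3 liblognorm0 liblognorm-dev libdumbnet1 libdumbnet-dev \
  mysql-server-5.5 mysql-client-5.5 libmysqlclient15-dev || exit 1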
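# libdnet 1.12 from source.  The tarball must already be in the current
# directory; the page does not show where it was downloaded from, so verify
# its origin before unpacking it as root.
# The build runs in a subshell so the cd does not leak into later steps —
# as the note was written, the next tarball would have been extracted
# inside libdnet-1.12/ instead of the working directory.
tar zxvf libdnet-1.12.tgz || exit 1
(
  cd libdnet-1.12 || exit 1
  ./configure && make && make install
) || exit 1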
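# libpcap 1.3.0 from source, installed under /usr/local by make install.
# NOTE(review): libpcap0.8-dev is also installed from apt on this page, so
# two copies of the library end up on the host; which one Sagan's configure
# step links against is decided by the --with-libpcap-libraries path given
# later — confirm the two agree.
# Subshell for the same reason as the libdnet step: keep the caller's cwd.
tar zxvf libpcap-1.3.0.tar.gz || exit 1
(
  cd libpcap-1.3.0 || exit 1
  ./configure && make && make install
) || exit 1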
//主程式
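# Sagan 0.3.0 itself.  Stop on the first failing step instead of running
# make install on a half-configured tree.
# NOTE(review): --build=x86_64-unknown-linux is combined with
# /usr/lib/i386-linux-gnu/ library paths; one of the two probably does not
# match the host — check `dpkg --print-architecture` before running this.
tar zxvf sagan-0.3.0.tar.gz || exit 1
(
  cd sagan-0.3.0 || exit 1
  ./configure \
    --with-mysql-libraries=/usr/lib/i386-linux-gnu/ \
    --disable-postgresql \
    --disable-prelude \
    --disable-lognorm \
    --with-libpcap-libraries=/usr/lib/i386-linux-gnu/ \
    --build=x86_64-unknown-linux \
    && make && make install
) || exit 1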
******************************************************
# Edit rsyslog.conf by hand and add the two lines shown below (the original
# note had the comments and both directives collapsed onto one line).
# The template is the message "format" Sagan understands and must stay on
# ONE line inside rsyslog.conf; the second directive sends every message
# (*.*) through the named pipe that Sagan reads.
# NOTE(review): nothing on this page creates /var/run/sagan.fifo (no mkfifo
# appears anywhere) — confirm what creates it before rsyslog is restarted,
# since rsyslog presumably has nowhere to write until it exists.
vi /etc/rsyslog.conf
# --- add to /etc/rsyslog.conf ---
# The standard "input" template Sagan uses. Basically the message 'format' Sagan understands. The template is _one_ line.
# $template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"
# The FIFO/named pipe location. This is what Sagan will read.
# *.* |/var/run/sagan.fifo;sagan
# --- end of addition ---
******************************************************
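# Restart rsyslog so the Sagan template and the FIFO output take effect.
# A failed restart would leave Sagan with no input at all, so stop here
# rather than continue with the remaining steps.
# NOTE(review): on this page the restart comes before the sagan account and
# FIFO ownership steps below; confirm the FIFO exists and is writable by
# rsyslog at this point, otherwise restart again after those steps.
/etc/init.d/rsyslog restart || exit 1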
//****useradd sagan --shell /sbin/nologin --home /****//
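# Runtime paths for the sagan service account.  The account is created just
# above this step (useradd sagan --shell /sbin/nologin --home /).
# NOTE(review): on Debian/Ubuntu the nologin shell lives at /usr/sbin/nologin;
# check `command -v nologin` before relying on /sbin/nologin.
# The original note repeated every command twice (and the FIFO chown four
# times); this is the de-duplicated set.  mkdir -p keeps the step re-runnable.
# NOTE(review): the FIFO is written by rsyslog (root) and read by sagan, so
# its mode needs to admit only those two — the page sets ownership but
# never a mode; confirm it is not group/world writable after this step.
mkdir -p /var/log/sagan /var/run/sagan || exit 1
chown -R sagan:sagan /var/log/sagan /var/run/sagan || exit 1
chown sagan:sagan /var/run/sagan.fifo || exit 1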
//****rules****//
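# Fetch and unpack the current rule set.  The original note ran wget and tar
# on a single line; they are two separate commands.
# NOTE(review): the download is plain http and the page gives no checksum or
# signature for the archive.  The rules decide what the IDS alerts on, so
# verify the archive against whatever integrity data the vendor publishes
# before installing it.
wget http://sagan.quadrantsec.com/rules/sagan-rules-current.tar.gz || exit 1
tar zxvf sagan-rules-current.tar.gz || exit 1
# NOTE(review): the archive is extracted into the current directory above,
# while the rules directory is created under /usr/local/etc; the page does
# not show the rules being moved there — confirm the intended layout.
mkdir -p /usr/local/etc/sagan-rules || exit 1
cd /usr/local/etc/sagan-rules || exit 1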