sudo apt-get update -y
sudo apt-get dist-upgrade -y
sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
sudo apt-get install -y build-essential bison flex
 
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev libnghttp2-dev
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl libwww-perl 
 
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update -y
sudo apt-get install -y apache2 libapache2-mod-php5.6 php5.6 php5.6-common php5.6-gd php5.6-cli php5.6-xml php5.6-mysql
sudo apt-get install -y php-pear libphp-adodb

wget https://www.snort.org/downloads/archive/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/archive/snort/snort-2.9.9.0.tar.gz
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
wget https://github.com/shirkdog/pulledpork/archive/v0.7.3.tar.gz -O pulledpork-v0.7.3.tar.gz
wget https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.8.tar.gz
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
sudo make
sudo make install

tar -xvzf snort-2.9.9.tar.gz
cd snort-2.9.9
./configure --enable-sourcefire
make
sudo make install

snort -V

# Create the snort user and group:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create some files that stores rules and ip lists
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# Change Ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

cd ~/snort-2.9.9/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort-2.9.11/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

sudo vi /etc/snort/snort.conf
#第45行，ipvar HOME_NET修改为本机的内部网络
ipvar HOME_NET 192.168.89.138/24
#第104行，设置以下配置文件路径
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
#第521行添加
# output unified2: filename merged.log, l imit 128, nostamp, mpls event types, vlan event types }
output unified2: filename snort.u2, limit 128
#第546行取消注释，启用local.rules文件
include $RULE_PATH/local.rules

sudo vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP Test detected!!!"; classtype:icmp-event; sid:10000001; rev:001; GID:1; )

sudo vi /etc/snort/sid-msg.map
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792

sudo snort -T -c /etc/snort/snort.conf -i eth1

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens32

tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./
# Choose ONE of these two commands to run
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
sudo make
sudo make install

barnyard2 -V

sudo cp ~/barnyard2-2-1.13/etc/barnyard2.conf /etc/snort/
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo

ubuntu@ubuntu:~$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/barnyard2-2-1.13/schemas/create_mysql;
mysql> CREATE USER ‘snort‘@‘localhost‘ IDENTIFIED BY ‘123456‘;
mysql> grant create, insert, select, delete, update on snort.* to ‘snort‘@‘localhost‘;
mysql> exit;

sudo vi /etc/snort/barnyard2.conf
#在末尾添加数据库配置
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost sensor name=sensor01

sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens32

# 开启barnyard2，将日志信息存入数据库
# 1.连续处理模式，设置barnyard2.waldo为书签
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
# 2.文件处理模式，处理单个日志文件
sudo barnyard2 -c /etc/snort/barnyard2.conf -o /var/log/snort/snort.u2.xxx

# 查看数据库条目数量，看是否增加
mysql -u snort -p -D snort -e "select count(*) from event"

tar xzvf pulledpork-v0.7.3.tar.gz
cd pulledpork-v0.7.3/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort

ubuntu@ubuntu:~$ pulledpork.pl -V
PulledPork v0.7.3 - Making signature updates great again!

sudo vi /etc/snort/pulledpork.conf
#第19行：输入注册账户生成的oinkcode，若没有则注释掉
#第29行：取消注释可下载针对新兴威胁的规则
#第74行：更改为：
rule_path = /etc/snort/rules/snort.rules
#第89行：更改为：
local_rules = /etc/snort/rules/local.rules
#第92行：更改为：
sid_msg = /etc/snort/sid-msg.map
#第96行：更改为：
sid_msg_version = 2
#第119行：更改为：
config_path = /etc/snort/snort.conf
#第133行：更改为：
distro = Ubuntu-12-04
#第141行：更改为：
black_list = /etc/snort/rules/iplists/black_list.rules
#第150行：更改为：
IPRVersion = /etc/snort/rules/iplists

sudo vi /etc/snort/snort.conf
#第548行添加
include $RULE_PATH/snort.rules

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
sudo snort -T -c /etc/snort/snort.conf -i ens32

#创建服务配置文件
sudo vi /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1
[Install]
WantedBy=multi-user.target
 
#设置开机启动
sudo systemctl enable snort
 
#启动服务
sudo systemctl start snort
 
#检查服务状态
sudo systemctl status snort

#创建服务配置文件
sudo vi /lib/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs --pid-path=/var/run
[Install]
WantedBy=multi-user.target
 
#设置开机启动
sudo systemctl enable barnyard2
 
#启动服务
sudo systemctl start barnyard2
 
#检查服务状态
sudo systemctl status barnyard2

tar xzvf base-1.4.5.tar.gz
sudo mv base-1.4.5 /var/www/html/base/

cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
 
sudo vi /var/www/html/base/base_conf.php
$BASE_Language = ‘chinese‘; # line 27
$BASE_urlpath = ‘/base‘; # line 50
$DBlib_path = ‘/usr/share/php/adodb/‘; #line 80
$alert_dbname = ‘snort‘; # line 102
$alert_host = ‘localhost‘;
$alert_port = ‘‘;
$alert_user = ‘snort‘;
$alert_password = ‘123456‘; # line 106
// $graph_font_name = "Verdana";
// $graph_font_name = "DejaVuSans";
// $graph_font_name = "Image_Graph_Font";
$graph_font_name = "";
 
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
 
sudo service apache2 restart