RHEL5.1+Snort+AMP+Gd with Gd & Image_Graph monitoring system


Category: Linux

Author: tang560128



Intrusion detection is the process of monitoring the events that occur on a computer system or network and analysing them for security problems. Most intrusion detection systems fall into one of three classes: network-based, host-based and distributed. A network-based IDS watches network traffic for traces of an intrusion or attack; a host-based IDS watches activity aimed at a host (user commands, login/logout, the data being used and so on) and judges from it whether an intrusion is being attempted; a distributed IDS uses sensors or agents placed on many nodes to watch the whole network and host environment, with a central console collecting the information from every node and monitoring the traffic flowing through the network and the intrusion attempts in it. The detection methods these systems use fall into two families: signature-based detection and anomaly detection. A signature-based system takes data from the network and looks for known attack signatures in it; for example, certain odd Unicode-encoded characters in a URL are the signature of an attack on the IIS Unicode flaw, and the pattern-matching techniques applied here improve the precision of the method. An anomaly-detection system compares the data it collects against a baseline and decides whether the data is abnormal.

Snort is a lightweight network intrusion detection system built on libpcap. It runs on a "sensor" host that listens to network traffic; this can be as modest as a Pentium 100 PC running FreeBSD with at least one network card, although using the best machine available for the intrusion detection host is recommended. Snort pattern-matches network data against a rule set to detect possible intrusion attempts, or, with the SPADE plugin, applies statistical anomaly detection to the traffic. It has an easily extended modular architecture, and interested developers can add modules of their own: HTTP decoding, TCP stream reassembly, port-scan detection, the FLEXRESP plugin and the various logging output plugins are examples. Snort is free, compact, fast and extensible, has been ported to the various UNIX platforms and to Windows 2000, is one of the most active open-source projects in the security field, and is one of the best replacements for expensive commercial intrusion detection systems.

The text above comes from definitions of intrusion detection and Snort found on the Internet. What follows are the detailed steps for building a Snort-based intrusion detection system on RHEL5. The reference documents for this exercise are the following; the main one is a ChinaUnix article titled "Redhat as4 下Snort+base+mysql+php+apache with gd and Image_Graph 安装与配置" (installing and configuring Snort+base+mysql+php+apache with gd and Image_Graph on Red Hat AS4). The others are:

[url]http://linux.chinaunix.net/bbs/viewthread.php?tid=896814&extra=&highlight=snort&page=1[/url]
[url]http://www.snort.org/docs/setup_guides/Snort_Base_Minimal.pdf[/url]
[url]http://bbs.chinaunix.net/viewthread.php?tid=880326&highlight=zqli[/url]

I do not know Snort in great depth myself; after reading the related documents I simply wanted to go through the procedure once by hand. Having skimmed the documents available online, I see three main problems with them:

First, the operating system versions they use are rather old (many are based on Red Hat 9.0), so deploying them on a current production system easily runs into compatibility problems.

Second, the procedures use a large number of open-source packages to replace software the system already ships with, which in a production environment also creates support and management difficulties.

Third, the "Redhat as4 ..." article contains some errors; I am sure a newcomer who followed it to the letter would still run into problems.

So this time I install Snort on the current RHEL5.1 platform, keep the system's own packages wherever possible, and point out the small errors in the source article along the way. For the problems met during the exercise and for the detailed use of Snort I hope the experts can offer hints and guidance.

Test environment:

Hostname: localhost.localdomain
IP: 192.168.1.150
Kernel: 2.6.18-53.el5xen

This host will carry RHEL5.1+Snort+Apache+MySql+Php+Gd with Gd & Image_Graph. Before deployment the package groups installed on the system were:

%packages
@mysql @development-libs @editors @system-tools @gnome-software-development @text-internet @x-software-development @virtualization @legacy-network-server @dns-server @gnome-desktop @dialup @core @base @ftp-server @network-server @games @java @smb-server @base-x @chinese-support @graphics @web-server @printing @mail-server @server-cfg @sound-and-video @sql-server @admin-tools @news-server @development-tools @graphical-internet

Now check and install the related packages, making sure the following mysql and php packages are present (the page this is taken from had lost every pipe character; they are restored throughout):

[root@localhost Server]# rpm -qa | grep mysql
libdbi-dbd-mysql-0.8.1a-1.2.2
php-mysql-5.1.6-15.el5
mysql-server-5.0.22-2.1.0.1
mysql-connector-odbc-3.51.12-2.2
mysql-test-5.0.22-2.1.0.1
mysql-5.0.22-2.1.0.1
mysql-bench-5.0.22-2.1.0.1
mysql-devel-5.0.22-2.1.0.1

[root@localhost Server]# rpm -qa | grep php
php-cli-5.1.6-15.el5
php-ldap-5.1.6-15.el5
php-pdo-5.1.6-15.el5
php-pear-1.4.9-4
php-common-5.1.6-15.el5
php-mysql-5.1.6-15.el5
php-devel-5.1.6-15.el5
php-5.1.6-15.el5
php-gd-5.1.6-15.el5

With the above in place a basic Apache+Php+Mysql stack already exists and can be given a simple test:

[root@localhost ~]# echo "AddType application/x-httpd-php .php" >> /etc/httpd/conf/httpd.conf
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# service httpd start
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# service mysqld start
[root@localhost ~]# echo "<?php phpinfo();?>" >> /var/www/html/test.php

Now open a browser and visit [url]http://192.168.1.150/test.php[/url]; if the configuration is right the page displays normally. (On RHEL5 the php package already installs /etc/httpd/conf.d/php.conf, which registers the .php handler, so the AddType line is redundant but harmless. Delete test.php once the check has passed: phpinfo() shows the server's paths, module versions and environment to anyone who can reach the page.)

The open-source packages I need are the following:

[root@localhost Server]# mount -o username=jerrywjl //192.168.1.254/sd /mnt
Password:
[root@localhost Server]# cd /mnt/soft/Linux/
[root@localhost Linux]# cp snort-2.8.0.1.tar.gz /usr/local/   -- Snort source
[root@localhost Linux]# cp snortrules-pr-2.4.tar.gz /usr/local/   -- Snort rules
[root@localhost Linux]# cp snort /etc/init.d/   -- the snort init script obtained by download

The content of that script:

[root@localhost local]# cat /etc/init.d/snort
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops the snort intrusion detection system
#
# config: /etc/snort/snort.conf
# processname: snort

# Source function library.
. /etc/rc.d/init.d/functions

BASE=snort
DAEMON="-D"
INTERFACE="-i eth0"
CONF="/etc/snort/snort.conf"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        if [ -n "`/sbin/pidof $BASE`" ]; then
                echo -n $"$BASE: already running"
                echo ""
                exit $RETVAL
        fi
        echo -n "Starting snort service: "
        /usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
        sleep 1
        action "" /sbin/pidof $BASE
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
        ;;
  stop)
        echo -n "Shutting down snort service: "
        killproc $BASE
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  status)
        status $BASE
        RETVAL=$?
        ;;
  *)
        echo "Usage: snort {start|stop|restart|reload|status}"
        exit 1
esac

exit $RETVAL

As written the script runs snort as root for its whole lifetime. The snort user and group created further down are only useful if the start line also passes -u snort -g snort, which makes snort drop to that account after it has opened the capture interface; /var/log/snort then has to be owned by snort. Make the script executable and start it at boot:

[root@localhost ~]# chmod 755 /etc/init.d/snort
[root@localhost ~]# chkconfig snort on

Then continue copying:

[root@localhost Linux]# cp Image_Canvas-0.3.1.tgz /usr/local/
[root@localhost Linux]# cp Image_Color-1.0.2.tgz /usr/local/
[root@localhost Linux]# cp Image_Graph-0.7.0.tar /usr/local/
[root@localhost Linux]# cp adodb480.tgz /usr/local/
[root@localhost Linux]# cp adodb480.tgz /var/www/
[root@localhost Linux]# cp base-1.2.6.tar.gz /var/www/html/
[root@localhost Linux]# cp base-1.2.6.tar.gz /usr/local/
[root@localhost Linux]# cp jpegsrc.v6b.tar.gz /usr/local/

First build jpegsrc.v6b.tar.gz:

[root@localhost local]# tar -zxf jpegsrc.v6b.tar.gz
[root@localhost local]# cd jpeg-6b/
[root@localhost jpeg-6b]# mkdir -p /usr/local/jpeg/{bin,lib,include,man,man/man1}
[root@localhost jpeg-6b]# ./configure --prefix=/usr/local/jpeg --enable-shared --enable-static
[root@localhost jpeg-6b]# make
[root@localhost jpeg-6b]# make install

Then build and install Snort:

[root@localhost ~]# cd /usr/local/
[root@localhost local]# tar -zxf snort-2.8.0.1.tar.gz
[root@localhost local]# cd snort-2.8.0.1
[root@localhost snort-2.8.0.1]# ./configure --with-mysql --enable-dynamicplugin
[root@localhost snort-2.8.0.1]# make
[root@localhost snort-2.8.0.1]# make install
[root@localhost snort-2.8.0.1]# mkdir -p /etc/snort/rules /var/log/snort   -- create the rules and log directories
[root@localhost snort-2.8.0.1]# groupadd snort   -- create the snort user and group
[root@localhost snort-2.8.0.1]# useradd -g snort snort -s /sbin/nologin

The ./configure environment check is very likely to fail, because the following packages are needed first:

libpcap-devel-0.9.4-11.el5.i386.rpm
pcre-devel-6.6-1.1.i386.rpm

Finally copy all the generated configuration files to /etc/snort:

[root@localhost snort-2.8.0.1]# cp etc/* /etc/snort/

and unpack all the rules and copy them to the rules directory chosen above:

[root@localhost local]# tar -zxf snortrules-pr-2.4.tar.gz
[root@localhost local]# cp rules/* /etc/snort/rules/

Now the Snort configuration file can be edited:

[root@localhost ~]# cp /etc/snort/snort.conf snort.conf.bak
[root@localhost ~]# vi /etc/snort/snort.conf

The changes are:

a. Change the original var EXTERNAL_NET any to var EXTERNAL_NET 192.168.1.0/24. Be aware that the default var HOME_NET any is left untouched by this, so a rule written as $EXTERNAL_NET any -> $HOME_NET now fires only on traffic whose source is the 192.168.1.0/24 LAN, which is the opposite of watching for outside attackers. The usual arrangement is var HOME_NET 192.168.1.0/24 together with var EXTERNAL_NET !$HOME_NET (or EXTERNAL_NET left as any).

b. Point at the rule files: change the original var RULE_PATH ../rules to var RULE_PATH /etc/snort/rules.

c. Change output database to:
output database: log, mysql, user=root password=123456 dbname=snort host=localhost
(I will define these in MySQL shortly.) Note that this puts the MySQL root password into snort.conf, a file readable by every local user unless its mode is tightened; the snort account created below holds exactly the privileges the database plugin needs, so user=snort belongs here rather than root.

d. Defining stream: this is where I tripped up during the exercise. Following the article "Redhat as4 下Snort+base+mysql+php+apache with gd and Image_Graph 安装与配置", which says "After the line that says preprocessor stream4_reassemble add a line that looks like preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433", and changing nothing else, the snort service will not start, because the file itself explains further down that stream4 and stream5 cannot coexist (which is exactly what I overlooked):

# Stream5 is a target-based stream engine for Snort. Its functionality
# replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
# cannot be used simultaneously. Comment out the stream4 configurations
# above to use Stream5.

So the simplest course is to change nothing here and just use stream5. The quickest way to find errors of this kind is snort -T -c /etc/snort/snort.conf, which loads the configuration and rules, reports the first fatal error and exits, instead of the start-then-tail-/var/log/messages loop shown later.

Once that is done, create the database for Snort in MySQL:

[root@localhost ~]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

The following defines the basic parameters of the snort database and grants privileges to the management user:

mysql> SET PASSWORD FOR root@localhost=PASSWORD('123456');
Query OK, 0 rows affected (0.07 sec)
mysql> create database snort;
Query OK, 1 row affected (0.05 sec)
mysql> grant INSERT,SELECT on root.* to snort@localhost;
Query OK, 0 rows affected (0.05 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('123456');   -- the source article has an error here
Query OK, 0 rows affected (0.00 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye

Two things to watch in this transcript. There is no database named root, so the grant on root.* (copied from the Snort setup guide) does nothing useful and can be dropped. More important, the final grant to snort with no host part creates a second account, 'snort'@'%', with an empty password and the same rights on the snort database, reachable from any host if mysqld listens on the network; Snort and BASE both connect through localhost, so that grant should be left out (or at least given a password with IDENTIFIED BY). The password 123456 used throughout is a placeholder and should be replaced by a strong one.

Load the predefined tables Snort needs into the snort database in bulk:

[root@localhost ~]# mysql -u root -p < /usr/local/snort-2.8.0.1/schemas/create_mysql snort
Enter password:

Check:

[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

mysql>

Finally install and configure BASE and the Image packages:

[root@localhost local]# pear install Image_Color-1.0.2.tgz
install ok: channel://pear.php.net/Image_Color-1.0.2
[root@localhost local]# pear install Image_Canvas-0.3.1.tgz
install ok: channel://pear.php.net/Image_Canvas-0.3.1
[root@localhost local]# pear install Image_Graph-0.7.0.tar
pear/Image_Graph can optionally use package "pear/Numbers_Roman"
pear/Image_Graph can optionally use package "pear/Numbers_Words"
install ok: channel://pear.php.net/Image_Graph-0.7.0
[root@localhost ~]# cd /var/www/
[root@localhost www]# tar -zxf adodb480.tgz
[root@localhost www]# rm -fr adodb480.tgz
[root@localhost www]# cd /var/www/html/
[root@localhost html]# tar -zxf base-1.2.6.tar.gz
[root@localhost html]# mv base-1.2.6 base
[root@localhost html]# rm -fr base-1.2.6.tar.gz
[root@localhost html]# cd base/

Create and edit the configuration file:

[root@localhost ~]# cd /var/www/html/base/
[root@localhost base]# cp base_conf.php.dist base_conf.php
[root@localhost base]# vi base_conf.php

The settings to change are:

$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "123456";
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB

These must of course match what was set up in the snort database. (Write the adodb path without a trailing slash or stray space; "/var/www/adodb/ " with a space inside the quotes is a typo that BASE cannot resolve.) Finally start Snort. The first start usually fails:

[root@localhost ~]# service snort start
Starting snort service:                                    [FAILED]
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:34:06 localhost snort[647]: Alert if memcap exceeded DISABLED
Mar  5 21:34:06 localhost snort[647]:
Mar  5 21:34:06 localhost snort[647]: DNS config:
Mar  5 21:34:06 localhost snort[647]:     DNS Client rdata txt Overflow Alert: ACTIVE
Mar  5 21:34:06 localhost snort[647]:     Obsolete DNS RR Types Alert: INACTIVE
Mar  5 21:34:06 localhost snort[647]:     Experimental DNS RR Types Alert: INACTIVE
Mar  5 21:34:06 localhost snort[647]:     Ports:
Mar  5 21:34:06 localhost snort[647]:     53
Mar  5 21:34:06 localhost snort[647]:
Mar  5 21:34:07 localhost snort[647]: FATAL ERROR: (/etc/snort/rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent".

So edit /etc/snort/rules/web-misc.rules as the message indicates and comment out the offending lines:

[root@localhost ~]# vi /etc/snort/rules/web-misc.rules

The lines commented out are:

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)

Start again:

[root@localhost ~]# service snort start
Starting snort service:                                    [FAILED]
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:42:37 localhost snort[707]: Alert if memcap exceeded DISABLED
Mar  5 21:42:37 localhost snort[707]:
Mar  5 21:42:37 localhost snort[707]: DNS config:
Mar  5 21:42:37 localhost snort[707]:     DNS Client rdata txt Overflow Alert: ACTIVE
Mar  5 21:42:37 localhost snort[707]:     Obsolete DNS RR Types Alert: INACTIVE
Mar  5 21:42:37 localhost snort[707]:     Experimental DNS RR Types Alert: INACTIVE
Mar  5 21:42:37 localhost snort[707]:     Ports:
Mar  5 21:42:37 localhost snort[707]:     53
Mar  5 21:42:37 localhost snort[707]:
Mar  5 21:42:38 localhost snort[707]: FATAL ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi

So edit /etc/snort/rules/web-misc.rules again as the message indicates and comment out the offending content:

[root@localhost ~]# vi /etc/snort/rules/web-misc.rules

The lines commented out are:

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt"; flow:to_server,established; content:"/ComGetLogFile.php3"; distance:0; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3544; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2;)

Commenting rules out silences those signatures for good, and only one of each pair actually failed to load. sid 1143 and 1144 are rejected because rawbytes cannot modify a uricontent match; delete the rawbytes modifier and both load. Line 452 is sid 3545, whose pcre is missing the leading / of the /regex/flags form; add it and the rule loads. sid 3544 parses as it is and did not need to be commented out.

Third start:

[root@localhost ~]# service snort start
Starting snort service: 735                                [  OK  ]
[root@localhost ~]# tail -f /var/log/messages
Mar  5 21:46:29 localhost snort[735]: Pattern Chars     : 97521
Mar  5 21:46:29 localhost snort[735]: Num States        : 52738
Mar  5 21:46:29 localhost snort[735]: Num Match States  : 7558
Mar  5 21:46:29 localhost snort[735]: Memory            : 1.40Mbytes
Mar  5 21:46:29 localhost snort[735]: Patterns          : 0.31M
Mar  5 21:46:29 localhost snort[735]: Match Lists       : 0.30M
Mar  5 21:46:29 localhost snort[735]: Transitions       : 0.77M
Mar  5 21:46:29 localhost snort[735]: +-------------------------------------------------
Mar  5 21:46:29 localhost snort[735]: Snort initialization completed successfully (pid=735)
Mar  5 21:46:29 localhost snort[735]: Not Using PCAP_FRAMES

The method is a little clumsy, but it is up and running. Now test from a browser: visit [url]http://192.168.1.150/base[/url], which redirects to [url]http://192.168.1.150/base/base_main.php[/url], and the front page appears:

Basic Analysis and Security Engine (BASE)
The underlying database snort@localhost appears to be incomplete/invalid.
The database version is valid, but the BASE DB structure (table: acid_ag) is not present. Use the Setup page to configure and optimize the DB.

Click "setup page" and run the installation. After it completes, clicking "administration" brings up an error page:

Database ERROR: Database ERROR: Table 'snort.base_users' doesn't exist

This is caused by differences between BASE versions. To fix it I recreated the BASE configuration file: first move /var/www/html/base/base_conf.php elsewhere, then follow the prompt to visit [url]http://192.168.1.150/base/setup[/url] and rebuild the configuration as prompted, which covers the database name, administrator, password and so on. At the end it reports that base_conf.php is faulty, but at the same time prints a complete base_conf.php and asks you to copy that content into /var/www/html/base/base_conf.php. After that, visiting [url]http://192.168.1.150[/url] displays every page correctly.

Two settings in the resulting file deserve attention before the console is left running. $Use_Auth_System = 0 lets anyone who can reach the web server read every alert and use the administration pages; outside an isolated test box set it to 1, create an administrative user, and restrict access to /base in Apache as well. base_conf.php also holds the database password in clear text, so it should be readable only by the account Apache runs as.

For reference, the content of my base_conf.php:

[root@localhost base]# vi base_conf.php
<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file "base_main.php" for license details)
**
** Project Leads: Kevin Johnson <[email]kjohnson@secureideas.net[/email]>
** Built upon work by Roman Danyliw <[email]rdd@cert.org[/email]>, <[email]roman@danyliw.com[/email]>
**
** Purpose: Vanilla Config file
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <[email]kjohnson@secureideas.net[/email]>
********************************************************************************/

session_start();

$BASE_VERSION = '1.2.6 (christine)';

/* Set the below to the language you would like people to use while viewing
   your install of BASE. */
$BASE_Language = 'english';

/* Set the $Use_Auth_System variable to 1 if you would like to force users to
   authenticate to use the system. Only turn this off if the system is not
   accessible to the public or the network at large. i.e. a home user testing
   it out! */
$Use_Auth_System = 0;

/* Set the base_urlpath to the url location that is the root of your BASE
   install. This must be set for BASE to function! Do not include a trailing
   slash! But also put the preceding slash. e.g. Your URL is
   [url]http://127.0.0.1/base[/url] set this to /base */
$BASE_urlpath = '/base';

/* Unique BASE ID. The below variable, if set, will append its value to the
 * title bar of the browser. This is for people who manage multiple installs
 * of BASE and want a simple way to differentiate them on the task bar. */
$BASE_installID = '';

/* Custom footer addition. The below variable, if set, will cause
 * base_main.php to include what ever file is specified.
 * A sample custom footer file is in the contrib directory */
$base_custom_footer = '';

/* Path to the DB abstraction library
 * (Note: DO NOT include a trailing backslash after the directory)
 * e.g. $foo = '/tmp'    [OK]
 *      $foo = '/tmp/'   [OK]
 *      $foo = 'c:\tmp'  [OK]
 *      $foo = 'c:\tmp\' [WRONG] */
$DBlib_path = '/var/www/adodb';

/* The type of underlying alert database
 *
 * MySQL         : 'mysql'
 * PostgresSQL   : 'postgres'
 * MS SQL Server : 'mssql'
 * Oracle        : 'oci8' */
$DBtype = 'mysql';

/* Alert DB connection parameters
 * - $alert_dbname   : MySQL database name of Snort alert DB
 * - $alert_host     : host on which the DB is stored
 * - $alert_port     : port on which to access the DB
 * - $alert_user     : login to the database with this user
 * - $alert_password : password of the DB user
 *
 * This information can be gleaned from the Snort database
 * output plugin configuration. */
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = '123456';

/* Archive DB connection parameters */
$archive_exists   = ''; # Set this to 1 if you have an archive DB
$archive_dbname   = '';
$archive_host     = '';
$archive_port     = '';
$archive_user     = '';
$archive_password = '';

/* Type of DB connection to use
 * 1: use a persistant connection (pconnect)
 * 2: use a normal connection (connect) */
$db_connect_method = 1;

/* Use referential integrity
 * 1: use
 * 0: ignore (not installed)
 *
 * Note: Only PostgreSQL and MS-SQL Server databases support
 *       referential integrity. Use the associated
 *       create_acid_tbls_?_extra.sql script to add this
 *       functionality to the database.
 *
 *       Referential integrity will greatly improve the
 *       speed of record deletion, but also slow record
 *       insertion. */
$use_referential_integrity = 0;

/* Variable to start the ability to handle themes... */
$base_style = 'base_style.css';

/* File format of charts (png, jpeg, gif) */
$chart_file_format = 'png';

/* Chart default colors - (red, green, blue)
 * - $chart_bg_color_default    : background color of chart
 * - $chart_lgrid_color_default : gridline color of chart
 * - $chart_bar_color_default   : bar/line color of chart */
$chart_bg_color_default    = array(255,255,255);
$chart_lgrid_color_default = array(205,205,205);
$chart_bar_color_default   = array(190, 5, 5);

/* Maximum number of rows per criteria element */
$MAX_ROWS = 10;

/* Number of rows to display for any query results */
$show_rows = 48;

/* Number of items to return during a snapshot
 * Last _X_ # of alerts/unique alerts/ports/IP */
$last_num_alerts  = 15;
$last_num_ualerts = 15;
$last_num_uports  = 15;
$last_num_uaddr   = 15;

/* Number of items to return during a snapshot
 * Most Frequent unique alerts/IPs/ports */
$freq_num_alerts = 5;
$freq_num_uaddr  = 15;
$freq_num_uports = 15;

/* Number of scroll buttons to use when displaying query results */
$max_scroll_buttons = 12;

/* Debug mode - how much debugging information should be shown
 * Timing mode - display timing information
 * SQL trace mode - log SQL statements
 *   0 : no extra information
 *   1 : debugging information
 *   2 : extended debugging information
 *
 * HTML no cache - whether a no-cache directive should be sent
 *                 to the browser (should be = 1 for IE)
 *
 * SQL trace file - file to log SQL traces */
$debug_mode      = 0;
$debug_time_mode = 1;
$html_no_cache   = 1;
$sql_trace_mode  = 0;
$sql_trace_file  = '';

/* Auto-Screen refresh
 * - Refresh_Stat_Page - Should certain statistics pages refresh?
 * - Stat_Page_Refresh_Time - refresh interval (in seconds) */
$refresh_stat_page      = 1;
$stat_page_refresh_time = 180;

/* Display First/Previous/Last timestamps for alerts or
 * just First/Last on the Unique Alert listing.
 * 1: yes
 * 0: no */
$show_previous_alert = 0;

/* Sets maximum execution time (in seconds) of any particular page.
 * Note: this overrides the PHP configuration file variable
 *       max_execution_time. Thus script can run for a total of
 *       ($max_script_runtime + max_execution_time) seconds */
$max_script_runtime = 180;

/* How should the IP address criteria be entered in the Search screen?
 * 1 : each octet is a separate field
 * 2 : entire address is as a single field */
$ip_address_input = 2;

/* Should a combo box with possible signatures be displayed on the
 * search form. (Requires Javascript)
 * 0 : disabled
 * 1 : show only non pre-processor signatures (e.g., ignore portscans)
 * 2 : show all signatures */
$use_sig_list = 0;

/* Resolve IP to FQDN (on certain queries?)
 * 1 : yes
 * 0 : no */
$resolve_IP = 0;

/* Should summary stats be calculated on every Query Results page
 * (Enabling this option will slow page loading time) */
$show_summary_stats = 0;

/* DNS cache lifetime (in minutes) */
$dns_cache_lifetime = 20160;

/* Whois information cache lifetime (in minutes) */
$whois_cache_lifetime = 40320;

/* Snort spp_portscan log file */
$portscan_file = '';

/* Show part of portscan payload in signature */
$portscan_payload_in_signature = '1';

/* Event cache Auto-update
 *
 * Should the event cache be verified and updated on every
 * page log? Otherwise, the cache will have to be explicitly
 * updated from the 'cache and status' page.
 *
 * Note: enabling this option could substantially slow down
 *       the page loading time when there are many uncached alerts.
 *       However, this is only a one-time penalty.
 *
 * 1 : yes
 * 0 : no */
$event_cache_auto_update = 1;

/* Maintain a history of the visited pages so that the 'Back'
 * button can be used.
 *
 * Note: Enabling this option will cause the PHP-session to
 *       grow substantially after many pages have been viewed causing
 *       a slow down in page loading time. Periodically return to the
 *       main page to clear the history.
 *
 * 1 : yes
 * 0 : no */
$maintain_history = 1;

/* Level of detail to display on the main page.
 *
 * Note: The presence of summary statistics will slow page loading time
 *
 * 1 : show both the links and summary statistics
 * 0 : show only the links and a count of the number of alerts */
$main_page_detail = 1;

/* avoid count(*) whenever possible
 *
 * Note: On some databases (e.g., postgres) this can greatly increase
 * performance if you have a large number of events. On other databases
 * (e.g., mysql) this will have little to no effect. Enabling this
 * option will prevent the number of events in the database from being
 * shown on the main screen and will remove the percentages associated
 * with the number of events on the alert screen. */
$avoid_counts = 0;

/* show links to first/last/previous event on alert screen
 *
 * Note: Enabling this can slow down loading of the alert screen on large
 * databases */
$show_first_last_links = 0;

/*
 * External URLs
 */

/* Whois query */
$external_whois_link = 'http://www.dnsstuff.com/tools/whois.ch?ip=';

/* DNS query */
$external_dns_link = 'http://www.dnsstuff.com/tools/ptr.ch?ip=';

/* SamSpade 'all' query */
$external_all_link = 'http://www.whois.sc/';

/* TCP/UDP port database */
$external_port_link = array('sans'    => 'http://isc.sans.org/port_details.php?port=',
                            'portsdb' => 'http://www.portsdb.org/bin/portsdb.cgi?portnumber=',
                            'tantalo' => 'http://ports.tantalo.net/?q=',
                            'sstats'  => 'http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=');

/* Signature references */
$external_sig_link = array('bugtraq'   => array('http://www.securityfocus.com/bid/', ''),
                           'snort'     => array('http://www.snort.org/pub-bin/sigs.cgi?sid=', ''),
                           'cve'       => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),
                           'arachnids' => array('http://www.whitehats.com/info/ids', ''),
                           'mcafee'    => array('http://vil.nai.com/vil/content/v_', '.htm'),
                           'icat'      => array('http://icat.nist.gov/icat.cfm?cvename=CAN-', ''),
                           'nessus'    => array('http://www.nessus.org/plugins/index.php?view=single&id=', ''),
                           'url'       => array('http://', ''),
                           'local'     => array('signatures/', '.txt'));

/* Email Alert action
 *
 * - action_email_from    : email address to use in the FROM field of the mail message
 * - action_email_subject : subject to use for the mail message
 * - action_email_msg     : additional text to include in the body of the mail message
 * - action_email_mode    : specifies how the alert information should be enclosed
 *                          0 : alerts should be in the body of the message
 *                          1 : alerts should be enclosed in an attachment */
$action_email_from    = 'BASE Alert ';
$action_email_subject = 'BASE Incident Report';
$action_email_msg     = '';
$action_email_mode    = 0;

/* Custom (user) PHP session handlers
 *
 * - use_user_session      : sets whether user PHP session can be used (configured
 *                           with the session.save_handler variable in php.ini)
 *                           0 : no
 *                           1 : yes (assuming that 'user_session_path' and 'user_session_function'
 *                               are configured correctly)
 * - user_session_path     : file to include that implements the custom PHP session
 *                           handler
 * - user_session_function : function to invoke in the custom session
 *                           implementation that will register the session handler
 *                           functions */
$use_user_session      = 0;
$user_session_path     = '';
$user_session_function = '';

/* The below line should not be changed! */
$BASE_path = dirname(__FILE__);

// _BASE_INC is a variable set to prevent direct access to certain include files....
define( '_BASE_INC', 1 );

// Include for languages
include("$BASE_path/languages/$BASE_Language.lang.php");
?>
"base_conf.php" [New] 364L, 13299C written
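The snort.conf edits (a) to (d) above hide two mistakes that only surface when the service fails to start: re-enabling stream4 next to stream5, and narrowing EXTERNAL_NET to the LAN while HOME_NET stays "any". The following pre-flight checker is an added example written for this page, not code from the article or from Snort; it reads a snort.conf and reports both conditions before snort is launched. The two sample configurations BAD_CONF and GOOD_CONF are constructed for the demonstration and are not the author's file.

```python
"""Pre-flight checks on a Snort 2.x snort.conf: both stream engines enabled,
and a HOME_NET/EXTERNAL_NET pair that watches the wrong side of the network.
Added example for this page; not the article's or Snort's own code."""
import re
import sys

PREPROC_RE = re.compile(r'^\s*preprocessor\s+([A-Za-z0-9_]+)')
VAR_RE = re.compile(r'^\s*var\s+([A-Za-z0-9_]+)\s+(\S+)')


def active_preprocessors(conf_text):
    """Preprocessor names from lines that are not commented out."""
    return [m.group(1) for m in map(PREPROC_RE.match, conf_text.splitlines()) if m]


def config_vars(conf_text):
    """Last value assigned by each 'var NAME VALUE' line."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check_conf(conf_text):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    pre = active_preprocessors(conf_text)
    # Snort 2.8 refuses to start when stream4 and stream5 are both configured.
    if any(p.startswith('stream4') for p in pre) and any(p.startswith('stream5') for p in pre):
        findings.append('stream4 and stream5 are both enabled; comment out the '
                        'stream4 lines to keep Stream5')
    v = config_vars(conf_text)
    home, ext = v.get('HOME_NET'), v.get('EXTERNAL_NET')
    # With HOME_NET still "any", $EXTERNAL_NET any -> $HOME_NET rules only
    # match traffic whose source is EXTERNAL_NET, i.e. the LAN itself.
    if home == 'any' and ext not in (None, 'any', '!$HOME_NET'):
        findings.append('HOME_NET is "any" while EXTERNAL_NET is %s; rules now fire '
                        'only on traffic sourced from %s' % (ext, ext))
    if home and ext and home == ext:
        findings.append('HOME_NET and EXTERNAL_NET are identical (%s)' % home)
    return findings


# Constructed sample: the article's edit (a) plus the stream4 line the source
# article told readers to add, next to the stock stream5 configuration.
BAD_CONF = """\
var HOME_NET any
var EXTERNAL_NET 192.168.1.0/24
var RULE_PATH /etc/snort/rules
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
"""

# Constructed sample: stream4 commented out, LAN as HOME_NET, the rest external.
GOOD_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
# preprocessor stream4: disable_evasion_alerts
# preprocessor stream4_reassemble: both
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
"""

if __name__ == '__main__':
    # Usage: python check_snort_conf.py /etc/snort/snort.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONF
    for f in check_conf(text) or ['no findings']:
        print(f)
```

Run it against /etc/snort/snort.conf before the first service snort start; it complements snort -T, which stops at the first fatal error and says nothing about the HOME_NET/EXTERNAL_NET mistake because that configuration is syntactically valid.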
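The three start attempts above each ended in a FATAL ERROR pointing at one line of web-misc.rules, and the fix each time was to comment the rule out by hand. The linter below is an added example written for this page, not code from the article or from the Snort project: it finds both error classes in a rules file (rawbytes combined with uricontent, and a pcre body without its leading / delimiter), repairs them in place rather than silencing the signature, and extracts the file and line number from either FATAL ERROR format seen in /var/log/messages. The rule lines in SAMPLE_RULES are the four quoted above (with the | alternation the page had lost restored) plus one constructed clean rule with a made-up sid.

```python
"""Lint and repair Snort 2.8 rule lines for the two load-time errors met in the
article, and locate the offending line from the syslog message.
Added example for this page; not the article's or Snort's own code."""
import re

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
RAWBYTES_RE = re.compile(r'\s*\brawbytes\s*;')
URI_RE = re.compile(r'\buricontent\s*:|\bhttp_uri\s*;')
PCRE_RE = re.compile(r'pcre\s*:\s*(!?)"([^"]*)"')
# Both message shapes seen on the page:
#   FATAL ERROR: (/etc/snort/rules/web-misc.rules)97 => ...
#   FATAL ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => ...
FATAL_RE = re.compile(r'FATAL ERROR: (?:ERROR )?\(?(\S+?\.rules)\)?\s*(?:Line\s+)?(\d+)')


def lint_rule(line):
    """Return (sid, problems, repaired_line) for one rule line."""
    rule = line.strip()
    if not rule or rule.startswith('#'):
        return None, [], line
    m = SID_RE.search(rule)
    sid = int(m.group(1)) if m else None
    problems, fixed = [], rule
    # Error 1: rawbytes may not modify a uricontent/http_uri match.  uricontent
    # already matches the normalised URI, so the modifier is simply dropped.
    if RAWBYTES_RE.search(rule) and URI_RE.search(rule):
        problems.append('rawbytes combined with uricontent/http_uri')
        fixed = RAWBYTES_RE.sub('', fixed)
    # Error 2: a pcre body is written /regex/flags; without the leading
    # delimiter Snort reports "unable to parse pcre regex".
    for pm in PCRE_RE.finditer(rule):
        negate, body = pm.group(1), pm.group(2)
        if not body.startswith('/'):
            problems.append('pcre lacks the leading "/" delimiter')
            fixed = fixed.replace(pm.group(0), 'pcre:%s"/%s"' % (negate, body))
    return sid, problems, fixed


def lint_rules(text):
    """Map sid -> list of problems for every faulty rule in a rules file body."""
    report = {}
    for line in text.splitlines():
        sid, problems, _ = lint_rule(line)
        if problems:
            report[sid] = problems
    return report


def repair_rules(text):
    """The rules file body with every fixable rule rewritten in place."""
    return '\n'.join(lint_rule(line)[2] for line in text.splitlines())


def fatal_location(log_line):
    """(rules file, line number) from a snort FATAL ERROR syslog line, or None."""
    m = FATAL_RE.search(log_line)
    return (m.group(1), int(m.group(2))) if m else None


# The four rules quoted in the article plus a constructed clean one (sid 9000001 is made up).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt"; flow:to_server,established; content:"/ComGetLogFile.php3"; distance:0; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3544; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-activity; sid:3545; rev:2;)
# constructed clean rule for contrast
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE clean rule"; flow:to_server,established; uricontent:"/example"; nocase; sid:9000001; rev:1;)
'''

if __name__ == '__main__':
    for sid, problems in sorted(lint_rules(SAMPLE_RULES).items()):
        print('sid %s: %s' % (sid, '; '.join(problems)))
    print(fatal_location('Mar  5 21:42:38 localhost snort[707]: FATAL ERROR: ERROR '
                         '/etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex'))
```

Running lint_rules over the whole rules directory before the first start finds every rule that would stop Snort in one pass instead of one per restart, and repair_rules keeps sids 1143, 1144 and 3545 in service rather than commenting them out.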
