
Intrusion detection with Snort and Suricata

1. Platform environment setup

1.1 Helper tools: flex and bison

1.1.1 flex

https://github.com/westes/flex

./autogen.sh
./configure && make && make install

Problem encountered during the build

yan@ubuntu:~/Works/flex-master$ ./autogen.sh LIBTOOLIZE=/path/to/libtoolize
error: libtoolize not working, re-run with LIBTOOLIZE=/path/to/libtoolize
      LIBTOOLIZE is currently ""

Fix (mlocate is only needed for the locate check below; libtool provides libtoolize)

sudo apt install mlocate
sudo apt install libtool

Verify the environment

$locate libtool
/snap/gnome-3-38-2004/99/usr/bin/libtool
/snap/gnome-3-38-2004/99/usr/bin/libtoolize
/snap/gnome-3-38-2004/99/usr/lib/x86_64-linux-gnu/gobject-introspection/giscanner/libtoolimporter.py
/snap/gnome-3-38-2004/99/usr/share/libtool
/snap/gnome-3-38-2004/99/usr/share/aclocal/libtool.m4
/snap/gnome-3-38-2004/99/usr/share/gtksourceview-3.0/language-specs/libtool.lang
/snap/gnome-3-38-2004/99/usr/share/gtksourceview-4/language-specs/libtool.lang
/snap/gnome-3-38-2004/99/usr/share/info/libtool.info
/snap/gnome-3-38-2004/99/usr/share/info/libtool.info-1
/snap/gnome-3-38-2004/99/usr/share/info/libtool.info-2
/snap/gnome-3-38-2004/99/usr/share/libtool/COPYING.LIB
/snap/gnome-3-38-2004/99/usr/share/libtool/Makefile.am
/snap/gnome-3-38-2004/99/usr/share/libtool/Makefile.in
/snap/gnome-3-38-2004/99/usr/share/libtool/README
/snap/gnome-3-38-2004/99/usr/share/libtool/aclocal.m4
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux
/snap/gnome-3-38-2004/99/usr/share/libtool/config-h.in
/snap/gnome-3-38-2004/99/usr/share/libtool/configure
/snap/gnome-3-38-2004/99/usr/share/libtool/configure.ac
/snap/gnome-3-38-2004/99/usr/share/libtool/ltdl.mk
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/compile
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/config.guess
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/config.sub
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/depcomp
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/install-sh
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/ltmain.sh
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/missing
/usr/share/gtksourceview-4/language-specs/libtool.lang

Running it again still fails

./autogen.sh 
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: linking file 'build-aux/config.guess'
libtoolize: linking file 'build-aux/config.sub'
libtoolize: linking file 'build-aux/install-sh'
libtoolize: linking file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: linking file 'm4/libtool.m4'
libtoolize: linking file 'm4/ltoptions.m4'
libtoolize: linking file 'm4/ltsugar.m4'
libtoolize: linking file 'm4/ltversion.m4'
libtoolize: linking file 'm4/lt~obsolete.m4'
Can't exec "autopoint": No such file or directory at /usr/share/autoconf/Autom4te/FileUtils.pm line 345.
autoreconf: failed to run autopoint: No such file or directory
autoreconf: autopoint is needed because this package uses Gettext

Fix (autopoint is part of gettext, which flex's configure.ac uses)

sudo apt install -y autopoint

Successful run

$ ./autogen.sh 
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: linking file 'build-aux/config.guess'
libtoolize: linking file 'build-aux/config.sub'
libtoolize: linking file 'build-aux/install-sh'
libtoolize: linking file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: linking file 'm4/libtool.m4'
libtoolize: linking file 'm4/ltoptions.m4'
libtoolize: linking file 'm4/ltsugar.m4'
libtoolize: linking file 'm4/ltversion.m4'
libtoolize: linking file 'm4/lt~obsolete.m4'
Copying file ABOUT-NLS
Copying file build-aux/config.rpath
Copying file m4/codeset.m4
Copying file m4/extern-inline.m4
Copying file m4/fcntl-o.m4
Copying file m4/gettext.m4
Copying file m4/glibc2.m4
Copying file m4/glibc21.m4
Copying file m4/iconv.m4
Copying file m4/intdiv0.m4
Copying file m4/intl.m4
Copying file m4/intldir.m4
Copying file m4/intlmacosx.m4
Copying file m4/intmax.m4
Copying file m4/inttypes-pri.m4
Copying file m4/inttypes_h.m4
Copying file m4/lcmessage.m4
Copying file m4/lib-ld.m4
Copying file m4/lib-link.m4
Copying file m4/lib-prefix.m4
Copying file m4/lock.m4
Copying file m4/longlong.m4
Copying file m4/nls.m4
Copying file m4/po.m4
Copying file m4/printf-posix.m4
Copying file m4/progtest.m4
Copying file m4/size_max.m4
Copying file m4/stdint_h.m4
Copying file m4/threadlib.m4
Copying file m4/uintmax_t.m4
Copying file m4/visibility.m4
Copying file m4/wchar_t.m4
Copying file m4/wint_t.m4
Copying file m4/xsize.m4
Copying file po/Makefile.in.in
Copying file po/Makevars.template
Copying file po/Rules-quot
Copying file po/boldquot.sed
Copying file po/en@boldquot.header
Copying file po/en@quot.header
Copying file po/insert-header.sin
Copying file po/quot.sed
Copying file po/remove-potcdate.sin
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:31: installing 'build-aux/compile'
configure.ac:33: installing 'build-aux/missing'
doc/Makefile.am:5: installing 'build-aux/mdate-sh'
doc/Makefile.am:5: installing 'build-aux/texinfo.tex'
src/Makefile.am: installing 'build-aux/depcomp'
configure.ac: installing 'build-aux/ylwrap'
parallel-tests: installing 'build-aux/test-driver'

A more convenient method, found later (the distribution package, which avoids the autotools bootstrap entirely)

sudo apt install flex

1.1.2 bison

http://ftp.gnu.org/gnu/bison/

Downloaded bison 3.8 and found the install tedious: the tree only had Makefile.in and Makefile.am, so a Makefile would first have to be generated from those two. (The release tarballs on ftp.gnu.org do ship a configure script, and ./configure generates the Makefile from Makefile.in; only a git checkout needs bootstrapping.) The simpler route was again the distribution package:

sudo apt install bison
bison --version
bison (GNU Bison) 3.5.1

1.2 Snort

Snort - Network Intrusion Detection & Prevention System

wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.19.tar.gz

tar xvzf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure && make && sudo make install

tar xvzf snort-2.9.19.tar.gz
cd snort-2.9.19
./configure --enable-sourcefire && make && sudo make install

1.2.1 Error during the daq-2.0.7 build

ERROR!  Libpcap library version >= 1.0.0 not found.
  Get it from http://www.tcpdump.org

Tried the following (building libpcap 1.0.0 from source), which failed

wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
tar xvfz libpcap-1.0.0.tar.gz
cd libpcap-1.0.0/
./configure
make
make install

While investigating further I also found an arm64 build of libpcap-dev:

https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/libpcap-dev_1.9.1-3_arm64.deb.html

That can serve as the base for building the same platform on domestic arm64 processors.

On Ubuntu 20.04 the fix actually used here was simply the distribution's development package (it provides both the headers and a libpcap new enough for DAQ):

sudo apt-get install libpcap-dev

1.2.2 Errors during the snort-2.9.19 build

Error 1:

   ERROR!  Libpcre header not found.
  Get it from http://www.pcre.org

Fix

sudo apt-get install libpcre3-dev

Problem solved

Error 2:

ERROR!  dnet header not found, go get it from
  http://code.google.com/p/libdnet/ or use the --with-dnet-*
  options, if you have it installed in an unusual place
make: *** No targets specified and no makefile found.  Stop.

Download the libdnet source from https://github.com/dugsong/libdnet/releases and build it (Ubuntu's libdumbnet-dev package installs the header as dumbnet.h, which Snort's configure does not look for, so the source build installing /usr/local/include/dnet.h is the simpler route):

./configure
make
sudo make install

Problem solved

Error 3:

   ERROR!  zlib header not found, go get it from
  http://www.zlib.net

Fix

sudo apt-get install zlib1g-dev

Problem solved

Error 4:

   ERROR!  LuaJIT library not found. Go get it from http://www.luajit.org/ (or)
  Try compiling without openAppId using '--disable-open-appid'
configure: error: "Fatal!"

Fix: build without OpenAppId, as the message suggests (installing libluajit-5.1-dev instead would keep OpenAppId; it is not needed for the rule-based detection used below)

./configure --disable-open-appid && make && sudo make install
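Instead of discovering each missing header one configure run at a time, the five checks above can be done up front. The following script is an added example (not part of Snort, DAQ or this post) that looks for the headers the DAQ 2.0.7 and Snort 2.9.19 configure scripts stopped on, maps each one to the package or source build that provided it above on Ubuntu 20.04, and picks the Snort configure flags accordingly. The sysroot argument and the --check flag belong to this script only, not to Snort's configure; the header paths are the Ubuntu 20.04 defaults.

```sh
#!/bin/sh
# Pre-flight check for the development headers that the DAQ 2.0.7 and Snort 2.9.19
# configure scripts stopped on above, mapped to what provided each one on Ubuntu 20.04.
# Added example; not part of Snort, DAQ or the original post.
# The sysroot argument (default /) and the --check flag belong to this script only,
# so the check can be pointed at a chroot or a scratch tree; they are not Snort options.

# header (relative to the sysroot) | what provides it | configure error it prevents
SNORT_DEPS='
usr/include/pcap.h|apt install libpcap-dev|Libpcap library version >= 1.0.0 not found
usr/include/pcre.h|apt install libpcre3-dev|Libpcre header not found
usr/include/dnet.h|build libdnet from source (Ubuntu libdumbnet-dev installs dumbnet.h, which configure does not look for)|dnet header not found
usr/include/zlib.h|apt install zlib1g-dev|zlib header not found
usr/include/luajit-2.1/luajit.h|apt install libluajit-5.1-dev, or configure --disable-open-appid|LuaJIT library not found
'

# Print one line per missing header. The return value is the number missing, so 0
# means configure should get past all five checks.
missing_snort_deps() {
  root="${1:-/}"
  count=0
  while IFS='|' read -r header provider err; do
    [ -n "$header" ] || continue
    # "make install" from source lands under /usr/local/include, so accept that too
    local_header="usr/local/${header#usr/}"
    if [ ! -f "$root/$header" ] && [ ! -f "$root/$local_header" ]; then
      echo "missing $header (configure would say: \"$err\") -> $provider"
      count=$((count + 1))
    fi
  done <<EOF
$SNORT_DEPS
EOF
  return "$count"
}

# Snort's configure line for this sysroot: keep OpenAppId only when LuaJIT is present.
snort_configure_flags() {
  root="${1:-/}"
  if [ -f "$root/usr/include/luajit-2.1/luajit.h" ] || [ -f "$root/usr/local/include/luajit-2.1/luajit.h" ]; then
    echo "--enable-sourcefire"
  else
    echo "--enable-sourcefire --disable-open-appid"
  fi
}

case "${1:-}" in
  --check)
    root="${2:-/}"
    if missing_snort_deps "$root"; then
      echo "all headers present; run: ./configure $(snort_configure_flags "$root")"
    else
      echo "install the items above, then run: ./configure $(snort_configure_flags "$root")"
    fi ;;
esac
```

Run it as `sh snort-deps.sh --check` before unpacking the tarballs; the dnet entry accepts /usr/local/include/dnet.h so that the source build used above counts as satisfied.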

1.3 Installing Suricata on Ubuntu (following the suricatacn docs)

Installation - Suricata 4.1.0-dev documentation (suricatacn.readthedocs.io). Note that these translated docs track 4.1.0-dev while the PPA below installs the current stable release, so some options will differ from the documentation:

https://suricatacn.readthedocs.io/zh_CN/latest/index.html

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

1.4 Installing an Aho-Corasick library (Snort already contains its own AC pattern matchers, selected with "config detection: search-method" in snort.conf)

morenice/ahocorasick: C implementation of Aho-Corasick string matching (github.com); from a checkout of the repository:

$ mkdir build; cd build
$ cmake ..
$ make

2. The IDS: configuring and running Snort

2.1 Snort configuration (this part follows the blog posts https://www.cnblogs.com/thresh/p/12019466.html and https://www.cnblogs.com/jake-jin/p/14221593.html)

$ snort -V

  ,,_     -*> Snort! <*-
o" )~   Version 2.9.19 GRE (Build 85)
  ''''   By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
          Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
          Copyright (C) 1998-2013 Sourcefire, Inc., et al.
          Using libpcap version 1.9.1 (with TPACKET_V3)
          Using PCRE version: 8.39 2016-06-14
          Using ZLIB version: 1.2.11

Snort setup

Basic configuration: for security reasons Snort should not run as root but as an unprivileged user, so create a dedicated snort user and group (system account, no login shell):

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

建立snort需要的檔案和資料夾

# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create the log directories
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions. 5775 is what the referenced guide uses; it also sets the setuid and
# sticky bits, and setuid on a directory has no effect on Linux. Snort itself only needs to
# read /etc/snort and write /var/log/snort, so 755 and 775 respectively would be tighter.
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# Change ownership of the directories to the snort user
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Copy the configuration, map and DTD files from the Snort source tree (~/Works/snort-2.9.19 is where the tarball was unpacked above) into the new directories. The last two lines copy the dynamic preprocessors; "make install" already placed them in /usr/local/lib/snort_dynamicpreprocessor, so this step is harmless but not required.

cd ~/Works/snort-2.9.19/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/Works/snort-2.9.19/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

Edit the Snort configuration file. First comment out every "include $RULE_PATH/..." line (the community and registered rule files those lines refer to are not installed), so that only the rule file enabled further down is loaded:

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

Then open snort.conf in an editor (gedit here) and make the changes below:
sudo gedit /etc/snort/snort.conf

Network configuration: HOME_NET is the address (or CIDR range) being protected; the rules below match traffic against it

ipvar HOME_NET 192.168.153.134

Path configuration, pointing at the directories created above

var RULE_PATH /etc/snort/rules           # around line 104
var SO_RULE_PATH /etc/snort/so_rules       # around line 105
var PREPROC_RULE_PATH /etc/snort/preproc_rules   # around line 106
var WHITE_LIST_PATH /etc/snort/rules/iplists   # around line 113
var BLACK_LIST_PATH /etc/snort/rules/iplists   # around line 114

Enable the local rule file (the file itself, /etc/snort/rules/local.rules, must exist, even if empty, or "snort -T" fails)

include $RULE_PATH/local.rules      # uncomment this line, around line 546
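local.rules is empty after the copy step, so here is a worked one for /etc/snort/rules/local.rules together with a structural check. This is an added example (not the Snort project's rules or the original post's); the three rules, their SIDs (1000001 upward, the range Snort leaves free for local rules), the classtypes and the --install flag are this example's choices. The checker looks only at rule shape; "snort -T" remains the authoritative test.

```sh
#!/bin/sh
# A starter local.rules for the layout above, plus a structural check that catches the
# two mistakes "snort -T" most often rejects: a rule missing sid/rev and a duplicated sid.
# Added example; neither the rules nor the checker come from the Snort project or the post.
# Rule text, SIDs (1000001 upward, the range Snort leaves for local rules), classtypes
# and the --install flag are this example's choices.

LOCAL_RULES='# local.rules: site-specific rules; $HOME_NET is the ipvar set in snort.conf
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request to HOME_NET"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL inbound SSH SYN"; flags:S; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL directory traversal in HTTP URI"; flow:to_server,established; content:"../"; http_uri; classtype:web-application-attack; sid:1000003; rev:1;)
'

# Returns 0 when one rule line has a well-formed header and the options every loadable
# rule needs (msg, sid, rev); returns 1 otherwise. Not a full parser: it checks shape only.
check_rule() {
  line="$1"
  printf '%s\n' "$line" | grep -Eq '^(alert|log|pass|drop|reject|sdrop) +(tcp|udp|icmp|ip) +[^ ]+ +[^ ]+ +(->|<>) +[^ ]+ +[^ ]+ +\(' || return 1
  printf '%s\n' "$line" | grep -Eq 'msg:"[^"]+";' || return 1
  printf '%s\n' "$line" | grep -Eq 'sid:[0-9]+;' || return 1
  printf '%s\n' "$line" | grep -Eq 'rev:[0-9]+;' || return 1
  printf '%s\n' "$line" | grep -Eq '\)$' || return 1
  return 0
}

# Checks every non-comment line of a rules file and reports duplicate sids.
# Returns the number of problems found (0 = nothing obviously wrong).
check_rules_file() {
  file="$1"
  problems=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    check_rule "$line" || { echo "malformed: $line"; problems=$((problems + 1)); }
  done < "$file"
  for dup in $(grep -Eo 'sid:[0-9]+;' "$file" | sort | uniq -d); do
    echo "duplicate $dup"
    problems=$((problems + 1))
  done
  return "$problems"
}

case "${1:-}" in
  --install)
    printf '%s' "$LOCAL_RULES" > /etc/snort/rules/local.rules
    check_rules_file /etc/snort/rules/local.rules &&
      echo "local.rules written; now run: sudo snort -T -c /etc/snort/snort.conf -i ens33" ;;
esac
```

Run `sudo sh local-rules.sh --install`, then the "snort -T" check from the next section. The first rule fires on any ping to HOME_NET, which makes it a convenient end-to-end test of the whole setup; the third relies on the http_inspect preprocessor that the default snort.conf enables.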

2.2 Testing Snort

The first command only parses the configuration and exits, so run it after every edit. The second one runs the IDS: -A takes an alert mode (console prints fast-format alerts to the terminal; fast writes them to /var/log/snort/alert), -u/-g drop privileges to the user created above after initialisation, and the capture interface goes after -i. Note that -t is Snort's chroot option, so "-t ens33" would not listen on the interface at all.

sudo snort -T -c /etc/snort/snort.conf -i ens33   # ens33 is the NIC; list interfaces with ifconfig or ip link
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33
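Once the second command is running, alerts arrive one per line in Snort's fast format (with -A fast the same lines go to /var/log/snort/alert). The following is an added example (not Snort's code or the post's) that summarises such output by signature and by source host, which is the first triage step on a noisy sensor. The alert lines embedded in it are constructed for the example and the --demo flag is this script's own; IPv6 sources are not handled by the port-stripping step.

```sh
#!/bin/sh
# Summarise Snort fast-format alerts (what -A console prints, or /var/log/snort/alert with -A fast).
# Added example; not part of Snort or of the original post.

# Constructed sample alerts for this example (SIDs, messages and addresses are invented;
# the line layout is Snort's fast alert format).
SAMPLE_ALERTS='03/15-10:22:31.123456  [**] [1:1000001:1] LOCAL ICMP echo request to HOME_NET [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.153.1 -> 192.168.153.134
03/15-10:22:32.223456  [**] [1:1000001:1] LOCAL ICMP echo request to HOME_NET [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.153.1 -> 192.168.153.134
03/15-10:23:05.000001  [**] [1:1000002:1] LOCAL inbound SSH SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:51514 -> 192.168.153.134:22
03/15-10:23:05.418833  [**] [1:1000003:1] LOCAL directory traversal in HTTP URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51520 -> 192.168.153.134:80
03/15-10:23:05.512004  [**] [1:1000003:1] LOCAL directory traversal in HTTP URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51522 -> 192.168.153.134:80
03/15-10:23:06.090117  [**] [1:1000003:1] LOCAL directory traversal in HTTP URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51524 -> 192.168.153.134:80
'

# Count alerts per signature: prints "<count> <gid:sid:rev> <msg>", most frequent first.
# The line is split on the two "[**]" markers; the middle piece is "[gid:sid:rev] message".
alerts_by_sig() {
  awk '
    split($0, p, /\[\*\*\]/) >= 3 {
      s = p[2]
      sub(/^ *\[/, "", s)
      i = index(s, "]")
      sig = substr(s, 1, i - 1)
      msg = substr(s, i + 1)
      gsub(/^ +| +$/, "", msg)
      n[sig " " msg]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Count alerts per source address (the field before "->", TCP/UDP port stripped), most active first.
top_sources() {
  awk '
    { for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i - 1); sub(/:[0-9]+$/, "", src); n[src]++ } }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

case "${1:-}" in
  --demo)
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_ALERTS" > "$tmp"
    echo "== alerts by signature =="; alerts_by_sig "$tmp"
    echo "== alerts by source =="; top_sources "$tmp"
    rm -f "$tmp" ;;
esac
```

`sh alert-summary.sh --demo` runs it over the embedded sample; on the sensor, call `alerts_by_sig /var/log/snort/alert` (or pipe the console output into a file first). A signature that dominates the first list with no matching activity in the second is usually a rule that needs tuning rather than an attack.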