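#!/usr/bin/env bash
# Installation notes: Snort 2.6.1.4 + SnortSnarf + Oinkmaster on a RHEL/CentOS (i386) sensor.
# This is a command log, not an unattended installer: several steps edit files
# interactively or depend on a per-account download code. Run the steps one at a
# time as root, in order.
#
# Integrity: every archive below is fetched over plain http with no signature or
# checksum check. Compare each download against the checksum/signature published by
# the vendor before unpacking (no values are recorded in these notes).

## ---- snort -------------------------------------------------------------
yum -y install libpcap-devel
wget http://www.snort.org/dl/current/snort-2.6.1.4.tar.gz
# Build a binary RPM straight from the source tarball (needs rpm-build installed).
rpmbuild -tb --clean snort-2.6.1.4.tar.gz
rpm -Uvh /usr/src/redhat/RPMS/i386/snort-2.6.1.4-1.i386.rpm

# Edit /etc/snort/snort.conf: narrow HOME_NET to the monitored subnet and define
# EXTERNAL_NET as its complement so rules only fire on traffic crossing that boundary.
#   var HOME_NET 192.168.1.0/24
#   var EXTERNAL_NET !$HOME_NET
vi /etc/snort/snort.conf

# Registered ruleset (snortrules-snapshot-CURRENT.tar.gz must already have been
# downloaded with the oinkcode, see the Oinkmaster section) plus the community rules.
tar zxvf snortrules-snapshot-CURRENT.tar.gz
/bin/cp -r rules/* /etc/snort/rules/
wget http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
tar zxvf Community-Rules-CURRENT.tar.gz
/bin/cp -r rules/* /etc/snort/rules/
/etc/rc.d/init.d/snortd start

# Smoke-test rule: alert on any ICMP inside HOME_NET, then confirm alerts get written.
# Add to /etc/snort/snort.conf:
#   alert icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP traffic";sid:777;)
# NOTE: sids below 1000000 are reserved for vendor-distributed rules; a local rule
# should use a sid >= 1000000 so a later rule update cannot collide with it. Remove
# the test rule once alerting is confirmed, it is very noisy on a real network.
vi /etc/snort/snort.conf
/etc/rc.d/init.d/snortd restart
tail /var/log/snort/alert

## ---- SnortSnarf --------------------------------------------------------
cpan2rpm --install Time-modules
# Keep yum from replacing the hand-built snort and perl-Time-modules packages.
# Add to /etc/yum.conf:
#   exclude=snort perl-Time-modules
vi /etc/yum.conf

wget http://www.snort.org/dl/contrib/data_analysis/snortsnarf/SnortSnarf-050314.1.tar.gz
tar zxvf SnortSnarf-050314.1.tar.gz
mkdir /usr/local/snortsnarf
cp SnortSnarf-050314.1/snortsnarf.pl /usr/local/snortsnarf/
cp -r SnortSnarf-050314.1/include/ /usr/local/snortsnarf/

# SnortSnarf-050314.1 slices an array with the obsolete `@arr->[...]` syntax, which
# newer perls reject. Change the line in both storage modules:
#   return @arr->[($first-1)..$end];
# to
#   return @arr[($first-1)..$end];
vi /usr/local/snortsnarf/include/SnortSnarf/HTMLMemStorage.pm
vi /usr/local/snortsnarf/include/SnortSnarf/HTMLAnomMemStorage.pm

# Publish the HTML report under /snort, readable only from localhost and 192.168.20.0/24
# (a partial address in Apache 2.2 `Allow from` matches the whole /24). Order/Deny/Allow
# are only valid inside a container, so the Alias is paired with a <Directory> block
# (the container was not present in the original notes; it was most likely lost when
# the page was flattened).
mkdir /var/www/snort
cat > /etc/httpd/conf.d/snort.conf <<'EOF'
Alias /snort /var/www/snort
<Directory /var/www/snort>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.20
</Directory>
EOF
/etc/rc.d/init.d/httpd reload

# Hourly report generator. The original did not check the cd, so a missing install
# directory would have run ./snortsnarf.pl from whatever cwd cron provides. `-dns`
# makes SnortSnarf reverse-resolve every alerting address: the sensor then emits DNS
# queries about attacker IPs and runs slowly on large logs; drop it if that matters.
cat > snortsnarf.sh <<'EOF'
#!/bin/bash
cd /usr/local/snortsnarf || exit 1
if [ -s /var/log/snort/alert ]; then
  if [ -s /var/log/snort/portscan.log ]; then
    ./snortsnarf.pl -dns -d /var/www/snort /var/log/snort/alert /var/log/snort/portscan.log
  else
    ./snortsnarf.pl -dns -d /var/www/snort /var/log/snort/alert
  fi
fi
EOF
chmod 700 snortsnarf.sh
./snortsnarf.sh
# The crontab entry assumes the script above was written in /root.
# crontab -e, then add:
#   00 * * * * /root/snortsnarf.sh
crontab -e

## ---- Oinkmaster --------------------------------------------------------
wget http://jaist.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-2.0.tar.gz
tar zxvf oinkmaster-2.0.tar.gz
cp oinkmaster-2.0/oinkmaster.pl /usr/local/bin/
cp oinkmaster-2.0/oinkmaster.conf /etc/
cp oinkmaster-2.0/oinkmaster.1 /usr/share/man/man1/

# Rule sources. ####CODE#### is the per-account oinkcode: treat it as a credential,
# keep the conf file root-only and do not paste the URL into an interactive shell.
# Set in /etc/oinkmaster.conf:
#   url = http://www.snort.org/pub-bin/oinkmaster.cgi/####CODE####/snortrules-snapshot-CURRENT.tar.gz
#   url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
vi /etc/oinkmaster.conf
chmod 600 /etc/oinkmaster.conf
# First run by hand to confirm the configuration works.
oinkmaster.pl -o /etc/snort/rules/

# Daily update. The original one-liner (a) called /usr/bin/oinkmaster.pl although the
# script was installed to /usr/local/bin/, (b) piped oinkmaster into logger so the
# pipeline status was logger's, not oinkmaster's, and (c) restarted snort
# unconditionally, so a failed or partial download still restarted the sensor.
# Here the status is captured first, the output still goes to syslog, and snort is
# only restarted after the new ruleset passes a config test (`snort -T`), so a bad
# rule cannot leave the IDS down. If snortd passes extra options (interface, user),
# mirror them in the -T invocation so the test matches the running configuration.
cat > /etc/cron.daily/snort-rule-update <<'EOF'
#!/bin/sh
out=$(/usr/local/bin/oinkmaster.pl -o /etc/snort/rules/ 2>&1)
rv=$?
printf '%s\n' "$out" | logger -t oinkmaster
if [ "$rv" -ne 0 ]; then
  logger -t oinkmaster "rule update failed (exit $rv); snort not restarted"
  exit "$rv"
fi
if snort -T -c /etc/snort/snort.conf > /dev/null 2>&1; then
  /etc/rc.d/init.d/snortd restart > /dev/null
else
  logger -t oinkmaster "updated ruleset fails snort -T; snort not restarted"
  exit 1
fi
EOF
chmod +x /etc/cron.daily/snort-rule-update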