Friday, December 14, 2012

[Research] snort-2.9.4.tar.gz (CentOS 6.3 x86) quick install script


Download URL for snort-2.9.4.tar.gz and daq-2.0.0.tar.gz
http://www.snort.org/snort-downloads?

Download URL for libdnet-1.11.tar.gz
http://libdnet.sourceforge.net/

Download URL for snortrules-snapshot-2931.tar.gz (free registration required; you must log in to download)
http://www.snort.org/snort-rules/?

Registered User Release: free registration required; you must log in to download
Subscriber Release: requires a paid subscription to download

Download the following files manually yourself and put them in the /usr/local/src directory
libdnet-1.11.tar.gz
daq-2.0.0.tar.gz
snort-2.9.4.tar.gz
snortrules-snapshot-2923.tar.gz
Quick install script contents (tested and working)

#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.4_centos6.3x86.sh "
echo -e "snort-2.9.4.tar.gz Install Shell Script (CentOS 6.3 x86) "
echo -e "by Shau-Rong Lu 2012/12/14 "
echo -e "\033[0m"

yum -y install gcc gcc-c++ flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump
yum -y install dos2unix

cd /usr/local/src

# Abort with a non-zero status unless all four tarballs are present in /usr/local/src
if [ ! -s libdnet-1.11.tar.gz ]; then
  echo "Can not find libdnet-1.11.tar.gz"
  exit 1
fi

if [ ! -s daq-2.0.0.tar.gz ]; then
  echo "Can not find daq-2.0.0.tar.gz"
  exit 1
fi

if [ ! -s snort-2.9.4.tar.gz ]; then
  echo "Can not find snort-2.9.4.tar.gz"
  exit 1
fi

if [ ! -s snortrules-snapshot-2923.tar.gz ]; then
  echo "Can not find snortrules-snapshot-2923.tar.gz"
  exit 1
fi

tar zxvf libdnet-1.11.tar.gz
tar zxvf daq-2.0.0.tar.gz
tar zxvf snort-2.9.4.tar.gz

cd /usr/local/src/libdnet-1.11
./configure --with-pic
make
make install

cd /usr/local/src/daq-2.0.0
./configure
make
make install

cd /usr/local/src/snort-2.9.4
./configure --enable-sourcefire
make
make install

# cd /usr/local/lib
# ldconfig -v /usr/local/lib

mkdir -p /etc/snort
cd /usr/local/src
tar xzvf /usr/local/src/snortrules-snapshot-2923.tar.gz -C /etc/snort
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

groupadd -g 40000 snort
useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

cp /etc/snort/etc/* /etc/snort/.

# Point each path variable at /etc/snort: comment out the stock "var X ..." line,
# then append the replacement right after it, and print the result as a check
sed -i -e "s@var RULE_PATH@#var RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var RULE_PATH/avar RULE_PATH /etc/snort/rules"   /etc/snort/snort.conf
grep "var RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var SO_RULE_PATH@#var SO_RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var SO_RULE_PATH/avar SO_RULE_PATH /etc/snort/so_rules"   /etc/snort/snort.conf
grep "var SO_RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var PREPROC_RULE_PATH@#var PREPROC_RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var PREPROC_RULE_PATH/avar PREPROC_RULE_PATH /etc/snort/preproc_rules"   /etc/snort/snort.conf
grep "var PREPROC_RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
grep "var WHITE_LIST_PATH" /etc/snort/snort.conf

sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
grep "var BLACK_LIST_PATH" /etc/snort/snort.conf

mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

# Validate the configuration before installing the service; stop with a non-zero status on failure
snort -T -c /etc/snort/snort.conf
if [ "$?" != "0" ]; then
  echo "Snort Test Failed !"
  exit 1
fi

#cp /root/snort-2.9.4/rpm/snortd  /etc/init.d/.
#chmod +x /etc/init.d/snortd
#cp /root/snort-2.9.4/rpm/snort.sysconfig /etc/sysconfig/snort
#ln -s /usr/local/bin/snort /usr/sbin/snort

# Write a minimal SysV init script. The quoted heredoc keeps $1, $INTERFACE and $0
# literal, so they are expanded when the service runs, not while this installer runs.
rm -f /etc/init.d/snortd
cat > /etc/init.d/snortd <<'EOF'
#!/bin/bash

. /etc/rc.d/init.d/functions
INTERFACE=eth0

case "$1" in
start)
  echo -n "Starting Snort: "
  daemon PCAP_FRAMES=max /usr/local/bin/snort -D -i $INTERFACE -c /etc/snort/snort.conf
  echo
  ;;

stop)
  echo -n "Stopping Snort: "
  killproc snort
  echo
  ;;

restart)
  $0 stop
  $0 start
  ;;
status)
  status snort
  ;;
*)
  echo "Usage: $0 {start|stop|restart|status}"
  exit 1
esac
exit 0
EOF

chmod +x /etc/init.d/snortd

echo "You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite "
echo ""
echo "or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite"
echo "  wget http://www.cirt.net/nikto/nikto-current.tar.gz"
echo "  tar zxvf nikto-current.tar.gz"
echo "  cd nikto-current"
echo "  nikto.pl -h xxx.xxx.xxx.xxx"
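The five sed edits in the script comment out each stock "var ..." line and append a new one after it, which works once but stacks up commented duplicates if the script is run again, and nothing checks that the new paths actually exist before snort -T runs. As an added example, not code from the original post, the POSIX shell functions below do the same rewrite idempotently, read the values back, and check that every path variable names an existing directory. The variable names are the ones the install script edits; the snort.conf excerpt and the temporary directory standing in for /etc/snort are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post): set the path variables in a
# snort.conf idempotently, read them back, and check that each one points at a
# real directory. Variable names are those the install script edits; the sample
# conf and directory layout below are constructed for the demo.

# set_snort_var CONF NAME VALUE
# Rewrite every uncommented "var NAME ..." line to "var NAME VALUE", or append
# one if none exists. A second run leaves the file unchanged.
set_snort_var() {
    conf=$1; name=$2; value=$3
    if grep -q "^var $name " "$conf"; then
        sed -e "s@^var $name .*@var $name $value@" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'var %s %s\n' "$name" "$value" >> "$conf"
    fi
}

# get_snort_var CONF NAME
# Print the value from the last uncommented "var NAME ..." line.
get_snort_var() {
    sed -n -e "s@^var $2 \(.*\)@\1@p" "$1" | tail -n 1
}

# configure_snort_paths CONF BASE
# Same layout the install script produces under /etc/snort.
configure_snort_paths() {
    conf=$1; base=$2
    set_snort_var "$conf" RULE_PATH         "$base/rules"
    set_snort_var "$conf" SO_RULE_PATH      "$base/so_rules"
    set_snort_var "$conf" PREPROC_RULE_PATH "$base/preproc_rules"
    set_snort_var "$conf" WHITE_LIST_PATH   "$base/rules"
    set_snort_var "$conf" BLACK_LIST_PATH   "$base/rules"
}

# verify_snort_paths CONF NAME...
# Return 0 only if every named variable is set and names an existing directory;
# a wrong path here is one reason "snort -T" fails or no rules ever load.
verify_snort_paths() {
    conf=$1; shift
    rc=0
    for n in "$@"; do
        d=$(get_snort_var "$conf" "$n")
        if [ -z "$d" ] || [ ! -d "$d" ]; then
            echo "$n: '$d' is not a directory" >&2
            rc=1
        fi
    done
    return $rc
}

# make_sample_conf FILE
# Constructed excerpt of the stock path section; the white/black list vars are
# deliberately absent so the append branch is exercised.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Path to your rules files (this can be a relative path)
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
EOF
}

# Demo: a throwaway base directory standing in for /etc/snort.
BASE=$(mktemp -d)
mkdir -p "$BASE/rules" "$BASE/so_rules" "$BASE/preproc_rules"
make_sample_conf "$BASE/snort.conf"
configure_snort_paths "$BASE/snort.conf" "$BASE"
configure_snort_paths "$BASE/snort.conf" "$BASE"   # second run: no duplicates
grep '^var ' "$BASE/snort.conf"
verify_snort_paths "$BASE/snort.conf" RULE_PATH SO_RULE_PATH PREPROC_RULE_PATH \
    WHITE_LIST_PATH BLACK_LIST_PATH && echo "all rule paths exist"
rm -rf "$BASE"
```

Running the file prints the five rewritten var lines once each, then "all rule paths exist". On a real host you would call configure_snort_paths /etc/snort/snort.conf /etc/snort and verify_snort_paths before snort -T; a variable that still reads ../rules or names a directory the rules snapshot did not create shows up on stderr instead of as a cryptic failure later.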

(End)

Related posts

[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64.html

[Research] snort-2.9.4.tar.gz (CentOS 6.3 x86) quick install script
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html

[Research] Installing Snort 2.9.0.5 (Fedora 15 x86)
http://shaurong.blogspot.tw/2011/07/snort-2905-fedora-15-x86.html

[Research] Using N-Stalker Web Application Security Scanner X Free Edition, a website vulnerability scanner
http://shaurong.blogspot.tw/2013/08/n-stalker-web-application-security.html

[Research] N-Stalker Free Edition 2012 website vulnerability scanner tutorial
http://shaurong.blogspot.tw/2011/07/n-stalker-free-edition-2012.html

7 comments:

  1. Hello:

    Our company is also building a Snort system, and I am the one in charge of this project. With my limited skill I have run into many bottlenecks: the system is built, but I cannot get the rules to take effect (BASE is up, but there is no detection log feedback at all), so I take the liberty of asking you.

    I wonder whether you could spare some time to reply to me.

    1. Please describe your steps in detail with screenshots, and I will find time to test it for you.

  2. Basically I followed this article: http://www.server-world.info/en/note?os=CentOS_6&p=snort

    I got as far as his step 6, [root@www ~]#/etc/rc.d/init.d/snortd start (configure startup); here my service would not start.

    But strangely, BASE can be installed.
    His step 7, installing BASE: I put it in /var/www/html/base (the original is /var/www/base).

    Finally, installing BASE: every step goes through, but in the end I get no detection response at all.

    Or I could open TeamViewer for you to diagnose it; I can't paste images in comments, so I'd be grateful for your answer.

    1. That article had problems when I actually tested it:

      [root@www SPECS]# rpmbuild -bb --with mysql snort.spec
      ...
      /usr/bin/install: cannot stat `plain/src/dynamic-preprocessors/build//usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0': No such file or directory
      error: Bad exit status from /var/tmp/rpm-tmp.9UgFeu (%install)

      RPM build errors:
      Bad exit status from /var/tmp/rpm-tmp.9UgFeu (%install)
      [root@localhost SPECS]#

      Look for a different article instead.

  3. I ran your automated script, but it gives the following error:

    Nothing to do
    Can not find libdnet-1.11.tar.gz

    I'm sure I have this file, and the filename is correct.
    It's really strange.

    1. My quick install script requires all the files to be placed in the /usr/local/src directory.

    2. [Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script
      http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64.html