2013-11-01
**********************************************************************************
These posts are related:
[Research] Suricata 1.4.6 Intrusion Detection System Installation (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64.html
or
[Research] Suricata 1.4.6 Quick Install Script (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64_31.html
[Research] Barnyard2 for Suricata 1.4.6 Installation (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/barnyard2-for-suricata-146-centos-64-x64.html
or
[Research] Barnyard2 for Suricata 1.4.6 Quick Install Script (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/barnyard2-for-suricata-146-centos-64-x64.html
[Research] Suricata 1.4.6 + Barnyard + BASE Installation (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/suricata-146-barnyard-base-centos-64-x64.html
**********************************************************************************
A quick-install script is convenient but also dangerous: no line "strictly checks" whether the previous line succeeded, so an error message can scroll past before you notice it. On the other hand, it avoids typos and skipped steps that come with typing every command by hand.
For details see:
[Research] Suricata 1.4.6 Intrusion Detection System Installation (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/suricata-146-centos-64-x64.html
[Research] Suricata 1.4.6 Quick Install Script (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/suricata-146-centos-64-x64_31.html
Switch to root first, then run:
[root@localhost ~]# su root
[root@localhost ~]# vi Barnyard2_for_Suricata_Install.sh
Paste the entire contents of the box below into the file.
[root@localhost ~]# chmod +x Barnyard2_for_Suricata_Install.sh
[root@localhost ~]# ./Barnyard2_for_Suricata_Install.sh
Note: do not paste the script below directly at the command prompt (e.g. [root@localhost ~]# ) and run it there; multi-line constructs such as if ... then ... else ... fi are not single-line commands and will fail.
#!/bin/bash
echo -e "\033[31m"
echo -e "Program : Barnyard2_for_Suricata_Install.sh "
echo -e "Barnyard2 v2.1.13 (Build 327) for Suricata 1.4.6 Install Shell Script (CentOS 6.4 x86_64) "
echo -e "by Shau-Rong Lu 2013/10/31 "
echo -e "\033[0m"

yum -y install mysql mysql-devel git libtool mysql-server httpd php php-mysql php-mbstring php-mcrypt

# ****************************************
# barnyard2
# ****************************************
cd /usr/local/src
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
if [ "`uname -a | grep x86_64`" != "" ]; then
  echo "x86_64"
  ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
else
  echo "x86"
  ./configure --with-mysql
  # 32-bit build path stops after configure
  exit
fi
make && make install
cd /usr/local/src/barnyard2
# init script and sysconfig file shipped in the barnyard2 source tree
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
ln -s /usr/local/etc/barnyard2.conf /etc/suricata/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/

echo "***** Modify /etc/init.d/barnyard2 *****"
# vi /etc/init.d/barnyard2
# remark
# [ -x /usr/sbin/snort ] || exit 1
# [ -r /etc/snort/snort.conf ] || exit 1
sed -i -e "s@exit 1@# exit 1@" /etc/init.d/barnyard2
sed -i -e "s@Snort Output Processor@Suricata Output Processor@" /etc/init.d/barnyard2
# BARNYARD_OPTS="-D -c $CONF -d $suricataDIR/${INT} -w $WALDO_FILE -L $suricataDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
# become
# BARNYARD_OPTS="-D -c /etc/suricata/barnyard.conf -d /var/log/suricata -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid"
sed -i -e "s@BARNYARD_OPTS=@#BARNYARD_OPTS=@" /etc/init.d/barnyard2
#sed -i -e "/BARNYARD_OPTS=/aBARNYARD_OPTS=\"-D -c \/etc\/suricata\/barnyard.conf -d \/var\/log\/suricata -w \/var\/log\/suricata\/barnyard2.waldo -l \/var\/log\/suricata -a \/var\/log\/suricata -f unified2.alert -X \/var\/lock\/subsys\/barnyard2.pid\"" /etc/init.d/barnyard2
# insert the fixed BARNYARD_OPTS line just before the "daemon" line of the init script
sed -i -e "/daemon/iBARNYARD_OPTS=\"-D -c \/etc\/suricata\/barnyard.conf -d \/var\/log\/suricata -w \/var\/log\/suricata\/barnyard2.waldo -l \/var\/log\/suricata -a \/var\/log\/suricata -f unified2.alert -X \/var\/lock\/subsys\/barnyard2.pid\"" /etc/init.d/barnyard2
chkconfig barnyard2 reset
sed -i -e "s@LOG_FILE@#LOG_FILE@" /etc/sysconfig/barnyard2
sed -i -e "/Config file/aLOG_FILE=\"unified2.log\"" /etc/sysconfig/barnyard2
sed -i -e "s@CONF@#CONF@" /etc/sysconfig/barnyard2
sed -i -e "/Probably not this either/aCONF=\/etc\/suricata\/barnyard.conf" /etc/sysconfig/barnyard2
echo "***** Check : /etc/sysconfig/barnyard2 *****"
# show the two values just rewritten (the original grepped barnyard.conf here)
grep -E "CONF|LOG_FILE" /etc/sysconfig/barnyard2

# ****************************************
# mysql
# ****************************************
service mysqld restart
# mysqladmin -u root password NEWPASSWORD
# mysqladmin -u root -p'oldpassword' password newpass
mysql -e "create database suricatadb; "
#mysql -e "grant all on suricatadb.* to barnyard2@localhost; "
#mysql -e "set password for suricataer@localhost=password('123456'); "
mysql -e "grant all privileges on suricatadb.* to barnyard2@localhost identified by '123456'; "
mysql -e "flush privileges; "
echo "***** Check : Have database been created ? *****"
echo "show databases; " | mysql
echo "***** Check : Have tables been created ? *****"
echo "use suricatadb; show tables;" | mysql

# ****************************************
# Modify : barnyard2 + mysql
# ****************************************
sed -i -e "/database: log to a variety of databases/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=suricatadb host=localhost" /etc/suricata/barnyard.conf
# remark some configurations
sed -i -e "s@config reference_file@# config reference_file@" /etc/suricata/barnyard.conf
sed -i -e "s@config classification_file@# config classification_file@" /etc/suricata/barnyard.conf
sed -i -e "s@config gen_file@# config gen_file@" /etc/suricata/barnyard.conf
sed -i -e "s@config sid_file@# config sid_file@" /etc/suricata/barnyard.conf
# then append the Suricata paths after the remarked lines
sed -i -e "/config reference_file/aconfig reference_file: \/etc\/suricata\/reference.config" /etc/suricata/barnyard.conf
sed -i -e "/config classification_file/aconfig classification_file: \/etc\/suricata\/classification.config" /etc/suricata/barnyard.conf
sed -i -e "/config gen_file/aconfig gen_file: \/etc\/suricata\/rules\/gen-msg.map" /etc/suricata/barnyard.conf
sed -i -e "/config sid_file/aconfig sid_file: \/etc\/suricata\/rules\/sid-msg.map" /etc/suricata/barnyard.conf
# create the barnyard2 tables (event, signature, ...) in suricatadb
mysql suricatadb -ubarnyard2 -p123456 < /usr/local/src/barnyard2/schemas/create_mysql
# enable unified2 output in suricata.yaml (line 645 is specific to the 1.4.6 default file)
sed -i '645d' /etc/suricata/suricata.yaml
sed -i -e "/suricata.log/i\ \ \ \ \ \ enabled: yes" /etc/suricata/suricata.yaml
echo "***** Check : Database:suricatadb, Table:event *****"
echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
echo "****************************************************"
echo
echo "***** Check : /etc/suricata/barnyard.conf *****"
grep suricata /etc/suricata/barnyard.conf
echo "***********************************************"
echo

# ****************************************
# Start
# ****************************************
/usr/bin/suricata -T -c /etc/suricata/suricata.yaml
#1/11/2013 -- 10:57:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
#Don't check Return Code, because <Warning> let Return Code Value 1 (Failed)
#if [ "$?" != "0" ]; then
#  echo "/etc/suricata/suricata.yaml Test Failed !"
#  exit 1
#fi
barnyard2 -T -c /etc/suricata/barnyard.conf
if [ "$?" != "0" ]; then
  echo "/etc/suricata/barnyard.conf Test Failed !"
  exit 1
fi
service suricatad restart
service suricatad status
ps axu| grep suricata
service barnyard2 restart
service barnyard2 status
echo "********** Check : ps axu| grep suricata **********"
ps axu| grep suricata
echo
echo "********** Check : ls -al /var/log/suricata **********"
ls -al /var/log/suricata
echo
echo "********** Check : event count **********"
echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
echo
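The script above runs every line regardless of whether the previous one failed, and it cannot test the exit status of `suricata -T` because a mere `<Warning>` already makes that status 1. The following helpers are an added example (not from the original post or the Barnyard2 project): a step runner that reports and propagates failures, a check that reads the `suricata -T` output and fails only on `<Error>` lines, and a check that compares two event counts read from MySQL the same way the post does. The `<Error>` sample line and the `SC_ERR_EXAMPLE` code in the demo are constructed for the example; the `<Warning>` line and the counts 271 and 277 are the ones shown in this post.

```shell
#!/bin/sh
# Added example (not from the original post or the Barnyard2 project):
# helpers that make an install script like Barnyard2_for_Suricata_Install.sh
# stop at the first failed step, and that check the two results the post
# reads by eye: the output of "suricata -T" and the event count in MySQL.

# run_step LABEL CMD [ARGS...]
# Runs CMD, prints a clear marker, and returns CMD's exit status so the
# caller can abort with "|| exit 1". The quick-install script simply runs
# the next line after a failure, so an error can scroll past unnoticed.
run_step() {
    label=$1
    shift
    printf '==> %s\n' "$label"
    "$@" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        printf '    ok\n'
    else
        printf '    FAILED (exit status %s): %s\n' "$rc" "$label" >&2
    fi
    return "$rc"
}

# config_test_ok FILE
# FILE holds the output of "suricata -T -c /etc/suricata/suricata.yaml".
# suricata -T exits with status 1 on a <Warning> such as an empty rules
# file, which is why the post's script cannot test "$?" there. Counting
# <Error> lines instead separates a broken configuration from a warning.
config_test_ok() {
    if [ ! -r "$1" ]; then
        printf 'cannot read %s\n' "$1" >&2
        return 2
    fi
    errors=$(grep -c '<Error>' "$1" || :)
    warnings=$(grep -c '<Warning>' "$1" || :)
    printf 'suricata -T: %s error(s), %s warning(s)\n' "$errors" "$warnings"
    [ "$errors" -eq 0 ]
}

# events_increased BEFORE AFTER
# BEFORE and AFTER are two captures of
#   echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
# i.e. a "count(*)" header line followed by the number. Returns 0 only when
# the count grew, which is the evidence the post uses that Barnyard2 is
# really moving unified2 records into the database.
events_increased() {
    before=$(printf '%s\n' "$1" | sed -n '2p')
    after=$(printf '%s\n' "$2" | sed -n '2p')
    for n in "$before" "$after"; do
        case $n in
            ''|*[!0-9]*)
                printf 'unexpected mysql output: "%s"\n' "$n" >&2
                return 2 ;;
        esac
    done
    printf 'event rows: %s -> %s (delta %s)\n' "$before" "$after" "$((after - before))"
    [ "$after" -gt "$before" ]
}

# Demo; set RUN_DEMO=1 to execute it. The <Warning> line is the one quoted
# in the post's script; the <Error> line is constructed for this example
# (SC_ERR_EXAMPLE is not a real Suricata error code).
if [ "${RUN_DEMO:-0}" = "1" ]; then
    tmp=$(mktemp)
    printf '%s\n' \
        '1/11/2013 -- 10:57:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules' \
        '1/11/2013 -- 10:57:19 - <Error> - [ERRCODE: SC_ERR_EXAMPLE(0)] - constructed error line' > "$tmp"
    config_test_ok "$tmp" || echo "configuration test failed: fix suricata.yaml before starting"
    rm -f "$tmp"

    # Counts taken from the post: 271 before the scan, 277 after it.
    events_increased "$(printf 'count(*)\n271')" "$(printf 'count(*)\n277')" \
        && echo "Barnyard2 -> MySQL pipeline is working"

    # Real steps from the post, now aborting on failure instead of continuing.
    run_step "git is available" command -v git || exit 1
    run_step "barnyard2 config test" barnyard2 -T -c /etc/suricata/barnyard.conf || exit 1
fi
```

In an actual install script, each `yum`, `git clone`, `make` and `sed` line would be wrapped in `run_step ... || exit 1`, and the `suricata -T` output would be captured to a file (`suricata -T -c ... > /tmp/suricata-T.log 2>&1`) and passed to `config_test_ok`, so that a warning about an empty rules file does not abort the install while a real configuration error does.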
Testing
First check the state of this machine (log files and event count):
[root@localhost ~]# ls -al /var/log/suricata
total 6720
drwxr-xr-x. 3 root root 4096 Nov 1 11:12 .
drwxr-xr-x. 14 root root 4096 Nov 1 11:09 ..
-rw-------. 1 root root 2056 Nov 1 11:17 barnyard2.waldo
-rw-r-----. 1 root root 4842544 Nov 1 11:18 fast.log
drwxr-xr-x. 2 root root 4096 Oct 17 16:38 files
-rw-r-----. 1 root root 1451995 Nov 1 11:17 http.log
-rw-r--r--. 1 root root 469341 Nov 1 11:20 stats.log
-rw-r-----. 1 root root 31544 Oct 17 16:43 unified2.alert.1381999172
-rw-r-----. 1 root root 61363 Nov 1 11:17 unified2.alert.1383275558
[root@localhost ~]# echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
count(*)
271
[root@localhost ~]#
Stop the firewall, then install and start httpd so there is something for the attack test to hit:
service iptables stop
service httpd restart
********************************************************************
Install nikto on another machine (it must be a different machine):
wget http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl
Run the attack:
./nikto.pl -h 192.168.128.102
If you see 0 host(s) tested, the attack target could not be found:
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on 192.168.128.102:80
---------------------------------------------------------------------------
+ 0 host(s) tested
[root@localhost nikto-2.1.5]#
[root@localhost ~]# ./nikto.pl -h 192.168.128.102
-bash: ./nikto.pl: No such file or directory
[root@localhost ~]# cd nikto-2.1.5/
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.128.102
+ Target Hostname: 192.168.128.102
+ Target Port: 80
+ Start Time: 2013-10-30 00:22:29 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 3146028, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6545 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2013-10-30 00:22:46 (GMT8) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#
********************************************************************
Back on the Suricata host, check again:
[root@localhost ~]# echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
count(*)
277
[root@localhost ~]# ls -al /var/log/suricata
total 8376
drwxr-xr-x. 3 root root 4096 Nov 1 11:12 .
drwxr-xr-x. 14 root root 4096 Nov 1 11:09 ..
-rw-------. 1 root root 2056 Nov 1 11:27 barnyard2.waldo
-rw-r-----. 1 root root 4863033 Nov 1 11:27 fast.log
drwxr-xr-x. 2 root root 4096 Oct 17 16:38 files
-rw-r-----. 1 root root 2901133 Nov 1 11:27 http.log
-rw-r--r--. 1 root root 688202 Nov 1 11:28 stats.log
-rw-r-----. 1 root root 31544 Oct 17 16:43 unified2.alert.1381999172
-rw-r-----. 1 root root 63259 Nov 1 11:27 unified2.alert.1383275558
[root@localhost ~]#
The event count went from 271 to 277, so the attack events were captured; the Suricata + Barnyard2 + MySQL installation is working.
When I followed this post, the following error message appeared:
database: Closing connection to database "suricatadb"
/etc/suricata/barnyard.conf Test Failed !
I tried creating the suricatadb database, the barnyard2 user and its password beforehand,
but it still reports the error.
Everything was done as root.