Friday, November 1, 2013

[Research] Barnyard2 for Suricata 1.4.6 Quick Install Script (CentOS 6.4 x64)


2013-11-01

**********************************************************************************

These posts are related:

[Research] Suricata 1.4.6 Intrusion Detection System Installation (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64.html

[Research] Suricata 1.4.6 Quick Install Script (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64_31.html

[Research] Barnyard2 for Suricata 1.4.6 Installation (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/barnyard2-for-suricata-146-centos-64-x64.html

[Research] Barnyard2 for Suricata 1.4.6 Quick Install Script (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/barnyard2-for-suricata-146-centos-64-x64.html

[Research] Suricata 1.4.6 + Barnyard + BASE Installation (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/suricata-146-barnyard-base-centos-64-x64.html

**********************************************************************************


A quick install script is convenient but also dangerous: no line strictly checks whether the previous line succeeded, so an error message can scroll past before you notice it. On the other hand, it avoids the typos and skipped steps that come with typing every command by hand.

For details, see

[Research] Suricata 1.4.6 Intrusion Detection System Installation (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/suricata-146-centos-64-x64.html

[Research] Suricata 1.4.6 Quick Install Script (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/suricata-146-centos-64-x64_31.html

Switch to root first, then run:

[root@localhost ~]# su  root
[root@localhost ~]# vi   Barnyard2_for_Suricata_Install.sh
(paste the entire contents of the box below into the file)
[root@localhost ~]# chmod +x  Barnyard2_for_Suricata_Install.sh
[root@localhost ~]# ./Barnyard2_for_Suricata_Install.sh

Note: do not paste the script below directly at a command prompt (for example `[root@localhost ~]# `) and run it line by line; multi-line constructs such as if ... then ... else ... fi will fail when executed that way.



#!/bin/bash

echo -e "\033[31m"
echo -e "Program : Barnyard2_for_Suricata_Install.sh "
echo -e "Barnyard2 v2.1.13 (Build 327) for Suricata 1.4.6 Install Shell Script (CentOS 6.4 x86_64) "
echo -e "by Shau-Rong Lu 2013/10/31 "
echo -e "\033[0m"

yum  -y  install  mysql mysql-devel git libtool mysql-server  httpd  php  php-mysql php-mbstring php-mcrypt

# ****************************************
# barnyard2
# ****************************************

cd /usr/local/src
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
# Build against the 64-bit MySQL client libraries on x86_64. 32-bit is outside the scope
# of this post, so on x86 the script stops after configure without building.
if [ "`uname -m`" = "x86_64" ]; then
  echo "x86_64"
  ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
else
  echo "x86"
  ./configure --with-mysql
  exit
fi
make && make install

cd /usr/local/src/barnyard2
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2

ln -s /usr/local/etc/barnyard2.conf /etc/suricata/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/

echo "***** Modify /etc/init.d/barnyard2 *****"

# vi /etc/init.d/barnyard2
# The rpm init script refuses to start unless Snort is installed; comment out these two checks:
# [ -x /usr/sbin/snort ] || exit 1
# [ -r /etc/snort/snort.conf ] || exit 1
# (note: the substitution below comments out every "exit 1" in the file, not only these two lines)

sed -i -e "s@exit 1@# exit 1@"   /etc/init.d/barnyard2
sed -i -e "s@Snort Output Processor@Suricata Output Processor@"   /etc/init.d/barnyard2

# BARNYARD_OPTS="-D -c $CONF -d $suricataDIR/${INT} -w $WALDO_FILE -L $suricataDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
# becomes
# BARNYARD_OPTS="-D -c /etc/suricata/barnyard.conf -d /var/log/suricata -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid"

sed -i -e "s@BARNYARD_OPTS=@#BARNYARD_OPTS=@"   /etc/init.d/barnyard2
#sed -i -e "/BARNYARD_OPTS=/aBARNYARD_OPTS=\"-D -c \/etc\/suricata\/barnyard.conf -d \/var\/log\/suricata -w \/var\/log\/suricata\/barnyard2.waldo -l \/var\/log\/suricata -a \/var\/log\/suricata -f unified2.alert -X \/var\/lock\/subsys\/barnyard2.pid\""   /etc/init.d/barnyard2
sed -i -e "/daemon/iBARNYARD_OPTS=\"-D -c \/etc\/suricata\/barnyard.conf -d \/var\/log\/suricata -w \/var\/log\/suricata\/barnyard2.waldo -l \/var\/log\/suricata -a \/var\/log\/suricata -f unified2.alert -X \/var\/lock\/subsys\/barnyard2.pid\""   /etc/init.d/barnyard2


chkconfig barnyard2 reset

sed -i -e "s@LOG_FILE@#LOG_FILE@"   /etc/sysconfig/barnyard2
sed -i -e "/Config file/aLOG_FILE=\"unified2.log\""   /etc/sysconfig/barnyard2

sed -i -e "s@CONF@#CONF@"  /etc/sysconfig/barnyard2
sed -i -e "/Probably not this either/aCONF=\/etc\/suricata\/barnyard.conf"   /etc/sysconfig/barnyard2

echo "***** Check : /etc/sysconfig/barnyard2 *****"
# Show the active assignments; CONF and LOG_FILE should now point at the Suricata paths
grep -E "^(CONF|LOG_FILE)=" /etc/sysconfig/barnyard2

# ****************************************
# mysql
# ****************************************

service mysqld restart

# mysqladmin -u root password NEWPASSWORD
# mysqladmin -u root -p'oldpassword' password newpass

mysql -e "create database suricatadb; "
#mysql -e "grant all on suricatadb.* to barnyard2@localhost; "
#mysql -e "set password for suricataer@localhost=password('123456'); "
# Demo credentials used throughout this post (user barnyard2, password 123456); pick a different password for a real deployment
mysql -e "grant all privileges on suricatadb.* to barnyard2@localhost identified by '123456'; "
mysql -e "flush privileges; "

echo "***** Check : Has the database been created ? *****"
echo "show databases; " | mysql

echo "***** Check : Have the tables been created ? *****"
# Still empty at this point: the schema is loaded further below
echo "use suricatadb; show tables;" | mysql

# ****************************************
# Modify : barnyard2 + mysql
# ****************************************

sed -i -e "/database: log to a variety of databases/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=suricatadb host=localhost"   /etc/suricata/barnyard.conf

# remark some configurations
sed -i -e "s@config reference_file@# config reference_file@"   /etc/suricata/barnyard.conf
sed -i -e "s@config classification_file@# config classification_file@"   /etc/suricata/barnyard.conf
sed -i -e "s@config gen_file@# config gen_file@"   /etc/suricata/barnyard.conf
sed -i -e "s@config sid_file@# config sid_file@"   /etc/suricata/barnyard.conf

sed -i -e "/config reference_file/aconfig reference_file:      \/etc\/suricata\/reference.config"   /etc/suricata/barnyard.conf
sed -i -e "/config classification_file/aconfig classification_file:      \/etc\/suricata\/classification.config"   /etc/suricata/barnyard.conf
sed -i -e "/config gen_file/aconfig gen_file:      \/etc\/suricata\/rules\/gen-msg.map"   /etc/suricata/barnyard.conf
sed -i -e "/config sid_file/aconfig sid_file:      \/etc\/suricata\/rules\/sid-msg.map"   /etc/suricata/barnyard.conf

mysql suricatadb -ubarnyard2 -p123456   <  /usr/local/src/barnyard2/schemas/create_mysql

# Enable the output block that precedes the suricata.log entry in the stock 1.4.6 suricata.yaml:
# line 645 is its "enabled:" line. The line number only holds for that file version, so check
# with "sed -n '640,650p' /etc/suricata/suricata.yaml" before running this against a modified file.
sed -i '645d'     /etc/suricata/suricata.yaml
sed -i -e "/suricata.log/i\ \ \ \ \ \ enabled: yes"   /etc/suricata/suricata.yaml

echo "***** Check : Database:suricatadb, Table:event *****"
echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
echo "****************************************************"
echo

echo "***** Check : /etc/suricata/barnyard.conf *****"
grep  suricata /etc/suricata/barnyard.conf
echo "***********************************************"
echo

# ****************************************
# Start
# ****************************************

/usr/bin/suricata -T -c /etc/suricata/suricata.yaml
# Output seen on 1/11/2013:
# 1/11/2013 -- 10:57:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
# The return code is not checked here, because a <Warning> alone makes "suricata -T" return 1 (Failed)
#if [ "$?" != "0" ]; then
#  echo "/etc/suricata/suricata.yaml Test Failed !"
#  exit 1
#fi

barnyard2 -T  -c /etc/suricata/barnyard.conf
if [ "$?" != "0" ]; then
  echo "/etc/suricata/barnyard.conf Test Failed !"
  exit 1
fi

service suricatad restart
service suricatad status
ps axu| grep suricata

service barnyard2 restart
service barnyard2 status

echo "********** Check : ps axu| grep suricata **********"
ps axu| grep suricata
echo

echo "********** Check : ls -al /var/log/suricata **********"
ls -al /var/log/suricata
echo

echo "********** Check : event count **********"
echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
echo
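The post notes above that a quick-install script does not strictly check each step. As an added example (not code from the post or the barnyard2 project), here is a strict variant of the script's two /etc/sysconfig/barnyard2 edits, rehearsed on a constructed copy of the file; the `step`, `patch_sysconfig`, `check_sysconfig`, `make_sample` and `demo` names and the sample file contents are assumptions.

```shell
# Added example, not from the original post: a strict-mode variant of the
# /etc/sysconfig/barnyard2 edits above. The target file is a parameter, so
# the edits can be rehearsed on a constructed copy before touching the real one.
set -u

# Run a command; on failure, name it on stderr and return its exit status
# (the "strict check" the post says its quick-install script lacks).
step() {
  local rc=0
  "$@" || rc=$?
  [ "$rc" -eq 0 ] || echo "STEP FAILED (rc=$rc): $*" >&2
  return "$rc"
}

# The post's two sysconfig edits (LOG_FILE and CONF), anchored to line start
# so only the real assignments are commented out. Stops at the first failure.
patch_sysconfig() {
  local f=$1
  step sed -i -e 's@^LOG_FILE=@#LOG_FILE=@' "$f" || return 1
  step sed -i -e '/Config file/aLOG_FILE="unified2.log"' "$f" || return 1
  step sed -i -e 's@^CONF=@#CONF=@' "$f" || return 1
  step sed -i -e '/Probably not this either/aCONF=/etc/suricata/barnyard.conf' "$f" || return 1
}

# Post-edit check: exactly one active CONF and one active LOG_FILE line,
# both pointing at the Suricata paths, and no Snort path left active.
check_sysconfig() {
  local f=$1
  [ "$(grep -c '^CONF=/etc/suricata/barnyard.conf$' "$f")" -eq 1 ] || return 1
  [ "$(grep -c '^LOG_FILE="unified2.log"$' "$f")" -eq 1 ] || return 1
  ! grep -q '^CONF=/etc/snort' "$f"
}

# Constructed stand-in for the rpm's barnyard2.config: it keeps the two
# comment lines the sed anchors rely on; the values are assumed.
make_sample() {
  cat > "$1" <<'EOF'
# Config file
LOG_FILE="snort.u2"
# Probably not this either
CONF=/etc/snort/barnyard2.conf
EOF
}

# Rehearse on a temp copy; returns 0 only when the edited file passes the check.
demo() {
  local f rc
  f=$(mktemp) || return 1
  make_sample "$f" && patch_sysconfig "$f" && check_sysconfig "$f"; rc=$?
  rm -f "$f"; return "$rc"
}
```

Run `demo` first; only if it returns 0 is it worth calling `patch_sysconfig /etc/sysconfig/barnyard2` followed by `check_sysconfig` on the real file.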


Testing

First check the current state of this machine (log files and event count):

[root@localhost ~]# ls -al /var/log/suricata
total 6720
drwxr-xr-x.  3 root root    4096 Nov  1 11:12 .
drwxr-xr-x. 14 root root    4096 Nov  1 11:09 ..
-rw-------.  1 root root    2056 Nov  1 11:17 barnyard2.waldo
-rw-r-----.  1 root root 4842544 Nov  1 11:18 fast.log
drwxr-xr-x.  2 root root    4096 Oct 17 16:38 files
-rw-r-----.  1 root root 1451995 Nov  1 11:17 http.log
-rw-r--r--.  1 root root  469341 Nov  1 11:20 stats.log
-rw-r-----.  1 root root   31544 Oct 17 16:43 unified2.alert.1381999172
-rw-r-----.  1 root root   61363 Nov  1 11:17 unified2.alert.1383275558

[root@localhost ~]# echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
count(*)
271
[root@localhost ~]#

Stop the firewall and start httpd so the attack test has a target:
service  iptables  stop
service  httpd  restart

********************************************************************

On another machine (it must be a different machine), install nikto:

wget http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl

Run the attack:
./nikto.pl -h  192.168.128.102

If you see `0 host(s) tested`, the attack target could not be reached:

[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on 192.168.128.102:80
---------------------------------------------------------------------------
+ 0 host(s) tested
[root@localhost nikto-2.1.5]#


[root@localhost ~]# ./nikto.pl -h 192.168.128.102
-bash: ./nikto.pl: No such file or directory
[root@localhost ~]# cd nikto-2.1.5/
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.102
+ Target Hostname:    192.168.128.102
+ Target Port:        80
+ Start Time:         2013-10-30 00:22:29 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 3146028, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6545 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2013-10-30 00:22:46 (GMT8) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#

********************************************************************
Back on the Suricata host, check:

[root@localhost ~]# echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
count(*)
277

[root@localhost ~]# ls -al /var/log/suricata
total 8376
drwxr-xr-x.  3 root root    4096 Nov  1 11:12 .
drwxr-xr-x. 14 root root    4096 Nov  1 11:09 ..
-rw-------.  1 root root    2056 Nov  1 11:27 barnyard2.waldo
-rw-r-----.  1 root root 4863033 Nov  1 11:27 fast.log
drwxr-xr-x.  2 root root    4096 Oct 17 16:38 files
-rw-r-----.  1 root root 2901133 Nov  1 11:27 http.log
-rw-r--r--.  1 root root  688202 Nov  1 11:28 stats.log
-rw-r-----.  1 root root   31544 Oct 17 16:43 unified2.alert.1381999172
-rw-r-----.  1 root root   63259 Nov  1 11:27 unified2.alert.1383275558
[root@localhost ~]#

The event count went from 271 to 277, so the attack events were captured; the Suricata + Barnyard2 + MySQL installation is working.

(End)

1 comment:

  1. When I follow this post I get the following error messages:
    database: Closing connection to database "suricatadb"
    /etc/suricata/barnyard.conf Test Failed !

    I tried creating the suricatadb database, the barnyard2 user and the password beforehand,
    but it still fails.
    Everything was done as root.
