Saturday, October 26, 2013

[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script

2013-10-25
2013-11-01 latest revision

********************************************************************************

These four posts are related

[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64.html

[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script (part 2)
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64_28.html

[Research] Snort 2.9.5.5 + Barnyard installation (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/snort-2955-barnyard-centos-64-x64.html

[Research] Snort 2.9.5.5 + Barnyard + BASE installation (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/snort-2955-barnyard-base-centos-64-x64.html

********************************************************************************

References
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
http://manual.snort.org/
http://www.snort.org/docs
http://s3.amazonaws.com/snort-org/www/assets/202/snort2953_centos6x.pdf

snort-2.9.5.5.tar.gz and daq-2.0.0.tar.gz download URL
http://www.snort.org/snort-downloads?

libdnet-1.11.tar.gz download URL
http://libdnet.sourceforge.net/

PS: I later found libdnet-1.12.tar.gz here; has the official site moved?
https://code.google.com/p/libdnet/downloads/list

snortrules-snapshot-2955.tar.gz download URL (free registration; you must log in to download)
http://www.snort.org/snort-rules/?

Registered User Release: free registration; you must log in to download
Subscriber Release: available only with a paid subscription

Download the following files manually and put them in the /usr/local/src directory
libdnet-1.11.tar.gz
daq-2.0.1.tar.gz
snort-2.9.5.5.tar.gz
snortrules-snapshot-2955.tar.gz

Starting with version 2.9.3, Snort no longer supports MySQL; this can apparently be handled with Barnyard2. ADOdb and BASE are not covered in this post; perhaps another time.

Barnyard 2 official site
http://www.securixlive.com/

ADOdb official site
http://adodb.sourceforge.net/
(last updated 2012-09-04)

BASE official site (Basic Analysis and Security Engine)
http://base.secureideas.net/

(last updated: v1.4.4, May 28, 2009)

Contents of the quick install script (tested and working). Switch to root with su root before running it.


#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.5.5_centos6.4x64.sh "
echo -e "snort-2.9.5.5.tar.gz Install Shell Script (CentOS 6.4 x64) "
echo -e "by Shau-Rong Lu 2013/10/26 "
echo -e "\033[0m"

yum -y install gcc gcc-c++ flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump
yum -y install dos2unix

cd  /usr/local/src

if [ ! -s libdnet-1.11.tar.gz ]; then
  echo "Can not find  /usr/local/src/libdnet-1.11.tar.gz"
  # The URL contains '&': unquoted, the shell would background wget and run the
  # rest as separate commands. -O keeps the file name the tar step expects.
  wget -O libdnet-1.11.tar.gz "http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Flibdnet.sourceforge.net%2F&ts=1382718432&use_mirror=nchc"
  # exit
fi

if [ ! -s daq-2.0.1.tar.gz ]; then
  echo "Can not find /usr/local/src/daq-2.0.1.tar.gz"
  exit
fi

if [ ! -s snort-2.9.5.5.tar.gz ]; then
  echo "Can not find /usr/local/src/snort-2.9.5.5.tar.gz"
  exit
fi

if [ ! -s snortrules-snapshot-2955.tar.gz ]; then
  echo "Can not find  /usr/local/src/snortrules-snapshot-2955.tar.gz"
  exit
fi



tar zxvf libdnet-1.11.tar.gz
tar zxvf daq-2.0.1.tar.gz
tar zxvf snort-2.9.5.5.tar.gz

cd /usr/local/src/libdnet-1.11
./configure --with-pic
make
make install

cd /usr/local/src/daq-2.0.1
./configure
make
make install

cd /usr/local/src/snort-2.9.5.5
./configure --enable-sourcefire
make
make install

# cd /usr/local/lib
# ldconfig -v /usr/local/lib

mkdir -p /etc/snort
cd /usr/local/src
tar xzvf /usr/local/src/snortrules-snapshot-2955.tar.gz -C /etc/snort
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

groupadd -g 40000 snort
useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

cp /etc/snort/etc/* /etc/snort/.

sed -i -e "s@var RULE_PATH@#var RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var RULE_PATH/avar RULE_PATH /etc/snort/rules"   /etc/snort/snort.conf
grep "var RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var SO_RULE_PATH@#var SO_RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var SO_RULE_PATH/avar SO_RULE_PATH /etc/snort/so_rules"   /etc/snort/snort.conf
grep "var SO_RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var PREPROC_RULE_PATH@#var PREPROC_RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var PREPROC_RULE_PATH/avar PREPROC_RULE_PATH /etc/snort/preproc_rules"   /etc/snort/snort.conf
grep "var PREPROC_RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
grep "var WHITE_LIST_PATH" /etc/snort/snort.conf

sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
grep "var BLACK_LIST_PATH" /etc/snort/snort.conf


mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

snort -T -c /etc/snort/snort.conf
if [ "$?" != "0" ]; then
  echo "Snort Test Failed !"
  exit
fi

#cp /root/snort-2.9.5.5/rpm/snortd  /etc/init.d/.
#chmod +x /etc/init.d/snortd
#cp /root/snort-2.9.5.5/rpm/snort.sysconfig /etc/sysconfig/snort
#ln -s /usr/local/bin/snort /usr/sbin/snort

rm -fr /etc/init.d/snortd

echo '#!/bin/sh'  > /etc/init.d/snortd

echo ""  >> /etc/init.d/snortd
echo "# chkconfig: 345 99 01"  >> /etc/init.d/snortd
echo "# description: Snort startup script"  >> /etc/init.d/snortd
echo "# 345 - levels to configure"  >> /etc/init.d/snortd
echo "# 99 - startup order"  >> /etc/init.d/snortd
echo "# 01 - stop order"  >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo ". /etc/rc.d/init.d/functions "  >> /etc/init.d/snortd
echo "INTERFACE=eth0" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "case \"\$1\" in " >> /etc/init.d/snortd
echo "start)" >> /etc/init.d/snortd
echo "  echo -n \"Starting Snort: \"" >> /etc/init.d/snortd
echo "  daemon PCAP_FRAMES=max /usr/local/bin/snort -D -i \$INTERFACE -c /etc/snort/snort.conf" >> /etc/init.d/snortd
echo "  echo" >> /etc/init.d/snortd
echo "  ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "stop)" >> /etc/init.d/snortd
echo "  echo -n \"Stopping Snort: \"" >> /etc/init.d/snortd
echo "  killproc snort" >> /etc/init.d/snortd
echo "  echo" >> /etc/init.d/snortd
echo "  ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "restart)" >> /etc/init.d/snortd
echo "  \$0 stop" >> /etc/init.d/snortd
echo "  \$0 start" >> /etc/init.d/snortd
echo "  ;;" >> /etc/init.d/snortd
echo "status)" >> /etc/init.d/snortd
echo "  status snort" >> /etc/init.d/snortd
echo "  ;;" >> /etc/init.d/snortd
echo "*)" >> /etc/init.d/snortd
# \$0 must be escaped here, otherwise it expands to this installer's name
# at generation time instead of the init script's name at run time.
echo "  echo \"Usage: \$0 {start|stop|restart|status}\"" >> /etc/init.d/snortd
echo "  exit 1" >> /etc/init.d/snortd
echo "esac" >> /etc/init.d/snortd
echo "exit 0" >> /etc/init.d/snortd

chmod +x /etc/init.d/snortd
chkconfig  --add  snortd
chkconfig  snortd on
service  snortd  start

echo "You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite "
echo ""
echo "or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite"
echo "  wget http://www.cirt.net/nikto/nikto-current.tar.gz"
echo "  tar zxvf nikto-current.tar.gz"
echo "  cd nikto-*"
echo "  chmod +x nikto.pl"
echo "  ./nikto.pl -h xxx.xxx.xxx.xxx"



Test

[root@localhost ~]# service snortd start
Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600)
Spawning daemon child...
My daemon child 17857 lives...
Daemon parent exiting (0)
                                                           [  OK  ]
[root@localhost ~]# service snortd status
snort (pid 17857) is running...

[root@localhost ~]# ps aux | grep snort
root     17857  0.5 33.1 654132 335628 ?       Ssl  10:24   0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root     17870  0.0  0.0 103236   856 pts/1    S+   10:24   0:00 grep snort

Preparing this host as the attack target

[root@localhost ~]# service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
                                                           [  OK  ]
Temporarily stop the firewall

[root@localhost ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@localhost ~]#


First look at the current snort logs; the alert file is 0 bytes

[root@localhost ~]# ls -al /var/log/snort
total 28
drwx------.  4 snort snort 4096 Oct 29 10:24 .
drwxr-xr-x. 14 root  root  4096 Oct 29 10:23 ..
-rw-r--r--.  1 root  root     0 Oct 29 10:23 alert
-rw-r--r--.  1 snort snort   18 Feb 22  2013 .bash_logout
-rw-r--r--.  1 snort snort  176 Feb 22  2013 .bash_profile
-rw-r--r--.  1 snort snort  124 Feb 22  2013 .bashrc
drwxr-xr-x.  2 snort snort 4096 Nov 12  2010 .gnome2
drwxr-xr-x.  4 snort snort 4096 Oct 18 00:00 .mozilla
-rw-------.  1 root  root     0 Oct 29 10:24 snort.log.1383013442

Use another host to run the attack (nikto apparently cannot attack its own host, so a second machine is needed)

[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.102
+ Target Hostname:    192.168.128.102
+ Target Port:        80
+ Start Time:         2013-10-29 10:32:28 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 3146031, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2013-10-29 10:32:37 (GMT8) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#


Back on the host where snort was installed, the alert file has grown from 0 bytes to 8248 bytes, showing that snort is working

[root@localhost ~]# ls -al /var/log/snort
total 48
drwx------.  4 snort snort 4096 Oct 29 10:24 .
drwxr-xr-x. 14 root  root  4096 Oct 29 10:23 ..
-rw-r--r--.  1 root  root  8248 Oct 29 10:32 alert
-rw-r--r--.  1 snort snort   18 Feb 22  2013 .bash_logout
-rw-r--r--.  1 snort snort  176 Feb 22  2013 .bash_profile
-rw-r--r--.  1 snort snort  124 Feb 22  2013 .bashrc
drwxr-xr-x.  2 snort snort 4096 Nov 12  2010 .gnome2
drwxr-xr-x.  4 snort snort 4096 Oct 18 00:00 .mozilla
-rw-------.  1 root  root  7359 Oct 29 10:32 snort.log.1383013442
[root@localhost ~]#
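As an added example, not part of the original post: a small POSIX shell script that summarizes an alert file in Snort's default full-alert format (what the daemon above writes to /var/log/snort/alert when no other output is configured) by signature and by source address, so the 8248-byte file answers "which rules fired, and from where". The sample records and their local SIDs are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarize a Snort full-format
# alert file, e.g. /var/log/snort/alert, by signature and by source address.

# Constructed sample records with hypothetical local SIDs; not real scan output.
SAMPLE_ALERT=$(mktemp)
trap 'rm -f "$SAMPLE_ALERT"' EXIT
cat > "$SAMPLE_ALERT" <<'EOF'
[**] [1:1000001:1] LOCAL web directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
10/29-10:32:29.123456 192.168.128.101:51234 -> 192.168.128.102:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:220 DF

[**] [1:1000001:1] LOCAL web directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
10/29-10:32:30.223456 192.168.128.101:51235 -> 192.168.128.102:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:220 DF

[**] [1:1000002:1] LOCAL scanner user-agent seen [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/29-10:32:31.323456 192.168.128.120:40001 -> 192.168.128.102:80
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:200 DF
EOF

# Number of alert records; each starts with "[**] [gid:sid:rev]".
alert_count() {
  awk '/^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ { n++ } END { print n + 0 }' "$1"
}

# Alerts per signature: "<count> <gid:sid:rev> <rule message>", most frequent first.
alerts_by_sig() {
  awk '/^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
         sig = $2; sub(/^\[/, "", sig); sub(/\]$/, "", sig)
         msg = $0; sub(/^\[\*\*\] \[[0-9:]+\] /, "", msg); sub(/ \[\*\*\]$/, "", msg)
         count[sig " " msg]++
       }
       END { for (k in count) printf "%d %s\n", count[k], k }' "$1" | sort -rn
}

# Alerts per source IP (port stripped from the packet header line), most frequent first.
alerts_by_src() {
  awk '/^[0-9][0-9]\/[0-9][0-9]-[0-9:.]+ [0-9.:]+ -> / {
         src = $2; sub(/:[0-9]+$/, "", src); count[src]++
       }
       END { for (k in count) printf "%d %s\n", count[k], k }' "$1" | sort -rn
}

echo "alerts: $(alert_count "$SAMPLE_ALERT")"
alerts_by_sig "$SAMPLE_ALERT"; alerts_by_src "$SAMPLE_ALERT"
```

Point the functions at /var/log/snort/alert on the sensor to get the same breakdown for a real run.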


(End)

Related posts

[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64.html

[Research] snort-2.9.4.tar.gz (CentOS 6.3 x86) quick install script
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html

[Research] Snort 2.9.0.5 installation (Fedora 15 x86)
http://shaurong.blogspot.tw/2011/07/snort-2905-fedora-15-x86.html

[Research] Using the N-Stalker Web Application Security Scanner X Free Edition website vulnerability scanner
http://shaurong.blogspot.tw/2013/08/n-stalker-web-application-security.html

[Research] N-Stalker Free Edition 2012 website vulnerability scanner tutorial
http://shaurong.blogspot.tw/2011/07/n-stalker-free-edition-2012.html

[Research] Snort 2.9.0.5 installation (Fedora 15 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=20240

[Research] Snort 2.9.0.3 (tar.gz) installation (Fedora 14 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=19216

[Research] Snort 2.8.5.2.tar.gz + MySQL + BASE quick install script (CentOS 5.4)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=17658

[Research] Snort 2.8.5.2.tar.gz + MySQL + BASE quick install script (Fedora 12 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=17672

[Tutorial] [Research] Snort 2.8.1 quick install script, minimal edition (Fedora 8)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=15042



7 comments:

  1. Really impressive. The new version definitely runs; I haven't tested the old 2.94 yet. Although I now have 2.9.5.5 installed for the moment, it will still take a while to get to grips with the rules

    Without BASE or some other graphical interface, it seems hard to clearly make out the attack reports from the text interface alone; that part is another headache (management does not want to look at a text interface, they can't understand it)

  2. Your quick install script is very useful, but after scanning with nikto, alert is still blank (packet dump mode can detect the attack, but alert is still blank)

    1. Has your target host had all security updates applied, so it no longer has any weaknesses?

    2. There is a newer one here

      [Research] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) quick install script
      http://shaurong.blogspot.tw/2014/06/snort-2961targz-centos-65-x64.html

    3. Following the new post I finally got it installed, thank you so much! I had been struggling for two months without getting it working, and now simply running your three .sh scripts installs it. You've helped me enormously!!!

      (One more question: how can snort notify the administrator by e-mail when an attack happens?)

    4. > How can snort notify the administrator by e-mail when an attack happens?
      I haven't looked into it; maybe another time.
