[研究] Barnyard2 for Suricata 1.4.6 安裝 (CentOS 6.4 x64)

[研究] Barnyard2 for Suricata 1.4.6 安裝 (CentOS 6.4 x64)

2013-11-02

**********************************************************************************

這幾篇是相關的

[研究] Suricata 1.4.6 入侵偵測系統安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64.html
或
[研究] Suricata 1.4.6 快速安裝程式 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64_31.html

[研究] Barnyard2 for Suricata 1.4.6 安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/barnyard2-for-suricata-146-centos-64-x64.html
或
[研究] Barnyard2 for Suricata 1.4.6 快速安裝程式 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/barnyard2-for-suricata-146-centos-64-x64.html

[研究] Suricata 1.4.6 + Barnyard + BASE 安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/suricata-146-barnyard-base-centos-64-x64.html

**********************************************************************************

請先完成 Suricata 1.4.6 安裝

[研究] Suricata 1.4.6 入侵偵測系統安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/suricata-146-centos-64-x64.html

[研究] Suricata 1.4.6 快速安裝程式 (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/suricata-146-centos-64-x64_31.html



# 安裝 Barnyard2 *******************************

請先切換成 root 後執行

su  root

cd /usr/local/src
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql

# 如果是 x86
#  ./configure --with-mysql

make && make install

cd /usr/local/src/barnyard2
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2

ln -s /usr/local/etc/barnyard2.conf /etc/suricata/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/


# 修改 /etc/init.d/barnyard2 *******************************

vi /etc/init.d/barnyard2
把這兩行註解
[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1
# 改為
# [ -x /usr/sbin/snort ] || exit 1
# [ -r /etc/snort/snort.conf ] || exit 1

# 找到
BARNYARD_OPTS="-D -c $CONF -d $suricataDIR/${INT} -w $WALDO_FILE -L $suricataDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
# 改為
BARNYARD_OPTS="-D -c /etc/suricata/barnyard.conf -d /var/log/suricata -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid"

# 找到
Snort Output Processor
# 改為
Suricata Output Processor

chkconfig barnyard2 reset

# 或直接用下面命令完成

sed -i -e "s@exit 1@# exit 1@"   /etc/init.d/barnyard2
sed -i -e "s@Snort Output Processor@Suricata Output Processor@"   /etc/init.d/barnyard2
sed -i -e "s@BARNYARD_OPTS=@#BARNYARD_OPTS=@"   /etc/init.d/barnyard2
sed -i -e "/daemon/iBARNYARD_OPTS=\"-D -c \/etc\/suricata\/barnyard.conf -d \/var\/log\/suricata -w \/var\/log\/suricata\/barnyard2.waldo -l \/var\/log\/suricata -a \/var\/log\/suricata -f unified2.alert -X \/var\/lock\/subsys\/barnyard2.pid\""   /etc/init.d/barnyard2
chkconfig barnyard2 reset

#相關參數說明

[root@localhost ~]# barnyard2

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

USAGE: barnyard2 [-options] <filter options>
Gernal Options:
        -c <file>  Use configuration file <file>
        -C <file>  Read the classification map from <file>
        -D         Run barnyard2 in background (daemon) mode
        -e         Display the second layer header info
        -F         Turn off fflush() calls after binary log writes
        -g <gname> Run barnyard2 gid as <gname> group (or gid) after initialization
        -G <file>  Read the gen-msg map from <file>
        -h <name>  Define the hostname <name>. For logging purposes only
        -i <if>    Define the interface <if>. For logging purposes only
        -I         Add Interface name to alert output
        -l <ld>    Log to directory <ld>
        -m <umask> Set umask = <umask>
        -O         Obfuscate the logged IP addresses
        -q         Quiet. Don't show banner and status report
        -r <id>    Include 'id' in barnyard2_intf<id>.pid file name
        -R <file>  Read the reference map from <file>
        -S <file>  Read the sid-msg map from <file>
        -t <dir>   Chroots process to <dir> after initialization
        -T         Test and report on the current barnyard2 configuration
        -u <uname> Run barnyard2 uid as <uname> user (or uid) after initialization
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -y         Include year in timestamp in the alert and log files
        -?         Show this information

Continual Processing Options:
        -a <dir>   Archive processed files to <dir>
        -f <base>  Use <base> as the base filename pattern
        -d <dir>   Spool files from <dir>
        -n         Only process new events
        -w <file>  Enable bookmarking using <file>

Batch Processing Mode Options:
        -o         Enable batch processing mode


# 修改 /etc/init.d/barnyard2 *******************************

[root@localhost ~]#  vi /etc/sysconfig/barnyard2

將下面

# Config file for /etc/init.d/barnyard2
LOG_FILE="snort_unified.log"

# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth0"

# Probably not this either
CONF=/etc/snort/barnyard.conf

EXTRA_ARGS=""

改為

# Config file for /etc/init.d/barnyard2
#LOG_FILE="snort_unified.log"
LOG_FILE="unified2.log"

# You probably don't want to change this, but in case you do
# SNORTDIR="/var/log/snort"
SURICATADIR="/var/log/suricata"
INTERFACES="eth0"

# Probably not this either
#CONF=/etc/snort/barnyard.conf
CONF=/etc/suricata/barnyard.conf

EXTRA_ARGS=""

或直接用下面命令修改

sed -i -e "s@LOG_FILE@#LOG_FILE@"   /etc/sysconfig/barnyard2
sed -i -e "/Config file/aLOG_FILE=\"unified2.log\""   /etc/sysconfig/barnyard2

sed -i -e "s@CONF@#CONF@"  /etc/sysconfig/barnyard2
sed -i -e "/Probably not this either/aCONF=\/etc\/suricata\/barnyard.conf"   /etc/sysconfig/barnyard2

echo "***** Check : /etc/sysconfig/barnyard2 *****"
grep  suricata /etc/suricata/barnyard.conf


# 處理 mysql *******************************

[root@localhost ~]#  service mysqld restart

# 替 MySQL 的 root 帳號設定密碼 (除了輸入密碼，其他全部按下 Enter 回答)(非必須，但建議)
[root@localhost ~]# /usr/bin/mysql_secure_installation
...
Set root password? [Y/n]
New password:  輸入密碼
Re-enter new password:  再輸入一次密碼
Password updated successfully!
Reloading privilege tables..
 ... Success!

或用下面命令修改

[root@localhost ~]#  mysqladmin -u root password 新密碼
[root@localhost ~]#  mysqladmin -u root -p'舊密碼' password 新密碼

# 建立 suricatadb 資料庫，存取帳號 barnyard2，密碼 123456，執行 flush privileges; 立刻生效

[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.1.69 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database suricatadb;
Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on suricatadb.* to barnyard2@localhost identified by '123456';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
[root@localhost ~]#

# 或用下面命令修改

mysql -e "create database suricatadb; "
#mysql -e "grant all on suricatadb.* to barnyard2@localhost; "
#mysql -e "set password for barnyard2@localhost=password('123456'); "
mysql -e "grant all privileges on suricatadb.* to barnyard2@localhost identified by '123456'; "
mysql -e "flush privileges; "

# 顯示目前 mysql 有哪些資料庫 (重點是看是否有 suricatadb 資料庫)
echo "show databases; " | mysql -p密碼

# 顯示所有資料表
echo "use suricatadb; show tables;" | mysql  -ubarnyard2   -p123456



# 修改 /etc/suricata/barnyard.conf *******************************

#設定 barnyard2 輸出到 mysql

[root@localhost ~]# vi /etc/suricata/barnyard.conf
尋找 output database
新建立一行
  output database: log, mysql, user=barnyard2 password=123456 dbname=suricatadb host=localhost

尋找
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:                /etc/snort/sid-msg.map
改為
config reference_file:      /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file:            /etc/suricata/rules/gen-msg.map
config sid_file:            /etc/suricata/rules/sid-msg.map


在 suricatadb 資料庫中建立 barnyard 放 suricata 結果資料的 table (密碼 123456)

[root@localhost ~]# mysql  suricatadb  -ubarnyard2 -p   <  /usr/local/src/barnyard2/schemas/create_mysql

[root@localhost ~]# vi /etc/suricata//suricata.yaml

  outputs:
  - console:
      enabled: yes
  - file:
      enabled: no
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

把 filename: /var/log/suricata.log 上一行 enabled: no 改為 enabled: yes

  - file:
      enabled: yes
      filename: /var/log/suricata.log

注意，enabled 和下一行 filename 排縮必須對齊，否則 suricata 程式會執行失敗

# 或用下面命令修改

sed -i -e "/database: log to a variety of databases/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=suricatadb host=localhost"   /etc/suricata/barnyard.conf

# remark some configurations
sed -i -e "s@config reference_file@# config reference_file@"   /etc/suricata/barnyard.conf
sed -i -e "s@config classification_file@# config classification_file@"   /etc/suricata/barnyard.conf
sed -i -e "s@config gen_file@# config gen_file@"   /etc/suricata/barnyard.conf
sed -i -e "s@config sid_file@# config sid_file@"   /etc/suricata/barnyard.conf

sed -i -e "/config reference_file/aconfig reference_file:      \/etc\/suricata\/reference.config"   /etc/suricata/barnyard.conf
sed -i -e "/config classification_file/aconfig classification_file:      \/etc\/suricata\/classification.config"   /etc/suricata/barnyard.conf
sed -i -e "/config gen_file/aconfig gen_file:      \/etc\/suricata\/rules\/gen-msg.map"   /etc/suricata/barnyard.conf
sed -i -e "/config sid_file/aconfig sid_file:      \/etc\/suricata\/rules\/sid-msg.map"   /etc/suricata/barnyard.conf

mysql suricatadb -ubarnyard2 -p123456   <  /usr/local/src/barnyard2/schemas/create_mysql

sed -i '645d'     /etc/suricata//suricata.yaml
sed -i -e "/suricata.log/i\ \ \ \ \ \ enabled: yes"   /etc/suricata//suricata.yaml


# 驗證 suricatadb 資料庫中 event 資料筆數
echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456

# 顯示 /etc/suricata/barnyard.conf 與 suricata 相關目前設定
grep  suricata /etc/suricata/barnyard.conf



# 測試 /etc/suricata//suricata.yaml 設定檔案  *******************************

/usr/bin/suricata -T -c /etc/suricata//suricata.yaml

# 如果看到類似下面 Warning (警告) 沒關係
# 1/11/2013 -- 10:57:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
# 這是因為 emerging-icmp.rules 中沒有開啟任何 rule
# 不過寫 Shell Script 則很討厭，因為 Warning 導致回傳值不是 0 (0 表示成功)
#if [ "$?" != "0" ]; then
#  echo "/etc/suricata//suricata.yaml Test Failed !"
#  exit 1
#fi



# 測試 /etc/suricata/barnyard.conf 設定檔案  *******************************

barnyard2 -T  -c /etc/suricata/barnyard.conf

# Shell Script 可用下面判斷是否測試成功

if [ "$?" != "0" ]; then
  echo "/etc/suricata/barnyard.conf Test Failed !"
  exit 1
fi


# 啟動

service suricatad restart
service suricatad status
ps axu| grep suricata

service barnyard2 restart
service barnyard2 status
ps axu| grep suricata


**************************************************************************

測試

先測試一下本機器狀態 (log 和 event 數量)

[root@localhost ~]# ls -al /var/log/suricata
total 6720
drwxr-xr-x.  3 root root    4096 Nov  1 11:12 .
drwxr-xr-x. 14 root root    4096 Nov  1 11:09 ..
-rw-------.  1 root root    2056 Nov  1 11:17 barnyard2.waldo
-rw-r-----.  1 root root 4842544 Nov  1 11:18 fast.log
drwxr-xr-x.  2 root root    4096 Oct 17 16:38 files
-rw-r-----.  1 root root 1451995 Nov  1 11:17 http.log
-rw-r--r--.  1 root root  469341 Nov  1 11:20 stats.log
-rw-r-----.  1 root root   31544 Oct 17 16:43 unified2.alert.1381999172
-rw-r-----.  1 root root   61363 Nov  1 11:17 unified2.alert.1383275558

[root@localhost ~]# echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
count(*)
271
[root@localhost ~]#

把防火牆關閉，安裝啟動 httpd 方便攻擊測試
service  iptables  stop
yum  -y  install  httpd
service  httpd  restart

********************************************************************

到另一台安裝 nikto (一定要另一台)

wget http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl

進行攻擊
./nikto.pl -h  192.168.128.102

如果看到 0 host(s) tested, 表示找不到攻擊目標，請檢查防火牆和 httpd

[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on 192.168.128.102:80
---------------------------------------------------------------------------
+ 0 host(s) tested
[root@localhost nikto-2.1.5]#


[root@localhost ~]# ./nikto.pl -h 192.168.128.102
-bash: ./nikto.pl: No such file or directory
[root@localhost ~]# cd nikto-2.1.5/
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.102
+ Target Hostname:    192.168.128.102
+ Target Port:        80
+ Start Time:         2013-10-30 00:22:29 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 3146028, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6545 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2013-10-30 00:22:46 (GMT8) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#

********************************************************************
回到 Suricata 主機檢查

[root@localhost ~]# echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
count(*)
277

[root@localhost ~]# ls -al /var/log/suricata
total 8376
drwxr-xr-x.  3 root root    4096 Nov  1 11:12 .
drwxr-xr-x. 14 root root    4096 Nov  1 11:09 ..
-rw-------.  1 root root    2056 Nov  1 11:27 barnyard2.waldo
-rw-r-----.  1 root root 4863033 Nov  1 11:27 fast.log
drwxr-xr-x.  2 root root    4096 Oct 17 16:38 files
-rw-r-----.  1 root root 2901133 Nov  1 11:27 http.log
-rw-r--r--.  1 root root  688202 Nov  1 11:28 stats.log
-rw-r-----.  1 root root   31544 Oct 17 16:43 unified2.alert.1381999172
-rw-r-----.  1 root root   63259 Nov  1 11:27 unified2.alert.1383275558
[root@localhost ~]#

event 數量從 271 變成 277，表示抓到攻擊事件，目前 Suricata + Barnyard2 + mysql 安裝都正常。

如果 event 沒有增加，請重新檢查。

(完)