[Research] Installing Barnyard2 for Suricata 1.4.6 (CentOS 6.4 x64)
2013-11-02
**********************************************************************************
These posts are related:
[Research] Suricata 1.4.6 Intrusion Detection System Installation (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64.html
or
[Research] Suricata 1.4.6 Quick Install Script (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64_31.html
[Research] Installing Barnyard2 for Suricata 1.4.6 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/barnyard2-for-suricata-146-centos-64-x64.html
or
[Research] Barnyard2 for Suricata 1.4.6 Quick Install Script (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/barnyard2-for-suricata-146-centos-64-x64.html
[Research] Suricata 1.4.6 + Barnyard + BASE Installation (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/suricata-146-barnyard-base-centos-64-x64.html
**********************************************************************************
Please complete the Suricata 1.4.6 installation first:
[Research] Suricata 1.4.6 Intrusion Detection System Installation (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/suricata-146-centos-64-x64.html
[Research] Suricata 1.4.6 Quick Install Script (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/suricata-146-centos-64-x64_31.html
# Install Barnyard2 *******************************
Switch to root first, then run:
su root
cd /usr/local/src
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
# if x86 (32-bit)
# ./configure --with-mysql
make && make install
cd /usr/local/src/barnyard2
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
ln -s /usr/local/etc/barnyard2.conf /etc/suricata/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
# Modify /etc/init.d/barnyard2 *******************************
vi /etc/init.d/barnyard2
Comment out these two lines:
[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1
# change to
# [ -x /usr/sbin/snort ] || exit 1
# [ -r /etc/snort/snort.conf ] || exit 1
# find
BARNYARD_OPTS="-D -c $CONF -d $suricataDIR/${INT} -w $WALDO_FILE -L $suricataDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
# change to
BARNYARD_OPTS="-D -c /etc/suricata/barnyard.conf -d /var/log/suricata -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid"
# find
Snort Output Processor
# change to
Suricata Output Processor
chkconfig barnyard2 reset
# Or do it directly with the commands below
sed -i -e "s@exit 1@# exit 1@" /etc/init.d/barnyard2
sed -i -e "s@Snort Output Processor@Suricata Output Processor@" /etc/init.d/barnyard2
sed -i -e "s@BARNYARD_OPTS=@#BARNYARD_OPTS=@" /etc/init.d/barnyard2
sed -i -e "/daemon/iBARNYARD_OPTS=\"-D -c \/etc\/suricata\/barnyard.conf -d \/var\/log\/suricata -w \/var\/log\/suricata\/barnyard2.waldo -l \/var\/log\/suricata -a \/var\/log\/suricata -f unified2.alert -X \/var\/lock\/subsys\/barnyard2.pid\"" /etc/init.d/barnyard2
chkconfig barnyard2 reset
# Description of the related parameters
[root@localhost ~]# barnyard2
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.13 (Build 327)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
USAGE: barnyard2 [-options] <filter options>
Gernal Options:
-c <file> Use configuration file <file>
-C <file> Read the classification map from <file>
-D Run barnyard2 in background (daemon) mode
-e Display the second layer header info
-F Turn off fflush() calls after binary log writes
-g <gname> Run barnyard2 gid as <gname> group (or gid) after initialization
-G <file> Read the gen-msg map from <file>
-h <name> Define the hostname <name>. For logging purposes only
-i <if> Define the interface <if>. For logging purposes only
-I Add Interface name to alert output
-l <ld> Log to directory <ld>
-m <umask> Set umask = <umask>
-O Obfuscate the logged IP addresses
-q Quiet. Don't show banner and status report
-r <id> Include 'id' in barnyard2_intf<id>.pid file name
-R <file> Read the reference map from <file>
-S <file> Read the sid-msg map from <file>
-t <dir> Chroots process to <dir> after initialization
-T Test and report on the current barnyard2 configuration
-u <uname> Run barnyard2 uid as <uname> user (or uid) after initialization
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-y Include year in timestamp in the alert and log files
-? Show this information
Continual Processing Options:
-a <dir> Archive processed files to <dir>
-f <base> Use <base> as the base filename pattern
-d <dir> Spool files from <dir>
-n Only process new events
-w <file> Enable bookmarking using <file>
Batch Processing Mode Options:
-o Enable batch processing mode
# Modify /etc/sysconfig/barnyard2 *******************************
[root@localhost ~]# vi /etc/sysconfig/barnyard2
Change the following:
# Config file for /etc/init.d/barnyard2
LOG_FILE="snort_unified.log"
# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth0"
# Probably not this either
CONF=/etc/snort/barnyard.conf
EXTRA_ARGS=""
to:
# Config file for /etc/init.d/barnyard2
#LOG_FILE="snort_unified.log"
LOG_FILE="unified2.log"
# You probably don't want to change this, but in case you do
# SNORTDIR="/var/log/snort"
SURICATADIR="/var/log/suricata"
INTERFACES="eth0"
# Probably not this either
#CONF=/etc/snort/barnyard.conf
CONF=/etc/suricata/barnyard.conf
EXTRA_ARGS=""
Or modify it directly with the commands below:
sed -i -e "s@LOG_FILE@#LOG_FILE@" /etc/sysconfig/barnyard2
sed -i -e "/Config file/aLOG_FILE=\"unified2.log\"" /etc/sysconfig/barnyard2
sed -i -e "s@CONF@#CONF@" /etc/sysconfig/barnyard2
sed -i -e "/Probably not this either/aCONF=\/etc\/suricata\/barnyard.conf" /etc/sysconfig/barnyard2
echo "***** Check : /etc/sysconfig/barnyard2 *****"
# should show the line(s) that now point at /etc/suricata
grep suricata /etc/sysconfig/barnyard2
# Set up mysql *******************************
[root@localhost ~]# service mysqld restart
# Set a password for the MySQL root account (apart from typing the password, answer every question by pressing Enter) (not required, but recommended)
[root@localhost ~]# /usr/bin/mysql_secure_installation
...
Set root password? [Y/n]
New password: (type the password)
Re-enter new password: (type the password again)
Password updated successfully!
Reloading privilege tables..
... Success!
Or change it with the commands below:
[root@localhost ~]# mysqladmin -u root password new_password
[root@localhost ~]# mysqladmin -u root -p'old_password' password new_password
# Create the suricatadb database with access account barnyard2 and password 123456, then run flush privileges; so it takes effect immediately
[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.1.69 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database suricatadb;
Query OK, 1 row affected (0.00 sec)
mysql> grant all privileges on suricatadb.* to barnyard2@localhost identified by '123456';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
[root@localhost ~]#
# Or do it with the commands below
mysql -e "create database suricatadb; "
#mysql -e "grant all on suricatadb.* to barnyard2@localhost; "
#mysql -e "set password for barnyard2@localhost=password('123456'); "
mysql -e "grant all privileges on suricatadb.* to barnyard2@localhost identified by '123456'; "
mysql -e "flush privileges; "
# Show which databases mysql currently has (the point is to check that suricatadb exists); replace ROOTPASSWORD with the MySQL root password
echo "show databases; " | mysql -pROOTPASSWORD
# Show all tables
echo "use suricatadb; show tables;" | mysql -ubarnyard2 -p123456
# Modify /etc/suricata/barnyard.conf *******************************
# Configure barnyard2 to output to mysql
[root@localhost ~]# vi /etc/suricata/barnyard.conf
Search for output database
Add a new line:
output database: log, mysql, user=barnyard2 password=123456 dbname=suricatadb host=localhost
Search for:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Change to:
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
Create the tables in the suricatadb database in which barnyard stores the suricata results (password 123456):
[root@localhost ~]# mysql suricatadb -ubarnyard2 -p < /usr/local/src/barnyard2/schemas/create_mysql
[root@localhost ~]# vi /etc/suricata//suricata.yaml
outputs:
  - console:
      enabled: yes
  - file:
      enabled: no
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
Change the enabled: no on the line above filename: /var/log/suricata.log to enabled: yes:
  - file:
      enabled: yes
      filename: /var/log/suricata.log
Note: enabled and the filename line below it must have exactly the same indentation, otherwise suricata will fail to start.
# Or change it with the commands below
sed -i -e "/database: log to a variety of databases/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=suricatadb host=localhost" /etc/suricata/barnyard.conf
# remark some configurations
sed -i -e "s@config reference_file@# config reference_file@" /etc/suricata/barnyard.conf
sed -i -e "s@config classification_file@# config classification_file@" /etc/suricata/barnyard.conf
sed -i -e "s@config gen_file@# config gen_file@" /etc/suricata/barnyard.conf
sed -i -e "s@config sid_file@# config sid_file@" /etc/suricata/barnyard.conf
sed -i -e "/config reference_file/aconfig reference_file: \/etc\/suricata\/reference.config" /etc/suricata/barnyard.conf
sed -i -e "/config classification_file/aconfig classification_file: \/etc\/suricata\/classification.config" /etc/suricata/barnyard.conf
sed -i -e "/config gen_file/aconfig gen_file: \/etc\/suricata\/rules\/gen-msg.map" /etc/suricata/barnyard.conf
sed -i -e "/config sid_file/aconfig sid_file: \/etc\/suricata\/rules\/sid-msg.map" /etc/suricata/barnyard.conf
mysql suricatadb -ubarnyard2 -p123456 < /usr/local/src/barnyard2/schemas/create_mysql
# delete the "enabled: no" line of the file block (line 645 in the author's suricata.yaml; check the line number in your copy with grep -n first)
sed -i '645d' /etc/suricata//suricata.yaml
sed -i -e "/suricata.log/i\ \ \ \ \ \ enabled: yes" /etc/suricata//suricata.yaml
# Verify the number of event rows in the suricatadb database
echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
# Show the current suricata-related settings in /etc/suricata/barnyard.conf
grep suricata /etc/suricata/barnyard.conf
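An added example (not from the original post) that enables the file-log block by locating it instead of deleting a hard-coded line as sed -i '645d' does; the suricata.yaml fragment it runs on is constructed to mirror the logging section shown above:

```shell
#!/bin/sh
# Added example (not from the original post): enable the "- file:" logging
# output in suricata.yaml by finding the block instead of deleting a
# hard-coded line number (the post's "sed -i '645d'" breaks as soon as the
# file shifts by one line). The rewritten "enabled:" line keeps the
# indentation it already has, so it stays aligned with "filename:".
enable_file_output() {
    # $1 = path to suricata.yaml; prints the rewritten file to stdout
    awk '
        /^[ \t]*- file:[ \t]*$/ { infile = 1 }            # start of the file block
        /^[ \t]*- [a-z-]+:/ && !/- file:/ { infile = 0 }  # next list item ends it
        infile && /^[ \t]*enabled:[ \t]*no[ \t]*$/ {
            sub(/no[ \t]*$/, "yes")                      # only inside the file block
            infile = 0
        }
        { print }
    ' "$1"
}

# Constructed sample mirroring the logging section quoted in the post.
sample_yaml() {
    cat <<'EOF'
logging:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: no
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
EOF
}

# Returns the file block's "enabled:" line after the rewrite.
file_block_enabled_line() {
    tmp=$(mktemp); sample_yaml > "$tmp"
    enable_file_output "$tmp" | awk '/- file:/{f=1;next} f&&/enabled:/{print;exit}'
    rm -f "$tmp"
}

# Returns how many outputs are enabled after the rewrite (console + file = 2;
# syslog must stay "no").
count_enabled_yes() {
    tmp=$(mktemp); sample_yaml > "$tmp"
    enable_file_output "$tmp" | grep -c 'enabled: yes'
    rm -f "$tmp"
}
```

For the real file, run enable_file_output /etc/suricata//suricata.yaml > /tmp/suricata.yaml.new, diff it against the original, and only then copy it into place.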
# Test the /etc/suricata//suricata.yaml config file *******************************
/usr/bin/suricata -T -c /etc/suricata//suricata.yaml
# A Warning like the one below is fine
# 1/11/2013 -- 10:57:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
# This is because no rule in emerging-icmp.rules is enabled
# It is annoying for a shell script, though, because the Warning makes the return value non-zero (0 means success), which is why the check below is commented out
#if [ "$?" != "0" ]; then
# echo "/etc/suricata//suricata.yaml Test Failed !"
# exit 1
#fi
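An added example (not from the original post) that scripts the suricata -T check by classifying its output lines instead of trusting the exit status; the sample outputs are constructed, the Warning copied from above and the Error line a labelled placeholder:

```shell
#!/bin/sh
# Added example (not from the original post): judge "suricata -T" by its log
# lines instead of its exit status, because, as the post notes, a Warning such
# as SC_ERR_NO_RULES can make the exit status non-zero although the config is
# usable. Only "<Error>" lines count as a failed test.
# Reads the captured suricata -T output on stdin, prints every error and every
# rule file that loaded no rules, and returns 0 when no <Error> line was seen.
check_suricata_test_output() {
    awk '
        /- <Error> -/ { errors++; print "ERROR: " $0 }
        /SC_ERR_NO_RULES/ {
            # "No rules loaded from /path/x.rules": report the empty rule file
            if (split($0, p, "No rules loaded from ") > 1)
                print "empty rule file: " p[2]
        }
        END { if (errors > 0) exit 1; exit 0 }
    '
}

# Constructed sample 1: the Warning quoted in the post, nothing else.
warning_only() {
    printf '%s\n' \
      '1/11/2013 -- 10:57:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules'
}

# Constructed sample 2: the same Warning followed by a made-up <Error> line
# (placeholder error code and text, not a real Suricata message).
warning_and_error() {
    warning_only
    printf '%s\n' \
      '1/11/2013 -- 10:57:19 - <Error> - [ERRCODE: SC_ERR_PLACEHOLDER(0)] - constructed fatal error'
}

# Verdict helpers returning "ok" / "failed".
verdict_warning_only() {
    if warning_only | check_suricata_test_output >/dev/null; then echo ok; else echo failed; fi
}
verdict_warning_and_error() {
    if warning_and_error | check_suricata_test_output >/dev/null; then echo ok; else echo failed; fi
}

# Real use (not run here):
#   /usr/bin/suricata -T -c /etc/suricata//suricata.yaml 2>&1 | check_suricata_test_output || exit 1
```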
# Test the /etc/suricata/barnyard.conf config file *******************************
barnyard2 -T -c /etc/suricata/barnyard.conf
# In a shell script, the following can check whether the test succeeded
if [ "$?" != "0" ]; then
echo "/etc/suricata/barnyard.conf Test Failed !"
exit 1
fi
# Start
service suricatad restart
service suricatad status
ps axu| grep suricata
service barnyard2 restart
service barnyard2 status
ps axu| grep barnyard2
**************************************************************************
Testing
First check the state of this machine (log files and event count):
[root@localhost ~]# ls -al /var/log/suricata
total 6720
drwxr-xr-x. 3 root root 4096 Nov 1 11:12 .
drwxr-xr-x. 14 root root 4096 Nov 1 11:09 ..
-rw-------. 1 root root 2056 Nov 1 11:17 barnyard2.waldo
-rw-r-----. 1 root root 4842544 Nov 1 11:18 fast.log
drwxr-xr-x. 2 root root 4096 Oct 17 16:38 files
-rw-r-----. 1 root root 1451995 Nov 1 11:17 http.log
-rw-r--r--. 1 root root 469341 Nov 1 11:20 stats.log
-rw-r-----. 1 root root 31544 Oct 17 16:43 unified2.alert.1381999172
-rw-r-----. 1 root root 61363 Nov 1 11:17 unified2.alert.1383275558
[root@localhost ~]# echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
count(*)
271
[root@localhost ~]#
Turn off the firewall and install and start httpd to make attack testing easier:
service iptables stop
yum -y install httpd
service httpd restart
********************************************************************
On another machine, install nikto (it must be a separate machine):
wget http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl
Run the attack:
./nikto.pl -h 192.168.128.102
If you see 0 host(s) tested, the attack target could not be found; check the firewall and httpd.
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on 192.168.128.102:80
---------------------------------------------------------------------------
+ 0 host(s) tested
[root@localhost nikto-2.1.5]#
[root@localhost ~]# ./nikto.pl -h 192.168.128.102
-bash: ./nikto.pl: No such file or directory
[root@localhost ~]# cd nikto-2.1.5/
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.128.102
+ Target Hostname: 192.168.128.102
+ Target Port: 80
+ Start Time: 2013-10-30 00:22:29 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 3146028, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6545 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2013-10-30 00:22:46 (GMT8) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#
********************************************************************
Go back to the Suricata host and check:
[root@localhost ~]# echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
count(*)
277
[root@localhost ~]# ls -al /var/log/suricata
total 8376
drwxr-xr-x. 3 root root 4096 Nov 1 11:12 .
drwxr-xr-x. 14 root root 4096 Nov 1 11:09 ..
-rw-------. 1 root root 2056 Nov 1 11:27 barnyard2.waldo
-rw-r-----. 1 root root 4863033 Nov 1 11:27 fast.log
drwxr-xr-x. 2 root root 4096 Oct 17 16:38 files
-rw-r-----. 1 root root 2901133 Nov 1 11:27 http.log
-rw-r--r--. 1 root root 688202 Nov 1 11:28 stats.log
-rw-r-----. 1 root root 31544 Oct 17 16:43 unified2.alert.1381999172
-rw-r-----. 1 root root 63259 Nov 1 11:27 unified2.alert.1383275558
[root@localhost ~]#
The event count went from 271 to 277, which means the attack events were captured; Suricata + Barnyard2 + mysql are all installed and working.
If the event count did not increase, re-check the steps above.
(End)
Because I couldn't get the quick-install method to work, I came back to this post and did it by hand.
Running this command from this post: echo "select count(*) from event;" | mysql suricatadb -ubarnyard2 -p123456
gives the following error:
ERROR 1045 (28000): Access denied for user 'barnyard2'@'localhost' (using password: YES)
Connecting to the database with phpMyAdmin, the database and the user are there, and the password is set to 123456.
I don't know where the problem is in this part.
But I am sure that
# ls -al /var/log/suricata
works.
suricata running does not mean barnyard2 runs.
suricata running and barnyard2 running does not mean barnyard2 can write data to mysql (this is your current problem).
That ERROR is related to the database, account and password.
1. Verify that the suricatadb database exists (assuming the root password is 1234)
[root@localhost ~]# echo "show databases; " | mysql -uroot -p1234 | grep suricatadb
suricatadb
2. Verify that the barnyard2 account exists
[root@localhost ~]# echo "use mysql; select user from user " | mysql -uroot -p1234 | grep barnyard2
barnyard2
Or (you can see the password is hashed; phpMyAdmin cannot show it)
[root@localhost ~]# echo "use mysql; select user, host, password from user " | mysql -uroot -p1234 | grep barnyard2
barnyard2 localhost *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
3. Verify that account barnyard2 with password 123456 can log in to the suricatadb database
[root@localhost ~]# mysql suricatadb -ubarnyard2 -p123456
If the login fails, fix the password:
[root@localhost ~]# echo "use mysql; update user set password=PASSWORD('123456') where user='barnyard2'; flush privileges; " | mysql -uroot -p1234
PS: the password does not have to be 123456, but every corresponding place must be changed to match.