2014-06-19
********************************************************************************
These posts belong together (3 main steps):
[Research] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) quick install script
http://shaurong.blogspot.tw/2014/06/snort-2961targz-centos-65-x64.html
[Research] Snort 2.9.6.1 + Barnyard 2.13 installation (CentOS 6.5 x64) quick install script
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-213-centos-65-x64.html
or
[Research] Snort 2.9.6.1 + Barnyard installation (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-centos-65-x64.html
[Research] Snort 2.9.6.1 + Barnyard + BASE installation (CentOS 6.5 x64) quick install script
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64_20.html
or
[Research] Snort 2.9.6.1 + Barnyard + BASE installation (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64.html
********************************************************************************
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script (2)
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64_28.html
If you want to know exactly what I installed on CentOS 6.5 x86_64, see this post:
[Research] CentOS 6.5 x86_64 installation notes
http://shaurong.blogspot.tw/2014/06/centos-65-x8664.html
First check the current EPEL release version; the quick install script below may need to be adjusted accordingly.
rpm -Uvh http://ftp.uninett.no/linux/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y install gcc gcc-c++ flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump libdnet libdnet-devel
If http://ftp.uninett.no/linux/epel/6/x86_64/epel-release-6-8.noarch.rpm cannot be found,
look in the http://ftp.uninett.no/linux/epel/6/x86_64 directory for a newer release, for example
epel-release-6-9.noarch.rpm
epel-release-6-10.noarch.rpm
....
References
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
http://manual.snort.org/
http://www.snort.org/docs
http://s3.amazonaws.com/snort-org/www/assets/202/snort2953_centos6x.pdf
snort-2.9.6.1.tar.gz and daq-2.0.2.tar.gz download URL
http://www.snort.org/snort-downloads?
libdnet-1.11.tar.gz download URL
http://libdnet.sourceforge.net/
PS: I later found libdnet-1.12.tar.gz here; has the official site moved?
https://code.google.com/p/libdnet/downloads/list
snortrules-snapshot-2961.tar.gz download URL (free registration: click Sign In at the top right and log in before downloading)
http://www.snort.org/snort-rules/?
The Subscriber Release requires a paid subscription to download; skip it.
The Registered User Release is free: register, then log in to download.
Download the following files manually and put them in the /usr/local/src directory:
libdnet-1.11.tar.gz
daq-2.0.2.tar.gz
snort-2.9.6.1.tar.gz
snortrules-snapshot-2961.tar.gz
Starting with version 2.9.3 Snort no longer supports MySQL; apparently Barnyard2 can fill that gap. I will not cover ADOdb and BASE in this post either; maybe another time.
Barnyard 2 official site
http://www.securixlive.com/
ADOdb official site
http://adodb.sourceforge.net/
http://sourceforge.net/projects/adodb/files/adodb-php5-only/
(last updated 2014-04-30)
BASE official site (Basic Analysis and Security Engine)
http://base.secureideas.net/
http://sourceforge.net/projects/secureideas/files/BASE/
(last update: v1.4.5, May 2010-03-05)
Contents of the quick install script (tested and working). Switch to root with su root before running it.
#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.6.1_centos6.5x64.sh "
echo -e "snort-2.9.6.1.tar.gz Install Shell Script (CentOS 6.5 x64) "
echo -e "by Shau-Rong Lu 2014-06-19 "
echo -e "\033[0m"

# EPEL release package (noarch, so the x86_64 directory matches the note above); bump 6-8 if it has been replaced
rpm -Uvh http://ftp.uninett.no/linux/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y install gcc gcc-c++ flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump libdnet libdnet-devel

cd /usr/local/src

# libdnet is installed from EPEL above; building it from source is kept here commented out
# if [ ! -s libdnet-1.11.tar.gz ]; then
#     echo "Can not find /usr/local/src/libdnet-1.11.tar.gz"
#     wget "http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Flibdnet.sourceforge.net%2F&ts=1382718432&use_mirror=nchc"
#     exit 1
# fi

# the source tarballs must already be in /usr/local/src (see the download list above)
if [ ! -s daq-2.0.2.tar.gz ]; then
    echo "Can not find /usr/local/src/daq-2.0.2.tar.gz"
    exit 1
fi
if [ ! -s snort-2.9.6.1.tar.gz ]; then
    echo "Can not find /usr/local/src/snort-2.9.6.1.tar.gz"
    exit 1
fi
if [ ! -s snortrules-snapshot-2961.tar.gz ]; then
    echo "Can not find /usr/local/src/snortrules-snapshot-2961.tar.gz"
    exit 1
fi

# tar zxvf libdnet-1.11.tar.gz
tar zxvf daq-2.0.2.tar.gz
tar zxvf snort-2.9.6.1.tar.gz

# cd /usr/local/src/libdnet-1.11
# ./configure --with-pic
# make
# make install

cd /usr/local/src/daq-2.0.2
./configure
make
make install

cd /usr/local/src/snort-2.9.6.1
./configure --enable-sourcefire
make
make install

# cd /usr/local/lib
# ldconfig -v /usr/local/lib

# rules, configuration files and an unprivileged snort account
mkdir -p /etc/snort
cd /usr/local/src
tar xzvf /usr/local/src/snortrules-snapshot-2961.tar.gz -C /etc/snort
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
groupadd -g 40000 snort
useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort
cp /etc/snort/etc/* /etc/snort/.

# point the path variables in snort.conf at /etc/snort: comment out the stock line, then append the new one after it
sed -i -e "s@var RULE_PATH@#var RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var RULE_PATH/avar RULE_PATH /etc/snort/rules" /etc/snort/snort.conf
grep "var RULE_PATH" /etc/snort/snort.conf
sed -i -e "s@var SO_RULE_PATH@#var SO_RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var SO_RULE_PATH/avar SO_RULE_PATH /etc/snort/so_rules" /etc/snort/snort.conf
grep "var SO_RULE_PATH" /etc/snort/snort.conf
sed -i -e "s@var PREPROC_RULE_PATH@#var PREPROC_RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var PREPROC_RULE_PATH/avar PREPROC_RULE_PATH /etc/snort/preproc_rules" /etc/snort/snort.conf
grep "var PREPROC_RULE_PATH" /etc/snort/snort.conf
sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
grep "var WHITE_LIST_PATH" /etc/snort/snort.conf
sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
grep "var BLACK_LIST_PATH" /etc/snort/snort.conf

mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

# validate the configuration before installing the service
snort -T -c /etc/snort/snort.conf
if [ "$?" != "0" ]; then
    echo "Snort Test Failed !"
    exit 1
fi

# cp /root/snort-2.9.6.1/rpm/snortd /etc/init.d/.
# chmod +x /etc/init.d/snortd
# cp /root/snort-2.9.6.1/rpm/snort.sysconfig /etc/sysconfig/snort
# ln -s /usr/local/bin/snort /usr/sbin/snort

# generate the SysV init script
rm -fr /etc/init.d/snortd
echo '#!/bin/bash' > /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "# chkconfig: 345 99 01" >> /etc/init.d/snortd
echo "# description: Snort startup script" >> /etc/init.d/snortd
echo "# 345 - levels to configure" >> /etc/init.d/snortd
echo "# 99 - startup order" >> /etc/init.d/snortd
echo "# 01 - stop order" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo ". /etc/rc.d/init.d/functions " >> /etc/init.d/snortd
echo "INTERFACE=eth0" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "case \"\$1\" in " >> /etc/init.d/snortd
echo "start)" >> /etc/init.d/snortd
echo "    echo -n \"Starting Snort: \"" >> /etc/init.d/snortd
echo "    daemon PCAP_FRAMES=max /usr/local/bin/snort -D -i \$INTERFACE -c /etc/snort/snort.conf" >> /etc/init.d/snortd
echo "    echo" >> /etc/init.d/snortd
echo "    ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "stop)" >> /etc/init.d/snortd
echo "    echo -n \"Stopping Snort: \"" >> /etc/init.d/snortd
echo "    killproc snort" >> /etc/init.d/snortd
echo "    echo" >> /etc/init.d/snortd
echo "    ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "restart)" >> /etc/init.d/snortd
echo "    \$0 stop" >> /etc/init.d/snortd
echo "    \$0 start" >> /etc/init.d/snortd
echo "    ;;" >> /etc/init.d/snortd
echo "status)" >> /etc/init.d/snortd
echo "    status snort" >> /etc/init.d/snortd
echo "    ;;" >> /etc/init.d/snortd
echo "*)" >> /etc/init.d/snortd
# \$0 is escaped so it expands inside snortd when it runs, not here while generating it
echo "    echo \"Usage: \$0 {start|stop|restart|status}\"" >> /etc/init.d/snortd
echo "    exit 1" >> /etc/init.d/snortd
echo "esac" >> /etc/init.d/snortd
echo "exit 0" >> /etc/init.d/snortd
chmod +x /etc/init.d/snortd
chkconfig --add snortd
chkconfig snortd on
service snortd start

echo "You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite "
echo ""
echo "or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite"
echo "    wget http://www.cirt.net/nikto/nikto-current.tar.gz"
echo "    tar zxvf nikto-current.tar.gz"
echo "    cd nikto-*"
echo "    chmod +x nikto.pl"
echo "    ./nikto.pl -h xxx.xxx.xxx.xxx"
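The sed pairs in the script above comment out each `var *_PATH` line and append a replacement after every line that still mentions the variable, so running the installer a second time appends further copies. As an added example (my own code, not from the post), here is an idempotent way to set those variables in shell, plus a check that every `*_PATH` variable in snort.conf is an absolute path that exists, which is what the installer is trying to achieve before `snort -T` runs. The function names `set_snort_var` and `check_snort_paths` and the constructed mini snort.conf in `demo` are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: idempotent editing of the
# "var *_PATH" lines in snort.conf, plus a sanity check on the result.
# Function names and the constructed mini snort.conf below are assumptions.

# set_snort_var CONF NAME VALUE
# Rewrites the first "var NAME ..." line (commented out or not) to
# "var NAME VALUE", drops any further copies, and appends the line if the
# variable is absent. Running it twice therefore leaves exactly one line.
set_snort_var() {
    conf=$1; name=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v name="$name" -v value="$value" '
        $0 ~ ("^[ \t]*#?[ \t]*var[ \t]+" name "([ \t]|$)") {
            if (!done) { print "var " name " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print "var " name " " value }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the owner/mode of CONF
    rc=$?
    rm -f "$tmp"
    return $rc
}

# check_snort_paths CONF
# The installer replaces the stock relative defaults ("../rules") with absolute
# paths; this reports every *_PATH variable that is still relative or points at
# something that does not exist. Returns 0 only when all of them are good.
check_snort_paths() {
    conf=$1; rc=0
    for pair in $(awk '$1 == "var" && $2 ~ /_PATH$/ { print $2 "=" $3 }' "$conf"); do
        name=${pair%%=*}; value=${pair#*=}
        case $value in
            /*) [ -e "$value" ] || { echo "MISSING:  $name=$value"; rc=1; } ;;
            *)  echo "RELATIVE: $name=$value"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a constructed stand-in for the relevant lines of the stock snort.conf.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/rules" "$work/so_rules"
    cat > "$work/snort.conf" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
ipvar HOME_NET any
EOF
    set_snort_var "$work/snort.conf" RULE_PATH "$work/rules"
    set_snort_var "$work/snort.conf" RULE_PATH "$work/rules"        # second call: still one line
    set_snort_var "$work/snort.conf" SO_RULE_PATH "$work/so_rules"
    set_snort_var "$work/snort.conf" WHITE_LIST_PATH "$work/rules"  # absent before: appended
    cat "$work/snort.conf"
    # PREPROC_RULE_PATH was left relative on purpose, so the check reports it
    check_snort_paths "$work/snort.conf" && echo "all paths OK" \
        || echo "fix the lines above before running snort -T"
    rm -rf "$work"
}

demo
```

To use it on a real box, call `set_snort_var /etc/snort/snort.conf RULE_PATH /etc/snort/rules` once per variable in place of each sed pair, then `check_snort_paths /etc/snort/snort.conf` before `snort -T -c /etc/snort/snort.conf`.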
Test
[root@localhost snort]# service snortd start
Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600)
Spawning daemon child...
My daemon child 47471 lives...
Daemon parent exiting (0)
                                                           [  OK  ]
[root@localhost snort]# service snortd status
snort (pid 47471) is running...
[root@localhost snort]# ps aux | grep snort
root     47471  0.1 17.5 659040 336188 ?        Ssl  15:24   0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root     47484  0.0  0.0 103252    832 pts/1    S+   15:25   0:00 grep snort
[root@localhost snort]#
Setting up this host as the scan target
[root@localhost snort]# service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
                                                           [  OK  ]
[root@localhost snort]#
Temporarily stop the firewall
[root@localhost ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@localhost ~]#
First look at Snort's current log directory; the alert file is 0 bytes.
[root@localhost snort]# ls -al /var/log/snort
total 28
drwx------.  4 snort snort 4096 Jun 19 15:24 .
drwxr-xr-x. 14 root  root  4096 Jun 19 15:21 ..
-rw-r--r--.  1 root  root     0 Jun 19 15:24 alert
-rw-r--r--.  1 snort snort   18 Jul 18  2013 .bash_logout
-rw-r--r--.  1 snort snort  176 Jul 18  2013 .bash_profile
-rw-r--r--.  1 snort snort  124 Jul 18  2013 .bashrc
drwxr-xr-x.  2 snort snort 4096 Nov 12  2010 .gnome2
drwxr-xr-x.  4 snort snort 4096 Jun 19  2014 .mozilla
-rw-------.  1 root  root     0 Jun 19 15:24 snort.log.1403162676
[root@localhost snort]#
Use a second host to run the scan (nikto apparently cannot scan the host it runs on, so another machine is needed).
192.168.128.101 is the Snort host
192.168.128.102 is the nikto host
[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.101
+ Target Hostname:    192.168.128.101
+ Target Port:        80
+ Start Time:         2014-06-19 23:39:57 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 928329, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2014-06-19 23:40:05 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#
Back on the Snort host, the alert file has grown from 0 bytes to a non-zero size, which shows Snort is working.
[root@localhost snort]# ls -al /var/log/snort
total 40
drwx------.  4 snort snort 4096 Jun 19 15:24 .
drwxr-xr-x. 14 root  root  4096 Jun 19 15:21 ..
-rw-r--r--.  1 root  root  4340 Jun 19 15:40 alert
-rw-r--r--.  1 snort snort   18 Jul 18  2013 .bash_logout
-rw-r--r--.  1 snort snort  176 Jul 18  2013 .bash_profile
-rw-r--r--.  1 snort snort  124 Jul 18  2013 .bashrc
drwxr-xr-x.  2 snort snort 4096 Nov 12  2010 .gnome2
drwxr-xr-x.  4 snort snort 4096 Jun 19  2014 .mozilla
-rw-------.  1 root  root  2876 Jun 19 15:40 snort.log.1403162676
[root@localhost snort]#
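The post verifies Snort only by watching the alert file grow. As an added example (my own code, not from the post), the shell functions below summarise an alert file by signature and by source address, so you can see which rules fired during the scan and from where, rather than just the file size. The sample entries in `write_sample_alerts` are constructed here in Snort's default full alert format, plus one fast-format line to show that `-A fast` output is handled too; their SIDs and messages are illustrative and not taken from the post. Function names are this example's own; IPv4 addresses only.

```shell
#!/bin/bash
# Added example, not from the original post: summarise a Snort alert file by
# signature and by source address. Handles the default full format (the
# "[**] [gid:sid:rev] msg [**]" header on one line and "src:port -> dst:port"
# on a later line) and the one-line "-A fast" format. Function names and the
# sample entries below are this example's own constructions; IPv4 only.

# alert_summary sig|src FILE  ->  "count<TAB>key" lines, most frequent first
alert_summary() {
    mode=$1; file=$2
    awk -v mode="$mode" '
        mode == "sig" && match($0, /\[[0-9]+:[0-9]+:[0-9]+\] [^[]*\[\*\*\]/) {
            n[substr($0, RSTART, RLENGTH - 5)]++       # strip the trailing " [**]"
        }
        mode == "src" && match($0, /[0-9.]+(:[0-9]+)? -> [0-9.]+(:[0-9]+)?/) {
            split(substr($0, RSTART, RLENGTH), ep, " -> ")
            sub(/:[0-9]+$/, "", ep[1])                 # drop the source port (ICMP has none)
            n[ep[1]]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' "$file" | sort -rn
}

# alert_total FILE  ->  number of alerts (one signature header per alert)
alert_total() {
    alert_summary sig "$1" | awk -F '\t' '{ s += $1 } END { print s + 0 }'
}

# alert_count_for FILE GID:SID  ->  alerts for one rule, e.g. 1:1201
alert_count_for() {
    alert_summary sig "$1" | awk -F '\t' -v id="[$2:" \
        'index($2, id) == 1 { c += $1 } END { print c + 0 }'
}

# write_sample_alerts FILE: constructed entries shaped like what a web scan
# against the Apache host in the post would produce; SIDs/messages illustrative.
write_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:1852:5] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/19-15:40:01.102233 192.168.128.102:53712 -> 192.168.128.101:80
TCP TTL:64 TOS:0x0 ID:33871 IpLen:20 DgmLen:222 DF
***AP*** Seq: 0x1D2F0A11  Ack: 0x7E9A0C02  Win: 0xE5  TcpLen: 32

[**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/19-15:40:02.334491 192.168.128.101:80 -> 192.168.128.102:53742
TCP TTL:64 TOS:0x0 ID:9870 IpLen:20 DgmLen:561 DF
***AP*** Seq: 0x9BE1E7A5  Ack: 0x05BCB3B7  Win: 0x3C  TcpLen: 32

[**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/19-15:40:02.410877 192.168.128.101:80 -> 192.168.128.102:53744
TCP TTL:64 TOS:0x0 ID:9871 IpLen:20 DgmLen:561 DF
***AP*** Seq: 0x9BE1F0C1  Ack: 0x05BCC412  Win: 0x3C  TcpLen: 32

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
06/19-15:40:02.900001 192.168.128.102 -> 192.168.128.101
ICMP TTL:64 TOS:0x0 ID:4471 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1024   Seq:1  ECHO

06/19-15:40:03.001122 [**] [1:1242:13] WEB-IIS ISAPI .ida access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.128.102:53790 -> 192.168.128.101:80
EOF
}

# main [FILE]: summarise FILE (e.g. /var/log/snort/alert) or the built-in sample
main() {
    if [ -n "${1:-}" ]; then
        file=$1; cleanup=
    else
        file=$(mktemp); write_sample_alerts "$file"; cleanup=$file
    fi
    echo "total alerts: $(alert_total "$file")"
    echo "by signature:";      alert_summary sig "$file"
    echo "by source address:"; alert_summary src "$file"
    echo "403 responses (1:1201): $(alert_count_for "$file" 1:1201)"
    [ -n "$cleanup" ] && rm -f "$cleanup"
    return 0
}

main "$@"
```

Run it as `sh alert_summary.sh /var/log/snort/alert` on the Snort host after the scan; the 403 responses come from the Apache side (192.168.128.101:80), which is why a source-address count alone does not identify the scanner, and the signature count is the better first view.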
(End)
Related posts
[Research] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) quick install script
http://shaurong.blogspot.tw/2014/06/snort-2961targz-centos-65-x64.html
[Research] Snort 2.9.6.1 + Barnyard 2.13 installation (CentOS 6.5 x64) quick install script
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-213-centos-65-x64.html
or
[Research] Snort 2.9.6.1 + Barnyard installation (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-centos-65-x64.html
[Research] Snort 2.9.6.1 + Barnyard + BASE installation (CentOS 6.5 x64) quick install script
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64_20.html
or
[Research] Snort 2.9.6.1 + Barnyard + BASE installation (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64.html
--------------
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script (2)
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64_28.html
or
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64.html
[Research] Snort 2.9.5.5 + Barnyard installation (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/snort-2955-barnyard-centos-64-x64.html
[Research] Snort 2.9.5.5 + Barnyard + BASE installation (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/snort-2955-barnyard-base-centos-64-x64.html
--------------
[Research] snort-2.9.4.tar.gz (CentOS 6.3 x86) quick install script
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
[Research] Snort 2.9.0.5 installation (Fedora 15 x86)
http://shaurong.blogspot.tw/2011/07/snort-2905-fedora-15-x86.html
[Research] N-Stalker Web Application Security Scanner X Free Edition web vulnerability scanner usage
http://shaurong.blogspot.tw/2013/08/n-stalker-web-application-security.html
[Research] N-Stalker Free Edition 2012 web vulnerability scanner tutorial
http://shaurong.blogspot.tw/2011/07/n-stalker-free-edition-2012.html
[Research] Snort 2.9.0.5 installation (Fedora 15 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=20240
[Research] Snort 2.9.0.3 (tar.gz) installation (Fedora 14 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=19216
[Research] Snort 2.8.5.2.tar.gz + MySQL + BASE quick install script (CentOS 5.4)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=17658
[Research] Snort 2.8.5.2.tar.gz + MySQL + BASE quick install script (Fedora 12 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=17672
[Tutorial] [Research] Snort 2.8.1 quick install script, lite version (Fedora 8)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=15042
Comment: Hmm.... when I scan with nikto, Snort does show the attack information, but when I scan with Kali and other tools nothing shows up (packet dump mode still captures the packets, though)..... Is it a problem with my plug-ins? Could you tell me the command line you use to start Snort?
Reply: service snortd restart or service snortd start