2014-08-26
********************************************************************************
這幾篇是相關的 ( 3 大步驟)
[研究] snort-2.9.6.2.tar.gz (CentOS 6.5 x64) 快速安裝程式
http://shaurong.blogspot.com/2014/08/snort-2962targz-centos-65-x64.html
[研究] Snort 2.9.6.2 + Barnyard 2.13 安裝 (CentOS 6.5 x64) 快速安裝程式
http://shaurong.blogspot.com/2014/08/snort-2962-barnyard-213-centos-65-x64.html
[研究] Snort 2.9.6.1 + Barnyard + BASE 安裝 (CentOS 6.5 x64) 快速安裝程式
(待測試)
********************************************************************************
這幾篇是相關的 ( 3 大步驟)
[研究] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) 快速安裝程式
http://shaurong.blogspot.tw/2014/06/snort-2961targz-centos-65-x64.html
[研究] Snort 2.9.6.1 + Barnyard 2.13 安裝 (CentOS 6.5 x64) 快速安裝程式
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-213-centos-65-x64.html
或
[研究] Snort 2.9.6.1 + Barnyard 安裝 (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-centos-65-x64.html
[研究] Snort 2.9.6.1 + Barnyard + BASE 安裝 (CentOS 6.5 x64) 快速安裝程式
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64_20.html
或
[研究] Snort 2.9.6.1 + Barnyard + BASE 安裝 (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64.html
********************************************************************************
資料庫名稱小弟用 snortdb,您可以換掉
MySQL root 密碼用 654321,您可以換掉
MySQL 帳號 barnyard2 ,您可以換掉
MySQL 帳號 barnyard2 的密碼 123456,您可以換掉
全部用 root 操作省麻煩
| su root |
快速安裝程式如下
| #!/bin/bash echo -e "\033[31m" echo -e "Program : snort2.9.6.2_barnyard2_centos6.5x64.sh " echo -e "Barnyard 2.13 Install Shell Script (CentOS 6.5 x64 + Snort 2.9.6.2) " echo -e "by Shau-Rong Lu 2014-08-20 " echo -e "\033[0m" yum -y install mysql mysql-devel git libtool mysql-server httpd php php-mysql php-mbstring php-mcrypt cd /usr/local/src git clone https://github.com/firnsy/barnyard2.git barnyard2 cd barnyard2 ./autogen.sh if [ "`uname -a | grep x86_64`" != "" ]; then echo "x86_64" ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql else echo "x86" ./configure --with-mysql exit fi make && make install cp rpm/barnyard2 /etc/init.d/ chmod +x /etc/init.d/barnyard2 cp rpm/barnyard2.config /etc/sysconfig/barnyard2 chkconfig --add barnyard2 ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf ln -s /usr/local/bin/barnyard2 /usr/bin/ mkdir -p /var/log/snort/eth0/archive/ ln -s /usr/local/bin/snort /usr/sbin/snort # modify BARNYARD_OPTS= sed -i -e "s@BARNYARD_OPTS=@#BARNYARD_OPTS=@" /etc/init.d/barnyard2 sed -i -e "/BARNYARD_OPTS=\"-D -c \$CONF/aBARNYARD_OPTS=\"-D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid\"" /etc/init.d/barnyard2 cat /etc/init.d/barnyard2 | grep "BARNYARD_OPTS=" chkconfig barnyard2 reset # modify /etc/sysconfig/barnyard2, match barnyard's and snort's setting # remark LOG_FILE= sed -i -e "s@LOG_FILE=@#LOG_FILE=@" /etc/sysconfig/barnyard2 # append LOG_FILE="snort.log" sed -i -e "/LOG_FILE=\"snort_unified.log\"/aLOG_FILE=\"snort.log\"" /etc/sysconfig/barnyard2 # check cat /etc/sysconfig/barnyard2 | grep "LOG_FILE=" # modify /etc/snort/snort.conf # remark output unified2 sed -i -e "s@output unified2@#output unified2@" /etc/snort/snort.conf # append output unified2: filename snort.log, limit 128 sed -i -e "/output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types/aoutput unified2: filename snort.log, limit 128" /etc/snort/snort.conf # check cat /etc/snort/snort.conf | grep "output unified2" # modify /etc/sysconfig/snort cp /usr/local/src/snort-2.9.6.2/rpm/snort.sysconfig /etc/sysconfig/snort # remark two line sed -i -e "s@ALERTMODE=fast@#ALERTMODE=fast@" /etc/sysconfig/snort sed -i -e "s@BINARY_LOG=1@#BINARY_LOG=1@" /etc/sysconfig/snort # check cat /etc/sysconfig/snort | grep "ALERTMODE=fast" cat /etc/sysconfig/snort | grep "BINARY_LOG=1" # set MySQL root's password is 654321, you can change service mysqld restart /usr/bin/mysqladmin -u root password '654321' /usr/bin/mysqladmin -u root -h localhost.localdomain password '654321' -p654321 mysql -e "create database snortdb;" -uroot -p654321 mysql -e "grant all privileges on snortdb.* to barnyard2@localhost identified by '123456';" -uroot -p654321 mysql -e "flush privileges;" -uroot -p654321 #set barnyard2 output to mysql #remark sed -i -e "s@output database@#output database@" /etc/snort/barnyard.conf #append sed -i -e "/output database: log, mysql, user=root password=test dbname=db host=localhost/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=snortdb host=localhost" /etc/snort/barnyard.conf # check cat /etc/snort/barnyard.conf | grep "output database" # create barnyard2's tables in snortdb mysql snortdb -ubarnyard2 -p123456 < /usr/local/src/barnyard2/schemas/create_mysql #check mysql -e "use snortdb; show tables;" -uroot -p654321 cp /usr/local/src/snort-2.9.6.2/etc/gen-msg.map /etc/snort/. #Start barnyard2 -T -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid if [ "$?" != "0" ]; then echo "Barnyard2 or Snort Setting is error !" exit fi service snortd restart if [ "$?" != "0" ]; then echo "Snort ReStart Failed !" exit fi service snortd status ps axu| grep snort service barnyard2 restart if [ "$?" != "0" ]; then echo "Barnyard2 ReStart Failed !" exit fi service barnyard2 status ps aux | grep snort |
其中 barnyard2 執行情況如下
[root@localhost barnyard2]# barnyard2 -T -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid Running in Test mode --== Initializing Barnyard2 ==-- Initializing Input Plugins! Initializing Output Plugins! Parsing config file "/etc/snort/barnyard.conf" +[ Signature Suppress list ]+ ---------------------------- +[No entry in Signature Suppress List]+ ---------------------------- +[ Signature Suppress list ]+ Barnyard2 spooler: Event cache size set to [2048] INFO database: Defaulting Reconnect/Transaction Error limit to 10 INFO database: Defaulting Reconnect sleep time to 5 second [ClassificationPullDataStore()]: No Classification found in database ... [SignaturePullDataStore()]: No signature found in database ... [SystemPullDataStore()]: No System found in database ... [ReferencePullDataStore()]: No Reference found in database ... [SignatureReferencePullDataStore()]: No Reference found in database ... database: compiled support for (mysql) database: configured to use mysql database: schema version = 107 database: host = localhost database: user = barnyard2 database: database name = snortdb database: sensor name = localhost.localdomain:NULL database: sensor id = 1 database: sensor cid = 1 database: data encoding = hex database: detail level = full database: ignore_bpf = no database: using the "log" facility --== Initialization Complete ==-- ______ -*> Barnyard2 <*- / ,,_ \ Version 2.1.13 (Build 327) |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/ + '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com> Barnyard2 successfully loaded configuration file! Barnyard2 exiting database: Closing connection to database "snortdb" [root@localhost barnyard2]# [root@localhost barnyard2]# service snortd restart Stopping Snort: [ OK ] Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600) Spawning daemon child... My daemon child 53272 lives... Daemon parent exiting (0) [ OK ] |
用 ps aux | grep snort 檢查應該有兩筆,一筆是 snort 執行,一筆是 barnyard2 執行,少了就有問題。
[root@localhost src]# ps aux | grep snort root 29164 0.2 18.2 662164 348684 ? Ssl 23:26 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf root 29194 6.0 4.8 143656 92468 ? Ss 23:26 0:26 barnyard2 -D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid root 29333 0.0 0.0 103248 872 pts/1 S+ 23:33 0:00 grep snort [root@localhost src]# |
測試
手動去
http://www.phpmyadmin.net/home_page/downloads.php
網站下載 phpMyAdmin-4.0.10-all-languages.zip 回來安裝,方便稍後檢查是否輸出到 mysql
( phpMyAdmin 4.1.x 和 4.2.x 只支援 MySQL 5.5.0 或更新,不支援 CentOS 6.5 用 yum 安裝的 5.1.x 版,只能下載 4.0.x 版用)
[root@localhost src]# yum -y install httpd
[root@localhost src]# service httpd restart
[root@localhost src]# cd /usr/local/src
[root@localhost src]# unzip phpMyAdmin-4.0.10.2-all-languages.zip -d /var/www/html
[root@localhost src]# mv /var/www/html/phpMyAdmin-4.0.10.2-all-languages /var/www/html/phpMyAdmin
檢查目前輸出情況
[root@localhost src]# ls -al /var/log/snort
total 36
drwx------. 5 snort snort 4096 Aug 26 23:26 .
drwxr-xr-x. 14 root root 4096 Aug 26 23:24 ..
-rw-r--r--. 1 root root 0 Aug 26 23:20 alert
-rw-------. 1 root root 2056 Aug 26 23:26 barnyard2.waldo
-rw-r--r--. 1 snort snort 18 Jul 18 2013 .bash_logout
-rw-r--r--. 1 snort snort 176 Jul 18 2013 .bash_profile
-rw-r--r--. 1 snort snort 124 Jul 18 2013 .bashrc
drwxr-xr-x. 3 root root 4096 Aug 26 23:25 eth0
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Aug 18 02:47 .mozilla
-rw-------. 1 root root 0 Aug 26 23:26 snort.log.1409066778
[root@localhost src]#
(下圖) 用瀏覽器連上
http://192.168.128.201/phpMyAdmin
網址 (IP 是 mysql + phpMyAdmin 主機的 IP ,帳號密碼為可存取 mysql 資料庫的,例如 root 和 654321 (問你自己) 或 barnyard2 和 123456)
點選 snortdb 資料庫,看目前所有 tables 有幾 筆資料
到另一台主機,進行攻擊 (實測若 nikto.pl 和 snort 同一台,測試無攻擊效果)
Snort 那台 IP 為 192.168.128.201
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.201
回 snort 電腦檢查結果
[root@localhost src]# ls -al /var/log/snort
total 40
drwx------. 5 snort snort 4096 Aug 26 23:26 .
drwxr-xr-x. 14 root root 4096 Aug 26 23:24 ..
-rw-r--r--. 1 root root 0 Aug 26 23:20 alert
-rw-------. 1 root root 2056 Aug 26 23:31 barnyard2.waldo
-rw-r--r--. 1 snort snort 18 Jul 18 2013 .bash_logout
-rw-r--r--. 1 snort snort 176 Jul 18 2013 .bash_profile
-rw-r--r--. 1 snort snort 124 Jul 18 2013 .bashrc
drwxr-xr-x. 3 root root 4096 Aug 26 23:25 eth0
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Aug 18 02:47 .mozilla
-rw-------. 1 root root 3572 Aug 26 23:31 snort.log.1409066778
[root@localhost src]#
應該會有一個 barnyard2.waldo 檔案存在,snort.log.xxxx 可能不只一個,在每次 snort 重新啟動都會新建立一個,只有新建立的這個 size 會變大
(下圖) 所有 tables 的資料筆數應該增加 ( 請等幾秒按 F5 更新畫面,寫入要花點時間)
alert 檔案在只安裝 snort,沒有安裝 barnyard 時候,每攻擊一次會變大一次,但是目前不會變大了
(未完待續....還有 BASE 和 ADODB)
(完)
相關文章
[研究] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) 快速安裝程式
[研究] Snort 2.9.6.1 + Barnyard 2.13 安裝 (CentOS 6.5 x64) 快速安裝程式
或
[研究] Snort 2.9.6.1 + Barnyard 安裝 (CentOS 6.5 x64)
[研究] Snort 2.9.6.1 + Barnyard + BASE 安裝 (CentOS 6.5 x64) 快速安裝程式
或
[研究] Snort 2.9.6.1 + Barnyard + BASE 安裝 (CentOS 6.5 x64)
--------------
[研究] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) 快速安裝程式(二)
或
[研究] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) 快速安裝程式
[研究] Snort 2.9.5.5 + Barnyard 安裝 (CentOS 6.4 x64)
[研究] Snort 2.9.5.5 + Barnyard +BASE 安裝 (CentOS 6.4 x64)
--------------
[研究] snort-2.9.4.tar.gz (CentOS 6.3 x86) 快速安裝程式
[研究] Snort 2.9.0.5 安裝(Fedora 15 x86)
[研究] N-Stalker Web Application Security Scanner X Free Edition 網站漏洞掃描軟體使用
[研究] N-Stalker Free Edition 2012 網站漏洞掃描軟體使用教學
[研究] Snort 2.9.0.5 安裝(Fedora 15 x86)
[研究] Snort 2.9.0.3 (tar.gz)安裝(Fedora 14 x86)
[研究] Snort 2.8.5.2.tar.gz+MySQL+BASE快速安裝程式(CentOS 5.4)
[研究]Snort 2.8.5.2.tar.gz+MySQL+BASE快速安裝程式(Fedora 12 x86)
[教學] [研究] Snort 2.8.1快速安裝程式精簡版(Fedora 8 )
[root@localhost snort]# service snortd start
回覆刪除sudo: ./etc/rc.d/init.d/functions: command not found
Starting Snort: sudo: daemon: command not found
You have new mail in /var/spool/mail/root
不好意思請問一下
我的執行結果好像行不通的說
他給我這一段東西可是我不知道這一段是怎麼回事@@
還有daemon是指甚麼東西??我不懂這個東西
你的電腦中沒有 ./etc/rc.d/init.d/functions
刪除你是 CentOS 6.x 版 x64 嗎 ?
請問一下喔
刪除我用這些版本安裝
snort 2.9.7.0
barnyard2-2-1.13
centos 6.5x64
這些來安裝的話會跟你的教學差很多嗎?
Snort 2.9.6.2 => snort 2.9.7.0 是很小的改版,理論上安裝方法相同
刪除[研究] snort-2.9.7.0.tar.gz (CentOS 6.6 x64) 快速安裝程式
刪除http://shaurong.blogspot.tw/2015/02/snort-2970targz-centos-66-x64.html
[研究] Snort 2.9.7.0 + Barnyard 2.13 安裝 (CentOS 6.5 x64) 快速安裝程式
刪除http://shaurong.blogspot.com/2015/02/snort-2970-barnyard-213-centos-66-x64.html
注意你的網卡名稱是 System eth0 還是 eth0
刪除謝謝你,大部分的問題都解決了,現在都安裝完成了
刪除現在卻是發生了另外一個問題,我使用你說的NIKTO下去做攻擊測試,BASE是可以截取到的
可是我用IPV6的工具EX:smurf6去做攻擊的時候卻無法接收到ICMP的封包
可以顯示IPV4卻無法顯示IPV6的BASE有什麼辦法可以解決嗎@@
P.S. Snort是都可以接收到封包的
另外找工具吧,如果您有發現合適的,麻煩也告訴小弟一聲,謝謝 :)
刪除版主請問一聲,
回覆刪除1. 如果要monitor多個1張NIC, 是不是加1個instance去做? 改這files可不可行 /etc/sysconfig/snort and /etc/sysconfig/barnyard2 ?
On /etc/sysconfig/snort
INTERFACE=“eth0 eth1”
On /etc/sysconfig/barnyard2
INTERFACES=“eth0 eth1"
snort version 2.9.6.1
barnyard2 version 2.1.13 Build 327
mysql version 5.1.73-3 64bit
2. upgrade snort, 是不是install 新version rpm就可以?
Regards,
Wilson
問題1請看這篇下方的討論
刪除http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-centos-65-x64.html
> 2. upgrade snort, 是不是install 新version rpm就可以?
刪除Linux 套件只要差異 0.1 版就是大改版,就可能不行,例如 2.8.x 到 2.9.x,但不保證絕對不行;如果是 2.9.6.x 變成 2.9.7.x 算小改版,可能可以,但不保證絕對可以,有可能設定檔案被蓋掉,或發生甚麼沒預料到的事情
版主,
刪除Snort 已可以monitor 2張NIC了.
(i) copy /etc/sysconfig/snort to another file
(ii) change the network interface name on file from (i)
(iii) copy /etc/init.d/snort to another file
(iv) change the new filename from (ii) "/etc/sysconfig/snort" on init file from (iii)
But the Barnyard cannot detect new alert from the snort log file. From the /var/log/message it show it waiting for new data on the new spool snort file.
Will check again tomorrow!!!
謝謝你
感謝 :)
刪除Barnyard2 還是不update record to database....
刪除用原來的code去start snort 和 barnyard2就無問題 (/etc/init.d/snortd 同 /etc/init.d/barnyard2) 但只能monitor eth0 only.
1. copy /etc/sysconfig/barnyard2 to /etc/sysconfig/barnyard2_0 and /etc/sysconfig/barnyard2_1
改 /var/log/snort 去新 path
2. copy /etc/snort/barnyard.conf to /etc/sysconfig/barnyard0.conf and /etc/sysconfig/barnyard1.conf
改 interface name eth0 and eth1
3. copy /etc/init.d/barnyard2 to /etc/init.d/barnyard2_0 and /etc/init.d/barnyard2_1
改新file內的 sysconfig file為 /etc/sysconfig/barnyard0.conf and /etc/sysconfig/barnyard1.conf
還有什麼miss?
想問start multi snort 用這個start, 但個Log path 是不是用同1個path? 因為/etc/snort/snort.conf無 例出 /var/log/snort
刪除snort -c /etc/snort/snort.conf 和
snort -c /etc/snort/snort2.conf
版主,
刪除問題巳解決. 原因startup snort的parameter做成.
有問題startup是這樣
/usr/local/bin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort0
而正常startup是這樣
/usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf -l /var/log/snort0
Regards,
Wilson
感謝分享經驗, -g 應該是執行 snort 的 group,-u應該是執行 snort 的 user,如果電腦中有這個帳號和群組,而且有足夠權限,應該是可以的,如果沒有或權限不足,就會失敗
刪除版主,
刪除在https://github.com/firnsy/barnyard2/issues/ 有人回答,問題是那個snort log file有可能不是否u2 format所以barnyard2吾識讀所以 snort log file有update但barnyard2 無update.