[Research] iftop 1.0pre4 traffic monitoring tool installation (CentOS 7.0 x64)
2015-02-03
2017-10-18: the iftop version on CentOS 7.4 is the same.
Official website
http://www.ex-parrot.com/~pdw/iftop/
*********************************************************************************
2018-01-28 addendum
[Research] Installing and enabling the EPEL Repository (CentOS 7.x)
http://shaurong.blogspot.com/2014/08/epel-repository-centos-70.html
*********************************************************************************
Installation
rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum -y install iftop
or
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
rpm -ivh epel-release-7-5.noarch.rpm
yum -y install iftop
or
yum -y install epel-release
yum -y install iftop
Run
iftop
(End)
Related
[Research] iftop 1.0pre4 traffic monitoring tool installation (CentOS 7.0 x64)
http://shaurong.blogspot.com/2015/02/iftop-10pre4-centos-70-x64.html
[Research] iftop 1.0pre2 traffic monitoring tool installation (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/01/iftop-10pre2-centos-65-x64.html
[Research] iftop: showing real-time network traffic (Fedora 8)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=15027
[Research] Installing CentOS Linux 7.0.1406 x64 on an ext4 file system
2015-02-03
For the CentOS 7.0 installation itself, see this post:
[Research] CentOS Linux 7.0.1406 installation
http://shaurong.blogspot.tw/2014/07/centos-linux-701406.html
The installer defaults to the XFS file system, but some software does not support it.
http://en.wikipedia.org/wiki/XFS
To install CentOS 7.0 on ext4, follow the screens below for the affected steps.
(Figure below) Change the file system of /home, /boot, / and so on from the default xfs to ext4, one by one.
(End)
[Research] Snort 2.9.7.0 + Barnyard 2.13 installation (CentOS 6.6 x64) quick-install script
2015-02-03
********************************************************************************
These posts are related (3 main steps)
[Research] snort-2.9.7.0.tar.gz (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.tw/2015/02/snort-2970targz-centos-66-x64.html
[Research] Snort 2.9.7.0 + Barnyard 2.13 installation (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.com/2015/02/snort-2970-barnyard-213-centos-66-x64.html
********************************************************************************
These posts are related (3 main steps)
[Research] snort-2.9.6.2.tar.gz (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.com/2014/08/snort-2962targz-centos-65-x64.html
[Research] Snort 2.9.6.2 + Barnyard 2.13 installation (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.com/2014/08/snort-2962-barnyard-213-centos-65-x64.html
[Research] Snort 2.9.6.1 + Barnyard + BASE installation (CentOS 6.5 x64) quick-install script
(to be tested)
********************************************************************************
These posts are related (3 main steps)
[Research] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.tw/2014/06/snort-2961targz-centos-65-x64.html
[Research] Snort 2.9.6.1 + Barnyard 2.13 installation (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-213-centos-65-x64.html
or
[Research] Snort 2.9.6.1 + Barnyard installation (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-centos-65-x64.html
[Research] Snort 2.9.6.1 + Barnyard + BASE installation (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64_20.html
or
[Research] Snort 2.9.6.1 + Barnyard + BASE installation (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64.html
********************************************************************************
The database name I use is snortdb; you can change it.
The MySQL root password used is 654321; you can change it.
The MySQL account is barnyard2; you can change it.
The password for the MySQL account barnyard2 is 123456; you can change it.
Everything is done as root to save trouble:
su root
The quick-install script is as follows:
#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.7.0_barnyard2_centos6.6x64.sh "
echo -e "Barnyard 2.13 Install Shell Script (CentOS 6.6 x64 + Snort 2.9.7.0) "
echo -e "by Shau-Rong Lu 2015-02-03 "
echo -e "\033[0m"

yum -y install mysql mysql-devel git libtool mysql-server httpd php php-mysql php-mbstring php-mcrypt

cd /usr/local/src
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
if [ "`uname -a | grep x86_64`" != "" ]; then
  echo "x86_64"
  ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
else
  echo "x86"
  ./configure --with-mysql
  exit
fi
make && make install

cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir -p /var/log/snort/eth0/archive/
ln -s /usr/local/bin/snort /usr/sbin/snort

# modify BARNYARD_OPTS=
sed -i -e "s@BARNYARD_OPTS=@#BARNYARD_OPTS=@" /etc/init.d/barnyard2
sed -i -e "/BARNYARD_OPTS=\"-D -c \$CONF/aBARNYARD_OPTS=\"-D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid\"" /etc/init.d/barnyard2
cat /etc/init.d/barnyard2 | grep "BARNYARD_OPTS="
chkconfig barnyard2 reset

# modify /etc/sysconfig/barnyard2, match barnyard's and snort's setting
# remark LOG_FILE=
sed -i -e "s@LOG_FILE=@#LOG_FILE=@" /etc/sysconfig/barnyard2
# append LOG_FILE="snort.log"
sed -i -e "/LOG_FILE=\"snort_unified.log\"/aLOG_FILE=\"snort.log\"" /etc/sysconfig/barnyard2
# check
cat /etc/sysconfig/barnyard2 | grep "LOG_FILE="

# modify /etc/snort/snort.conf
# remark output unified2
sed -i -e "s@output unified2@#output unified2@" /etc/snort/snort.conf
# append output unified2: filename snort.log, limit 128
sed -i -e "/output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types/aoutput unified2: filename snort.log, limit 128" /etc/snort/snort.conf
# check
cat /etc/snort/snort.conf | grep "output unified2"

# modify /etc/sysconfig/snort
cp /usr/local/src/snort-2.9.7.0/rpm/snort.sysconfig /etc/sysconfig/snort
# remark two line
sed -i -e "s@ALERTMODE=fast@#ALERTMODE=fast@" /etc/sysconfig/snort
sed -i -e "s@BINARY_LOG=1@#BINARY_LOG=1@" /etc/sysconfig/snort
# check
cat /etc/sysconfig/snort | grep "ALERTMODE=fast"
cat /etc/sysconfig/snort | grep "BINARY_LOG=1"

# set MySQL root's password is 654321, you can change
service mysqld restart
/usr/bin/mysqladmin -u root password '654321'
/usr/bin/mysqladmin -u root -h localhost.localdomain password '654321' -p654321
mysql -e "create database snortdb;" -uroot -p654321
mysql -e "grant all privileges on snortdb.* to barnyard2@localhost identified by '123456';" -uroot -p654321
mysql -e "flush privileges;" -uroot -p654321

#set barnyard2 output to mysql
#remark
sed -i -e "s@output database@#output database@" /etc/snort/barnyard.conf
#append
sed -i -e "/output database: log, mysql, user=root password=test dbname=db host=localhost/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=snortdb host=localhost" /etc/snort/barnyard.conf
# check
cat /etc/snort/barnyard.conf | grep "output database"

# create barnyard2's tables in snortdb
mysql snortdb -ubarnyard2 -p123456 < /usr/local/src/barnyard2/schemas/create_mysql
#check
mysql -e "use snortdb; show tables;" -uroot -p654321

cp /usr/local/src/snort-2.9.7.0/etc/gen-msg.map /etc/snort/.

#Start
barnyard2 -T -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
if [ "$?" != "0" ]; then
  echo "Barnyard2 or Snort Setting is error !"
  exit
fi

service snortd restart
if [ "$?" != "0" ]; then
  echo "Snort ReStart Failed !"
  exit
fi
service snortd status
ps axu| grep snort

service barnyard2 restart
if [ "$?" != "0" ]; then
  echo "Barnyard2 ReStart Failed !"
  exit
fi
service barnyard2 status
ps aux | grep snort
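The script above edits snort.conf, barnyard.conf and the sysconfig files with sed pairs: comment out the old directive, then append the new one after a matching line. The snort script in the next post does the same for the RULE_PATH variables. That works on a fresh install, but every re-run appends the directive again, so a second run leaves duplicate active lines. The helper below is an added example, not the author's script, showing an idempotent version of the same edit; the names set_directive, active_count and demo_snort_conf, and the two-line snort.conf fragment, are this example's own.

```shell
#!/bin/bash
# Added example, not the author's script: an idempotent replacement for the
# sed pairs used above ("comment out the old directive, append the new one").
# set_directive, active_count and demo_snort_conf are this example's own names.

# set_directive FILE PREFIX LINE
# If LINE is already present and active, do nothing. Otherwise comment out
# every active line that starts with PREFIX and append LINE once.
set_directive() {
    local file="$1" prefix="$2" line="$3"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    # Only uncommented lines match '^PREFIX', so lines already starting
    # with '#' are left untouched instead of gaining a second '#'.
    sed -i -e "s|^\(${prefix}\)|#\1|" "$file"
    printf '%s\n' "$line" >> "$file"
}

# active_count FILE PREFIX: number of uncommented lines that start with PREFIX.
active_count() {
    grep -c -- "^$2" "$1" || true
}

# Worked run on a constructed two-line fragment of the snort.conf output
# section (the stock file ships the directive commented out; the second line
# stands in for an earlier manual edit). Applying the same edit twice must
# still leave exactly one active 'output unified2' line; prints that count.
demo_snort_conf() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
EOF
    set_directive "$tmp" "output unified2" "output unified2: filename snort.log, limit 128"
    set_directive "$tmp" "output unified2" "output unified2: filename snort.log, limit 128"
    active_count "$tmp" "output unified2"
    rm -f "$tmp"
}

# Usage on a real sensor, mirroring the post's edits:
#   set_directive /etc/snort/snort.conf "output unified2" "output unified2: filename snort.log, limit 128"
#   set_directive /etc/snort/barnyard.conf "output database" "output database: log, mysql, user=barnyard2 password=123456 dbname=snortdb host=localhost"
#   snort -T -c /etc/snort/snort.conf   # validate before restarting, as the script does
```

Because set_directive checks for the exact active line first, the install script can be re-run after a failed step without accumulating output directives; validating with snort -T afterwards (as the original script does) still applies.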
The barnyard2 test run inside the script produces output like this:
[root@localhost barnyard2]# barnyard2 -T -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
Running in Test mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard.conf"
+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+
Barnyard2 spooler: Event cache size set to [2048]
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[ClassificationPullDataStore()]: No Classification found in database ...
[SignaturePullDataStore()]: No signature found in database ...
[SystemPullDataStore()]: No System found in database ...
[ReferencePullDataStore()]: No Reference found in database ...
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = barnyard2
database: database name = snortdb
database: sensor name = localhost.localdomain:NULL
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility
--== Initialization Complete ==--
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.14 (Build 335)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snortdb"
[root@localhost barnyard2]#
Check with ps aux | grep snort: there should be two entries, one for the running snort and one for the running barnyard2; if either is missing, something is wrong.
[root@localhost barnyard2]# ps aux | grep snort
root 29516 0.0 20.3 722560 387292 ? Ssl 12:20 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root 29550 55.6 5.0 148000 96556 ? Ss 12:20 0:23 barnyard2 -D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
root 29569 0.0 0.0 103244 872 pts/1 S+ 12:21 0:00 grep snort
[root@localhost barnyard2]#
Testing
Manually download phpMyAdmin-4.0.10-all-languages.zip from
http://www.phpmyadmin.net/home_page/downloads.php
and install it; it makes it easy to check later whether events are being written to MySQL.
(phpMyAdmin 4.1.x and 4.2.x only support MySQL 5.5.0 or newer, not the 5.1.x that yum installs on CentOS 6.6, so only the 4.0.x release can be used.)
[root@localhost src]# yum -y install httpd
[root@localhost src]# service httpd restart
[root@localhost src]# cd /usr/local/src
[root@localhost src]# unzip phpMyAdmin-4.0.10.8-all-languages.zip -d /var/www/html
[root@localhost src]# mv /var/www/html/phpMyAdmin-4.0.10.8-all-languages /var/www/html/phpMyAdmin
Check the current output files:
[root@localhost src]# ls -al /var/log/snort
total 48
drwx------. 5 snort snort 4096 Feb 3 12:21 .
drwxr-xr-x. 14 root root 4096 Feb 3 12:14 ..
-rw-r--r--. 1 root root 4343 Feb 3 12:04 alert
-rw-------. 1 root root 2056 Feb 3 12:21 barnyard2.waldo
-rw-r--r--. 1 snort snort 18 Oct 16 21:56 .bash_logout
-rw-r--r--. 1 snort snort 176 Oct 16 21:56 .bash_profile
-rw-r--r--. 1 snort snort 124 Oct 16 21:56 .bashrc
drwxr-xr-x. 3 root root 4096 Feb 3 12:17 eth0
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Feb 3 2015 .mozilla
-rw-------. 1 root root 2876 Feb 3 12:04 snort.log.1422935941
-rw-------. 1 root root 0 Feb 3 12:20 snort.log.1422937241
[root@localhost src]#
(Figure below) Open
http://192.168.128.101/phpMyAdmin
in a browser (the IP is that of the MySQL + phpMyAdmin host; log in with any account that can access the MySQL database, e.g. root / 654321 (your own choice) or barnyard2 / 123456).
Select the snortdb database and note how many rows each table currently holds.
Then, from another host, run the attack (in my test, running nikto.pl on the same machine as snort produced no alerts).
The snort host's IP is 192.168.128.101.
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
Go back to the snort machine and check the result:
[root@localhost src]# ls -al /var/log/snort
total 52
drwx------. 5 snort snort 4096 Feb 3 12:21 .
drwxr-xr-x. 14 root root 4096 Feb 3 12:14 ..
-rw-r--r--. 1 root root 4343 Feb 3 12:04 alert
-rw-------. 1 root root 2056 Feb 3 12:27 barnyard2.waldo
-rw-r--r--. 1 snort snort 18 Oct 16 21:56 .bash_logout
-rw-r--r--. 1 snort snort 176 Oct 16 21:56 .bash_profile
-rw-r--r--. 1 snort snort 124 Oct 16 21:56 .bashrc
drwxr-xr-x. 3 root root 4096 Feb 3 12:17 eth0
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Feb 3 2015 .mozilla
-rw-------. 1 root root 2876 Feb 3 12:04 snort.log.1422935941
-rw-------. 1 root root 3572 Feb 3 12:27 snort.log.1422937241
[root@localhost src]#
There should be a barnyard2.waldo file, and there may be more than one snort.log.xxxx file: snort creates a new one every time it restarts, and only the newest one grows.
(Figure below) The row counts of all tables should have increased (wait a few seconds and press F5 to refresh; the writes take a moment).
When only snort was installed, without barnyard, the alert file grew after every attack; now it no longer grows, because once an output plugin (here unified2) is configured in snort.conf, snort stops writing its default alert file.
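The post asks you to confirm three things by hand: two daemons in the ps output, the barnyard2.waldo bookmark present, and the newest snort.log.* spool file growing. The following shell health check is an added example, not part of the original post, that does the same checks on a constructed copy of the listing and ps output shown above; the function names and the sample directory are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not part of the original post: a health check for the
# snort + barnyard2 pipeline that automates the three manual checks above.
# Function names, the constructed sample listing and the sample ps output are
# this example's own assumptions, modelled on the output shown in the post.

# Read 'ps aux' output on stdin and count the snort and barnyard2 daemons.
# The 'grep snort' process from the check itself is ignored, as in the post.
count_ids_daemons() {
    awk '
        $11 == "grep" { next }
        $11 ~ /(^|\/)snort$/     { s++ }
        $11 ~ /(^|\/)barnyard2$/ { b++ }
        END { printf "snort=%d barnyard2=%d\n", s, b }
    '
}

# Print "<name> <bytes>" for the newest unified2 spool file (snort.log.<epoch>)
# in DIR. snort opens a new spool on every restart, so only the newest grows.
newest_spool() {
    local dir="$1" newest
    newest=$(ls "$dir" | grep '^snort\.log\.[0-9][0-9]*$' | sort -t. -k3,3n | tail -n 1)
    [ -n "$newest" ] || return 1
    printf '%s %s\n' "$newest" "$(wc -c < "$dir/$newest" | tr -d ' ')"
}

# check_pipeline DIR PS_OUTPUT: prints one line per check; exit status 0 only
# when both daemons run, the waldo bookmark exists and a spool file is present.
check_pipeline() {
    local dir="$1" ps_output="$2" status=0 counts spool
    counts=$(printf '%s\n' "$ps_output" | count_ids_daemons)
    if [ "$counts" = "snort=1 barnyard2=1" ]; then
        echo "OK   daemons: $counts"
    else
        echo "FAIL daemons: $counts (expected one snort and one barnyard2)"
        status=1
    fi
    if [ -f "$dir/barnyard2.waldo" ]; then
        echo "OK   $dir/barnyard2.waldo present"
    else
        echo "FAIL $dir/barnyard2.waldo missing: barnyard2 has not processed the spool"
        status=1
    fi
    if spool=$(newest_spool "$dir"); then
        echo "OK   newest spool: $spool"
        # An empty newest spool means no events since the last snort restart.
        case "$spool" in *" 0") echo "WARN newest spool is empty (no events since last restart)" ;; esac
    else
        echo "FAIL no snort.log.* spool files in $dir"
        status=1
    fi
    return $status
}

# Constructed sample: the file sizes from the post's second 'ls -al' listing
# (contents are dummy zero bytes) and the post's 'ps aux | grep snort' lines.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    : > "$d/alert"
    head -c 2056 /dev/zero > "$d/barnyard2.waldo"
    head -c 2876 /dev/zero > "$d/snort.log.1422935941"
    head -c 3572 /dev/zero > "$d/snort.log.1422937241"
    echo "$d"
}

SAMPLE_PS='root 29516 0.0 20.3 722560 387292 ? Ssl 12:20 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root 29550 55.6 5.0 148000 96556 ? Ss 12:20 0:23 barnyard2 -D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
root 29569 0.0 0.0 103244 872 pts/1 S+ 12:21 0:00 grep snort'

# On a live sensor:  check_pipeline /var/log/snort "$(ps aux)"
# On the sample:     check_pipeline "$(make_sample_dir)" "$SAMPLE_PS"
```

The check deliberately reports the three conditions separately: a missing waldo file with both daemons running points at barnyard2 never having read the spool (wrong -d/-f options), while a present waldo and an empty newest spool points at snort having restarted without logging anything since.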
(To be continued... BASE and ADODB still to come)
(End)
Related posts
[Research] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) quick-install script
[Research] Snort 2.9.6.1 + Barnyard 2.13 installation (CentOS 6.5 x64) quick-install script
or
[Research] Snort 2.9.6.1 + Barnyard installation (CentOS 6.5 x64)
[Research] Snort 2.9.6.1 + Barnyard + BASE installation (CentOS 6.5 x64) quick-install script
or
[Research] Snort 2.9.6.1 + Barnyard + BASE installation (CentOS 6.5 x64)
--------------
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick-install script (2)
or
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick-install script
[Research] Snort 2.9.5.5 + Barnyard installation (CentOS 6.4 x64)
[Research] Snort 2.9.5.5 + Barnyard + BASE installation (CentOS 6.4 x64)
--------------
[Research] snort-2.9.4.tar.gz (CentOS 6.3 x86) quick-install script
[Research] Snort 2.9.0.5 installation (Fedora 15 x86)
[Research] Using N-Stalker Web Application Security Scanner X Free Edition, a web vulnerability scanner
[Research] N-Stalker Free Edition 2012 web vulnerability scanner tutorial
[Research] Snort 2.9.0.3 (tar.gz) installation (Fedora 14 x86)
[Research] Snort 2.8.5.2.tar.gz + MySQL + BASE quick-install script (CentOS 5.4)
[Research] Snort 2.8.5.2.tar.gz + MySQL + BASE quick-install script (Fedora 12 x86)
[Tutorial] [Research] Snort 2.8.1 quick-install script, condensed version (Fedora 8)
[Research] snort-2.9.7.0.tar.gz (CentOS 6.6 x64) quick-install script
2015-02-03
Official website
https://www.snort.org/
Go to
http://ftp.uninett.no/linux/epel/6/x86_64/
and check whether epel-release-6-8.noarch.rpm still exists, or whether it has been replaced by a newer version such as
epel-release-6-9.noarch.rpm
epel-release-6-10.noarch.rpm
...
If so, this line in the quick-install script below may need to be changed:
rpm -Uvh http://ftp.uninett.no/linux/epel/6/x86_64/epel-release-6-8.noarch.rpm
References
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
http://manual.snort.org/
http://www.snort.org/docs
http://s3.amazonaws.com/snort-org/www/assets/202/snort2953_centos6x.pdf
Download location for snort-2.9.7.0.tar.gz and daq-2.0.4.tar.gz
http://www.snort.org/
Download location for libdnet-1.11.tar.gz
http://libdnet.sourceforge.net/
PS: I later found libdnet-1.12.tar.gz here; has the official site moved?
https://code.google.com/p/libdnet/downloads/list
Download location for snortrules-snapshot-2970.tar.gz (free registration; click Sign In and log in before you can download)
http://www.snort.org/
https://www.snort.org/downloads/registered/snortrules-snapshot-2970.tar.gz
The Subscriber Release requires a paid subscription; skip it.
The Registered User Release is free: register and log in to download it.
Download the following files manually and put them in the /usr/local/src directory:
libdnet-1.12.tar.gz
daq-2.0.4.tar.gz
snort-2.9.7.0.tar.gz
snortrules-snapshot-2970.tar.gz
Starting with version 2.9.3, snort no longer supports MySQL output directly; Barnyard2 seems to fill that gap. ADOdb and BASE are not covered in this post; maybe another time.
Database output is dead. R.I.P.
Wednesday, July 18, 2012
http://blog.snort.org/2012/07/database-output-is-dead-rip.html
Barnyard 2 official website
http://www.securixlive.com/
ADOdb official website
http://adodb.sourceforge.net/
http://sourceforge.net/projects/adodb/files/adodb-php5-only/
(last updated 2014-04-30, file adodb-519-for-php5)
BASE official website (Basic Analysis and Security Engine)
http://base.secureideas.net/
http://sourceforge.net/projects/secureideas/files/BASE/
(last updated: v1.4.5, May 2010-03-05)
Quick-install script contents (tested and working); switch to root first with su root (the script itself is reproduced after the test section below).
Note: the script uses the network interface eth0; if yours differs, change it.
If you see the following message, the quick-install script succeeded:
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.7.0 GRE (Build 149)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.4.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.4 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
Snort successfully validated the configuration!
Snort exiting
[ OK ]
You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite
or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite
wget http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl
./nikto.pl -h xxx.xxx.xxx.xxx
[root@localhost ~]#
Testing
[root@localhost snort]# service snortd status
snort (pid 24153) is running...
[root@localhost snort]# service snortd stop
Stopping Snort: [ OK ]
[root@localhost snort]# service snortd start
Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600)
Spawning daemon child...
My daemon child 24206 lives...
Daemon parent exiting (0)
[ OK ]
[root@localhost snort]# service snortd status
snort (pid 24206) is running...
[root@localhost snort]# ps aux | grep snort
root 24206 0.0 20.3 722540 387364 ? Ssl 11:59 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root 24225 0.0 0.0 103244 872 pts/1 S+ 11:59 0:00 grep snort
[root@localhost snort]#
Prepare the snort host as the target:
[root@localhost snort]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]
[root@localhost snort]#
Temporarily stop the firewall:
[root@localhost ~]# service iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
[root@localhost ~]#
First look at the current snort logs; alert is 0 bytes:
[root@localhost snort]# ls -al /var/log/snort
total 28
drwx------. 4 snort snort 4096 Feb 3 11:59 .
drwxr-xr-x. 14 root root 4096 Feb 3 11:55 ..
-rw-r--r--. 1 root root 0 Feb 3 11:56 alert
-rw-r--r--. 1 snort snort 18 Oct 16 21:56 .bash_logout
-rw-r--r--. 1 snort snort 176 Oct 16 21:56 .bash_profile
-rw-r--r--. 1 snort snort 124 Oct 16 21:56 .bashrc
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Feb 3 2015 .mozilla
-rw-------. 1 root root 0 Feb 3 11:59 snort.log.1422935941
[root@localhost snort]#
Use another host to run the attack from (nikto apparently cannot scan its own host, so a second machine is needed).
192.168.128.101 is the host with snort installed.
192.168.128.102 is the host with nikto installed.
[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
^C[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.128.101
+ Target Hostname: 192.168.128.101
+ Target Port: 80
+ Start Time: 2015-02-03 12:04:23 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 1049978, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2015-02-03 12:04:41 (GMT8) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#
Back on the host where snort is installed, the alert file has grown from 0 bytes to a non-zero size, which shows snort is working:
[root@localhost snort]# ls -al /var/log/snort
total 40
drwx------. 4 snort snort 4096 Feb 3 11:59 .
drwxr-xr-x. 14 root root 4096 Feb 3 11:55 ..
-rw-r--r--. 1 root root 4343 Feb 3 12:04 alert
-rw-r--r--. 1 snort snort 18 Oct 16 21:56 .bash_logout
-rw-r--r--. 1 snort snort 176 Oct 16 21:56 .bash_profile
-rw-r--r--. 1 snort snort 124 Oct 16 21:56 .bashrc
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Feb 3 2015 .mozilla
-rw-------. 1 root root 2876 Feb 3 12:04 snort.log.1422935941
[root@localhost snort]#
Test successful.
(End)
[研究] snort-2.9.7.0.tar.gz (CentOS 6.6 x64) 快速安裝程式
http://shaurong.blogspot.tw/2015/02/snort-2970targz-centos-66-x64.html
[研究] snort-2.9.6.2.tar.gz (CentOS 6.6 x64) 快速安裝程式
http://shaurong.blogspot.com/2014/08/snort-2962targz-centos-65-x64.html
2015-02-03
官方網站
https://www.snort.org/
連上
http://ftp.uninett.no/linux/epel/6/x86_64/
看看 epel-release-6-8.noarch.rpm 是否存在,或更新版本為
epel-release-6-9.noarch.rpm
epel-release-6-10.noarch.rpm
...
下方的快速安裝程式的這一行或許要修改
rpm -Uvh http://ftp.uninett.no/linux/epel/6/x86_64/epel-release-6-8.noarch.rpm
參考
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
http://manual.snort.org/
http://www.snort.org/docs
http://s3.amazonaws.com/snort-org/www/assets/202/snort2953_centos6x.pdf
snort-2.9.7.0.tar.gz 和 daq-2.0.4.tar.gz 下載網址
http://www.snort.org/
libdnet-1.11.tar.gz 下載網址
http://libdnet.sourceforge.net/
PS:後來發現這裡有 libdnet-1.12.tar.gz,官方網站搬家?
https://code.google.com/p/libdnet/downloads/list
snortrules-snapshot-2970.tar.gz 下載網址 (免費註冊,點 Sign In,登入後才能下載)
http://www.snort.org/
https://www.snort.org/downloads/registered/snortrules-snapshot-2970.tar.gz
Subscriber Release 是花錢訂閱才能下載的,跳過不看
Registered User Release 免費註冊,登入後才能下載
請自己手動下載下面檔案,放到 /usr/local/src 目錄
libdnet-1.12.tar.gz
daq-2.0.4.tar.gz
snort-2.9.7.0.tar.gz
snortrules-snapshot-2970.tar.gz
snort在版本2.9.3開始不再支援MySQL,好像可以靠 Barnyard2解決,ADOdb 和 BASE 小弟在本篇也暫不討論,有機會再說。
Database output is dead. R.I.P.
Wednesday, July 18, 2012
http://blog.snort.org/2012/07/database-output-is-dead-rip.html
Barnyard 2 官方網站
http://www.securixlive.com/
ADOdb 官方網站
http://adodb.sourceforge.net/
http://sourceforge.net/projects/adodb/files/adodb-php5-only/
(最後更新為 2014-04-30,檔案 adodb-519-for-php5 )
BASE 官方網站 (Basic Analysis and Security Engine)
http://base.secureideas.net/
http://sourceforge.net/projects/secureideas/files/BASE/
(最後更新為 v1.4.5 版 May 2010-03-05)
快速安裝程式內容(實際測試可用),請先用 su root 切換成 root 執行
注意,下面網路卡使用的是 eth0,如果您不是,要修改
#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.7.0_centos6.6x64.sh "
echo -e "snort-2.9.7.0.tar.gz Install Shell Script (CentOS 6.6 x64) "
echo -e "by Shau-Rong Lu 2015-02-03 "
echo -e "\033[0m"

# EPEL repository and build dependencies
rpm -Uvh http://ftp.uninett.no/linux/epel/6/i386/epel-release-6-8.noarch.rpm
yum -y install gcc gcc-c++ flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump libdnet libdnet-devel

cd /usr/local/src

# if [ ! -s libdnet-1.12.tar.gz ]; then
# echo "Can not find /usr/local/src/libdnet-1.12.tar.gz"
# wget http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Flibdnet.sourceforge.net%2F&ts=1382718432&use_mirror=nchc
# exit
# fi

# The source tarballs must already be in /usr/local/src; stop with a non-zero status if any is missing
if [ ! -s daq-2.0.4.tar.gz ]; then
    echo "Can not find /usr/local/src/daq-2.0.4.tar.gz"
    exit 1
fi
if [ ! -s snort-2.9.7.0.tar.gz ]; then
    echo "Can not find /usr/local/src/snort-2.9.7.0.tar.gz"
    exit 1
fi
if [ ! -s snortrules-snapshot-2970.tar.gz ]; then
    echo "Can not find /usr/local/src/snortrules-snapshot-2970.tar.gz"
    exit 1
fi

# tar zxvf libdnet-1.11.tar.gz
tar zxvf daq-2.0.4.tar.gz
tar zxvf snort-2.9.7.0.tar.gz

# cd /usr/local/src/libdnet-1.11
# ./configure --with-pic
# make
# make install

# Build and install DAQ, then Snort
cd /usr/local/src/daq-2.0.4
./configure
make
make install

cd /usr/local/src/snort-2.9.7.0
./configure --enable-sourcefire
make
make install

# cd /usr/local/lib
# ldconfig -v /usr/local/lib

# Unpack the rule snapshot into /etc/snort and create the (empty) reputation lists
mkdir -p /etc/snort
cd /usr/local/src
tar xzvf /usr/local/src/snortrules-snapshot-2970.tar.gz -C /etc/snort
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

# Unprivileged snort account; its home directory doubles as the log directory
groupadd -g 40000 snort
useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort
cp /etc/snort/etc/* /etc/snort/.

# Point the *_PATH variables in snort.conf at /etc/snort:
# comment out the default line, then append the new definition right after it
sed -i -e "s@var RULE_PATH@#var RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var RULE_PATH/avar RULE_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var RULE_PATH"

sed -i -e "s@var SO_RULE_PATH@#var SO_RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var SO_RULE_PATH/avar SO_RULE_PATH /etc/snort/so_rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var SO_RULE_PATH"

sed -i -e "s@var PREPROC_RULE_PATH@#var PREPROC_RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var PREPROC_RULE_PATH/avar PREPROC_RULE_PATH /etc/snort/preproc_rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var PREPROC_RULE_PATH"

sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var WHITE_LIST_PATH"

sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var BLACK_LIST_PATH"

mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

# Validate the configuration before installing the service
snort -T -c /etc/snort/snort.conf
if [ "$?" != "0" ]; then
    echo "Snort Test Failed !"
    exit 1
fi

#cp /root/snort-2.9.7.0/rpm/snortd /etc/init.d/.
#chmod +x /etc/init.d/snortd
#cp /root/snort-2.9.7.0/rpm/snort.sysconfig /etc/sysconfig/snort
#ln -s /usr/local/bin/snort /usr/sbin/snort

# Generate a SysV init script (variables meant for the generated script are escaped)
rm -fr /etc/init.d/snortd
echo '#!/bin/bash' > /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "# chkconfig: 345 99 01" >> /etc/init.d/snortd
echo "# description: Snort startup script" >> /etc/init.d/snortd
echo "# 345 - levels to configure" >> /etc/init.d/snortd
echo "# 99 - startup order" >> /etc/init.d/snortd
echo "# 01 - stop order" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo ". /etc/rc.d/init.d/functions " >> /etc/init.d/snortd
echo "INTERFACE=eth0" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "case \"\$1\" in " >> /etc/init.d/snortd
echo "start)" >> /etc/init.d/snortd
echo " echo -n \"Starting Snort: \"" >> /etc/init.d/snortd
echo " daemon PCAP_FRAMES=max /usr/local/bin/snort -D -i \$INTERFACE -c /etc/snort/snort.conf" >> /etc/init.d/snortd
echo " echo" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "stop)" >> /etc/init.d/snortd
echo " echo -n \"Stopping Snort: \"" >> /etc/init.d/snortd
echo " killproc snort" >> /etc/init.d/snortd
echo " echo" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "restart)" >> /etc/init.d/snortd
echo " \$0 stop" >> /etc/init.d/snortd
echo " \$0 start" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "status)" >> /etc/init.d/snortd
echo " status snort" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "*)" >> /etc/init.d/snortd
echo " echo \"Usage: \$0 {start|stop|restart|status}\"" >> /etc/init.d/snortd
echo " exit 1" >> /etc/init.d/snortd
echo "esac" >> /etc/init.d/snortd
echo "exit 0" >> /etc/init.d/snortd

chmod +x /etc/init.d/snortd
chkconfig --add snortd
chkconfig snortd on
service snortd start
ps aux | grep snort

echo "You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite "
echo ""
echo "or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite"
echo " wget http://www.cirt.net/nikto/nikto-current.tar.gz"
echo " tar zxvf nikto-current.tar.gz"
echo " cd nikto-*"
echo " chmod +x nikto.pl"
echo " ./nikto.pl -h xxx.xxx.xxx.xxx"
Seeing the following messages means the quick-install script succeeded.
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.7.0 GRE (Build 149)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.4.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.4 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
Snort successfully validated the configuration!
Snort exiting
[ OK ]
You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite
or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite
wget http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl
./nikto.pl -h xxx.xxx.xxx.xxx
[root@localhost ~]#
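The script above sets each *_PATH variable by commenting out the stock line and appending a new one after it, which works once but leaves duplicate definitions if the script is re-run or the values are changed later. The function below is an added example (not part of the original script) that does the same edit idempotently: it rewrites the first existing definition in place, drops any later duplicates, appends only if no definition exists, and then checks that exactly one active definition remains. The sample snort.conf fragment is constructed here with the upstream default values; set_snort_var and get_snort_var are names chosen for this example.

```bash
#!/bin/bash
# Added example: idempotent replacement for the comment-then-append sed pairs
# that set the *_PATH variables in snort.conf. Not part of the original post.

# set_snort_var CONF NAME VALUE
set_snort_var() {
    conf=$1
    name=$2
    value=$3
    tmp=$(mktemp)
    awk -v name="$name" -v value="$value" '
        $0 ~ ("^[ \t]*#*[ \t]*var " name "[ \t]") {
            # First definition (active or commented out) is rewritten in place;
            # later duplicates, e.g. left behind by earlier runs, are dropped.
            if (!done) { print "var " name " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print "var " name " " value }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
    # Verify: exactly one active definition must remain.
    [ "$(grep -c "^var $name[[:space:]]" "$conf")" -eq 1 ]
}

# get_snort_var CONF NAME -> prints the active value
get_snort_var() {
    sed -n "s@^var $2[[:space:]]\{1,\}@@p" "$1"
}

# Constructed sample: the relevant lines of a stock snort.conf with the
# upstream default values (the rest of the file is omitted).
make_sample_conf() {
    cat > "$1" <<'EOF'
# Path to your rules files (this can be a relative path)
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

# If you are using reputation preprocessor set these
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
EOF
}

# Apply the same values the install script uses, twice, to show idempotency.
demo() {
    conf=$(mktemp)
    make_sample_conf "$conf"
    for pass in 1 2; do
        set_snort_var "$conf" RULE_PATH /etc/snort/rules
        set_snort_var "$conf" SO_RULE_PATH /etc/snort/so_rules
        set_snort_var "$conf" PREPROC_RULE_PATH /etc/snort/preproc_rules
        set_snort_var "$conf" WHITE_LIST_PATH /etc/snort/rules
        set_snort_var "$conf" BLACK_LIST_PATH /etc/snort/rules
    done
    grep '^var ' "$conf"
    rm -f "$conf"
}

demo
```

Rewriting in place matters because snort.conf uses $RULE_PATH in include lines further down the file, so a definition appended at the end would come too late; the append branch is only a fallback for a file that never defined the variable. On a real system run it as set_snort_var /etc/snort/snort.conf RULE_PATH /etc/snort/rules and follow with snort -T -c /etc/snort/snort.conf, as the script does.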
Testing
[root@localhost snort]# service snortd status
snort (pid 24153) is running...
[root@localhost snort]# service snortd stop
Stopping Snort: [ OK ]
[root@localhost snort]# service snortd start
Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600)
Spawning daemon child...
My daemon child 24206 lives...
Daemon parent exiting (0)
[ OK ]
[root@localhost snort]# service snortd status
snort (pid 24206) is running...
[root@localhost snort]# ps aux | grep snort
root 24206 0.0 20.3 722540 387364 ? Ssl 11:59 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root 24225 0.0 0.0 103244 872 pts/1 S+ 11:59 0:00 grep snort
[root@localhost snort]#
Preparing this host to be the attack target
[root@localhost snort]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]
[root@localhost snort]#
[ OK ]
Temporarily stop the firewall
[root@localhost ~]# service iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
[root@localhost ~]#
First look at the current snort logs; the alert file is 0 bytes
[root@localhost snort]# ls -al /var/log/snort
total 28
drwx------. 4 snort snort 4096 Feb 3 11:59 .
drwxr-xr-x. 14 root root 4096 Feb 3 11:55 ..
-rw-r--r--. 1 root root 0 Feb 3 11:56 alert
-rw-r--r--. 1 snort snort 18 Oct 16 21:56 .bash_logout
-rw-r--r--. 1 snort snort 176 Oct 16 21:56 .bash_profile
-rw-r--r--. 1 snort snort 124 Oct 16 21:56 .bashrc
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Feb 3 2015 .mozilla
-rw-------. 1 root root 0 Feb 3 11:59 snort.log.1422935941
[root@localhost snort]#
Use a separate host to attack from (nikto apparently cannot attack the host it runs on, so another machine is needed)
192.168.128.101 is the host with snort installed
192.168.128.102 is the host with nikto installed
[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
^C[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.128.101
+ Target Hostname: 192.168.128.101
+ Target Port: 80
+ Start Time: 2015-02-03 12:04:23 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 1049978, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2015-02-03 12:04:41 (GMT8) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#
Back on the snort host, the alert file has grown from 0 bytes to a non-zero size, which shows that snort is working.
[root@localhost snort]# ls -al /var/log/snort
total 40
drwx------. 4 snort snort 4096 Feb 3 11:59 .
drwxr-xr-x. 14 root root 4096 Feb 3 11:55 ..
-rw-r--r--. 1 root root 4343 Feb 3 12:04 alert
-rw-r--r--. 1 snort snort 18 Oct 16 21:56 .bash_logout
-rw-r--r--. 1 snort snort 176 Oct 16 21:56 .bash_profile
-rw-r--r--. 1 snort snort 124 Oct 16 21:56 .bashrc
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Feb 3 2015 .mozilla
-rw-------. 1 root root 2876 Feb 3 12:04 snort.log.1422935941
[root@localhost snort]#
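The check above only confirms that the alert file grew. In practice the next question is what fired, from where, and how often. The functions below are an added example (not from the original post) that summarize Snort's default "full" alert format: each record starts with a [**] [gid:sid:rev] message [**] header, followed by a classification/priority line and a timestamped src:port -> dst:port line. The sample alert file is constructed here with local signature IDs and messages, not taken from the page or from any Snort rule set; alert_total, alerts_by_sig and alerts_by_src are names chosen for this example.

```bash
#!/bin/bash
# Added example: summarize a Snort "full" alert file. Not part of the original post.
# Assumed record layout (Snort full alert mode):
#   [**] [gid:sid:rev] message [**]
#   [Classification: ...] [Priority: N]
#   MM/DD-HH:MM:SS.uuuuuu src:port -> dst:port
#   protocol header lines, then a blank line

# Total number of alert records (one header line per record).
alert_total() {
    grep -c '^\[\*\*\] \[[0-9]*:[0-9]*:[0-9]*\] ' "$1"
}

# Alerts per signature: count<TAB>gid:sid:rev<TAB>message, busiest first.
alerts_by_sig() {
    awk '
        /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] / {
            sid = $2
            gsub(/\[|\]/, "", sid)                 # strip brackets around gid:sid:rev
            msg = $0
            sub(/^\[\*\*\] \[[0-9:]+\] /, "", msg) # drop the leading [**] [id]
            sub(/ \[\*\*\][ \t]*$/, "", msg)       # drop the trailing [**]
            count[sid "\t" msg]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$1" | sort -rn
}

# Alerts per source address: count<TAB>source, busiest first.
alerts_by_src() {
    awk '
        /^[0-9][0-9]\/[0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ && $3 == "->" {
            src = $2
            sub(/:[0-9]+$/, "", src)               # drop the port if present (ICMP has none)
            bysrc[src]++
        }
        END { for (s in bysrc) printf "%d\t%s\n", bysrc[s], s }
    ' "$1" | sort -rn
}

# Constructed sample alert file: local SIDs and messages made up for this example.
make_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:1000001:1] LOCAL web scanner User-Agent seen [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/03-12:04:23.481231 192.168.128.102:51334 -> 192.168.128.101:80
TCP TTL:64 TOS:0x0 ID:31201 IpLen:20 DgmLen:212 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x72  TcpLen: 32

[**] [1:1000002:1] LOCAL HTTP TRACE request [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/03-12:04:25.102938 192.168.128.102:51340 -> 192.168.128.101:80
TCP TTL:64 TOS:0x0 ID:31402 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0x2B3C4D5E  Ack: 0x6F708192  Win: 0x72  TcpLen: 32

[**] [1:1000001:1] LOCAL web scanner User-Agent seen [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/03-12:04:31.773201 192.168.128.103:40022 -> 192.168.128.101:80
TCP TTL:64 TOS:0x0 ID:31900 IpLen:20 DgmLen:208 DF
***AP*** Seq: 0x3C4D5E6F  Ack: 0x708192A3  Win: 0x72  TcpLen: 32
EOF
}

demo() {
    f=$(mktemp)
    make_sample_alerts "$f"
    echo "total alerts: $(alert_total "$f")"
    echo "by signature:"; alerts_by_sig "$f"
    echo "by source:";    alerts_by_src "$f"
    rm -f "$f"
}

demo
```

On the snort host from this post the same functions run against /var/log/snort/alert (read as root, since the file is owned by root). The per-source view is the one to watch during a test like the nikto run above: one source producing many alerts against port 80 in a few seconds is exactly the pattern a scanner leaves.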
Test succeeded.
(End)
[Research] snort-2.9.7.0.tar.gz (CentOS 6.6 x64) quick install script
http://shaurong.blogspot.tw/2015/02/snort-2970targz-centos-66-x64.html
[Research] snort-2.9.6.2.tar.gz (CentOS 6.6 x64) quick install script
http://shaurong.blogspot.com/2014/08/snort-2962targz-centos-65-x64.html