浮雲雅築: [研究] snort-2.9.7.0.tar.gz (CentOS 6.6 x64) 快速安裝程式

[研究] snort-2.9.7.0.tar.gz (CentOS 6.6 x64) 快速安裝程式

2015-02-03

官方網站
https://www.snort.org/

連上
http://ftp.uninett.no/linux/epel/6/x86_64/
看看 epel-release-6-8.noarch.rpm 是否存在，或更新版本為
epel-release-6-9.noarch.rpm
epel-release-6-10.noarch.rpm
...
下方的快速安裝程式的這一行或許要修改
rpm -Uvh http://ftp.uninett.no/linux/epel/6/x86_64/epel-release-6-8.noarch.rpm

參考
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
http://manual.snort.org/
http://www.snort.org/docs
http://s3.amazonaws.com/snort-org/www/assets/202/snort2953_centos6x.pdf

snort-2.9.7.0.tar.gz 和 daq-2.0.4.tar.gz 下載網址
http://www.snort.org/

libdnet-1.11.tar.gz 下載網址
http://libdnet.sourceforge.net/

PS：後來發現這裡有 libdnet-1.12.tar.gz，官方網站搬家？
https://code.google.com/p/libdnet/downloads/list

snortrules-snapshot-2970.tar.gz 下載網址 (免費註冊，點 Sign In，登入後才能下載)
http://www.snort.org/
https://www.snort.org/downloads/registered/snortrules-snapshot-2970.tar.gz

Subscriber Release 是花錢訂閱才能下載的，跳過不看
Registered User Release 免費註冊，登入後才能下載

請自己手動下載下面檔案，放到 /usr/local/src 目錄
libdnet-1.12.tar.gz
daq-2.0.4.tar.gz
snort-2.9.7.0.tar.gz
snortrules-snapshot-2970.tar.gz

snort在版本2.9.3開始不再支援MySQL，好像可以靠 Barnyard2解決，ADOdb 和 BASE 小弟在本篇也暫不討論，有機會再說。

Database output is dead. R.I.P.
Wednesday, July 18, 2012
http://blog.snort.org/2012/07/database-output-is-dead-rip.html

Barnyard 2 官方網站
http://www.securixlive.com/

ADOdb 官方網站
http://adodb.sourceforge.net/
http://sourceforge.net/projects/adodb/files/adodb-php5-only/
(最後更新為 2014-04-30，檔案 adodb-519-for-php5 )

BASE 官方網站 (Basic Analysis and Security Engine)
http://base.secureideas.net/
http://sourceforge.net/projects/secureideas/files/BASE/
(最後更新為 v1.4.5 版 May 2010-03-05)

快速安裝程式內容(實際測試可用)，請先用 su root 切換成 root 執行

注意，下面網路卡使用的是 eth0，如果您不是，要修改

#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.7.0_centos6.6x64.sh "
echo -e "snort-2.9.7.0.tar.gz Install Shell Script (CentOS 6.6 x64) "
echo -e "by Shau-Rong Lu 2015-02-03 "
echo -e "\033[0m"

rpm -Uvh http://ftp.uninett.no/linux/epel/6/i386/epel-release-6-8.noarch.rpm
yum -y install gcc gcc-c++ flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump libdnet libdnet-devel

cd /usr/local/src

# if [ ! -s libdnet-1.12.tar.gz ]; then
# echo "Can not find /usr/local/src/libdnet-1.12.tar.gz"
# wget http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Flibdnet.sourceforge.net%2F&ts=1382718432&use_mirror=nchc
# exit
# fi

if [ ! -s daq-2.0.4.tar.gz ]; then
echo "Can not find /usr/local/src/daq-2.0.4.tar.gz"
exit
fi

if [ ! -s snort-2.9.7.0.tar.gz]; then
echo "Can not find /usr/local/src/snort-2.9.7.0.tar.gz"
exit
fi

if [ ! -s snortrules-snapshot-2970.tar.gz]; then
echo "Can not find /usr/local/src/snortrules-snapshot-2970.tar.gz"
exit
fi

# tar zxvf libdnet-1.11.tar.gz
tar zxvf daq-2.0.4.tar.gz
tar zxvf snort-2.9.7.0.tar.gz

# cd /usr/local/src/libdnet-1.11
# ./configure --with-pic
# make
# make install

cd /usr/local/src/daq-2.0.4
./configure
make
make install

cd /usr/local/src/snort-2.9.7.0
./configure --enable-sourcefire
make
make install

# cd /usr/local/lib
# ldconfig -v /usr/local/lib

mkdir -p /etc/snort
cd /usr/local/src
tar xzvf /usr/local/src/snortrules-snapshot-2970.tar.gz -C /etc/snort
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

groupadd -g 40000 snort
useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

cp /etc/snort/etc/* /etc/snort/.

sed -i -e "s@var RULE_PATH@#var RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var RULE_PATH/avar RULE_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var RULE_PATH"

sed -i -e "s@var SO_RULE_PATH@#var SO_RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var SO_RULE_PATH/avar SO_RULE_PATH /etc/snort/so_rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var SO_RULE_PATH"

sed -i -e "s@var PREPROC_RULE_PATH@#var PREPROC_RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var PREPROC_RULE_PATH/avar PREPROC_RULE_PATH /etc/snort/preproc_rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var PREPROC_RULE_PATH"

sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var WHITE_LIST_PATH"

sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var BLACK_LIST_PATH"

mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

snort -T -c /etc/snort/snort.conf
if [ "$?" != "0" ]; then
echo "Snort Test Failed !"
exit
fi

#cp /root/snort-2.9.7.0/rpm/snortd /etc/init.d/.
#chmod +x /etc/init.d/snortd
#cp /root/snort-2.9.7.0/rpm/snort.sysconfig /etc/sysconfig/snort
#ln -s /usr/local/bin/snort /usr/sbin/snort

rm -fr /etc/init.d/snortd

echo '#!/bin/bash' > /etc/init.d/snortd

echo "" >> /etc/init.d/snortd
echo "# chkconfig: 345 99 01" >> /etc/init.d/snortd
echo "# description: Snort startup script" >> /etc/init.d/snortd
echo "# 345 - levels to configure" >> /etc/init.d/snortd
echo "# 99 - startup order" >> /etc/init.d/snortd
echo "# 01 - stop order" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo ". /etc/rc.d/init.d/functions " >> /etc/init.d/snortd
echo "INTERFACE=eth0" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "case \"\$1\" in " >> /etc/init.d/snortd
echo "start)" >> /etc/init.d/snortd
echo " echo -n \"Starting Snort: \"" >> /etc/init.d/snortd
echo " daemon PCAP_FRAMES=max /usr/local/bin/snort -D -i \$INTERFACE -c /etc/snort/snort.conf" >> /etc/init.d/snortd
echo " echo" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "stop)" >> /etc/init.d/snortd
echo " echo -n \"Stopping Snort: \"" >> /etc/init.d/snortd
echo " killproc snort" >> /etc/init.d/snortd
echo " echo" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "restart)" >> /etc/init.d/snortd
echo " \$0 stop" >> /etc/init.d/snortd
echo " \$0 start" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "status)" >> /etc/init.d/snortd
echo " status snort" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "*)" >> /etc/init.d/snortd
echo " echo \"Usage: $0 {start|stop|restart|status}\"" >> /etc/init.d/snortd
echo " exit 1" >> /etc/init.d/snortd
echo " esac" >> /etc/init.d/snortd
echo " exit 0" >> /etc/init.d/snortd

chmod +x /etc/init.d/snortd
chkconfig --add snortd
chkconfig snortd on
service snortd start
ps aux | grep snort

echo "You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite "
echo ""
echo "or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite"
echo " wget http://www.cirt.net/nikto/nikto-current.tar.gz"
echo " tar zxvf nikto-current.tar.gz"
echo " cd nikto-*"
echo " chmod +x nikto.pl"
echo " ./nikto.pl -h xxx.xxx.xxx.xxx"

看到下面訊息，表示快速安裝程式成功

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.9.7.0 GRE (Build 149)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.4.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.4 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>

Snort successfully validated the configuration!
Snort exiting

[ OK ]
You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite

or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite
wget http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl
./nikto.pl -h xxx.xxx.xxx.xxx
[root@localhost ~]#

測試

[root@localhost snort]# service snortd status
snort (pid 24153) is running...

[root@localhost snort]# service snortd stop
Stopping Snort: [ OK ]

[root@localhost snort]# service snortd start
Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600)
Spawning daemon child...
My daemon child 24206 lives...
Daemon parent exiting (0)
[ OK ]
[root@localhost snort]# service snortd status
snort (pid 24206) is running...

[root@localhost snort]# ps aux | grep snort
root 24206 0.0 20.3 722540 387364 ? Ssl 11:59 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root 24225 0.0 0.0 103244 872 pts/1 S+ 11:59 0:00 grep snort
[root@localhost snort]#

準備當被攻擊主機

[root@localhost snort]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]
[root@localhost snort]#

[ OK ]

防火牆暫時關閉

[root@localhost ~]# service iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
[root@localhost ~]#

先看一下 snort 目前 log，其中 alert 為 0 byte

[root@localhost snort]# ls -al /var/log/snort
total 28
drwx------. 4 snort snort 4096 Feb 3 11:59 .
drwxr-xr-x. 14 root root 4096 Feb 3 11:55 ..
-rw-r--r--. 1 root root 0 Feb 3 11:56 alert
-rw-r--r--. 1 snort snort 18 Oct 16 21:56 .bash_logout
-rw-r--r--. 1 snort snort 176 Oct 16 21:56 .bash_profile
-rw-r--r--. 1 snort snort 124 Oct 16 21:56 .bashrc
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Feb 3 2015 .mozilla
-rw-------. 1 root root 0 Feb 3 11:59 snort.log.1422935941
[root@localhost snort]#

另外找一台主機來攻擊 ( nikto 好像無法對自己攻擊，所以必須另外找一台)
192.168.128.101 是安裝 snort 主機
192.168.128.102 是安裝 nikto 主機

[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.101

- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
^C[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.128.101
+ Target Hostname: 192.168.128.101
+ Target Port: 80
+ Start Time: 2015-02-03 12:04:23 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 1049978, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2015-02-03 12:04:41 (GMT8) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#

回到原來安裝 snort 主機，可以看到 alert 檔案從 0 byte 變成不是 0 bytes，表示 snort 有正常運作

[root@localhost snort]# ls -al /var/log/snort
total 40
drwx------. 4 snort snort 4096 Feb 3 11:59 .
drwxr-xr-x. 14 root root 4096 Feb 3 11:55 ..
-rw-r--r--. 1 root root 4343 Feb 3 12:04 alert
-rw-r--r--. 1 snort snort 18 Oct 16 21:56 .bash_logout
-rw-r--r--. 1 snort snort 176 Oct 16 21:56 .bash_profile
-rw-r--r--. 1 snort snort 124 Oct 16 21:56 .bashrc
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Feb 3 2015 .mozilla
-rw-------. 1 root root 2876 Feb 3 12:04 snort.log.1422935941
[root@localhost snort]#

測試成功。

(完)

[研究] snort-2.9.7.0.tar.gz (CentOS 6.6 x64) 快速安裝程式
http://shaurong.blogspot.tw/2015/02/snort-2970targz-centos-66-x64.html

[研究] snort-2.9.6.2.tar.gz (CentOS 6.6 x64) 快速安裝程式
http://shaurong.blogspot.com/2014/08/snort-2962targz-centos-65-x64.html

浮雲雅築

2015年2月3日星期二

[研究] snort-2.9.7.0.tar.gz (CentOS 6.6 x64) 快速安裝程式

沒有留言:

張貼留言

2015年2月3日 星期二

[研究] snort-2.9.7.0.tar.gz (CentOS 6.6 x64) 快速安裝程式

沒有留言:

張貼留言

2015年2月3日星期二