Thursday, February 18, 2016

[Research] snort-2.9.8.0.tar.gz (CentOS 7.2 x64) quick install script

2016-02-18

The post below, which installs snort with rpm, is actually faster and simpler:

[Research] Snort 2.9.8.0 installation + quick install script (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/02/snort-2980-centos-72-x64.html

But testing it together with Barnyard 2.13 ran into problems, so I also looked into installing snort from the .tar.gz and wrote this post.
(The rpm install has no /usr/local/src/snort-2.9.8.0/rpm/snort.sysconfig file; whether there are other problems, I do not know.)

Official website
https://www.snort.org/

Go to
http://dl.fedoraproject.org/pub/epel/7/x86_64/e/
and check whether epel-release-7-5.noarch.rpm still exists or has been replaced by a newer version such as
epel-release-7-6.noarch.rpm
epel-release-7-7.noarch.rpm
...
in which case this line of the quick install script below may need to be changed:
rpm  -Uvh  http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

References
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
http://manual.snort.org/
http://www.snort.org/docs
http://s3.amazonaws.com/snort-org/www/assets/202/snort2953_centos6x.pdf

Download URLs for snort-2.9.8.0.tar.gz and daq-2.0.6.tar.gz
http://www.snort.org/
https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz

libdnet-1.11.tar.gz download URL
http://libdnet.sourceforge.net/

PS: I later found libdnet-1.12.tar.gz here; has the official site moved?
https://code.google.com/p/libdnet/downloads/list

Rules download URLs (free registration required: click Sign In at the top right; downloads are available only after logging in)
http://www.snort.org/
https://www.snort.org/downloads/community/community-rules.tar.gz
https://www.snort.org/downloads/registered/snortrules-snapshot-2980.tar.gz

(These cannot be fetched with wget; download them with a browser, then copy them to the CentOS host with WinSCP)

Subscriber Release requires a paid subscription to download, so skip it
Registered User Release: free registration, download after logging in

Download the following files manually and place them in the /usr/local/src directory:
libdnet-1.12.tar.gz
daq-2.0.5.tar.gz
snort-2.9.8.0.tar.gz
snortrules-snapshot-2980.tar.gz

Starting with version 2.9.3, snort no longer supports MySQL output; Barnyard2 apparently fills that gap. ADOdb and BASE are not covered in this post either; maybe another time.

Database output is dead. R.I.P.
Wednesday, July 18, 2012
http://blog.snort.org/2012/07/database-output-is-dead-rip.html

Barnyard 2 official website
http://www.securixlive.com/
https://github.com/firnsy/barnyard2

ADOdb official website
http://adodb.sourceforge.net/
http://sourceforge.net/projects/adodb/files/adodb-php5-only/
(last updated 2015-12-27, file adodb-520-for-php5)

BASE official website (Basic Analysis and Security Engine)
http://base.secureideas.net/
http://sourceforge.net/projects/secureideas/files/BASE/
(last updated v1.4.5, May 2010-03-05)

Installation references
https://www.snort.org/documents
Getting SNORT working in CentOS 6.x/7.x and VirtualBox 4.x.x

First confirm the name of the current network interface


[root@localhost ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.128.158  netmask 255.255.255.0  broadcast 192.168.128.255
        inet6 fe80::20c:29ff:fed6:f1fd  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d6:f1:fd  txqueuelen 1000  (Ethernet)
        RX packets 677410  bytes 954720766 (910.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 340378  bytes 28929160 (27.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 94  bytes 5512 (5.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 94  bytes 5512 (5.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost ~]#


Contents of the quick install script (tested and working). Switch to root with  su  root  first, then run:
chmod   +x   snort2.9.8.0_centos7.2x64.sh
./snort2.9.8.0_centos7.2x64.sh


#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.8.0_centos7.2x64.sh "
echo -e "snort-2.9.8.0.tar.gz Install Shell Script (CentOS 7.2 x64) "
echo -e "by Shau-Rong Lu 2016-02-18 "
echo -e "\033[0m"

# libdnet and libdnet-devel come from EPEL; check the epel-release version on
# http://dl.fedoraproject.org/pub/epel/7/x86_64/e/ (see above) and adjust if needed
rpm  -Uvh  http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

yum -y install gcc gcc-c++ flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump libdnet libdnet-devel

rpm  -Uvh  https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm

cd  /usr/local/src
wget  https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz

# the rules snapshot cannot be fetched with wget, so it must already be here
if [ ! -s snortrules-snapshot-2980.tar.gz ]; then
  echo "Can not find  /usr/local/src/snortrules-snapshot-2980.tar.gz"
  exit 1
fi

tar zxvf snort-2.9.8.0.tar.gz
cd /usr/local/src/snort-2.9.8.0
./configure
make
make install

mkdir -p /etc/snort
cd /usr/local/src
tar xzvf /usr/local/src/snortrules-snapshot-2980.tar.gz -C /etc/snort
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

groupadd -g 40000 snort
useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

cp /etc/snort/etc/* /etc/snort/.

# comment out each stock "var ..." line and append an absolute path right after it
sed -i -e "s@var RULE_PATH@#var RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var RULE_PATH/avar RULE_PATH /etc/snort/rules"   /etc/snort/snort.conf
grep "var RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var SO_RULE_PATH@#var SO_RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var SO_RULE_PATH/avar SO_RULE_PATH /etc/snort/so_rules"   /etc/snort/snort.conf
grep "var SO_RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var PREPROC_RULE_PATH@#var PREPROC_RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var PREPROC_RULE_PATH/avar PREPROC_RULE_PATH /etc/snort/preproc_rules"   /etc/snort/snort.conf
grep "var PREPROC_RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
grep "var WHITE_LIST_PATH" /etc/snort/snort.conf

sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
grep "var BLACK_LIST_PATH" /etc/snort/snort.conf

mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

# validate the configuration only (-T); stop here if snort rejects it
snort -T -c /etc/snort/snort.conf -i eno16777736 -g snort -u snort
if [ "$?" != "0" ]; then
  echo "Snort Test Failed !"
  exit 1
fi

ps aux | grep snort

# The snortd shipped in snort-2.9.8.0.tar.gz fails when used, so build our own below
#cp  /usr/local/src/snort-2.9.8.0/rpm/snortd  /etc/init.d/.
#chmod +x /etc/init.d/snortd
#cp /root/snort-2.9.8.0/rpm/snort.sysconfig /etc/sysconfig/snort
#ln -s /usr/local/bin/snort /usr/sbin/snort

# move any existing script out of the way (only if there is one)
[ -f /etc/init.d/snortd ] && mv  /etc/init.d/snortd   /etc/init.d/snortd.old

# quoted heredoc: $1, $0 and $INTERFACE are written literally into the init
# script instead of being expanded here at install time
cat > /etc/init.d/snortd <<'EOF'
#!/bin/bash

# chkconfig: 345 99 01
# description: Snort startup script
# 345 - levels to configure
# 99 - startup order
# 01 - stop order

. /etc/rc.d/init.d/functions
#INTERFACE=eth0
INTERFACE=eno16777736

case "$1" in
start)
  echo -n "Starting Snort: "
  # note: snort runs as root here; add -u snort -g snort to drop privileges after startup
  daemon PCAP_FRAMES=max /usr/local/bin/snort -D -i $INTERFACE -c /etc/snort/snort.conf
  echo
  ;;

stop)
  echo -n "Stopping Snort: "
  killproc snort
  echo
  ;;

restart)
  $0 stop
  $0 start
  ;;
status)
  status snort
  ;;
*)
  echo "Usage: $0 {start|stop|restart|status}"
  exit 1
esac
exit 0
EOF

chmod +x /etc/init.d/snortd
chkconfig  --add  snortd
chkconfig  snortd on
service  snortd  start

# verify (service snortd status alone is not reliable enough)
ps aux | grep snort

echo "You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite "
echo ""
echo "or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite"
echo "  wget http://www.cirt.net/nikto/nikto-current.tar.gz"
echo "  tar zxvf nikto-current.tar.gz"
echo "  cd nikto-*"
echo "  chmod +x nikto.pl"
echo "  ./nikto.pl -h xxx.xxx.xxx.xxx"
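The five sed pairs in the script above each comment out a stock "var ..." line of snort.conf and append a replacement after it, which works once but appends a second copy on every re-run. As an added example (not part of the original post or its install script), the helper below does the same rewrite idempotently and then checks that every directory a var points to exists before snort -T is run; the /etc/snort/snort.conf path in the usage comment is the one from this post, and the function names are my own.

```bash
#!/bin/bash
# Added example, not from the original post: an idempotent replacement for the
# sed pairs in the install script. Those comment out "var RULE_PATH ..." and
# append a new line after it, so a second run appends a second copy. This helper
# rewrites the definition in place (or adds it if absent) and then checks that
# every directory a var points to exists, before snort -T is run.

# snort_set_var CONF NAME VALUE: leave exactly one active "var NAME VALUE" line.
snort_set_var() {
  local conf="$1" name="$2" value="$3" tmp rc
  tmp="$(mktemp)" || return 1
  # Match active or commented definitions of NAME only: "var RULE_PATH" must
  # not touch "var SO_RULE_PATH" or "var PREPROC_RULE_PATH".
  awk -v n="$name" -v v="$value" '
    $0 ~ ("^[ \t]*#?[ \t]*var[ \t]+" n "([ \t]|$)") {
      if (!done) { print "var " n " " v; done = 1 }   # first hit: rewrite
      next                                            # later hits: drop
    }
    { print }
    END { if (!done) print "var " n " " v }          # absent: append
  ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps snort:snort ownership
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# snort_get_var CONF NAME: print the value of the active (uncommented) var.
snort_get_var() {
  awk -v n="$2" '$1 == "var" && $2 == n { print $3 }' "$1"
}

# snort_check_paths CONF NAME...: fail if a var is unset or is not a directory.
snort_check_paths() {
  local conf="$1" name value rc=0
  shift
  for name in "$@"; do
    value="$(snort_get_var "$conf" "$name")"
    if [ -z "$value" ]; then
      echo "snort.conf: var $name is not set" >&2; rc=1
    elif [ ! -d "$value" ]; then
      echo "snort.conf: $name=$value is not a directory" >&2; rc=1
    fi
  done
  return "$rc"
}

# In the install script, per variable:  snort_set_var /etc/snort/snort.conf RULE_PATH /etc/snort/rules
# then once:  snort_check_paths /etc/snort/snort.conf RULE_PATH SO_RULE_PATH \
#               PREPROC_RULE_PATH WHITE_LIST_PATH BLACK_LIST_PATH || exit 1
```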


If you see the following message, the quick install script succeeded


[root@localhost snort]# snort -T -c /etc/snort/snort.conf -i eno16777736 -g snort -u snort

...(omitted)

Snort successfully validated the configuration!
Snort exiting
[root@localhost snort]#


Testing (startup takes a moment)


[root@localhost snort]# service snortd start
Starting snortd (via systemctl):                           [  OK  ]

[root@localhost snort]# service snortd status
● snortd.service - SYSV: Snort startup script
   Loaded: loaded (/etc/rc.d/init.d/snortd)
   Active: active (running) since Thu 2016-02-18 14:09:25 CST; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 25956 ExecStop=/etc/rc.d/init.d/snortd stop (code=exited, status=0/SUCCESS)
  Process: 26110 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/snortd.service
           └─26167 /usr/local/bin/snort -D -i eno16777736 -c /etc/snort/snort...

Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]: Commencing packet process...
Hint: Some lines were ellipsized, use -l to show in full.

[root@localhost snort]# ps aux | grep snort
root      26167  0.0 23.8 786532 446072 ?       Ssl  14:09   0:00 /usr/local/bin/snort -D -i eno16777736 -c /etc/snort/snort.conf
root      26243  0.0  0.0 112644   960 pts/0    S+   14:09   0:00 grep --color=auto snort
[root@localhost snort]#



Prepare this host as the target of the test scan


[root@localhost snort]# yum  -y  install  httpd
[root@localhost snort]# service httpd restart


Temporarily stop the firewall


[root@localhost ~]# service firewalld stop


First look at the current snort log; the alert file is 0 bytes


[root@localhost snort]# ls -al /var/log/snort
total 20
drwx------.  3 snort snort 4096 Feb 18 14:16 .
drwxr-xr-x. 20 root  root  4096 Feb 18 14:17 ..
-rw-r--r--.  1 root  root     0 Feb 18 14:03 alert
-rw-r--r--.  1 snort snort   18 Nov 20 13:02 .bash_logout
-rw-r--r--.  1 snort snort  193 Nov 20 13:02 .bash_profile
-rw-r--r--.  1 snort snort  231 Nov 20 13:02 .bashrc
drwxr-xr-x.  4 snort snort   37 Feb 17 19:49 .mozilla
-rw-------.  1 snort snort    0 Feb 18 14:04 snort_eno16777736.pid.lck
-rw-------.  1 root  root     0 Feb 18 14:03 snort.log.1455775427
-rw-------.  1 root  root     0 Feb 18 14:16 snort.log.1455776207
[root@localhost snort]#


Use another host to run the scan (nikto apparently cannot scan the host it runs on, so a second host is needed)
192.168.128.133 is the host with snort installed
192.168.128.134 is the host with nikto installed


[root@localhost ~]# cd  /usr/local
[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.133
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.133
+ Target Hostname:    192.168.128.133
+ Target Port:        80
+ Start Time:         2016-02-18 22:22:40 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2016-02-18 22:22:47 (GMT8) (7 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested



Back on the snort host, the alert file has grown from 0 bytes to a non-zero size, which shows snort is working


[root@localhost snort]# ls -al /var/log/snort
total 48
drwx------.  3 snort snort  4096 Feb 18 14:16 .
drwxr-xr-x. 20 root  root   4096 Feb 18 14:17 ..
-rw-r--r--.  1 root  root    387 Feb 18 14:22 alert
-rw-r--r--.  1 snort snort    18 Nov 20 13:02 .bash_logout
-rw-r--r--.  1 snort snort   193 Nov 20 13:02 .bash_profile
-rw-r--r--.  1 snort snort   231 Nov 20 13:02 .bashrc
drwxr-xr-x.  4 snort snort    37 Feb 17 19:49 .mozilla
-rw-------.  1 snort snort     0 Feb 18 14:04 snort_eno16777736.pid.lck
-rw-------.  1 root  root      0 Feb 18 14:03 snort.log.1455775427
-rw-------.  1 root  root  22754 Feb 18 14:22 snort.log.1455776207
[root@localhost snort]#


Test successful.

(End)

[Research] snort-2.9.8.0.tar.gz (CentOS 7.2 x64) quick install script
http://shaurong.blogspot.com/2016/02/snort-2980targz-centos-72-x64.html

[Research] Snort 2.9.8.0 installation + quick install script (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/02/snort-2980-centos-72-x64.html

[Research] Snort 2.9.7.0 + Barnyard 2.13 installation (CentOS 6.6 x64) quick install script
http://shaurong.blogspot.com/2015/02/snort-2970-barnyard-213-centos-66-x64.html

[Research] snort-2.9.6.2.tar.gz (CentOS 6.5 x64) quick install script
