Monday, February 22, 2016

[Research] Disabling SELinux (CentOS 7.2 x64)

2016-02-22

Check the SELinux status

[root@centos1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

SELinux has three modes: enforcing, permissive and disabled.
In permissive mode SELinux only logs warnings for the access it would have denied, instead of actually blocking the subject process. setenforce 0 switches the running system to permissive mode (the config file is not touched):

[root@centos1 ~]# setenforce 0

Check the SELinux status again

[root@centos1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@centos1 ~]#

To really turn SELinux off, edit the SELinux configuration file

[root@centos1 ~]#  vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

SELINUX=enforcing
change to
SELINUX=disabled

Reboot the machine

[root@centos1 ~]# reboot

Test the SELinux status

[root@centos1 ~]# sestatus
SELinux status:                 disabled

[root@centos1 ~]# getenforce
Disabled

********************************************************************************

To detect from a shell script whether SELinux is enabled, use the selinuxenabled command

[root@localhost ~]# man selinuxenabled
...(omitted)
DESCRIPTION
       selinuxenabled Indicates whether SELinux is  enabled  or  disabled.  It
       exits with status 0 if SELinux is enabled and 1 if it is not enabled.
...(omitted)

In a shell script:

selinuxenabled
if [ $? -eq 1 ]
then
  echo "SELinux is disabled"
else
  echo "SELinux is enabled"
fi

Note: $? returns the exit status of the command that just ran, so no other code may be placed between selinuxenabled and the test of $?. Also, there must be at least one space between [ and $?.
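
A more defensive version of that check, added here as an example (it is not from the original post): it captures the exit status on the same statement, so nothing can overwrite $?, and it also handles a host where selinuxenabled is not installed at all. It assumes only the selinuxenabled and getenforce commands from libselinux-utils.

```shell
#!/bin/sh
# Added example (not from the original post): an SELinux check that avoids the
# "$? was overwritten" pitfall described above and also handles a host where
# selinuxenabled is not installed (the shell then reports status 127).

# Map an exit status of selinuxenabled to a word: 0 = enabled, 1 = disabled.
selinux_label() {
    case "$1" in
        0)   echo "enabled" ;;
        1)   echo "disabled" ;;
        127) echo "not-installed" ;;   # command not found
        *)   echo "unknown($1)" ;;
    esac
}

# Capture the exit status on the very same statement, so nothing can run in
# between and replace $?; "|| rc=$?" also keeps the script alive under set -e.
selinux_state() {
    rc=0
    selinuxenabled 2>/dev/null || rc=$?
    selinux_label "$rc"
}

# Simplest form: use the command itself as the condition, no $? needed at all.
# selinuxenabled exits 0 in both enforcing and permissive mode; getenforce
# prints which of the two it is.
selinux_mode() {
    if selinuxenabled 2>/dev/null; then
        getenforce 2>/dev/null || echo "enabled (getenforce missing)"
    else
        echo "Disabled"
    fi
}

echo "SELinux: $(selinux_state), mode: $(selinux_mode)"
```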

(End)

[Research] ifconfig is gone (CentOS 7.2 minimal install)

2016-02-22

The first time I used the CentOS 7.2 Minimal Install I found there was no ifconfig command; a quick search showed that ip addr is used instead now.

[root@centos1 ~]# ifconfig
-bash: ifconfig: command not found

[root@centos1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:5b:fe:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.128.101/24 brd 192.168.128.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe5b:fef1/64 scope link
       valid_lft forever preferred_lft forever


[root@centos1 ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:5b:fe:f1 brd ff:ff:ff:ff:ff:ff
[root@centos1 ~]#


[root@centos1 ~]# ip -s link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:5b:fe:f1 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    81527836   70562    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    9750560    36116    0       0       0       0
[root@centos1 ~]#

Look up which package contains ifconfig
(sometimes the lookup finds nothing; the answer is net-tools)

[root@centos1 ~]# yum provides ifconfig
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.cs.nctu.edu.tw
 * extras: centos.cs.nctu.edu.tw
 * updates: centos.cs.nctu.edu.tw
base/7/x86_64/filelists_db                               | 6.2 MB     00:00
extras/7/x86_64/filelists_db                             | 256 kB     00:00
updates/7/x86_64/filelists_db                            | 1.9 MB     00:00
No matches found

[root@centos1 ~]# yum provides ifconfig
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.aol.in
 * extras: centos.aol.in
 * updates: centos.aol.in
net-tools-2.0-0.17.20131004git.el7.x86_64 : Basic networking tools
Repo        : @base
Matched from:
Filename    : /usr/sbin/ifconfig


[root@centos1 ~]# yum whatprovides ifconfig
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.cs.nctu.edu.tw
 * extras: centos.cs.nctu.edu.tw
 * updates: centos.cs.nctu.edu.tw
No matches found
[root@centos1 ~]#

Install net-tools

[root@centos1 ~]# yum -y install net-tools

Now ifconfig is available.

[root@centos1 ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.128.101  netmask 255.255.255.0  broadcast 192.168.128.255
        inet6 fe80::20c:29ff:fe5b:fef1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:5b:fe:f1  txqueuelen 1000  (Ethernet)
        RX packets 70949  bytes 81864876 (78.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 36313  bytes 9771242 (9.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@centos1 ~]# man  ifconfig
(... omitted)
NOTE
       This  program  is obsolete!  For replacement check ip addr and ip link.
       For statistics use ip -s link.
(... omitted)

This program is obsolete! Use ip addr and ip link instead to check interfaces.
For statistics use ip -s link.

(End)



[Research] Installing the Suricata 3.0 intrusion detection system (CentOS 7.2 x64)

2016-02-22

Official site
http://oisf.net/suricata/

Documentation
http://suricata-ids.org/docs/
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation

Suricata is an Intrusion Detection System (IDS).

Snort vs Suricata comparison
http://wiki.aanval.com/wiki/Snort_vs_Suricata
Suricata's biggest advantage over Snort is its multi-threading support.

Quantitative Analysis of Intrusion Detection Systems: Snort and Suricata
http://people.clarkson.edu/~jmatthew/publications/SPIE_SnortSuricata_2013.pdf
(This paper has performance comparison charts; I added a little colour to make them easier to read.)

(Figure) With the default configuration, Suricata far outperforms Snort at 2, 3 and 4 cores

(Figure) Suricata's CPU utilisation is lower than Snort's

(Figure) With 4 or fewer CPU cores Suricata's RAM usage is higher; above 8 cores Snort's jumps sharply

Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation

su root

rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
  zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
  libnetfilter_queue-devel lua-devel wget

cd /usr/local/src
wget http://www.openinfosecfoundation.org/download/suricata-3.0.tar.gz
tar zxvf suricata-3.0.tar.gz
cd suricata-3.0
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua

[root@centos1 suricata-3.0]# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
...(omitted)
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var

  Host:                                    x86_64-unknown-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -march=native
  PCAP_CFLAGS
  SECCFLAGS

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

[root@centos1 suricata-3.0]#

make
make install-full
ldconfig

[root@localhost suricata-3.0]# make install-full

/usr/bin/wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -

You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
[root@centos1 suricata-3.0]#


First check the network interface name (it turned out to be eno16777736, not eth0)
(a CentOS 7 minimal install does not include ifconfig)

[root@centos1 suricata-3.0]# ip addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:5b:fe:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.128.101/24 brd 192.168.128.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe5b:fef1/64 scope link
       valid_lft forever preferred_lft forever
[root@centos1 suricata-3.0]#

If you skip the ldconfig step you get the following error

[root@centos1 suricata-3.0]# /usr/bin/suricata
/usr/bin/suricata: error while loading shared libraries: libhtp-0.5.18.so.1: cannot open shared object file: No such file or directory


See what options there are

[root@centos1 suricata-3.0]# /usr/bin/suricata
Suricata 3.0
USAGE: /usr/bin/suricata [OPTIONS] [BPF FILTER]

        -c <path>                            : path to configuration file
        -T                                   : test configuration file (use with -c)
        -i <dev or ip>                       : run in pcap live mode
        -F <bpf filter file>                 : bpf filter file
        -r <path>                            : run in pcap file/offline mode
        -q <qid>                             : run in inline nfqueue mode
        -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
        -S <path>                            : path to signature file loaded exclusively (optional)
        -l <dir>                             : default log directory
        -D                                   : run as daemon
        -k [all|none]                        : force checksum check (all) or disabled it (none)
        -V                                   : display Suricata version
        -v[v]                                : increase default Suricata verbosity
        --list-app-layer-protos              : list supported app layer protocols
        --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
        --list-runmodes                      : list supported runmodes
        --runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
                                               supplied should be the id for the runmode obtained by running
                                               --list-runmodes
        --engine-analysis                    : print reports on analysis of different sections in the engine and exit.
                                               Please have a look at the conf parameter engine-analysis on what reports
                                               can be printed
        --pidfile <file>                     : write pid to this file
        --init-errors-fatal                  : enable fatal failure on signature init error
        --disable-detection                  : disable detection engine
        --dump-config                        : show the running configuration
        --build-info                         : display build information
        --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
        --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
        --af-packet[=<dev>]                  : run in af-packet mode, no value select interfaces from suricata.yaml
        --user <user>                        : run suricata as this user after init
        --group <group>                      : run suricata as this group after init
        --erf-in <path>                      : process an ERF file
        --unix-socket[=<file>]               : use unix socket to control suricata work
        --set name=value                     : set a configuration value


To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:

/usr/bin/suricata -c suricata.yaml -s signatures.rules -i eth0

[root@centos1 suricata-3.0]#


# Show the version

[root@centos1 ~]# /usr/bin/suricata -V
This is Suricata version 3.0 RELEASE
[root@centos1 ~]#

# Test the configuration file /etc/suricata//suricata.yaml

[root@centos1 ~]# /usr/bin/suricata -T -c /etc/suricata//suricata.yaml -i  eno16777736
22/2/2016 -- 16:44:29 - <Info> - Running suricata under test mode
22/2/2016 -- 16:44:29 - <Notice> - This is Suricata version 3.0 RELEASE
22/2/2016 -- 16:44:33 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/app-layer-events.rules
[root@centos1 ~]#

It is only a warning; ignore it.

# Test writing output to a file

vi  /etc/suricata//suricata.yaml

Find these lines. By default results go only to the console; change enabled under file from no to yes and output will also be written to /var/log/suricata.log.

  outputs:
  - console:
      enabled: yes
      # type: json
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
      # type: json
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
      # type: json


# Run in the foreground (press Ctrl-C to stop)

[root@localhost ~]# /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eno16777736

22/2/2016 -- 16:46:28 - <Notice> - This is Suricata version 3.0 RELEASE
22/2/2016 -- 16:46:31 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/app-layer-events.rules
22/2/2016 -- 16:46:34 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.
22/2/2016 -- 16:46:34 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.

(Press Ctrl-C to interrupt)

22/2/2016 -- 16:46:38 - <Notice> - Signal Received.  Stopping engine.
22/2/2016 -- 16:46:38 - <Notice> - Stats for 'eno16777736':  pkts: 6, drop: 0 (0.00%), invalid chksum: 4



# Run in the background as a daemon (add the -D option)

/usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736

Stopping a daemon started with -D is more awkward: find its PID first, then kill it

[root@centos1 ~]# /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
22/2/2016 -- 16:47:39 - <Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update  'logging.outputs' in the YAML.
22/2/2016 -- 16:47:39 - <Notice> - This is Suricata version 3.0 RELEASE

[root@centos1 ~]# ps aux | grep suricata
root      19429 73.4 33.4 781228 334968 ?       Ssl  16:47   0:06 /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
root      19437  0.0  0.0 112644   960 pts/0    S+   16:47   0:00 grep --color=auto suricata

[root@centos1 ~]# kill -9 19429

[root@centos1 ~]# ps aux | grep suricata
root      19439  0.0  0.0 112644   956 pts/0    R+   16:48   0:00 grep --color=auto suricata
[root@centos1 ~]#


# Attack test

Current state on the Suricata machine (192.168.128.51)

[root@localhost ~]# ls  -al  /var/log/suricata
total 44
drwxr-xr-x. 4 root root    91 Feb 22 16:46 .
drwxr-xr-x. 7 root root  4096 Feb 22 16:41 ..
drwxr-xr-x. 2 root root     6 Feb 22 16:41 certs
-rw-r--r--. 1 root root 20773 Feb 22 16:47 eve.json
-rw-r--r--. 1 root root  9602 Feb 22 16:47 fast.log
drwxr-xr-x. 2 root root     6 Feb 22 16:41 files
-rw-r--r--. 1 root root     0 Feb 22 16:46 http.log
-rw-r--r--. 1 root root  2507 Feb 22 16:47 stats.log

[root@localhost ~]#

Install a web server and stop the firewall
yum  -y  install  httpd
service  httpd  start
service  firewalld  stop

Use a second host to run the attack (nikto apparently cannot scan the host it runs on, so another machine is needed)
192.168.128.101 is the host with Suricata installed

cd   /usr/local
yum -y install wget  perl
wget  http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl
./nikto.pl -h 192.168.128.101

[root@centos2 nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.101
+ Target Hostname:    192.168.128.101
+ Target Port:        80
+ Start Time:         2016-02-22 16:51:25 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2016-02-22 16:51:33 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@centos2 nikto-2.1.5]#

Now the state on the Suricata machine

[root@centos1 ~]# ls  -al  /var/log/suricata
total 10316
drwxr-xr-x. 4 root root      91 Feb 22 16:46 .
drwxr-xr-x. 8 root root    4096 Feb 22 16:49 ..
drwxr-xr-x. 2 root root       6 Feb 22 16:41 certs
-rw-r--r--. 1 root root 6806272 Feb 22 16:52 eve.json
-rw-r--r--. 1 root root   91897 Feb 22 16:52 fast.log
drwxr-xr-x. 2 root root       6 Feb 22 16:41 files
-rw-r--r--. 1 root root 1236665 Feb 22 16:52 http.log
-rw-r--r--. 1 root root    4225 Feb 22 16:52 stats.log

You can see that some of the log files have grown.
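
To see what actually landed in fast.log after a scan like the one above, here is an added example of mine (not from the post or the Suricata project) that summarises alerts per signature, source address and priority using only sed, awk, sort and uniq, so it runs on a minimal CentOS install without jq; the log lines and signature ids inside it are constructed samples in fast.log's layout, not real rules.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise Suricata's fast.log
# (one of the files that grew during the nikto run above) with nothing but
# sed/awk/sort/uniq. The lines below are constructed samples in fast.log's
# layout, with made-up signature ids (1000001-1000003), not real ET rules.

SAMPLE_FASTLOG=$(mktemp)
trap 'rm -f "$SAMPLE_FASTLOG"' EXIT
cat > "$SAMPLE_FASTLOG" <<'EOF'
02/22/2016-16:51:25.101010  [**] [1:1000001:1] TEST SCAN Web scanner user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.128.51:40001 -> 192.168.128.101:80
02/22/2016-16:51:25.202020  [**] [1:1000002:1] TEST WEB_SERVER TRACE method request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.128.51:40002 -> 192.168.128.101:80
02/22/2016-16:51:26.303030  [**] [1:1000001:1] TEST SCAN Web scanner user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.128.51:40003 -> 192.168.128.101:80
02/22/2016-16:51:27.404040  [**] [1:1000003:1] TEST POLICY Directory index requested [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.168.128.77:50000 -> 192.168.128.101:80
02/22/2016-16:51:28.505050  [**] [1:1000001:1] TEST SCAN Web scanner user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.128.51:40004 -> 192.168.128.101:80
EOF

# Total number of alert lines (every fast.log alert contains "[**]").
# "|| true" keeps a zero count from aborting a script that runs under set -e.
fastlog_alert_count() {
    grep -c '\[\*\*\]' "$1" || true
}

# "count sid signature" per rule, most frequent first. Layout of one line:
#   <timestamp>  [**] [gid:sid:rev] <signature> [**] [Classification: ...] ...
fastlog_by_signature() {
    sed -n 's/^[^[]*\[\*\*\] \[[0-9]*:\([0-9]*\):[0-9]*\] \(.*\) \[\*\*\].*$/\1 \2/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Alerts per source address: the "ip:port" token just before "->" (IPv4 assumed).
fastlog_by_source() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "->") { split($(i-1), a, ":"); print a[1] } }' "$1" \
        | sort | uniq -c | sort -rn
}

# Alerts per priority (1 is the most severe), listed in ascending priority.
fastlog_by_priority() {
    sed -n 's/.*\[Priority: \([0-9]*\)\].*/\1/p' "$1" | sort | uniq -c | sort -k2n
}

echo "alerts: $(fastlog_alert_count "$SAMPLE_FASTLOG")"
echo "--- by signature ---"; fastlog_by_signature "$SAMPLE_FASTLOG"
echo "--- by source ---";    fastlog_by_source    "$SAMPLE_FASTLOG"
echo "--- by priority ---";  fastlog_by_priority  "$SAMPLE_FASTLOG"
```

Point the functions at /var/log/suricata/fast.log instead of the sample file to get the same breakdown for a real capture.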

For rule management, consider Oinkmaster and Pulledpork
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

(End)

Related

[Research] Installing the Suricata 3.0 intrusion detection system (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/02/suricata-30-centos-72-x64_22.html


[Research] Installing the Suricata 2.0.11 intrusion detection system (CentOS 7.2 x64)
[Research] snort-2.9.5.5.tar.gz quick install script (CentOS 6.4 x64)

*********************************************************************************

These posts are related

[Research] Installing the Suricata 1.4.6 intrusion detection system (CentOS 6.4 x64)
[Research] Suricata 1.4.6 quick install script (CentOS 6.4 x64)

[Research] Installing Barnyard2 for Suricata 1.4.6 (CentOS 6.4 x64)
[Research] Barnyard2 for Suricata 1.4.6 quick install script (CentOS 6.4 x64)

[Research] Installing Suricata 1.4.6 + Barnyard + BASE (CentOS 6.4 x64)

*********************************************************************************

Sunday, February 21, 2016

[Research] Installing the Suricata 2.0.11 intrusion detection system (CentOS 7.2 x64)

2016-02-21

Official site
http://oisf.net/suricata/

Documentation
http://suricata-ids.org/docs/
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation

Suricata is an Intrusion Detection System (IDS).

Snort vs Suricata comparison
http://wiki.aanval.com/wiki/Snort_vs_Suricata
Suricata's biggest advantage over Snort is its multi-threading support.

Quantitative Analysis of Intrusion Detection Systems: Snort and Suricata
http://people.clarkson.edu/~jmatthew/publications/SPIE_SnortSuricata_2013.pdf
(This paper has performance comparison charts; I added a little colour to make them easier to read.)

(Figure) With the default configuration, Suricata far outperforms Snort at 2, 3 and 4 cores

(Figure) Suricata's CPU utilisation is lower than Snort's

(Figure) With 4 or fewer CPU cores Suricata's RAM usage is higher; above 8 cores Snort's jumps sharply

Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation

su root

rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
  zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
  libnetfilter_queue-devel lua-devel

cd /usr/local/src
wget http://www.openinfosecfoundation.org/download/suricata-2.0.11.tar.gz
tar zxvf suricata-2.0.11.tar.gz
cd suricata-2.0.11
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua

[root@localhost suricata-2.0.11]# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
...(omitted)
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

[root@localhost suricata-2.0.11]#

make
make install-full
ldconfig

[root@localhost suricata-2.0.11]# make install-full

/usr/bin/wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -

You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
[root@localhost suricata-2.0.11]#

First check the network interface name (it turned out to be eno16777736, not eth0)

[root@localhost ~]# ip addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:d2:dc:64 brd ff:ff:ff:ff:ff:ff
    inet 192.168.128.51/24 brd 192.168.128.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fed2:dc64/64 scope link
       valid_lft forever preferred_lft forever
[root@localhost ~]#

See what options there are

[root@localhost suricata-2.0.11]#  /usr/bin/suricata
Suricata 2.0.11
USAGE: /usr/bin/suricata [OPTIONS] [BPF FILTER]

        -c <path>                            : path to configuration file
        -T                                   : test configuration file (use with -c)
        -i <dev or ip>                       : run in pcap live mode
        -F <bpf filter file>                 : bpf filter file
        -r <path>                            : run in pcap file/offline mode
        -q <qid>                             : run in inline nfqueue mode
        -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
        -S <path>                            : path to signature file loaded exclusively (optional)
        -l <dir>                             : default log directory
        -D                                   : run as daemon
        -k [all|none]                        : force checksum check (all) or disabled it (none)
        -V                                   : display Suricata version
        -v[v]                                : increase default Suricata verbosity
        --list-app-layer-protos              : list supported app layer protocols
        --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
        --list-runmodes                      : list supported runmodes
        --runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
                                               supplied should be the id for the runmode obtained by running
                                               --list-runmodes
        --engine-analysis                    : print reports on analysis of different sections in the engine and exit.
                                               Please have a look at the conf parameter engine-analysis on what reports
                                               can be printed
        --pidfile <file>                     : write pid to this file
        --init-errors-fatal                  : enable fatal failure on signature init error
        --disable-detection                  : disable detection engine
        --dump-config                        : show the running configuration
        --build-info                         : display build information
        --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
        --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
        --af-packet[=<dev>]                  : run in af-packet mode, no value select interfaces from suricata.yaml
        --user <user>                        : run suricata as this user after init
        --group <group>                      : run suricata as this group after init
        --erf-in <path>                      : process an ERF file
        --unix-socket[=<file>]               : use unix socket to control suricata work
        --set name=value                     : set a configuration value


To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:

/usr/bin/suricata -c suricata.yaml -s signatures.rules -i eth0


[root@localhost suricata-2.0.11]#

# Show the version

[root@localhost suricata-2.0.11]#  /usr/bin/suricata  -V
This is Suricata version 2.0.11 RELEASE


# Test the configuration file /etc/suricata//suricata.yaml

[root@localhost suricata-2.0.11]# /usr/bin/suricata -T -c /etc/suricata//suricata.yaml -i  eno16777736
22/2/2016 -- 07:38:16 - <Info> - Running suricata under test mode
22/2/2016 -- 07:38:16 - <Notice> - This is Suricata version 2.0.11 RELEASE
[root@localhost suricata-2.0.11]#

# Test writing output to a file

vi  /etc/suricata//suricata.yaml

Find these lines. By default results go only to the console; change enabled under file from no to yes and output will also be written to /var/log/suricata.log.

  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

# Run in the foreground (press Ctrl-C to stop)

[root@localhost suricata-2.0.11]# /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eno16777736
22/2/2016 -- 07:27:42 - <Notice> - This is Suricata version 2.0.11 RELEASE
22/2/2016 -- 07:27:49 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.
22/2/2016 -- 07:27:49 - <Notice> - all 2 packet processing threads, 3 management threads initialized, engine started.

(Press Ctrl-C to interrupt)

22/2/2016 -- 07:32:09 - <Notice> - Signal Received.  Stopping engine.
22/2/2016 -- 07:32:10 - <Notice> - Stats for 'eno16777736':  pkts: 14, drop: 0 (0.00%), invalid chksum: 4
[root@localhost suricata-2.0.11]#


# Run in the background (daemon mode) by adding the -D option

/usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736

Stopping a daemon-mode (-D) run is more awkward: first find the PID, then kill it

[root@localhost suricata-2.0.11]# /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
22/2/2016 -- 07:40:04 - <Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update  'logging.outputs' in the YAML.
22/2/2016 -- 07:40:04 - <Notice> - This is Suricata version 2.0.11 RELEASE

[root@localhost suricata-2.0.11]# ps aux | grep suricata
root      16748 41.0 19.8 764912 402760 ?       Ssl  07:40   0:05 /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
root      16755  0.0  0.0 112644   960 pts/0    S+   07:40   0:00 grep --color=auto suricata

[root@localhost suricata-2.0.11]# kill -9 16748

[root@localhost suricata-2.0.11]# ps aux | grep suricata
root      16757  0.0  0.0 112644   960 pts/0    R+   07:40   0:00 grep --color=auto suricata
[root@localhost suricata-2.0.11]#

# Attack test

Current state on the Suricata host (192.168.128.51)

[root@localhost suricata-2.0.11]# ls  -al  /var/log/suricata
total 204
drwxr-xr-x. 4 root root   4096 Feb 22 07:40 .
drwxr-xr-x. 7 root root   4096 Feb 22 07:22 ..
drwxr-xr-x. 2 root root      6 Feb 22 07:22 certs
-rw-r--r--. 1 root root  12382 Feb 22 07:40 eve.json
-rw-r--r--. 1 root root   6929 Feb 22 07:40 fast.log
drwxr-xr-x. 2 root root      6 Feb 22 07:22 files
-rw-r--r--. 1 root root      0 Feb 22 07:27 http.log
-rw-r--r--. 1 root root 158100 Feb 22 07:40 stats.log
-rw-r--r--. 1 root root   1176 Feb 22 07:32 unified2.alert.1456097269
-rw-r--r--. 1 root root      0 Feb 22 07:38 unified2.alert.1456097901
-rw-r-----. 1 root root   8286 Feb 22 07:40 unified2.alert.1456098009
[root@localhost suricata-2.0.11]#

Install a web server and stop the firewall
yum  -y  install  httpd
service  httpd  start
service  firewalld  stop

Use a separate host to run the attack (Nikto apparently cannot scan the host it runs on, so another machine is needed)

cd   /usr/local
wget  http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl
./nikto.pl -h 192.168.128.51



[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.51
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.51
+ Target Hostname:    192.168.128.51
+ Target Port:        80
+ Start Time:         2016-02-21 23:44:35 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2016-02-21 23:44:43 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#


Now the state on the Suricata host


[root@localhost suricata-2.0.11]# ls  -al  /var/log/suricata
total 10968
drwxr-xr-x. 4 root root    4096 Feb 22 07:51 .
drwxr-xr-x. 8 root root    4096 Feb 22 07:43 ..
drwxr-xr-x. 2 root root       6 Feb 22 07:22 certs
-rw-r--r--. 1 root root 5349804 Feb 22 07:51 eve.json
-rw-r--r--. 1 root root  106500 Feb 22 07:51 fast.log
drwxr-xr-x. 2 root root       6 Feb 22 07:22 files
-rw-r--r--. 1 root root 1222131 Feb 22 07:51 http.log
-rw-r--r--. 1 root root  166258 Feb 22 07:51 stats.log
-rw-r--r--. 1 root root    1176 Feb 22 07:32 unified2.alert.1456097269
-rw-r--r--. 1 root root       0 Feb 22 07:38 unified2.alert.1456097901
-rw-r-----. 1 root root    8286 Feb 22 07:40 unified2.alert.1456098009
-rw-r-----. 1 root root  267364 Feb 22 07:51 unified2.alert.1456098674
[root@localhost suricata-2.0.11]#

One more file has appeared, which shows it worked.

For rule management, consider Oinkmaster and PulledPork
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

(End)

Related
[Research] Suricata 2.0.11 intrusion detection system installation (CentOS 7.2 x64)
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script

*********************************************************************************

These posts are related

[Research] Suricata 1.4.6 intrusion detection system installation (CentOS 6.4 x64)
[Research] Suricata 1.4.6 quick install script (CentOS 6.4 x64)

[Research] Barnyard2 for Suricata 1.4.6 installation (CentOS 6.4 x64)
[Research] Barnyard2 for Suricata 1.4.6 quick install script (CentOS 6.4 x64)

[Research] Suricata 1.4.6 + Barnyard + BASE installation (CentOS 6.4 x64)

*********************************************************************************

Friday, February 19, 2016

[Research] ZMap 1.2.1 installation via yum (CentOS 6.7 x64)

2014-10-18

https://zmap.io/

Installation
https://zmap.io/download.html

Usage
https://zmap.io/documentation.html

According to the ZMap website it should be installable with yum, but in practice that fails

[root@localhost ~]# yum  -y  install  zmap
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
base                                                     | 3.7 kB     00:00
base/primary_db                                          | 4.6 MB     00:00
extras                                                   | 3.4 kB     00:00
extras/primary_db                                        |  34 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 3.9 MB     00:00
No package zmap available.
Error: Nothing to do
[root@localhost ~]#


****************************************

Install another way

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum  -y  install  zmap

Installation succeeded; test it

[root@localhost ~]# zmap -V
zmap 1.2.1

[root@localhost ~]# zmap -p 80  192.168.0.0/16
Feb 19 17:11:15.489 [INFO] zmap: output module: csv
Feb 19 17:11:15.490 [WARN] csv: no output file selected. no results will be provided.
 0:00 0%; send: 0 0 p/s (0 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
 0:01 11%; send: 46286 46.3 Kp/s (45.7 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
 0:02 21%; send: 65536 done (46.1 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
 0:03 32%; send: 65536 done (46.1 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
 0:04 43%; send: 65536 done (46.1 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
 0:05 53% (5s left); send: 65536 done (46.1 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
 0:06 64% (4s left); send: 65536 done (46.1 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
 0:07 74% (3s left); send: 65536 done (46.1 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
 0:08 85% (2s left); send: 65536 done (46.1 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
 0:09 96% (1s left); send: 65536 done (46.1 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
Feb 19 17:11:25.520 [INFO] zmap: completed

[root@localhost ~]#


For other usage, see

(End)

Related

[Research] ZMap 1.2.1 installation via yum (CentOS 6.7 x64)
http://shaurong.blogspot.com/2016/02/zmap-121-yum-centos-67-x64.html

[Research] ZMap 1.2.1 installation (CentOS 7.0 x64)
http://shaurong.blogspot.com/2014/10/zmap-121-centos-70-x64.html

[Research] ZMap 1.2.1 installation (CentOS 6.5 x64)
http://shaurong.blogspot.com/2014/10/zmap-121-centos-65-x64.html

Thursday, February 18, 2016

[Research] snort-2.9.8.0.tar.gz (CentOS 7.2 x64) quick install script

2016-02-18

The post below installs Snort from rpm, which is actually faster and simpler

[Research] Snort 2.9.8.0 installation + quick install script (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/02/snort-2980-centos-72-x64.html

However, pairing it with Barnyard 2.13 had problems, so I also looked into installing Snort from the .tar.gz and wrote this post.
(The rpm install does not have the /usr/local/src/snort-2.9.8.0/rpm/snort.sysconfig file; whether there are other problems I do not know)

Official website
https://www.snort.org/

Go to
http://dl.fedoraproject.org/pub/epel/7/x86_64/e/
and check whether epel-release-7-5.noarch.rpm still exists, or whether it has been replaced by a newer version such as
epel-release-7-6.noarch.rpm
epel-release-7-7.noarch.rpm
...
If so, this line in the quick install script below may need changing:
rpm  -Uvh  http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

References
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
http://manual.snort.org/
http://www.snort.org/docs
http://s3.amazonaws.com/snort-org/www/assets/202/snort2953_centos6x.pdf

snort-2.9.8.0.tar.gz and daq-2.0.6.tar.gz download URLs
http://www.snort.org/
https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz

libdnet-1.11.tar.gz download URL
http://libdnet.sourceforge.net/

PS: later I found libdnet-1.12.tar.gz here; has the official site moved?
https://code.google.com/p/libdnet/downloads/list

Rules download URLs (free registration; click Sign In at the top right, the download is only available after logging in)
http://www.snort.org/
https://www.snort.org/downloads/community/community-rules.tar.gz
https://www.snort.org/downloads/registered/snortrules-snapshot-2980.tar.gz

(These cannot be fetched with wget; download them in a browser and copy them to CentOS with WinSCP)

Subscriber Release requires a paid subscription to download, so skip it
Registered User Release is free after registering and logging in

Manually download the following files and put them in the /usr/local/src directory
libdnet-1.12.tar.gz
daq-2.0.5.tar.gz
snort-2.9.8.0.tar.gz
snortrules-snapshot-2980.tar.gz

Starting with version 2.9.3, Snort no longer supports MySQL output; Barnyard2 seems to solve that. ADOdb and BASE are not covered in this post either; perhaps another time.

Database output is dead. R.I.P.
Wednesday, July 18, 2012
http://blog.snort.org/2012/07/database-output-is-dead-rip.html

Barnyard 2 official website
http://www.securixlive.com/
https://github.com/firnsy/barnyard2

ADOdb official website
http://adodb.sourceforge.net/
http://sourceforge.net/projects/adodb/files/adodb-php5-only/
(last updated 2015-12-27, file adodb-520-for-php5)

BASE official website (Basic Analysis and Security Engine)
http://base.secureideas.net/
http://sourceforge.net/projects/secureideas/files/BASE/
(last updated: v1.4.5, May 2010-03-05)

Installation reference
https://www.snort.org/documents
Getting SNORT working in CentOS 6.x/7.x and VirtualBox 4.x.x

First confirm the current network interface name


[root@localhost ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.128.158  netmask 255.255.255.0  broadcast 192.168.128.255
        inet6 fe80::20c:29ff:fed6:f1fd  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d6:f1:fd  txqueuelen 1000  (Ethernet)
        RX packets 677410  bytes 954720766 (910.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 340378  bytes 28929160 (27.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 94  bytes 5512 (5.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 94  bytes 5512 (5.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost ~]#


Contents of the quick install script (tested and working). First switch to root with su root, then run it:
chmod   +x   snort2.9.8.0_centos7.2x64.sh
./snort2.9.8.0_centos7.2x64.sh


#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.8.0_centos7.2x64.sh "
echo -e "snort-2.9.8.0.tar.gz Install Shell Script (CentOS 7.2 x64) "
echo -e "by Shau-Rong Lu 2016-02-18 "
echo -e "\033[0m"

yum -y install gcc gcc-c++ flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump libdnet libdnet-devel

rpm  -Uvh  https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm

cd  /usr/local/src
wget  https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz

if [ ! -s snortrules-snapshot-2980.tar.gz ]; then
  echo "Can not find  /usr/local/src/snortrules-snapshot-2980.tar.gz"
  exit 1
fi

tar zxvf snort-2.9.8.0.tar.gz
cd /usr/local/src/snort-2.9.8.0
./configure
make
make install

mkdir -p /etc/snort
cd /usr/local/src
tar xzvf /usr/local/src/snortrules-snapshot-2980.tar.gz -C /etc/snort
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

groupadd -g 40000 snort
useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

cp /etc/snort/etc/* /etc/snort/.

sed -i -e "s@var RULE_PATH@#var RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var RULE_PATH/avar RULE_PATH /etc/snort/rules"   /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var RULE_PATH"

sed -i -e "s@var SO_RULE_PATH@#var SO_RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var SO_RULE_PATH/avar SO_RULE_PATH /etc/snort/so_rules"   /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var SO_RULE_PATH"

sed -i -e "s@var PREPROC_RULE_PATH@#var PREPROC_RULE_PATH@"   /etc/snort/snort.conf
sed -i -e "/var PREPROC_RULE_PATH/avar PREPROC_RULE_PATH /etc/snort/preproc_rules"   /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var PREPROC_RULE_PATH"

sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var WHITE_LIST_PATH"

sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var BLACK_LIST_PATH"

mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

snort -T -c /etc/snort/snort.conf -i eno16777736 -g snort -u snort
if [ "$?" != "0" ]; then
  echo "Snort Test Failed !"
  exit 1
fi

ps aux | grep snort

# The snortd shipped in snort-2.9.8.0.tar.gz fails when used, so one is built by hand below
#cp  /usr/local/src/snort-2.9.8.0/rpm/snortd  /etc/init.d/.
#chmod +x /etc/init.d/snortd
#cp /root/snort-2.9.8.0/rpm/snort.sysconfig /etc/sysconfig/snort
#ln -s /usr/local/bin/snort /usr/sbin/snort

# back up any existing snortd; without this test, mv only prints an error on a fresh system
[ -f /etc/init.d/snortd ] && mv  /etc/init.d/snortd   /etc/init.d/snortd.old

echo '#!/bin/bash'  > /etc/init.d/snortd

echo ""  >> /etc/init.d/snortd
echo "# chkconfig: 345 99 01"  >> /etc/init.d/snortd
echo "# description: Snort startup script"  >> /etc/init.d/snortd
echo "# 345 - levels to configure"  >> /etc/init.d/snortd
echo "# 99 - startup order"  >> /etc/init.d/snortd
echo "# 01 - stop order"  >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo ". /etc/rc.d/init.d/functions "  >> /etc/init.d/snortd
#echo "INTERFACE=eth0" >> /etc/init.d/snortd
echo "INTERFACE=eno16777736" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "case \"\$1\" in " >> /etc/init.d/snortd
echo "start)" >> /etc/init.d/snortd
echo "  echo -n \"Starting Snort: \"" >> /etc/init.d/snortd
echo "  daemon PCAP_FRAMES=max /usr/local/bin/snort -D -i \$INTERFACE -c /etc/snort/snort.conf" >> /etc/init.d/snortd
echo "  echo" >> /etc/init.d/snortd
echo "  ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "stop)" >> /etc/init.d/snortd
echo "  echo -n \"Stopping Snort: \"" >> /etc/init.d/snortd
echo "  killproc snort" >> /etc/init.d/snortd
echo "  echo" >> /etc/init.d/snortd
echo "  ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "restart)" >> /etc/init.d/snortd
echo "  \$0 stop" >> /etc/init.d/snortd
echo "  \$0 start" >> /etc/init.d/snortd
echo "  ;;" >> /etc/init.d/snortd
echo "status)" >> /etc/init.d/snortd
echo "  status snort" >> /etc/init.d/snortd
echo "  ;;" >> /etc/init.d/snortd
echo "*)" >> /etc/init.d/snortd
echo "  echo \"Usage: \$0 {start|stop|restart|status}\"" >> /etc/init.d/snortd
echo "  exit 1" >> /etc/init.d/snortd
echo "esac" >> /etc/init.d/snortd
echo "exit 0" >> /etc/init.d/snortd

chmod +x /etc/init.d/snortd
chkconfig  --add  snortd
chkconfig  snortd on
service  snortd  start

# Verify (service snortd status alone is not reliable enough)
ps aux | grep snort

echo "You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite "
echo ""
echo "or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite"
echo "  wget http://www.cirt.net/nikto/nikto-current.tar.gz"
echo "  tar zxvf nikto-current.tar.gz"
echo "  cd nikto-*"
echo "  chmod +x nikto.pl"
echo "  ./nikto.pl -h xxx.xxx.xxx.xxx"


Seeing the following message means the quick install script succeeded


[root@localhost snort]# snort -T -c /etc/snort/snort.conf -i eno16777736 -g snort -u snort

...(omitted)

Snort successfully validated the configuration!
Snort exiting
[root@localhost snort]#


Test (startup takes a little while)


[root@localhost snort]# service snortd start
Starting snortd (via systemctl):                           [  OK  ]

[root@localhost snort]# service snortd status
● snortd.service - SYSV: Snort startup script
   Loaded: loaded (/etc/rc.d/init.d/snortd)
   Active: active (running) since Thu 2016-02-18 14:09:25 CST; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 25956 ExecStop=/etc/rc.d/init.d/snortd stop (code=exited, status=0/SUCCESS)
  Process: 26110 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/snortd.service
           └─26167 /usr/local/bin/snort -D -i eno16777736 -c /etc/snort/snort...

Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]:            Preprocessor O...
Feb 18 14:09:25 localhost.localdomain snort[26167]: Commencing packet process...
Hint: Some lines were ellipsized, use -l to show in full.

[root@localhost snort]# ps aux | grep snort
root      26167  0.0 23.8 786532 446072 ?       Ssl  14:09   0:00 /usr/local/bin/snort -D -i eno16777736 -c /etc/snort/snort.conf
root      26243  0.0  0.0 112644   960 pts/0    S+   14:09   0:00 grep --color=auto snort
[root@localhost snort]#



Prepare the host that will be attacked


[root@localhost snort]# yum  -y  install  httpd
[root@localhost snort]# service httpd restart


Temporarily stop the firewall


[root@localhost ~]# service firewalld stop


First look at Snort's current logs; the alert file is 0 bytes


[root@localhost snort]# ls -al /var/log/snort
total 20
drwx------.  3 snort snort 4096 Feb 18 14:16 .
drwxr-xr-x. 20 root  root  4096 Feb 18 14:17 ..
-rw-r--r--.  1 root  root     0 Feb 18 14:03 alert
-rw-r--r--.  1 snort snort   18 Nov 20 13:02 .bash_logout
-rw-r--r--.  1 snort snort  193 Nov 20 13:02 .bash_profile
-rw-r--r--.  1 snort snort  231 Nov 20 13:02 .bashrc
drwxr-xr-x.  4 snort snort   37 Feb 17 19:49 .mozilla
-rw-------.  1 snort snort    0 Feb 18 14:04 snort_eno16777736.pid.lck
-rw-------.  1 root  root     0 Feb 18 14:03 snort.log.1455775427
-rw-------.  1 root  root     0 Feb 18 14:16 snort.log.1455776207
[root@localhost snort]#


Use a separate host to run the attack (Nikto apparently cannot scan the host it runs on, so another machine is needed)
192.168.128.133 is the host with Snort installed
192.168.128.134 is the host with Nikto installed


[root@localhost ~]# cd  /usr/local
[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.133
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.133
+ Target Hostname:    192.168.128.133
+ Target Port:        80
+ Start Time:         2016-02-18 22:22:40 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2016-02-18 22:22:47 (GMT8) (7 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested



Back on the Snort host, the alert file has grown from 0 bytes to a non-zero size, which shows Snort is working


[root@localhost snort]# ls -al /var/log/snort
total 48
drwx------.  3 snort snort  4096 Feb 18 14:16 .
drwxr-xr-x. 20 root  root   4096 Feb 18 14:17 ..
-rw-r--r--.  1 root  root    387 Feb 18 14:22 alert
-rw-r--r--.  1 snort snort    18 Nov 20 13:02 .bash_logout
-rw-r--r--.  1 snort snort   193 Nov 20 13:02 .bash_profile
-rw-r--r--.  1 snort snort   231 Nov 20 13:02 .bashrc
drwxr-xr-x.  4 snort snort    37 Feb 17 19:49 .mozilla
-rw-------.  1 snort snort     0 Feb 18 14:04 snort_eno16777736.pid.lck
-rw-------.  1 root  root      0 Feb 18 14:03 snort.log.1455775427
-rw-------.  1 root  root  22754 Feb 18 14:22 snort.log.1455776207
[root@localhost snort]#


Test succeeded.
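Both the Suricata post above and this Snort post confirm detection only by noticing that a log file grew (an extra unified2 file there, a non-zero alert file here). As an added example, not code from either post, the script below summarises which signatures fired and how many alerts came from the scanning host; it assumes Suricata's one-line fast.log format and Snort's full-format alert file, and the sample log lines, sids and messages are constructed.

```shell
#!/bin/sh
# Added example (not from the original posts): summarise IDS alerts instead of
# only checking that a log file grew. One awk program handles both Suricata's
# one-line fast.log and Snort's multi-line full-format "alert" file: the
# "[**] [gid:sid:rev] message [**]" header gives the signature and the
# "src:port -> dst:port" line gives the source address (IPv4 only).

# Print one "signature<TAB>source_ip" line per alert, for either format.
extract_alerts() {
    awk '
    /\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
        msg = $0
        sub(/^.*\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] /, "", msg)   # drop up to the sid triplet
        sub(/ \[\*\*\].*$/, "", msg)                          # drop the trailing [**] ...
    }
    / -> / {
        # the field just before "->" is src:port; strip the port
        for (i = 1; i < NF; i++) if ($(i + 1) == "->") src = $i
        sub(/:[0-9]+$/, "", src)
        if (msg != "") printf "%s\t%s\n", msg, src
        msg = ""
    }' "$1"
}

# Alert count per signature, most frequent first.
alerts_by_signature() {
    extract_alerts "$1" | cut -f1 | sort | uniq -c | sort -rn
}

# Number of alerts whose source is the given IP (e.g. the Nikto host).
count_alerts_from() {
    extract_alerts "$1" | awk -F "$(printf '\t')" -v ip="$2" '$2 == ip { n++ } END { print n + 0 }'
}

# Constructed sample logs (sids in the local 1000000+ range, made-up messages),
# written to DIR/fast.log and DIR/alert so the functions can be exercised offline.
write_samples() {
    cat > "$1/fast.log" <<'EOF'
02/22/2016-07:51:14.531214  [**] [1:1000001:1] LOCAL Web scanner user-agent seen [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.128.134:51234 -> 192.168.128.51:80
02/22/2016-07:51:14.702880  [**] [1:1000002:1] LOCAL HTTP TRACE request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.128.134:51235 -> 192.168.128.51:80
02/22/2016-07:51:15.010312  [**] [1:1000001:1] LOCAL Web scanner user-agent seen [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.128.134:51236 -> 192.168.128.51:80
02/22/2016-07:53:02.118455  [**] [1:1000003:1] LOCAL Directory index request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.128.77:40022 -> 192.168.128.51:80
EOF
    cat > "$1/alert" <<'EOF'
[**] [1:1000001:1] LOCAL Web scanner user-agent seen [**]
[Classification: Web Application Attack] [Priority: 1]
02/18-14:22:40.118452 192.168.128.134:43120 -> 192.168.128.133:80
TCP TTL:64 TOS:0x0 ID:18733 IpLen:20 DgmLen:310 DF

[**] [1:1000002:1] LOCAL HTTP TRACE request [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/18-14:22:41.004120 192.168.128.134:43121 -> 192.168.128.133:80
TCP TTL:64 TOS:0x0 ID:18734 IpLen:20 DgmLen:298 DF

[**] [1:1000003:1] LOCAL Directory index request [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/18-14:25:03.771900 192.168.128.77:39002 -> 192.168.128.133:80
TCP TTL:64 TOS:0x0 ID:20101 IpLen:20 DgmLen:305 DF
EOF
}

# Stand-alone demo: build the samples in a temporary directory and summarise them.
tmpdir=$(mktemp -d) && write_samples "$tmpdir"
for f in fast.log alert; do
    echo "== $tmpdir/$f: alerts by signature =="
    alerts_by_signature "$tmpdir/$f"
    echo "from 192.168.128.134: $(count_alerts_from "$tmpdir/$f" 192.168.128.134)"
done
rm -rf "$tmpdir"
```

On a real host, point the functions at /var/log/suricata/fast.log or /var/log/snort/alert instead of the sample directory.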

(End)

[Research] snort-2.9.8.0.tar.gz (CentOS 7.2 x64) quick install script
http://shaurong.blogspot.com/2016/02/snort-2980targz-centos-72-x64.html

[Research] Snort 2.9.8.0 installation + quick install script (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/02/snort-2980-centos-72-x64.html

[Research] Snort 2.9.7.0 + Barnyard 2.13 installation (CentOS 6.6 x64) quick install script
http://shaurong.blogspot.com/2015/02/snort-2970-barnyard-213-centos-66-x64.html

[Research] snort-2.9.6.2.tar.gz (CentOS 6.5 x64) quick install script