Installing Barnyard2 / BASE / ADOdb for Suricata

Reference page:
Suricata + Barnyard + BASE installation (Neverland)

The following is adapted from: "Getting Snort running", Information Security (資安人科技網)

Barnyard is a dedicated tool that reads Snort's unified output and writes it to a database; it also monitors the database connection directly to prevent data loss. Unified output is one of Snort's three output options, and it speeds up processing by relieving the Snort engine of the payload translation work.

1. Install the required packages
# yum install git libtool libnet libnet-devel mariadb-devel daq-devel libyaml-devel file-devel libcap-ng-devel libpcap-devel libdnet-devel

2. Change directory
# cd /usr/local/src

3. Fetch barnyard2 with git
# git clone https://github.com/firnsy/barnyard2.git barnyard2
Cloning into 'barnyard2'...
remote: Counting objects: 1292, done.
remote: Total 1292 (delta 0), reused 0 (delta 0), pack-reused 1292
Receiving objects: 100% (1292/1292), 1.04 MiB | 601.00 KiB/s, done.
Resolving deltas: 100% (896/896), done.

4. Change directory
# cd barnyard2

5. Generate the build system
# ./autogen.sh
Found libtoolize
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:11: installing ‘./config.guess’
configure.ac:11: installing ‘./config.sub’
configure.ac:8: installing ‘./install-sh’
configure.ac:8: installing ‘./missing’
autoreconf: Leaving directory `.'
You can now run "./configure" and then "make".

6. Compile and install
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
# make && make install

7. Copy the files to their destinations
# cp /usr/local/src/barnyard2/rpm/barnyard2.config /etc/sysconfig/barnyard2
# cp /usr/local/src/barnyard2/rpm/barnyard2 /etc/init.d/

8. Make the init script executable
# chmod +x /etc/init.d/barnyard2

9. Start barnyard2 at boot
# chkconfig --add barnyard2

10. Create the symlinks
# ln -s /usr/local/etc/barnyard2.conf /etc/suricata/barnyard2.conf
# ln -s /usr/local/bin/barnyard2 /usr/bin/

11. Create the directory
# mkdir -p /var/log/snort/eth0/archive/

12. Edit /etc/init.d/barnyard2 (the sed scripts are single-quoted so the double quotes inside BARNYARD_OPTS need no escaping)
# sed -i -e 's@Snort Output Processor@Suricata Output Processor@' /etc/init.d/barnyard2
# sed -i -e 's@BARNYARD_OPTS=@#BARNYARD_OPTS=@' /etc/init.d/barnyard2
# sed -i -e '/daemon/iBARNYARD_OPTS="-D -c /etc/suricata/barnyard2.conf -d /var/log/suricata -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid"' /etc/init.d/barnyard2

13. Edit /etc/sysconfig/barnyard2
# sed -i -e 's@LOG_FILE=@#LOG_FILE=@' /etc/sysconfig/barnyard2
# sed -i -e '/LOG_FILE="snort_unified.log"/aLOG_FILE="unified2.log"' /etc/sysconfig/barnyard2
# sed -i -e 's@CONF@#CONF@' /etc/sysconfig/barnyard2
# sed -i -e 's@SNORTDIR@#SNORTDIR@' /etc/sysconfig/barnyard2
# sed -i -e '/Probably not this either/aCONF=/etc/suricata/barnyard2.conf' /etc/sysconfig/barnyard2
# sed -i -e '/#SNORTDIR/aSNORTDIR="/var/log/suricata"' /etc/sysconfig/barnyard2

14. Edit /etc/suricata/barnyard2.conf
# cp /etc/suricata/barnyard2.conf /etc/suricata/barnyard2.conf.$(date +%F)
# sed -i 's@/etc/snort/reference.config@/etc/suricata/rules/reference.config@' /etc/suricata/barnyard2.conf
# sed -i 's@/etc/snort/classification.config@/etc/suricata/rules/classification.config@' /etc/suricata/barnyard2.conf
# sed -i 's@/etc/snort/gen-msg.map@/etc/suricata/rules/gen-msg.map@' /etc/suricata/barnyard2.conf
# sed -i 's@/etc/snort/sid-msg.map@/etc/suricata/rules/sid-msg.map@' /etc/suricata/barnyard2.conf
# sed -i -e '/database: log to a variety of databases/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=suricatadb host=localhost' /etc/suricata/barnyard2.conf
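Steps 12 to 14 as one idempotent script, added here as an example and not part of the original post. It single-quotes the sed scripts so the double quotes inside BARNYARD_OPTS need no escaping, backs each file up once, tightens the permissions of the conf file that now carries the database password, and verifies the result. ROOT and DB_PASS are assumptions: ROOT prefixes every path so the script is exercised on constructed copies of the three files rather than on /etc, DB_PASS is a placeholder for the password the post writes inline, and LOG_FILE is set to unified2.alert to match the -f option and suricata.yaml.

```shell
#!/bin/sh
# Added example, not from the original post: steps 12-14 as one idempotent
# script. ROOT (assumption) prefixes every path so the edits are applied to
# constructed copies; DB_PASS (assumption) replaces the inline password.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"
DB_PASS="${DB_PASS:-CHANGE_ME}"            # placeholder; the post used 123456
INIT="$ROOT/etc/init.d/barnyard2"
SYSCONF="$ROOT/etc/sysconfig/barnyard2"
BY2CONF="$ROOT/etc/suricata/barnyard2.conf"

# Constructed stand-ins holding only the lines the post's sed patterns act on.
make_fixtures() {
    mkdir -p "$ROOT/etc/init.d" "$ROOT/etc/sysconfig" "$ROOT/etc/suricata"
    printf '%s\n' '# description: Snort Output Processor' \
        'BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -f $LOG_FILE"' \
        '        daemon /usr/local/bin/barnyard2 $BARNYARD_OPTS' > "$INIT"
    printf '%s\n' 'LOG_FILE="snort_unified.log"' '# Probably not this either' \
        'CONF=/etc/snort/barnyard2.conf' 'SNORTDIR="/var/log/snort"' > "$SYSCONF"
    printf '%s\n' 'config reference_file: /etc/snort/reference.config' \
        'config sid_file: /etc/snort/sid-msg.map' \
        '# database: log to a variety of databases' > "$BY2CONF"
}

# Keep one date-stamped copy per file, as step 14 does, before the first edit.
backup_once() {
    [ -e "$1.$(date +%F)" ] || cp -p "$1" "$1.$(date +%F)"
}

configure_barnyard2_for_suricata() {
    # Guard: a second run must not comment out and re-append the lines again.
    if grep -q '^BARNYARD_OPTS="-D -c /etc/suricata/barnyard2.conf' "$INIT"; then
        return 0
    fi
    backup_once "$INIT"; backup_once "$SYSCONF"; backup_once "$BY2CONF"

    # Step 12: rename the service, disable the stock options line and insert
    # ours before the daemon line (GNU sed one-line "i" form, as on CentOS).
    sed -i -e 's@Snort Output Processor@Suricata Output Processor@' \
        -e 's@^BARNYARD_OPTS=@#BARNYARD_OPTS=@' \
        -e '/daemon/iBARNYARD_OPTS="-D -c /etc/suricata/barnyard2.conf -d /var/log/suricata -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid"' \
        "$INIT"

    # Step 13: comment each Snort value and append the Suricata value right
    # after it ("a" text is queued, so later commands never touch it).
    sed -i -e 's@^LOG_FILE=@#LOG_FILE=@' -e '/^#LOG_FILE=/aLOG_FILE="unified2.alert"' \
        -e 's@^CONF=@#CONF=@' -e '/^#CONF=/aCONF=/etc/suricata/barnyard2.conf' \
        -e 's@^SNORTDIR=@#SNORTDIR=@' -e '/^#SNORTDIR=/aSNORTDIR="/var/log/suricata"' \
        "$SYSCONF"

    # Step 14: point the four map/config paths at /etc/suricata/rules and add
    # the database output line after its comment header.
    sed -i -e 's@/etc/snort/\(reference\.config\|classification\.config\|gen-msg\.map\|sid-msg\.map\)@/etc/suricata/rules/\1@' \
        -e "/database: log to a variety of databases/aoutput database: log, mysql, user=barnyard2 password=$DB_PASS dbname=suricatadb host=localhost" \
        "$BY2CONF"
    chmod 600 "$BY2CONF"    # the file now carries a database password
}

# Return 0 only if every edit landed and no /etc/snort path is left in the conf.
verify_config() {
    grep -q '^BARNYARD_OPTS="-D -c /etc/suricata/barnyard2.conf' "$INIT" &&
    grep -q '^#BARNYARD_OPTS=' "$INIT" &&
    grep -q '^LOG_FILE="unified2.alert"' "$SYSCONF" &&
    grep -q '^CONF=/etc/suricata/barnyard2.conf' "$SYSCONF" &&
    grep -q '^SNORTDIR="/var/log/suricata"' "$SYSCONF" &&
    grep -q '^output database: log, mysql, user=barnyard2 ' "$BY2CONF" &&
    ! grep -q '/etc/snort/' "$BY2CONF"
}

make_fixtures
configure_barnyard2_for_suricata
configure_barnyard2_for_suricata      # no-op on the second run
if verify_config; then echo "barnyard2 configured under $ROOT"; else echo "verification failed" >&2; fi
```

Set ROOT=/ to apply the same edits to the live files after removing the make_fixtures call.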

15. Edit /etc/suricata/suricata.yaml
# vim /etc/suricata/suricata.yaml
  - unified2-alert:
      enabled: yes
      filename: unified2.alert

16. Create the database and the user account/password (the name must match dbname=suricatadb in barnyard2.conf and the import in step 17)
# /usr/bin/mysql -u root -p
MariaDB [(none)]> create database suricatadb;
MariaDB [(none)]> grant all privileges on suricatadb.* to barnyard2@localhost identified by '123456';
MariaDB [(none)]> flush privileges;

17. Import the schema
# /usr/bin/mysql suricatadb -ubarnyard2 -p123456 < /usr/local/src/barnyard2/schemas/create_mysql

18. Run a test
# /usr/local/bin/barnyard2 -T -c /etc/suricata/barnyard2.conf -d /var/log/suricata -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid

19. If it fails to start, create a systemd unit instead
# vim /etc/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Dedicated Unified2 Spooler
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid

[Install]
WantedBy=multi-user.target

20. Create the log directory and change its owner and group
# mkdir /var/log/barnyard2
# chown -R suricata:suricata /var/log/barnyard2

21. Enable at boot
# systemctl enable barnyard2.service
Created symlink from /etc/systemd/system/multi-user.target.wants/barnyard2.service to /etc/systemd/system/barnyard2.service.

22. Start and check
# systemctl start barnyard2
# systemctl status barnyard2.service
● barnyard2.service - Barnyard2 Dedicated Unified2 Spooler
   Loaded: loaded (/etc/systemd/system/barnyard2.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-03-01 19:06:47 CST; 1min 18s ago
 Main PID: 630 (barnyard2)
   CGroup: /system.slice/barnyard2.service
           └─630 /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -f unified2.alert

Mar 01 19:07:24 ids barnyard2[630]: database:  data encoding = hex
Mar 01 19:07:24 ids barnyard2[630]: database:   detail level = full
Mar 01 19:07:24 ids barnyard2[630]: database:     ignore_bpf = no
Mar 01 19:07:24 ids barnyard2[630]: database: using the "log" facility
Mar 01 19:07:24 ids barnyard2[630]: --== Initialization Complete ==--
Mar 01 19:07:24 ids barnyard2[630]:   ______   -*> Barnyard2 <*-
Mar 01 19:07:24 ids barnyard2[630]:  / ,,_  \  Version 2.1.14 (Build 337)
Mar 01 19:07:24 ids barnyard2[630]:  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
Mar 01 19:07:24 ids barnyard2[630]:  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
Mar 01 19:07:24 ids barnyard2[630]: Waiting for new spool file

23. Install BASE + ADOdb (web UI)
# cd /usr/local/src
# wget http://nchc.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz
# wget http://nchc.dl.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz
# tar zxvf base-1.4.5.tar.gz -C /var/www/html
# mv /var/www/html/base-1.4.5 /var/www/html/base
# chmod a+w /var/www/html/base
# tar zxvf adodb518a.tgz -C /var/www/html
# chmod a+w /var/www/html/adodb5
Edit /etc/php.ini
# vim /etc/php.ini
date.timezone = "Asia/Taipei"
error_reporting = E_ALL & ~E_NOTICE
Find
; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
and add the following line below it
include_path = ".:/usr/share/pear:/usr/share/php"

24. Restart the web server
# systemctl restart httpd

25. Change the directory permissions back (BASE only needs write access during its web setup)
# chmod a-w /var/www/html/base
# chmod a-w /var/www/html/adodb5

Installing the Suricata intrusion detection system on CentOS 7.x

Suricata, like Snort, is an intrusion detection system; for the differences between the two see:
Snort vs Suricata - Aanval Wiki

Suricata official site: https://oisf.net/suricata/
Reference sites:
浮雲雅築: [Research] Suricata 3.0 intrusion detection system installation (CentOS 7.2 x64)
How to install the Suricata intrusion detection system on Linux (每日頭條)
Building an IDS on CentOS using Suricata
CentOS Installation - Suricata - Open Information Security Foundation
IT Security through Open Source: Suricata - wildcard rule loading

1. Install Suricata from the EPEL repository
# yum install suricata --enablerepo=epel

2. Download and extract the rules
# wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
# tar xvzf suricata/emerging.rules.tar.gz -C /etc/suricata

3. Test the configuration file /etc/suricata/suricata.yaml
# /sbin/suricata -T -c /etc/suricata/suricata.yaml -i eth0
1/3/2017 -- 14:50:53 - <Info> - Running suricata under test mode
1/3/2017 -- 14:50:53 - <Notice> - This is Suricata version 3.2.1 RELEASE
1/3/2017 -- 14:50:56 - <Notice> - Configuration provided was successfully loaded. Exiting.

Without step 2 there are warnings like these:
# /sbin/suricata -T -c /etc/suricata/suricata.yaml -i eth0
1/3/2017 -- 14:16:50 - <Info> - Running suricata under test mode
1/3/2017 -- 14:16:50 - <Notice> - This is Suricata version 3.2.1 RELEASE
1/3/2017 -- 14:16:50 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/botcc.rules
1/3/2017 -- 14:19:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/ciarmy.rules
1/3/2017 -- 14:19:32 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/compromised.rules
1/3/2017 -- 14:20:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/drop.rules
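A pre-flight check for the warnings above, added here as an example and not part of the original post: it lists every entry under rule-files: in suricata.yaml, resolved against default-rule-path:, and reports the files that do not exist, which is exactly what SC_ERR_NO_RULES complains about. It assumes the stock one-entry-per-line layout of the rule-files: list; make_fixture builds a constructed suricata.yaml in a temporary directory so the check runs without a Suricata installation, and YAML_FILE (an assumption) selects the file to check.

```shell
#!/bin/sh
# Added example, not from the original post: report rule files referenced by
# suricata.yaml that are missing on disk before starting the daemon.
set -eu

# Print the absolute path of every rule file the config references. Assumes the
# stock layout: a "default-rule-path:" line followed later by a "rule-files:"
# list with one " - name" entry per line (commented entries are skipped).
list_rule_files() {
    awk '
        /^default-rule-path:/ { base = $2; gsub(/"/, "", base) }
        /^rule-files:/        { inlist = 1; next }
        inlist && /^[ \t]*#/  { next }
        inlist && /^[ \t]*-/  {
            sub(/^[ \t]*-[ \t]*/, "", $0); name = $1; gsub(/"/, "", name)
            if (name ~ /^\//) print name; else print base "/" name
            next
        }
        inlist && !/^[ \t]*$/ { inlist = 0 }
    ' "$1"
}

# Print each missing rule file; return 1 if any is missing, 0 otherwise.
check_rule_files() {
    missing=0
    for f in $(list_rule_files "$1"); do
        if [ ! -f "$f" ]; then
            echo "missing rule file: $f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed fixture: two of the four active entries exist, two do not.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rules"
    : > "$dir/rules/emerging-malware.rules"
    : > "$dir/rules/emerging-scan.rules"
    printf '%s\n' "default-rule-path: $dir/rules" 'rule-files:' \
        ' - botcc.rules' ' - emerging-malware.rules' ' # - ciarmy.rules' \
        ' - emerging-scan.rules' ' - drop.rules' \
        "classification-file: $dir/classification.config" > "$dir/suricata.yaml"
    echo "$dir/suricata.yaml"
}

YAML_FILE="${YAML_FILE:-$(make_fixture)}"
if check_rule_files "$YAML_FILE"; then
    echo "all rule files referenced by $YAML_FILE exist"
else
    echo "fetch and extract the rule set (step 2) before starting suricata" >&2
fi
```

On a real host run it as YAML_FILE=/etc/suricata/suricata.yaml; the missing-file list matches the SC_ERR_NO_RULES warnings suricata -T prints.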


4. Because it could never be started properly via systemctl, move the shipped unit aside
# mv /usr/lib/systemd/system/suricata.service /root

5. and create the init script /etc/init.d/suricatad by hand
# vim /etc/init.d/suricatad
#!/bin/sh
# $Id$
#
# suricatad         Start/Stop the suricata IDS daemon.
#
# chkconfig: 2345 40 60
# description:  Suricata is a lightweight network intrusion detection tool that
#                currently detects more than 1100 host and network
#                vulnerabilities, portscans, backdoors, and more.
#

# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Suricata: "
        daemon PCAP_FRAMES=max /sbin/suricata -D -c /etc/suricata/suricata.yaml -i eth0
        echo
        ;;
  stop)
        echo -n "Stopping Suricata: "
        killproc suricata
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status suricata
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0

6. Make the script executable
# chmod +x /etc/init.d/suricatad

7. Enable at boot, then start and check
# chkconfig --add suricatad
# /etc/init.d/suricatad start
# /etc/init.d/suricatad status
● suricatad.service - SYSV: Suricata is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
   Loaded: loaded (/etc/rc.d/init.d/suricatad; bad; vendor preset: disabled)
   Active: active (running) since Wed 2017-03-01 15:10:45 CST; 3min 58s ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/suricatad.service
           └─311 /sbin/suricata -D -c /etc/suricata/suricata.yaml -i eth0

Mar 01 15:10:45 ids systemd[1]: Starting SYSV: Suricata is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, back…s, and more….
Mar 01 15:10:45 ids suricatad[308]: Starting Suricata: 1/3/2017 -- 07:10:45 - <Notice> - This is Suricata version 3.2.1 RELEASE
Mar 01 15:10:45 ids suricatad[308]: [  OK  ]
Mar 01 15:10:45 ids systemd[1]: Started SYSV: Suricata is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more..
Hint: Some lines were ellipsized, use -l to show in full.

Installing Barnyard2 / BASE / ADOdb for Snort

Reference pages:
浮雲雅築: [Research] Snort 2.9.6.2 + Barnyard 2.13 installation (CentOS 6.5 x64), quick install script
Startup script timeout (Centos 7) · Issue #141 · firnsy/barnyard2 · GitHub

The following is adapted from: "Getting Snort running", Information Security (資安人科技網)

Barnyard is a dedicated tool that reads Snort's unified output and writes it to a database; it also monitors the database connection directly to prevent data loss. Unified output is one of Snort's three output options, and it speeds up processing by relieving the Snort engine of the payload translation work.

1. Install the required packages
# yum install git libtool libnet libnet-devel mariadb-devel daq-devel libyaml-devel file-devel libcap-ng-devel libpcap-devel libdnet-devel

2. Change directory
# cd /usr/local/src

3. Fetch barnyard2 with git
# git clone https://github.com/firnsy/barnyard2.git barnyard2

4. Change directory
# cd barnyard2

5. Generate the build system
# ./autogen.sh
[autoreconf output identical to the Suricata post above, omitted]
You can now run "./configure" and then "make".

6. Compile and install
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
# make && make install

7. Copy the files to their destinations
# cp /usr/local/src/barnyard2/rpm/barnyard2.config /etc/sysconfig/barnyard2
# cp /usr/local/src/barnyard2/rpm/barnyard2 /etc/init.d/

8. Make the init script executable
# chmod +x /etc/init.d/barnyard2

9. Start barnyard2 at boot
# chkconfig --add barnyard2

10. Create the symlinks
# ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard2.conf
# ln -s /usr/local/bin/barnyard2 /usr/bin/

11. Create the directory
# mkdir -p /var/log/snort/eth0/archive/

12. Edit /etc/init.d/barnyard2 (single-quoted sed script, so the inner double quotes and $CONF need no escaping from the shell)
# sed -i -e 's@BARNYARD_OPTS=@#BARNYARD_OPTS=@' /etc/init.d/barnyard2
# sed -i -e '/BARNYARD_OPTS="-D -c \$CONF/aBARNYARD_OPTS="-D -c /etc/snort/barnyard2.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid"' /etc/init.d/barnyard2

13. Edit /etc/sysconfig/barnyard2
# sed -i -e 's@LOG_FILE=@#LOG_FILE=@' /etc/sysconfig/barnyard2
# sed -i -e '/LOG_FILE="snort_unified.log"/aLOG_FILE="snort.log"' /etc/sysconfig/barnyard2

14. Edit /etc/sysconfig/snort
# sed -i -e 's@ALERTMODE=fast@#ALERTMODE=fast@' /etc/sysconfig/snort
# sed -i -e 's@BINARY_LOG=1@#BINARY_LOG=1@' /etc/sysconfig/snort

15. Edit /etc/snort/barnyard2.conf (dbname must match the database created in step 17)
# sed -i -e 's@config sid_file@# config sid_file@' /etc/snort/barnyard2.conf
# sed -i -e '/config sid_file/aconfig sid_file: /etc/snort/etc/sid-msg.map' /etc/snort/barnyard2.conf
# sed -i -e '/database: log to a variety of databases/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=snortdb host=localhost' /etc/snort/barnyard2.conf

16. Edit /etc/snort/snort.conf
# sed -i -e 's@output unified2@#output unified2@' /etc/snort/snort.conf
# sed -i -e '/output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types/aoutput unified2: filename snort.log, limit 128' /etc/snort/snort.conf

17. Create the database and the user account/password
# /usr/bin/mysql -u root -p
MariaDB [(none)]> create database snortdb;
MariaDB [(none)]> grant all privileges on snortdb.* to barnyard2@localhost identified by '123456';
MariaDB [(none)]> flush privileges;

19. Import the schema
# /usr/bin/mysql snortdb -ubarnyard2 -p123456 < /usr/local/src/barnyard2/schemas/create_mysql

20. Run a test
# /usr/local/bin/barnyard2 -T -c /etc/snort/barnyard2.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid

If it fails to start, create a systemd unit instead
# vim /etc/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Dedicated Unified2 Spooler
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log

[Install]
WantedBy=multi-user.target

# systemctl enable barnyard2.service
Created symlink from /etc/systemd/system/multi-user.target.wants/barnyard2.service to /etc/systemd/system/barnyard2.service.
# systemctl start barnyard2

21. Install BASE + ADOdb (web UI)
# cd /usr/local/src
# wget http://nchc.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz
# wget http://nchc.dl.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz
# tar zxvf base-1.4.5.tar.gz -C /var/www/html
# mv /var/www/html/base-1.4.5 /var/www/html/base
# chmod a+w /var/www/html/base
# tar zxvf adodb518a.tgz -C /var/www/html
# chmod a+w /var/www/html/adodb5
Edit /etc/php.ini
# vim /etc/php.ini
date.timezone = "Asia/Taipei"
error_reporting = E_ALL & ~E_NOTICE
Find
; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
and add the following line below it
include_path = ".:/usr/share/pear:/usr/share/php"

22. Restart the web server
# systemctl restart httpd

23. Screenshots of the installation
[screenshots omitted]

24. Change the directory permissions back (BASE only needs write access during its web setup)
# chmod a-w /var/www/html/base
# chmod a-w /var/www/html/adodb5

Updating Snort rules with PulledPork

Reference sites:
Setting up Snort - Part 4 - Installing PulledPork · Don Mizutani
How To Install Snort NIDS On CentOS 7 | Unixmen

# yum install git
# git clone https://github.com/shirkdog/pulledpork.git
# cd pulledpork/
# cp pulledpork.pl /usr/local/bin
# chmod +x /usr/local/bin/pulledpork.pl
# cp -v etc/*.conf /etc/snort
‘etc/disablesid.conf’ -> ‘/etc/snort/disablesid.conf’
‘etc/dropsid.conf’ -> ‘/etc/snort/dropsid.conf’
‘etc/enablesid.conf’ -> ‘/etc/snort/enablesid.conf’
‘etc/modifysid.conf’ -> ‘/etc/snort/modifysid.conf’
‘etc/pulledpork.conf’ -> ‘/etc/snort/pulledpork.conf’
# mkdir /etc/snort/rules/iplists
# touch /etc/snort/rules/iplists/default.blacklist

Install the required packages
# yum install perl-libwww-perl perl-Crypt-SSLeay perl-Sys-Syslog perl-Archive-Tar perl-LWP-Protocol-https

Test the PulledPork configuration
# /usr/local/bin/pulledpork.pl -V

Edit the config file /etc/snort/pulledpork.conf (Oinkcode in the first rule_url stands for your own oinkcode)
# egrep -v '^#|^$' /etc/snort/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|Oinkcode
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://snort.org/downloads/community/|opensource.tar.gz|Opensource
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/sbin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-6-0
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/bin/snort_control
enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf
version=0.7.3

Run the update
# /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

    https://github.com/shirkdog/pulledpork
    [ASCII-art pig banner]  PulledPork v0.7.3 - Making signature updates great again!
                            Copyright (C) 2009-2016 JJ Cummings  cummingsj@gmail.com
                            Rules give me wings!
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2990.tar.gz….
        They Match
        Done!
Checking latest MD5 for community-rules.tar.gz….
        They Match
        Done!
IP Blacklist download of http://talosintelligence.com/feeds/ip-filter.blf….
Reading IP List…
Checking latest MD5 for opensource.tar.gz….
        They Match
        Done!
Blacklist version is unchanged, not updating!
Writing /var/log/sid_changes.log….
        Done

No Rule Changes

No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Add a cron job
# crontab -e
01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l > /dev/null 2>&1

Sending all output to /dev/null also hides download failures, so check the sid_changelog file (/var/log/sid_changes.log above) from time to time, or log the output to a file instead.

Installing Snort on CentOS 7.x

Snort official site: https://www.snort.org/

1. Download the packages provided on the official site:
# wget https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
# wget https://www.snort.org/downloads/snort/snort-2.9.9.0-1.centos7.x86_64.rpm

Reference site:
浮雲雅築: [Research] Snort 2.9.8.0 installation + quick install script (CentOS 7.2 x64)

2. Install the dependencies
# yum install libpcap-devel libdnet-devel libnghttp2-devel

If these packages are not installed first, installing daq and snort directly fails with:
# rpm -ivh daq-2.0.6-1.centos7.x86_64.rpm
error: Failed dependencies:
        libpcap.so.1()(64bit) is needed by daq-2.0.6-1.x86_64
# rpm -ivh snort-2.9.9.0-1.centos7.x86_64.rpm
error: Failed dependencies:
        libdnet.so.1()(64bit) is needed by snort-1:2.9.9.0-1.x86_64
        libnghttp2.so.14()(64bit) is needed by snort-1:2.9.9.0-1.x86_64
        libpcap.so.1()(64bit) is needed by snort-1:2.9.9.0-1.x86_64
        libsfbpf.so.0()(64bit) is needed by snort-1:2.9.9.0-1.x86_64

3. Install
# rpm -ivh daq-2.0.6-1.centos7.x86_64.rpm snort-2.9.9.0-1.centos7.x86_64.rpm

4. Register and download the rules
https://www.snort.org/downloads/#rule-downloads

5. Extract the rules
# tar xvzf snortrules-snapshot-2990.tar.gz -C /etc/snort

6. Create the black/white lists
# cp /etc/snort/snort.conf /etc/snort/snort.conf.$(date +%F)
# sed -i 's|../rules|rules|' /etc/snort/snort.conf
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

# sed -i "s|var BLACK_LIST_PATH|#var BLACK_LIST_PATH|" /etc/snort/snort.conf
# sed -i "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
# sed -i "s|var WHITE_LIST_PATH|#var WHITE_LIST_PATH|" /etc/snort/snort.conf
# sed -i "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf

7. Edit the config file /etc/snort/snort.conf
# sed -i 's/^dynamicdetection/#dynamicdetection/' /etc/snort/snort.conf

# mkdir -p /usr/local/lib/snort_dynamicrules

8. Check that the configuration is valid
# snort -T -c /etc/snort/snort.conf
......
Snort successfully validated the configuration!
Snort exiting

9. Start snort
# systemctl start snortd
or
# /etc/init.d/snortd start

10. Check the status
# /etc/init.d/snortd status
● snortd.service - SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
   Loaded: loaded (/etc/rc.d/init.d/snortd; bad; vendor preset: disabled)
   Active: active (running) since Fri 2017-02-24 21:57:01 CST; 6s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 429 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/snortd.service
           └─435 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
Feb 24 21:57:01 fb snort[435]: Commencing packet processing (pid=435)

# ps aux | grep snort | grep -v grep
snort      435  0.0 80.3 810840 421080 ?       Ssl  21:57   0:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Updating Snort rules

The host acting as the intrusion detection system updates its Snort rules with oinkmaster, but recently (it has actually been a while; I was just too lazy to deal with it) I kept getting error messages like the following in my mailbox:

http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2860.tar.gz
Resolving www.snort.org... 23.23.143.164
Connecting to www.snort.org|23.23.143.164|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2013-09-07 23:30:03 ERROR 403: Forbidden.

I guessed that the download path for the Snort rules had changed, so I logged in to the Snort website and finally found the solution:

Edit /etc/snort/oinkmaster.conf (the path may differ depending on how it was installed)
# vim /etc/snort/oinkmaster.conf
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/snortrules-snapshot-2931.tar.gz

The <oinkcode here> part is your oinkcode.

Test it
# /usr/local/bin/oinkmaster.pl -C /etc/snort/oinkmaster.conf -o /etc/snort/rules/
Loading /etc/snort/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2931.tar.gz...

    -> protocol-ftp.rules
    -> protocol-icmp.rules
    -> protocol-imap.rules
    -> protocol-nntp.rules
    -> protocol-pop.rules
    -> protocol-rpc.rules
    -> protocol-scada.rules
    -> protocol-services.rules
    -> protocol-snmp.rules
    -> protocol-telnet.rules
    -> protocol-tftp.rules
    -> protocol-voip.rules
    -> pua-adware.rules
    -> pua-other.rules
    -> pua-p2p.rules
    -> pua-toolbars.rules
    -> server-apache.rules
    -> server-iis.rules
    -> server-mail.rules
    -> server-mssql.rules
    -> server-mysql.rules
    -> server-oracle.rules
    -> server-other.rules
    -> server-samba.rules
    -> server-webapp.rules

OK, done!