Wednesday, April 29, 2015
Tuesday, April 28, 2015
[Chrome] Adding a user
Google Chrome's multi-user feature has actually been available since January 2012. When I went to another school to teach a computer workshop, I found that many people did not know how useful it is, so I am writing this post to introduce it.
First watch this Google Chrome video; it shows what the feature is for.
- One computer, several users (accounts)
For example, a home computer shared by several family members, or one computer on which I need to switch between and sign in to several different Google accounts.
Each user gets their own bookmarks, extensions, settings and theme.
- One user (account), several computers
I use a home computer, an office computer at school and a teaching computer. I can add the same user account on all three, and their bookmarks and Chrome apps stay in sync.
For example, if I add a new bookmark or Chrome app at home, the data is synced automatically when I open Chrome at school.
【How to add a user】
See the slides below (use the arrow keys to change pages)
Tuesday, April 21, 2015
software      config file          database
gallery232    mainfile.php         gallery2
joomla        configuration.php    joomlapr_wuchi
xoops         config.php           wcjh
dyna          config.inc.php       dyna
----------------------------------------------------------
ips-245       snortdb              243    ./nikto.pl -h 163.17.209.245
----------------------------------------------------------
test
mysql
information_schema
[Research] snort-2.9.6.0.tar.gz (CentOS 6.5 x64) quick install script
2014-02-05
********************************************************************************
These posts are related
[Research] snort-2.9.6.0.tar.gz (CentOS 6.5 x64) quick install script
http://shaurong.blogspot.com/2014/02/snort-2960targz-centos-65-x64.html
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64.html
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script (part 2)
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64_28.html
[Research] Snort 2.9.5.5 + Barnyard installation (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/snort-2955-barnyard-centos-64-x64.html
[Research] Snort 2.9.5.5 + Barnyard + BASE installation (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/snort-2955-barnyard-base-centos-64-x64.html
********************************************************************************
References
http://manual.snort.org/
http://www.snort.org/docs
http://s3.amazonaws.com/snort-org/www/assets/202/snort296x_centos6x.pdf
Download page for snort-2.9.6.0.tar.gz and daq-2.0.2.tar.gz
http://www.snort.org/snort-downloads?
Download page for libdnet-1.11.tar.gz (not updated since 2005-01-19)
http://libdnet.sourceforge.net/
PS: I later found libdnet-1.12.tgz here; did the official site move?
https://code.google.com/p/libdnet/downloads/list
Download snortrules-snapshot-2956.tar.gz from
http://www.snort.org/snort-rules/?
Registered User Release: free registration, download after signing in
Subscriber Release: requires a paid subscription
Download the following files manually and put them in /usr/local/src:
libdnet-1.12.tgz
daq-2.0.2.tar.gz
snort-2.9.6.0.tar.gz
snortrules-snapshot-2956.tar.gz
Starting with version 2.9.3, Snort no longer supports writing to MySQL directly; Barnyard2 can fill that role. ADOdb and BASE are not covered in this post.
Barnyard 2 official site
http://www.securixlive.com/
ADOdb official site
http://adodb.sourceforge.net/
(latest release adodb-518-for-php5, 2012-09-04)
BASE official site (Basic Analysis and Security Engine)
http://base.secureideas.net/
(latest release v1.4.5, 2010-03-05)
Quick install script (tested working). Switch to root with su root first, then run it.
#!/bin/bash
# snort2.9.6.0_centos6.5x64.sh
# Builds libdnet, DAQ and Snort 2.9.6.0 from source on CentOS 6.5 x64, unpacks the
# rule snapshot into /etc/snort, validates the configuration and installs an init script.
echo -e "\033[31m"
echo -e "Program : snort2.9.6.0_centos6.5x64.sh "
echo -e "snort-2.9.6.0.tar.gz Install Shell Script (CentOS 6.5 x64) "
echo -e "by Shau-Rong Lu 2014-02-05 "
echo -e "\033[0m"

# Build dependencies
yum -y install gcc gcc-c++ flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump dos2unix

cd /usr/local/src
# libdnet is fetched automatically if missing; the other three tarballs must be downloaded by hand
if [ ! -s libdnet-1.12.tgz ]; then
  echo "Can not find /usr/local/src/libdnet-1.12.tgz, downloading it"
  #wget http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Flibdnet.sourceforge.net%2F&ts=1382718432&use_mirror=nchc
  wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
  # exit
fi
if [ ! -s daq-2.0.2.tar.gz ]; then
  echo "Can not find /usr/local/src/daq-2.0.2.tar.gz"
  exit 1
fi
if [ ! -s snort-2.9.6.0.tar.gz ]; then
  echo "Can not find /usr/local/src/snort-2.9.6.0.tar.gz"
  exit 1
fi
if [ ! -s snortrules-snapshot-2956.tar.gz ]; then
  echo "Can not find /usr/local/src/snortrules-snapshot-2956.tar.gz"
  exit 1
fi

tar zxvf libdnet-1.12.tgz
tar zxvf daq-2.0.2.tar.gz
tar zxvf snort-2.9.6.0.tar.gz

cd /usr/local/src/libdnet-1.12
./configure --with-pic
make
make install

cd /usr/local/src/daq-2.0.2
./configure
make
make install

cd /usr/local/src/snort-2.9.6.0
./configure --enable-sourcefire
make
make install

# libdnet and DAQ install into /usr/local/lib. If snort later fails with a missing
# shared-library error, add that directory to the loader cache:
# cd /usr/local/lib
# ldconfig -v /usr/local/lib

mkdir -p /etc/snort
cd /usr/local/src
tar xzvf /usr/local/src/snortrules-snapshot-2956.tar.gz -C /etc/snort
# snort.conf's reputation preprocessor references these two list files; they are not
# part of the snapshot, so create them empty or "snort -T" fails
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

# Unprivileged account for Snort; its home directory doubles as the log directory
groupadd -g 40000 snort
useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

# The snapshot ships snort.conf and the *.config/*.map files under etc/; copy them up
cp /etc/snort/etc/* /etc/snort/.

# Point the *_PATH variables at the absolute directories used here: comment out the
# snapshot's line, then append ours right after it, and show the result
sed -i -e "s@var RULE_PATH@#var RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var RULE_PATH/avar RULE_PATH /etc/snort/rules" /etc/snort/snort.conf
grep "var RULE_PATH" /etc/snort/snort.conf
sed -i -e "s@var SO_RULE_PATH@#var SO_RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var SO_RULE_PATH/avar SO_RULE_PATH /etc/snort/so_rules" /etc/snort/snort.conf
grep "var SO_RULE_PATH" /etc/snort/snort.conf
sed -i -e "s@var PREPROC_RULE_PATH@#var PREPROC_RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var PREPROC_RULE_PATH/avar PREPROC_RULE_PATH /etc/snort/preproc_rules" /etc/snort/snort.conf
grep "var PREPROC_RULE_PATH" /etc/snort/snort.conf
sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
grep "var WHITE_LIST_PATH" /etc/snort/snort.conf
sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
grep "var BLACK_LIST_PATH" /etc/snort/snort.conf

# Directory for compiled shared-object (SO) rules
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

# Validate the configuration before installing the service
snort -T -c /etc/snort/snort.conf
if [ "$?" != "0" ]; then
  echo "Snort Test Failed !"
  exit 1
fi

# The tarball's rpm/snortd and rpm/snort.sysconfig could be used instead of the
# generated init script below:
#cp /root/snort-2.9.5.5/rpm/snortd /etc/init.d/.
#chmod +x /etc/init.d/snortd
#cp /root/snort-2.9.5.5/rpm/snort.sysconfig /etc/sysconfig/snort
#ln -s /usr/local/bin/snort /usr/sbin/snort
#rm -fr /etc/init.d/snortd
[ -f /etc/init.d/snortd ] && mv /etc/init.d/snortd /etc/init.d/snortd.old

# Generate a minimal SysV init script. As written Snort keeps running as root; to drop
# privileges after the interface is opened, add "-u snort -g snort" to the daemon line.
echo '#!/bin/sh' > /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "# chkconfig: 345 99 01" >> /etc/init.d/snortd
echo "# description: Snort startup script" >> /etc/init.d/snortd
echo "# 345 - levels to configure" >> /etc/init.d/snortd
echo "# 99 - startup order" >> /etc/init.d/snortd
echo "# 01 - stop order" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo ". /etc/rc.d/init.d/functions " >> /etc/init.d/snortd
echo "INTERFACE=eth0" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "case \"\$1\" in " >> /etc/init.d/snortd
echo "start)" >> /etc/init.d/snortd
echo " echo -n \"Starting Snort: \"" >> /etc/init.d/snortd
echo " daemon PCAP_FRAMES=max /usr/local/bin/snort -D -i \$INTERFACE -c /etc/snort/snort.conf" >> /etc/init.d/snortd
echo " echo" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "stop)" >> /etc/init.d/snortd
echo " echo -n \"Stopping Snort: \"" >> /etc/init.d/snortd
echo " killproc snort" >> /etc/init.d/snortd
echo " echo" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "" >> /etc/init.d/snortd
echo "restart)" >> /etc/init.d/snortd
echo " \$0 stop" >> /etc/init.d/snortd
echo " \$0 start" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "status)" >> /etc/init.d/snortd
echo " status snort" >> /etc/init.d/snortd
echo " ;;" >> /etc/init.d/snortd
echo "*)" >> /etc/init.d/snortd
# \$0 must stay escaped here so the usage line names the init script, not this installer
echo " echo \"Usage: \$0 {start|stop|restart|status}\"" >> /etc/init.d/snortd
echo " exit 1" >> /etc/init.d/snortd
echo " esac" >> /etc/init.d/snortd
echo " exit 0" >> /etc/init.d/snortd
chmod +x /etc/init.d/snortd
chkconfig --add snortd
chkconfig snortd on
service snortd start

echo "You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite "
echo ""
echo "or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite"
echo " wget http://www.cirt.net/nikto/nikto-current.tar.gz"
echo " tar zxvf nikto-current.tar.gz"
echo " cd nikto-*"
echo " chmod +x nikto.pl"
echo " ./nikto.pl -h xxx.xxx.xxx.xxx"
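The sed edits above point five *_PATH variables at absolute directories, and the two empty list files exist only because the reputation preprocessor in the snapshot's snort.conf references $WHITE_LIST_PATH/white_list.rules and $BLACK_LIST_PATH/black_list.rules. A quick way to see which files a snort.conf will actually try to open, before running snort -T, is to resolve those variables yourself. The following is an added example written for this page, not code from the post or from the Snort project; the directory names and the miniature snort.conf it builds in a temporary directory are constructed sample values.

```python
"""Pre-flight check for snort.conf: resolve $VAR paths and list the files
that 'snort -T' would fail to open.

Added example (not code from the post or the Snort project). demo() builds a
constructed mini snort.conf from the directives the installer touches:
'var *_PATH', 'include', and the reputation preprocessor's list files.
"""
import os
import re
import tempfile

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
# 'whitelist <file>' / 'blacklist <file>' inside the reputation preprocessor;
# the non-greedy group stops before a trailing comma.
LIST_RE = re.compile(r"\b(?:whitelist|blacklist)\s+(\S+?),?(?=\s|$)")
VAR_REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def parse_vars(conf_text):
    """Collect 'var NAME value' (also ipvar/portvar). Commented lines are not
    definitions, which is why the installer comments the old line out first."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def expand(path, variables):
    """Replace every $NAME in path. An undefined variable is itself an error
    snort -T would report, so raise instead of leaving it in place."""
    def lookup(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"undefined snort.conf variable ${name}")
        return variables[name]
    return VAR_REF_RE.sub(lookup, path)


def referenced_files(conf_text):
    """Every file snort.conf will try to open: include targets plus the
    reputation preprocessor's list files. Comment lines are ignored."""
    variables = parse_vars(conf_text)
    refs = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        inc = INCLUDE_RE.match(stripped)
        if inc:
            refs.append(expand(inc.group(1), variables))
            continue
        for m in LIST_RE.finditer(stripped):
            refs.append(expand(m.group(1), variables))
    return refs


def missing_files(conf_text, conf_dir):
    """Paths snort would fail to open. Relative includes (classification.config,
    reference.config) are resolved against the directory holding snort.conf."""
    missing = []
    for ref in referenced_files(conf_text):
        full = ref if os.path.isabs(ref) else os.path.join(conf_dir, ref)
        if not os.path.isfile(full):
            missing.append(full)
    return missing


def demo():
    """Build a throwaway /etc/snort look-alike (sample paths) with
    black_list.rules deliberately absent and return what missing_files() reports."""
    root = tempfile.mkdtemp(prefix="snort-conf-demo-")
    os.makedirs(os.path.join(root, "rules"))
    for name in ("rules/local.rules", "rules/white_list.rules", "classification.config"):
        open(os.path.join(root, name), "w").close()
    conf = f"""
# paths as rewritten by the installer (constructed sample values)
var RULE_PATH {root}/rules
var WHITE_LIST_PATH {root}/rules
var BLACK_LIST_PATH {root}/rules
include classification.config
# include $RULE_PATH/disabled.rules
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/local.rules
"""
    return missing_files(conf, root)


if __name__ == "__main__":
    for path in demo():
        print("missing:", path)
```

Run against a real /etc/snort/snort.conf by reading the file and calling missing_files(text, "/etc/snort"); an empty result is a good sign before snort -T, and a non-empty one usually names exactly the touch or sed step that was skipped.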
Testing
[root@localhost snort]# service snortd start
Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600)
Spawning daemon child...
My daemon child 24835 lives...
Daemon parent exiting (0) [ OK ]
[root@localhost snort]#
[root@localhost snort]# service snortd status
snort (pid 24823) is running...
[root@localhost snort]# ps aux | grep snort
root 24823 0.1 31.9 646192 323296 ? Ssl 14:10 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root 24852 0.0 0.0 103244 860 pts/1 S+ 14:10 0:00 grep snort
Note that the daemon is running as root: the init script starts it without -u snort -g snort, so the snort account created by the installer only owns the files.
Prepare the host to be attacked
[root@localhost ~]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]
Temporarily stop the firewall
[root@localhost ~]# service iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
[root@localhost ~]#
First look at the current snort logs; alert is 0 bytes
[root@localhost snort]# ls -al /var/log/snort
total 28
drwx------. 4 snort snort 4096 Feb 5 14:10 .
drwxr-xr-x. 14 root root 4096 Feb 5 14:08 ..
-rw-r--r--. 1 root root 0 Feb 5 14:10 alert
-rw-r--r--. 1 snort snort 18 Jul 18 2013 .bash_logout
-rw-r--r--. 1 snort snort 176 Jul 18 2013 .bash_profile
-rw-r--r--. 1 snort snort 124 Jul 18 2013 .bashrc
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Jan 28 19:46 .mozilla
-rw-------. 1 root root 0 Feb 5 14:10 snort.log.1391580608
[root@localhost snort]#
Use another host to attack (nikto apparently cannot scan the host it runs on, so a second machine is needed)
[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
192.168.128.101 is the host running Snort
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.128.101
+ Target Hostname: 192.168.128.101
+ Target Port: 80
+ Start Time: 2014-02-05 14:13:07 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 3147117, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2014-02-05 14:13:14 (GMT8) (7 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#
Back on the Snort host, the alert file has grown from 0 to 3158 bytes (and snort.log.1391580608 from 0 to 1512 bytes), so Snort is working
[root@localhost snort]# ls -al /var/log/snort
total 36
drwx------. 4 snort snort 4096 Feb 5 14:10 .
drwxr-xr-x. 14 root root 4096 Feb 5 14:08 ..
-rw-r--r--. 1 root root 3158 Feb 5 14:13 alert
-rw-r--r--. 1 snort snort 18 Jul 18 2013 .bash_logout
-rw-r--r--. 1 snort snort 176 Jul 18 2013 .bash_profile
-rw-r--r--. 1 snort snort 124 Jul 18 2013 .bashrc
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Jan 28 19:46 .mozilla
-rw-------. 1 root root 1512 Feb 5 14:13 snort.log.1391580608
[root@localhost snort]#
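Watching the alert file grow proves Snort is alive, but the next question is what it caught. The following added example, not code from the post or from the Snort project, parses the full-format alert records Snort writes by default to /var/log/snort/alert, counts them by signature, and flags remote peers that trip several unrelated rules in a short window, which is the footprint a Nikto run leaves. The records in SAMPLE_ALERTS, the signature IDs in them and the HOME_HOSTS set are constructed sample values, not data captured from the test above.

```python
"""Summarise Snort full-format alert records by signature and remote peer.

Added example for this post (not code from the post or the Snort project).
SAMPLE_ALERTS is constructed to match the record layout of Snort's default
alert output; its SIDs, addresses and timestamps are sample values.
"""
import re
from collections import Counter, defaultdict

# Constructed assumption: the monitored host from the post is our only
# "home" address; the other end of each flow is the remote peer.
HOME_HOSTS = {"192.168.128.101"}

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]\s*$")
CLASS_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]\s*$")
FLOW_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?\s*$"
)


def parse_alerts(text):
    """One dict per record; records are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue  # not a full-format alert header
        gid, sid, rev, msg = head.groups()
        rec = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
               "classification": None, "priority": None, "timestamp": None,
               "src": None, "sport": None, "dst": None, "dport": None, "proto": None}
        for line in lines[1:]:
            cm = CLASS_RE.match(line)
            if cm:
                rec["classification"], rec["priority"] = cm.group(1), int(cm.group(2))
                continue
            fm = FLOW_RE.match(line)
            if fm:
                rec["timestamp"], rec["src"], sport, rec["dst"], dport = fm.groups()
                rec["sport"] = int(sport) if sport else None  # ICMP has no ports
                rec["dport"] = int(dport) if dport else None
                continue
            # "TCP TTL:64 ..." names the protocol; a later "TCP Options ..."
            # line is ignored because proto is already set.
            if rec["proto"] is None and line.split(" ", 1)[0] in ("TCP", "UDP", "ICMP"):
                rec["proto"] = line.split(" ", 1)[0]
        alerts.append(rec)
    return alerts


def remote_peer(rec):
    """The non-home side of the flow. Rules that match server responses
    (directory listings, for instance) put the server in src, so src alone
    is not 'the attacker'."""
    return rec["dst"] if rec["src"] in HOME_HOSTS else rec["src"]


def count_by_signature(alerts):
    """Counter keyed by (gid, sid, msg): a quick 'what fired' view."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def find_scanners(alerts, min_distinct_sids=3):
    """Remote peers that tripped at least min_distinct_sids different rules:
    one host hitting many unrelated web signatures is a scanner's footprint."""
    sids_by_peer = defaultdict(set)
    for a in alerts:
        sids_by_peer[remote_peer(a)].add((a["gid"], a["sid"]))
    return sorted(p for p, s in sids_by_peer.items() if len(s) >= min_distinct_sids)


# Constructed sample records (not captured from the test in the post).
SAMPLE_ALERTS = """\
[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
02/05-14:13:08.101532 192.168.128.201:45122 -> 192.168.128.101:80
TCP TTL:64 TOS:0x0 ID:34567 IpLen:20 DgmLen:215 DF
TCP Options (3) => NOP NOP TS: 123456 654321 

[**] [1:1113:5] WEB-MISC http directory listing [**]
[Classification: Attempted Information Leak] [Priority: 2] 
02/05-14:13:09.417806 192.168.128.101:80 -> 192.168.128.201:45130
TCP TTL:64 TOS:0x0 ID:9012 IpLen:20 DgmLen:1500 DF

[**] [1:2056:5] WEB-MISC TRACE attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
02/05-14:13:10.002211 192.168.128.201:45141 -> 192.168.128.101:80
TCP TTL:64 TOS:0x0 ID:9100 IpLen:20 DgmLen:180 DF

[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
02/05-14:13:12.550000 192.168.128.201:45160 -> 192.168.128.101:80
TCP TTL:64 TOS:0x0 ID:9200 IpLen:20 DgmLen:215 DF

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3] 
02/05-14:15:01.000001 192.168.128.50 -> 192.168.128.101
ICMP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:84
"""

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), n in count_by_signature(alerts).most_common():
        print(f"{n:3d}  [{gid}:{sid}]  {msg}")
    print("likely scanners:", find_scanners(alerts))
```

On the real file, replace SAMPLE_ALERTS with open("/var/log/snort/alert").read(); the peer-side logic matters because several of the web rules fire on the server's reply rather than on the request, and a per-src count would otherwise make the Snort host itself look like an attacker.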
(End)
Related posts
[Research] snort-2.9.6.0.tar.gz (CentOS 6.5 x64) quick install script
http://shaurong.blogspot.com/2014/02/snort-2960targz-centos-65-x64.html
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64.html
[Research] snort-2.9.4.tar.gz (CentOS 6.3 x86) quick install script
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
[Research] Snort 2.9.0.5 installation (Fedora 15 x86)
http://shaurong.blogspot.tw/2011/07/snort-2905-fedora-15-x86.html
[Research] N-Stalker Web Application Security Scanner X Free Edition web vulnerability scanner usage
http://shaurong.blogspot.tw/2013/08/n-stalker-web-application-security.html
[Research] N-Stalker Free Edition 2012 web vulnerability scanner tutorial
http://shaurong.blogspot.tw/2011/07/n-stalker-free-edition-2012.html
[Research] Snort 2.9.0.5 installation (Fedora 15 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=20240
[Research] Snort 2.9.0.3 (tar.gz) installation (Fedora 14 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=19216
[Research] Snort 2.8.5.2.tar.gz + MySQL + BASE quick install script (CentOS 5.4)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=17658
[Research] Snort 2.8.5.2.tar.gz + MySQL + BASE quick install script (Fedora 12 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=17672
[Tutorial] [Research] Snort 2.8.1 quick install script, trimmed edition (Fedora 8)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=15042
Monday, April 20, 2015
[Research] snort-2.9.6.2.tar.gz (CentOS 6.5 x64) quick install script
2014-08-26
Official site
https://www.snort.org/
Go to
http://ftp.uninett.no/linux/epel/6/x86_64/
and check whether epel-release-6-8.noarch.rpm still exists or has been replaced by a newer version such as
epel-release-6-9.noarch.rpm
epel-release-6-10.noarch.rpm
...
If so, this line in the quick install script below may need to be changed:
rpm -Uvh http://ftp.uninett.no/linux/epel/6/x86_64/epel-release-6-8.noarch.rpm
References
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
http://manual.snort.org/
http://www.snort.org/docs
http://s3.amazonaws.com/snort-org/www/assets/202/snort2953_centos6x.pdf
Download page for snort-2.9.6.2.tar.gz and daq-2.0.2.tar.gz
http://www.snort.org/
Download page for libdnet-1.11.tar.gz
http://libdnet.sourceforge.net/
PS: I later found libdnet-1.12.tar.gz here; did the official site move?
https://code.google.com/p/libdnet/downloads/list
Download page for snortrules-snapshot-2962.tar.gz (free registration; click Sign In at the top right, then download after signing in)
http://www.snort.org/
Subscriber Release requires a paid subscription; skip it
Registered User Release: free registration, download after signing in
Download the following files manually and put them in /usr/local/src:
libdnet-1.12.tar.gz
daq-2.0.2.tar.gz
snort-2.9.6.2.tar.gz
snortrules-snapshot-2962.tar.gz
Starting with version 2.9.3, Snort no longer supports writing to MySQL directly; Barnyard2 can apparently fill that role. ADOdb and BASE are again not covered in this post; maybe another time.
Database output is dead. R.I.P.
Wednesday, July 18, 2012
http://blog.snort.org/2012/07/database-output-is-dead-rip.html
Barnyard 2 official site
http://www.securixlive.com/
ADOdb official site
http://adodb.sourceforge.net/
http://sourceforge.net/projects/adodb/files/adodb-php5-only/
(latest release 2014-04-30, file adodb-519-for-php5)
BASE official site (Basic Analysis and Security Engine)
http://base.secureideas.net/
http://sourceforge.net/projects/secureideas/files/BASE/
(latest release v1.4.5, 2010-03-05)
Quick install script (tested working). Switch to root with su root first, then run it.
看到下面訊息,表示快速安裝程式成功
測試
準備當被攻擊主機
防火牆暫時關閉
先看一下 snort 目前 log,其中 alert 為 0 byte
另外找一台主機來攻擊 ( nikto 好像無法對自己攻擊,所以必須另外找一台)
192.168.128.101 是安裝 snort 主機
192.168.128.201 是安裝 nikto 主機
回到原來安裝 snort 主機,可以看到 alert 檔案從 0 byte 變成不是 0 bytes,表示 snort 有正常運作
測試成功。
(完)
[研究] snort-2.9.6.2.tar.gz (CentOS 6.5 x64) 快速安裝程式
http://shaurong.blogspot.com/2014/08/snort-2962targz-centos-65-x64.html
2014-08-26
官方網站
https://www.snort.org/
連上
http://ftp.uninett.no/linux/epel/6/x86_64/
看看 epel-release-6-8.noarch.rpm 是否存在,或更新版本為
epel-release-6-9.noarch.rpm
epel-release-6-10.noarch.rpm
...
下方的快速安裝程式的這一行或許要修改
rpm -Uvh http://ftp.uninett.no/linux/epel/6/x86_64/epel-release-6-8.noarch.rpm
參考
http://shaurong.blogspot.tw/2012/12/snort-294targz-centos-63-x86.html
http://manual.snort.org/
http://www.snort.org/docs
http://s3.amazonaws.com/snort-org/www/assets/202/snort2953_centos6x.pdf
snort-2.9.6.1.tar.gz 和 daq-2.0.2.tar.gz 下載網址
http://www.snort.org/
libdnet-1.11.tar.gz 下載網址
http://libdnet.sourceforge.net/
PS:後來發現這裡有 libdnet-1.12.tar.gz,官方網站搬家?
https://code.google.com/p/libdnet/downloads/list
snortrules-snapshot-2962.tar.gz 下載網址 (免費註冊,右上角點 Sign In,登入後才能下載)
http://www.snort.org/
Subscriber Release 是花錢訂閱才能下載的,跳過不看
Registered User Release 免費註冊,登入後才能下載
請自己手動下載下面檔案,放到 /usr/local/src 目錄
libdnet-1.12.tar.gz
daq-2.0.2.tar.gz
snort-2.9.6.2.tar.gz
snortrules-snapshot-2962.tar.gz
snort在版本2.9.3開始不再支援MySQL,好像可以靠 Barnyard2解決,ADOdb 和 BASE 小弟在本篇也暫不討論,有機會再說。
Database output is dead. R.I.P.
Wednesday, July 18, 2012
http://blog.snort.org/2012/07/database-output-is-dead-rip.html
http://www.securixlive.com/
ADOdb 官方網站
http://adodb.sourceforge.net/
http://sourceforge.net/projects/adodb/files/adodb-php5-only/
(最後更新為 2014-04-30,檔案 adodb-519-for-php5 )
BASE 官方網站 (Basic Analysis and Security Engine)
http://base.secureideas.net/
http://sourceforge.net/projects/secureideas/files/BASE/
(最後更新為 v1.4.5 版 May 2010-03-05)
快速安裝程式內容(實際測試可用),請先用 su root 切換成 root 執行
#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.6.2_centos6.5x64.sh "
echo -e "snort-2.9.6.2.tar.gz Install Shell Script (CentOS 6.5 x64) "
echo -e "by Shau-Rong Lu 2014-08-26 "
echo -e "\033[0m"

# EPEL provides libdnet; the build tools, libpcap, pcre and zlib come from the base repos.
rpm -Uvh http://ftp.uninett.no/linux/epel/6/i386/epel-release-6-8.noarch.rpm
yum -y install gcc gcc-c++ flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump libdnet libdnet-devel

# daq, snort and the rules snapshot must already be in /usr/local/src (the rules
# snapshot needs a snort.org login to download). Compare the files against the
# checksums published on snort.org before running this script.
cd /usr/local/src

# if [ ! -s libdnet-1.12.tar.gz ]; then
#   echo "Can not find /usr/local/src/libdnet-1.12.tar.gz"
#   wget http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Flibdnet.sourceforge.net%2F&ts=1382718432&use_mirror=nchc
#   exit
# fi

# The closing ']' of a test must be a separate word: "tar.gz]" makes bash report
# "missing ]" and the check never runs. Exit non-zero so a caller notices the failure.
if [ ! -s daq-2.0.2.tar.gz ]; then
  echo "Can not find /usr/local/src/daq-2.0.2.tar.gz"
  exit 1
fi
if [ ! -s snort-2.9.6.2.tar.gz ]; then
  echo "Can not find /usr/local/src/snort-2.9.6.2.tar.gz"
  exit 1
fi
if [ ! -s snortrules-snapshot-2962.tar.gz ]; then
  echo "Can not find /usr/local/src/snortrules-snapshot-2962.tar.gz"
  exit 1
fi

# tar zxvf libdnet-1.11.tar.gz
tar zxvf daq-2.0.2.tar.gz
tar zxvf snort-2.9.6.2.tar.gz

# cd /usr/local/src/libdnet-1.11
# ./configure --with-pic
# make
# make install

# Build DAQ first; snort's configure looks for it.
cd /usr/local/src/daq-2.0.2
./configure
make
make install

cd /usr/local/src/snort-2.9.6.2
./configure --enable-sourcefire
make
make install

# cd /usr/local/lib
# ldconfig -v /usr/local/lib

# Unpack the rules snapshot (etc/, rules/, so_rules/, preproc_rules/) into /etc/snort.
mkdir -p /etc/snort
cd /usr/local/src
tar xzvf /usr/local/src/snortrules-snapshot-2962.tar.gz -C /etc/snort
# snort.conf's reputation preprocessor references these two lists, which the snapshot does not ship.
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

# Unprivileged account that owns the configuration and the log directory.
groupadd -g 40000 snort
useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort
cp /etc/snort/etc/* /etc/snort/.

# Point the *_PATH variables in snort.conf at /etc/snort: comment out the shipped
# relative path, append the absolute one after it, and show the result.
sed -i -e "s@var RULE_PATH@#var RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var RULE_PATH/avar RULE_PATH /etc/snort/rules" /etc/snort/snort.conf
grep "var RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var SO_RULE_PATH@#var SO_RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var SO_RULE_PATH/avar SO_RULE_PATH /etc/snort/so_rules" /etc/snort/snort.conf
grep "var SO_RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var PREPROC_RULE_PATH@#var PREPROC_RULE_PATH@" /etc/snort/snort.conf
sed -i -e "/var PREPROC_RULE_PATH/avar PREPROC_RULE_PATH /etc/snort/preproc_rules" /etc/snort/snort.conf
grep "var PREPROC_RULE_PATH" /etc/snort/snort.conf

sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
grep "var WHITE_LIST_PATH" /etc/snort/snort.conf

sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
grep "var BLACK_LIST_PATH" /etc/snort/snort.conf

mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

# Validate the configuration before installing Snort as a service.
snort -T -c /etc/snort/snort.conf
if [ "$?" != "0" ]; then
  echo "Snort Test Failed !"
  exit 1
fi

#cp /root/snort-2.9.6.2/rpm/snortd /etc/init.d/.
#chmod +x /etc/init.d/snortd
#cp /root/snort-2.9.6.2/rpm/snort.sysconfig /etc/sysconfig/snort
#ln -s /usr/local/bin/snort /usr/sbin/snort

# Minimal SysV init script, written with a quoted heredoc so $1 and $INTERFACE stay
# literal. Snort runs as root here; adding "-u snort -g snort" to the command line
# would make it drop to the snort account after initialization.
rm -f /etc/init.d/snortd
cat > /etc/init.d/snortd <<'EOF'
#!/bin/bash

# chkconfig: 345 99 01
# description: Snort startup script
# 345 - levels to configure
# 99 - startup order
# 01 - stop order

. /etc/rc.d/init.d/functions
INTERFACE=eth0

case "$1" in
start)
  echo -n "Starting Snort: "
  daemon PCAP_FRAMES=max /usr/local/bin/snort -D -i $INTERFACE -c /etc/snort/snort.conf
  echo
  ;;

stop)
  echo -n "Stopping Snort: "
  killproc snort
  echo
  ;;

restart)
  $0 stop
  $0 start
  ;;
status)
  status snort
  ;;
*)
  echo "Usage: $0 {start|stop|restart|status}"
  exit 1
esac
exit 0
EOF
chmod +x /etc/init.d/snortd
chkconfig --add snortd
chkconfig snortd on
service snortd start

echo "You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite "
echo ""
echo "or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite"
echo " wget http://www.cirt.net/nikto/nikto-current.tar.gz"
echo " tar zxvf nikto-current.tar.gz"
echo " cd nikto-*"
echo " chmod +x nikto.pl"
echo " ./nikto.pl -h xxx.xxx.xxx.xxx"
Seeing the following messages means the quick-install script succeeded:
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>

Snort successfully validated the configuration!
Snort exiting
Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600)
Spawning daemon child...
My daemon child 26660 lives...
Daemon parent exiting (0)
                                                           [  OK  ]
You can service httpd restart, then use N-Stalker Free Edition (http://nstalker.com/products/free/download-free-edition) on MS-Windows to attack WebSite

or Nikto (http://www.cirt.net/nikto2) on another Linux to attack WebSite
  wget http://www.cirt.net/nikto/nikto-current.tar.gz
  tar zxvf nikto-current.tar.gz
  cd nikto-*
  chmod +x nikto.pl
  ./nikto.pl -h xxx.xxx.xxx.xxx
[root@localhost ~]#
Test
[root@localhost ~]# service snortd start
Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600)
Spawning daemon child...
My daemon child 47656 lives...
Daemon parent exiting (0)
                                                           [  OK  ]
[root@localhost ~]# service snortd status
snort (pid 26660) is running...
[root@localhost ~]# ps aux | grep snort
root     26660  0.0 17.7 662132 339188 ?        Ssl  20:08   0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root     47669  0.0  0.0 103252    832 pts/1    S+   20:11   0:00 grep snort
[root@localhost ~]#
Prepare the host to act as the attack target (start the web server on the Snort host):
[root@localhost snort]# service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
                                                           [  OK  ]
[root@localhost snort]#
Temporarily stop the firewall so the scanner can reach httpd. Inbound packets reach Snort's libpcap capture before iptables filters them, so this step is about the web server being reachable, not about Snort seeing traffic. Turn the firewall back on after the test.
[root@localhost ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@localhost ~]#
First look at the current Snort log directory; the alert file is 0 bytes:
[root@localhost ~]# ls -al /var/log/snort
total 28
drwx------.  4 snort snort 4096 Aug 26 20:08 .
drwxr-xr-x. 14 root  root  4096 Aug 26 20:08 ..
-rw-r--r--.  1 root  root     0 Aug 26 20:08 alert
-rw-r--r--.  1 snort snort   18 Jul 18  2013 .bash_logout
-rw-r--r--.  1 snort snort  176 Jul 18  2013 .bash_profile
-rw-r--r--.  1 snort snort  124 Jul 18  2013 .bashrc
drwxr-xr-x.  2 snort snort 4096 Nov 12  2010 .gnome2
drwxr-xr-x.  4 snort snort 4096 Aug 18 02:47 .mozilla
-rw-------.  1 root  root     0 Aug 26 20:08 snort.log.1409054919
[root@localhost ~]#
Use another host for the attack. Running Nikto on the Snort host against its own address produces no alerts, because traffic to a local address goes over the loopback interface and Snort, listening on eth0, never sees it; so a second machine is needed.
192.168.128.101 is the host running Snort
192.168.128.201 is the host running Nikto
[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.201
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.201
+ Target Hostname:    192.168.128.201
+ Target Port:        80
+ Start Time:         2014-08-26 20:14:35 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 1714765, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2014-08-26 20:14:42 (GMT8) (7 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#
Back on the Snort host, the alert file has gone from 0 bytes to a non-zero size, so Snort is working. (The alert and snort.log.* files are owned by root because the daemon runs as root.)
[root@localhost ~]# ls -al /var/log/snort
total 40
drwx------.  4 snort snort 4096 Aug 26 20:08 .
drwxr-xr-x. 14 root  root  4096 Aug 26 20:08 ..
-rw-r--r--.  1 root  root  4338 Aug 26 20:14 alert
-rw-r--r--.  1 snort snort   18 Jul 18  2013 .bash_logout
-rw-r--r--.  1 snort snort  176 Jul 18  2013 .bash_profile
-rw-r--r--.  1 snort snort  124 Jul 18  2013 .bashrc
drwxr-xr-x.  2 snort snort 4096 Nov 12  2010 .gnome2
drwxr-xr-x.  4 snort snort 4096 Aug 18 02:47 .mozilla
-rw-------.  1 root  root  2876 Aug 26 20:14 snort.log.1409054919
[root@localhost ~]#
Test successful.
(End)
[Research] snort-2.9.6.2.tar.gz (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.com/2014/08/snort-2962targz-centos-65-x64.html
[Research] Snort 2.9.6.1 + Barnyard install (CentOS 6.5 x64)
2014-06-20
********************************************************************************
These posts are related (3 main steps):
[Research] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.tw/2014/06/snort-2961targz-centos-65-x64.html
[Research] Snort 2.9.6.1 + Barnyard 2.13 install (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-213-centos-65-x64.html
or
[Research] Snort 2.9.6.1 + Barnyard install (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-centos-65-x64.html
[Research] Snort 2.9.6.1 + Barnyard + BASE install (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64_20.html
or
[Research] Snort 2.9.6.1 + Barnyard + BASE install (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64.html
********************************************************************************
This post was adapted from, and tested against, the following one:
[Research] Snort 2.9.5.5 + Barnyard install (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/snort-2955-barnyard-centos-64-x64.html
First install Snort by following this post:
[Research] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) quick-install script
http://shaurong.blogspot.tw/2014/06/snort-2961targz-centos-65-x64.html
Start the installation.
Everything is done as root, to keep it simple.
su root
# Install MySQL so that Barnyard2 can write Snort events to it
# git is needed to fetch Barnyard2 below
# httpd and php are installed for testing
# php-mbstring and php-mcrypt are for phpMyAdmin, installed later for testing
yum -y install mysql mysql-devel git libtool mysql-server httpd php php-mysql php-mbstring php-mcrypt
# Download Barnyard2
cd /usr/local/src
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
# Configure Barnyard2
# on x86
./configure --with-mysql
# on x86_64
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
# If you want to script this, the following selects the right configure line
# (no exit after configure: make still has to run on both architectures)
if [ "$(uname -m)" = "x86_64" ]; then
    echo "x86_64"
    ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
else
    echo "x86"
    ./configure --with-mysql
fi
# Build and install Barnyard2
make && make install
# Set up the init script and sysconfig file
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir -p /var/log/snort/eth0/archive/
# /etc/init.d/barnyard2 expects snort at /usr/sbin/snort, but it was installed to /usr/local/bin/snort earlier, so add a symlink
ln -s /usr/local/bin/snort /usr/sbin/snort
vi /etc/init.d/barnyard2
# Find the BARNYARD_OPTS line
...
BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -L $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
In practice that line expands to the following, which does not fit this setup:
-D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard.waldo -l /var/log/snort/eth0 -a /var/log/snort/eth0/archive -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
So change it to:
BARNYARD_OPTS="-D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid"
Note that the uppercase -L becomes lowercase -l: barnyard2 has no -L option (the usage output below lists -l <ld>), so the upstream init script is wrong there.
The original values send -d and -l to /var/log/snort/eth0 and -a to /var/log/snort/eth0/archive, but the Snort install post above logs to /var/log/snort, so everything is pointed there.
# Option reference (running barnyard2 with no arguments prints it):
[root@localhost ~]# barnyard2
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.13 (Build 327)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
USAGE: barnyard2 [-options] <filter options>
Gernal Options:
-c <file> Use configuration file <file>
-C <file> Read the classification map from <file>
-D Run barnyard2 in background (daemon) mode
-e Display the second layer header info
-F Turn off fflush() calls after binary log writes
-g <gname> Run barnyard2 gid as <gname> group (or gid) after initialization
-G <file> Read the gen-msg map from <file>
-h <name> Define the hostname <name>. For logging purposes only
-i <if> Define the interface <if>. For logging purposes only
-I Add Interface name to alert output
-l <ld> Log to directory <ld>
-m <umask> Set umask = <umask>
-O Obfuscate the logged IP addresses
-q Quiet. Don't show banner and status report
-r <id> Include 'id' in barnyard2_intf<id>.pid file name
-R <file> Read the reference map from <file>
-S <file> Read the sid-msg map from <file>
-t <dir> Chroots process to <dir> after initialization
-T Test and report on the current barnyard2 configuration
-u <uname> Run barnyard2 uid as <uname> user (or uid) after initialization
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-y Include year in timestamp in the alert and log files
-? Show this information
Continual Processing Options:
-a <dir> Archive processed files to <dir>
-f <base> Use <base> as the base filename pattern
-d <dir> Spool files from <dir>
-n Only process new events
-w <file> Enable bookmarking using <file>
Batch Processing Mode Options:
-o Enable batch processing mode
Longname options and their corresponding single char version
--disable-alert-on-each-packet-in-stream Alert once per event
--event-cache-size <integer> Set Spooler MAX event cache size
--reference <file> Same as -R
--classification <file> Same as -C
--gen-msg <file> Same as -G
--sid-msg <file> Same as -S
--process-new-records-only Same as -n
--pid-path <dir> Specify the directory for the barnyard2 PID file
--help Same as -?
--version Same as -V
--create-pidfile Create PID file, even when not in Daemon mode
--nolock-pidfile Do not try to lock barnyard2 PID file
Uh, you need to tell me to do something...
ERROR: Fatal Error, Quitting..
Barnyard2 exiting
===============================================================================
Record Totals:
Records: 0
Events: 0 (0.000%)
Packets: 0 (0.000%)
Unknown: 0 (0.000%)
Suppressed: 0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 0
===============================================================================
# Reset barnyard2's runlevels to the init script's defaults
chkconfig barnyard2 reset
# Make the Barnyard2 and Snort configuration files agree (both use snort.log as the unified2 file)
# Edit /etc/sysconfig/barnyard2
[root@localhost ~]# vi /etc/sysconfig/barnyard2
Find LOG_FILE and set the output file name to snort.log
...
LOG_FILE="snort.log"
...
# Edit /etc/snort/snort.conf
[root@localhost ~]# vi /etc/snort/snort.conf
Find the output unified2 line
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
and add this line below it
output unified2: filename snort.log, limit 128
# Edit /etc/sysconfig/snort
[root@localhost ~]# cp /usr/local/src/snort-2.9.6.1/rpm/snort.sysconfig /etc/sysconfig/snort
[root@localhost ~]# vi /etc/sysconfig/snort
Find and change the following (comment out the two items)
...
LOGDIR=/var/log/snort/
...
#ALERTMODE=fast
...
#BINARY_LOG=1
...
****************************************
# Set up MySQL
[root@localhost ~]# service mysqld restart
# Set a password for the MySQL root account (type the password; press Enter to accept the default for every other question)
[root@localhost ~]# /usr/bin/mysql_secure_installation
...
Enter current password for root (enter for none):
Set root password? [Y/n]
New password: type the password you want (e.g. 1234; use a strong one on any real deployment)
Re-enter new password: type it again (e.g. 1234)
Password updated successfully!
Reloading privilege tables..
... Success!
# Create the snortdb database with user barnyard2 and password 123456; flush privileges makes it take effect immediately
(Do not confuse the MySQL root password 1234 with the snortdb password 123456. Both are placeholders; if you use other passwords, change them in every corresponding place.)
[root@localhost barnyard2]# mysql -u root -p
Enter password: type the root password you set (e.g. 1234)
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database snortdb;
Query OK, 1 row affected (0.00 sec)
mysql> grant all privileges on snortdb.* to barnyard2@localhost identified by '123456';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
[root@localhost barnyard2]#
# Configure barnyard2 to write to MySQL
[root@localhost ~]# vi /etc/snort/barnyard.conf
Search for output database
and add a new line (the password is stored in clear text here, so the file should be readable by root only):
output database: log, mysql, user=barnyard2 password=123456 dbname=snortdb host=localhost
Create the tables in snortdb that barnyard2 uses to store Snort results (password 123456):
[root@localhost barnyard2]# mysql snortdb -ubarnyard2 -p < /usr/local/src/barnyard2/schemas/create_mysql
Enter password:123456
[root@localhost barnyard2]#
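The steps above type the password 123456 in three places (the GRANT statement, the output database line, and the schema import) and leave it in a configuration file that make install created with its default, typically world-readable, permissions. The following is an added example, not part of the original post or of Barnyard2: it generates a random password once, renders the GRANT statement and the barnyard.conf directive from that single value so the two cannot drift apart, and restricts the file's permissions. The user name, database name and paths are the post's; the helper names (gen_password, render_grant_sql, render_output_line, write_db_output, conf_password, file_mode) are this example's own.

```bash
#!/bin/sh
# Added example (not from the original post): derive every place the barnyard2
# database credentials appear from one generated password, and protect the file.

# gen_password LEN -> random alphanumeric password of LEN characters from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
}

# render_grant_sql USER DB PASSWORD -> the SQL the post types into the mysql client.
render_grant_sql() {
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$2"
    printf "GRANT ALL PRIVILEGES ON %s.* TO %s@localhost IDENTIFIED BY '%s';\n" "$2" "$1" "$3"
    printf "FLUSH PRIVILEGES;\n"
}

# render_output_line USER DB PASSWORD -> the barnyard.conf "output database:" directive.
render_output_line() {
    printf "output database: log, mysql, user=%s password=%s dbname=%s host=localhost\n" "$1" "$3" "$2"
}

# write_db_output CONF USER DB PASSWORD
# Appends the directive to CONF (creating it if needed) and, because the password
# is stored in clear text, makes the file readable and writable by its owner only.
write_db_output() {
    conf=$1
    render_output_line "$2" "$3" "$4" >> "$conf"
    chmod 600 "$conf"
}

# conf_password CONF -> the password in the first output database line (for checks).
conf_password() {
    sed -n 's/^output database:.* password=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# file_mode FILE -> octal permission bits, e.g. 600 (GNU/busybox stat).
file_mode() {
    stat -c '%a' "$1"
}

# Usage on the Snort host (example only; mysql prompts for the passwords):
#   pw=$(gen_password 24)
#   render_grant_sql barnyard2 snortdb "$pw" | mysql -u root -p
#   write_db_output /etc/snort/barnyard.conf barnyard2 snortdb "$pw"
#   mysql snortdb -ubarnyard2 -p < /usr/local/src/barnyard2/schemas/create_mysql
```

Because /etc/snort/barnyard.conf is a symlink in this setup, chmod follows it and the permission change lands on /usr/local/etc/barnyard2.conf, which is the file that matters. Passing the password to mysql with -p and no value, as the post does, keeps it out of the process list.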
****************************************
Restart snort and barnyard2 (start snort first)
Restart snort (because snort.conf was changed)
[root@localhost barnyard2]# service snortd restart
Stopping Snort: [ OK ]
Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600)
Spawning daemon child...
My daemon child 52792 lives...
Daemon parent exiting (0)
[ OK ]
[root@localhost barnyard2]#
Even when it says OK, check:
[root@localhost barnyard2]# service snortd status
snort (pid 52794) is running...
[root@localhost barnyard2]# ps axu| grep snort
root 52792 0.1 17.5 659112 336120 ? Ssl 16:39 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root 52798 0.0 0.0 103252 836 pts/1 S+ 16:40 0:00 grep snort
[root@localhost barnyard2]#
If you see "snort dead but subsys locked", delete the lock file and test again
rm -fr /var/lock/subsys/snort
Start barnyard2 (this takes a moment)
[root@localhost barnyard2]# service barnyard2 restart
Shutting down Snort Output Processor (barnyard2): [FAILED]
Starting Snort Output Processor (barnyard2): [FAILED]
[root@localhost barnyard2]#
It FAILED; needs investigating ...
Compared with before:
barnyard2 is the same 2.1.13 (Build 327) and compiled fine, so why does it fail at run time?
MySQL went from 5.1.69 to 5.1.73 (unlikely to be the cause)
Test the configuration:
[root@localhost barnyard2]# barnyard2 -T -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
Running in Test mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard.conf"
+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+
ERROR: Unable to open Generator file "/etc/snort/gen-msg.map": No such file or directory
ERROR: [Barnyard2Init()], failed while processing [/etc/snort/gen-msg.map]
Fatal Error, Quitting..
Barnyard2 exiting
A file is missing; find where it is:
[root@localhost barnyard2]# find / -name gen-msg.map
/usr/local/src/snort-2.9.6.1/etc/gen-msg.map
Copy it over:
[root@localhost barnyard2]# cp /usr/local/src/snort-2.9.6.1/etc/gen-msg.map /etc/snort/.
Test again; it works now.
Problem solved.
Confirm:
[root@localhost barnyard2]# service barnyard2 status
barnyard2 (pid 28646) is running...
[root@localhost barnyard2]# ps aux | grep snort
root 28559 0.0 17.5 659228 336524 ? Ssl 11:02 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root 28646 8.1 4.7 142956 91388 ? Ss 11:08 0:21 barnyard2 -D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
root 28671 0.0 0.0 103248 872 pts/1 S+ 11:13 0:00 grep snort
[root@localhost barnyard2]#
****************************************
Test
Manually go to
http://www.phpmyadmin.net/home_page/downloads.php
and download phpMyAdmin-4.0.10-all-languages.zip to install; it makes checking the MySQL output easier later.
(phpMyAdmin 4.1.x and 4.2.x support only MySQL 5.5.0 or newer, not the 5.1.x that yum installs on CentOS 6.5, so only 4.0.x can be used.)
[root@localhost src]# cd /usr/local/src
[root@localhost src]# unzip phpMyAdmin-4.0.10-all-languages.zip -d /var/www/html
[root@localhost src]# mv /var/www/html/phpMyAdmin-4.0.10-all-languages /var/www/html/phpMyAdmin
Check the current output:
[root@localhost src]# ls -al /var/log/snort
total 40
drwx------. 5 snort snort 4096 Jun 20 11:08 .
drwxr-xr-x. 14 root root 4096 Jun 20 10:55 ..
-rw-r--r--. 1 root root 0 Jun 20 10:49 alert
-rw-------. 1 root root 2056 Jun 20 11:16 barnyard2.waldo
-rw-r--r--. 1 snort snort 18 Jul 18 2013 .bash_logout
-rw-r--r--. 1 snort snort 176 Jul 18 2013 .bash_profile
-rw-r--r--. 1 snort snort 124 Jul 18 2013 .bashrc
drwxr-xr-x. 3 root root 4096 Jun 20 10:56 eth0
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Jun 19 22:34 .mozilla
-rw-------. 1 root root 3572 Jun 20 11:16 snort.log.1403233325
[root@localhost src]#
(Figure below) In a browser, open
http://192.168.128.101/phpMyAdmin
(the IP is that of the mysql + phpMyAdmin host; log in with an account that can access the database, e.g. root / 1234 (whatever you set) or barnyard2 / 123456)
Select the snortdb database and note how many rows each table currently has.
From another host, run the attack (in this test, running nikto.pl on the Snort host itself detected nothing: traffic to the host's own address goes over the loopback interface, which Snort listening on eth0 does not see)
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
Back on the Snort host, check the result:
[root@localhost src]# ls -al /var/log/snort
total 44
drwx------. 5 snort snort 4096 Jun 20 11:08 .
drwxr-xr-x. 14 root root 4096 Jun 20 10:55 ..
-rw-r--r--. 1 root root 0 Jun 20 10:49 alert
-rw-------. 1 root root 2056 Jun 20 11:24 barnyard2.waldo
-rw-r--r--. 1 snort snort 18 Jul 18 2013 .bash_logout
-rw-r--r--. 1 snort snort 176 Jul 18 2013 .bash_profile
-rw-r--r--. 1 snort snort 124 Jul 18 2013 .bashrc
drwxr-xr-x. 3 root root 4096 Jun 20 10:56 eth0
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Jun 19 22:34 .mozilla
-rw-------. 1 root root 7144 Jun 20 11:24 snort.log.1403233325
[root@localhost src]#
There should be a barnyard2.waldo file. There may be more than one snort.log.xxxx file, since Snort creates a new one each time it restarts; only the newest one grows.
(Figure below) The row counts of all tables should have increased (wait a few seconds and press F5 to refresh; writing takes a moment)
When only Snort was installed, without Barnyard, the alert file grew after every attack; now it does not. This is expected: once an output plugin is configured in snort.conf (the output unified2 line added above), Snort stops writing its default full-format alert file, and alerts go only to the unified2 snort.log.* file that Barnyard2 reads and forwards to MySQL.
(To be continued... BASE and ADODB are still to come)
2014-06-20
********************************************************************************
這幾篇是相關的 ( 3 大步驟)
[研究] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) 快速安裝程式
http://shaurong.blogspot.tw/2014/06/snort-2961targz-centos-65-x64.html
[研究] Snort 2.9.6.1 + Barnyard 2.13 安裝 (CentOS 6.5 x64) 快速安裝程式
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-213-centos-65-x64.html
或
[研究] Snort 2.9.6.1 + Barnyard 安裝 (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-centos-65-x64.html
[研究] Snort 2.9.6.1 + Barnyard + BASE 安裝 (CentOS 6.5 x64) 快速安裝程式
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64_20.html
或
[研究] Snort 2.9.6.1 + Barnyard + BASE 安裝 (CentOS 6.5 x64)
http://shaurong.blogspot.tw/2014/06/snort-2961-barnyard-base-centos-65-x64.html
********************************************************************************
這篇是參考這篇來修改測試進行
[研究] Snort 2.9.5.5 + Barnyard 安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.tw/2013/10/snort-2955-barnyard-centos-64-x64.html
請先依照下面這篇安裝完成 Snort
[研究] snort-2.9.6.1.tar.gz (CentOS 6.5 x64) 快速安裝程式
http://shaurong.blogspot.tw/2014/06/snort-2961targz-centos-65-x64.html
開始安裝(請看黃底黑字)
全部用 root 操作省麻煩
su root
# 安裝 mysql 讓 barnyard 輸出 snort資訊到 mysql
# 安裝 git 是為了稍後安裝 Barnyard 使用
# 安裝 httpd、php 方便測試
# 安裝 php-mbstring、php-mcrypt 是稍後安裝 phpMyAdmin 方便測試
yum -y install mysql mysql-devel git libtool mysql-server httpd php php-mysql php-mbstring php-mcrypt
#下載 Barnyad
cd /usr/local/src
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
#設定 Barnyard
#在 x86 上
./configure --with-mysql
#在 x86_64 上
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
#如果要寫 shell script 可以參考下面
if [ "`uname -a | grep x86_64`" != "" ]; then
echo "x86_64"
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
else
echo "x86"
./configure --with-mysql
exit
fi
#安裝 Barnyard
make && make install
#設定啟動檔案
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir -p /var/log/snort/eth0/archive/
# 因為 /etc/init.d/barnyard2 中 snort 程式為 /usr/sbin/snort,但小弟之前安裝到 /usr/local/bin/snort,所以建個 link 讓它可以執行到
ln -s /usr/local/bin/snort /usr/sbin/snort
vi /etc/init.d/barnyard2
#找到OPTSS 這行
...
BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -L $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
這行實際上會變成下面,不符需求
-D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard.waldo -l /var/log/snort/eth0 -a /var/log/snort/eth0/archive -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
故改為
BARNYARD_OPTS="-D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid"
說明一下,大寫 -L 改為小寫 -l,因為根本無此參數,官方檔案寫錯了
原來設定 -d 和 -l 都輸出到 /var/log/snort/eth0, -a 輸出到 /var/log/snort/eth0/archive ,但小弟之前安裝 snort 的文章是輸出到 /var/log/snort
#相關參數說明
[root@localhost ~]# barnyard2
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.13 (Build 327)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
USAGE: barnyard2 [-options] <filter options>
Gernal Options:
-c <file> Use configuration file <file>
-C <file> Read the classification map from <file>
-D Run barnyard2 in background (daemon) mode
-e Display the second layer header info
-F Turn off fflush() calls after binary log writes
-g <gname> Run barnyard2 gid as <gname> group (or gid) after initialization
-G <file> Read the gen-msg map from <file>
-h <name> Define the hostname <name>. For logging purposes only
-i <if> Define the interface <if>. For logging purposes only
-I Add Interface name to alert output
-l <ld> Log to directory <ld>
-m <umask> Set umask = <umask>
-O Obfuscate the logged IP addresses
-q Quiet. Don't show banner and status report
-r <id> Include 'id' in barnyard2_intf<id>.pid file name
-R <file> Read the reference map from <file>
-S <file> Read the sid-msg map from <file>
-t <dir> Chroots process to <dir> after initialization
-T Test and report on the current barnyard2 configuration
-u <uname> Run barnyard2 uid as <uname> user (or uid) after initialization
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-y Include year in timestamp in the alert and log files
-? Show this information
Continual Processing Options:
-a <dir> Archive processed files to <dir>
-f <base> Use <base> as the base filename pattern
-d <dir> Spool files from <dir>
-n Only process new events
-w <file> Enable bookmarking using <file>
Batch Processing Mode Options:
-o Enable batch processing mode
Longname options and their corresponding single char version
--disable-alert-on-each-packet-in-stream Alert once per event
--event-cache-size <integer> Set Spooler MAX event cache size
--reference <file> Same as -R
--classification <file> Same as -C
--gen-msg <file> Same as -G
--sid-msg <file> Same as -S
--process-new-records-only Same as -n
--pid-path <dir> Specify the directory for the barnyard2 PID file
--help Same as -?
--version Same as -V
--create-pidfile Create PID file, even when not in Daemon mode
--nolock-pidfile Do not try to lock barnyard2 PID file
Uh, you need to tell me to do something...
ERROR: Fatal Error, Quitting..
Barnyard2 exiting
===============================================================================
Record Totals:
Records: 0
Events: 0 (0.000%)
Packets: 0 (0.000%)
Unknown: 0 (0.000%)
Suppressed: 0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 0
===============================================================================
# 重設 barnyard2
chkconfig barnyard2 reset
# 修正 barnyard 和 snort 設定檔案,使其匹配 (都使用 snort.log 當輸出)
# 修改 /etc/sysconfig/barnyard2
[root@localhost ~]# vi /etc/sysconfig/barnyard2
找到 LOG_FILE,修改輸出檔案為 snort.log
...
LOG_FILE="snort.log"
...
# 修改 /etc/snort/snort.conf
[root@localhost ~]# vi /etc/snort/snort.conf
找到 output unified2 這行
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
底下增加一行
output unified2: filename snort.log, limit 128
# 修改 /etc/sysconfig/snort
[root@localhost ~]# cp /usr/local/src/snort-2.9.6.1/rpm/snort.sysconfig /etc/sysconfig/snort
[root@localhost ~]# vi /etc/sysconfig/snort
找到並修改如下 (註解掉兩項)
...
LOGDIR=/var/log/snort/
...
#ALERTMODE=fast
...
#BINARY_LOG=1
...
****************************************
# 處理 mysql
[root@localhost ~]# service mysqld restart
# 替 MySQL 的 root 帳號設定密碼 (除了輸入密碼,其他全部按下 Enter 回答)
[root@localhost ~]# /usr/bin/mysql_secure_installation
...
Enter current password for root (enter for none):
Set root password? [Y/n]
New password: 輸入你自己想要設定的密碼(例如 1234)
Re-enter new password: 再輸入一次密碼(例如 1234)
Password updated successfully!
Reloading privilege tables..
... Success!
# 建立 snortdb 資料庫,存取帳號 barnyard2,密碼 123456,執行 flush privileges; 立刻生效
(不要把 MySQL root 密碼 1234 和 snortdb 密碼 123456 搞混,你可以換成別的密碼,相對應的地方密碼請換掉)
[root@localhost barnyard2]# mysql -u root -p
Enter password: 輸入你自己設定的密碼(例如 1234)
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database snortdb;
Query OK, 1 row affected (0.00 sec)
mysql> grant all privileges on snortdb.* to barnyard2@localhost identified by '123456';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
[root@localhost barnyard2]#
#設定 barnyard2 輸出到 mysql
[root@localhost ~]# vi /etc/snort/barnyard.conf
尋找 output database
新建立一行
output database: log, mysql, user=barnyard2 password=123456 dbname=snortdb host=localhost
在 snortdb 資料庫中建立 barnyard 放 snort 結果資料的 table (密碼 123456)
[root@localhost barnyard2]# mysql snortdb -ubarnyard2 -p < /usr/local/src/barnyard2/schemas/create_mysql
Enter password:123456
[root@localhost barnyard2]#
****************************************
重新啟動 snort 和 barnyard2 (建議 snort 先啟動)
重新啟動 snort (因為 snort.conf 修改過)
[root@localhost barnyard2]# service snortd restart
Stopping Snort: [ OK ]
Starting Snort: PCAP_FRAMES -> 32768 * 4096 / 2 = 67108864 (1600)
Spawning daemon child...
My daemon child 52792 lives...
Daemon parent exiting (0)
[ OK ]
[root@localhost barnyard2]#
就算顯示 OK,也建議檢查
[root@localhost barnyard2]# service snortd status
snort (pid 52794) is running...
[root@localhost barnyard2]# ps axu| grep snort
root 52792 0.1 17.5 659112 336120 ? Ssl 16:39 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root 52798 0.0 0.0 103252 836 pts/1 S+ 16:40 0:00 grep snort
[root@localhost barnyard2]#
如果出現 snort dead but subsys locked,刪除鎖定檔案重新再測試
rm -fr /var/lock/subsys/snort
啟動 barnyard2 (會有點慢)
[root@localhost barnyard2]# service barnyard2 restart
Shutting down Snort Output Processor (barnyard2): [FAILED]
Starting Snort Output Processor (barnyard2): [FAILED]
[root@localhost barnyard2]#
居然 FAILED,待研究 ...
和以前相比
barnyard2 同樣是 2.1.13 (Build 327) 版,編譯沒問題,執行為何出問題 ???
MySQL 從 5.1.69 變成 5.1.73 版 (理論上出問題機率低)
測試一下設定
[root@localhost barnyard2]# barnyard2 -T -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
Running in Test mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard.conf"
+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+
ERROR: Unable to open Generator file "/etc/snort/gen-msg.map": No such file or directory
ERROR: [Barnyard2Init()], failed while processing [/etc/snort/gen-msg.map]
Fatal Error, Quitting..
Barnyard2 exiting
A file is missing; find out where it is
[root@localhost barnyard2]# find / -name gen-msg.map
/usr/local/src/snort-2.9.6.1/etc/gen-msg.map
Copy it over
[root@localhost barnyard2]# cp /usr/local/src/snort-2.9.6.1/etc/gen-msg.map /etc/snort/.
Test again; now it works
[root@localhost barnyard2]# barnyard2 -T -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
Running in Test mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard.conf"
+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+
Barnyard2 spooler: Event cache size set to [2048]
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[ClassificationPullDataStore()]: No Classification found in database ...
[SignaturePullDataStore()]: No signature found in database ...
[SystemPullDataStore()]: No System found in database ...
[ReferencePullDataStore()]: No Reference found in database ...
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = barnyard2
database: database name = snortdb
database: sensor name = localhost.localdomain:NULL
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility
--== Initialization Complete ==--
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.13 (Build 327)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snortdb"
[root@localhost barnyard2]#
[root@localhost barnyard2]# service barnyard2 restart
Shutting down Snort Output Processor (barnyard2): [ OK ]
Starting Snort Output Processor (barnyard2): [ OK ]
[root@localhost barnyard2]#
Problem solved ~
Confirm it
[root@localhost barnyard2]# service barnyard2 status
barnyard2 (pid 28646) is running...
[root@localhost barnyard2]# ps aux | grep snort
root 28559 0.0 17.5 659228 336524 ? Ssl 11:02 0:00 /usr/local/bin/snort -D -i eth0 -c /etc/snort/snort.conf
root 28646 8.1 4.7 142956 91388 ? Ss 11:08 0:21 barnyard2 -D -c /etc/snort/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid
root 28671 0.0 0.0 103248 872 pts/1 S+ 11:13 0:00 grep snort
[root@localhost barnyard2]#
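The two failures worked through above (a stale snort lock file, and a map file missing from /etc/snort that makes barnyard2 -T abort) can be checked before restarting the services. The script below is an added example, not part of the original post; it assumes the list of map files a standard barnyard.conf references (only gen-msg.map appears above) and takes the snort pid file path as an argument rather than assuming one.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the two
# failures worked through above. MAPS is assumed from what a standard
# barnyard.conf references; only gen-msg.map is shown on the page.
MAPS="gen-msg.map sid-msg.map classification.config reference.config"

# check_map_files CONFDIR SRCDIR: report each map file missing from CONFDIR
# and whether the snort source tree SRCDIR has a copy; returns 1 if any is missing.
check_map_files() {
    confdir=$1; srcdir=$2; missing=0
    for f in $MAPS; do
        if [ ! -f "$confdir/$f" ]; then
            missing=1
            if [ -f "$srcdir/$f" ]; then hint="copy available in $srcdir"
            else hint="no copy in $srcdir either"; fi
            echo "missing: $confdir/$f ($hint)"
        fi
    done
    return $missing
}

# restore_map_files CONFDIR SRCDIR: copy each missing map file that SRCDIR
# provides into CONFDIR (the fix applied by hand above for gen-msg.map).
restore_map_files() {
    confdir=$1; srcdir=$2
    for f in $MAPS; do
        if [ ! -f "$confdir/$f" ] && [ -f "$srcdir/$f" ]; then
            cp "$srcdir/$f" "$confdir/$f" && echo "copied $f to $confdir"
        fi
    done
}
# stale_lock LOCKFILE PIDFILE: returns 0 when LOCKFILE exists but no live
# process matches PIDFILE, the "snort dead but subsys locked" state that
# the post clears with rm on the lock file.
stale_lock() {
    lockfile=$1; pidfile=$2
    [ -e "$lockfile" ] || return 1
    [ -r "$pidfile" ] || return 0
    pid=$(head -n1 "$pidfile" | tr -dc '0-9')
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && return 1
    return 0
}

# Usage: sh check_snort_env.sh /etc/snort /usr/local/src/snort-2.9.6.1/etc [SNORT_PIDFILE]
if [ $# -ge 2 ]; then
    check_map_files "$1" "$2" || echo "fix: restore_map_files $1 $2"
    if [ $# -ge 3 ] && stale_lock /var/lock/subsys/snort "$3"; then
        echo "stale lock: rm -f /var/lock/subsys/snort"
    fi
fi
```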
****************************************
Testing
Manually download phpMyAdmin-4.0.10-all-languages.zip from
http://www.phpmyadmin.net/home_page/downloads.php
and install it, to make it easy to check later whether output is reaching mysql
(phpMyAdmin 4.1.x and 4.2.x only support MySQL 5.5.0 or newer, not the 5.1.x that yum installs on CentOS 6.5, so only the 4.0.x series can be used)
[root@localhost src]# cd /usr/local/src
[root@localhost src]# unzip phpMyAdmin-4.0.10-all-languages.zip -d /var/www/html
[root@localhost src]# mv /var/www/html/phpMyAdmin-4.0.10-all-languages /var/www/html/phpMyAdmin
Check the current output
[root@localhost src]# ls -al /var/log/snort
total 40
drwx------. 5 snort snort 4096 Jun 20 11:08 .
drwxr-xr-x. 14 root root 4096 Jun 20 10:55 ..
-rw-r--r--. 1 root root 0 Jun 20 10:49 alert
-rw-------. 1 root root 2056 Jun 20 11:16 barnyard2.waldo
-rw-r--r--. 1 snort snort 18 Jul 18 2013 .bash_logout
-rw-r--r--. 1 snort snort 176 Jul 18 2013 .bash_profile
-rw-r--r--. 1 snort snort 124 Jul 18 2013 .bashrc
drwxr-xr-x. 3 root root 4096 Jun 20 10:56 eth0
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Jun 19 22:34 .mozilla
-rw-------. 1 root root 3572 Jun 20 11:16 snort.log.1403233325
[root@localhost src]#
(Figure below) Open the following URL in a browser
http://192.168.128.101/phpMyAdmin
(the IP is that of the mysql + phpMyAdmin host; the account and password are ones that can access the mysql database, e.g. root and 1234 (ask yourself) or barnyard2 and 123456)
Click the snortdb database and note how many rows each table currently has
From another host, run the attack (in testing, when nikto.pl and snort were on the same host, no attack effect was observed)
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
Go back to the snort machine and check the result
[root@localhost src]# ls -al /var/log/snort
total 44
drwx------. 5 snort snort 4096 Jun 20 11:08 .
drwxr-xr-x. 14 root root 4096 Jun 20 10:55 ..
-rw-r--r--. 1 root root 0 Jun 20 10:49 alert
-rw-------. 1 root root 2056 Jun 20 11:24 barnyard2.waldo
-rw-r--r--. 1 snort snort 18 Jul 18 2013 .bash_logout
-rw-r--r--. 1 snort snort 176 Jul 18 2013 .bash_profile
-rw-r--r--. 1 snort snort 124 Jul 18 2013 .bashrc
drwxr-xr-x. 3 root root 4096 Jun 20 10:56 eth0
drwxr-xr-x. 2 snort snort 4096 Nov 12 2010 .gnome2
drwxr-xr-x. 4 snort snort 4096 Jun 19 22:34 .mozilla
-rw-------. 1 root root 7144 Jun 20 11:24 snort.log.1403233325
[root@localhost src]#
There should be a barnyard2.waldo file; there may be more than one snort.log.xxxx, since a new one is created every time snort restarts, and only the newest one grows in size
(Figure below) The row count of every table should have increased (wait a few seconds and press F5 to refresh; writing takes a moment)
When only snort was installed, without barnyard, the alert file grew after every attack, but now it no longer grows; to be investigated....
(To be continued.... BASE and ADODB are still to come)