  • ubuntu1804 snort base

    1.环境准备

    apt安装

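    sudo apt-get update -y
    # Full upgrade of the box. Unattended (-y) is fine on a throwaway lab VM; on a
    # shared host review what it pulls in (kernel, libc) and plan the reboot.
    sudo apt-get dist-upgrade -y
    sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
    sudo apt-get install -y build-essential bison flex

    # DAQ / Snort build dependencies.
    sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev libnghttp2-dev
    # MySQL server + client headers (Barnyard2 output plugin, BASE backend) and
    # the autotools Barnyard2's autoreconf step needs.
    sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
    # Perl HTTP/SSL modules PulledPork uses to fetch rule tarballs.
    sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl libwww-perl

    # BASE 1.4.5 targets PHP 5 (this page installs PHP 5.6 and a "php5-only" adodb),
    # which Ubuntu 18.04 no longer ships, so it comes from a third-party PPA. Be
    # aware of two things: you are trusting ppa:ondrej/php for your PHP packages
    # (supply chain), and PHP 5.6 receives no upstream security fixes any more, so
    # the BASE host must not be reachable beyond an admin network.
    sudo add-apt-repository -y ppa:ondrej/php
    sudo apt-get update -y
    sudo apt-get install -y apache2 libapache2-mod-php5.6 php5.6 php5.6-common php5.6-gd php5.6-cli php5.6-xml php5.6-mysql
    sudo apt-get install -y php-pear libphp-adodb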

    wget从网站下载压缩包

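    # Exact releases the rest of this page expects. snort.org publishes a checksum
    # for each archive on its downloads page: compare it (md5sum / sha256sum)
    # before extracting anything. 2.9.9.0 is an old release; check the downloads
    # page for the current 2.9.x if you are not reproducing this page verbatim.
    wget https://www.snort.org/downloads/archive/snort/daq-2.0.6.tar.gz
    wget https://www.snort.org/downloads/archive/snort/snort-2.9.9.0.tar.gz
    # GitHub tag archives unpack to <repo>-<tag without the leading "v">, i.e.
    # barnyard2-2-1.13/ and pulledpork-0.7.3/ - keep that in mind for the cd steps.
    wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
    wget https://github.com/shirkdog/pulledpork/archive/v0.7.3.tar.gz -O pulledpork-v0.7.3.tar.gz
    # Not used later on this page: base_conf.php points at the libphp-adodb package
    # (/usr/share/php/adodb/) instead of this tarball.
    wget https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.8.tar.gz
    # Fetched over HTTPS (the original used plain http for this one download).
    wget https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz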

    2.开始安装

    (1)安装daq

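    tar -xvzf daq-2.0.6.tar.gz
    cd daq-2.0.6
    ./configure
    # Build as your own user; only the install into /usr/local needs root. Running
    # make under sudo also leaves root-owned build artefacts in your source tree.
    make
    sudo make install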

    (2)安装snort

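    # The tarball downloaded above is snort-2.9.9.0.tar.gz and unpacks to
    # snort-2.9.9.0/ (the original page dropped the trailing ".0", so these
    # commands would have failed).
    tar -xvzf snort-2.9.9.0.tar.gz
    cd snort-2.9.9.0
    ./configure --enable-sourcefire
    # Build unprivileged; only the install step needs root.
    make
    sudo make install
    # Refresh the dynamic-linker cache so the shared libraries just installed
    # under /usr/local/lib (libdaq and snort's own) are found at run time.
    sudo ldconfig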

    测试

    # Prints the Snort version banner: confirms the binary is on PATH and that
    # its shared libraries resolve.
    snort -V

    创建用户环境

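    # Create an unprivileged service account; snort and barnyard2 drop to it
    # with -u snort -g snort. Ubuntu ships nologin under /usr/sbin (there is no
    # /sbin/nologin on 18.04).
    sudo groupadd snort
    sudo useradd snort -r -s /usr/sbin/nologin -c SNORT_IDS -g snort

    # Directory layout, owned by the service account with mode 750. The original
    # page used "chmod -R 5775", i.e. setuid+setgid plus world read/execute on
    # every file: that makes the rules, the alert logs and - once they are added
    # later - the MySQL password in barnyard2.conf and the oinkcode in
    # pulledpork.conf readable by every local user. 750 lets only snort (and
    # root, which runs pulledpork and the -T checks) into these trees.
    # install -d is idempotent: it creates the directory, or just fixes
    # owner/mode if it already exists. Parents are listed before children.
    for d in /etc/snort \
             /etc/snort/rules \
             /etc/snort/rules/iplists \
             /etc/snort/preproc_rules \
             /etc/snort/so_rules \
             /usr/local/lib/snort_dynamicrules \
             /var/log/snort \
             /var/log/snort/archived_logs; do
      sudo install -d -m 750 -o snort -g snort "$d"
    done

    # Empty starter files for the IP lists, local rules and the sid-msg map.
    # Guarded so re-running this section never truncates an edited local.rules.
    for f in /etc/snort/rules/iplists/black_list.rules \
             /etc/snort/rules/iplists/white_list.rules \
             /etc/snort/rules/local.rules \
             /etc/snort/sid-msg.map; do
      [ -e "$f" ] || sudo install -m 640 -o snort -g snort /dev/null "$f"
    done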

    复制配置文件

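    # Stock configuration files from the source tree. The directory is
    # snort-2.9.9.0 (matching the tarball downloaded above; the original page
    # said snort-2.9.9, which does not exist). "cd ... &&" makes sure the copy
    # only runs inside the right directory.
    cd ~/snort-2.9.9.0/etc/ && sudo cp -- *.conf* *.map *.dtd /etc/snort
    # Copy the built dynamic preprocessors. "make install" normally installs
    # these already; this extra copy from the build tree is harmless if so.
    cd ~/snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/ \
      && sudo cp -- * /usr/local/lib/snort_dynamicpreprocessor/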

    注释掉snort.conf中引用的规则文件,换为PulledPork

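    # Disable every active "include $RULE_PATH/..." line; PulledPork will supply
    # one merged snort.rules instead. The quoting matters: in the original
    # double-quoted command the shell expanded $RULE (normally unset) to an
    # empty string, so sed was handed the pattern "include \_PATH", matched
    # nothing, and the includes stayed active. Single quotes keep the "$" for
    # sed (\$ = literal dollar in the pattern), and the ^ anchor leaves lines
    # that are already commented out untouched.
    sudo sed -i 's/^include \$RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
    # Verify: this should print nothing.
    grep -n '^include \$RULE_PATH' /etc/snort/snort.conf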

    修改snort.conf的配置

    sudo vi /etc/snort/snort.conf
    # Line 45: set HOME_NET to the internal network this sensor protects. It is
    # written here as a host address with a /24 mask; the conventional form is
    # the network address (192.168.89.0/24). Adjust to your own network.
    ipvar HOME_NET 192.168.89.138/24
    # Around line 104: point the rule/list paths at the directories created above.
    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    var WHITE_LIST_PATH /etc/snort/rules/iplists
    var BLACK_LIST_PATH /etc/snort/rules/iplists
    # Around line 521: add a unified2 output so Barnyard2 can consume the events.
    # The stock snort.conf shows this commented example:
    # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
    # The filename prefix must match Barnyard2's -f argument (snort.u2); limit is
    # the per-file size in MB before Snort rolls over to a new file.
    output unified2: filename snort.u2, limit 128
    # Around line 546: uncomment so the local rules file is loaded.
    include $RULE_PATH/local.rules

    添加本地规则

    sudo vi /etc/snort/rules/local.rules
    # Deliberately noisy test rule: alert on any ICMP packet towards HOME_NET.
    # SIDs of 1,000,000 and above are reserved for local rules, so it cannot
    # collide with the official rule sets PulledPork will pull in later.
    alert icmp any any -> $HOME_NET any (msg:"ICMP Test detected!!!"; classtype:icmp-event; sid:10000001; rev:001; GID:1; )
    sudo vi /etc/snort/sid-msg.map
    # Version-2 sid-msg.map entry (gid || sid || rev || classtype || priority || msg || ref)
    # so Barnyard2 can label events from the rule above. The msg here lacks the
    # "!!!" of the rule text; PulledPork rewrites this file from the rules later
    # (sid_msg in pulledpork.conf), so the mismatch is only cosmetic.
    1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792

    测试配置文件

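    # Validate the configuration (-T parses everything and exits, no capture).
    # Use the interface this page actually monitors (ens32, as in every other
    # command here); the original said eth1, which typically does not exist on
    # an 18.04 VM with predictable interface names.
    sudo snort -T -c /etc/snort/snort.conf -i ens32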

    测试功能：此时从另一台主机 ping 网口 ens32 的 IP，snort 会在控制台打印 local.rules 中 ICMP 测试规则的告警，并以 unified2 格式写入 /var/log/snort，文件名为 snort.u2.<时间戳>（前缀与 snort.conf 中 output unified2 的 filename 一致，后面 Barnyard2 也以 -f snort.u2 读取它）。

    # Foreground test run: alerts printed to the console (-A console), banner
    # suppressed (-q), privileges dropped to snort:snort after initialisation
    # (-u/-g). Ctrl-C stops it.
    sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens32

    3.安装Barnyard2

    解压编译

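    tar zxvf barnyard2-2-1.13.tar.gz
    cd barnyard2-2-1.13
    autoreconf -fvi -I ./
    # Point configure at this machine's MySQL client libraries via its multiarch
    # triplet (x86_64-linux-gnu, i386-linux-gnu, ...) instead of hand-picking one
    # of two lines. dpkg-architecture comes with build-essential (dpkg-dev).
    ./configure --with-mysql \
      --with-mysql-libraries="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
    # Build as your own user; only the install step needs root.
    make
    sudo make install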

    测试

    # Prints the Barnyard2 version banner; confirms the binary is installed and
    # links against the MySQL client library it was configured with.
    barnyard2 -V

    配置文件

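    sudo cp ~/barnyard2-2-1.13/etc/barnyard2.conf /etc/snort/
    # barnyard2.conf will receive the MySQL password (the "output database:" line
    # added below), so it must not stay at the 644 root:root that cp produced.
    # Give it to the service account, group-readable at most. The "snort:snort"
    # form replaces the deprecated "snort.snort" spelling.
    sudo chown snort:snort /etc/snort/barnyard2.conf
    sudo chmod 640 /etc/snort/barnyard2.conf
    # the /var/log/barnyard2 folder is never used or referenced
    # but barnyard2 will error without it existing
    sudo mkdir -p /var/log/barnyard2
    sudo chown snort:snort /var/log/barnyard2
    # Bookmark ("waldo") file for continuous mode (-w); the snort user must be
    # able to write it.
    sudo touch /var/log/snort/barnyard2.waldo
    sudo chown snort:snort /var/log/snort/barnyard2.waldo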

    配置数据库

    # On Ubuntu 18.04 the MySQL root account typically authenticates via
    # auth_socket, so if "mysql -u root -p" is refused, run "sudo mysql" instead.
    ubuntu@ubuntu:~$ mysql -u root -p
    mysql> create database snort;
    mysql> use snort;
    # Load Barnyard2's table schema from the source tree extracted above.
    mysql> source ~/barnyard2-2-1.13/schemas/create_mysql;
    # '123456' is a placeholder, not a password. Generate a long random secret
    # (e.g. openssl rand -base64 24) and use the same value in barnyard2.conf and
    # base_conf.php further down this page.
    mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
    # Least privilege for the application account: row access only, no DROP,
    # ALTER or GRANT. CREATE is kept, presumably because BASE's "Create BASE AG"
    # step at the end builds its own tables.
    mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
    mysql> exit;

    添加数据库位置

    sudo vi /etc/snort/barnyard2.conf
    # Append the database output at the end of the file. The password must be the
    # one given in the CREATE USER statement above (123456 is only a placeholder).
    # From this point barnyard2.conf is a credential file: keep it readable by
    # the snort user only, never world-readable.
    output database: log, mysql, user=snort password=123456 dbname=snort host=localhost sensor name=sensor01

    测试,开启snort,并向ens32发送ping数据包

    sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens32
    # Start Barnyard2 to push the unified2 events into the database.
    # 1. Continuous mode: follow the snort.u2.* files in /var/log/snort, using
    #    barnyard2.waldo as the bookmark of what has already been processed.
    sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
    # 2. Batch mode: process one unified2 file (replace xxx with its timestamp suffix).
    sudo barnyard2 -c /etc/snort/barnyard2.conf -o /var/log/snort/snort.u2.xxx
    # Check that the event count grows (prompts for the snort DB user's password).
    mysql -u snort -p -D snort -e "select count(*) from event"

    4.安装PulledPork

    解压安装

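    tar xzvf pulledpork-v0.7.3.tar.gz
    # GitHub strips the leading "v" of the tag from the archive's top-level
    # directory, so the tarball unpacks to pulledpork-0.7.3/ (the original page's
    # "pulledpork-v0.7.3/" does not exist and the cd would have failed).
    cd pulledpork-0.7.3/
    sudo cp pulledpork.pl /usr/local/bin
    sudo chmod +x /usr/local/bin/pulledpork.pl
    sudo cp etc/*.conf /etc/snort
    # pulledpork.conf is about to receive your oinkcode (an API credential), and
    # PulledPork is run as root below, so keep the file root-only rather than
    # the 644 that cp left behind.
    sudo chmod 600 /etc/snort/pulledpork.conf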

    测试

    # Version check; the second line is the expected output for this release.
    ubuntu@ubuntu:~$ pulledpork.pl -V
    PulledPork v0.7.3 - Making signature updates great again!

    配置文件更改

    sudo vi /etc/snort/pulledpork.conf
    # Line 19: put the oinkcode generated from your snort.org account into the
    #   rule_url entry, or comment the line out if you have none. The oinkcode
    #   is an API credential - treat this file like a password file.
    # Line 29: uncomment to also download the Emerging Threats (open) rule set.
    # Line 74: change to (the single merged rule file PulledPork writes):
    rule_path = /etc/snort/rules/snort.rules
    # Line 89: change to:
    local_rules = /etc/snort/rules/local.rules
    # Line 92: change to:
    sid_msg = /etc/snort/sid-msg.map
    # Line 96: change to (same format as the sid-msg.map entry written above):
    sid_msg_version = 2
    # Line 119: change to:
    config_path = /etc/snort/snort.conf
    # Line 133: change to. This tag selects the prebuilt shared-object rules
    #   PulledPork fetches; the page uses the Ubuntu-12-04 tag even on 18.04 -
    #   check the list in pulledpork.conf in case a closer match exists.
    distro = Ubuntu-12-04
    # Line 141: change to:
    black_list = /etc/snort/rules/iplists/black_list.rules
    # Line 150: change to:
    IPRVersion = /etc/snort/rules/iplists
    sudo vi /etc/snort/snort.conf
    # Around line 548: add the PulledPork-generated rule file.
    include $RULE_PATH/snort.rules

    更新测试规则

    # First rule download and merge (-l: log to syslog as well). PulledPork runs
    # as root and fetches rule tarballs from the internet, so only list sources
    # you trust under rule_url in pulledpork.conf.
    sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
    # Re-validate snort.conf now that snort.rules is included.
    sudo snort -T -c /etc/snort/snort.conf -i ens32

    5.创建服务

    snort服务

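    # Create the unit file. Site-local units belong in /etc/systemd/system
    # (/lib/systemd/system is for units shipped by packages).
    sudo vi /etc/systemd/system/snort.service
    [Unit]
    Description=Snort NIDS Daemon
    After=syslog.target network.target
    [Service]
    # snort stays in the foreground (no -D), so systemd supervises it directly.
    Type=simple
    Restart=always
    # Monitor the same interface as the manual tests above (ens32). The original
    # unit said eth1, which typically does not exist on an 18.04 VM with
    # predictable interface names - snort would exit and Restart=always would
    # loop forever.
    ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens32
    [Install]
    WantedBy=multi-user.target

    # Make systemd read the new unit, then enable it at boot
    sudo systemctl daemon-reload
    sudo systemctl enable snort

    # Start it now
    sudo systemctl start snort

    # Check it is active ("journalctl -u snort" shows why if it is not)
    sudo systemctl status snort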

    Barnyard2服务

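    # Create the unit file (site-local units go in /etc/systemd/system).
    sudo vi /etc/systemd/system/barnyard2.service
    [Unit]
    Description=Barnyard2 Daemon
    # Barnyard2 writes to MySQL and reads Snort's unified2 files, so order it
    # after both (ordering only; the service still starts if they are absent).
    After=syslog.target network.target mysql.service snort.service
    [Service]
    Type=simple
    Restart=always
    # Run in the foreground: the original ExecStart carried -D, which makes
    # barnyard2 fork and daemonise. With Type=simple systemd tracks the
    # ExecStart process itself, so a daemonising parent looks like an immediate
    # exit and Restart=always keeps relaunching it. --pid-path is kept; it is
    # harmless without -D.
    ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -a /var/log/snort/archived_logs --pid-path=/var/run
    [Install]
    WantedBy=multi-user.target

    # Make systemd read the new unit, then enable it at boot
    sudo systemctl daemon-reload
    sudo systemctl enable barnyard2

    # Start it now
    sudo systemctl start barnyard2

    # Check it is active ("journalctl -u barnyard2" shows why if it is not)
    sudo systemctl status barnyard2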

    6.安装BASE

    解压后获得网站目录,移到apache2目录

    # Unpack BASE and move it into the web root. BASE 1.4.5 is an old PHP
    # application running here on PHP 5.6, which is no longer maintained, and
    # nothing on this page puts authentication in front of it - yet it exposes
    # every alert the sensor records. Keep this vhost reachable only from an
    # admin network (firewall rule, or Apache auth plus TLS).
    tar xzvf base-1.4.5.tar.gz
    sudo mv base-1.4.5 /var/www/html/base/

    配置

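    cd /var/www/html/base
    sudo cp base_conf.php.dist base_conf.php

    sudo vi /var/www/html/base/base_conf.php
    $BASE_Language = 'chinese'; # line 27
    $BASE_urlpath = '/base'; # line 50
    $DBlib_path = '/usr/share/php/adodb/'; #line 80
    $alert_dbname = 'snort'; # line 102
    $alert_host = 'localhost';
    $alert_port = '';
    $alert_user = 'snort';
    # Must match the CREATE USER password; 123456 is only a placeholder.
    $alert_password = '123456'; # line 106
    // $graph_font_name = "Verdana";
    // $graph_font_name = "DejaVuSans";
    // $graph_font_name = "Image_Graph_Font";
    $graph_font_name = "";

    # Ownership and modes. The original gave the whole tree to www-data, which
    # lets the PHP process rewrite its own code if BASE is ever compromised.
    # BASE reads its files and writes to the database, so keep the tree owned
    # by root and readable by the web server's group only; base_conf.php holds
    # the DB password and must never be world-readable. (If you use BASE's web
    # setup page to generate base_conf.php instead, grant www-data write access
    # to that one file temporarily, not to the whole tree.)
    sudo chown -R root:www-data /var/www/html/base
    sudo find /var/www/html/base -type d -exec chmod 750 {} +
    sudo find /var/www/html/base -type f -exec chmod 640 {} +

    sudo service apache2 restart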

    测试

    在浏览器中打开 http://localhost/base（或 http://<服务器IP>/base）。注意：本页没有为 BASE 配置任何登录认证，且 Apache 默认监听所有网卡，请先用防火墙或 Apache 认证 + TLS 限制访问，再把这台主机接入非受信网络。

     点击Create BASE AG

  • 原文地址:https://www.cnblogs.com/hua-sheng/p/13258278.html