Centos6

使用 barnyard2 設置 snort 2.9.x

  • September 10, 2014

這些網際網路上的指南已經過時了,而且它所依賴的軟體也不是最新的 PHP5.5。我已經用 ACID 和 ADODB 做了一些 hack,以使部分 gui 工作。我已按照此指南設置 barnyard2 http://sathisharthars.wordpress.com/2014/05/03/configuring-snort-with-barnyard-snortreport-acid-in-ubuntu-14-04/我試圖遵循其他 guid 但無法成功啟動 snort 和 barnayrd 並使 ACID gui 工作並產生任何結果。https://www.google.co.uk/search?q=start+snort+with+barnyard2&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=sb&gfe_rd= cr&ei=yPXMU7OvCKfY8gfn2IGADQ

我在使用 snort 時遇到的問題

 /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0 /usr/local/bin/barnyard2 -c /etc/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

上面的行因選項而失敗w

 FATAL ERROR: Invalid option: w.

如果我把 w 拿出來,我會得到下一個錯誤

 FATAL ERROR: /etc/snort/etc/barnyard2.conf(27) Unknown config directive: reference_file.

我無法開始打鼾。

我啟動 barnyard2 並在日誌文件中看到以下錯誤

barnyard2 -c /etc/snort/etc/barnyard2.conf -f merged.log

WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Jul 21 12:04:18 website-dev barnyard2: ERROR: Unable to open directory '' (No such file or directory)
Jul 21 12:04:18 website-dev barnyard2: ERROR: Unable to find the next spool file!

經過相當多的黑客攻擊以使其與 php5.5 兼容後,我設法在 apache 上傳入 ACID

  • 使用 vm centos 7 64 位最小安裝
  • 禁用 selinex 和防火牆

systemctl 停止防火牆

systemctl 禁用防火牆

yum update -y yum install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump wget net-tools mariadb-server -y

  rpm -ivh libdnet-debuginfo-1.12-6.el6.x86_64.rpm
  cd /usr/local/src
  wget https://www.snort.org/downloads/snort/snort-2.9.6.2.tar.gz
  wget https://www.snort.org/downloads/snort/daq-2.0.2.tar.gz

  # install daq
  tar -zxvf daq-2.0.2.tar.gz
  cd daq-2.0.2
  ./configure
  make
  make install
  cd /usr/local/lib
  ldconfig -v /usr/local/lib

  # install snort
  cd /usr/local/src/snort-2.9.6.2
  ./configure --enable-sourcefire
  make
  make install
  cd /usr/local/lib
  ldconfig -v /usr/local/lib

  cd /etc
  mkdir -p snort
  cd snort
  cp /usr/local/src/snort-2.9.6.2/etc/* .
  # get latest rule set
  wget https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz
  tar -zxvf snortrules-snapshot-2962.tar.gz
  cp ./etc/* .
  touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

  #configure
  groupadd -g 40000 snort
  useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
  chown -R snort:snort *
  chown -R snort:snort /var/log/snort
  • 修改 snort.conf
  • ** var RULE_PATH /etc/snort/rules
  • ** ipvar HOME_NET 192.168.1.0/24
  • ** ipvar EXTERNAL_NET !$HOME_NET
  • ** var SO_RULE_PATH /etc/snort/so_rules
  • ** var PREPROC_RULE_PATH /etc/snort/preproc_rules
  • ** var WHITE_LIST_PATH /etc/snort/rules
  • ** var BLACK_LIST_PATH /etc/snort/rules
  • 配置 ==
    cd /usr/local/src
    chown -R snort:snort *
    chmod -R 700 *
    chown -R snort:snort snort_dynamicsrc
    chmod -R 700 snort_dynamicsrc
    cd /usr/local/lib
    chown -R snort:snort snort*
    chown -R snort:snort pkgconfig
    chmod -R 700 snort*
    chmod -R 700 pkgconfig
    chown -R snort:snort daq-modules-config
    chown -R snort:snort u2*
    chmod -R 700 daq-modules-config
    chmod 700 u2*
    cd /etc
    chown -R snort:snort snort
    chmod -R 700 snort
    mkdir -p /usr/local/lib/snort_dynamicrules
    chown -R snort:snort /usr/local/lib/snort_dynamicrules
    chmod -R 700 /usr/local/lib/snort_dynamicrules

snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens34 -D

ethtool -G ens34 接收 4096

引用自:https://serverfault.com/questions/614141