Setting up snort 2.9.x with barnyard2
The guides on the internet are out of date, and the software they rely on is not current with PHP 5.5. I have done some hacks on ACID and ADODB to get part of the GUI working. I set up barnyard2 following this guide: http://sathisharthars.wordpress.com/2014/05/03/configuring-snort-with-barnyard-snortreport-acid-in-ubuntu-14-04/ I tried to follow other guides but could not get snort and barnyard2 to start and get the ACID GUI working and producing any results. https://www.google.co.uk/search?q=start+snort+with+barnyard2&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=sb&gfe_rd= cr&ei=yPXMU7OvCKfY8gfn2IGADQ
The problems I have with snort
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0 /usr/local/bin/barnyard2 -c /etc/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
The line above fails on the option w:
FATAL ERROR: Invalid option: w.
If I take the w out, I get the next error
FATAL ERROR: /etc/snort/etc/barnyard2.conf(27) Unknown config directive: reference_file.
I cannot start snort.
I start barnyard2 and see the following errors in the log file
barnyard2 -c /etc/snort/etc/barnyard2.conf -f merged.log
WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Jul 21 12:04:18 website-dev barnyard2: ERROR: Unable to open directory '' (No such file or directory)
Jul 21 12:04:18 website-dev barnyard2: ERROR: Unable to find the next spool file!
After quite a bit of hacking to make it compatible with php5.5, I managed to get ACID loaded on apache
- using a centos 7 64 bit minimal install vm
- disable selinux and the firewall
systemctl stop firewalld
systemctl disable firewalld
yum update -y
yum install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump wget net-tools mariadb-server -y
rpm -ivh libdnet-debuginfo-1.12-6.el6.x86_64.rpm
cd /usr/local/src
wget https://www.snort.org/downloads/snort/snort-2.9.6.2.tar.gz
wget https://www.snort.org/downloads/snort/daq-2.0.2.tar.gz
# install daq
tar -zxvf daq-2.0.2.tar.gz
cd daq-2.0.2
./configure
make
make install
cd /usr/local/lib
ldconfig -v /usr/local/lib
# install snort (the tarball must be unpacked before the cd below)
cd /usr/local/src
tar -zxvf snort-2.9.6.2.tar.gz
cd /usr/local/src/snort-2.9.6.2
./configure --enable-sourcefire
make
make install
cd /usr/local/lib
ldconfig -v /usr/local/lib
cd /etc
mkdir -p snort
cd snort
cp /usr/local/src/snort-2.9.6.2/etc/* .
# get latest rule set
wget https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz
tar -zxvf snortrules-snapshot-2962.tar.gz
cp ./etc/* .
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
# configure
groupadd -g 40000 snort
useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort
- modify snort.conf
- ** var RULE_PATH /etc/snort/rules
- ** ipvar HOME_NET 192.168.1.0/24
- ** ipvar EXTERNAL_NET !$HOME_NET
- ** var SO_RULE_PATH /etc/snort/so_rules
- ** var PREPROC_RULE_PATH /etc/snort/preproc_rules
- ** var WHITE_LIST_PATH /etc/snort/rules
- ** var BLACK_LIST_PATH /etc/snort/rules
- configure ==
cd /usr/local/src
chown -R snort:snort *
chmod -R 700 *
chown -R snort:snort snort_dynamicsrc
chmod -R 700 snort_dynamicsrc
cd /usr/local/lib
chown -R snort:snort snort*
chown -R snort:snort pkgconfig
chmod -R 700 snort*
chmod -R 700 pkgconfig
chown -R snort:snort daq-modules-config
chown -R snort:snort u2*
chmod -R 700 daq-modules-config
chmod 700 u2*
cd /etc
chown -R snort:snort snort
chmod -R 700 snort
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules
- get the startup script from https://www.snort.org/documents
- need to edit the stream5 config to get rid of the warning because of the 1mb limit http://manual.snort.org/node17.html#SECTION00322600000000000000
snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens34 -D
ethtool -G ens34 rx 4096
- for the gui use Snorby https://snorby.org/
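A pre-flight check for the three spool arguments the barnyard2 commands in this thread use (-d spool directory, -f unified2 file prefix, -w waldo bookmark file). This is an added example, not code from the original post or from barnyard2 itself; the paths /var/log/snort and the prefix snort.u2 in the usage line are assumptions. It reports the two conditions behind the quoted errors: an empty or missing -d directory and a -f prefix that matches no file in the spool.

```shell
#!/bin/sh
# Pre-flight check for barnyard2 spool arguments:
#   -d <spool directory>  -f <unified2 file prefix>  -w <waldo bookmark file>
# Added example, not from the original post or from barnyard2 itself.
# The usage values at the bottom (/var/log/snort, snort.u2) are assumptions.

check_spool() {
    dir=$1 prefix=$2 waldo=$3
    rc=0
    # An empty -d is what produces: ERROR: Unable to open directory ''
    if [ -z "$dir" ]; then
        echo "ERR: no spool directory given (-d)"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "ERR: spool directory '$dir' does not exist"
        return 1
    fi
    # snort's unified2 output names files <prefix>.<unix timestamp>; if none
    # match, barnyard2 reports: ERROR: Unable to find the next spool file!
    n=$(find "$dir" -maxdepth 1 -type f -name "$prefix.*" | wc -l)
    if [ "$n" -eq 0 ]; then
        echo "ERR: no '$prefix.*' files in '$dir'; compare -f with the"
        echo "     'output unified2: filename ...' line in snort.conf"
        rc=1
    fi
    # The waldo file is a bookmark barnyard2 rewrites as it reads; it may be
    # absent on a first run, but if present it must be a writable regular file.
    if [ -e "$waldo" ] && { [ ! -f "$waldo" ] || [ ! -w "$waldo" ]; }; then
        echo "ERR: waldo file '$waldo' is not a writable regular file"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $n spool file(s) under '$dir' for prefix '$prefix'"
    return $rc
}

# Stand-alone usage with assumed paths:
# check_spool /var/log/snort snort.u2 /var/log/snort/barnyard2.waldo
```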