English | Vietnamese
 

banner

[Rule] Rules  [Home] Main Forum  [Portal] Portal  
[Members] Member Listing  [Statistics] Statistics  [Search] Search  [Reading Room] Reading Room 
[Register] Register   [Login] Loginhttp  | https  ]
 
Forum Index Thảo luận hệ điều hành *nix Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi  XML
  [Question]   Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi 19/11/2013 21:04:49 (+0700) | #1 | 279039
Nhóm Hắc Ker Tê
Member
[Minus]    0    [Plus]
Joined: 11/11/2013 03:38:33
Messages: 8
Offline
[Profile] [PM]
Chào các bạn và các anh chị em
Mình đã cài 5 lần 7 lượt snort theo các hướng dẫn tiếng việc và tiếng anh nhưng đều không hoạt động, qua 1 số lần có kinh nghiệm mình đã làm gần được rồi, mặc dù vấn đề các lỗi thường gặp khi triển khai snort mình đã tham khảo qua hết tất các các bài viết trên này và trên 4rum nhatnghe, nhưng vẫn còn 2 vần đề trục trặc sau mà mình muốn hỏi.
Trước tiên Mình xin trình bày toàn bộ quá trình cài đặt snort của mình để mọi người tiện quan sát và xem thử có chỗ nào sai.
Mô hình của mình là làm trên máy ảo VmWare, 1 máy ảo CentOS 6.4 i386 em dùng để triển khai Snort, mình dùng bản snort-2.9.5.5, 1 máy Windows XP dùng để test hoạt động của Snort. Lớp mạng mình dùng là 192.168.1.0/24 (máy CentOS có IP 192.168.1.2, máy Win XP có IP 192.168.1.3) Sau khi tiến hành cài các gói phần mềm cần thiết cho việc cài Snort thì mình tiến hành cài Snort theo hướng dẫn của trang snort.org như sau:
Các file cài đặt và file rule của snort em để trong /usr/local/src/
Code:
cd /usr/local/src
tar -xzvf snort-2.9.5.5.tar.gz
cd snort-2.9.5.5

Chỗ này mình tham khảo trên mạng nói là các bản snort 2.9.x.x trở lên không nên chạy với –with-mysql ngay từ đầu vì chắc chắn sẽ có lỗi mà chỉ chạy với --with-sourcefire
Code:
./configure --enable-sourcefire
make	
make install

Tạo thư mục làm việc của snort là /etc/snort
Code:
cd /etc
mkdir –p snort
cd snort

Chép hết các file trong snort-2.9.5.5/etc vừa giải nén được và vào /etc/snort
Code:
cp /usr/local/src/snort-2.9.5.5/etc/* .

Bước giải nén và chép các rules
Code:
tar -xzvf /usr/local/src/snortrules-snapshot-2955.tar.gz 
cp ./etc/* .
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
mkdir /var/log/snort

Tạo nhóm người dùng và user
Code:
groupadd -g 40000 snort
useradd -g snort snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

Sửa file cấu hình snort.conf các dòng sau
Code:
vi /etc/snort/snort.conf

Code:
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
output unified2: filename snort.log, limit 128

Code:
cd /usr/local/src
chown -R snort:snort daq-2.0.1
chmod -R 755 daq-2.0.1
chown -R snort:snort snort-2.9.5.5
chmod -R 755 snort-2.9.5.5
chown -R snort:snort snort_dynamicsrc
chmod -R 700 snort_dynamicsrc

Thiết lập snort khởi động cùng hệ thống
Code:
cd /usr/local/src/snort-2.9.5.5
cd rpm
cp snortd /etc/init.d
chkconfig --add snortd
ln -s /usr/local/bin/snort snort
cd /usr/local/src/snort-2.9.5.5/rpm/
cp snort.sysconfig /etc/sysconfig/snort
chmod 755 /etc/init.d/snortd
chmod 755 /etc/sysconfig/snort
chmod 755 /var/log/snort
cd /usr/local/lib
chown -R snort:snort snort*
chown -R snort:snort snort_dynamic*
chown -R snort:snort pkgconfig
chmod -R 755 snort*
cd /usr/local/bin
chown -R snort:snort daq-modules-config
chown -R snort:snort u2*
chmod -R 755 daq-modules-config
chmod 755 u2*
chown -R snort:snort snort
chmod -R 755 snort

Kiểm tra hoạt động của snort bằng 1 trong 2 dòng lệnh đưới đây
Code:
./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
./snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Thấy hiển thị
Code:
snort    28765  0.3 28.7 400772 146936 ? Ssl  02:36  0:00 ./snort -A fast -b -d -D -i eth0 -u snort -g snort -c 
/etc/snort/snort.conf -l /var/log/snort
root     28854  0.0  0.1   4356   752 pts/0  S+  02:39  0:00 grep -i snort

Code:
service snortd restart

Thấy hiển thị
Code:
Stopping snort:                                            [  OK  ]
Starting snort: Spawning daemon child...
My daemon child 3090 lives...
Daemon parent exiting (0)
                                                           [  OK  ]

Code:
service snortd status

Thấy hiển thị
Code:
snort (pid 1886) is running...

Đến bước cài barnyard2-1.9
Code:
cd /usr/local/src
wget http://pear.php.net/go-pear.phar
php go-pear.phar
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
tar -xzvf barnyard2-1.9.tar.gz
cd barnyard2-1.9
./configure --with-mysql
make
make install

Copy file cấu hình barnyard2 vào /etc/snort
Code:
cp etc/barnyard2.conf /etc/snort/
cp schemas/create_mysql /usr/local/src

Sửa file cấu hình barnyard các dòng sau
Code:
vi /etc/snort/barnyard2.conf

Code:
config reference_file: /etc/snort/reference.config
    config classification_file: /etc/snort/classification.config
    config gen_file: /etc/snort/gen-msg.map
    config sid_file: /etc/snort/sid-msg.map
    config hostname: localhost
    config interface: eth0
    output alert_fast: stdout
    output database: log, mysql, user=snort password=123456
    output database: alert, mysql, user=snort password=123456 dbname=snort host=localhost

Thiết lập barnyard khởi động cùng hệ thống
Code:
cp rpm/barnyard2 /etc/init.d
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir /var/log/barnyard2
chmod 755 /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort.snort /var/log/snort/barnyard2.waldo
cd /etc/init.d
chkconfig barnyard2 on

Ở bước này và các bước sau khi cài xong adodb, base hay tạo CSDL thì Code:
service barnyard2 restart
bị lỗi sau:
Code:
Shutting down Snort Output Processor (barnyard2):          [FAILED]
Starting Snort Output Processor (barnyard2):               [  OK  ]

Kiểm tra thêm bằng lệnh
Code:
service barnyard2 status

Thấy hiện thị
Code:
barnyard2 dead but subsys locked

Bước tạo CSDL cho snort
Code:
mysqladmin -u root password 123456
mysql -u root –p
Enter password: 123456
mysql> use mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
mysql> create database snort;
mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
mysql> set password for snort@localhost=PASSWORD('123456');
mysql> flush privileges;
mysql> exit;
mysql -p
Enter password:
mysql> show databases;
+--------------------+
| Database            |
+--------------------+
| information_schema|
| mysql                 |
| snort                  |
| test                    |
+--------------------+

Tạo bảng cho snort, Ở bước tạo table này mình không làm theo các cách như trên mạng hay như trong 1 số hướng dẫn như
Code:
mysql –u root –p –D snort < /usr/local/src/snort-2.9.5.5/schemas/create_mysql
hay
mysql –u root –p –D snort < /usr/local/src/barnyard2-1.9/schemas/create_mysql

vì thấy các file create_mysql trong các đường dẫn trên có sẵn rồi và cũng có thử cả 2 câu lệnh trên thấy nó báo mysql [-OPTION] [--help] gì đó và không tạo được, thấy trên mạng có 1 cách như dưới và mình làm thử thì đã tạo được bảng.
Code:
mysql> use snort;
mysql> source /usr/local/src/create_mysql
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data              |
| detail            |
| encoding       |
| event            |
| icmphdr        |
| iphdr            |
| opt               |
| reference      |
| reference_system|
| schema            |
| sensor             |
| sig_class          |
| sig_reference   |
| signature        |
| tcphdr            |
| udphdr           |
+------------------+

Bước cài base và adodb
Code:
cd /var/www/html
tar -xzvf adodb511.tgz
tar -xzvf base-1.4.5.tar.gz
mv base-1.4.5/ base/
cd base
cp base_conf.php.dist base_conf.php

Code:
vi base_conf.php

Sửa các dòng sau
Code:
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'snort';
$alert_password = '123456';
$archive_exists = 1;
$archive_dbname = 'snort';
$archive_host = 'localhost';
$archive_user = 'snort';
$archive_password = '123456';

chmod 777 /var/www/html/base
Code:
vi /etc/sysconfig/barnyard2

sửa dòng
Code:
LOG_FILE="snort.log"

Trong quá trình khắc phục 1 số lỗi thì mình đã có chỉnh sửa 1 số file sau nên mình show hết ra lại cho anh em xem xét.
Code:
vi /etc/sysconfig/barnyard2

Code:
# Config file for /etc/init.d/barnyard2
LOG_FILE="snort.log"
# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth0"
# Probably not this either
CONF=/etc/snort/barnyard.conf
EXTRA_ARGS=""

Code:
vi /etc/init.d/barnyard2

Code:
!/bin/sh
#
# Init file for Barnyard2
#
# chkconfig: 2345 40 60
# description:  Barnyard2 is an output processor for snort.
#
# processname: barnyard2
# config: /etc/sysconfig/barnyard2
# config: /etc/snort/barnyard.conf
# pidfile: /var/lock/subsys/barnyard2.pid
source /etc/rc.d/init.d/functions
source /etc/sysconfig/network
### Check that networking is up.
[ "${NETWORKING}" == "no" ] && exit 0
[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1
### Default variables
SYSCONFIG="/etc/sysconfig/barnyard2"
### Read configuration
[ -r "$SYSCONFIG" ] && source "$SYSCONFIG"
RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"
start() {
        echo -n $"Starting $desc ($prog): "
        for INT in $INTERFACES; do
                PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
                ARCHIVEDIR="$SNORTDIR/$INT/archive"
                WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
                BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -f $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
                daemon $prog $BARNYARD_OPTS
        done
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
        return $RETVAL
}
stop() {
        echo -n $"Shutting down $desc ($prog): "
        killproc $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
        return $RETVAL
}
restart() {
        stop
        start
}
reload() {
        echo -n $"Reloading $desc ($prog): "
        killproc $prog -HUP
        RETVAL=$?
        echo
        return $RETVAL
}
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload)
        reload
        ;;
  condrestart)
        [ -e /var/lock/subsys/$prog ] && restart
        RETVAL=$?
        ;;
  status)
        status $prog
        RETVAL=$?
        ;;
  dump)
        dump
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|reload|condrestart|status|dump}"
        RETVAL=1
esac
exit $RETVAL

Code:
vi /etc/init.d/snortd

Code:
#!/bin/sh
# $Id$
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that \
#                currently detects more than 1100 host and network \
#                vulnerabilities, portscans, backdoors, and more.
#
# Source function library.
. /etc/rc.d/init.d/functions
# Source the local configuration file
. /etc/sysconfig/snort
# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
   ALERTMODE=""
else
   ALERTMODE="-A $ALERTMODE"
fi
if [ "$USER"X = "X" ]; then
   USER="snort"
fi
if [ "$GROUP"X = "X" ]; then
   GROUP="snort"
fi
if [ "$BINARY_LOG"X = "1X" ]; then
   BINARY_LOG="-b"
else
   BINARY_LOG=""
fi
if [ "$CONF"X = "X" ]; then
   CONF="-c /etc/snort/snort.conf"
else
   CONF="-c $CONF"
fi
if [ "$INTERFACE"X = "X" ]; then
   INTERFACE="-i eth0"
else
   INTERFACE="-i $INTERFACE"
fi
if [ "$DUMP_APP"X = "1X" ]; then
   DUMP_APP="-d"
else
   DUMP_APP=""
fi
if [ "$NO_PACKET_LOG"X = "1X" ]; then
   NO_PACKET_LOG="-N"
else
   NO_PACKET_LOG=""
fi
if [ "$PRINT_INTERFACE"X = "1X" ]; then
   PRINT_INTERFACE="-I"
else
   PRINT_INTERFACE=""
fi
if [ "$PASS_FIRST"X = "1X" ]; then
   PASS_FIRST="-o"
else
   PASS_FIRST=""
fi
if [ "$LOGDIR"X = "X" ]; then
   LOGDIR=/var/log/snort
Fi
# These are used by the 'stats' option
if [ "$SYSLOG"X = "X" ]; then
   SYSLOG=/var/log/messages
fi
if [ "$SECS"X = "X" ]; then
   SECS=5
fi
if [ ! "$BPFFILE"X = "X" ]; then
   BPFFILE="-F $BPFFILE"
fi
######################################
# Now to the real heart of the matter:
# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd $LOGDIR
        if [ "$INTERFACE" = "-i ALL" ]; then
           for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'`
           do
                mkdir -p "$LOGDIR/$i"
                chown -R $USER:$GROUP $LOGDIR
                daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
           done
        else
           # check if more than one interface is given
           if [ `echo $INTERFACE|wc -w` -gt 2 ]; then
              for i in `echo $INTERFACE | sed s/"-i "//`
                do
                  mkdir -p "$LOGDIR/$i"
                  chown -R $USER:$GROUP $LOGDIR
                  daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
             done
           else
              # Run with a single interface (default)
              daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF
           fi
        fi
        touch /var/lock/subsys/snort
        echo
        ;;
stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  reload)
        echo "Sorry, not implemented yet"
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  condrestart)
        [ -e /var/lock/subsys/snort ] && $0 restart
        ;;
  status)
        status snort
        ;;
  stats)
        TC=125                          # Trailing context to grep
        SNORTNAME='snort'               # Process name to look for
        if [ ! -x "/sbin/pidof" ]; then
           echo "/sbin/pidof not present, sorry, I cannot go on like this!"
           exit 1
      fi
        #Grab Snort's PID
        PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}`
        if [ ! -n "$PID" ]; then        # if we got no PID then:
           echo "No PID found: ${SNORTNAME} must not running."
           exit 2
        fi
        echo ""
        echo "*******"
        echo "WARNING:  This feature is EXPERIMENTAL - please report errors!"
        echo "*******"
        echo ""
        echo "You can also run: $0 stats [long | opt]"
        echo ""
        echo "Dumping ${SNORTNAME}'s ($PID) statistics"
        echo "please wait..."
        # Get the date and tell Snort to dump stats as close together in
        # time as possible--not 100%, but it seems to work.
        startdate=`date '+%b %e %H:%M:%S'`
        # This causes the stats to be dumped to syslog
        kill -USR1 $PID
        # Sleep for $SECS secs to give syslog a chance to catch up
        # May need to be adjusted for slow/busy systems
        sleep $SECS

        if [ "$2" = "long" ]; then              # Long format
            egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                grep snort.*:
        elif [ "$2" = "opt" ]; then             # OPTimize format
           # Just show stuff useful for optimizing Snort
            egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:"
        else                                    # Default format
            egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                grep snort.*: | cut -d: -f4-
        fi
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|restart|condrestart|status|stats (long|opt)}"
        exit 2
esac
exit 0

Code:
vi /usr/local/etc/barnyard2

Code:
#-------------------------------------------------------------
#  Barnyard2 configuration file
#
#  http://www.securixlive.com/barnyard2
#   
#  Contact: <a href="mailto:dev@securixlive.com">dev@securixlive.com</a>
#-------------------------------------------------------------
#
# This file contains a sample barnyard2 configuration. 
# You can take the following steps to create your own custom configuration:
#
#   1) Configure the variable declarations
#   2) Setup the input plugins
#   3) Setup the output plugins
#
# Step 1: configure the variable declarations
#
# in order to keep from having a commandline that uses every letter in the
# alphabet most configuration options are set here.
# use UTC for timestamps
#
#config utc
# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file:	    /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:	        /etc/snort/sid-msg.map
# define dedicated references similar to that of snort.
#
#config reference: mybugs http://www.mybugs.com/?s=
# define explicit classifications similar to that of snort.
#
#config classification: shortname, short description, priority
# set the directory for any output logging
#
#config logdir: /tmp
# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
# Example:
#   For a snort process as follows:
#     snort -i eth0 -c /etc/snort.conf
#
#   Typical options would be:
#     config hostname:	thor
#     config interface: eth0
#     config alert_with_interface_name
#
config hostname:	localhost
config interface:	eth0
config alert_with_interface_name
# enable printing of the interface name when alerting.
#
#config alert_with_interface_name
# at times snort will alert on a packet within a stream and dump that stream to
# the unified output. barnyard2 can generate output on each packet of that 
# stream or the first packet only.
#
#config alert_on_each_packet_in_stream
# enable daemon mode
#
#config daemon
# make barnyard2 process chroot to directory after initialisation.
#
#config chroot: /var/spool/barnyard2
# specifiy the group or GID for barnyard2 to run as after initialisation.
#
#config set_gid: 999
# specifiy the user or UID for barnyard2 to run as after initialisation.
#
#config set_uid: 999
# specify the directory for the barnyard2 PID file.
#
#config pidpath: /var/run/by2.pid
# enable decoding of the data link (or second level headers).
#
#config decode_data_link
# dump the application data
#
#config dump_payload
# dump the application data as chars only
#
#config dump_chars_only
# enable verbose dumping of payload information in log style output plugins.
#
#config dump_payload_verbose
# enable obfuscation of logged IP addresses.
#
#config obfuscate
# enable the year being shown in timestamps
#
#config show_year
# set the umask for all files created by the barnyard2 process (eg. log files).
#
#config umask: 066
# enable verbose logging
#
#config verbose
# quiet down some of the output
#
#config quiet
# define the full waldo filepath.
#
config waldo_file: /var/log/snort/barnyard2.waldo
# specificy the maximum length of the MPLS label chain
#
#config max_mpls_labelchain_len: 64
# specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
#
#config mpls_payload_type: ipv4
# set the reference network or homenet which is predominantly used by the
# log_ascii plugin.
#
#config reference_net: 192.168.0.0/24
#
# CONTINOUS MODE 
#
# set the archive directory for use with continous mode
#
#config archivedir: /tmp
# when in operating in continous mode, only process new records and ignore any
# existing unified files
#
#config process_new_records_only
# Step 2: setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2
# Step 3: setup the output plugins
# alert_cef
#-----------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to a
# remote network host as well as the local host using the open standard
# Common Event Format (CEF).
#
# Arguments: host=hostname[:port], severity facility
#            arguments should be comma delimited.
#   host		- specify a remote hostname or IP with optional port number
#                 this is only specific to WIN32 (and is not yet fully supported)
#	severity	- as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#	facility	- as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#	output alert_cef
#	output alert_cef: host=192.168.10.1
#	output alert_cef: host=sysserver.com:1001
#	output alert_cef: LOG_AUTH LOG_INFO
#
# alert_bro
#-----------------------------
# 
# Purpose: Send alerts to a Bro-IDS instance.
#
# Arguments: hostname:port
#
# Examples:
#	output alert_bro: 127.0.0.1:47757
# alert_fast
#-----------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
# 
# Arguments: file <file>, stdout
#            arguments should be comma delimited.
#   file - specifiy alert file
#   stdout - no alert file, just print to screen
# 
# Examples:
#   output alert_fast
#   output alert_fast: stdout
#
output alert_fast: stdout
# prelude: log to the Prelude Hybrid IDS system
# ---------------------------------------------
#
# Purpose:
#  This output module provides logging to the Prelude Hybrid IDS system
#
# Arguments: profile=snort-profile
#   snort-profile	- name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# Examples:
#   output alert_prelude
#   output alert_prelude: profile=snort-profile-name
#
# alert_syslog
#-----------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to a
# remote network host as well as the local host.
#
# Arguments: host=hostname[:port], severity facility
#            arguments should be comma delimited.
#   host		- specify a remote hostname or IP with optional port number
#                 this is only specific to WIN32 (and is not yet fully supported)
#	severity	- as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#	facility	- as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#	output alert_syslog
#	output alert_syslog: host=192.168.10.1
#	output alert_syslog: host=sysserver.com:1001
#	output alert_syslog: LOG_AUTH LOG_INFO
#
# log_ascii
#-----------------------------
# 
# Purpose: This output module provides the default packet logging funtionality
#
# Arguments: None.
#   
# Examples:
#   output log_ascii
#
# log_tcpdump
# -------------------------------------------------
#
# Purpose
#  This output module logs packets in binary tcpdump format
#
# Arguments:
#   The only argument is the output file name.
#
# Examples:
#   output log_tcpdump: tcpdump.log
#
# sguil
#-----------------------------
# 
# Purpose: This output module provides logging ability for the sguil interface
# See doc/README.sguil
#
# Arguments: agent_port <port>, sensor_name <name>
#            arguments should be comma delimited.
#   agent_port	- explicitly set the sguil agent listening port 
#				  (default: 7736)
#   sensor_name - explicitly set the sensor name 
#				  (default: machine hostname)
# 
# Examples:
#   output sguil
#   output sguil: agent_port=7000
#   output sguil: sensor_name=argyle
#   output sguil: agent_port=7000, sensor_name=argyle
#
# database: log to a variety of databases
# ---------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
#   output database: log, mysql, user=root password=test dbname=db host=localhost
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test

Code:
vi /etc/snort/rules/local.rules

Có các rule tự tạo
Code:
#-------------
     # LOCAL RULES
     #-------------
     alert tcp any any -> 192.168.1.2/24 any (msg:"Testing ScanPort 80"; sid:10000        01;)
     alert tcp 192.168.1.3/24 any -> 192.168.1.2/24 any (msg:"Testing ScanPort 22"        ; sid:1000002;)
     alert ip any any -> any any (msg:"IP Testing Rule"; sid:1000003;)
     alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000004;)
     alert tcp any any -> any any (msg:"TCP Testing Rule"; sid:1000005;)
     alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000006;)
     alert tcp 192.168.1.3/24 any -> any 80 (msg:"ScanPort 80"; sid:1000007;)
     alert tcp 192.168.1.3/24 any -> any 22 (msg:"ScanPort 22"; sid:1000008;)sid:1000008;)

Kiêm tra hoạt động của banyard2 bằng câu lệnh
Code:
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard2.waldo
hoặc
barnyard2 -c /etc/snort/barnyard2.conf -f merged.log -d /var/log/snort

Thấy chạy ra nhiều nội dung nhưng đến dòng
Code:
Opened spool file '/var/log/snort//snort.log.1384864281'
Waiting for new data

Thì thấy đứng lại rất lâu, chắc đang chạy tiếp
Kiểm tra hoạt động của snort
Code:
snort -c /etc/snort/snort.conf -i eth0 -u snort -g snort
hoặc
snort -u snort -g snort -d -c /etc/snort/snort.conf

Thấy chạy nhưng đến dòng này
Code:
Commencing packet processing (pid=5633)

Thì thấy đứng rất lâu chắc nó đang chạy tiếp.
Code:
ls -l /var/log/snort

Thấy nội dung
Code:
total 19376
-rw-r--r--. 1 root  root  11473353 Nov 19 04:29 alert
-rwxr-xr-x. 1 snort snort     2056 Nov 19 04:26 barnyard2.waldo
-rwxr-xr-x. 1 root  root         0 Nov 18 00:47 snort.alert
-rwxr-xr-x. 1 root  root         0 Nov 18 00:47 snort.log
-rw-------. 1 snort snort    10368 Nov 18 18:55 snort.log.1384829558
-rw-------. 1 snort snort     2511 Nov 18 19:01 snort.log.1384829740
-rw-------. 1 snort snort   412009 Nov 18 19:12 snort.log.1384830271
-rw-------. 1 snort snort   342686 Nov 18 19:24 snort.log.1384830766
-rw-------. 1 snort snort   264727 Nov 18 19:34 snort.log.1384831550
-rw-------. 1 snort snort  1048649 Nov 18 19:51 snort.log.1384832827
-rw-------. 1 snort snort    12114 Nov 18 20:03 snort.log.1384833256
-rw-------. 1 snort snort    37632 Nov 19 01:38 snort.log.1384853634
-rw-------. 1 snort snort  1825550 Nov 19 01:58 snort.log.1384853921
-rw-------. 1 snort snort  4365676 Nov 19 04:29 snort.log.1384855103
-rw-------. 1 snort snort     5922 Nov 19 04:25 snort.log.1384863836
-rw-------. 1 snort snort     2710 Nov 19 04:26 snort.log.1384863949
-rw-------. 1 root  root      1300 Nov 19 04:29 snort.log.1384864116

Kiểm tra lại hoạt động của snort
Code:
./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

Thấy chạy ra nhiều nội dung và kết thúc là
Code:
Snort successfully validated the configuration!
Snort exiting

Code:
ps aux | grep -i "snort"

Thấy hiển thị nội dung
Code:
snort     4062  0.3  0.9 400764  5016 ?        Ssl  03:48   0:10 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
root      5383  0.0  1.1  14588  6108 ?        Ss   04:23   0:00 barnyard2 -c /etc/snort/barnyard2.conf -f merged.log -d /var/log/snort -D
snort     5388  0.9  0.7 400704  3760 pts/0    Tl   04:23   0:10 snort -c /etc/snort/snort.conf -i eth0 -u snort -g snort
snort     5475  1.1  0.7 400480  3592 pts/0    Tl   04:25   0:10 snort -u snort -g snort -d -c /etc/snort/snort.conf
root      5545  0.0  2.0  28604 10576 pts/0    T    04:28   0:00 snort -dev -l /var/log/snort/
snort     5633  1.7 28.5 400764 145928 pts/0   Tl   04:31   0:10 snort -u snort -g snort -d -c /etc/snort/snort.conf
root      5657  2.3  1.2  14568  6560 pts/0    T    04:32   0:11 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard2.waldo
root      5748  3.3  1.2  14568  6576 pts/0    T    04:35   0:11 barnyard2 -c /etc/snort/barnyard2.conf -f merged.log -d /var/log/snort
root      5868  2.0  0.1   4356   724 pts/0    D+   04:40   0:00 grep -i snort

Vấn đề thứ 2 mình muốn hỏi là sao đã thực hiện scanport bằng nmap, advance port scan, superscan4 như hình dưới






Base không hiển thị portscan traffic hay TCP
















NHÓM HẮC KER TÊ - LÚC THÌ ĐI HẮC LÚC THÌ ĐI HÁT ^_^
[Up] [Print Copy]
  [Question]   Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi 20/11/2013 20:40:10 (+0700) | #2 | 279048
Nhóm Hắc Ker Tê
Member
[Minus]    0    [Plus]
Joined: 11/11/2013 03:38:33
Messages: 8
Offline
[Profile] [PM]
Bạn nào biết xem giúp với. hic
NHÓM HẮC KER TÊ - LÚC THÌ ĐI HẮC LÚC THÌ ĐI HÁT ^_^
[Up] [Print Copy]
  [Question]   Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi 23/11/2013 15:46:48 (+0700) | #3 | 279062
Nhóm Hắc Ker Tê
Member
[Minus]    0    [Plus]
Joined: 11/11/2013 03:38:33
Messages: 8
Offline
[Profile] [PM]
Anh em đâu cả rồi, vào xem giúp mình tí
NHÓM HẮC KER TÊ - LÚC THÌ ĐI HẮC LÚC THÌ ĐI HÁT ^_^
[Up] [Print Copy]
  [Question]   Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi 25/11/2013 11:21:12 (+0700) | #4 | 279074
Nhóm Hắc Ker Tê
Member
[Minus]    0    [Plus]
Joined: 11/11/2013 03:38:33
Messages: 8
Offline
[Profile] [PM]
trình bày kỹ thế mà không anh em nào xem giúp cái
NHÓM HẮC KER TÊ - LÚC THÌ ĐI HẮC LÚC THÌ ĐI HÁT ^_^
[Up] [Print Copy]
  [Question]   Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi 06/01/2014 10:07:59 (+0700) | #5 | 279412
HarryS
Member
[Minus]    0    [Plus]
Joined: 17/08/2010 07:39:49
Messages: 12
Offline
[Profile] [PM]
Để xem nào.
[Up] [Print Copy]
  [Question]   Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi 05/03/2014 18:01:26 (+0700) | #6 | 279921
kicktx
Member
[Minus]    0    [Plus]
Joined: 16/12/2013 22:06:54
Messages: 2
Offline
[Profile] [PM]
có bác nào biết khắc phuc lỗi khi install snort không a? Em đã install và configure libpcap và libpcre rồi sao vẫn bi lỗi này. Help me!
Error! Libpcre Library not found
[Up] [Print Copy]
  [Question]   Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi 14/03/2014 02:53:29 (+0700) | #7 | 280011
lightsea90
Member
[Minus]    0    [Plus]
Joined: 28/01/2013 03:35:38
Messages: 2
Offline
[Profile] [PM]
@Nhóm HKT:
- Snort của bạn chạy hoàn toàn bình thường.
- Bạn chạy quá nhiều Snort instance. Mỗi instance ứng với một process của Snort ở dưới. Theo như tôi đếm được là 4. Tương tự với barnyard2 bạn cũng chạy đến 2 process. Lưu ý chỉ chạy 1 tiến trình cho mỗi loại Snort và barnyard2 thôi.

Code:
snort     4062  0.3  0.9 400764  5016 ?        Ssl  03:48   0:10 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
root      5383  0.0  1.1  14588  6108 ?        Ss   04:23   0:00 barnyard2 -c /etc/snort/barnyard2.conf -f merged.log -d /var/log/snort -D
snort     5388  0.9  0.7 400704  3760 pts/0    Tl   04:23   0:10 snort -c /etc/snort/snort.conf -i eth0 -u snort -g snort
snort     5475  1.1  0.7 400480  3592 pts/0    Tl   04:25   0:10 snort -u snort -g snort -d -c /etc/snort/snort.conf
root      5545  0.0  2.0  28604 10576 pts/0    T    04:28   0:00 snort -dev -l /var/log/snort/
snort     5633  1.7 28.5 400764 145928 pts/0   Tl   04:31   0:10 snort -u snort -g snort -d -c /etc/snort/snort.conf
root      5657  2.3  1.2  14568  6560 pts/0    T    04:32   0:11 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard2.waldo
root      5748  3.3  1.2  14568  6576 pts/0    T    04:35   0:11 barnyard2 -c /etc/snort/barnyard2.conf -f merged.log -d /var/log/snort
root      5868  2.0  0.1   4356   724 pts/0    D+   04:40   0:00 grep -i snort

- Vấn đề portscan: để detect được tấn công portscan, bạn cần kích hoạt preprocessor sfportscan của Snort trong file snort.conf, đơn giản là uncomment nó (nếu cần) rồi restart lại Snort. Output của nó có 2 dạng là log dạng text hoặc unified2. Định dạng không giống các alert thông thường của Snort. Chi tiết bạn tìm hiểu ở đây:
Code:
http://manual.snort.org/node78.html


@kicktx: libpcre có thể được cài đặt qua yum hoặc apt-get (nếu bạn dùng Linux).
[Up] [Print Copy]
[digg] [delicious] [google] [yahoo] [technorati] [reddit] [stumbleupon]
Go to: 
 Users currently in here 
3 Anonymous

Powered by JForum - Extended by HVAOnline
 hvaonline.net  |  hvaforum.net  |  hvazone.net  |  hvanews.net  |  vnhacker.org
1999 - 2013 © v2012|0504|218|