Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi

Nhóm Hắc Ker Tê — GMT

Chào các bạn và các anh chị em Mình đã cài 5 lần 7 lượt snort theo các hướng dẫn tiếng việc và tiếng anh nhưng đều không hoạt động, qua 1 số lần có kinh nghiệm mình đã làm gần được rồi, mặc dù vấn đề các lỗi thường gặp khi triển khai snort mình đã tham khảo qua hết tất các các bài viết trên này và trên 4rum nhatnghe, nhưng vẫn còn 2 vần đề trục trặc sau mà mình muốn hỏi. Trước tiên Mình xin trình bày toàn bộ quá trình cài đặt snort của mình để mọi người tiện quan sát và xem thử có chỗ nào sai. Mô hình của mình là làm trên máy ảo VmWare, 1 máy ảo CentOS 6.4 i386 em dùng để triển khai Snort, mình dùng bản snort-2.9.5.5, 1 máy Windows XP dùng để test hoạt động của Snort. Lớp mạng mình dùng là 192.168.1.0/24 (máy CentOS có IP 192.168.1.2, máy Win XP có IP 192.168.1.3) Sau khi tiến hành cài các gói phần mềm cần thiết cho việc cài Snort thì mình tiến hành cài Snort theo hướng dẫn của trang snort.org như sau: Các file cài đặt và file rule của snort em để trong /usr/local/src/ Code:

cd /usr/local/src
tar -xzvf snort-2.9.5.5.tar.gz
cd snort-2.9.5.5

Chỗ này mình tham khảo trên mạng nói là các bản snort 2.9.x.x trở lên không nên chạy với –with-mysql ngay từ đầu vì chắc chắn sẽ có lỗi mà chỉ chạy với --with-sourcefire Code:

./configure --enable-sourcefire
make	
make install

Tạo thư mục làm việc của snort là /etc/snort Code:

cd /etc
mkdir –p snort
cd snort

Chép hết các file trong snort-2.9.5.5/etc vừa giải nén được và vào /etc/snort Code:

cp /usr/local/src/snort-2.9.5.5/etc/* .

Bước giải nén và chép các rules Code:

tar -xzvf /usr/local/src/snortrules-snapshot-2955.tar.gz 
cp ./etc/* .
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
mkdir /var/log/snort

Tạo nhóm người dùng và user Code:

groupadd -g 40000 snort
useradd -g snort snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

Sửa file cấu hình snort.conf các dòng sau Code:

vi /etc/snort/snort.conf

Code:

ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
output unified2: filename snort.log, limit 128

Code:

cd /usr/local/src
chown -R snort:snort daq-2.0.1
chmod -R 755 daq-2.0.1
chown -R snort:snort snort-2.9.5.5
chmod -R 755 snort-2.9.5.5
chown -R snort:snort snort_dynamicsrc
chmod -R 700 snort_dynamicsrc

Thiết lập snort khởi động cùng hệ thống Code:

cd /usr/local/src/snort-2.9.5.5
cd rpm
cp snortd /etc/init.d
chkconfig --add snortd
ln -s /usr/local/bin/snort snort
cd /usr/local/src/snort-2.9.5.5/rpm/
cp snort.sysconfig /etc/sysconfig/snort
chmod 755 /etc/init.d/snortd
chmod 755 /etc/sysconfig/snort
chmod 755 /var/log/snort
cd /usr/local/lib
chown -R snort:snort snort*
chown -R snort:snort snort_dynamic*
chown -R snort:snort pkgconfig
chmod -R 755 snort*
cd /usr/local/bin
chown -R snort:snort daq-modules-config
chown -R snort:snort u2*
chmod -R 755 daq-modules-config
chmod 755 u2*
chown -R snort:snort snort
chmod -R 755 snort

Kiểm tra hoạt động của snort bằng 1 trong 2 dòng lệnh đưới đây Code:

./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
./snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Thấy hiển thị Code:

snort    28765  0.3 28.7 400772 146936 ? Ssl  02:36  0:00 ./snort -A fast -b -d -D -i eth0 -u snort -g snort -c 
/etc/snort/snort.conf -l /var/log/snort
root     28854  0.0  0.1   4356   752 pts/0  S+  02:39  0:00 grep -i snort

Code:

service snortd restart

Thấy hiển thị Code:

Stopping snort:                                            [  OK  ]
Starting snort: Spawning daemon child...
My daemon child 3090 lives...
Daemon parent exiting (0)
                                                           [  OK  ]

Code:

service snortd status

Thấy hiển thị Code:

snort (pid 1886) is running...

Đến bước cài barnyard2-1.9 Code:

cd /usr/local/src
wget http://pear.php.net/go-pear.phar
php go-pear.phar
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
tar -xzvf barnyard2-1.9.tar.gz
cd barnyard2-1.9
./configure --with-mysql
make
make install

Copy file cấu hình barnyard2 vào /etc/snort Code:

cp etc/barnyard2.conf /etc/snort/
cp schemas/create_mysql /usr/local/src

Sửa file cấu hình barnyard các dòng sau Code:

vi /etc/snort/barnyard2.conf

Code:

config reference_file: /etc/snort/reference.config
    config classification_file: /etc/snort/classification.config
    config gen_file: /etc/snort/gen-msg.map
    config sid_file: /etc/snort/sid-msg.map
    config hostname: localhost
    config interface: eth0
    output alert_fast: stdout
    output database: log, mysql, user=snort password=123456
    output database: alert, mysql, user=snort password=123456 dbname=snort host=localhost

Thiết lập barnyard khởi động cùng hệ thống Code:

cp rpm/barnyard2 /etc/init.d
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir /var/log/barnyard2
chmod 755 /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort.snort /var/log/snort/barnyard2.waldo
cd /etc/init.d
chkconfig barnyard2 on

Ở bước này và các bước sau khi cài xong adodb, base hay tạo CSDL thì Code:

service barnyard2 restart

bị lỗi sau: Code:

Shutting down Snort Output Processor (barnyard2):          [FAILED]
Starting Snort Output Processor (barnyard2):               [  OK  ]

Kiểm tra thêm bằng lệnh Code:

service barnyard2 status

Thấy hiện thị Code:

barnyard2 dead but subsys locked

Bước tạo CSDL cho snort Code:

mysqladmin -u root password 123456
mysql -u root –p
Enter password: 123456
mysql> use mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
mysql> create database snort;
mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
mysql> set password for snort@localhost=PASSWORD('123456');
mysql> flush privileges;
mysql> exit;
mysql -p
Enter password:
mysql> show databases;
+--------------------+
| Database            |
+--------------------+
| information_schema|
| mysql                 |
| snort                  |
| test                    |
+--------------------+

Tạo bảng cho snort, Ở bước tạo table này mình không làm theo các cách như trên mạng hay như trong 1 số hướng dẫn như Code:

mysql –u root –p –D snort < /usr/local/src/snort-2.9.5.5/schemas/create_mysql
hay
mysql –u root –p –D snort < /usr/local/src/barnyard2-1.9/schemas/create_mysql

vì thấy các file create_mysql trong các đường dẫn trên có sẵn rồi và cũng có thử cả 2 câu lệnh trên thấy nó báo mysql [-OPTION] [--help] gì đó và không tạo được, thấy trên mạng có 1 cách như dưới và mình làm thử thì đã tạo được bảng. Code:

mysql> use snort;
mysql> source /usr/local/src/create_mysql
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data              |
| detail            |
| encoding       |
| event            |
| icmphdr        |
| iphdr            |
| opt               |
| reference      |
| reference_system|
| schema            |
| sensor             |
| sig_class          |
| sig_reference   |
| signature        |
| tcphdr            |
| udphdr           |
+------------------+

Bước cài base và adodb Code:

cd /var/www/html
tar -xzvf adodb511.tgz
tar -xzvf base-1.4.5.tar.gz
mv base-1.4.5/ base/
cd base
cp base_conf.php.dist base_conf.php

Code:

vi base_conf.php

Sửa các dòng sau Code:

$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'snort';
$alert_password = '123456';
$archive_exists = 1;
$archive_dbname = 'snort';
$archive_host = 'localhost';
$archive_user = 'snort';
$archive_password = '123456';

chmod 777 /var/www/html/base Code:

vi /etc/sysconfig/barnyard2

sửa dòng Code:

LOG_FILE="snort.log"

Trong quá trình khắc phục 1 số lỗi thì mình đã có chỉnh sửa 1 số file sau nên mình show hết ra lại cho anh em xem xét. Code:

vi /etc/sysconfig/barnyard2

Code:

# Config file for /etc/init.d/barnyard2
LOG_FILE="snort.log"
# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth0"
# Probably not this either
CONF=/etc/snort/barnyard.conf
EXTRA_ARGS=""

Code:

vi /etc/init.d/barnyard2

Code:

!/bin/sh
#
# Init file for Barnyard2
#
# chkconfig: 2345 40 60
# description:  Barnyard2 is an output processor for snort.
#
# processname: barnyard2
# config: /etc/sysconfig/barnyard2
# config: /etc/snort/barnyard.conf
# pidfile: /var/lock/subsys/barnyard2.pid
source /etc/rc.d/init.d/functions
source /etc/sysconfig/network
### Check that networking is up.
[ "${NETWORKING}" == "no" ] && exit 0
[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1
### Default variables
SYSCONFIG="/etc/sysconfig/barnyard2"
### Read configuration
[ -r "$SYSCONFIG" ] && source "$SYSCONFIG"
RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"
start() {
        echo -n $"Starting $desc ($prog): "
        for INT in $INTERFACES; do
                PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
                ARCHIVEDIR="$SNORTDIR/$INT/archive"
                WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
                BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -f $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
                daemon $prog $BARNYARD_OPTS
        done
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
        return $RETVAL
}
stop() {
        echo -n $"Shutting down $desc ($prog): "
        killproc $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
        return $RETVAL
}
restart() {
        stop
        start
}
reload() {
        echo -n $"Reloading $desc ($prog): "
        killproc $prog -HUP
        RETVAL=$?
        echo
        return $RETVAL
}
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload)
        reload
        ;;
  condrestart)
        [ -e /var/lock/subsys/$prog ] && restart
        RETVAL=$?
        ;;
  status)
        status $prog
        RETVAL=$?
        ;;
  dump)
        dump
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|reload|condrestart|status|dump}"
        RETVAL=1
esac
exit $RETVAL

Code:

vi /etc/init.d/snortd

Code:

#!/bin/sh
# $Id$
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that \
#                currently detects more than 1100 host and network \
#                vulnerabilities, portscans, backdoors, and more.
#
# Source function library.
. /etc/rc.d/init.d/functions
# Source the local configuration file
. /etc/sysconfig/snort
# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
   ALERTMODE=""
else
   ALERTMODE="-A $ALERTMODE"
fi
if [ "$USER"X = "X" ]; then
   USER="snort"
fi
if [ "$GROUP"X = "X" ]; then
   GROUP="snort"
fi
if [ "$BINARY_LOG"X = "1X" ]; then
   BINARY_LOG="-b"
else
   BINARY_LOG=""
fi
if [ "$CONF"X = "X" ]; then
   CONF="-c /etc/snort/snort.conf"
else
   CONF="-c $CONF"
fi
if [ "$INTERFACE"X = "X" ]; then
   INTERFACE="-i eth0"
else
   INTERFACE="-i $INTERFACE"
fi
if [ "$DUMP_APP"X = "1X" ]; then
   DUMP_APP="-d"
else
   DUMP_APP=""
fi
if [ "$NO_PACKET_LOG"X = "1X" ]; then
   NO_PACKET_LOG="-N"
else
   NO_PACKET_LOG=""
fi
if [ "$PRINT_INTERFACE"X = "1X" ]; then
   PRINT_INTERFACE="-I"
else
   PRINT_INTERFACE=""
fi
if [ "$PASS_FIRST"X = "1X" ]; then
   PASS_FIRST="-o"
else
   PASS_FIRST=""
fi
if [ "$LOGDIR"X = "X" ]; then
   LOGDIR=/var/log/snort
Fi
# These are used by the 'stats' option
if [ "$SYSLOG"X = "X" ]; then
   SYSLOG=/var/log/messages
fi
if [ "$SECS"X = "X" ]; then
   SECS=5
fi
if [ ! "$BPFFILE"X = "X" ]; then
   BPFFILE="-F $BPFFILE"
fi
######################################
# Now to the real heart of the matter:
# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd $LOGDIR
        if [ "$INTERFACE" = "-i ALL" ]; then
           for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'`
           do
                mkdir -p "$LOGDIR/$i"
                chown -R $USER:$GROUP $LOGDIR
                daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
           done
        else
           # check if more than one interface is given
           if [ `echo $INTERFACE|wc -w` -gt 2 ]; then
              for i in `echo $INTERFACE | sed s/"-i "//`
                do
                  mkdir -p "$LOGDIR/$i"
                  chown -R $USER:$GROUP $LOGDIR
                  daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
             done
           else
              # Run with a single interface (default)
              daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF
           fi
        fi
        touch /var/lock/subsys/snort
        echo
        ;;
stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  reload)
        echo "Sorry, not implemented yet"
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  condrestart)
        [ -e /var/lock/subsys/snort ] && $0 restart
        ;;
  status)
        status snort
        ;;
  stats)
        TC=125                          # Trailing context to grep
        SNORTNAME='snort'               # Process name to look for
        if [ ! -x "/sbin/pidof" ]; then
           echo "/sbin/pidof not present, sorry, I cannot go on like this!"
           exit 1
      fi
        #Grab Snort's PID
        PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}`
        if [ ! -n "$PID" ]; then        # if we got no PID then:
           echo "No PID found: ${SNORTNAME} must not running."
           exit 2
        fi
        echo ""
        echo "*******"
        echo "WARNING:  This feature is EXPERIMENTAL - please report errors!"
        echo "*******"
        echo ""
        echo "You can also run: $0 stats [long | opt]"
        echo ""
        echo "Dumping ${SNORTNAME}'s ($PID) statistics"
        echo "please wait..."
        # Get the date and tell Snort to dump stats as close together in
        # time as possible--not 100%, but it seems to work.
        startdate=`date '+%b %e %H:%M:%S'`
        # This causes the stats to be dumped to syslog
        kill -USR1 $PID
        # Sleep for $SECS secs to give syslog a chance to catch up
        # May need to be adjusted for slow/busy systems
        sleep $SECS

        if [ "$2" = "long" ]; then              # Long format
            egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                grep snort.*:
        elif [ "$2" = "opt" ]; then             # OPTimize format
           # Just show stuff useful for optimizing Snort
            egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:"
        else                                    # Default format
            egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                grep snort.*: | cut -d: -f4-
        fi
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|restart|condrestart|status|stats (long|opt)}"
        exit 2
esac
exit 0

Code:

vi /usr/local/etc/barnyard2

Code:

#-------------------------------------------------------------
#  Barnyard2 configuration file
#
#  http://www.securixlive.com/barnyard2
#   
#  Contact: dev@securixlive.com
#-------------------------------------------------------------
#
# This file contains a sample barnyard2 configuration. 
# You can take the following steps to create your own custom configuration:
#
#   1) Configure the variable declarations
#   2) Setup the input plugins
#   3) Setup the output plugins
#
# Step 1: configure the variable declarations
#
# in order to keep from having a commandline that uses every letter in the
# alphabet most configuration options are set here.
# use UTC for timestamps
#
#config utc
# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file:	    /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:	        /etc/snort/sid-msg.map
# define dedicated references similar to that of snort.
#
#config reference: mybugs http://www.mybugs.com/?s=
# define explicit classifications similar to that of snort.
#
#config classification: shortname, short description, priority
# set the directory for any output logging
#
#config logdir: /tmp
# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
# Example:
#   For a snort process as follows:
#     snort -i eth0 -c /etc/snort.conf
#
#   Typical options would be:
#     config hostname:	thor
#     config interface: eth0
#     config alert_with_interface_name
#
config hostname:	localhost
config interface:	eth0
config alert_with_interface_name
# enable printing of the interface name when alerting.
#
#config alert_with_interface_name
# at times snort will alert on a packet within a stream and dump that stream to
# the unified output. barnyard2 can generate output on each packet of that 
# stream or the first packet only.
#
#config alert_on_each_packet_in_stream
# enable daemon mode
#
#config daemon
# make barnyard2 process chroot to directory after initialisation.
#
#config chroot: /var/spool/barnyard2
# specifiy the group or GID for barnyard2 to run as after initialisation.
#
#config set_gid: 999
# specifiy the user or UID for barnyard2 to run as after initialisation.
#
#config set_uid: 999
# specify the directory for the barnyard2 PID file.
#
#config pidpath: /var/run/by2.pid
# enable decoding of the data link (or second level headers).
#
#config decode_data_link
# dump the application data
#
#config dump_payload
# dump the application data as chars only
#
#config dump_chars_only
# enable verbose dumping of payload information in log style output plugins.
#
#config dump_payload_verbose
# enable obfuscation of logged IP addresses.
#
#config obfuscate
# enable the year being shown in timestamps
#
#config show_year
# set the umask for all files created by the barnyard2 process (eg. log files).
#
#config umask: 066
# enable verbose logging
#
#config verbose
# quiet down some of the output
#
#config quiet
# define the full waldo filepath.
#
config waldo_file: /var/log/snort/barnyard2.waldo
# specificy the maximum length of the MPLS label chain
#
#config max_mpls_labelchain_len: 64
# specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
#
#config mpls_payload_type: ipv4
# set the reference network or homenet which is predominantly used by the
# log_ascii plugin.
#
#config reference_net: 192.168.0.0/24
#
# CONTINOUS MODE 
#
# set the archive directory for use with continous mode
#
#config archivedir: /tmp
# when in operating in continous mode, only process new records and ignore any
# existing unified files
#
#config process_new_records_only
# Step 2: setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2
# Step 3: setup the output plugins
# alert_cef
#-----------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to a
# remote network host as well as the local host using the open standard
# Common Event Format (CEF).
#
# Arguments: host=hostname[:port], severity facility
#            arguments should be comma delimited.
#   host		- specify a remote hostname or IP with optional port number
#                 this is only specific to WIN32 (and is not yet fully supported)
#	severity	- as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#	facility	- as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#	output alert_cef
#	output alert_cef: host=192.168.10.1
#	output alert_cef: host=sysserver.com:1001
#	output alert_cef: LOG_AUTH LOG_INFO
#
# alert_bro
#-----------------------------
# 
# Purpose: Send alerts to a Bro-IDS instance.
#
# Arguments: hostname:port
#
# Examples:
#	output alert_bro: 127.0.0.1:47757
# alert_fast
#-----------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
# 
# Arguments: file , stdout
#            arguments should be comma delimited.
#   file - specifiy alert file
#   stdout - no alert file, just print to screen
# 
# Examples:
#   output alert_fast
#   output alert_fast: stdout
#
output alert_fast: stdout
# prelude: log to the Prelude Hybrid IDS system
# ---------------------------------------------
#
# Purpose:
#  This output module provides logging to the Prelude Hybrid IDS system
#
# Arguments: profile=snort-profile
#   snort-profile	- name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# Examples:
#   output alert_prelude
#   output alert_prelude: profile=snort-profile-name
#
# alert_syslog
#-----------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to a
# remote network host as well as the local host.
#
# Arguments: host=hostname[:port], severity facility
#            arguments should be comma delimited.
#   host		- specify a remote hostname or IP with optional port number
#                 this is only specific to WIN32 (and is not yet fully supported)
#	severity	- as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#	facility	- as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#	output alert_syslog
#	output alert_syslog: host=192.168.10.1
#	output alert_syslog: host=sysserver.com:1001
#	output alert_syslog: LOG_AUTH LOG_INFO
#
# log_ascii
#-----------------------------
# 
# Purpose: This output module provides the default packet logging funtionality
#
# Arguments: None.
#   
# Examples:
#   output log_ascii
#
# log_tcpdump
# -------------------------------------------------
#
# Purpose
#  This output module logs packets in binary tcpdump format
#
# Arguments:
#   The only argument is the output file name.
#
# Examples:
#   output log_tcpdump: tcpdump.log
#
# sguil
#-----------------------------
# 
# Purpose: This output module provides logging ability for the sguil interface
# See doc/README.sguil
#
# Arguments: agent_port , sensor_name 
#            arguments should be comma delimited.
#   agent_port	- explicitly set the sguil agent listening port 
#				  (default: 7736)
#   sensor_name - explicitly set the sensor name 
#				  (default: machine hostname)
# 
# Examples:
#   output sguil
#   output sguil: agent_port=7000
#   output sguil: sensor_name=argyle
#   output sguil: agent_port=7000, sensor_name=argyle
#
# database: log to a variety of databases
# ---------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
#   output database: log, mysql, user=root password=test dbname=db host=localhost
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test

Code:

vi /etc/snort/rules/local.rules

Có các rule tự tạo Code:

#-------------
     # LOCAL RULES
     #-------------
     alert tcp any any -> 192.168.1.2/24 any (msg:"Testing ScanPort 80"; sid:10000        01;)
     alert tcp 192.168.1.3/24 any -> 192.168.1.2/24 any (msg:"Testing ScanPort 22"        ; sid:1000002;)
     alert ip any any -> any any (msg:"IP Testing Rule"; sid:1000003;)
     alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000004;)
     alert tcp any any -> any any (msg:"TCP Testing Rule"; sid:1000005;)
     alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000006;)
     alert tcp 192.168.1.3/24 any -> any 80 (msg:"ScanPort 80"; sid:1000007;)
     alert tcp 192.168.1.3/24 any -> any 22 (msg:"ScanPort 22"; sid:1000008;)sid:1000008;)

Kiêm tra hoạt động của banyard2 bằng câu lệnh Code:

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard2.waldo
hoặc
barnyard2 -c /etc/snort/barnyard2.conf -f merged.log -d /var/log/snort

Thấy chạy ra nhiều nội dung nhưng đến dòng Code:

Opened spool file '/var/log/snort//snort.log.1384864281'
Waiting for new data

Thì thấy đứng lại rất lâu, chắc đang chạy tiếp Kiểm tra hoạt động của snort Code:

snort -c /etc/snort/snort.conf -i eth0 -u snort -g snort
hoặc
snort -u snort -g snort -d -c /etc/snort/snort.conf

Thấy chạy nhưng đến dòng này Code:

Commencing packet processing (pid=5633)

Thì thấy đứng rất lâu chắc nó đang chạy tiếp. Code:

ls -l /var/log/snort

Thấy nội dung Code:

total 19376
-rw-r--r--. 1 root  root  11473353 Nov 19 04:29 alert
-rwxr-xr-x. 1 snort snort     2056 Nov 19 04:26 barnyard2.waldo
-rwxr-xr-x. 1 root  root         0 Nov 18 00:47 snort.alert
-rwxr-xr-x. 1 root  root         0 Nov 18 00:47 snort.log
-rw-------. 1 snort snort    10368 Nov 18 18:55 snort.log.1384829558
-rw-------. 1 snort snort     2511 Nov 18 19:01 snort.log.1384829740
-rw-------. 1 snort snort   412009 Nov 18 19:12 snort.log.1384830271
-rw-------. 1 snort snort   342686 Nov 18 19:24 snort.log.1384830766
-rw-------. 1 snort snort   264727 Nov 18 19:34 snort.log.1384831550
-rw-------. 1 snort snort  1048649 Nov 18 19:51 snort.log.1384832827
-rw-------. 1 snort snort    12114 Nov 18 20:03 snort.log.1384833256
-rw-------. 1 snort snort    37632 Nov 19 01:38 snort.log.1384853634
-rw-------. 1 snort snort  1825550 Nov 19 01:58 snort.log.1384853921
-rw-------. 1 snort snort  4365676 Nov 19 04:29 snort.log.1384855103
-rw-------. 1 snort snort     5922 Nov 19 04:25 snort.log.1384863836
-rw-------. 1 snort snort     2710 Nov 19 04:26 snort.log.1384863949
-rw-------. 1 root  root      1300 Nov 19 04:29 snort.log.1384864116

Kiểm tra lại hoạt động của snort Code:

./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

Thấy chạy ra nhiều nội dung và kết thúc là Code:

Snort successfully validated the configuration!
Snort exiting

Code:

ps aux | grep -i "snort"

Thấy hiển thị nội dung Code:

snort     4062  0.3  0.9 400764  5016 ?        Ssl  03:48   0:10 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
root      5383  0.0  1.1  14588  6108 ?        Ss   04:23   0:00 barnyard2 -c /etc/snort/barnyard2.conf -f merged.log -d /var/log/snort -D
snort     5388  0.9  0.7 400704  3760 pts/0    Tl   04:23   0:10 snort -c /etc/snort/snort.conf -i eth0 -u snort -g snort
snort     5475  1.1  0.7 400480  3592 pts/0    Tl   04:25   0:10 snort -u snort -g snort -d -c /etc/snort/snort.conf
root      5545  0.0  2.0  28604 10576 pts/0    T    04:28   0:00 snort -dev -l /var/log/snort/
snort     5633  1.7 28.5 400764 145928 pts/0   Tl   04:31   0:10 snort -u snort -g snort -d -c /etc/snort/snort.conf
root      5657  2.3  1.2  14568  6560 pts/0    T    04:32   0:11 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard2.waldo
root      5748  3.3  1.2  14568  6576 pts/0    T    04:35   0:11 barnyard2 -c /etc/snort/barnyard2.conf -f merged.log -d /var/log/snort
root      5868  2.0  0.1   4356   724 pts/0    D+   04:40   0:00 grep -i snort

Vấn đề thứ 2 mình muốn hỏi là sao đã thực hiện scanport bằng nmap, advance port scan, superscan4 như hình dưới

Base không hiển thị portscan traffic hay TCP

Latest posts for the topic "Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi"

Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi

Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi

Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi

Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi

Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi

Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi

Base snort không hiển thị PortScan Traffic & restart banyard2 bị lỗi