ubuntu1804 snort base

1.环境准备

apt安装

sudo apt-get update -y
sudo apt-get dist-upgrade -y
sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
sudo apt-get install -y build-essential bison flex
 
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev libnghttp2-dev
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl libwww-perl 
 
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update -y
sudo apt-get install -y apache2 libapache2-mod-php5.6 php5.6 php5.6-common php5.6-gd php5.6-cli php5.6-xml php5.6-mysql
sudo apt-get install -y php-pear libphp-adodb

wget从网站下载压缩包

wget https://www.snort.org/downloads/archive/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/archive/snort/snort-2.9.9.0.tar.gz
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
wget https://github.com/shirkdog/pulledpork/archive/v0.7.3.tar.gz -O pulledpork-v0.7.3.tar.gz
wget https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.8.tar.gz
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

2.开始安装

(1)安装daq

tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
sudo make
sudo make install

(2)安装snort

tar -xvzf snort-2.9.9.tar.gz
cd snort-2.9.9
./configure --enable-sourcefire
make
sudo make install

测试

snort -V

创建用户环境

# Create the snort user and group:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create some files that stores rules and ip lists
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# Change Ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

复制配置文件

cd ~/snort-2.9.9/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort-2.9.11/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

注释掉snort.conf中引用的规则文件,换为PulledPork

sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

修改snort.conf的配置

sudo vi /etc/snort/snort.conf
#第45行,ipvar HOME_NET修改为本机的内部网络
ipvar HOME_NET 192.168.89.138/24
#第104行,设置以下配置文件路径
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
#第521行添加
# output unified2: filename merged.log, l imit 128, nostamp, mpls event types, vlan event types }
output unified2: filename snort.u2, limit 128
#第546行取消注释,启用local.rules文件
include $RULE_PATH/local.rules

添加本地规则

sudo vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP Test detected!!!"; classtype:icmp-event; sid:10000001; rev:001; GID:1; )
sudo vi /etc/snort/sid-msg.map
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792

测试配置文件

sudo snort -T -c /etc/snort/snort.conf -i eth1

测试功能,此时从外面ping网口ens32的IP,snort会记录受到攻击,信息保存在/var/log/snort中,文件名为snort.log.xxx

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens32

3.安装Barnyard2

解压编译

tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./
# Choose ONE of these two commands to run
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
sudo make
sudo make install

测试

barnyard2 -V

配置文件

sudo cp ~/barnyard2-2-1.13/etc/barnyard2.conf /etc/snort/
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo

配置数据库

ubuntu@ubuntu:~$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/barnyard2-2-1.13/schemas/create_mysql;
mysql> CREATE USER snort@localhost IDENTIFIED BY 123456;
mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
mysql> exit;

添加数据库位置

sudo vi /etc/snort/barnyard2.conf
#在末尾添加数据库配置
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost sensor name=sensor01

测试,开启snort,并向ens32发送ping数据包

sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens32
# 开启barnyard2,将日志信息存入数据库
# 1.连续处理模式,设置barnyard2.waldo为书签
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
# 2.文件处理模式,处理单个日志文件
sudo barnyard2 -c /etc/snort/barnyard2.conf -o /var/log/snort/snort.u2.xxx
# 查看数据库条目数量,看是否增加
mysql -u snort -p -D snort -e "select count(*) from event"

4.安装PulledPork

解压安装

tar xzvf pulledpork-v0.7.3.tar.gz
cd pulledpork-v0.7.3/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort

测试

ubuntu@ubuntu:~$ pulledpork.pl -V
PulledPork v0.7.3 - Making signature updates great again!

配置文件更改

sudo vi /etc/snort/pulledpork.conf
#第19行:输入注册账户生成的oinkcode,若没有则注释掉
#第29行:取消注释可下载针对新兴威胁的规则
#第74行:更改为:
rule_path = /etc/snort/rules/snort.rules
#第89行:更改为:
local_rules = /etc/snort/rules/local.rules
#第92行:更改为:
sid_msg = /etc/snort/sid-msg.map
#第96行:更改为:
sid_msg_version = 2
#第119行:更改为:
config_path = /etc/snort/snort.conf
#第133行:更改为:
distro = Ubuntu-12-04
#第141行:更改为:
black_list = /etc/snort/rules/iplists/black_list.rules
#第150行:更改为:
IPRVersion = /etc/snort/rules/iplists
sudo vi /etc/snort/snort.conf
#第548行添加
include $RULE_PATH/snort.rules

更新测试规则

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
sudo snort -T -c /etc/snort/snort.conf -i ens32

5.创建服务

snort服务

#创建服务配置文件
sudo vi /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1
[Install]
WantedBy=multi-user.target
 
#设置开机启动
sudo systemctl enable snort
 
#启动服务
sudo systemctl start snort
 
#检查服务状态
sudo systemctl status snort

Barnyard2服务

#创建服务配置文件
sudo vi /lib/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs --pid-path=/var/run
[Install]
WantedBy=multi-user.target
 
#设置开机启动
sudo systemctl enable barnyard2
 
#启动服务
sudo systemctl start barnyard2
 
#检查服务状态
sudo systemctl status barnyard2

6.安装BASE

解压后获得网站目录,移到apache2目录

tar xzvf base-1.4.5.tar.gz
sudo mv base-1.4.5 /var/www/html/base/

配置

cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
 
sudo vi /var/www/html/base/base_conf.php
$BASE_Language = chinese; # line 27
$BASE_urlpath = /base; # line 50
$DBlib_path = /usr/share/php/adodb/; #line 80
$alert_dbname = snort; # line 102
$alert_host = localhost;
$alert_port = ‘‘;
$alert_user = snort;
$alert_password = 123456; # line 106
// $graph_font_name = "Verdana";
// $graph_font_name = "DejaVuSans";
// $graph_font_name = "Image_Graph_Font";
$graph_font_name = "";
 
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
 
sudo service apache2 restart

测试

浏览器输入localhost/base

ubuntu1804 snort base

 

 点击Create BASE AG

ubuntu1804 snort base

 

ubuntu1804 snort base

上一篇:将MacOS Catalina 降级为 Mojave


下一篇:Linux下的压缩与解压命令速查