カスタム検索
|
Tweet |
|
|
|
カスタム検索
|
Tweet |
|
|
     |
Snort2.2.0のインストールから設定
Modified: 4 June 2005
テーブルを作るファイルの抽出
snortのソースをインストールします。
MySQLのテーブルを作成するために、ソースを展開し、出てきた"tar.gz"をさらに展開します。展開したフォルダから"schemas"に移動するとデータベースを作る
MySQLを起動する
# service mysqld start MySQLデータベースを初期化中: [ OK ] MySQLを起動中: [ OK ] #rootのパスワードを設定する
# mysqladmin -u root password 'password' : #データベースとテーブルを作成します。
作ったテーブルをの確認します。
snortをインストールします。
"/etc/sysconfig/snort" を以下のように変更します。
# /etc/sysconfig/snort # $Id: snort.sysconfig,v 1.5 2004/06/28 18:21:16 bmc Exp $ # All of these options with the exception of -c, which tells Snort where # the configuration file is, may be specified in that configuration file as # well as the command line. Both the command line and config file options # are listed here for reference. #### General Configuration # What interface should snort listen on? [Pick only 1 of the next 3!] # This is -i {interface} on the command line # This is the snort.conf config interface: {interface} directive INTERFACE=eth0 # # The following two options are not directly supported on the command line # or in the conf file and assume the same Snort configuration for all # instances # # To listen on all interfaces use this: #INTERFACE=ALL # # To listen only on given interfaces use this: #INTERFACE="eth1 eth2 eth3 eth4 eth5" # Where is Snort's configuration file? # -c {/path/to/snort.conf} CONF=/etc/snort/snort.conf # What user and group should Snort drop to after starting? This user and # group should have very few privileges. # -u {user} -g {group} # config set_uid: user # config set_gid: group USER=snort GROUP=snort # Should Snort change the order in which the rules are applied to packets. # Instead of being applied in the standard Alert->Pass->Log order, this will # apply them in Pass->Alert->Log order. # -o # config order: {actions in order} # e.g. config order: log alert pass activation dynamic suspicious redalert #PASS_FIRST=0 PASS_FIRST=1 #### Logging & Alerting # NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually # exclusive. Use either NO_PACKET_LOG or any/all of the other logging # options. But the more logging options use you, the slower Snort will run. # Where should Snort log?: # -l {/path/to/logdir} # config logdir: {/path/to/logdir} LOGDIR=/var/log/snort # How should Snort alert? Valid alert modes include fast, full, none, and # unsock. Fast writes alerts to the default "alert" file in a single-line, # syslog style alert message. Full writes the alert to the "alert" file # with the full decoded header as well as the alert message. None turns off # alerting. Unsock is an experimental mode that sends the alert information # out over a UNIX socket to another process that attaches to that socket. # -A {alert-mode} # output alert_{type}: {options} #ALERTMODE=fast ALERTMODE= # Should Snort dump the application layer data when displaying packets in # verbose or packet logging mode. # -d # config dump_payload #DUMP_APP=1 DUMP_APP=0 # Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is # recommended as it provides very useful information for investigations. # -b # output log_tcpdump: {log name} #BINARY_LOG=1 BINARY_LOG=0 # Should Snort turn off packet logging? The program still generates # alerts normally. # -N # config nolog NO_PACKET_LOG=0 # Print out the receiving interface name in alerts. # -I # config alert_with_interface_name PRINT_INTERFACE=0 # When dumping the stats, what log file should we look in SYSLOG=/var/log/messages # When dumping the stats, how long to wait to make sure that syslog can # flush data to disk SECS=5 # To add a BPF filter to the command line uncomment the following variable # syntax corresponds to tcpdump(8) #BPF="not host 192.168.1.1" # To use an external BPF filter file uncomment the following variable # syntax corresponds to tcpdump(8) # -F {/path/to/bpf_file} # config bpf_file: /path/to/bpf_file #BPFFILE=/etc/snort/bpf_file
"/etc/snort/snort.conf"のログの出力先を指定します。
#-------------------------------------------------- # http://www.snort.org Snort 2.1.0 Ruleset # Contact: snort-sigs@lists.sourceforge.net #-------------------------------------------------- # $Id: snort.conf,v 1.142.2.2 2004/08/05 18:55:37 jhewlett Exp $ # ################################################### # This file contains a sample snort configuration. # You can take the following steps to create your own custom configuration: # # 1) Set the network variables for your network # 2) Configure preprocessors # 3) Configure output plugins # 4) Customize your rule set # ################################################### : #################################################################### # Step #3: Configure output plugins # # Uncomment and configure the output plugins you decide to use. General # configuration for output plugins is of the form: # # output <name_of_plugin>: <configuration_options> # # alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments. Win32 can also optionally # specify a particular hostname/port. Under Win32, the default hostname is # '127.0.0.1', and the default port is 514. # # [Unix flavours should use this format...] # output alert_syslog: LOG_AUTH LOG_ALERT # # [Win32 can use any of these formats...] # output alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT # log_tcpdump: log packets in binary tcpdump format # ------------------------------------------------- # The only argument is the output file name. # # output log_tcpdump: tcpdump.log # database: log to a variety of databases # --------------------------------------- # See the README.database file for more information about configuring # and using this plugin. # output database: alert, mysql, user=snort password=password dbname=snort host=localhost # output database: alert, postgresql, user=snort dbname=snort # output database: log, odbc, user=snort dbname=snort # output database: log, mssql, dbname=snort user=snort password=test # output database: log, oracle, dbname=snort user=snort password=test # unified: Snort unified binary format alerting and logging # ------------------------------------------------------------- :
コマンドを入力後、すぐに、"<Crtl>"+"C"で停止しました。
# /usr/sbin/snort -v Running in packet dump mode Log directory = /var/log/snort Initializing Network Interface eth0 --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth0 --== Initialization Complete ==-- -*> Snort! <*- Version 2.2.0 (Build 30) By Martin Roesch (roesch@sourcefire.com, www.snort.org) 06/04-02:49:15.866134 192.168.0.16:1224 -> 192.168.0.61:22 TCP TTL:128 TOS:0x0 ID:7732 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x4EE524B9 Ack: 0xCCEBBB92 Win: 0xFFC7 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/04-02:49:15.866184 192.168.0.61:22 -> 192.168.0.16:1224 TCP TTL:64 TOS:0x10 ID:8551 IpLen:20 DgmLen:432 DF ***AP*** Seq: 0xCCEBBB92 Ack: 0x4EE524B9 Win: 0x16D0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/04-02:49:16.019039 ARP who-has 192.168.0.243 tell 0.0.0.0 06/04-02:49:16.114264 192.168.0.16:1224 -> 192.168.0.61:22 TCP TTL:128 TOS:0x0 ID:7733 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x4EE524B9 Ack: 0xCCEBBD1A Win: 0xFE3F TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/04-02:49:16.114312 192.168.0.61:22 -> 192.168.0.16:1224 TCP TTL:64 TOS:0x10 ID:8552 IpLen:20 DgmLen:676 DF ***AP*** Seq: 0xCCEBBD1A Ack: 0x4EE524B9 Win: 0x16D0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/04-02:49:16.305788 192.168.0.16:1224 -> 192.168.0.61:22 TCP TTL:128 TOS:0x0 ID:7734 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x4EE524B9 Ack: 0xCCEBBF96 Win: 0xFBC3 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/04-02:49:16.305836 192.168.0.61:22 -> 192.168.0.16:1224 TCP TTL:64 TOS:0x10 ID:8553 IpLen:20 DgmLen:592 DF ***AP*** Seq: 0xCCEBBF96 Ack: 0x4EE524B9 Win: 0x16D0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/04-02:49:16.499734 192.168.0.16:1224 -> 192.168.0.61:22 TCP TTL:128 TOS:0x0 ID:7735 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x4EE524B9 Ack: 0xCCEBC1BE Win: 0xFFFF TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/04-02:49:16.499782 192.168.0.61:22 -> 192.168.0.16:1224 TCP TTL:64 TOS:0x10 ID:8554 IpLen:20 DgmLen:592 DF ***AP*** Seq: 0xCCEBC1BE Ack: 0x4EE524B9 Win: 0x16D0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/04-02:49:16.692952 192.168.0.16:1224 -> 192.168.0.61:22 TCP TTL:128 TOS:0x0 ID:7736 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x4EE524B9 Ack: 0xCCEBC3E6 Win: 0xFDD7 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/04-02:49:16.693003 192.168.0.61:22 -> 192.168.0.16:1224 TCP TTL:64 TOS:0x10 ID:8555 IpLen:20 DgmLen:592 DF ***AP*** Seq: 0xCCEBC3E6 Ack: 0x4EE524B9 Win: 0x16D0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =============================================================================== Snort received 13 packets Analyzed: 13(100.000%) Dropped: 0(0.000%) =============================================================================== Breakdown by protocol: TCP: 10 (76.923%) UDP: 0 (0.000%) ICMP: 0 (0.000%) ARP: 1 (7.692%) EAPOL: 0 (0.000%) IPv6: 0 (0.000%) IPX: 0 (0.000%) OTHER: 0 (0.000%) DISCARD: 0 (0.000%) =============================================================================== Action Stats: ALERTS: 0 LOGGED: 0 PASSED: 0 =============================================================================== Snort exiting #どんどん流れていけば、パケットがキャプチャされているようですのでOKです。
デーモンとしてsnortを起動しておきます。
# service snortd start Starting snort: [ OK ] #
snortが、MySQLに接続されていることを確認します。
MySQLに接続されておれば、上記のようにsnortのプロセスが見えます。
 |
