■ sniffer mode - for analysing network traffic in real time

        run-time options:

        -v verbose

        -d dump packet payloads

        -x dump entire packet in hex

        -a display arp packets

        -e display link layer data



■ Print TCP/IP packet headers

        [TERM2] # ping 168.126.63.1

# snort -v        (# snort -v -c /etc/snort/snort.conf -l /var/log/snort)

Print headers and the data portion

# snort -dv      (# snort -dv -c /etc/snort/snort.conf -l /var/log/snort)

Print data link layer headers as well

# snort -dev     (# snort -dev -c /etc/snort/snort.conf -l /var/log/snort)



■ log mode - save the output to log files


command line options

-l dump packets into log directory

-b log packets in binary (tcpdump) format


Examples

# snort -dev -b -l /var/log/snort -c /etc/snort/snort.conf

# snort -dev -b -l /var/log/snort -h 192.168.20.0/24 -c /etc/snort/snort.conf



■ NIDS mode


# snort -d -h 192.168.20.0/24 -l /var/log/snort -c /etc/snort/snort.conf -A fast

-A fast : Fast alert mode

-A full

-A unsock

-A none

-A console(screen)

-A cmg(custom mode)


[Examples]

fast mode

# snort -c /etc/snort/snort.conf -l /var/log/snort -A fast


full mode

# snort -c /etc/snort/snort.conf -l /var/log/snort -A full -D


checking log files

# ls -l /var/log/snort

# cat alert

# cat snort.log.1389675205

# tcpdump -nr /var/log/snort/snort.log.13897656




■ barnyard configuration

■ MySQL configuration

■ barnyard & snort startup

■ BASE installation

■ BASE configuration



[ snort ---> barnyard2 ---> MySQL <--- BASE ]



■ barnyard2 - github.com/firnsy/barnyard2

a dedicated spooler for Snort's unified2 binary output format

an output system for Snort: it reads the binary logs that Snort writes in the unified2 format

and forwards the information in those logs to a database backend



■ BASE: Basic Analysis and Security Engine

provides a web front-end to query and analyze the alerts coming from Snort.

The alerts are written to the MySQL database by barnyard2; BASE reads them from there.

http://base.professionallyevil.com/






① Barnyard installation


# vi /etc/hosts

..... (omitted) .....

192.168.20.203   ids.example.com  ids

192.168.10.203   nic2


# mkdir -p /snort

# cd /snort

# wget --no-check-certificate \

https://github.com/firnsy/barnyard2/archive/master.zip \

-O master.zip

-> output omitted


# unzip master.zip

-> output omitted


# cd barnyard2-master

# ls

autogen.sh    COPYING  etc      m4           README         rpm      src

configure.ac  doc      LICENSE  Makefile.am  RELEASE.NOTES  schemas  tools


        (automatic) # ./autogen.sh       /* update configuration files */

        (manual) # autoconf -f -v -i -I ./m4


        (Note) Prerequisite packages - if the packages below are missing, they must be installed.

        Check this before running the autogen.sh script.

        (RedHat family) # yum -y install autoconf libtool automake

        (Debian family) # apt-get install autoconf libtool automake


# yum -y install autoconf libtool automake

# ./autogen.sh

Found libtoolize

libtoolize: putting auxiliary files in `.'.

libtoolize: copying file `./ltmain.sh'

libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.

libtoolize: copying file `m4/libtool.m4'

libtoolize: copying file `m4/ltoptions.m4'

libtoolize: copying file `m4/ltsugar.m4'

libtoolize: copying file `m4/ltversion.m4'

libtoolize: copying file `m4/lt~obsolete.m4'

autoreconf: Entering directory `.'

autoreconf: configure.ac: not using Gettext

autoreconf: running: aclocal --force -I m4

autoreconf: configure.ac: tracing

autoreconf: running: libtoolize --copy --force

libtoolize: putting auxiliary files in `.'.

libtoolize: copying file `./ltmain.sh'

libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.

libtoolize: copying file `m4/libtool.m4'

libtoolize: copying file `m4/ltoptions.m4'

libtoolize: copying file `m4/ltsugar.m4'

libtoolize: copying file `m4/ltversion.m4'

libtoolize: copying file `m4/lt~obsolete.m4'

autoreconf: running: /usr/bin/autoconf --force

autoreconf: running: /usr/bin/autoheader --force

autoreconf: running: automake --add-missing --copy --force-missing

configure.ac:11: installing `./config.guess'

configure.ac:11: installing `./config.sub'

configure.ac:8: installing `./install-sh'

configure.ac:8: installing `./missing'

autoreconf: Leaving directory `.'

You can now run "./configure" and then "make".


# ./configure --help | egrep '(mysql|lib)'

  --with-mysql=DIR               Support for MySQL

  --with-mysql-libraries=DIR     MySQL library directory


# yum -y install mysql mysql-devel

# ln -s /usr/lib64/mysql/libmysqlclient.so.16.0.0 /usr/lib/libmysqlclient.so.16.0.0

# ln -s /usr/lib64/mysql/libmysqlclient_r.so.16.0.0 /usr/lib/libmysqlclient_r.so.16.0.0


# cd /snort/barnyard2-master

# ./configure --with-mysql --with-mysql-libraries=/usr/lib64


# make

# make install


# cp /snort/barnyard2-master/etc/barnyard2.conf /etc/snort

# cp /snort/barnyard2-master/schemas/create_mysql /usr/local/src


# mkdir -p /var/log/barnyard2     /* this directory was created earlier */

# chown -R snort:snort /var/log/barnyard2


# cp /snort/snort-*/etc/gen-msg.map /etc/snort


② barnyard configuration

# vi /etc/snort/barnyard2.conf

[Before]

227: output alert_fast: stdout

351: #output database: log, mysql, user=root password=test dbname=db host=localhost

[After]

227: output alert_fast

351: output database: log, mysql, user=snort password=snort dbname=snort host=localhost

-> uncomment the line and edit it


③ Setup the MySQL Server

(Note) Be sure to do this work on the local machine.

# yum -y install mysql-server

-> output omitted


# chkconfig mysqld on

# service mysqld start

MySQL 데이타베이스 초기화 중:  Installing MySQL system tables...

OK

Filling help tables...

OK

 

To start mysqld at boot time you have to copy

support-files/mysql.server to the right place for your system

 

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !

To do so, start the server, then issue the following commands:

 

/usr/bin/mysqladmin -u root password 'new-password'

/usr/bin/mysqladmin -u root -h ids.example.com password 'new-password'

 

Alternatively you can run:

/usr/bin/mysql_secure_installation

 

which will also give you the option of removing the test

databases and anonymous user created by default.  This is

strongly recommended for production servers.

 

See the manual for more instructions.

 

You can start the MySQL daemon with:

cd /usr ; /usr/bin/mysqld_safe &

 

You can test the MySQL daemon with mysql-test-run.pl

cd /usr/mysql-test ; perl mysql-test-run.pl

 

Please report any problems with the /usr/bin/mysqlbug script!

 

                                                           [  OK  ]

mysqld (을)를 시작 중:                                     [  OK  ]


# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL

      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

 

 

In order to log into MySQL to secure it, we'll need the current

password for the root user.  If you've just installed MySQL, and

you haven't set the root password yet, the password will be blank,

so you should just press enter here.

 

Enter current password for root (enter for none): <ENTER>

OK, successfully used password, moving on...

 

Setting the root password ensures that nobody can log into the MySQL

root user without the proper authorisation.

 

Set root password? [Y/n] Y

New password: (soldesk1.)

Re-enter new password: (soldesk1.)

Password updated successfully!

Reloading privilege tables..

 ... Success!

 

 

By default, a MySQL installation has an anonymous user, allowing anyone

to log into MySQL without having to have a user account created for

them.  This is intended only for testing, and to make the installation

go a bit smoother.  You should remove them before moving into a

production environment.

 

Remove anonymous users? [Y/n] Y

 ... Success!

 

Normally, root should only be allowed to connect from 'localhost'.  This

ensures that someone cannot guess at the root password from the network.

 

Disallow root login remotely? [Y/n] Y

 ... Success!

 

By default, MySQL comes with a database named 'test' that anyone can

access.  This is also intended only for testing, and should be removed

before moving into a production environment.

 

Remove test database and access to it? [Y/n] Y

 - Dropping test database...

 ... Success!

 - Removing privileges on test database...

 ... Success!

 

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

 

Reload privilege tables now? [Y/n] Y

 ... Success!

 

Cleaning up...

 

 

 

All done!  If you've completed all of the above steps, your MySQL

installation should now be secure.

 

Thanks for using MySQL!


# mysql -u root -p

Enter password: (soldesk1.)

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 21

Server version: 5.1.73 Source distribution

 

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

 

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database snort;

Query OK, 1 row affected (0.00 sec)

 

mysql> grant all on snort.* to snort@localhost;

Query OK, 0 rows affected (0.00 sec)

      /* mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost; */

mysql> set password for snort@localhost=password('snort');

Query OK, 0 rows affected (0.00 sec)

 

mysql> show databases;

+--------------------+

| Database           |

+--------------------+

| information_schema |

| mysql              |

| snort              |

+--------------------+

3 rows in set (0.00 sec)

 

mysql> use snort;

Database changed

mysql> source /usr/local/src/create_mysql     <- from barnyard2

..... (omitted) .....

Query OK, 1 row affected (0.00 sec)

 

Query OK, 1 row affected (0.00 sec)

 

Query OK, 1 row affected (0.00 sec)

 

Query OK, 0 rows affected (0.01 sec)

 

Query OK, 1 row affected (0.00 sec)

 

Query OK, 1 row affected (0.00 sec)

mysql> show tables;

+------------------+

| Tables_in_snort  |

+------------------+

| data             |

| detail           |

| encoding         |

| event            |

| icmphdr          |

| iphdr            |

| opt              |

| reference        |

| reference_system |

| schema           |

| sensor           |

| sig_class        |

| sig_reference    |

| signature        |

| tcphdr           |

| udphdr           |

+------------------+

16 rows in set (0.00 sec)

 

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

 

mysql> exit


④ Start snort using the command


        (automatic) # service snortd restart

        (manual) # snort -d -A full -u snort -g snort -c /etc/snort/snort.conf -i eth0 &


# service snortd restart

Stopping snort:                                            [실패]

Starting snort: Spawning daemon child...

My daemon child 22470 lives...

Daemon parent exiting (0)

                                                           [  OK  ]


# ls -l /var/log/snort

-> (Note) If any file here is not owned by snort:snort, change the ownership with the chown command.

        # chown -R snort:snort /var/log/snort


[TERM2] run in another terminal

# barnyard2 -c /etc/snort/barnyard2.conf \

-d /var/log/snort -f snort.log \

-w /etc/snort/bylog.waldo \

-C /etc/snort/classification.config

Running in Continuous mode

 

        --== Initializing Barnyard2 ==--

Initializing Input Plugins!

Initializing Output Plugins!

Parsing config file "/etc/snort/barnyard2.conf"

 

 

+[ Signature Suppress list ]+

----------------------------

+[No entry in Signature Suppress List]+

----------------------------

+[ Signature Suppress list ]+

 

Barnyard2 spooler: Event cache size set to [2048]

Log directory = /var/log/barnyard2

INFO database: Defaulting Reconnect/Transaction Error limit to 10

INFO database: Defaulting Reconnect sleep time to 5 second

[ClassificationPullDataStore()]: No Classification found in database ...

[SignaturePullDataStore()]: No signature found in database ...

[SystemPullDataStore()]: No System found in database ...

[ReferencePullDataStore()]: No Reference found in database ...

[SignatureReferencePullDataStore()]: No Reference found in database ...

database: compiled support for (mysql)

database: configured to use mysql

database: schema version = 107

database:           host = localhost

database:           user = snort

database:  database name = snort

database:    sensor name = ids.example.com:NULL

database:      sensor id = 1

database:     sensor cid = 1

database:  data encoding = hex

database:   detail level = full

database:     ignore_bpf = no

database: using the "log" facility

 

        --== Initialization Complete ==--

 

  ______   -*> Barnyard2 <*-

 / ,,_  \  Version 2.1.14 (Build 337)

 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/

 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

 

WARNING: Unable to open waldo file '/etc/snort/bylog.waldo' (No such file or directory)

Opened spool file '/var/log/snort/snort.log.1464866678'

Closing spool file '/var/log/snort/snort.log.1464866678'. Read 0 records

Opened spool file '/var/log/snort/snort.log.1464866810'

Closing spool file '/var/log/snort/snort.log.1464866810'. Read 0 records

Opened spool file '/var/log/snort/snort.log.1464870215'

Waiting for new data

 

-> Wait here, since it takes a little while to run.

-> roughly 5 to 10 minutes


⑤ check mysql

# mysql -u root -p

Enter password: (soldesk1.)

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 12

Server version: 5.1.73 Source distribution

 

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

 

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

 

mysql> use snort;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

 

Database changed

mysql> select count(*) from event;

+----------+

| count(*) |

+----------+

|        0 |          <---- as barnyard2 reads the /var/log/snort/<snort log> files,

+----------+              the event count increases.

1 row in set (0.00 sec)

 

mysql> exit
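Before starting barnyard2, it helps to verify the pieces the steps above depend on (spool-file ownership, the uncommented database output line, spool files to read, a writable waldo file). The checks below are an added example, not code from the original post or the barnyard2 project; they assume the page's paths, and the function names and arguments are the example's own.

```shell
#!/bin/sh
# Pre-flight checks for the snort -> barnyard2 -> MySQL chain set up above.
# Added example, not part of the original post: the paths are the ones the
# page uses; the function names and arguments are this example's own.

# 0 if every file under the spool directory is owned by owner:group. The
# page notes that a spool file not owned by snort:snort must be chown'ed.
check_spool_owner() {
    dir=$1 owner=$2 group=$3
    [ -d "$dir" ] || return 1
    bad=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print)
    [ -z "$bad" ]
}

# 0 if barnyard2.conf has an active "output database:" line (the template
# line is commented out and carries user=root password=test). 1 = no active
# line; 2 = the line was uncommented but still has the template credentials.
check_db_output() {
    conf=$1
    line=$(grep '^output database:' "$conf" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 1
    case $line in
        *'user=root password=test'*) return 2 ;;
    esac
    return 0
}

# Print how many unified2 spool files (prefix given to barnyard2 -f, plus a
# timestamp) are in the directory; with 0, barnyard2 just "waits for new data".
count_spool_files() {
    dir=$1 prefix=$2 n=0
    for f in "$dir/$prefix".*; do
        [ -f "$f" ] || continue
        case ${f##*/} in "$prefix".[0-9]*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# 0 if barnyard2 can create or update its waldo (bookmark) file. The warning
# "Unable to open waldo file" is harmless on a first run, but an unwritable
# location means the read position is never saved across restarts.
check_waldo() {
    waldo=$1
    if [ -e "$waldo" ]; then [ -w "$waldo" ]; else [ -w "$(dirname "$waldo")" ]; fi
}

# Usage, as root on the sensor, with the page's paths:
# check_spool_owner /var/log/snort snort snort && check_db_output /etc/snort/barnyard2.conf
# count_spool_files /var/log/snort snort.log; check_waldo /etc/snort/bylog.waldo
```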



[Reference]

https://www.youtube.com/watch?v=II80tzwEuFk






BASE Installation

① Prerequisite program installation

# yum install libxml2 \

php \

php-gd \

php-cli \

php-mysql \

php-pear \

php-pear-Log \

php-dba \

php-dbase \

php-odbc \

php-pear-Image-Graph


② php editing - BASE Log level

# vi /etc/php.ini

[Before]

513: error_reporting = E_ALL & ~E_DEPRECATED

[After]

513: error_reporting = E_ALL & ~E_NOTICE

-> edit the line


# service httpd restart

httpd 를 정지 중:                                          [실패]

httpd (을)를 시작 중:                                      [  OK  ]


# tail -f /var/log/httpd/error_log

-> Check the error messages and adjust the configuration as needed.

-> Press <CTRL + C> to stop.


③ BASE and Adodb download

# cd /snort

# wget --no-check-certificate \

http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

-> output omitted


# tar xvzf base-1.4.5.tar.gz

-> output omitted


# cp -r base-1.4.5 /var/www/html/base

# chown -R apache:apache /var/www/html/base

# chmod 777 /var/www/html/base

-> (Note) 777 makes the directory world-writable; after the chown above, apache already owns it, so the BASE installer can write its configuration file without world permissions.


④ Adodb(a database abstraction library for PHP)

download http://sourceforge.net/projects/adodb/

# cd /snort

# wget --no-check-certificate http://sourceforge.net/projects/adodb/files/latest/download

-> output omitted


# file download

# mv download adodb.tar.gz

# tar xvzf adodb.tar.gz

-> output omitted


# mkdir /var/www/lib

# cp -r adodb5 /var/www/lib

# chown -R apache:apache /var/www/lib/adodb5/


⑤ BASE configuration


# firefox http://192.168.20.203/base &


Settings

Step 1 of 5

-> continue

 

 

Pick a Language : english

Path to ADODB : /var/www/lib/adodb5

-> continue


Step 2 of 5

Step 3 of 5

Database Name : snort

Database Host : localhost

Database User Name : root

Database Password : soldesk1.

-> (Note) the snort account created in step ③ holds all privileges on the snort database, so it can be used here instead of root.

-> continue

Admin User Name : soldesk

Password : soldesk1.

Full Name : soldesk

-> continue

 

Step 4 of 5

-> Create BASE AG

-> Now continue to step 5 to login


Step 5 of 5

 

!!! Complete !!!

 

Blank Page















Posted by 22Hz