Snort(Sniffer and More)

NIDS on CentOS 6.4/6.5

Firewall vs IDS (Intrusion Detection System) vs IPS (Intrusion Prevention System)

| Item | IPS (Intrusion Prevention System) | IDS (Intrusion Detection System) | F/W (Firewall) |
|---|---|---|---|
| Connection method | In-line | Mirror (TAP, switch) | In-line |
| Blocking method | Built-in | Reset signal, firewall interworking | Built-in |
| One-way attack | Detect/block | Detect | Not possible |
| DDoS & DoS | Detect/block | Detect | Partially supported |
| Recovery when the service goes down | Failover through FOD | Not applicable | Recovery through HA / failover |
| Real-time network session monitoring | Supported | Supported | Supported |
| Worm virus | Detect/block | Detect | Not possible |
| NAT | Not supported | Not supported | Supported |
| Multiple ports | 2 segments | 8 segments | Additional NIC connections supported |
| Advantages | Built-in detection and blocking modules for every packet protect the network | Built-in detection module for every packet raises alerts on network anomalies | Access-control policies for services and objects can be specified in detail, restricting unnecessary services |
| Disadvantages | No support for firewall-specific functions such as NAT, so limited when building a private network | Can block only in conjunction with a firewall (independent blocking is limited) | Cannot detect complex, sophisticated attacks beyond IP/port filtering |

IDS (Intrusion Detection System)

Network defense or "protection" model

- Planning : policy, rule

- Prevention : IPS

- Detection : IDS

- Response : Email, Alert, Terminate session, report

Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities.

IDS (Intrusion Detection System) types

N-IDS (Network-based IDS): network traffic is monitored by network-based intrusion detection systems. -> Open source: Snort

H-IDS (Host-based IDS): computer processes are monitored by host-based intrusion detection systems. -> Open source: Tripwire

Introduction to Snort (sniffer and more)

Snort is a Network Intrusion Detection System (NIDS). Snort can sniff your network and alert you, based on its rule DB, if there is an attack on your computer network. It is an open-source system built on libpcap, the capture library that tcpdump (the Linux sniffer tool) also uses.

Snort: an open source network intrusion prevention and detection system. It uses a rule-based language combining signature, protocol and anomaly inspection methods.

Snort: the most widely deployed intrusion detection and prevention technology; it has become the standard technology worldwide in the industry.

- Packet sniffer: captures and displays packets from the network on the console, with different levels of detail.

- Packet logger: logs packet data to text files.

- Honeypot monitor: deceiving hostile parties.

- A fast, flexible, small-footprint, open-source NIDS developed by the security community.

- Lead coder: Marty Roesch, now founder of Sourcefire (www.sourcefire.com).

- Initially developed in late 1998 as a sniffer with consistent output, unlike the protocol-dependent output of tcpdump.

System used

- CentOS 6.X (6.4 or 6.5)

1. Snort Installation

INDEX

---------------------------

Check system information

Download the Snort-related packages

Download the Snort rules

Compile the Snort-related packages

---------------------------


(1) Check system information

# uname -a

Linux ids.example.com 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

 

# cat /etc/redhat-release

CentOS release 6.4 (Final)

 

# cat /proc/cpuinfo

processor : 0

vendor_id : AuthenticAMD

cpu family : 21

model : 2

model name : AMD FX(tm)-6300 Six-Core Processor

stepping : 0

cpu MHz : 3507.009

cache size : 2048 KB

physical id : 0

siblings : 6

core id : 0

cpu cores : 6

apicid : 0

initial apicid : 0

fpu : yes

fpu_exception : yes

cpuid level : 13

wp : yes

flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx f16c hypervisor lahf_lm cmp_legacy extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw xop fma4 tbm bmi1

..... (omitted) .....

 

# top -n 1 | egrep '(Mem:|Swap:)'   (or: # free)

Mem: 881476k total, 553036k used, 328440k free, 23504k buffers

Swap: 4095992k total, 0k used, 4095992k free, 227476k cached

 

# df -h   (or: # df -h -T)

Filesystem Size Used Avail Use% Mounted on

/dev/mapper/vg_ids-lv_root

36G 3.8G 30G 12% /

tmpfs 431M 224K 431M 1% /dev/shm

/dev/sda1 485M 38M 423M 9% /boot

-> The storage is configured with LVM (Logical Volume Manager).

 

 

# ifconfig   (or: # ip addr)

eth0 Link encap:Ethernet HWaddr 00:0C:29:45:A1:D8

inet addr:192.168.20.203 Bcast:192.168.20.255 Mask:255.255.255.0

inet6 addr: fe80::20c:29ff:fe45:a1d8/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:32 errors:0 dropped:0 overruns:0 frame:0

TX packets:17 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:11468 (11.1 KiB) TX bytes:1251 (1.2 KiB)

 

eth1 Link encap:Ethernet HWaddr 00:0C:29:45:A1:E2

inet addr:192.168.10.203 Bcast:192.168.10.255 Mask:255.255.255.0

inet6 addr: fe80::20c:29ff:fe45:a1e2/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:19 errors:0 dropped:0 overruns:0 frame:0

TX packets:6 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:2006 (1.9 KiB) TX bytes:468 (468.0 b)

 

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:16 errors:0 dropped:0 overruns:0 frame:0

TX packets:16 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:960 (960.0 b) TX bytes:960 (960.0 b)

 

 

 

 

(2) Download the Snort-related packages

Package download list (Download snort packages)

==================== Example ====================================

snort-2.9.7.0.tar.gz    www.snort.org (get the latest version)

daq-2.0.4.tar.gz        www.snort.org (get the latest version)

libpcap-1.6.2.tar.gz    www.tcpdump.org (get the latest version)

pcre-8.36.tar.bz2       www.pcre.org (get the latest version)

libdnet-1.12.tgz        code.google.com/p/libdnet

================================================================


Create the package download directory

# mkdir /snort && cd /snort

 

Download the snort && daq packages

Go to http://www.snort.org and check for the latest release.

Versions current on each date this lab was run:

20150526 : daq-2.0.5.tar.gz / snort-2.9.7.3.tar.gz

20150908 : daq-2.0.6.tar.gz / snort-2.9.7.5.tar.gz

20160106 : daq-2.0.6.tar.gz / snort-2.9.8.0.tar.gz

20160531 : daq-2.0.6.tar.gz / snort-2.9.8.2.tar.gz

20160802 : daq-2.0.6.tar.gz / snort-2.9.8.3.tar.gz


# wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

--2014-12-11 16:31:46-- https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

Resolving www.snort.org... 104.28.25.35, 104.28.24.35, 2400:cb00:2048:1::681c:1823, ...

Connecting to www.snort.org|104.28.25.35|:443... connected.

ERROR: certificate common name “ssl2000.cloudflare.com” doesn’t match requested host name “www.snort.org”.

To connect to www.snort.org insecurely, use ‘--no-check-certificate’.

# wget --no-check-certificate https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

--2014-12-11 16:33:44-- https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

Resolving www.snort.org... 104.28.24.35, 104.28.25.35, 2400:cb00:2048:1::681c:1923, ...

Connecting to www.snort.org|104.28.24.35|:443... connected.

WARNING: certificate common name “ssl2000.cloudflare.com” doesn’t match requested host name “www.snort.org”.

HTTP request sent, awaiting response... 302 Found

Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/830/original/daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418286827&Signature=%2F9yiNQ2GbvnONASKekS4tbVQePM%3D [following]

--2014-12-11 16:33:46-- https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/830/original/daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418286827&Signature=%2F9yiNQ2GbvnONASKekS4tbVQePM%3D

Resolving s3.amazonaws.com... 54.231.244.8

Connecting to s3.amazonaws.com|54.231.244.8|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 495316 (484K) [,binary/octet-stream]

Saving to: “daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418286827&Signature=%2F9yiNQ2GbvnONASKekS4tbVQePM=”

 

100%[=========================================>] 495,316 136K/s in 3.6s

 

2014-12-11 16:33:50 (136 KB/s) - “daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418286827&Signature=%2F9yiNQ2GbvnONASKekS4tbVQePM=” saved [495316/495316]

 

# ls

daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418286827&Signature=%2F9yiNQ2GbvnONASKekS4tbVQePM=

 

# rm -rf daq*

#

 

# wget --no-check-certificate https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz \

-O daq-2.0.4.tar.gz

--2014-12-11 16:37:26-- https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

Resolving www.snort.org... failed: Name or service not known.

wget: unable to resolve host address “www.snort.org”

# wget --no-check-certificate https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz -O daq-2.0.4.tar.gz

--2014-12-11 16:37:48-- https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

Resolving www.snort.org... 104.28.24.35, 104.28.25.35, 2400:cb00:2048:1::681c:1923, ...

Connecting to www.snort.org|104.28.24.35|:443... connected.

WARNING: certificate common name “ssl2000.cloudflare.com” doesn’t match requested host name “www.snort.org”.

HTTP request sent, awaiting response... 302 Found

Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/830/original/daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418287071&Signature=6baO407gh69zPNZDgydKaYKn7p8%3D [following]

--2014-12-11 16:37:49-- https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/830/original/daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418287071&Signature=6baO407gh69zPNZDgydKaYKn7p8%3D

Resolving s3.amazonaws.com... 54.231.244.0

Connecting to s3.amazonaws.com|54.231.244.0|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 495316 (484K) [,binary/octet-stream]

Saving to: “daq-2.0.4.tar.gz”

 

100%[=========================================>] 495,316 110K/s in 4.4s

 

2014-12-11 16:37:56 (110 KB/s) - “daq-2.0.4.tar.gz” saved [495316/495316]

 

 

 

 

# wget --no-check-certificate https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz \

-O snort-2.9.7.0.tar.gz

--2014-12-11 16:40:11-- https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz

Resolving www.snort.org... 104.28.24.35, 104.28.25.35, 2400:cb00:2048:1::681c:1923, ...

Connecting to www.snort.org|104.28.24.35|:443... connected.

WARNING: certificate common name “ssl2000.cloudflare.com” doesn’t match requested host name “www.snort.org”.

HTTP request sent, awaiting response... 302 Found

Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/819/original/snort-2.9.7.0.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418287214&Signature=20oRt6vZbNqfINNT8llYTTq3%2Bxc%3D [following]

--2014-12-11 16:40:12-- https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/819/original/snort-2.9.7.0.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418287214&Signature=20oRt6vZbNqfINNT8llYTTq3%2Bxc%3D

Resolving s3.amazonaws.com... 54.231.244.0

Connecting to s3.amazonaws.com|54.231.244.0|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 6340553 (6.0M) [,binary/octet-stream]

Saving to: “snort-2.9.7.0.tar.gz”

 

100%[=========================================>] 6,340,553 254K/s in 18s

 

2014-12-11 16:40:31 (340 KB/s) - “snort-2.9.7.0.tar.gz” saved [6340553/6340553]

 

Download the libpcap package

Go to http://www.tcpdump.org and download the latest package.

20150526 : libpcap-1.7.3.tar.gz

20150908 : libpcap-1.7.4.tar.gz

20160106 : libpcap-1.7.4.tar.gz

20160531 : libpcap-1.7.4.tar.gz


# wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz

--2014-12-11 16:45:01-- http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz

Resolving www.tcpdump.org... 192.139.46.66, 69.4.231.52, 132.213.238.6, ...

Connecting to www.tcpdump.org|192.139.46.66|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 651237 (636K) [application/x-gzip]

Saving to: “libpcap-1.6.2.tar.gz”

 

100%[=========================================>] 651,237 28.9K/s in 15s

 

2014-12-11 16:45:16 (43.6 KB/s) - “libpcap-1.6.2.tar.gz” saved [651237/651237]

 

Download the pcre package

Go to http://sourceforge.net/projects/pcre/files/pcre and download the latest package.

20150526 : pcre-8.37.tar.gz

20150908 : pcre-8.37.tar.gz

20160106 : pcre-8.37.tar.gz

20160531 : pcre-8.38.tar.gz


# wget http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz/download

--2014-12-11 16:48:25-- http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz/download

Resolving sourceforge.net... 216.34.181.60

Connecting to sourceforge.net|216.34.181.60|:80... connected.

HTTP request sent, awaiting response... 302 Found

Location: http://downloads.sourceforge.net/project/pcre/pcre/8.36/pcre-8.36.tar.gz?r=&ts=1418284108&use_mirror=jaist [following]

--2014-12-11 16:48:26-- http://downloads.sourceforge.net/project/pcre/pcre/8.36/pcre-8.36.tar.gz?r=&ts=1418284108&use_mirror=jaist

Resolving downloads.sourceforge.net... 216.34.181.59

Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.

HTTP request sent, awaiting response... 302 Found

Location: http://jaist.dl.sourceforge.net/project/pcre/pcre/8.36/pcre-8.36.tar.gz [following]

--2014-12-11 16:48:27-- http://jaist.dl.sourceforge.net/project/pcre/pcre/8.36/pcre-8.36.tar.gz

Resolving jaist.dl.sourceforge.net... 150.65.7.130, 2001:df0:2ed:feed::feed

Connecting to jaist.dl.sourceforge.net|150.65.7.130|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 2009464 (1.9M) [application/x-gzip]

Saving to: “pcre-8.36.tar.gz.1”

 

100%[=========================================>] 2,009,464 502K/s in 3.9s

 

2014-12-11 16:48:31 (502 KB/s) - “pcre-8.36.tar.gz.1” saved [2009464/2009464]

 

Download the libdnet package

Go to https://code.google.com/p/libdnet/ and download the latest package.

20150526 : libdnet-1.12.tgz

20150908 : libdnet-1.12.tgz

20160106 : libdnet-1.12.tar.gz

20160531 : libdnet-1.12.tar.gz


# cd /snort

# wget https://github.com/dugsong/libdnet/archive/libdnet-1.12.tar.gz -O libdnet-1.12.tar.gz

--2016-01-06 22:15:11-- https://github.com/dugsong/libdnet/archive/libdnet-1.12.tar.gz

Resolving github.com... 192.30.252.130

Connecting to github.com|192.30.252.130|:443... connected.

HTTP request sent, awaiting response... 302 Found

Location: https://codeload.github.com/dugsong/libdnet/tar.gz/libdnet-1.12 [following]

--2016-01-06 22:15:12-- https://codeload.github.com/dugsong/libdnet/tar.gz/libdnet-1.12

Resolving codeload.github.com... 192.30.252.147

Connecting to codeload.github.com|192.30.252.147|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 959945 (937K) [application/x-gzip]

Saving to: `libdnet-1.12'

 

100%[=================================================>] 959,945 295K/s in 3.2s

 

2016-01-06 22:15:16 (295 KB/s) - `libdnet-1.12' saved [959945/959945]

 

# ls

daq-2.0.6.tar.gz libpcap-1.7.4.tar.gz snort-2.9.8.0.tar.gz

libdnet-master.zip pcre-8.37.tar.gz

 

 

 

 

 

 

(3) Download the Snort rules (Download snort rules packages)

==================================================

oinkmaster-1.2.0.rpm              www.rpmfind.net / rpm.pbone.net

snortrules-snapshot-2956.tar.gz   www.snort.org

==================================================


Download the oinkmaster file (the lab uses the rpm file)

(if downloading the source code)

# wget http://sourceforge.net/projects/oinkmaster/files/oinkmaster/1.2/oinkmaster-1.2.tar.gz/download

or

(if downloading the rpm file)

# wget ftp://ftp.pbone.net/mirror/ftp.sourceforge.net/pub/sourceforge/s/sn/snortsas/oinkmaster-1.2-0.noarch.rpm


Download the snortrules file

(Note) You must first register a free account at www.snort.org.


20150526 : snortrules-snapshot-2973.tar.gz

20150908 : snortrules-snapshot-2975.tar.gz

20160106 : snortrules-snapshot-2980.tar.gz

20160531 : snortrules-snapshot-2982.tar.gz

 

# wget --no-check-certificate \

https://www.snort.org/downloads/registered/snortrules-snapshot-2970.tar.gz \

-O snortrules-snapshot-2970.tar.gz

 

# ls

daq-2.0.4.tar.gz oinkmaster-1.2.tar.gz snortrules-snapshot-2970.tar.gz

libdnet-1.12.tgz pcre-8.36.tar.gz

libpcap-1.6.2.tar.gz snort-2.9.7.0.tar.gz

-> (Note) Always check the snortrules-snapshot-*.tar.gz file with the file command.

If it reports something other than gzip-compressed data (HTML document text), download the file directly from the site

and copy it to the server.

(abnormal)

# file snortrules-snapshot-*.tar.gz

snortrules-snapshot-2975.tar.gz: HTML document text

(normal)

# file snortrules-snapshot-*.tar.gz

snortrules-snapshot-2980.tar.gz: gzip compressed data, from Unix, last modified:....
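The check above, automated as a shell helper (an added example, not part of the original post): it classifies a download by its gzip magic bytes plus gzip -t, and refuses to untar anything that is really an HTML sign-in page. The sample archives are constructed inline; classify_download and extract_rules are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded
# snortrules-snapshot-*.tar.gz before extracting it. When the snort.org sign-in
# is missing, wget stores the HTML page under the archive's name; untarring that
# silently installs nothing, so classify first and only then extract.

# classify_download FILE  -> prints: empty | gzip | corrupt-gzip | html | unknown
classify_download() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo empty
        return 0
    fi
    # A gzip stream always starts with the two bytes 1f 8b
    magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        # magic alone is not enough: a truncated download still starts with 1f 8b
        if gzip -t "$f" 2>/dev/null; then echo gzip; else echo corrupt-gzip; fi
    elif head -c 512 "$f" | grep -qiE '<!doctype html|<html'; then
        echo html            # what "file" reports as "HTML document text"
    else
        echo unknown
    fi
}

# extract_rules FILE DESTDIR -> the post's "tar xvzf ... -C /etc/snort", but only
# after the archive passed classify_download; otherwise DESTDIR is left untouched.
extract_rules() {
    f="$1"; dest="$2"
    kind=$(classify_download "$f")
    if [ "$kind" != gzip ]; then
        echo "refusing to extract $f: looks like '$kind', re-download it from www.snort.org" >&2
        return 1
    fi
    mkdir -p "$dest" && tar xzf "$f" -C "$dest"
}

# --- Constructed sample inputs (not real snort.org downloads) ---
WORKDIR=$(mktemp -d)
printf 'alert tcp any any -> $HOME_NET 80 (msg:"constructed test rule"; sid:1000001; rev:1;)\n' \
    > "$WORKDIR/local.rules"
tar czf "$WORKDIR/good-snapshot.tar.gz" -C "$WORKDIR" local.rules
printf '<!DOCTYPE html>\n<html><body>Sign in to download this file.</body></html>\n' \
    > "$WORKDIR/bad-snapshot.tar.gz"
: > "$WORKDIR/empty-snapshot.tar.gz"

for f in good bad empty; do
    printf '%s-snapshot.tar.gz: %s\n' "$f" "$(classify_download "$WORKDIR/$f-snapshot.tar.gz")"
done
```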

 

(4) Compiling the packages (How to compile the packages)

Package installation order

============== Example =============

oinkmaster-1.2.tar.gz

snortrules-snapshot-2970.tar.gz

libpcap-1.6.2.tar.gz

pcre-8.36.tar.gz

libdnet-1.12.tgz

daq-2.0.4.tar.gz

snort-2.9.7.0.tar.gz

===============================


 

How to compile a package

====================

# tar xvzf <PKG>

# cd <PKG>

# ./configure

# make

# make install

====================

[Note] configure / make / make install

Install the prerequisite packages

# yum -y install gcc flex bison zlib zlib-devel gcc-c++

Loaded plugins: fastestmirror, refresh-packagekit, security

Loading mirror speeds from cached hostfile

* base: ftp.kaist.ac.kr

* extras: ftp.kaist.ac.kr

* updates: ftp.kaist.ac.kr

base | 3.7 kB 00:00

extras | 3.4 kB 00:00

updates | 3.4 kB 00:00

Setting up Install Process

Package zlib-1.2.3-29.el6.x86_64 already installed and latest version

Resolving Dependencies

--> Running transaction check

---> Package bison.x86_64 0:2.4.1-5.el6 will be installed

---> Package flex.x86_64 0:2.5.35-9.el6 will be installed

---> Package gcc.x86_64 0:4.4.7-11.el6 will be installed

--> Processing Dependency: libgomp = 4.4.7-11.el6 for package: gcc-4.4.7-11.el6.x86_64

--> Processing Dependency: cpp = 4.4.7-11.el6 for package: gcc-4.4.7-11.el6.x86_64

--> Processing Dependency: libgcc >= 4.4.7-11.el6 for package: gcc-4.4.7-11.el6.x86_64

--> Processing Dependency: glibc-devel >= 2.2.90-12 for package: gcc-4.4.7-11.el6.x86_64

--> Processing Dependency: cloog-ppl >= 0.15 for package: gcc-4.4.7-11.el6.x86_64

---> Package zlib-devel.x86_64 0:1.2.3-29.el6 will be installed

--> Running transaction check

---> Package cloog-ppl.x86_64 0:0.15.7-1.2.el6 will be installed

--> Processing Dependency: libppl_c.so.2()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64

--> Processing Dependency: libppl.so.7()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64

---> Package cpp.x86_64 0:4.4.7-11.el6 will be installed

--> Processing Dependency: libmpfr.so.1()(64bit) for package: cpp-4.4.7-11.el6.x86_64

---> Package glibc-devel.x86_64 0:2.12-1.149.el6 will be installed

--> Processing Dependency: glibc-headers = 2.12-1.149.el6 for package: glibc-devel-2.12-1.149.el6.x86_64

--> Processing Dependency: glibc = 2.12-1.149.el6 for package: glibc-devel-2.12-1.149.el6.x86_64

--> Processing Dependency: glibc-headers for package: glibc-devel-2.12-1.149.el6.x86_64

---> Package libgcc.x86_64 0:4.4.7-3.el6 will be updated

---> Package libgcc.x86_64 0:4.4.7-11.el6 will be an update

---> Package libgomp.x86_64 0:4.4.7-3.el6 will be updated

---> Package libgomp.x86_64 0:4.4.7-11.el6 will be an update

--> Running transaction check

---> Package glibc.x86_64 0:2.12-1.107.el6 will be updated

--> Processing Dependency: glibc = 2.12-1.107.el6 for package: glibc-common-2.12-1.107.el6.x86_64

---> Package glibc.x86_64 0:2.12-1.149.el6 will be an update

---> Package glibc-headers.x86_64 0:2.12-1.149.el6 will be installed

--> Processing Dependency: kernel-headers >= 2.2.1 for package: glibc-headers-2.12-1.149.el6.x86_64

--> Processing Dependency: kernel-headers for package: glibc-headers-2.12-1.149.el6.x86_64

---> Package mpfr.x86_64 0:2.4.1-6.el6 will be installed

---> Package ppl.x86_64 0:0.10.2-11.el6 will be installed

--> Running transaction check

---> Package glibc-common.x86_64 0:2.12-1.107.el6 will be updated

---> Package glibc-common.x86_64 0:2.12-1.149.el6 will be an update

---> Package kernel-headers.x86_64 0:2.6.32-504.1.3.el6 will be installed

--> Finished Dependency Resolution

 

Dependencies Resolved

 

===================================================================================

Package Arch Version Repository Size

===================================================================================

Installing:

bison x86_64 2.4.1-5.el6 base 637 k

flex x86_64 2.5.35-9.el6 base 285 k

gcc x86_64 4.4.7-11.el6 base 10 M

zlib-devel x86_64 1.2.3-29.el6 base 44 k

Installing for dependencies:

cloog-ppl x86_64 0.15.7-1.2.el6 base 93 k

cpp x86_64 4.4.7-11.el6 base 3.7 M

glibc-devel x86_64 2.12-1.149.el6 base 983 k

glibc-headers x86_64 2.12-1.149.el6 base 611 k

kernel-headers x86_64 2.6.32-504.1.3.el6 updates 3.3 M

mpfr x86_64 2.4.1-6.el6 base 157 k

ppl x86_64 0.10.2-11.el6 base 1.3 M

Updating for dependencies:

glibc x86_64 2.12-1.149.el6 base 3.8 M

glibc-common x86_64 2.12-1.149.el6 base 14 M

libgcc x86_64 4.4.7-11.el6 base 102 k

libgomp x86_64 4.4.7-11.el6 base 133 k

 

Transaction Summary

===================================================================================

Install 11 Package(s)

Upgrade 4 Package(s)

 

Total download size: 39 M

Downloading Packages:

(1/15): bison-2.4.1-5.el6.x86_64.rpm | 637 kB 00:01

(2/15): cloog-ppl-0.15.7-1.2.el6.x86_64.rpm | 93 kB 00:00

(3/15): cpp-4.4.7-11.el6.x86_64.rpm | 3.7 MB 00:09

(4/15): flex-2.5.35-9.el6.x86_64.rpm | 285 kB 00:00

(5/15): gcc-4.4.7-11.el6.x86_64.rpm | 10 MB 00:10

(6/15): glibc-2.12-1.149.el6.x86_64.rpm | 3.8 MB 00:03

(7/15): glibc-common-2.12-1.149.el6.x86_64.rpm | 14 MB 00:09

(8/15): glibc-devel-2.12-1.149.el6.x86_64.rpm | 983 kB 00:00

(9/15): glibc-headers-2.12-1.149.el6.x86_64.rpm | 611 kB 00:00

(10/15): kernel-headers-2.6.32-504.1.3.el6.x86_64.rpm | 3.3 MB 00:03

(11/15): libgcc-4.4.7-11.el6.x86_64.rpm | 102 kB 00:00

(12/15): libgomp-4.4.7-11.el6.x86_64.rpm | 133 kB 00:00

(13/15): mpfr-2.4.1-6.el6.x86_64.rpm | 157 kB 00:00

(14/15): ppl-0.10.2-11.el6.x86_64.rpm | 1.3 MB 00:01

(15/15): zlib-devel-1.2.3-29.el6.x86_64.rpm | 44 kB 00:00

-----------------------------------------------------------------------------------

Total 962 kB/s | 39 MB 00:41

warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY

Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

Importing GPG key 0xC105B9DE:

Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>

Package: centos-release-6-4.el6.centos.10.x86_64 (@anaconda-CentOS-201303020151.x86_64/6.4)

From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

Running rpm_check_debug

Running Transaction Test

Transaction Test Succeeded

Running Transaction

Updating : libgcc-4.4.7-11.el6.x86_64 1/19

Updating : glibc-2.12-1.149.el6.x86_64 2/19

Updating : glibc-common-2.12-1.149.el6.x86_64 3/19

Updating : libgomp-4.4.7-11.el6.x86_64 4/19

Installing : mpfr-2.4.1-6.el6.x86_64 5/19

Installing : cpp-4.4.7-11.el6.x86_64 6/19

Installing : ppl-0.10.2-11.el6.x86_64 7/19

Installing : cloog-ppl-0.15.7-1.2.el6.x86_64 8/19

Installing : kernel-headers-2.6.32-504.1.3.el6.x86_64 9/19

Installing : glibc-headers-2.12-1.149.el6.x86_64 10/19

Installing : glibc-devel-2.12-1.149.el6.x86_64 11/19

Installing : gcc-4.4.7-11.el6.x86_64 12/19

Installing : bison-2.4.1-5.el6.x86_64 13/19

Installing : flex-2.5.35-9.el6.x86_64 14/19

Installing : zlib-devel-1.2.3-29.el6.x86_64 15/19

Cleanup : libgomp-4.4.7-3.el6.x86_64 16/19

Cleanup : glibc-2.12-1.107.el6.x86_64 17/19

Cleanup : glibc-common-2.12-1.107.el6.x86_64 18/19

Cleanup : libgcc-4.4.7-3.el6.x86_64 19/19

Verifying : glibc-common-2.12-1.149.el6.x86_64 1/19

Verifying : gcc-4.4.7-11.el6.x86_64 2/19

Verifying : glibc-2.12-1.149.el6.x86_64 3/19

Verifying : bison-2.4.1-5.el6.x86_64 4/19

Verifying : glibc-headers-2.12-1.149.el6.x86_64 5/19

Verifying : glibc-devel-2.12-1.149.el6.x86_64 6/19

Verifying : libgcc-4.4.7-11.el6.x86_64 7/19

Verifying : libgomp-4.4.7-11.el6.x86_64 8/19

Verifying : flex-2.5.35-9.el6.x86_64 9/19

Verifying : mpfr-2.4.1-6.el6.x86_64 10/19

Verifying : kernel-headers-2.6.32-504.1.3.el6.x86_64 11/19

Verifying : zlib-devel-1.2.3-29.el6.x86_64 12/19

Verifying : cpp-4.4.7-11.el6.x86_64 13/19

Verifying : ppl-0.10.2-11.el6.x86_64 14/19

Verifying : cloog-ppl-0.15.7-1.2.el6.x86_64 15/19

Verifying : glibc-2.12-1.107.el6.x86_64 16/19

Verifying : glibc-common-2.12-1.107.el6.x86_64 17/19

Verifying : libgomp-4.4.7-3.el6.x86_64 18/19

Verifying : libgcc-4.4.7-3.el6.x86_64 19/19

 

Installed:

bison.x86_64 0:2.4.1-5.el6 flex.x86_64 0:2.5.35-9.el6

gcc.x86_64 0:4.4.7-11.el6 zlib-devel.x86_64 0:1.2.3-29.el6

 

Dependency Installed:

cloog-ppl.x86_64 0:0.15.7-1.2.el6 cpp.x86_64 0:4.4.7-11.el6

glibc-devel.x86_64 0:2.12-1.149.el6 glibc-headers.x86_64 0:2.12-1.149.el6

kernel-headers.x86_64 0:2.6.32-504.1.3.el6 mpfr.x86_64 0:2.4.1-6.el6

ppl.x86_64 0:0.10.2-11.el6

 

Dependency Updated:

glibc.x86_64 0:2.12-1.149.el6 glibc-common.x86_64 0:2.12-1.149.el6

libgcc.x86_64 0:4.4.7-11.el6 libgomp.x86_64 0:4.4.7-11.el6

 

Complete!

 

 

 

(4-1) Install the oinkmaster package

# cd /snort

# tar xvzf oinkmaster-1.2.tar.gz

(4-2) Stage the snortrules archive (it is extracted into /etc/snort in section 2)

# mkdir snortrules

# mv snortrules-snapshot-2970.tar.gz snortrules

# ls snortrules

 

(4-3) Compile & install libpcap

# tar xvzf libpcap*.tar.gz

# cd libpcap-1.6.2

# ./configure

# make

# make install

[Note] # ./configure --help

[Note] # ./configure > /tmp/libpcap.config 2>&1   (keep the configure output for later review)

[Note] # ./configure && make && make install

[Note] # time ./configure

[Note] # ./configure ; echo $?   (exit code 0 means configure succeeded)

 

 

(4-4) Compile & install pcre

a.tar.gz : # tar xvzf a.tar.gz   (or: # gunzip a.tar.gz ; # tar xvf a.tar)

a.tar.bz2: # tar xvjf a.tar.bz2   (or: # bunzip2 a.tar.bz2 ; # tar xvf a.tar)

 

# cd /snort

# tar xvzf pcre-8.36.tar.gz

# cd pcre-8.36

# ./configure

# make

# make install

 

(4-5) Compile & install libdnet

# cd /snort

# tar xvzf libdnet-1.12.tar.gz

# cd libdnet-1.12

# ./configure

# make

# make install

 

(4-6) Compile & install daq

# cd /snort

# tar xvzf daq-2.0.4.tar.gz

# cd daq-2.0.4

# ./configure

# make

# make install

 

(4-7) Compile & install snort

# cd /snort

# tar xvzf snort-2.9.7.0.tar.gz

# cd snort-2.9.7.0

# ./configure   (Note: for snort 2.9.7.5 and later, use ./configure --enable-sourcefire)

# make

# make install
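Steps (4-3) to (4-7) as one shell function (an added example, not from the original post): each package is unpacked, configured, built and installed in the listed order, every step's output goes to its own log file, and the chain stops at the first failing step, which is the `./configure ; echo $?` check from the notes above applied automatically. build_pkg, build_chain and the fake packages at the bottom are this example's own; the fake packages only stand in for the real tarballs so the script can be run without them or without root.

```shell
#!/bin/sh
# Added example (not from the original post): run the post's configure/make/make install
# chain for each package in order, logging every step and stopping at the first failure.
# Assumes each tarball unpacks into a directory with the tarball's base name
# (libpcap-1.6.2.tar.gz -> libpcap-1.6.2), as the packages in the post do.

# build_pkg TARBALL SRCDIR LOGDIR [configure args...]
# Unpacks TARBALL under SRCDIR, then runs ./configure, make, make install, sending each
# step's output to LOGDIR/<pkg>.<step>.log. Returns that step's exit code on failure.
build_pkg() {
    tarball="$1"; srcdir="$2"; logdir="$3"; shift 3
    pkg=$(basename "$tarball")
    pkg=${pkg%.tar.gz}; pkg=${pkg%.tgz}; pkg=${pkg%.tar.bz2}
    mkdir -p "$srcdir" "$logdir"
    case "$tarball" in
        *.tar.bz2) tar xjf "$tarball" -C "$srcdir" || return 1 ;;   # e.g. pcre-8.36.tar.bz2
        *)         tar xzf "$tarball" -C "$srcdir" || return 1 ;;   # .tar.gz / .tgz
    esac
    for step in configure make install; do
        log="$logdir/$pkg.$step.log"
        case "$step" in
            configure) ( cd "$srcdir/$pkg" && ./configure "$@" ) > "$log" 2>&1 ;;
            make)      ( cd "$srcdir/$pkg" && make )              > "$log" 2>&1 ;;
            install)   ( cd "$srcdir/$pkg" && make install )      > "$log" 2>&1 ;;
        esac
        rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "$pkg: '$step' failed with exit code $rc (see $log)" >&2
            return "$rc"
        fi
    done
    echo "$pkg: configure/make/install ok"
}

# build_chain SRCDIR LOGDIR TARBALL...  builds the tarballs in the given order and
# stops at the first one that fails, so a later package (daq, snort) never builds
# against a dependency (libpcap, pcre, libdnet) that did not actually install.
build_chain() {
    srcdir="$1"; logdir="$2"; shift 2
    for tb in "$@"; do
        build_pkg "$tb" "$srcdir" "$logdir" || return 1
    done
}

# --- Constructed stand-ins for the real tarballs, so this runs without them ---
WORKDIR=$(mktemp -d)
PKGDIR="$WORKDIR/snort"; SRCDIR="$WORKDIR/src"; LOGDIR="$WORKDIR/log"
PREFIX="$WORKDIR/usr-local"            # plays the role of /usr/local
mkdir -p "$PKGDIR" "$PREFIX" "$WORKDIR/stage"

# make_fake_pkg NAME CONFIGURE_EXIT: builds NAME.tar.gz whose ./configure exits with CONFIGURE_EXIT
make_fake_pkg() {
    d="$WORKDIR/stage/$1"
    mkdir -p "$d"
    printf '#!/bin/sh\necho "checking for gcc... (fake)"\nexit %s\n' "$2" > "$d/configure"
    chmod +x "$d/configure"
    printf 'all:\n\t@echo building %s\ninstall:\n\ttouch %s/%s.installed\n' "$1" "$PREFIX" "$1" > "$d/Makefile"
    tar czf "$PKGDIR/$1.tar.gz" -C "$WORKDIR/stage" "$1"
}
make_fake_pkg libpcap-1.6.2 0
make_fake_pkg pcre-8.36 1      # simulates a configure failure, e.g. gcc not installed
make_fake_pkg daq-2.0.4 0

build_chain "$SRCDIR" "$LOGDIR" \
    "$PKGDIR/libpcap-1.6.2.tar.gz" "$PKGDIR/pcre-8.36.tar.gz" "$PKGDIR/daq-2.0.4.tar.gz" \
    || echo "chain stopped; fix the failing step, then re-run from that package" >&2
```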

 

 

 

 

(5) Test Snort

Change the interface mode and check the Snort version

(wireless)

- Managed mode ) # airmon-ng stop wlan0

- Monitor mode ) # airmon-ng start wlan0

(wired)

- Non-promiscuous mode ) # ifconfig eth0 -promisc

- Promiscuous mode ) # ifconfig eth0 promisc

 

# ifconfig eth0 promisc

# ifconfig eth0

eth0 Link encap:Ethernet HWaddr 00:0C:29:8D:B0:53

inet addr:192.168.10.203 Bcast:192.168.10.255 Mask:255.255.255.0

inet6 addr: fe80::20c:29ff:fe8d:b053/64 Scope:Link

UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

RX packets:433 errors:0 dropped:0 overruns:0 frame:0

TX packets:177 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:57168 (55.8 KiB) TX bytes:12204 (11.9 KiB)

 

# which snort

/usr/local/bin/snort

 

# snort -V

,,_ -*> Snort! <*-

o" )~ Version 2.9.7.5 GRE (Build 262)

'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team

Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.

Copyright (C) 1998-2013 Sourcefire, Inc., et al.

Using libpcap version 1.7.4

Using PCRE version: 8.37 2015-04-28

Using ZLIB version: 1.2.3

or

 

,,_ -*> Snort! <*-

o" )~ Version 2.9.8.2 GRE (Build 335)

'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team

Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.

Copyright (C) 1998-2013 Sourcefire, Inc., et al.

Using libpcap version 1.7.4

Using PCRE version: 8.38 2015-11-23

Using ZLIB version: 1.2.3

 

 

 

 

 

2. References

Reference video

http://www.youtube.com/watch?v=DYBfCyd6cC0

 

 

snort rules generate => tools

snort(IDS) + preventing => IPS

snort -> DB -> WEB => tools

 

 

 

 

2. Snort rules & configuration

Create directories and files

# mkdir -p /etc/snort/rules

# mkdir /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules

# useradd snort   /* the user may already exist: it was added when ids.example.com was installed */

# chown -R snort:snort /etc/snort /var/log/snort /var/log/barnyard2

 

 

Set up the Snort rules

# cd /snort/snortrules

# tar xvzf snortrules-snapshot-*.tar.gz -C /etc/snort   /* -C : change directory */

-> output omitted

 

# cp -r /etc/snort/etc/* /etc/snort

 

# touch /etc/snort/rules/white_list.rules

# touch /etc/snort/rules/black_list.rules

 

# chown -R snort:snort /etc/snort

#

 

Snort main file - snort.conf

# vi /etc/snort/snort.conf

[before]

45 ipvar HOME_NET any

104 var RULE_PATH ../rules

105 var SO_RULE_PATH ../so_rules

106 var PREPROC_RULE_PATH ../preproc_rules

109 var WHITE_LIST_PATH ../rules

110 var BLACK_LIST_PATH ../rules

519 # output alert_unified2: filename snort.alert, limit 128, nostamp

520 # output log_unified2: filename snort.log, limit 128, nostamp

[after]

45 ipvar HOME_NET 192.168.20.0/24

104 var RULE_PATH /etc/snort/rules

105 var SO_RULE_PATH /etc/snort/so_rules

106 var PREPROC_RULE_PATH /etc/snort/preproc_rules

109 var WHITE_LIST_PATH /etc/snort/rules

110 var BLACK_LIST_PATH /etc/snort/rules

519 output alert_unified2: filename snort.alert, limit 128, nostamp

520 output log_unified2: filename snort.log, limit 128, nostamp

-> Edit the lines shown above (the leading numbers are line numbers in snort.conf).
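The same snort.conf edits applied with sed and then verified, as an added example (not from the original post); harden_snort_conf and verify_snort_conf are this example's own names, and the snort.conf excerpt is constructed from just the lines the post changes.

```shell
#!/bin/sh
# Added example (not from the original post): apply the snort.conf edits listed
# above with sed instead of editing by hand in vi, then verify that each one landed.
# harden_snort_conf / verify_snort_conf are this example's own names; the excerpt
# at the bottom is a constructed stand-in for /etc/snort/snort.conf holding only
# the lines the post changes.

# harden_snort_conf CONF HOME_NET
# Keeps CONF.orig as a backup, then rewrites the [before] lines into the [after] ones:
# HOME_NET narrowed from "any" to the monitored subnet, the relative ../rules paths
# replaced by absolute /etc/snort paths, and the two unified2 output lines uncommented.
harden_snort_conf() {
    conf="$1"; home_net="$2"
    cp "$conf" "$conf.orig" || return 1
    sed \
        -e "s|^ipvar HOME_NET any\$|ipvar HOME_NET $home_net|" \
        -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH \.\./so_rules$|var SO_RULE_PATH /etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH \.\./preproc_rules$|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        -e 's|^var WHITE_LIST_PATH \.\./rules$|var WHITE_LIST_PATH /etc/snort/rules|' \
        -e 's|^var BLACK_LIST_PATH \.\./rules$|var BLACK_LIST_PATH /etc/snort/rules|' \
        -e 's|^# \(output alert_unified2: filename snort\.alert, limit 128, nostamp\)$|\1|' \
        -e 's|^# \(output log_unified2: filename snort\.log, limit 128, nostamp\)$|\1|' \
        "$conf.orig" > "$conf"
}

# verify_snort_conf CONF HOME_NET -> 0 when every expected line is present, 1 otherwise.
# Also fails if HOME_NET is still "any": then every host counts as "home", so rules
# written as $EXTERNAL_NET -> $HOME_NET lose their direction and alert on everything.
verify_snort_conf() {
    conf="$1"; home_net="$2"; rc=0
    for want in \
        "ipvar HOME_NET $home_net" \
        "var RULE_PATH /etc/snort/rules" \
        "var SO_RULE_PATH /etc/snort/so_rules" \
        "var PREPROC_RULE_PATH /etc/snort/preproc_rules" \
        "var WHITE_LIST_PATH /etc/snort/rules" \
        "var BLACK_LIST_PATH /etc/snort/rules" \
        "output alert_unified2: filename snort.alert, limit 128, nostamp" \
        "output log_unified2: filename snort.log, limit 128, nostamp"
    do
        grep -qxF "$want" "$conf" || { echo "missing: $want" >&2; rc=1; }
    done
    if grep -qxF 'ipvar HOME_NET any' "$conf"; then
        echo "HOME_NET is still 'any'" >&2; rc=1
    fi
    return "$rc"
}

# --- Constructed excerpt of a stock snort.conf (only the lines the post edits) ---
WORKDIR=$(mktemp -d)
CONF="$WORKDIR/snort.conf"
cat > "$CONF" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp
EOF

harden_snort_conf "$CONF" 192.168.20.0/24
verify_snort_conf "$CONF" 192.168.20.0/24 && echo "snort.conf edits verified; backup kept in $CONF.orig"
```

On a real install, run snort -T -c /etc/snort/snort.conf afterwards so Snort itself parses the edited file before the service is started.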

 

Snort init script (startup script)

# cp /snort/snort-*/rpm/snortd /etc/init.d/snortd

# chmod 755 /etc/init.d/snortd

# cat /etc/init.d/snortd | more

.....

# Source the local configuration file

. /etc/sysconfig/snort

.....

if [ "$CONF"X = "X" ]; then

CONF="-c /etc/snort/snort.conf"

else

CONF="-c $CONF"

fi

.....

if [ "$LOGDIR"X = "X" ]; then

LOGDIR=/var/log/snort

fi

.....

daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF

done

.....

 

# cp /snort/snort-*/rpm/snort.sysconfig /etc/sysconfig/snort

# cat /etc/sysconfig/snort

-> Just check the contents.

# ln -s /usr/local/bin/snort /usr/sbin/snort

#

 

# chown -R snort:snort /var/log/snort

# chown snort:snort /usr/local/bin/snort

 

[Note] Procedure for registering a new service

# vi /etc/init.d/snortd

# chmod 700 /etc/init.d/snortd

# chown snort:snort /etc/init.d/snortd

# chkconfig --add snortd

 

# chkconfig --add snortd

# chkconfig --list snortd

snortd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

 

# service snortd start

Starting snort: Spawning daemon child...

My daemon child 25853 lives...

Daemon parent exiting (0)

[ OK ]

 

# pgrep -lf snort

25853 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

 

-A alert-mode

Alert using the specified alert-mode. Valid alert modes include

fast, full, none, and unsock. Fast writes alerts to the default

"alert" file in a single-line, syslog style alert message. Full

writes the alert to the "alert" file with the full decoded

header as well as the alert message. None turns off alerting.

Unsock is an experimental mode that sends the alert information

out over a UNIX socket to another process that attaches to that

socket.

 

-b Log packets in a tcpdump(1) formatted file. All packets are

logged in their native binary state to a tcpdump formatted log

file named with the snort start timestamp and "snort.log". This

option results in much faster operation of the program

since it doesn’t have to spend time in the packet binary->text

converters. Snort can keep up pretty well with 100Mbps networks

in ’-b’ mode. To choose an alternate name for the binary log

file, use the ’-L’ switch.

 

-d Dump the application layer data when displaying packets in verbose or packet logging mode.

 

-D Run Snort in daemon mode. Alerts are sent to

/var/log/snort/alert unless otherwise specified.

 

-i interface

Sniff packets on interface.

 

-u user

Change the user/UID Snort runs under to user after initialization.

 

-g group

Change the group/GID Snort runs under to group after initialization. This switch allows Snort to drop root privileges after its initialization phase has completed as a security measure.

 

-c config-file

Use the rules located in file config-file.

 

-l log-dir

Set the output logging directory to log-dir. All plain text

alerts and packet logs go into this directory. If this option

is not specified, the default logging directory is set to

/var/log/snort.

# service snortd stop

Stopping snort: [ OK ]

 

# service snortd status

snort가 정지되었습니다

 

# cd /var/log/snort

# ls -l

-rw-r--r--. 1 root root 0 2016-06-03 12:52 alert

-rw-------. 1 snort snort 0 2016-06-03 12:54 snort_eth0.pid.lck

 

# chown -R snort:snort /var/log/snort

#

sniffer mode - used to analyze network traffic in real time

run-time options:

-v verbose

-d dump packet payloads

-x dump entire packet in hex

-a display arp packets

-e display link layer data

 

 

Print TCP/IP packet headers

[TERM2] # ping 168.126.63.1

# snort -v (# snort -v -c /etc/snort/snort.conf -l /var/log/snort)

Print packet headers and data (payload)

# snort -dv (# snort -dv -c /etc/snort/snort.conf -l /var/log/snort)

Also print data link layer headers

# snort -dev (# snort -dev -c /etc/snort/snort.conf -l /var/log/snort)

 

 

log mode - save the output to log files

 

command line options

-l dump packets into log directory

-b log packets in binary (tcpdump) format

 

Example

# snort -dev -b -l /var/log/snort -c /etc/snort/snort.conf

# snort -dev -b -l /var/log/snort -h 192.168.20.0/24 -c /etc/snort/snort.conf

 

 

NIDS mode

 

# snort -d -h 192.168.20.0/24 -l /var/log/snort -c /etc/snort/snort.conf -A fast

-A fast : Fast alert mode

-A full

-A unsock

-A none

-A console(screen)

-A cmg(custom mode)

 

[Example]

fast mode

# snort -c /etc/snort/snort.conf -l /var/log/snort -A fast

 

full mode

# snort -c /etc/snort/snort.conf -l /var/log/snort -A full -D

 

checking log files

# ls -l /var/log/snort

# cat alert

# cat snort.log.1389675205

# tcpdump -nr /var/log/snort/snort.log.13897656
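The `-A fast` mode described above writes one syslog-style line per alert; the `alert` file listed under "checking log files" is what an analyst reads first. As an added example that is not part of the original post, the following Python parses that single-line format into structured records and produces the first counters an analyst wants (hits per rule, per priority, per source host). The sample alert lines and the `LOCAL` rule names are constructed for the example, not taken from the sensor on the page.

```python
import re
from collections import Counter

# Constructed sample of a Snort "-A fast" alert file (not captured from the
# page's sensor). One record per line: timestamp, [**] gid:sid:rev msg [**],
# optional [Classification: ...], [Priority: n], {proto} src[:port] -> dst[:port].
SAMPLE_ALERT_FILE = """\
06/03-12:52:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.20.10:51234
06/03-12:52:03.000100  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.20.1 -> 192.168.20.203
06/03-12:52:03.000200  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.20.1 -> 192.168.20.203
06/03-12:52:09.555000  [**] [1:1000002:1] LOCAL policy test [**] [Priority: 0] {UDP} 192.168.20.10:5353 -> 224.0.0.251:5353
this line is not a fast alert and is skipped
"""

FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"   # absent for rules without classtype
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"        # ICMP lines carry no ports
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Parse one fast-format line into a dict, or return None if it does not match."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["cls"],          # None when the rule has no classtype
        "priority": int(d["prio"]),          # 1 = highest; 0 = rule set no priority
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_fast_alerts(text):
    """Parse every line of an alert file, skipping lines that are not alerts."""
    alerts = []
    for line in text.splitlines():
        rec = parse_fast_alert(line)
        if rec is not None:
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """Hits per rule (gid, sid, rev), per priority and per source host."""
    return {
        "by_signature": Counter((a["gid"], a["sid"], a["rev"]) for a in alerts),
        "by_priority": Counter(a["priority"] for a in alerts),
        "by_src": Counter(a["src"] for a in alerts),
    }


def high_priority(alerts, max_priority=2):
    """Alerts at priority 1..max_priority; priority 0 means 'unset', not 'critical'."""
    return [a for a in alerts if 0 < a["priority"] <= max_priority]


if __name__ == "__main__":
    alerts = parse_fast_alerts(SAMPLE_ALERT_FILE)
    for (gid, sid, rev), n in summarize(alerts)["by_signature"].most_common():
        print(f"[{gid}:{sid}:{rev}] x{n}")
    for a in high_priority(alerts):
        print(f"prio {a['priority']}: {a['msg']} {a['src']} -> {a['dst']}")
```

To use it on a real sensor, read `/var/log/snort/alert` into `parse_fast_alerts`; the `full` mode file is not single-line and would need a different parser.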

 

 

 

barnyard configuration

MySQL configuration

barnyard & snort startup

BASE installation

BASE configuration

 

 

[ snort ---> barnyard2 ---> BASE ---> MySQL ]

 

 

barnyard2 - github.com/firnsy/barnyard2

a dedicated spooler for Snort's unified2 binary output format

an output system for snort, it reads the binary logs from snort using the unified2 format.

It forwards the information from these logs to a database backend.

 

 

BASE: Basic Analysis and Security Engine

provides a web front-end to query and analyze the alerts coming from Snort.

The alerts are sent to the MySQL database; that step is performed by barnyard2.

http://base.professionallyevil.com/

 

 

 

 

 

Barnyard installation

 

# vi /etc/hosts

..... (omitted) .....

192.168.20.203 ids.example.com ids

192.168.10.203 nic2

 

# mkdir -p /snort

# cd /snort

# wget --no-check-certificate \

https://github.com/firnsy/barnyard2/archive/master.zip \

-O master.zip

-> output omitted

 

# unzip master.zip

-> output omitted

 

# cd barnyard2-master

# ls

autogen.sh COPYING etc m4 README rpm src

configure.ac doc LICENSE Makefile.am RELEASE.NOTES schemas tools

 

(automatic) # ./autogen.sh /* update configuration files */

(manual) # autoconf -f -v -i -I ./m4

 

(Note) Prerequisite packages - if the packages below are not installed, they must be installed first.

Check this before running the autogen.sh script.

(RedHat family) # yum -y install autoconf libtool automake

(Debian family) # apt-get install autoconf libtool automake

 

# yum -y install autoconf libtool automake

# ./autogen.sh

Found libtoolize

libtoolize: putting auxiliary files in `.'.

libtoolize: copying file `./ltmain.sh'

libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.

libtoolize: copying file `m4/libtool.m4'

libtoolize: copying file `m4/ltoptions.m4'

libtoolize: copying file `m4/ltsugar.m4'

libtoolize: copying file `m4/ltversion.m4'

libtoolize: copying file `m4/lt~obsolete.m4'

autoreconf: Entering directory `.'

autoreconf: configure.ac: not using Gettext

autoreconf: running: aclocal --force -I m4

autoreconf: configure.ac: tracing

autoreconf: running: libtoolize --copy --force

libtoolize: putting auxiliary files in `.'.

libtoolize: copying file `./ltmain.sh'

libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.

libtoolize: copying file `m4/libtool.m4'

libtoolize: copying file `m4/ltoptions.m4'

libtoolize: copying file `m4/ltsugar.m4'

libtoolize: copying file `m4/ltversion.m4'

libtoolize: copying file `m4/lt~obsolete.m4'

autoreconf: running: /usr/bin/autoconf --force

autoreconf: running: /usr/bin/autoheader --force

autoreconf: running: automake --add-missing --copy --force-missing

configure.ac:11: installing `./config.guess'

configure.ac:11: installing `./config.sub'

configure.ac:8: installing `./install-sh'

configure.ac:8: installing `./missing'

autoreconf: Leaving directory `.'

You can now run "./configure" and then "make".

 

# ./configure --help | egrep '(mysql|lib)'

--with-mysql=DIR Support for MySQL

--with-mysql-libraries=DIR MySQL library directory

 

# yum -y install mysql mysql-devel

# ln -s /usr/lib64/mysql/libmysqlclient.so.16.0.0 /usr/lib/libmysqlclient.so.16.0.0

# ln -s /usr/lib64/mysql/libmysqlclient_r.so.16.0.0 /usr/lib/libmysqlclient_r.so.16.0.0

 

# cd /snort/barnyard2-master

# ./configure --with-mysql --with-mysql-libraries=/usr/lib64

 

# make

# make install

 

# cp /snort/barnyard2-master/etc/barnyard2.conf /etc/snort

# cp /snort/barnyard2-master/schemas/create_mysql /usr/local/src

 

# mkdir -p /var/log/barnyard2 /* this directory was already created earlier */

# chown -R snort:snort /var/log/barnyard2

 

# cp /snort/snort-*/etc/gen-msg.map /etc/snort

 

barnyard configuration

# vi /etc/snort/barnyard2.conf

[Before]

227: output alert_fast: stdout

351: #output database: log, mysql, user=root password=test dbname=db host=localhost

[After]

227: output alert_fast

351: output database: log, mysql, user=snort password=snort dbname=snort host=localhost

-> uncomment and edit the line
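The two edits above decide whether barnyard2 writes anywhere useful: a `#` in front of `output database:` means nothing reaches MySQL, and `alert_fast: stdout` sends alerts to the terminal instead of the log directory. As an added example that is not part of the original post or of the barnyard2 project, the following Python parses the active `output` directives of a barnyard2.conf, splits the `database` arguments into their parts, and reports the mistakes that leave the snort -> barnyard2 -> MySQL chain broken. The two conf fragments are constructed from the page's before/after lines; the function names are the example's own.

```python
import re

# Constructed barnyard2.conf fragments (not the project's template): the
# output lines the page edits, before and after the edit.
CONF_BEFORE = """\
config hostname: ids.example.com
config interface: eth0
output alert_fast: stdout
#output database: log, mysql, user=root password=test dbname=db host=localhost
"""

CONF_AFTER = """\
config hostname: ids.example.com
config interface: eth0
output alert_fast
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
"""

# "output <plugin>" with an optional ": <args>" tail
OUTPUT_RE = re.compile(r"^output\s+(?P<plugin>\w+)\s*(?::\s*(?P<args>.*))?$")

REQUIRED_DB_KEYS = ("user", "password", "dbname", "host")


def parse_outputs(text):
    """Active (uncommented) output directives as (plugin, args) in file order."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # a commented line is not configuration
        m = OUTPUT_RE.match(line)
        if m:
            found.append((m.group("plugin"), (m.group("args") or "").strip()))
    return found


def parse_database_args(args):
    """'log, mysql, user=x password=y dbname=z host=h' -> dict of its parts."""
    parts = [p.strip() for p in args.split(",", 2)]
    if len(parts) != 3:
        raise ValueError(f"expected 'facility, backend, key=value ...': {args!r}")
    facility, backend, params = parts
    out = {"facility": facility, "backend": backend}
    for tok in params.split():
        key, sep, value = tok.partition("=")
        if sep:                           # ignore stray tokens without '='
            out[key] = value
    return out


def audit_barnyard2_conf(text):
    """Return a list of findings; an empty list means the chain can deliver alerts."""
    findings = []
    outputs = parse_outputs(text)
    if not any(plugin == "database" for plugin, _ in outputs):
        findings.append("no active 'output database' directive; nothing is written to MySQL")
    for plugin, args in outputs:
        if plugin == "database":
            db = parse_database_args(args)
            missing = [k for k in REQUIRED_DB_KEYS if k not in db]
            if missing:
                findings.append("output database is missing " + ", ".join(missing))
            if db.get("user") == "root" and db.get("password") == "test":
                findings.append("output database still carries the template's root/test credentials")
            if db.get("facility") not in ("log", "alert"):
                findings.append(f"unknown database facility {db.get('facility')!r}")
        elif plugin == "alert_fast" and args == "stdout":
            findings.append("alert_fast writes to stdout, so alerts are not kept under the log directory")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, audit_barnyard2_conf(conf) or ["ok"])
```

Run it against `/etc/snort/barnyard2.conf` by reading the file into `audit_barnyard2_conf`; an empty result is the state the "[After]" edit is meant to produce.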

 

Setup the MySQL Server

(Note) Be sure to do this work locally on the sensor host.

# yum -y install mysql-server

-> output omitted

 

# chkconfig mysqld on

# service mysqld start

MySQL 데이타베이스 초기화 중: Installing MySQL system tables...

OK

Filling help tables...

OK

 

To start mysqld at boot time you have to copy

support-files/mysql.server to the right place for your system

 

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !

To do so, start the server, then issue the following commands:

 

/usr/bin/mysqladmin -u root password 'new-password'

/usr/bin/mysqladmin -u root -h ids.example.com password 'new-password'

 

Alternatively you can run:

/usr/bin/mysql_secure_installation

 

which will also give you the option of removing the test

databases and anonymous user created by default. This is

strongly recommended for production servers.

 

See the manual for more instructions.

 

You can start the MySQL daemon with:

cd /usr ; /usr/bin/mysqld_safe &

 

You can test the MySQL daemon with mysql-test-run.pl

cd /usr/mysql-test ; perl mysql-test-run.pl

 

Please report any problems with the /usr/bin/mysqlbug script!

 

[ OK ]

mysqld ()를 시작 중: [ OK ]

 

# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL

SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

 

 

In order to log into MySQL to secure it, we'll need the current

password for the root user. If you've just installed MySQL, and

you haven't set the root password yet, the password will be blank,

so you should just press enter here.

 

Enter current password for root (enter for none): <ENTER>

OK, successfully used password, moving on...

 

Setting the root password ensures that nobody can log into the MySQL

root user without the proper authorisation.

 

Set root password? [Y/n] Y

New password: (soldesk1.)

Re-enter new password: (soldesk1.)

Password updated successfully!

Reloading privilege tables..

... Success!

 

 

By default, a MySQL installation has an anonymous user, allowing anyone

to log into MySQL without having to have a user account created for

them. This is intended only for testing, and to make the installation

go a bit smoother. You should remove them before moving into a

production environment.

 

Remove anonymous users? [Y/n] Y

... Success!

 

Normally, root should only be allowed to connect from 'localhost'. This

ensures that someone cannot guess at the root password from the network.

 

Disallow root login remotely? [Y/n] Y

... Success!

 

By default, MySQL comes with a database named 'test' that anyone can

access. This is also intended only for testing, and should be removed

before moving into a production environment.

 

Remove test database and access to it? [Y/n] Y

- Dropping test database...

... Success!

- Removing privileges on test database...

... Success!

 

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

 

Reload privilege tables now? [Y/n] Y

... Success!

 

Cleaning up...

 

 

 

All done! If you've completed all of the above steps, your MySQL

installation should now be secure.

 

Thanks for using MySQL!

 

# mysql -u root -p

Enter password: (soldesk1.)

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 21

Server version: 5.1.73 Source distribution

 

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

 

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database snort;

Query OK, 1 row affected (0.00 sec)

 

mysql> grant all on snort.* to snort@localhost;

Query OK, 0 rows affected (0.00 sec)

/* mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost; */

mysql> set password for snort@localhost=password('snort');

Query OK, 0 rows affected (0.00 sec)

 

mysql> show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| mysql |

| snort |

+--------------------+

3 rows in set (0.00 sec)

 

mysql> use snort;

Database changed

mysql> source /usr/local/src/create_mysql <- from barnyard2

..... (omitted) .....

Query OK, 1 row affected (0.00 sec)

 

Query OK, 1 row affected (0.00 sec)

 

Query OK, 1 row affected (0.00 sec)

 

Query OK, 0 rows affected (0.01 sec)

 

Query OK, 1 row affected (0.00 sec)

 

Query OK, 1 row affected (0.00 sec)

mysql> show tables;

+------------------+

| Tables_in_snort |

+------------------+

| data |

| detail |

| encoding |

| event |

| icmphdr |

| iphdr |

| opt |

| reference |

| reference_system |

| schema |

| sensor |

| sig_class |

| sig_reference |

| signature |

| tcphdr |

| udphdr |

+------------------+

16 rows in set (0.00 sec)

 

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

 

mysql> exit

 

Start snort using the command

 

(automatic) # service snortd restart

(manual) # snort -d -A full -u snort -g snort -c /etc/snort/snort.conf -i eth0 &

 

# service snortd restart

Stopping snort: [실패]

Starting snort: Spawning daemon child...

My daemon child 22470 lives...

Daemon parent exiting (0)

[ OK ]

 

# ls -l /var/log/snort

-> (Note) If any file is not owned by snort:snort, change it with the chown command.

# chown -R snort:snort /var/log/snort
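Because snortd drops to `snort:snort` after initialization (`-u`/`-g`), any file under the log directory that root created while the daemon was started by hand stops the dropped-privilege process from writing, which is why the page keeps repeating `chown -R snort:snort /var/log/snort`. As an added example that is not part of the original post, the following Python reproduces that check: it walks a directory with `lstat` (what `ls -l` shows), reports every entry whose owner differs from the expected user:group, and can apply the equivalent of `chown -R` when run as root. The `self_check` helper builds a throwaway directory with the two file names from the page's listing; all function names are the example's own.

```python
import os
import pwd
import grp
import tempfile
from pathlib import Path


def _user_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)            # uid with no passwd entry (e.g. deleted user)


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def resolve_owner(user, group):
    """Accept names ('snort') or numeric ids and return (uid, gid)."""
    uid = user if isinstance(user, int) else pwd.getpwnam(user).pw_uid
    gid = group if isinstance(group, int) else grp.getgrnam(group).gr_gid
    return uid, gid


def find_wrong_owner(root, user, group):
    """[(path, 'owner:group'), ...] for every entry under root (root itself
    included) whose ownership is not user:group. Symlinks are not followed."""
    want_uid, want_gid = resolve_owner(user, group)
    paths = [Path(root)]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(Path(dirpath) / n for n in dirnames + filenames)
    wrong = []
    for p in paths:
        st = p.lstat()
        if st.st_uid != want_uid or st.st_gid != want_gid:
            wrong.append((str(p), f"{_user_name(st.st_uid)}:{_group_name(st.st_gid)}"))
    return wrong


def fix_owner(wrong, user, group):
    """Same effect as `chown -R user:group` on the reported paths; needs root."""
    uid, gid = resolve_owner(user, group)
    for path, _ in wrong:
        os.lchown(path, uid, gid)


def self_check():
    """Constructed log directory with the two file names from the page's
    `ls -l`. Checked against its real owner (expect 0 findings) and against a
    uid that cannot own it (expect dir + 2 files = 3). Returns both counts."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("alert", "snort_eth0.pid.lck"):
            (Path(tmp) / name).write_text("")
        st = os.lstat(tmp)
        ok = find_wrong_owner(tmp, st.st_uid, st.st_gid)
        bad = find_wrong_owner(tmp, st.st_uid + 1, st.st_gid)
        return len(ok), len(bad)


if __name__ == "__main__":
    # Real run on the sensor: requires the snort user/group and the directory
    # from the page to exist on this host.
    for path, owner in find_wrong_owner("/var/log/snort", "snort", "snort"):
        print(f"{path}: owned by {owner}, expected snort:snort")
```

The report-only default is deliberate: on a sensor you want to see which files root left behind (typically `alert` after a manual `snort -A fast` run) before handing them to the unprivileged daemon user.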

 

[TERM2] Run in a separate terminal

# barnyard2 -c /etc/snort/barnyard2.conf \

-d /var/log/snort -f snort.log \

-w /etc/snort/bylog.waldo \

-C /etc/snort/classification.config

Running in Continuous mode

 

--== Initializing Barnyard2 ==--

Initializing Input Plugins!

Initializing Output Plugins!

Parsing config file "/etc/snort/barnyard2.conf"

 

 

+[ Signature Suppress list ]+

----------------------------

+[No entry in Signature Suppress List]+

----------------------------

+[ Signature Suppress list ]+

 

Barnyard2 spooler: Event cache size set to [2048]

Log directory = /var/log/barnyard2

INFO database: Defaulting Reconnect/Transaction Error limit to 10

INFO database: Defaulting Reconnect sleep time to 5 second

[ClassificationPullDataStore()]: No Classification found in database ...

[SignaturePullDataStore()]: No signature found in database ...

[SystemPullDataStore()]: No System found in database ...

[ReferencePullDataStore()]: No Reference found in database ...

[SignatureReferencePullDataStore()]: No Reference found in database ...

database: compiled support for (mysql)

database: configured to use mysql

database: schema version = 107

database: host = localhost

database: user = snort

database: database name = snort

database: sensor name = ids.example.com:NULL

database: sensor id = 1

database: sensor cid = 1

database: data encoding = hex

database: detail level = full

database: ignore_bpf = no

database: using the "log" facility

 

--== Initialization Complete ==--

 

______ -*> Barnyard2 <*-

/ ,,_ \ Version 2.1.14 (Build 337)

|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

 

WARNING: Unable to open waldo file '/etc/snort/bylog.waldo' (No such file or directory)

Opened spool file '/var/log/snort/snort.log.1464866678'

Closing spool file '/var/log/snort/snort.log.1464866678'. Read 0 records

Opened spool file '/var/log/snort/snort.log.1464866810'

Closing spool file '/var/log/snort/snort.log.1464866810'. Read 0 records

Opened spool file '/var/log/snort/snort.log.1464870215'

Waiting for new data

 

-> It takes a little while to run, so wait.

-> About 5 to 10 minutes.

 

check mysql

# mysql -u root -p

Enter password: (soldesk1.)

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 12

Server version: 5.1.73 Source distribution

 

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

 

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

 

mysql> use snort;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

 

Database changed

mysql> select count(*) from event;

+----------+

| count(*) |

+----------+

| 0 | <---- the event count grows as barnyard2 reads the /var/log/snort/<snort log> files.

+----------+

1 row in set (0.00 sec)

 

mysql> exit

 

 

[Reference]

https://www.youtube.com/watch?v=II80tzwEuFk

 

 

 

 

 

BASE Installation

Prerequisite program installation

# yum install libxml2 \

php \

php-gd \

php-cli \

php-mysql \

php-pear \

php-pear-Log \

php-dba \

php-dbase \

php-odbc \

php-pear-Image-Graph

 

php editing - BASE Log level

# vi /etc/php.ini

[Before]

513: error_reporting = E_ALL & ~E_DEPRECATED

[After]

513: error_reporting = E_ALL & ~E_NOTICE

-> edit the value

 

# service httpd restart

httpd 를 정지 중: [실패]

httpd ()를 시작 중: [ OK ]

 

# tail -f /var/log/httpd/error_log

-> Check the error messages and adjust the relevant settings.

-> Press <CTRL + C> to stop.

 

BASE and Adodb download

# cd /snort

# wget --no-check-certificate \

http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

-> output omitted

 

# tar xvzf base-1.4.5.tar.gz

-> output omitted

 

# cp -r base-1.4.5 /var/www/html/base

# chown -R apache:apache /var/www/html/base

# chmod 777 /var/www/html/base

 

Adodb(a database abstraction library for PHP)

download http://sourceforge.net/projects/adodb/

# cd /snort

# wget --no-check-certificate http://sourceforge.net/projects/adodb/files/latest/download

-> output omitted

 

# tar xvzf adodb-*.tar.gz

-> output omitted

 

# mkdir /var/www/lib

# cp -r adodb5 /var/www/lib

 

