
Reference page:
Suricata + Barnyard + BASE Installation – Neverland

The following is adapted from: "Getting Snort Running", Information Security (資安人科技網)

Barnyard is a purpose-built tool that reads Snort's unified output and stores it in a database; it also monitors the database connection directly to prevent data loss. Unified output is one of Snort's three output options, and it speeds up processing by relieving the Snort engine of payload translation.

1. Install the required packages
# yum install git libtool libnet libnet-devel mariadb-devel daq-devel libyaml-devel file-devel libcap-ng-devel libpcap-devel libdnet-devel

2. Change directory
# cd /usr/local/src

3. Download barnyard2 with git
# git clone https://github.com/firnsy/barnyard2.git barnyard2
Cloning into 'barnyard2'...
remote: Counting objects: 1292, done.
remote: Total 1292 (delta 0), reused 0 (delta 0), pack-reused 1292
Receiving objects: 100% (1292/1292), 1.04 MiB | 601.00 KiB/s, done.
Resolving deltas: 100% (896/896), done.


4. Change directory
# cd barnyard2

5. Generate the build configuration
# ./autogen.sh
Found libtoolize
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:11: installing './config.guess'
configure.ac:11: installing './config.sub'
configure.ac:8: installing './install-sh'
configure.ac:8: installing './missing'
autoreconf: Leaving directory `.'
You can now run "./configure" and then "make".

6. Compile and install
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
# make && make install

7. Copy the files to their corresponding directories
# cp /usr/local/src/barnyard2/rpm/barnyard2.config /etc/sysconfig/barnyard2
# cp /usr/local/src/barnyard2/rpm/barnyard2 /etc/init.d/

8. Make the init script executable
# chmod +x /etc/init.d/barnyard2

9. Register barnyard2 to start at boot
# chkconfig --add barnyard2

10. Create symbolic links
# ln -s /usr/local/etc/barnyard2.conf /etc/suricata/barnyard2.conf
# ln -s /usr/local/bin/barnyard2 /usr/bin/

11. Create the directory
# mkdir -p /var/log/snort/eth0/archive/

12. Edit /etc/init.d/barnyard2
# sed -i -e "s@Snort Output Processor@Suricata Output Processor@"   /etc/init.d/barnyard2
# sed -i -e "s@BARNYARD_OPTS=@#BARNYARD_OPTS=@"   /etc/init.d/barnyard2
# sed -i -e "/daemon/iBARNYARD_OPTS=\"-D -c \/etc\/suricata\/barnyard2.conf -d \/var\/log\/suricata -w \/var\/log\/suricata\/barnyard2.waldo -l \/var\/log\/suricata -a \/var\/log\/suricata -f unified2.alert -X \/var\/lock\/subsys\/barnyard2.pid\"" /etc/init.d/barnyard2

13. Edit /etc/sysconfig/barnyard2
# sed -i -e "s@LOG_FILE=@#LOG_FILE=@"   /etc/sysconfig/barnyard2
# sed -i -e "/LOG_FILE=\"snort_unified.log\"/aLOG_FILE=\"unified2.log\""   /etc/sysconfig/barnyard2
# sed -i -e "s@CONF@#CONF@" /etc/sysconfig/barnyard2
# sed -i -e "s@SNORTDIR@#SNORTDIR@" /etc/sysconfig/barnyard2
# sed -i -e "/Probably not this either/aCONF=\/etc\/suricata\/barnyard2.conf" /etc/sysconfig/barnyard2
# sed -i -e "/#SNORTDIR/aSNORTDIR=\"/var\/log\/suricata\"" /etc/sysconfig/barnyard2

14. Edit /etc/suricata/barnyard2.conf
# cp /etc/suricata/barnyard2.conf /etc/suricata/barnyard2.conf.$(date +%F)
# sed -i 's@/etc/snort/reference.config@/etc/suricata/rules/reference.config@' /etc/suricata/barnyard2.conf
# sed -i 's@/etc/snort/classification.config@/etc/suricata/rules/classification.config@' /etc/suricata/barnyard2.conf
# sed -i 's@/etc/snort/gen-msg.map@/etc/suricata/rules/gen-msg.map@' /etc/suricata/barnyard2.conf
# sed -i 's@/etc/snort/sid-msg.map@/etc/suricata/rules/sid-msg.map@' /etc/suricata/barnyard2.conf
# sed -i -e "/database: log to a variety of databases/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=suricatadb host=localhost" /etc/suricata/barnyard2.conf

15. Edit /etc/suricata/suricata.yaml
# vim /etc/suricata/suricata.yaml
  - unified2-alert:
      enabled: yes
      filename: unified2.alert

16. Create the database and set up the user account and password (the database name must match the dbname in barnyard2.conf and the import in the next step)
# /usr/bin/mysql -u root -p
MariaDB [(none)]> create database suricatadb;
MariaDB [(none)]> grant all privileges on suricatadb.* to barnyard2@localhost identified by '123456';
MariaDB [(none)]> flush privileges;

17. Import the schema
# /usr/bin/mysql suricatadb -ubarnyard2 -p123456 < /usr/local/src/barnyard2/schemas/create_mysql

18. Test the configuration
# /usr/local/bin/barnyard2 -T -c /etc/suricata/barnyard2.conf -d /var/log/suricata -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid

19. If barnyard2 cannot be started, create a systemd unit
# vim /etc/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Dedicated Unified2 Spooler
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid

[Install]
WantedBy=multi-user.target

20. Create the log directory and change its owner and group
# mkdir /var/log/barnyard2
# chown -R suricata:suricata /var/log/barnyard2

21. Enable start at boot
# systemctl enable barnyard2.service
Created symlink from /etc/systemd/system/multi-user.target.wants/barnyard2.service to /etc/systemd/system/barnyard2.service.

22. Start and check
# systemctl start barnyard2
# systemctl status barnyard2.service
● barnyard2.service - Barnyard2 Dedicated Unified2 Spooler
   Loaded: loaded (/etc/systemd/system/barnyard2.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-03-01 19:06:47 CST; 1min 18s ago
 Main PID: 630 (barnyard2)
   CGroup: /system.slice/barnyard2.service
           └─630 /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -f unified2.alert

Mar 01 19:07:24 ids barnyard2[630]: database:  data encoding = hex
Mar 01 19:07:24 ids barnyard2[630]: database:   detail level = full
Mar 01 19:07:24 ids barnyard2[630]: database:     ignore_bpf = no
Mar 01 19:07:24 ids barnyard2[630]: database: using the "log" facility
Mar 01 19:07:24 ids barnyard2[630]: --== Initialization Complete ==--
Mar 01 19:07:24 ids barnyard2[630]: ______   -*> Barnyard2 <*-
Mar 01 19:07:24 ids barnyard2[630]: / ,,_  \  Version 2.1.14 (Build 337)
Mar 01 19:07:24 ids barnyard2[630]: |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
Mar 01 19:07:24 ids barnyard2[630]: + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
Mar 01 19:07:24 ids barnyard2[630]: Waiting for new spool file
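Barnyard2's job in the steps above is to tail the unified2.alert spool that Suricata writes and insert each record into MariaDB, resuming from the waldo bookmark after a restart. As an added example that is not part of the original post or the barnyard2 project, the Python reader below decodes the two common unified2 record types (legacy IPv4 event and packet) from constructed bytes and stops at a partially written trailing record, which is the situation the waldo bookmark exists for. Record layouts follow the Unified2RecordHeader, Unified2IDSEvent_legacy and Unified2Packet struct definitions from the Snort/barnyard2 sources; the alert values are constructed.

```python
import struct
import socket
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7              # legacy IPv4 event record, 52 bytes
_HDR = struct.Struct("!II")         # record type, record length (big-endian)
_EVENT = struct.Struct("!11I2H4B")  # Unified2IDSEvent_legacy
_PACKET = struct.Struct("!7I")      # Unified2Packet fixed part before packet bytes

def parse_unified2(buf):
    """Return (records, consumed). consumed is the offset of the first
    incomplete record: the bookmark role of barnyard2's waldo file, since
    Suricata may still be appending and a short tail is not an error."""
    records, off = [], 0
    while off + _HDR.size <= len(buf):
        rtype, rlen = _HDR.unpack_from(buf, off)
        body = buf[off + _HDR.size:off + _HDR.size + rlen]
        if len(body) < rlen:
            break  # partially written record: stop here, do not advance
        if rtype == UNIFIED2_IDS_EVENT and rlen == _EVENT.size:
            f = _EVENT.unpack(body)
            records.append({"type": "event", "event_id": f[1], "ts": f[2],
                            "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                            "src": socket.inet_ntoa(body[36:40]),   # ip_source
                            "dst": socket.inet_ntoa(body[40:44]),   # ip_destination
                            "sport": f[11], "dport": f[12], "proto": f[13]})
        elif rtype == UNIFIED2_PACKET and rlen >= _PACKET.size:
            f = _PACKET.unpack_from(body)
            records.append({"type": "packet", "event_id": f[1], "linktype": f[5],
                            "packet": body[_PACKET.size:_PACKET.size + f[6]]})
        else:
            records.append({"type": "unknown", "rtype": rtype, "length": rlen})
        off += _HDR.size + rlen
    return records, off

def build_sample():
    """Constructed spool bytes (not a real capture): one IPv4 alert, its
    packet record, then a record cut short mid-write."""
    ev = _EVENT.pack(0, 1, 1488366444, 0, 2100498, 1, 7, 3, 1,
                     int.from_bytes(socket.inet_aton("192.0.2.10"), "big"),
                     int.from_bytes(socket.inet_aton("198.51.100.5"), "big"),
                     40000, 80, 6, 0, 0, 0)
    data = bytes(range(60))  # placeholder packet bytes, linktype 1 = Ethernet
    pk = _PACKET.pack(0, 1, 1488366444, 1488366444, 0, 1, len(data)) + data
    tail = _HDR.pack(UNIFIED2_IDS_EVENT, _EVENT.size) + b"\x00" * 10  # truncated
    return (_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + _HDR.pack(UNIFIED2_PACKET, len(pk)) + pk + tail)

if __name__ == "__main__":
    print(parse_unified2(build_sample()))
```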


23. Install BASE + adodb (Web UI)
# cd /usr/local/src
# wget http://nchc.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz
# wget http://nchc.dl.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz
# tar zxvf base-1.4.5.tar.gz -C /var/www/html
# mv /var/www/html/base-1.4.5 /var/www/html/base
# chmod a+w /var/www/html/base
# tar zxvf adodb518a.tgz -C /var/www/html
# chmod a+w /var/www/html/adodb5
Edit /etc/php.ini:
# vim /etc/php.ini
date.timezone = "Asia/Taipei"
error_reporting = E_ALL & ~E_NOTICE
Find
; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
and add the following line below it:
include_path = ".:/usr/share/pear:/usr/share/php"

24. Restart the web server
# systemctl restart httpd

25. Remove write permission from the directories again
# chmod a-w /var/www/html/base
# chmod a-w /var/www/html/adodb5
