barnyard2+suricata+snorby
【Barnyard2 installation】
#yum install -y gcc flex bison zlib libpcap tcpdump gcc-c++ pcre* zlib* libdnet libdnet-devel libyaml-devel file file-devel libtool libpcap libpcap-devel
Download and install daq
#wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
#tar zxvf daq-2.0.6.tar.gz
#cd daq-2.0.6
#./configure && make && make install
Download and install libdnet
#wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz
#tar zxvf libdnet-1.11.tar.gz
#cd libdnet-1.11
#./configure && make && make install
Download and install Barnyard2
#cd ..
#wget -O barnyard2.zip --no-check-certificate https://codeload.github.com/firnsy/barnyard2/zip/master
#unzip barnyard2.zip
#cd barnyard2-master/
#./autogen.sh
#./configure --with-mysql-libraries=/usr/lib64/mysql/ #compile and install
#make && make install
【Download and install Suricata】
#wget https://www.openinfosecfoundation.org/download/suricata-4.1.5.tar.gz
#tar zxvf suricata-4.1.5.tar.gz
#cd suricata-4.1.5
#./configure
#make
#make install
#ldconfig
Configure Barnyard2
#Copy etc/barnyard2.conf from the Barnyard2 source tree into the Suricata configuration directory
#mkdir /etc/suricata #create the directory
#cd barnyard2-master/
#cp etc/barnyard2.conf /etc/suricata/
#Create the barnyard2 log directory /var/log/barnyard2
#mkdir /var/log/barnyard2
Configure Suricata
Create the Suricata configuration and log directories
#mkdir /var/log/suricata
Copy the rule files into the Suricata configuration directory (first download them; the rule set needs to be updated regularly)
#wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
#tar zxvf emerging.rules.tar.gz
#cp -R rules/ /etc/suricata/
#cp /usr/local/src/nids/suricata-4.1.5/suricata-update/tests/gen-msg.map /etc/suricata/
Copy suricata.yaml, classification.config and reference.config from the Suricata source tree into the Suricata configuration directory
#cd /opt/suricata-1.4.7
#cp suricata.yaml classification.config reference.config threshold.config /etc/suricata/
cp /opt/suricata-1.4.7/threshold.config /etc/suricata/
Edit barnyard2.conf
vim /etc/suricata/barnyard2.conf
Find the following lines:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
and change them to:
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
Also append the following line at the end of the file:
output database: log, mysql, user=ids password=oral dbname=ids host=localhost
If snorby is already installed, snorby creates the database and table structure automatically, so you can log straight into the snorby database instead:
output database: log, mysql, user=root password=oral dbname=snorby host=localhost
Find "config hostname" and "config interface" and change them to match your environment:
config hostname: PgHook-001 #the hostname; set it to anything you like
config interface: eth0 #the NIC connected to the mirror port
Edit suricata.yaml
vi /etc/suricata/suricata.yaml
Find the line HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
and change it to match your network; here I changed it to
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,59.151.0.0/12]"
HOME_NET is an address group that rules can reference directly, for example:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:2100429; rev:7;)
Find
default-rule-path: /usr/local/etc/suricata/rules
and change to
default-rule-path: /etc/suricata/rules
Find
default-log-dir: /usr/local/var/log/suricata/
and change to
default-log-dir: /var/log/suricata/
Find
#default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
and remove the leading comment marker
The outputs section lists many possible outputs, including alerts, the matched packets, the generated results and so on. You do not need to enable all of them; configure them to your needs. Here only unified2.alert is enabled, and fast.log and the other outputs are set to no.
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
Find
outputs:
  - console:
      enabled: yes
  - file:
      enabled: no
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
and change it to:
outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
Only file output is needed; neither the console nor syslog.
Find
classification-file: /usr/local/etc/suricata/classification.config
reference-config-file: /usr/local/etc/suricata/reference.config
and change to
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
Find
#pid-file: /var/run/suricata.pid
and remove the leading #
Find rule-files and delete emerging-icmp.rules and emerging-virus.rules from the list.
Find
#threshold-file: /etc/suricata/threshold.config
and remove the leading #
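A pre-flight check for the barnyard2.conf and suricata.yaml edits above (an added example script, not part of the original post): it verifies that every map file barnyard2.conf points at exists, that the unified2-alert output is enabled, and that its filename matches the prefix barnyard2 is later started with (-f unified2.alert). The scratch layout built by make_sample is an assumed, constructed copy of the /etc/suricata layout used here.

```shell
# Added example (not from the original post): pre-flight check of the
# barnyard2 <-> Suricata wiring configured above. Every "config *_file:" path
# in barnyard2.conf must exist, unified2-alert must be enabled in suricata.yaml,
# and its filename must equal the prefix barnyard2 is started with (-f).
# Print the value of "config KEY:" from barnyard2.conf, trailing comment dropped.
conf_value() {  # $1=barnyard2.conf  $2=key
    sed -n "s/^config $2:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 only if all four map/config files named in barnyard2.conf exist.
check_barnyard2_conf() {  # $1=barnyard2.conf
    rc=0
    for key in reference_file classification_file gen_file sid_file; do
        path=$(conf_value "$1" "$key")
        if [ -z "$path" ]; then echo "missing key: config $key"; rc=1
        elif [ ! -f "$path" ]; then echo "missing file: $key -> $path"; rc=1
        fi
    done
    return $rc
}

# Print the unified2-alert filename from suricata.yaml only if "enabled: yes".
unified2_filename() {  # $1=suricata.yaml
    awk '/^[[:space:]]*-[[:space:]]*unified2-alert:/ { inblk = 1; next }
         inblk && /^[[:space:]]*-/                   { exit }
         inblk && /^[[:space:]]*enabled:/            { en = $2 }
         inblk && /^[[:space:]]*filename:/           { fn = $2 }
         END { if (en == "yes") print fn }' "$1"
}

# Return 0 if Suricata's unified2 prefix equals the one barnyard2 reads (-f).
check_unified2_prefix() {  # $1=suricata.yaml  $2=prefix passed to barnyard2 -f
    fn=$(unified2_filename "$1")
    [ -n "$fn" ] && [ "$fn" = "$2" ]
}

# Constructed scratch copy of the guide's layout (assumed, for offline use);
# prints its directory. On a live box point the checks at /etc/suricata/... instead.
make_sample() {
    d=$(mktemp -d); mkdir -p "$d/etc/suricata/rules"
    for f in reference.config classification.config gen-msg.map rules/sid-msg.map; do
        : > "$d/etc/suricata/$f"
    done
    for k in reference_file:reference.config classification_file:classification.config \
             gen_file:gen-msg.map sid_file:rules/sid-msg.map; do
        echo "config ${k%%:*}: $d/etc/suricata/${k#*:}" >> "$d/barnyard2.conf"
    done
    printf 'outputs:\n  - unified2-alert:\n      enabled: yes\n      filename: unified2.alert\n' > "$d/suricata.yaml"
    echo "$d"
}
```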
【Snorby installation】
1) Install the prerequisite packages
#yum -y install libyaml libyaml-devel gcc gcc-c++ make file file-devel git libxslt-devel curl curl-devel ImageMagick ImageMagick-devel
#yum -y install mysql mysql-libs mysql-server mysql-devel
#yum -y install httpd httpd-devel apr-utils php php-common php-cli php-pear php-curl php-mcrypt php-pecl php-devel php-mysql
#ln -sf /usr/lib64/mysql /usr/lib/mysql
2) Install Ruby:
Install via rvm
$ curl -L get.rvm.io | bash -s stable
#source /etc/profile
Switch RVM's Ruby download source to the Taobao mirror in China to speed up the installation
#cd /usr/local/rvm/config/
# sed -i -e 's/ftp\.ruby-lang\.org\/pub\/ruby/ruby\.taobao\.org\/mirrors\/ruby/g' db
#/usr/local/rvm/bin/rvm install 2.3.8
List the installed ruby versions:
#rvm list
Select a version:
#rvm use 1.9.3
List all known versions:
#rvm list known
Show the default gem sources:
# gem sources
*** CURRENT SOURCES ***
https://rubygems.org/
Remove the default gem source and add the Taobao source
#gem sources -r http://rubygems.org/
#gem sources -a http://gems.ruby-china.com/
Update the cache
#gem sources -u
Install bundler and snorby
[root@localhost suricata-4.1.5]# pwd
/usr/local/src/nids/suricata-4.1.5
#gem install bundler
#git clone git://github.com/Snorby/snorby.git
#cd snorby
The following files need to be modified:
1. Edit Gemfile
Change
gem 'rake', '0.9.2'
to
gem 'rake', '> 0.9.2'
2. Edit Gemfile.lock
Change
rake (0.9.2)
to
rake (0.9.2.2)
3. Create snorby_config.yml and database.yml
cp config/snorby_config.yml.example config/snorby_config.yml
cp config/database.yml.example config/database.yml
4. Enter your MySQL root user's password into database.yml.
5. Edit snorby_config.yml: uncomment time_zone and change UTC to Asia/Shanghai.
Run the following commands to start the installation:
#bundle install
#rake snorby:setup
This creates the snorby database.
*********************************************
IDS system setup complete!
*********************************************
【Startup】
1> Start barnyard2
#/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
#-c loads the configuration file
#-d the directory where suricata writes its unified2 binary files
#-f the name prefix of those binary files
#-w the bookmark (waldo) file, used to record how far the files have been read
#-D run in the background
2> Start suricata
/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -D
suricata's -i argument is the NIC carrying the mirrored traffic
Alert files are written to /var/log/suricata
3> Start snorby
[root@localhost snorby]# pwd
/usr/local/src/nids/suricata-4.1.5/snorby
#nohup rails server -e production &
Listens on port 3000 by default
Start on a specific port:
#nohup rails server -p8080 -e production &
Open in a browser:
http://ip:3000
Default username/password:
snorby@example.com/snorby
【Exception1】
[root@localhost barnyard2-master]# ./autogen.sh
Found libtoolize
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal -I m4 --output=aclocal.m4t
This Perl not built to support threads
Compilation failed in require at /usr/share/automake-1.11/Automake/ChannelDefs.pm line 23.
BEGIN failed--compilation aborted at /usr/share/automake-1.11/Automake/ChannelDefs.pm line 26.
Compilation failed in require at /usr/share/automake-1.11/Automake/Configure_ac.pm line 26.
BEGIN failed--compilation aborted at /usr/share/automake-1.11/Automake/Configure_ac.pm line 26.
Compilation failed in require at /usr/bin/aclocal line 39.
BEGIN failed--compilation aborted at /usr/bin/aclocal line 39.
autoreconf: aclocal failed with exit status: 255
You can now run "./configure" and then "make".
[root@localhost barnyard2-master]# perl -V | grep thread
useithreads=undef, usemultiplicity=undef
Fix:
[root@localhost barnyard2-master]# yum reinstall perl
0x04. Download and install Suricata
Suricata depends on yaml, so install yaml first
Download yaml:
wget http://pyyaml.org/download/libyaml/yaml-0.1.4.tar.gz
tar zxvf yaml-0.1.4.tar.gz
./configure
make
make install
【exception2:】
#gpg2 --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
Source: oschina
Link: https://my.oschina.net/u/922703/blog/3123456