
Set time

Screensaver
Add them 1 card mang (1 card la host only de test rule, 1 card de download cac goi cai dat)
=================Snort===================
# Cai dat cac goi can thiet
yum install -y wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man
# Tao thu muc tmp (thu muc download va cai dat)
mkdir tmp && cd tmp
# Download va cai dat libdnet (ko nen copy tat ca roi paste, download se kho, nen down tung cai 1)
wget http://pkgs.repoforge.org/libdnet/libdnet-1.11-1.1.el3.rf.x86_64.rpm
wget http://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm
# Cai dat DAQ va Snort
yum install -y https://www.snort.org/downloads/snort/daq-2.0.2-1.centos6.x86_64.rpm
yum install -y https://www.snort.org/downloads/snort/snort-2.9.6.2-1.centos6.x86_64.rpm
# Download va giai nen Commynity Rule
wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -xvf community-rules.tar.gz -C /etc/snort/rules
# Download va giai nen snortrule (download cham thi co the download truc tiep tren snort.org va copy vao may ao de cai dat)
wget https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=13cc5a9081d2e31a4e1ab1224b3985aeaeffc0d9 (thay gia tri oinkcode bang oinkcode lay tu tai khoan snort.org cua ban; oinkcode gan voi tai khoan ca nhan nen khong de nguyen trong tai lieu chia se)
tar -xvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules (neu download bang wget thi khi giai nen chu y ten file: wget se luu file voi ten co ca phan ?oinkcode=..., co the dung wget -O de dat ten file khi tai)
mv /etc/snort/rules/rules/* /etc/snort/rules/
rmdir /etc/snort/rules/rules
# Thay doi user so huu thu muc
cd /etc/snort
chown -R snort:snort *
# Chinh sua file snort.conf
cd /etc/snort
vi snort.conf
--------------------45: ipvar HOME_NET any #or set to a network such as 172.21.0.0/16 (nen dat HOME_NET la mang can giam sat: dong 48 dinh nghia EXTERNAL_NET la !$HOME_NET, neu de HOME_NET any thi EXTERNAL_NET thanh !any va cac rule dua vao EXTERNAL_NET ko con y nghia)
48: ipvar EXTERNAL_NET !$HOME_NET
104: var RULE_PATH /etc/snort/rules
105: var SO_RULE_PATH /etc/snort/rules/so_rules
106: var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
109: var WHITE_LIST_PATH /etc/snort/rules
110: var BLACK_LIST_PATH /etc/snort/rules
506: whitelist $WHITE_LIST_PATH/whitelist.rules, \
507: blacklist $BLACK_LIST_PATH/blacklist.rules
516: output unified2: filename snort.log, limit 128
---------------------

# Tao them cac file bi thieu


mkdir /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/whitelist.rules
# Cau lenh can thiet
/sbin/ldconfig
updatedb
# Test snort
snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
# Neu ko cau hinh buoc nay thi barnyard se ko xuat log vao database
vi /etc/sysconfig/snort
----------:69 #ALERTMODE
:81 #BINARY_LOG
----------=============PulledPork========================
# Cai dat cac goi can thiet
cd /home/hoanggiang/tmp
yum -y install perl-libwww-perl perl-Crypt-SSLeay perl-Archive-Tar
# Download va giai nen PullPork
wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
tar -zxf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
cp pulledpork.pl /usr/sbin ; chmod 755 /usr/sbin/pulledpork.pl
cp etc/* /etc/snort/
# Chinh sua file cau hinh Pullpork
vi /etc/snort/pulledpork.conf
----------------------------------------<oinkcode> (lay oinkcode tren snort.org va thay vao 2 cho <oinkcode> o dong 19 va 26)
72: rule_path=/etc/snort/rules/snort.rules
79: out_path=/etc/snort/rules/
87: local_rules=/etc/snort/rules/local.rules
90: sid_msg=/etc/snort/sid-msg.map
113: snort_path=/usr/sbin/snort
117: config_path=/etc/snort/snort.conf
131: distro=Centos-5-4
139: black_list=/etc/snort/rules/blacklist.rules
148: #IPRVersion=/usr/local/etc/snort/rules/iplists
151: snort_control=/usr/bin/snort_control
194: enablesid=/etc/snort/enablesid.conf
195: dropsid=/etc/snort/dropsid.conf
196: disablesid=/etc/snort/disablesid.conf
197: modifysid=/etc/snort/modifysid.conf
----------------------------------------# Test PullPork
pulledpork.pl -vv -c /etc/snort/pulledpork.conf -T -l
# Cai dat thoi gian cap nhat
vi /etc/crontab
----------------------

0 0 * * * root /usr/sbin/pulledpork.pl -c /etc/snort/pulledpork.conf


---------------------================Barnyard2===========================
# Download, giai nen va cai dat Barnyard
cd /home/hoanggiang/tmp
mkdir /var/log/barnyard2
mkdir /usr/local/src/firnsy-barnyard2 && cd /usr/local/src/firnsy-barnyard2
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz
tar -zxvf v2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./m4
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
make
make install
vi /usr/local/etc/barnyard2.conf
------------------------------------------30 config sid_file: /etc/snort/sid-msg.map
54 config logdir: /var/log/snort
70 config hostname: Snort
71 config interface: eth0
85 config daemon
141 config waldo_file: /etc/snort/barnyard2-log.waldo
175 input unified2
output alert_full
316 output log_tcpdump: tcpdump.log
348 output database:log, mysql, user=snort password=snort dbname=snort host=localhost (file cau hinh nay chua mat khau database nen han che quyen doc file)
------------------------------------------cp /usr/local/etc/barnyard2.conf /etc/snort/barnyard2.conf
# Cau hinh de barnyard khoi dong nhu 1 dich vu
cd /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
chkconfig barnyard2 on
vi /etc/init.d/barnyard2
----------------------------16: PATH=/usr/local/bin:${PATH}
38: ARCHIVEDIR="$SNORTDIR/archive"
39: WALDO_FILE="$SNORTDIR/barnyard2-log.waldo"
40: BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/ -w $WALDO_FILE -l $SNORTDIR -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
41: echo $prog $BARNYARD_OPTS
----------------------------vi /etc/sysconfig/barnyard2
---------------------------LOG_FILE="snort.log"
SNORTDIR="/var/log/snort"

INTERFACES="eth0"
CONF=/etc/snort/barnyard2.conf
EXTRA_ARGS=""
---------------------------# Cai dat co so du lieu
service mysqld start
/usr/bin/mysql_secure_installation
mysql -u root -p
create database snort;
grant all on snort.* to snort@localhost;
set password for snort@localhost=password('snort');
use snort;
source /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13/schemas/create_mysql
show tables;
flush privileges;
exit
chkconfig --add mysqld
chkconfig mysqld on
touch /etc/snort/barnyard2-log.waldo
# Viet 1 rule don gian de kiem tra kha nang hoat dong cua snort va barnyard, mysql (thuong them vao /etc/snort/rules/local.rules, file duoc khai bao o dong 87 cua pulledpork.conf)
alert icmp any any -> any any (msg:"Co nguoi dang ping"; sid: 1000001; rev: 1;)
# Download va giai nen oinkmaster, roi chay cau lenh sau (update sid-msg.map cho cac rule moi tao, neu ko barnyard se ko hien thi duoc msg)
./create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map
# khoi dong barnyard
service barnyard2 start
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/barnyard2-log.waldo -D (chay o che do nay ta co the debug loi va thay doi duoc 1 so tuy chon, chu y o lan dau chay debug, ta phai co tuy chon -w /etc/snort/barnyard2-log.waldo)
# Khoi dong snort (o buoc nay ta se gap loi blacklist.rules chua biet nguyen nhan vi sao, ta phai tao 1 file blacklist.rules khac; co the do file blacklist.rules trong goi rule ko dung dinh dang danh sach IP ma phan reputation o dong 506-507 cua snort.conf mong doi -- chua kiem chung. Luu y file tao bang touch la file rong nen danh sach chan IP se ko co tac dung cho den khi pulledpork ghi lai file nay theo dong 139 cua pulledpork.conf)
mv /etc/snort/rules/blacklist.rules /etc/snort/rules/black_list.rules
touch /etc/snort/rules/blacklist.rules
service snortd start
# Kiem tra xem barnyard co xuat du lieu vao database ko. count khac 0
mysql -u root -p
use snort;
select count(*) from event;
==========================Snorby=================
# Cai dat cac goi can thiet
yum -y groupinstall "Development Tools"
yum install -y openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts libX11-devel libXext-devel qconf fontconfig-devel libXrender-devel unzip
# Cai dat ImageMagick
cd /home/hoanggiang/tmp

wget ftp://ftp.fifi.org/pub/ImageMagick/ImageMagick-6.8.9-8.tar.gz
tar -xvf ImageMagick-6.8.9-8.tar.gz
cd ImageMagick-6.8.9-8
./configure
make
make install
ldconfig /usr/local/lib
# Cai dat cac goi can thiet
yum -y install xz urw-fonts libXext openssl-devel libXrender
# Cai dat wkhtmltox
cd /home/hoanggiang/tmp
wget http://sourceforge.net/projects/wkhtmltopdf/files/0.12.1/wkhtmltox-0.12.1_linux-centos6-amd64.rpm
rpm -Uvh wkhtmltox-0.12.1_linux-centos6-amd64.rpm
# Test wkhtmltox
wkhtmltopdf http://www.google.com google.pdf
# Cai dat cac goi can thiet
yum -y install libxslt-devel libxml2-devel gdbm-devel libffi-devel zlib-devel openssl-devel libyaml-devel readline-devel curl-devel openssl-devel pcre-devel git memcached-devel valgrind-devel mysql-devel ImageMagick-devel
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
curl -L get.rvm.io | bash -s stable (lenh nay tai script tu mang ve va chay ngay bang bash; nen tai ve qua https, xem qua noi dung script roi moi chay)
source /etc/profile.d/rvm.sh
rvm install 1.9.3 (Phien ban nay ko con duoc duy tri, xem cac phien ban duoc duy tri tai http://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering)
rvm use 1.9.3 --default
rvm rubygems current
gem install rails
yum -y install httpd
service httpd start
chkconfig --add httpd
chkconfig httpd on
gem install passenger
yum install curl-devel httpd-devel
passenger-install-apache2-module
gem install bundler
cd /var/www/html
mkdir snorby
cd snorby
wget -O snorby.zip --no-check-certificate https://github.com/Snorby/snorby/archive/master.zip (--no-check-certificate bo qua kiem tra chung chi TLS; chi can khi goi ca-certificates tren may qua cu, tot hon la cap nhat ca-certificates roi bo tuy chon nay)
unzip snorby.zip
mv snorby-master/* /var/www/html/snorby

mysql -u root -p
create database snorby;
create user 'snorby'@'localhost' identified by 'snorby';
grant all on snorby.* to snorby@localhost;
flush privileges;
exit
cp config/database.yml.example config/database.yml
vi config/database.yml
------------------:8 username: snorby
:9 password: "snorby"
------------------vi Gemfile
---------------------:8 gem 'rake', '> 0.9.2'
:16 gem 'thin'
:88 # gem 'thin'
---------------------vi Gemfile.lock
------------------265: rake (0.9.2.2)
------------------cp config/snorby_config.yml.example config/snorby_config.yml
yum -y install java-1.6.0-openjdk-devel java-1.6.0-openjdk
yum -y install httpd-devel apr-devel apr-util-devel
bundle install
gem update --system
RAILS_ENV=production bundle exec rake snorby:setup
#Test
rails server thin -e production
Using a web browser, browse to the URL of your server using port 3000: http://ip-address:3000

#Auto Start Snorby


vi /etc/sysconfig/selinux
------------SELINUX=disabled (tat hoan toan SELinux; neu chi can tranh loi khi chay Passenger thi co the dung SELINUX=permissive de SELinux van ghi log vi pham ma ko chan)
------------reboot
Copy the following to httpd.conf:
vi /etc/httpd/conf/httpd.conf
---------------------------------:202 LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.3-p547/gems/passenger-4.0.50/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /usr/local/rvm/gems/ruby-1.9.3-p547/gems/passenger-4.0.50
PassengerDefaultRuby /usr/local/rvm/gems/ruby-1.9.3-p547/wrappers/ruby
</IfModule>
---------------------------------#Add the VirtualHost for Snorby in httpd.conf:
---------------------------------

<VirtualHost *:80>
Servername SnortIPS
DocumentRoot /var/www/html/snorby/public
<Directory /var/www/html/snorby/public>
AllowOverride all
Order allow,deny
Allow from all
Options -MultiViews
</Directory>
</VirtualHost>
---------------------------------# Change the ownership of the Snorby directory in /var/www/html:
chown -R apache:apache /var/www/html/snorby
# Modify the barnyard2.conf file to output to the snorby database:
vi /etc/snort/barnyard2.conf
Modify or add the output database:
output database: log, mysql, user=snorby password=snorby dbname=snorby host=localhost
# Modify IPTABLES
Add a rule to allow port 80 through IPTABLES:
iptables -I INPUT -p tcp --dport 80 -m state --state=NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/service iptables save
===========1 vai luu y khi su dung snorby============
- De lay duoc database ta phai vao Administrator->Worker & Job Queue->Start worker. Tro lai dashboard ta thay do thi da xuat hien
- De hien thi thoi gian dung tren do thi ta vao Settings->Time zone->Current Password->Update Settings
- De hien thi Severity con tuy thuoc vao rule. Ta phai xac dinh muc do nguy hiem bang cach them cac option classtype hoac priority
- Doi khi ta phai xoa cac file trong /var/log/snort de tranh truong hop barnyard log lai tat ca cac file log lam mat thoi gian. Khi nay ta dung lenh "rm -rf *" dong nghia voi viec file barnyard2-log.waldo bi mat. Ta chi viec khoi dong lai barnyard va doi mot luc la file waldo nay se xuat hien tro lai (xoa nhu vay cung mat luon cac file unified2 da ghi; neu can giu lai de dieu tra thi chuyen sang thu muc khac thay vi xoa)
- Neu ta ping nhieu qua, database co the se full va ko the log len snorby duoc (cai nay ko chac chan lam vi chua test ky). Khi nay ta co the khac phuc bang cach xoa du lieu trong bang event cua database snorby bang cau lenh "delete from event;" (nho la phai vao db snorby)
===============Add NIC=================
Add Network Adapter cho VM
touch ifcfg-eth1 (trong thu muc /etc/sysconfig/network-scripts/)
#them cac thong so co ban
DEVICE=eth1
HWADDR=00:0C:29:B3:55:44 (MAC phai trung voi MAC cua eth1 khi go lenh ifconfig -a)
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp

===============Chuyen sang che do Inline=================


#them vao ifcfg-eth0 va ifcfg-eth1
BOOTPROTO=none
BRIDGE=br0
touch ifcfg-br0
# them cac thong so co ban
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
service network restart (neu br0 ok thi coi nhu cau hinh dung)
reboot
# Chay snort trong che do inline
snort -c /etc/snort/snort.conf -i eth0:eth1 -Q --daq afpacket --daq-mode inline --daq-var buffer_size_mb=256 (chu y dau "-" khi copy: cac tuy chon la -c, -i, -Q va --daq-var)
# Thuc te khi chay dong lenh tren snort se tu dong chay trong che do inline, do do ta ko can phai bridge 2 cong eth0 va eth1
# Trong che do inline snort su dung daq de xu li goi tin ma ko can den iptables. Tuy nhien de chan 1 ip thi ta co the su dung snortsam de thong bao iptables chan ip
==============SnortSam====================================
#Tai libtool http://ftpmirror.gnu.org/libtool/libtool-2.4.2.tar.gz
tar xzvf libtool-2.4.2.tar.gz
cd libtool-2.4.2
./configure --prefix=/usr
make && make install
#Tai snortsam http://www.snortsam.net/files/snortsam/snortsam-src-2.70.tar.gz
tar xzvf snortsam-src-2.70.tar.gz
cd snortsam
chmod +x makesnortsam.sh
./makesnortsam.sh
#Vao link http://www.snortsam.net/files/snort-plugin/snortsam-2.9.5.3-1.diff.gz
#Copy doan code
#tao 1 file moi dat ten la snortsam-2.9.5.3-1.diff
#paste doan code vua copy vao
#Luu lai
#Vao thu muc giai nen snort
cd /home/hoanggiang/tmp/snort-2.9.6.1
patch -p1 < <pathto>/snortsam-2.9.5.3-1.diff
sh ./autojunk.sh
./configure --enable-sourcefire
make && make install
#Copy tap tin nhi phan cua snortsam vao /usr/local/bin
cp snortsam/snortsam /usr/local/bin
# Cau hinh snortsam
cp snortsam/conf/snortsam.conf.example /etc/snortsam.conf
vi /etc/snortsam.conf
--------------accept <host>/<mask>,<key> (ket noi voi snort; <key> phai trung voi {password} trong output alert_fwsam cua snort.conf)
fwsam <host> (ket noi voi fw checkpoint)
iptables <adapter> <logoption> (ket noi voi iptables tren chinh host cai snortsam)
cisconullroute (ket noi voi router cisco)
---------------

# Cau hinh lai snort


--------------------output alert_fwsam: {SnortSam Station}:{port}/{password}
--------------------# Them vao cuoi moi rule "fwsam: who, times;"
==============Tan cong Dos va rule phat hien===============
# Tao tool tan cong
- Cai dat may ao backtrack
- vao trang http://ha.ckers.org/slowloris/slowloris.pl copy toan bo va paste vao
1 file dat ten la slowloris.pl
- Tan cong bang lenh "./slowloris -dns [IP]"
- Rule phat hien tan cong
"alert tcp any any -> any any (msg:"DOS by Slowloris Tool"; content:"GET /"; depth:10; content:"User-Agent\: Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 5.1\; Trident/4.0"; offset:10; depth:100; sid:1000003; rev:2;)" (rule nay chi khop voi chuoi User-Agent mac dinh cua tool nen chi dung de kiem thu, chua phai rule phat hien Slowloris noi chung)
==============Mot so lenh thao tac voi csdl mysql can dung================
select * from <table> (Hien thi bang)
update <table> set <column='value'> where <id='value'> (Thay doi gia tri trong bang)
==============Routing through linux====================
#Dat dia chi 2 card mang
#Bat tinh nang dinh tuyen
vi /etc/sysctl.conf
---------net.ipv4.ip_forward = 1
---------echo "1">/proc/sys/net/ipv4/ip_forward
#Mo ta thong tin dinh tuyen
route add -net -n [network/netmask] dev eth0
route add -net -n [network/netmask] dev eth1
#2 lenh tren mo ta rang: muon den mang nay thi phai ra cong nay
#Kiem tra dinh tuyen bang lenh route hoac netstat -rn
# Sua iptables
# them dong sau
-A OUTPUT -p icmp -j ACCEPT
