Add them 1 card mang (1 card la host only de test rule, 1 card de download cac goi cai dat)
=================Snort===================
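# Install the build and runtime packages Snort needs
yum install -y wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre \
  pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man
# Working directory for downloads and builds; abort if it cannot be entered,
# the wget/rpm steps below must not run somewhere else
mkdir -p tmp && cd tmp || exit 1
# Download and install libdnet (do not paste the whole list at once, the
# downloads tend to fail; fetch them one at a time).
# NOTE(review): plain-http download from a third-party repo. `rpm -i` installs
# a package whose signing key is unknown with only a NOKEY warning, so import
# that repo's key first (rpm --import) or look at `rpm -K <pkg>` before
# installing.
wget http://pkgs.repoforge.org/libdnet/libdnet-1.11-1.1.el3.rf.x86_64.rpm
wget http://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm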
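# Install DAQ and Snort from the snort.org packages.
# NOTE(review): by default yum does not check the signature of a package given
# as a URL or file (yum.conf localpkg_gpgcheck), so these install unverified
# unless that option is on and the snort.org key is imported.
yum install -y https://www.snort.org/downloads/snort/daq-2.0.2-1.centos6.x86_64.rpm
yum install -y https://www.snort.org/downloads/snort/snort-2.9.6.2-1.centos6.x86_64.rpm
# Download and extract the Community rules
wget https://www.snort.org/downloads/community/community-rules.tar.gz
# Extracted as root straight into the rule directory; afterwards check where
# the rule file actually landed (the archive may carry a top-level directory)
# and that snort.conf includes that path.
tar -xvf community-rules.tar.gz -C /etc/snort/rules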
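# Download and extract the registered rule snapshot (if the download is slow,
# fetch it on snort.org directly and copy it into the VM).
# The oinkcode is the account's personal token from snort.org: it is read from
# the environment here instead of being written into these notes (the earlier
# version of this line embedded one — rotate it on snort.org).
# `-O` fixes the output file name; without it wget keeps the `?oinkcode=...`
# suffix, which is the "watch the file name" problem noted before.
wget -O snortrules-snapshot-2962.tar.gz \
  "https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=${OINKCODE:?set OINKCODE to your snort.org oinkcode}"
tar -xvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules
# The snapshot has its own rules/ directory (hence /etc/snort/rules/rules);
# flatten it into /etc/snort/rules. SO_RULE_PATH and PREPROC_RULE_PATH in
# snort.conf point at sub-directories of /etc/snort/rules that presumably come
# from the same archive — confirm they exist after extraction.
mv -- /etc/snort/rules/rules/* /etc/snort/rules/
rmdir /etc/snort/rules/rules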
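# Give the snort user ownership of its config and rule tree.
# Absolute path instead of `cd /etc/snort; chown -R snort:snort *`: a failed cd
# would otherwise chown whatever the current directory is, and `*` skips
# dotfiles.
chown -R snort:snort /etc/snort
# Edit snort.conf; the line numbers and values to change are listed below
vi /etc/snort/snort.conf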
--------------------
45: ipvar HOME_NET any #or set to a network such as 172.21.0.0/16
48: ipvar EXTERNAL_NET !$HOME_NET (only meaningful once HOME_NET is a real subnet: with HOME_NET left as any, !$HOME_NET negates any and EXTERNAL_NET matches nothing; otherwise keep EXTERNAL_NET as any)
104: var RULE_PATH /etc/snort/rules
105: var SO_RULE_PATH /etc/snort/rules/so_rules
106: var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
109: var WHITE_LIST_PATH /etc/snort/rules
110: var BLACK_LIST_PATH /etc/snort/rules
506: whitelist $WHITE_LIST_PATH/whitelist.rules, \
507: blacklist $BLACK_LIST_PATH/blacklist.rules
516: output unified2: filename snort.log, limit 128
---------------------
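# barnyard2 service settings (presumably the init-script config, e.g.
# /etc/sysconfig/barnyard2 — confirm the file name on this host).
# Looks like the interface list barnyard2 is started for; if eth1 (the host-only
# card added at the end of these notes) is the one snort sniffs, it probably
# belongs here too.
INTERFACES="eth0"
# Fixed: was barnyard2.con; every other step uses /etc/snort/barnyard2.conf
CONF=/etc/snort/barnyard2.conf
EXTRA_ARGS=""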
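# ---------------------------
# Database setup
service mysqld start
# Interactive hardening wizard (root password, anonymous users, test db)
/usr/bin/mysql_secure_installation
# Create the barnyard2 database and its account. Typed interactively in the
# original; a quoted here-doc keeps it runnable as a script (the client reads
# the root password from the terminal, not from stdin).
# NOTE(review): the account password is the literal 'snort' and is repeated in
# barnyard2.conf — pick a real one and keep these notes out of version control.
# The schema path assumes barnyard2 was built from source at that location;
# those build steps are not in these notes.
mysql -u root -p <<'SQL'
create database snort;
grant all on snort.* to snort@localhost;
set password for snort@localhost=password('snort');
use snort;
source /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13/schemas/create_mysql
show tables;
flush privileges;
SQL
chkconfig --add mysqld
chkconfig mysqld on
# Empty bookmark file handed to barnyard2 with -w (see the manual start below)
touch /etc/snort/barnyard2-log.waldo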
# Viet 1 rule don gian de kiem tra kha nang hoat dong cua snort va barnyard, mysql
alert icmp any any -> any any (msg:"Co nguoi dang ping"; sid: 1000001; rev: 1;)
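# Download and extract oinkmaster, then run the following from the extracted
# directory to rebuild the sid map for the newly added rules; without it
# barnyard2 cannot show the msg of those rules.
# Written to a temporary file first: a plain `> /etc/snort/sid-msg.map` would
# truncate the existing map even when the script is missing or fails.
./create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map.new \
  && mv /etc/snort/sid-msg.map.new /etc/snort/sid-msg.map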
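# Start barnyard2
service barnyard2 start
# Alternative for troubleshooting: start it by hand with explicit options. In
# this mode errors can be examined and options changed; on the first run the
# bookmark file must be given with -w.
# NOTE(review): run either the service or the hand-started copy, not both —
# two instances would presumably share the same spool and waldo file.
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log \
  -w /etc/snort/barnyard2-log.waldo -D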
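# Start snort. At this step an error on blacklist.rules appeared (cause unknown
# to the author); the workaround is an empty file of that name.
# Likely explanation (not verified here): snort.conf line 507 feeds
# $BLACK_LIST_PATH/blacklist.rules to the reputation preprocessor as an
# IP/CIDR list, while the rule snapshot ships a signature file under the same
# name, so the list parser rejects it.
# NOTE(review): moving the signature file aside means any
# `include $RULE_PATH/blacklist.rules` line in snort.conf now reads the empty
# file and those signatures are silently dropped. Pointing BLACK_LIST_PATH at a
# separate, empty list file and leaving blacklist.rules in place avoids that.
mv /etc/snort/rules/blacklist.rules /etc/snort/rules/black_list.rules
touch /etc/snort/rules/blacklist.rules
service snortd start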
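# Check that barnyard2 is writing into the database: the count must be non-zero
# (interactive session in the original; here-doc keeps it runnable)
mysql -u root -p <<'SQL'
use snort;
select count(*) from event;
SQL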
==========================Snorby=================
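# Build tools and libraries for the Snorby / ImageMagick steps below
yum -y groupinstall "Development Tools"
yum install -y openssl-devel readline-devel libxml2-devel libxslt-devel mysql \
  mysql-devel mysql-libs mysql-server urw-fonts libX11-devel libXext-devel qconf \
  fontconfig-devel libXrender-devel unzip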
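# Build ImageMagick from source.
# NOTE(review): the tarball comes over anonymous FTP with no checksum or
# signature check and is then compiled and installed as root; compare it
# against a checksum published by the project before building.
cd /home/hoanggiang/tmp || exit 1
wget ftp://ftp.fifi.org/pub/ImageMagick/ImageMagick-6.8.9-8.tar.gz
tar -xvf ImageMagick-6.8.9-8.tar.gz
cd ImageMagick-6.8.9-8 || exit 1
# Each step depends on the previous one; stop at the first failure instead of
# running `make install` on a half-built tree
./configure && make && make install || exit 1
ldconfig /usr/local/lib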
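# Runtime packages for wkhtmltox
yum -y install xz urw-fonts libXext openssl-devel libXrender
# Install wkhtmltox (presumably for Snorby's PDF export — confirm)
cd /home/hoanggiang/tmp || exit 1
# NOTE(review): plain-http download; `rpm -Uvh` installs it with at most a
# NOKEY warning when no matching GPG key is imported — check the package
# (`rpm -K`) or the checksum the project publishes before installing.
wget http://sourceforge.net/projects/wkhtmltopdf/files/0.12.1/wkhtmltox-0.12.1_linux-centos6-amd64.rpm
rpm -Uvh wkhtmltox-0.12.1_linux-centos6-amd64.rpm
# Smoke test: render a page to PDF
wkhtmltopdf http://www.google.com google.pdf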
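# Development headers for the gems installed by `bundle install` later
yum -y install libxslt-devel libxml2-devel gdbm-devel libffi-devel zlib-devel \
  openssl-devel libyaml-devel readline-devel curl-devel openssl-devel pcre-devel git \
  memcached-devel valgrind-devel mysql-devel ImageMagick-devel
# Enable the EPEL and Remi repositories.
# NOTE(review): release RPMs fetched over plain http; `rpm -Uvh` only warns
# (NOKEY) when the signing key is unknown, so import the repos' keys first or
# check the packages with `rpm -K` before installing them.
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm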
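# Install RVM.
# NOTE(review): the original piped the installer straight from the network into
# a root shell. Saving it to a file first lets it be read and verified (RVM
# publishes a GPG signature for the installer); -f makes curl fail on an HTTP
# error instead of handing an error page to bash.
curl -fsSL get.rvm.io -o rvm-installer && bash rvm-installer stable
source /etc/profile.d/rvm.sh
# Ruby 1.9.3 is no longer maintained (no security fixes); the maintained
# releases are listed at http://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
rvm install 1.9.3
rvm use 1.9.3 --default
rvm rubygems current
gem install rails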
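# Apache and Passenger
yum -y install httpd
service httpd start
chkconfig --add httpd
chkconfig httpd on
gem install passenger
# -y added: every other yum call in these notes is non-interactive
yum install -y curl-devel httpd-devel
# Interactive installer for the Apache module
passenger-install-apache2-module
gem install bundler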
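# Fetch Snorby into the web root
cd /var/www/html || exit 1
mkdir -p snorby && cd snorby || exit 1
# NOTE(review): --no-check-certificate dropped — it turned off TLS verification
# for the download of code that will run under the web server. If the download
# fails with a certificate error, update the ca-certificates package rather
# than re-adding the flag.
wget -O snorby.zip https://github.com/Snorby/snorby/archive/master.zip
unzip snorby.zip
# Flatten snorby-master/ into the current directory (dotfiles in it are left
# behind by the glob — check whether any matter)
mv snorby-master/* /var/www/html/snorby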
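# Database and account for Snorby (typed interactively in the original; the
# here-doc keeps it runnable, the root password is still read from the
# terminal).
# NOTE(review): the password 'snorby' is the literal that also goes into
# database.yml and barnyard2.conf below — choose a real one and keep it out of
# these notes.
mysql -u root -p <<'SQL'
create database snorby;
create user 'snorby'@'localhost' identified by 'snorby';
grant all on snorby.* to snorby@localhost;
flush privileges;
SQL
# Database settings for the app (run from /var/www/html/snorby); the values to
# set are listed right below
cp config/database.yml.example config/database.yml
vi config/database.yml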
------------------
:8 username: snorby
:9 password: "snorby"
------------------
vi Gemfile
---------------------
:8 gem 'rake', '> 0.9.2'
:16 gem 'thin'
:88 # gem 'thin'
---------------------
vi Gemfile.lock
------------------
265: rake (0.9.2.2)
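# ------------------
# Application settings; the example file is used as-is (the separator that was
# fused onto this command made it an unrunnable line)
cp config/snorby_config.yml.example config/snorby_config.yml
# Java (presumably for asset compilation — confirm) and Apache dev headers
yum -y install java-1.6.0-openjdk-devel java-1.6.0-openjdk
yum -y install httpd-devel apr-devel apr-util-devel
# Install the gems from the Gemfile, then refresh RubyGems itself
bundle install
gem update --system
# Create and seed the Snorby database; this presumably also creates Snorby's
# default administrator login — change that password at first sign-in
RAILS_ENV=production bundle exec rake snorby:setup
# Smoke test with the thin server on port 3000 (by default it presumably
# listens on every interface, so it is reachable from the network)
rails server thin -e production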
Using a web browser, browse to the URL of your server using port 3000: http://ip-address:3000
# Apache virtual host serving Snorby through Passenger. Goes into the httpd
# configuration (the notes do not say which file; a new file under
# /etc/httpd/conf.d/ is the usual place on CentOS — confirm).
<VirtualHost *:80>
# Host name clients use for this site
Servername SnortIPS
# Passenger convention: the document root is the Rails app's public/ directory
DocumentRoot /var/www/html/snorby/public
<Directory /var/www/html/snorby/public>
# Lets .htaccess files under public/ override settings
AllowOverride all
# NOTE(review): together with the iptables rule below this exposes the Snorby
# login (plain HTTP, password sent in the clear) to every address that can
# reach port 80; restrict "Allow from" to the admin network and/or put the
# site behind TLS.
Order allow,deny
Allow from all
Options -MultiViews
</Directory>
</VirtualHost>
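# ---------------------------------
# Change the ownership of the Snorby directory in /var/www/html (the separator
# that was fused onto this comment made it a bogus command line).
# NOTE(review): the web server account can now read and write the whole tree,
# including config/database.yml with the database password; only the
# directories the app writes to (log/, tmp/) need to be writable by it.
chown -R apache:apache -- /var/www/html/snorby
# Point barnyard2 at the Snorby database; the output line to set is below
vi /etc/snort/barnyard2.conf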
Modify or add the output database (this line holds the database password, so keep barnyard2.conf readable only by root and the snort user):
output database: log, mysql, user=snorby password=snorby dbname=snorby host=localhost
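# Firewall: allow inbound HTTP for Snorby (the explanatory sentence was a bare
# line in the original, which is not a valid command).
# NOTE(review): this admits port 80 from any source; Snorby is an authenticated
# console over plain HTTP, so add `-s <ADMIN_NET/prefix>` (placeholder) to the
# rule so only the management network reaches it.
iptables -I INPUT -p tcp --dport 80 -m state --state=NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/service iptables save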
===========1 vai luu y khi su dung snorby============
- De lay duoc database ta phai vao Administrator->Worker & Job Queue->Start worker. Tro lai dashboard ta thay do thi da xuat hien
- De hien thi thoi gian dung tren do thi ta vao Settings->Time zone->Current Password->Update Settings
- De hien thi Severity con tuy thuoc vao rule. Ta phai xac dinh muc do nguy hiem
bang cach them cac option classtype hoac priority
- Doi khi ta phai xoa cac file trong /var/log/snort de tranh truong hop barnyard log lai tat ca cac file log lam mat thoi gian, va khi nay ta dung lenh "rm -rf *" dong nghia voi viec file barnyard2-log.waldo bi mat. Ta chi viec khoi dong lai barnyard va doi mot luc la file waldo nay se xuat hien tro lai.
- Neu ta ping nhieu qua, database co the se full va ko the log len snorby duoc (cai nay ko chac chan lam vi chua test ky). Khi nay ta co the khac phuc bang cach xoa du lieu trong bang event cua database snorby di bang cau lenh "delete from event;" (nho la phai vao db snorby)
===============Add NIC=================
Add Network Adapter cho VM
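# Config file for the new adapter (presumably written in
# /etc/sysconfig/network-scripts/ — the notes show no cd). The original only
# touched the empty file and listed the basic parameters to add; here they are
# written in one go.
# HWADDR must match the MAC that `ifconfig -a` shows for eth1.
cat > ifcfg-eth1 <<'EOF'
DEVICE=eth1
HWADDR=00:0C:29:B3:55:44
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
EOF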
cisconullroute
---------------