Installing Snort, Barnyard, Pulledpork and Snorby on CentOS 6.6
Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort writes its output in a binary format (unified2), so we need a tool to parse it. For this task we use Barnyard2, an open source interpreter for Snort unified2 binary output files. Its primary use is to let Snort write to disk efficiently and leave the parsing of the binary data into various formats to a separate process, so that Snort does not miss network traffic. Snort also needs rules, and they have to be updated periodically. This is where Pulledpork comes in: a Perl script that keeps Snort's rules up to date. Finally, we need a nice front-end to make analysing the alerts Snort produces easier. For this purpose we will install Snorby, a Ruby on Rails web application for network security monitoring that interfaces with the current popular intrusion detection systems (Snort, Suricata and Sagan). The basic fundamental concepts behind Snorby are simplicity, organization and power (you can find a demo here; username: demo@snorby.org, password: snorby). We will install Snort version 2.9.7.2, which is the latest version. Configuring Snort and everything else that is required is a boring job, so @petkoutroumpis and I made a simple bash script that automates the whole process. You can find the bash script at github. Nevertheless, below is the full installation, step by step.
Before beginning the installation, disable SELinux: open /etc/selinux/config with vi and change the line
SELINUX=enforcing
to
SELINUX=disabled
and reboot.
Install some prerequisite packages.
yum -y install vim wget man make gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump \
gcc-c++ mysql-server mysql mysql-devel libtool perl-libwww-perl perl-Archive-Tar perl-Crypt-SSLeay git gcc \
libxml2 libxml2-devel libxslt libxslt-devel httpd curl-devel httpd-devel apr-devel apr-util-devel \
libXrender fontconfig libXext ruby-devel unzip xz
Now we will install libdnet and daq from source:
cd /usr/local/src
wget http://sourceforge.net/projects/libdnet/files/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
tar -zxvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure --with-pic
make
sudo make install
cd /usr/local/src
wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz
tar -zxvf daq-2.0.4.tar.gz
cd daq-2.0.4
./configure
make
sudo make install
It’s time to install Snort:
cd /usr/local/src
wget https://snort.org/downloads/snort/snort-2.9.7.2.tar.gz
tar -zxvf snort-2.9.7.2.tar.gz
cd snort-2.9.7.2
./configure --enable-sourcefire
make
sudo make install
Issue the commands below to configure Snort properly (directories, placeholder rule files, and a dedicated unprivileged snort user that owns them):
sudo mkdir -p /etc/snort/rules
sudo mkdir -p /var/log/snort/eth0
sudo mkdir /var/log/barnyard2
sudo mkdir -p /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/rules/iplists
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /var/log/snort/eth0/barnyard2.waldo
sudo touch /etc/snort/sid-msg.map
cd /usr/local/src/snort-2.9.7.2
sudo cp etc/* /etc/snort
sudo groupadd -g 40000 snort
sudo useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
sudo chown -R snort:snort *
sudo chown -R snort:snort /var/log/snort
We have to modify the following variables in our /etc/snort/snort.conf file. This assumes that the network we are going to monitor is 192.168.0.0/24.
var RULE_PATH /etc/snort/rules
ipvar HOME_NET 192.168.0.0/24
ipvar EXTERNAL_NET !$HOME_NET
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
Alternatively, run the following two commands to make the same changes to /etc/snort/snort.conf (the first also enables unified2 output, comments out the dynamicdetection line and all rule includes; the second re-enables the local.rules include):
sudo sed -i -e '/^include \$RULE_PATH/s/^/#/' -e '/^var RULE_PATH/s/\.\.\/rules/\/etc\/snort\/rules/' -e '/^var SO_RULE/s/\.\.\/so_rules/so_rules/' \
-e '/^var PREPROC/s/\.\.\/.*/preproc_rules/' -e '/^var WHITE/s/\.\..*/\/etc\/snort\/rules/' -e '/^var BLACK/s/\.\..*/\/etc\/snort\/rules/' \
-e '/# unified2/a output unified2: filename snort.log, limit 128' -e '/^dynamicdetection/s/^/#/' -e '/^ipvar HOME_NET/s/any/192.168.0.0\/24/' \
-e '/^ipvar EXTERNAL_NET/s/any/!\$HOME_NET/' /etc/snort/snort.conf
sudo sed -i -e '/#include.*local\.rules/s/#//' /etc/snort/snort.conf
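To confirm that the two sed commands produced the intended snort.conf, here is a small shell check, added here as an example (it is not part of the original post or of the authors' script), that reproduces the tutorial's edits on a constructed miniature snort.conf and verifies the result. It assumes GNU sed, as on CentOS, and HOME_NET 192.168.0.0/24 as above.

```shell
# Constructed miniature snort.conf holding only the stock lines the
# tutorial's sed expressions touch (the real file has hundreds more).
make_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# unified2
# output unified2: filename merged.log, limit 128, nostamp
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
EOF
}

# The tutorial's two sed invocations, unchanged, applied to the file $1.
apply_tutorial_edits() {
    sed -i -e '/^include \$RULE_PATH/s/^/#/' -e '/^var RULE_PATH/s/\.\.\/rules/\/etc\/snort\/rules/' \
        -e '/^var SO_RULE/s/\.\.\/so_rules/so_rules/' -e '/^var PREPROC/s/\.\.\/.*/preproc_rules/' \
        -e '/^var WHITE/s/\.\..*/\/etc\/snort\/rules/' -e '/^var BLACK/s/\.\..*/\/etc\/snort\/rules/' \
        -e '/# unified2/a output unified2: filename snort.log, limit 128' -e '/^dynamicdetection/s/^/#/' \
        -e '/^ipvar HOME_NET/s/any/192.168.0.0\/24/' -e '/^ipvar EXTERNAL_NET/s/any/!\$HOME_NET/' "$1"
    sed -i -e '/#include.*local\.rules/s/#//' "$1"
}

# Post-edit check: returns 0 only if every setting the tutorial expects is
# present and no rule include other than local.rules is still active.
check_snort_conf() {
    grep -q '^ipvar HOME_NET 192\.168\.0\.0/24$' "$1" || return 1
    grep -q '^ipvar EXTERNAL_NET !\$HOME_NET$' "$1" || return 1
    grep -q '^var RULE_PATH /etc/snort/rules$' "$1" || return 1
    grep -q '^var BLACK_LIST_PATH /etc/snort/rules$' "$1" || return 1
    grep -q '^output unified2: filename snort.log, limit 128$' "$1" || return 1
    grep -q '^#dynamicdetection ' "$1" || return 1
    grep -q '^include \$RULE_PATH/local\.rules$' "$1" || return 1
    ! grep '^include ' "$1" | grep -qv 'local\.rules'
}
```

Run check_snort_conf against the real /etc/snort/snort.conf after editing it, then let Snort validate the whole configuration with snort -T -c /etc/snort/snort.conf -i eth0.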
Continue with some more configuration for Snort (restrict the source trees and config files to the snort user, install the init script and its sysconfig file, and disable the sysconfig options that conflict with the unified2 output configured above):
cd /usr/local/src
sudo chown -R snort:snort daq-2.0.4
sudo chown -R snort:snort snort-2.9.7.2
sudo chown -R snort:snort snort_dynamicsrc
sudo chmod -R 700 daq-2.0.4
sudo chmod -R 700 snort-2.9.7.2
sudo chmod -R 700 snort_dynamicsrc
cd snort-2.9.7.2
sudo cp rpm/snortd /etc/init.d/snort
sudo cp rpm/snort.sysconfig /etc/sysconfig/snort
sudo chmod 700 /etc/init.d/snort
sudo chmod 700 /etc/sysconfig/snort
cd /usr/sbin
sudo ln -s /usr/local/bin/snort snort
sudo cp /etc/sysconfig/snort /etc/sysconfig/snort_default
sudo sed -i -e '/PASS_FIRST/s/^/#/' -e '/^ALERTMODE/s/^/#/' -e '/^DUMP_APP/s/^/#/' -e '/^BINARY_LOG/s/^/#/' \
-e '/^NO_PACKET_LOG/s/^/#/' -e '/^PRINT_INTERFACE/s/^/#/' /etc/sysconfig/snort
cd /var/log
sudo chmod 700 snort
sudo chown -R snort:snort snort
cd /usr/local/lib
sudo chown -R snort:snort snort*
sudo chown -R snort:snort snort_dynamic*
sudo chown -R snort:snort pkgconfig