1. Environment
ubuntu-14.04.5
daq-2.0.7
Snort-2.9.15.1
Barnyard2
snorby
MySQL
Docker
2. Architecture
3. Installation steps
Ubuntu setup
If this is a freshly installed Ubuntu system, run the steps below; otherwise they can be skipped, depending on your actual environment.
sudo apt-get update
sudo apt-get dist-upgrade -y
sudo apt-get install -y openssh-server
sudo reboot
Install the Snort dependencies
Snort requires the following to be installed before it can run: libpcap, PCRE, libdnet and DAQ.
sudo apt-get install -y build-essential
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev
sudo apt-get install -y bison flex
mkdir ~/snort_src
cd ~/snort_src
Install DAQ (Data AcQuisition library)
cd ~/snort_src
wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
tar -xvzf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure
make
sudo make install
sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
On Ubuntu 16, run (not on Ubuntu 14):
sudo apt-get install -y libnghttp2-dev
On Ubuntu 14, run (not on Ubuntu 16):
sudo apt-get install -y autoconf libtool pkg-config
cd ~/snort_src
wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-1.17.0.tar.gz
tar -xzvf nghttp2-1.17.0.tar.gz
cd nghttp2-1.17.0
autoreconf -i --force
automake
autoconf
./configure --enable-lib-only
make
sudo make install
Install Snort
cd ~/snort_src
wget https://snort.org/downloads/snort/snort-2.9.15.1.tar.gz
tar -xvzf snort-2.9.15.1.tar.gz
cd snort-2.9.15.1
./configure --enable-sourcefire
make
sudo make install
Post-install configuration
sudo ldconfig
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
If we do not want to run Snort as root, we need to create a separate account. We create some files and directories for Snort to use and set permissions on them. Snort uses the following folders: /etc/snort holds the configuration and rule files; /var/log/snort/ holds the alert logs; /usr/local/lib/snort_dynamicrules/ holds additional rules.
# Create the snort user and group:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create some files that store rules and IP lists:
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# Change ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
cd ~/snort_src/snort-2.9.15.1/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort_src/snort-2.9.15.1/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
sudo vi /etc/snort/snort.conf
Change line 45 to your own host network:
ipvar HOME_NET 10.0.0.0/24
Change line 104 as follows:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
Change line 110 as follows:
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
Uncomment line 546:
include $RULE_PATH/local.rules
Install Barnyard2
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
Change line 521 of /etc/snort/snort.conf to the following:
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.u2, limit 128
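As an added example (not code from the original post), the following POSIX shell script checks that the snort.conf edits described above (HOME_NET at line 45, the path variables at lines 104 and 110, the local.rules include at line 546 and the unified2 output at line 521) were actually applied before Snort and Barnyard2 are started. It assumes the config path is passed as the first argument and uses constructed stock and edited sample configs for the stand-alone run.

```shell
#!/bin/sh
# Added example, not from the original post: check that the snort.conf edits
# described above (HOME_NET, the rule path variables, the uncommented local.rules
# include and the unified2 output line barnyard2 reads) are present in the file $1.
check_snort_conf() {
    conf="$1"
    problems=0
    # HOME_NET must be set and must not be the stock value "any"
    if ! grep -Eq '^ipvar[[:space:]]+HOME_NET[[:space:]]+' "$conf" \
       || grep -Eq '^ipvar[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$' "$conf"; then
        echo "HOME_NET is not set to a concrete network"; problems=$((problems + 1))
    fi
    # The five path variables changed at lines 104 and 110 of snort.conf
    for pair in 'RULE_PATH /etc/snort/rules' 'SO_RULE_PATH /etc/snort/so_rules' \
                'PREPROC_RULE_PATH /etc/snort/preproc_rules' \
                'WHITE_LIST_PATH /etc/snort/rules/iplists' \
                'BLACK_LIST_PATH /etc/snort/rules/iplists'; do
        name=${pair%% *}; value=${pair#* }
        if ! grep -Eq "^var[[:space:]]+$name[[:space:]]+$value[[:space:]]*\$" "$conf"; then
            echo "missing or wrong: var $name $value"; problems=$((problems + 1))
        fi
    done
    # The local.rules include (line 546) must not be commented out
    if ! grep -Eq '^include[[:space:]]+\$RULE_PATH/local\.rules' "$conf"; then
        echo "include \$RULE_PATH/local.rules is commented out or absent"; problems=$((problems + 1))
    fi
    # barnyard2 only reads unified2 output; without it nothing reaches MySQL
    if ! grep -Eq '^output[[:space:]]+unified2:[[:space:]]*filename[[:space:]]+snort\.u2' "$conf"; then
        echo "unified2 output (filename snort.u2) is not enabled"; problems=$((problems + 1))
    fi
    return "$problems"   # 0 when every edit is present, otherwise the problem count
}
# Constructed sample configs: "edited" carries every change from the post,
# anything else mimics the untouched defaults shipped in the tarball.
write_sample_conf() {
    if [ "$2" = edited ]; then
        printf '%s\n' 'ipvar HOME_NET 10.0.0.0/24' 'var RULE_PATH /etc/snort/rules' \
            'var SO_RULE_PATH /etc/snort/so_rules' 'var PREPROC_RULE_PATH /etc/snort/preproc_rules' \
            'var WHITE_LIST_PATH /etc/snort/rules/iplists' 'var BLACK_LIST_PATH /etc/snort/rules/iplists' \
            'output unified2: filename snort.u2, limit 128' 'include $RULE_PATH/local.rules' > "$1"
    else
        printf '%s\n' 'ipvar HOME_NET any' 'var RULE_PATH ../rules' 'var SO_RULE_PATH ../so_rules' \
            'var PREPROC_RULE_PATH ../preproc_rules' 'var WHITE_LIST_PATH ../rules' \
            'var BLACK_LIST_PATH ../rules' '# output unified2: filename merged.log, limit 128' \
            '# include $RULE_PATH/local.rules' > "$1"
    fi
}
# Stand-alone run: the stock copy reports problems, the edited copy passes
f=$(mktemp); write_sample_conf "$f" stock; check_snort_conf "$f" || echo "stock: $? problem(s)"
write_sample_conf "$f" edited; check_snort_conf "$f" && echo "edited: all edits present"; rm -f "$f"
```

Against the real file, run check_snort_conf /etc/snort/snort.conf; a non-zero exit status together with the printed list tells you which edit is still missing.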
cd ~/snort_src
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-Master.tar.gz
tar zxvf barnyard2-Master.tar.gz
cd barnyard2-master
autoreconf -fvi -I ./m4
sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
sudo make install
sudo cp ~/snort_src/barnyard2-master/etc/barnyard2.conf /etc/snort/
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo
Add the following as the last line of /etc/snort/barnyard2.conf. The database is snort; if Snorby is installed, it can be set to snorby instead.
output database: log, mysql, user=<MySQL username> password=<MySQL password> dbname=snort host=localhost sensor_name=sensor01
sudo chmod o-r /etc/snort/barnyard2.conf
Run command
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u root
Install Snorby
On Ubuntu, Docker can be installed automatically with the install script; once it finishes, Docker is ready to use.
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
After Docker is installed, install Snorby.
docker pull troptop/docker-snorby
Configure the Docker image parameters; the meaning of each parameter is described at the following link:
link
docker run -d --name snorby -p 80:80 --env="MYSQL_HOST=database_ip" --env="MYSQL_USER=snorby" --env="MYSQL_PASSWORD=snorby" --env="MYSQL_DBNAME=snorby" --env="INSTALLDB" --env="MYSQL_ADMIN=root" --env="MYSQL_ADMINPASS=rootpassword" troptop/docker-snorby
Enter the container and check development.log under the log folder to see whether the web service started successfully.
docker exec -it snorby bash
Finally, open the Docker gateway address in a browser to log in to Snorby.
Problems
'aclocal-1.15' is missing on your system
cd ~/snort_src
wget http://ftp.gnu.org/gnu/automake/automake-1.15.tar.gz
tar -xvzf automake-1.15.tar.gz
cd automake-1.15
./configure --docdir=/usr/share/doc/automake-1.15
make
sudo make install
Autoconf 2.65 or better is required
wget http://ftp.gnu.org/gnu/autoconf/autoconf-2.68.tar.gz
tar xzf autoconf-2.68.tar.gz
cd autoconf-2.68
./configure
make
sudo make install
LuaJIT library not found.
sudo wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
sudo tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
make
sudo make install
possibly undefined macro: AC_PROG_LIBTOOL
# Copy the files from the system's /usr/share/aclocal into the aclocal path of the locally built automake
cp -rf /usr/share/aclocal/* /usr/local/share/aclocal/
Cannot connect to the database
1. The database does not allow remote connections.
mysql> grant all on *.* to root@'%' identified by '123456' with grant option; flush privileges;
2. Change the MySQL configuration file.
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1 # change to the host address.
/etc/init.d/mysql restart # restart the MySQL service.
Pitfalls
automake version changes: compiling DAQ requires automake 1.15, while compiling Snort requires automake 1.13.4; unless you switch between the two, the build fails.
