I installed Snort with the following configuration:

#/etc/snort/snort.conf
ipvar HOME_NET 172.16.0.0/22
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

output log_unified2: filename snort.u2, limit 128

I have an ICMP rule configured as follows:

#/etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

I start Snort with the following command (alerts go to snort.u2.timestamp):

snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens32 -D

My barnyard2 configuration file:

#/etc/snort/barnyard2.conf 
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config logdir: /var/log/snort
config hostname:   snort
config interface:  ens32
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=root password=support dbname=snorby host=127.0.0.1
# if you want to have to forward alerts also to syslog, uncomment the following 2 lines.
#output alert_syslog_full: sensor_name snortIds1-eth1, local
#output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT

I start it with the following command:

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

In the log I get the following, and nothing is written to MySQL:

Sep  1 17:15:22 snort snort[4374]: 
Sep  1 17:15:22 snort snort[4374]: [ Port Based Pattern Matching Memory ]
Sep  1 17:15:22 snort snort[4374]: +- [ Aho-Corasick Summary ] -------------------------------------
Sep  1 17:15:22 snort snort[4374]: | Storage Format    : Full-Q
Sep  1 17:15:22 snort snort[4374]: | Finite Automaton  : DFA
Sep  1 17:15:22 snort snort[4374]: | Alphabet Size     : 256 Chars
Sep  1 17:15:22 snort snort[4374]: | Sizeof State      : Variable (1,2,4 bytes)
Sep  1 17:15:22 snort snort[4374]: | Instances         : 169
Sep  1 17:15:22 snort snort[4374]: |     1 byte states : 159
Sep  1 17:15:22 snort snort[4374]: |     2 byte states : 10
Sep  1 17:15:22 snort snort[4374]: |     4 byte states : 0
Sep  1 17:15:22 snort snort[4374]: | Characters        : 94550
Sep  1 17:15:22 snort snort[4374]: | States            : 72655
Sep  1 17:15:22 snort snort[4374]: | Transitions       : 7856776
Sep  1 17:15:22 snort snort[4374]: | State Density     : 42.2%
Sep  1 17:15:22 snort snort[4374]: | Patterns          : 5205
Sep  1 17:15:22 snort snort[4374]: | Match States      : 5820
Sep  1 17:15:22 snort snort[4374]: | Memory (MB)       : 37.50
Sep  1 17:15:22 snort snort[4374]: |   Patterns        : 0.58
Sep  1 17:15:22 snort snort[4374]: |   Match Lists     : 1.27
Sep  1 17:15:22 snort snort[4374]: |   DFA
Sep  1 17:15:22 snort snort[4374]: |     1 byte states : 0.97
Sep  1 17:15:22 snort snort[4374]: |     2 byte states : 34.39
Sep  1 17:15:22 snort snort[4374]: |     4 byte states : 0.00
Sep  1 17:15:22 snort snort[4374]: +----------------------------------------------------------------
Sep  1 17:15:22 snort snort[4374]: [ Number of patterns truncated to 20 bytes: 319 ]
Sep  1 17:15:22 snort snort[4374]: pcap DAQ configured to passive.
Sep  1 17:15:22 snort snort[4374]: Acquiring network traffic from "ens32".
Sep  1 17:15:22 snort snort[4374]: Initializing daemon mode
Sep  1 17:15:22 snort snort[4375]: Daemon initialized, signaled parent pid: 4374
Sep  1 17:15:22 snort snort[4375]: Reload thread starting...
Sep  1 17:15:22 snort snort[4375]: Reload thread started, thread 0x7f1b35e85700 (4376)
Sep  1 17:15:22 snort snort[4375]: Decoding Ethernet
Sep  1 17:15:22 snort snort[4375]: Checking PID path...
Sep  1 17:15:22 snort snort[4375]: PID path stat checked out ok, PID path set to /var/run/
Sep  1 17:15:22 snort snort[4375]: Writing PID "4375" to file "/var/run//snort_ens32.pid"
Sep  1 17:15:22 snort kernel: device ens32 entered promiscuous mode
Sep  1 17:15:22 snort snort[4375]: Set gid to 40000
Sep  1 17:15:22 snort snort[4375]: Set uid to 40000
Sep  1 17:15:22 snort snort[4375]: 
Sep  1 17:15:22 snort snort[4375]: --== Initialization Complete ==--
Sep  1 17:15:22 snort snort[4375]: Commencing packet processing (pid=4375)
Sep  1 17:15:39 snort barnyard2: +[ Signature Suppress list ]+
----------------------------
Sep  1 17:15:39 snort barnyard2: +[No entry in Signature Suppress List]+
Sep  1 17:15:39 snort barnyard2: ----------------------------
+[ Signature Suppress list ]+
Sep  1 17:15:47 snort barnyard2: Barnyard2 spooler: Event cache size set to [2048]
Sep  1 17:15:47 snort barnyard2: Log directory = /var/log/snort
Sep  1 17:15:47 snort barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Sep  1 17:15:47 snort barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
Sep  1 17:15:47 snort barnyard2: Initializing daemon mode
Sep  1 17:15:47 snort barnyard2: Daemon initialized, signaled parent pid: 4378
Sep  1 17:15:47 snort barnyard2: PID path stat checked out ok, PID path set to /var/run/
Sep  1 17:15:47 snort barnyard2: Writing PID "4379" to file "/var/run//barnyard2_ens32.pid"
Sep  1 17:15:47 snort barnyard2: Daemon parent exiting
Sep  1 17:16:14 snort avahi-daemon[579]: Invalid response packet from host 172.16.0.211.
Sep  1 17:17:15 snort barnyard2: [SignatureReferencePullDataStore()]: No Reference found in database ...
Sep  1 17:17:15 snort barnyard2: database: compiled support for (mysql)
Sep  1 17:17:15 snort barnyard2: database: configured to use mysql
Sep  1 17:17:15 snort barnyard2: database: schema version = 107
Sep  1 17:17:15 snort barnyard2: database:           host = 127.0.0.1
Sep  1 17:17:15 snort barnyard2: database:           user = root
Sep  1 17:17:15 snort barnyard2: database:  database name = snorby
Sep  1 17:17:15 snort barnyard2: database:    sensor name = snort:ens32
Sep  1 17:17:15 snort barnyard2: database:      sensor id = 1
Sep  1 17:17:15 snort barnyard2: database:     sensor cid = 12
Sep  1 17:17:15 snort barnyard2: database:  data encoding = hex
Sep  1 17:17:15 snort barnyard2: database:   detail level = full
Sep  1 17:17:15 snort barnyard2: database:     ignore_bpf = no
Sep  1 17:17:15 snort barnyard2: database: using the "log" facility
Sep  1 17:17:15 snort barnyard2: 
Sep  1 17:17:15 snort barnyard2: --== Initialization Complete ==--
Sep  1 17:17:15 snort barnyard2: Barnyard2 initialization completed successfully (pid=4379)
Sep  1 17:17:15 snort barnyard2: Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1409587851
    record_idx      = 475
Sep  1 17:17:15 snort barnyard2: Opened spool file '/var/log/snort/snort.u2.1409587851'
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: Closing spool file '/var/log/snort/snort.u2.1409587851'. Read 484 records
Sep  1 17:17:15 snort barnyard2: Opened spool file '/var/log/snort/snort.u2.1409588122'
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
1 Answer

For barnyard2 to work, the unified2 output file created by snort must contain both alert and PCAP data.

So in /etc/snort/snort.conf (or wherever your Snort configuration lives) you need to specify output unified2: <filename> (I recommend not using "snort.log" as the filename).

Check the barnyard2 global variables file, /etc/default/barnyard2 or /etc/sysconfig/barnyard2, and comment out the BINARY_LOG setting. Also make sure the log file name matches the one you used in snort.conf.

Restart Snort, then restart barnyard2 and check whether it is working.

Edit:
For some reason the BINARY_LOG setting takes precedence over the other settings and snort produces only pcap log files. (If you run file /var/log/snort/snort.log.* you will see that the files are pure pcap (packet capture), i.e. they contain no Snort alert/event information.)

Barnyard2 only works with log files that contain both event and pcap information, unless there is some setting I have overlooked. Go figure. Running file on a valid barnyard2 Unified2 file should just report "data" or something of that nature.

Hope this helps. I lost a lot of time and hair over this.

Answered 2014-09-12T19:39:32.727
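The answer's advice is to check what kind of file Snort is actually writing before blaming barnyard2. The script below is an added example (not code from the question, the answer, Snort or Barnyard2) that does that check programmatically: it recognises a libpcap file by its magic number, and otherwise walks the unified2 record framing and counts event records, packet records, and packet records whose event was never written to the spool. The record layouts and type numbers follow Snort's Unified2_common.h; the two sample files at the bottom are constructed inline, the script name u2check.py is hypothetical, and the sid/rev values and 172.16.0.x addresses in the constructed event are taken from the question's rule and HOME_NET. Note that Snort's log_unified2 plugin (the one in the question's snort.conf) writes packet records only, while the combined unified2 plugin the answer recommends writes the event record and then its packet, so a spool full of "orphan" packets is exactly the situation in which barnyard2 has nothing to insert.

```python
"""u2check.py (hypothetical name): tell a Snort pcap log from a unified2 spool and summarise its records.

Added example for the answer above; not code from the question, the answer, Snort or Barnyard2.
Record layouts and type numbers follow Snort's Unified2_common.h; the sample files are constructed.
"""
import struct

# Magic numbers that open a libpcap file (both byte orders, micro- and nanosecond variants)
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}

# unified2 record types from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
# EVENT, IDS_EVENT, IDS_EVENT_IPV6, _MPLS, _IPV6_MPLS, _VLAN, _IPV6_VLAN
EVENT_TYPES = {1, 7, 72, 99, 100, 104, 105}


def is_pcap(data: bytes) -> bool:
    """True when the file opens with a libpcap global-header magic (what `file` calls a tcpdump capture)."""
    return len(data) >= 4 and struct.unpack(">I", data[:4])[0] in PCAP_MAGICS


def iter_unified2_records(data: bytes):
    """Yield (record_type, body) for each big-endian <type, length> framed unified2 record."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            raise ValueError(f"truncated record at offset {off}")
        yield rtype, body
        off += 8 + rlen
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes after the last record")


def summarize(data: bytes) -> dict:
    """Classify the file and count event vs. packet records.

    A packet record whose (sensor_id, event_id) was not announced by an earlier
    event record is counted as an orphan: a spool holding only such packets gives
    barnyard2 no event to write to the database.
    """
    counts = {"format": "pcap", "events": 0, "packets": 0, "orphan_packets": 0, "other": 0}
    if is_pcap(data):
        return counts
    counts["format"] = "unified2"
    seen_events = set()
    for rtype, body in iter_unified2_records(data):
        # sensor_id and event_id are the first two u32 fields of both event and packet bodies
        key = struct.unpack(">II", body[:8]) if len(body) >= 8 else None
        if rtype in EVENT_TYPES:
            counts["events"] += 1
            seen_events.add(key)
        elif rtype == UNIFIED2_PACKET:
            counts["packets"] += 1
            if key not in seen_events:
                counts["orphan_packets"] += 1
        else:
            counts["other"] += 1
    return counts


def build_sample_pcap() -> bytes:
    # constructed: an empty little-endian libpcap file (global header only, link type 1 = Ethernet)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def _record(rtype: int, body: bytes) -> bytes:
    return struct.pack(">II", rtype, len(body)) + body


def build_sample_unified2(orphan: bool = False) -> bytes:
    # constructed: one legacy IDS event (type 7, 52-byte body) for sid 477 rev 3 from the question's
    # rule, followed by its packet record; with orphan=True a packet for an unwritten event follows.
    event = struct.pack(">11IHH4B",
                        1, 1, 1409587851, 0,      # sensor_id, event_id, event_second, event_microsecond
                        477, 1, 3, 0, 3,          # signature_id, generator_id, revision, classification, priority
                        0xAC100001, 0xAC1000D3,   # ip_source 172.16.0.1, ip_destination 172.16.0.211
                        8, 0,                     # sport_itype (ICMP echo request), dport_icode
                        1, 0, 0, 0)               # protocol ICMP, impact_flag, impact, blocked
    frame = b"\x00" * 42                          # placeholder Ethernet/IP/ICMP bytes, not a real capture

    def packet(event_id: int) -> bytes:
        # sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length
        hdr = struct.pack(">7I", 1, event_id, 1409587851, 1409587851, 0, 1, len(frame))
        return _record(UNIFIED2_PACKET, hdr + frame)

    data = _record(UNIFIED2_IDS_EVENT, event) + packet(1)
    if orphan:
        data += packet(2)
    return data


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, summarize(fh.read()))
```

Run it against the spool directory from the question, e.g. python3 u2check.py /var/log/snort/snort.u2.*: a result of "pcap" means Snort is writing packet captures rather than unified2, and a unified2 result with events at 0 and orphan_packets equal to packets means the spool carries packets but no events, which is the shape of the warnings in the question's log.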