I have everything needed to run Snort in place:
- PulledPork to update the Snort rules
- non-threaded tcl and all the required packages
- mysqltcl
- Tclx
- sha1
- たこ
- etc.
- sguil client and server
- mysql server
- I am using snort_agent.tcl
- barnyard2
I have also configured snort.conf with the sfportscan preprocessor:
output unified2: filename snort.log_unified, limit 128
preprocessor sfportscan: proto { all } scan_type { all } memcap { 1000000 } sense_level { high }
Here is the output from running Snort; I have trimmed it down to the interesting bits.
snort -u sguil -g sguil -l /var/snort/snort_data/sensor1 -c /etc/snort/snort.conf -U -A full -m 122 -i eth0
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/lib/snort_dynamicrules.
Finished Loading all dynamic detection libs from /usr/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
Log directory = /var/snort/snort_data/sensor1
...
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: High/Experimental
Memcap (in bytes): 10000000
Number of Nodes: 17391
...
I GET A TON OF THESE
WARNING: /etc/snort/rules/web-attacks.rules(29) GID 1 SID 1328 in rule duplicates previous rule. Ignoring old rule.
...
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
WARNING: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
WARNING: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
33 out of 1024 flowbits in use.
...
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.2.2 IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.3.0
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.7
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.15 <Build 18>
Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_DNP3 (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_MODBUS (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_GTP (IPV6) Version 1.1 <Build 1>
Commencing packet processing (pid=4448)
Here is how I run the port scan:
nmap -p1-65535 -sV -sS -O [sensor ip]
Now, my problem is at the sensor level / logging level. This is what shows up in my sensor_agent.tcl console:
Checking for PS files in /var/snort/snort_data/quad-ext/portscans.
Unknown barnyard data: [garbled text]
BYCmdRcvd: Barnyard disconnected.
Sending sguild (sock3) SystemMessage {Barnyard disconnected.}
Sending sguild (sock3) BarnyardDisConnect {2015-02-19 00:03:20}
barnyard connected: sock8 127.0.0.1 42223
Unknown barnyard data:
Any help would be greatly appreciated! I just want to get started one way or another, but apart from the port scan I am trying to set up there is no real reasonable test.
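Before blaming barnyard2 or sguild, it is worth confirming that the sfportscan alerts actually reached the unified2 spool that `output unified2` writes under the log directory given on the Snort command line. The following is an added example, not code from the poster or from the Snort/sguil projects: it walks a unified2 file and counts events per GID/SID, singling out GID 122 (sfportscan); the `SAMPLE` bytes at the bottom are constructed for the example and stand in for the contents of the real `snort.log_unified.<timestamp>` file.

```python
import socket
import struct
from collections import Counter

# Record types from Snort's Unified2_common.h; sfportscan alerts carry GID 122
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN, GID_SFPORTSCAN = 2, 7, 104, 122
# Event (type 7): sensor, event_id, sec, usec, sid, gid, rev, class, prio, src, dst,
# sport, dport, proto, impact_flag, impact, blocked. Type 104 ("v2") shares these first 52 bytes.
EVENT_V1 = struct.Struct("!11I2H4B")
PKT_HDR = struct.Struct("!7I")   # sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, pkt_len
def iter_records(data):
    """Yield (type, body) per length-prefixed record; stop at one Snort has not flushed yet."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            break
        yield rtype, body
        off += 8 + rlen
def parse_event(body):
    f = EVENT_V1.unpack_from(body)
    return {"event_id": f[1], "sid": f[4], "gid": f[5], "proto": f[13],
            "src": socket.inet_ntoa(struct.pack("!I", f[9])),
            "dst": socket.inet_ntoa(struct.pack("!I", f[10]))}
def summarize(data):
    """Count events per (gid, sid) and packet records; single out portscan events."""
    by_sig, packets, portscan = Counter(), 0, 0
    for rtype, body in iter_records(data):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            ev = parse_event(body)
            by_sig[(ev["gid"], ev["sid"])] += 1
            portscan += ev["gid"] == GID_SFPORTSCAN
        elif rtype == UNIFIED2_PACKET:
            packets += 1
    return {"by_sig": dict(by_sig), "packets": packets, "portscan_events": portscan}
def make_event(gid, sid, src, dst):
    """Constructed type-104 event record, used only to exercise the parser offline."""
    ip = lambda a: struct.unpack("!I", socket.inet_aton(a))[0]
    body = EVENT_V1.pack(1, 7, 1424304200, 0, sid, gid, 1, 0, 3, ip(src), ip(dst), 0, 0, 6, 0, 0, 0)
    body += struct.pack("!IHH", 0, 0, 0)   # mpls_label, vlan_id, pad
    return struct.pack("!II", UNIFIED2_IDS_EVENT_VLAN, len(body)) + body
def make_packet(payload):
    """Constructed packet record; sfportscan writes its text report as a pseudo-packet payload."""
    body = PKT_HDR.pack(1, 7, 1424304200, 1424304200, 0, 1, len(payload)) + payload
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body
# Constructed spool: one portscan event with its pseudo-packet, then a half-written header
SAMPLE = (make_event(GID_SFPORTSCAN, 1, "10.0.0.5", "10.0.0.1")
          + make_packet(b"Priority Count: 5\nConnection Count: 10\n")
          + struct.pack("!II", UNIFIED2_IDS_EVENT, 52))
```

If `summarize()` on the real spool reports no GID 122 events, the problem is upstream in Snort (the sfportscan config or the traffic never reaching eth0); if it does, the spool is fine and the agent/barnyard2 handoff is where to look.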