Liangyu's Blog (良玉的博客): drop by drop, the water gathers into a river. The road of a browser-game and mobile-game Linux ops engineer

Installing and using snort 2.9.6.2 + barnyard2 + ACID

CentOS 6.4 64-bit, snort version 2.9.6.2
Acid + Adodb + Jpgraph. ACID (Analysis Console for Incident Databases) is the standard analyst console used with snort.
Download acid-0.9.6b23.tar.gz here:       http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
Download jpgraph-3.5.0b1.tar.gz here:     http://jpgraph.net/download/download.php?p=5
Then start the installation:
# tar xvf acid-0.9.6b23.tar.gz
# tar xvf jpgraph-3.5.0b1.tar.gz
# tar xvf adodb518a.tgz
# mv adodb5 adodb
# mv jpgraph-3.5.0b1 jpgraph
and copy them to /var/www/html (with the version numbers removed from the directory names)
# vim acid/acid_conf.php
Change the following:
$DBlib_path = "../adodb";
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "123456";
/* Archive DB connection parameters */
$archive_dbname   = "snort";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "snort";
$archive_password = "123456";
$ChartLib_path = "../jpgraph/src";
With snort 2.9.6.2, barnyard2-master is used instead for the database connection.
Download https://codeload.github.com/firnsy/barnyard2/zip/master
#unzip barnyard2-master.zip
#cd barnyard2-master
#sh autogen.sh
#./configure --with-mysql --with-mysql-libraries=/usr/local/mysql/lib/
#make
#make install
#cp rpm/barnyard2 /etc/init.d/
#chmod +x /etc/init.d/barnyard2
#cp rpm/barnyard2.config /etc/sysconfig/barnyard2
#chkconfig --add barnyard2
#ln -s /usr/local/etc/barnyard2.conf /etc/snort/etc/barnyard.conf
#ln -s /usr/local/bin/barnyard2 /usr/bin/
#mkdir -p /var/log/snort/eth0/archive/
Because /etc/init.d/barnyard2 expects snort at /usr/sbin/snort, but the snort installed here is /usr/local/bin/snort:
# whereis snort
snort: /etc/snort /usr/local/bin/snort /usr/local/lib/snort
# ln -s  /usr/local/bin/snort   /usr/sbin/snort
#vim /etc/init.d/barnyard2
BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -L $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
Change to:
BARNYARD_OPTS="-D -c /etc/snort/etc/barnyard.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid"
Uppercase -L is changed to lowercase -l, because the official init script has a typo: there is no -L option.
The original settings send -d and -l to /var/log/snort/eth0 and -a to /var/log/snort/eth0/archive, but the snort installed here writes to /var/log/snort.
# vim /etc/sysconfig/barnyard2 
Change:
LOG_FILE="snort.u2" 
CONF=/etc/snort/etc/barnyard.conf
Keep this consistent with /etc/snort/etc/snort.conf
[root@localhost snort-2.9.6.2]# cp ./rpm/snort.sysconfig /etc/sysconfig/snort
# vim /etc/sysconfig/snort
Change:
CONF=/etc/snort/etc/snort.conf
#ALERTMODE=fast
#BINARY_LOG=1
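As an added example (not code from the original post), a small Python reader for the unified2 spool files that snort writes under its -l directory and that barnyard2 drains with -d, -f and -w: it walks the record headers, decodes the legacy IDS event record (type 7), and stops at a partially written record, which is exactly the case the waldo bookmark lets barnyard2 resume from later. The sample spool bytes are constructed inline; the field layout is the standard unified2 one, the sample values are made up.

```python
import socket
import struct

RECORD_HDR = struct.Struct("!II")   # record header: uint32 type, uint32 length, big-endian
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7              # Unified2IDSEvent_legacy, 52-byte body
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
IDS_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
              "signature_id", "generator_id", "signature_revision",
              "classification_id", "priority_id", "ip_source", "ip_destination",
              "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")

def iter_records(data):
    """Yield (offset, type, payload) for each complete record; a truncated last
    record (snort still writing it) ends the walk, the case the waldo bookmark covers."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        end = off + RECORD_HDR.size + rlen
        if end > len(data):
            break
        yield off, rtype, data[off + RECORD_HDR.size:end]
        off = end

def parse_ids_event(payload):
    """Decode a type-7 event body into a dict with dotted-quad addresses."""
    ev = dict(zip(IDS_FIELDS, IDS_EVENT.unpack(payload[:IDS_EVENT.size])))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
    return ev

def read_spool(data):
    """Return (events, bookmark): decoded events and the byte offset to resume from."""
    events, bookmark = [], 0
    for off, rtype, payload in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            events.append(parse_ids_event(payload))
        bookmark = off + RECORD_HDR.size + len(payload)
    return events, bookmark

# Constructed sample spool: one complete IDS event (sid 1000001, TCP 192.168.10.5 ->
# 192.168.10.71:80) followed by a packet record cut off after 10 of its 100 bytes.
_event = IDS_EVENT.pack(1, 7, 1407302392, 0, 1000001, 1, 3, 0, 2, 0xC0A80A05, 0xC0A80A47,
                        40123, 80, 6, 0, 0, 0)
SAMPLE_SPOOL = (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(_event)) + _event
                + RECORD_HDR.pack(UNIFIED2_PACKET, 100) + b"\x00" * 10)

if __name__ == "__main__":
    print(read_spool(SAMPLE_SPOOL))   # one decoded event, resume offset 60
```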
# barnyard2

  ______   -*> Barnyard2 <*-
/ ,,_  \  Version 2.1.13 (Build 327)
|o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

USAGE: barnyard2 [-options] <filter options>
Gernal Options:
        -c <file>  Use configuration file <file>
        -C <file>  Read the classification map from <file>
        -D         Run barnyard2 in background (daemon) mode
        -e         Display the second layer header info
        -F         Turn off fflush() calls after binary log writes
        -g <gname> Run barnyard2 gid as <gname> group (or gid) after initialization
        -G <file>  Read the gen-msg map from <file>
        -h <name>  Define the hostname <name>. For logging purposes only
        -i <if>    Define the interface <if>. For logging purposes only
        -I         Add Interface name to alert output
        -l <ld>    Log to directory <ld>
        -m <umask> Set umask = <umask>
        -O         Obfuscate the logged IP addresses
        -q         Quiet. Don't show banner and status report
        -r <id>    Include 'id' in barnyard2_intf<id>.pid file name
        -R <file>  Read the reference map from <file>
        -S <file>  Read the sid-msg map from <file>
        -t <dir>   Chroots process to <dir> after initialization
        -T         Test and report on the current barnyard2 configuration
        -u <uname> Run barnyard2 uid as <uname> user (or uid) after initialization
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -y         Include year in timestamp in the alert and log files
        -?         Show this information

Continual Processing Options:
        -a <dir>   Archive processed files to <dir>
        -f <base>  Use <base> as the base filename pattern
        -d <dir>   Spool files from <dir>
        -n         Only process new events
        -w <file>  Enable bookmarking using <file>

Batch Processing Mode Options:
        -o         Enable batch processing mode

Longname options and their corresponding single char version
   --disable-alert-on-each-packet-in-stream  Alert once per event
   --event-cache-size <integer>      Set Spooler MAX event cache size
   --reference <file>                Same as -R
   --classification <file>           Same as -C
   --gen-msg <file>                  Same as -G
   --sid-msg <file>                  Same as -S
   --process-new-records-only        Same as -n
   --pid-path <dir>                  Specify the directory for the barnyard2 PID file
   --help                            Same as -?
   --version                         Same as -V
   --create-pidfile                  Create PID file, even when not in Daemon mode
   --nolock-pidfile                  Do not try to lock barnyard2 PID file


Uh, you need to tell me to do something...

ERROR: Fatal Error, Quitting..
Barnyard2 exiting
===============================================================================
Record Totals:
   Records:           0
   Events:           0 (0.000%)
   Packets:           0 (0.000%)
   Unknown:           0 (0.000%)
   Suppressed:           0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 0          (0.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 0          (0.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 0        
===============================================================================
Create the snort database
mysql -p123456 -uroot snort < ./barnyard2-master/schemas/create_mysql
mysql> create database snort;
mysql> use snort;
mysql> source ../schemas/create_mysql;
mysql> grant all on snort.* to snort@localhost identified by "123456";
mysql> flush privileges;
Start snort first
# snort -usnort -gsnort -i eth0 -c /etc/snort/etc/snort.conf -A fast -l /var/log/snort/
Then start barnyard2
# /etc/init.d/barnyard2 start
Starting Snort Output Processor (barnyard2):               [FAILED]
It fails; check the messages log for the error:
Aug  6 13:19:52 localhost barnyard2[47539]:         --== Initializing Barnyard2 ==--
Aug  6 13:19:52 localhost barnyard2[47539]: Initializing Input Plugins!
Aug  6 13:19:52 localhost barnyard2[47539]: Initializing Output Plugins!
Aug  6 13:19:52 localhost barnyard2[47539]: Parsing config file "/etc/snort/etc/barnyard.conf"
Aug  6 13:19:52 localhost barnyard2[47539]: ERROR: Unable to open Reference file '/etc/snort/reference.config' (No such file or directory)
Aug  6 13:19:52 localhost barnyard2[47539]: ERROR: Unable to open Classification file '/etc/snort/classification.config' (No such file or directory)
The paths are wrong, so fix the paths in /etc/snort/etc/barnyard.conf:
config reference_file:      /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file:            /etc/snort/etc/gen-msg.map
config sid_file:            /etc/snort/etc/sid-msg.map
config logdir: /var/log/barnyard2
config hostname:   localhost
config interface:  eth0
config waldo_file: /var/log/snort/barnyard2.waldo
and add:
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
Then start it again
# /etc/init.d/barnyard2 start
Starting Snort Output Processor (barnyard2):   [  OK  ]
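The failure above came from map-file paths in barnyard.conf that pointed at files that did not exist, plus a missing output line, and the daemon only reported it after the init script had already printed FAILED. As an added example (not part of the original post), a Python preflight check that parses a barnyard2 config and reports those problems before starting the service. The filesystem inventory and the two config texts are constructed inline so it runs anywhere; on a real box call check_conf with the defaults.

```python
import os

MAP_KEYS = ("reference_file", "classification_file", "gen_file", "sid_file")

def parse_conf(text):
    """Return ({config key: value}, [output plugin lines]) from barnyard2 config text."""
    config, outputs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("config ") and ":" in line:
            key, value = line[7:].split(":", 1)
            config[key.strip()] = value.strip()
        elif line.startswith("output "):
            outputs.append(line[7:].strip())
    return config, outputs

def check_conf(text, isfile=os.path.isfile, isdir=os.path.isdir):
    """Return the problems the daemon would die on: map files that do not exist,
    no directory for the waldo bookmark, and no database output at all."""
    config, outputs = parse_conf(text)
    problems = []
    for key in MAP_KEYS:
        path = config.get(key)
        if path is None:
            problems.append(f"config {key}: not set")
        elif not isfile(path):
            problems.append(f"config {key}: {path} does not exist")
    waldo_dir = os.path.dirname(config.get("waldo_file", ""))
    if not waldo_dir or not isdir(waldo_dir):
        problems.append(f"config waldo_file: directory {waldo_dir!r} missing")
    if not any(o.startswith("database:") for o in outputs):
        problems.append("no 'output database:' line, so no event reaches MySQL/ACID")
    return problems

# Constructed inventory standing in for the box's filesystem, so this runs anywhere.
PRESENT_FILES = {"/etc/snort/etc/" + n for n in
                 ("reference.config", "classification.config", "gen-msg.map", "sid-msg.map")}
PRESENT_DIRS = {"/var/log/snort"}
BAD_CONF = """\
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/etc/gen-msg.map
config sid_file:            /etc/snort/etc/sid-msg.map
config waldo_file: /var/log/snort/barnyard2.waldo
"""
GOOD_CONF = (BAD_CONF.replace("/etc/snort/reference", "/etc/snort/etc/reference")
             .replace("/etc/snort/classification", "/etc/snort/etc/classification")
             + "output database: log, mysql, user=snort password=123456 dbname=snort host=localhost\n")

def audit(text):
    return check_conf(text, isfile=PRESENT_FILES.__contains__, isdir=PRESENT_DIRS.__contains__)
```

audit(BAD_CONF) lists the two missing map files and the missing output line; audit(GOOD_CONF) returns an empty list.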
Then open http://192.168.10.71/acid/acid_main.php in the browser.
The following error appears:
The underlying database snort@localhost appears to be incomplete/invalid.
The database version is valid, but the ACID DB structure (table: acid_ag) is not present. Use the Setup page to configure and optimize the DB.
This means the database version is correct but the privileges and the tables in the database are not; clicking the setup page shows that tables are missing.
There is an SQL file under the acid directory; import it into the database:
[root@localhost acid]# mysql -p123456 -uroot snort <create_acid_tbls_mysql.sql
Done.

