GUIs
----
http://blog.snort.org/2011/01/guis-for-snort.html
A Comparison of 3 Popular Snort GUIs
------------------------------------
http://blog.snort.org/2011/10/comparison-of-3-popular-snort-guis.html
Snorby
------
Open Source and maintained...
https://snorby.org/
Squert
------
Open Source, updated last year:
http://www.squertproject.org/home
Ossim - AlienVault
------------------
http://communities.alienvault.com/
Snorby installation
---------------------
$ export GEM_HOME=/home/snorby/ruby/gems/1.8
$ export GEM_PATH=/home/snorby/ruby/gems/1.8
$ gem install bundler
$ export PATH=/home/snorby/ruby/gems/1.8/bin:$PATH
Error when trying to start Snorby
--------------------------------
$ bundle exec rake snorby:setup
WARNING: # 1.2.3"]>
# -*- encoding: utf-8 -*-
Gem::Specification.new do |s|
s.name = %q{dm-active_model}
s.version = "1.2.1"
(...)
WARNING: Invalid .gemspec format in '/home/snorby/ruby/gems/1.8/specifications/dm-active_model-1.2.1.gemspec'
Could not find dm-active_model-1.2.1 in any of the sources
Run `bundle install` to install missing gems.
Error when trying to start Snorby
--------------------------------
According to `http://stackoverflow.com/questions/12019452/invalid-gemspec-when-trying-to-exec-rake`, the problem is that Ruby 1.9 is *NOT* being used
Compiling ruby and rubygems
------------------------
$ tar xzf ruby-1.9.3-p392.tar.gz
$ tar xzf rubygems-1.8.25.tgz
$ cd ruby-1.9.3-p392
$ ./configure --prefix=/opt/ruby-1.9.3-p392
$ make
$ make install
$ cd ../rubygems-1.8.25
$ export GEM_HOME=/opt/ruby-1.9.3-p392/lib
$ export GEM_PATH=/opt/ruby-1.9.3-p392/lib
$ ruby setup.rb --prefix=/opt/rubygems-1.8.25
$ cat /opt/ruby.settings
export PATH=/opt/ruby-1.9.3-p392/bin:/opt/rubygems-1.8.25/bin:$PATH
export GEM_HOME=/opt/ruby-1.9.3-p392/lib
export GEM_PATH=/opt/ruby-1.9.3-p392/lib
And then, install `bundler`
$ gem install bundler
$ mysql *************
mysql> GRANT ALL PRIVILEGES ON snorby_dev.* TO 'snorby_dev'@'localhost';
Query OK, 0 rows affected (0.07 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.03 sec)
Snorby EBook
------------
https://github.com/Snorby/snorby/wiki/Snorby-E-Book
Production setup
-------------------
$ bundle exec rake snorby:setup RAILS_ENV=production
Deploy
------
Recommended method:
- https://www.phusionpassenger.com/
Rails deploy
---------------
- http://rubyonrails.org/deploy
+ unicorn - http://unicorn.bogomips.org/
Unicorn+Snorby installation
--------------------------
https://www.corelan.be/index.php/2011/02/27/cheat-sheet-installing-snorby-2-2-with-apache2-and-suricata-with-barnyard2-on-ubuntu-10-x/
http://unicorn.bogomips.org/examples/unicorn.conf.rb
Init script: https://gist.github.com/hgdeoro/5100058
Security Onion: Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring)
--------------
http://securityonion.blogspot.com.ar/
Q: How can I re-create the database in Snorby?
A: You can cd into the snorby root dir and run the following command: `RAILS_ENV=production bundle exec rake snorby:hard_reset`
https://groups.google.com/forum/?fromgroups=#!topic/snorby/iWui_rUVeOU
http://polaris.umuc.edu/~sgantz/Barnyard.html
(...) These instructions therefore cover installing Barnyard2, adjusting output settings in snort.conf, configuring Barnyard2’s operating parameters in barnyard2.conf, and running Barnyard2 (...)
Snort -> Barnyard2 -> Snorby
----------------------------
https://github.com/Snorby/snorby/wiki/Installing-Barnyard2
$ ./configure --prefix=/opt/snort-2.9.4 --with-mysql
(...)
checking for mysql...
**********************************************
ERROR: unable to find mysqlclient library (libmysqlclient.*)
checked in the following places
/usr
/usr/lib
/usr/mysql
/usr/mysql/lib
/usr/lib/mysql
/usr/local
/usr/local/lib
/usr/local/mysql
/usr/local/mysql/lib
/usr/local/lib/mysql
**********************************************
SOLUTION:
- http://techinterplay.com/how-to-fix-the-error-unable-to-find-mysqlclient-library-libmysqlclient.html
$ ./configure --prefix=/opt/snort-2.9.4 --with-mysql --with-mysql-libraries=/usr/lib64/mysql
It started! ...I was going to write "It works!", but I'm still not sure whether it's actually working :-D
$ barnyard2 -v -c /opt/snort-2.9.4/etc/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo --pid-path=/var/run/barnyard2/barnyard2.pid
Found pid path directive (/var/run/barnyard2/barnyard2.pid)
Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/opt/snort-2.9.4/etc/barnyard2.conf"
Found pid path directive (/var/run/barnyard2/barnyard2.pid)
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
Checking PID path...
WARNING: /var/run/barnyard2/barnyard2.pid is invalid, trying /var/run...
Previous Error, errno=2, (No such file or directory)
WARNING: _PATH_VARRUN is invalid, trying /var/log...
WARNING: /var/log/ is invalid, logging Snort PID path to log directory (/var/log/barnyard2)
Writing PID "4472" to file "/var/log/barnyard2//barnyard2_eth0.pid"
Node unique name is: firewall:eth0
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='1';]
[ClassificationPullDataStore()]: No Classification found in database ...
[SignaturePullDataStore()]: No signature found in database ...
[SystemPullDataStore()]: No System found in database ...
[ReferencePullDataStore()]: No Reference found in database ...
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snorby_prod
database: database name = snorby_prod
database: sensor name = firewall:eth0
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility
--== Initialization Complete ==--
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.12 (Build 321)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns
WARNING: Unable to open waldo file '/var/log/snort/barnyard2.waldo' (No such file or directory)
Waiting for new spool file
IT IS `-f snort.log`
$ barnyard2 -v -c /opt/snort-2.9.4/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo --pid-path=/var/run/barnyard2
Snort -> Barnyard2 -> Snorby
http://www.securixlive.com/barnyard2/faq.php#q1
Snort does *NOT* generate the unified2 file
----------------------------------
The init script was starting it like this:
$ /opt/snort-2.9.4/bin/snort -A fast -b -d -i eth0 -u snort -g snort -c /opt/snort-2.9.4/etc/snort.conf -l /var/log/snort -x
It turns out that removing the '-A xxxx' and the '-b' made it work. Removing the '-A xxxx' comes up in several forums...
$ /opt/snort-2.9.4/bin/snort -d -i eth0 -u snort -g snort -c /opt/snort-2.9.4/etc/snort.conf -l /var/log/snort -x
#
# Snort
#
$ /opt/snort-2.9.4/bin/snort -i eth0 -u snort -g snort -c /opt/snort-2.9.4/etc/snort.conf -x
$ cat /opt/snort-2.9.4/etc/snort.conf
output unified2: filename snort.u2, limit 128
#
# Barnyard2
#
$ barnyard2 -v -c /opt/snort-2.9.4/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
$ cat /opt/snort-2.9.4/etc/barnyard2.conf
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output alert_fast: stdout
output database: alert, mysql, user=******** password=******** dbname=******** host=localhost
#
# Result
#
$ ls -lh /var/log/snort/
total 32M
-rw-r--r--. 1 root root 32M Mar 13 15:50 alert
-rw-------. 1 snort snort 2.1K Mar 13 15:52 barnyard2.waldo
-rw-------. 1 snort snort 45K Mar 13 15:51 snort.u2.1363200690
#
# MySql (BEFORE)
#
mysql> select * from event;
Empty set (0.00 sec)
#
# MySql (AFTER)
#
mysql> select * from event;
+-----+-----+-----------+-------------------+-------------+---------+-------------+------------------+---------------------+-----+
| sid | cid | signature | classification_id | users_count | user_id | notes_count | number_of_events | timestamp | id |
+-----+-----+-----------+-------------------+-------------+---------+-------------+------------------+---------------------+-----+
| 1 | 4 | 476 | NULL | 0 | NULL | 0 | 0 | 2013-03-13 15:51:49 | 1 |
| 1 | 5 | 476 | NULL | 0 | NULL | 0 | 0 | 2013-03-13 15:51:49 | 2 |
| 1 | 6 | 476 | NULL | 0 | NULL | 0 | 0 | 2013-03-13 15:51:49 | 3 |
| 1 | 7 | 476 | NULL | 0 | NULL | 0 | 0 | 2013-03-13 15:51:49 | 4 |
| 1 | 8 | 476 | NULL | 0 | NULL | 0 | 0 | 2013-03-13 15:51:49 | 5 |
| 1 | 9 | 476 | NULL | 0 | NULL | 0 | 0 | 2013-03-13 15:51:49 | 6 |
(...)
When Snorby shows:
The Snorby worker is not currently running.
the solution is at https://github.com/Snorby/snorby/issues/21.
Basically:
cd /var/www/snorby && /usr/local/bin/ruby script/delayed_job start
cd /var/www/snorby && /usr/local/bin/rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'
Pulled Pork
- Installation: http://www.rivy.org/2013/03/updating-snort-rules-using-pulled-pork/
After downloading from SVN and configuring:
$ perl pulledpork.pl
Type of arg 1 to keys must be hash (not hash element) at pulledpork.pl line 1165, near "})"
BEGIN not safe after errors--compilation aborted at pulledpork.pl line 1773.
ERROR!
It's a bug, it happens to a lot of people: https://code.google.com/p/pulledpork/issues/detail?id=127
The problem was introduced in SVN rev.254: https://code.google.com/p/pulledpork/source/detail?r=254
DOC:
https://code.google.com/p/pulledpork/wiki/FAQ
http://www.rivy.org/2013/03/updating-snort-rules-using-pulled-pork/
http://seclists.org/snort/2011/q2/429
http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html
http://nachum234.no-ip.org/security/snort/001-snort-installation-on-centos-6-2/
http://nachum234.no-ip.org/security/snort/104-configure-snort-automatic-rules-updating-with-pulledpork/
Solution: install perl :-(
$ curl -L http://install.perlbrew.pl > perlbrew.pl
$ chmod +x perlbrew.pl
$ ./perlbrew.pl
## Download the latest perlbrew
## Installing perlbrew
perlbrew is installed: ~/perl5/perlbrew/bin/perlbrew
perlbrew root (~/perl5/perlbrew) is initialized.
Append the following piece of code to the end of your ~/.bash_profile and start a
new shell, perlbrew should be up and fully functional from there:
source ~/perl5/perlbrew/etc/bashrc
Simply run `perlbrew` for usage details.
Happy brewing!
## Installing patchperl
## Done.
$ perlbrew install --notest stable
Fetching perl 5.18.0 as /home/snort/perl5/perlbrew/dists/perl-5.18.0.tar.bz2
(...)
$ perlbrew list
perl-5.18.0
$ perlbrew use perl-5.18.0
$ cpan
cpan[2]> install Net::SSLeay
cpan[3]> install Archive::Tar
cpan[4]> install LWP::Protocol::https
cpan[1]> install Crypt::SSLeay
YES!
$ perl /opt/pulledpork/pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cummingsj@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2940.tar.gz....
Rules tarball download of snortrules-snapshot-2940.tar.gz....
They Match
Done!
Checking latest MD5 for community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....
They Match
Done!
IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....
Reading IP List...
Checking latest MD5 for opensource.gz....
Rules tarball download of opensource.gz....
They Match
Done!
Prepping rules from community-rules.tar.gz for work....
Done!
Prepping rules from snortrules-snapshot-2940.tar.gz for work....
Done!
Prepping rules from opensource.gz for work....
Done!
Reading rules...
Generating Stub Rules....
An error occurred: WARNING: ip4 normalizations disabled because not inline.
An error occurred: WARNING: tcp normalizations disabled because not inline.
An error occurred: WARNING: icmp4 normalizations disabled because not inline.
An error occurred: WARNING: ip6 normalizations disabled because not inline.
An error occurred: WARNING: icmp6 normalizations disabled because not inline.
Done
Reading rules...
Reading rules...
Writing Blacklist File /opt/snort-2.9.4/etc/iplists/default.blacklist....
Writing Blacklist Version 859267684 to /opt/snort-2.9.4/etc/iplistsIPRVersion.dat....
Setting Flowbit State....
Enabled 28 flowbits
Done
Writing /opt/snort-2.9.4/etc/rules/snort.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /opt/snort-2.9.4/etc/sid-msg.map....
Done
Writing /var/log/snort/sid_changes.log....
Done
Rule Stats...
New:-------17931
Deleted:---0
Enabled Rules:----4592
Dropped Rules:----0
Disabled Rules:---13338
Total Rules:------17930
IP Blacklist Stats...
Total IPs:-----2498
Done
Please review /var/log/snort/sid_changes.log for additional details
Fly Piggy Fly!
WATCH OUT! The following supposed HTTP 500 error happens when the environment variables for using the proxy are not set... I think it's really a connection error, wrongly reported as http 500...
bash-4.1$ perl /opt/pulledpork/pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cummingsj@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2940.tar.gz....
Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz.md5 at /opt/pulledpork/pulledpork.pl line 463.
main::md5file('c5539228505ca4be0c6ed822da8c2a25fe37f8ad', 'snortrules-snapshot-2940.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /opt/pulledpork/pulledpork.pl line 1847
INSTALLATION FROM SRC.RPM
http://wiki.centos.org/HowTos/RebuildSRPM
http://www.owlriver.com/tips/non-root/
----------
$ rpmbuild --showrc
$ mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
$ echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
$ rpmbuild --rebuild daq-2.0.0-1.src.rpm
$ ls -l rpmbuild/RPMS/x86_64/
total 400
-rw-rw-r--. 1 hgdeoro hgdeoro 142924 jul 17 16:21 daq-2.0.0-1.x86_64.rpm
-rw-rw-r--. 1 hgdeoro hgdeoro 264140 jul 17 16:21 daq-debuginfo-2.0.0-1.x86_64.rpm
$ sudo rpm -i rpmbuild/RPMS/x86_64/daq-2.0.0-1.x86_64.rpm
$ rpmbuild --rebuild snort-2.9.5-1.src.rpm
$ sudo rpm -i rpmbuild/RPMS/x86_64/snort-2.9.5-1.x86_64.rpm
After adding 2 rules in rules and adjusting the configuration:
Jul 17 17:24:31 firewall snort[2573]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Jul 17 17:24:31 firewall snort[2573]: Initializing rule chains...
Jul 17 17:24:31 firewall snort[2573]: 2 Snort rules read
Jul 17 17:24:31 firewall snort[2573]: 2 detection rules
Jul 17 17:24:31 firewall snort[2573]: 0 decoder rules
Jul 17 17:24:31 firewall snort[2573]: 0 preprocessor rules
Jul 17 17:24:31 firewall snort[2573]: 2 Option Chains linked into 2 Chain Headers
Jul 17 17:24:31 firewall snort[2573]: 0 Dynamic rules
Jul 17 17:24:31 firewall snort[2573]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Configuration adjustments:
diff --git a/snort/snort.conf b/snort/snort.conf
index 3aaed31..e7ceb8f 100644
--- a/snort/snort.conf
+++ b/snort/snort.conf
@@ -110,8 +110,8 @@ var PREPROC_RULE_PATH ../preproc_rules
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
-var WHITE_LIST_PATH ../rules
-var BLACK_LIST_PATH ../rules
+var WHITE_LIST_PATH /etc/snort/rules
+var BLACK_LIST_PATH /etc/snort/rules
###################################################
# Step #2: Configure the decoder. For more information, see README.decode
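Review bot: WHITE_LIST_PATH and BLACK_LIST_PATH are both pointed at /etc/snort/rules here, while the PulledPork configuration dumped later in this thread writes the downloaded list to `black_list = /etc/snort/iplists/default.blacklist` and keeps `IPRVersion = /etc/snort/iplists`; since the reputation preprocessor (the context of the next hunk) resolves its list files through these vars, either set BLACK_LIST_PATH to /etc/snort/iplists or have PulledPork write into /etc/snort/rules, otherwise the freshly written blacklist is never loaded.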
@@ -523,8 +523,10 @@ preprocessor reputation: \
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp
+output unified2: filename snort.u2, limit 128
+
# syslog
-# output alert_syslog: LOG_AUTH LOG_ALERT
+output alert_syslog: LOG_AUTH LOG_ALERT
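Review bot: `+output unified2: filename snort.u2, limit 128` deliberately omits `nostamp`, so Snort appends a Unix timestamp to the spool file (the listing further down shows snort.u2.1363200690), which is exactly the naming that barnyard2's `-f snort.u2` prefix expects; a short comment on that line would help, because a later comment in this thread hits the case where a bare snort.u2 without timestamp is not picked up. It is also worth noting next to this line that the RPM init script's ALERTMODE and BINARY_LOG settings in /etc/sysconfig/snort have to be changed before this output takes effect, as the thread discovers afterwards.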
After upgrading to a newer, RPM-based Snort, Snort stopped generating the alerts in "snort.u2", and therefore barnyard doesn't read them!
The log files to be generated seem to be ignored:
/etc/snort/snort.conf
output alert_unified2: filename au2_snort.alert, limit 128, nostamp
output log_unified2: filename lu2_snort.log, limit 128, nostamp
output unified2: filename u2_snort.u2, limit 128
output alert_syslog: LOG_AUTH LOG_ALERT
And the files that get generated are:
$ ls -lhart /var/log/snort/
(...) ===> old files
-rw-------. 1 snort snort 243K jul 24 11:31 snort.log.1374646506
drwxr-xr-x. 2 snort snort 4,0K jul 24 11:32 .
-rw-------. 1 snort snort 93K jul 24 11:42 snort.log.1374676276
-rw-r--r--. 1 root root 519K jul 24 11:42 alert
The file formats (from the new snort and from the old one):
$ file alert snort.log.1374676276 snort.u2.1374087517
// alerts, in plain text:
alert: ASCII text
// dump from the new snort -> tcpdump
snort.log.1374676276: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
// dump from the previous snort (the one that worked fine with barnyard): DATA!
snort.u2.1374087517: data
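The `file` output above only says "tcpdump capture file" versus "data", which is exactly the distinction that decides whether barnyard2 can read the spool. The following Python check is an added example, not code from the original post nor from Snort or barnyard2: it inspects the header bytes, walks unified2 records and decodes the 52-byte IDS event record that barnyard2 ultimately turns into a row of the `event` table. The sample inputs are constructed inline (the filenames are taken from the listings above, the bytes are not), and the record type numbers and event layout follow the unified2 format as documented for Snort 2.9.

```python
import struct

# Magic numbers that open a libpcap ("tcpdump capture file") header:
# both byte orders plus the nanosecond-resolution variants.
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}

# Unified2 record types that may open a Snort spool file.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110
KNOWN_U2_TYPES = {UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
                  UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN,
                  UNIFIED2_EXTRA_DATA}

# Unified2IDSEvent (type 7) body: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes,
# all big-endian, like every unified2 record header.
IDS_EVENT_STRUCT = struct.Struct(">11IHHBBBB")


def classify_spool_file(data: bytes) -> str:
    """Return 'pcap', 'unified2' or 'unknown' for the first bytes of a spool file."""
    if len(data) < 8:
        return "unknown"
    (magic,) = struct.unpack("<I", data[:4])
    if magic in PCAP_MAGICS:
        return "pcap"        # what `file` reports as "tcpdump capture file"
    rtype, rlen = struct.unpack(">II", data[:8])
    if rtype in KNOWN_U2_TYPES and 8 + rlen <= len(data):
        return "unified2"    # what `file` reports merely as "data"
    return "unknown"


def iter_unified2_records(data: bytes):
    """Yield (type, body) for each complete record; stop at a truncated tail."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break            # Snort is still writing this record; barnyard2 waits
        yield rtype, body
        off += 8 + rlen


def parse_ids_event(body: bytes) -> dict:
    """Decode the fixed 52-byte Unified2IDSEvent body into a dict."""
    f = IDS_EVENT_STRUCT.unpack_from(body)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "event_microsecond": f[3], "signature_id": f[4], "generator_id": f[5],
        "signature_revision": f[6], "classification_id": f[7], "priority_id": f[8],
        "ip_source": ".".join(str(b) for b in f[9].to_bytes(4, "big")),
        "ip_destination": ".".join(str(b) for b in f[10].to_bytes(4, "big")),
        "sport_itype": f[11], "dport_icode": f[12], "protocol": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def summarize_spool(data: bytes) -> dict:
    """Classify a spool blob, count its records and list the gid:sid of IDS events."""
    summary = {"kind": classify_spool_file(data), "records": 0, "events": []}
    if summary["kind"] != "unified2":
        return summary
    for rtype, body in iter_unified2_records(data):
        summary["records"] += 1
        if rtype == UNIFIED2_IDS_EVENT:
            ev = parse_ids_event(body)
            summary["events"].append(f"{ev['generator_id']}:{ev['signature_id']}")
    return summary


def _u2_record(rtype: int, body: bytes) -> bytes:
    return struct.pack(">II", rtype, len(body)) + body


# Constructed sample inputs (not captured from the sensor in the post).
# A pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen 1514, Ethernet.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)

_event_body = IDS_EVENT_STRUCT.pack(
    1, 4, 1363200709, 0,          # sensor_id, event_id, event_second, usec
    1000001, 1, 1, 0, 3,          # sid (local-rules range), gid, rev, class, prio
    0x0A000001, 0x0A000002,       # 10.0.0.1 -> 10.0.0.2
    12345, 80, 6, 0, 0, 0,        # sport, dport, TCP, impact_flag, impact, blocked
)
SAMPLE_U2 = (_u2_record(UNIFIED2_IDS_EVENT, _event_body)
             + _u2_record(UNIFIED2_PACKET, b"\x00" * 28 + b"\xAA" * 14)
             + _u2_record(UNIFIED2_IDS_EVENT, _event_body)
             + b"\x00\x00\x00\x07\x00\x00\x00\x34\x00\x00")  # truncated record

if __name__ == "__main__":
    for name, blob in (("snort.log.1374678292", SAMPLE_PCAP),
                       ("snort.u2.1363200690", SAMPLE_U2)):
        print(name, summarize_spool(blob))
```

Run it against a real spool directory by reading the first few KB of each file; a "pcap" verdict means the `-b` packet log is being written where barnyard2 expects unified2.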
Modifying /etc/sysconfig/snort so that it reads:
BINARY_LOG=0
Now this gets generated:
$ ls -lahrt
-rw-------. 1 snort snort 11K jul 24 11:48 lu2_snort.log
-rw-r--r--. 1 root root 590K jul 24 11:48 alert
and the file's data type is 'data' (as before)...
$ file lu2_snort.log
lu2_snort.log: data
Something similar (maybe the same thing):
- http://seclists.org/snort/2012/q4/408
[root@firewall snort]# grep BINARY /etc/sysconfig/snort
# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
BINARY_LOG=0
[root@firewall snort]# ps auxf | grep --color -C 2 -i snort
root 26783 0.0 0.1 108432 2036 pts/0 S 11:24 0:00 \_ -bash
root 30211 7.0 0.0 110336 1112 pts/0 R+ 12:05 0:00 \_ ps auxf
root 30212 0.0 0.0 103236 864 pts/0 S+ 12:05 0:00 \_ grep --color -C 2 -i snort
ntp 1282 0.0 0.0 25936 1448 ? Ss Jul17 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 1318 0.0 0.1 108164 1552 ? S Jul17 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
--
root 2070 0.0 0.0 4060 588 tty5 Ss+ Jul17 0:00 /sbin/mingetty /dev/tty5
root 2074 0.0 0.0 4060 592 tty6 Ss+ Jul17 0:00 /sbin/mingetty /dev/tty6
snort 4701 0.0 3.9 110892 59832 ? Ss Jul17 1:54 /opt/snort-2.9.4/bin/barnyard2 -D -c /opt/snort-2.9.4/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
snort 30197 0.1 4.9 408920 74748 ? Ssl 12:04 0:00 /usr/sbin/snort -A fast -d -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
[root@firewall snort]# cat /etc/snort/snort.conf | egrep -v ^# | grep output
output unified2: filename snort.u2, limit 128
output alert_syslog: LOG_AUTH LOG_ALERT
[root@firewall snort]# ls -lhart | tail
(...)
drwxr-xr-x. 2 snort snort 4,0K jul 24 12:04 .
-rw-------. 1 snort snort 11K jul 24 12:06 snort.log.1374678292
-rw-r--r--. 1 root root 812K jul 24 12:06 alert
[root@firewall snort]# file snort.log.1374678292
snort.log.1374678292: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
[root@firewall snort]# grep BINARY /etc/sysconfig/snort
# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
BINARY_LOG=0
[root@firewall snort]# cat /etc/snort/snort.conf | egrep -v ^# | grep output
output log_unified2: filename lu2_snort.log, limit 128, nostamp
output alert_syslog: LOG_AUTH LOG_ALERT
[root@firewall snort]# ps auxf | grep --color -C 2 -i snort
root 26783 0.0 0.1 108432 2040 pts/0 S 11:24 0:00 \_ -bash
root 31042 0.0 0.0 110340 1112 pts/0 R+ 12:13 0:00 \_ ps auxf
root 31043 0.0 0.0 103236 864 pts/0 S+ 12:13 0:00 \_ grep --color -C 2 -i snort
ntp 1282 0.0 0.0 25936 1448 ? Ss Jul17 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 1318 0.0 0.1 108164 1552 ? S Jul17 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
--
root 2070 0.0 0.0 4060 588 tty5 Ss+ Jul17 0:00 /sbin/mingetty /dev/tty5
root 2074 0.0 0.0 4060 592 tty6 Ss+ Jul17 0:00 /sbin/mingetty /dev/tty6
snort 4701 0.0 3.9 110892 59832 ? Ss Jul17 1:54 /opt/snort-2.9.4/bin/barnyard2 -D -c /opt/snort-2.9.4/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
snort 31033 0.0 4.9 408784 74628 ? Ssl 12:13 0:00 /usr/sbin/snort -A fast -d -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
[root@firewall snort]# ls -lhart | tail
-rw-rw-r--. 1 snort snort 0 jul 24 03:15 sid_changes.log
-rw-r--r--. 1 root root 739K jul 24 03:15 alert-20130724.gz
-rw-rw-r--. 1 snort snort 20 jul 24 03:15 sid_changes.log-20130724.gz
-rw-------. 1 snort snort 243K jul 24 11:31 snort.log.1374646506
-rw-------. 1 snort snort 128K jul 24 11:47 snort.log.1374676276
-rw-------. 1 snort snort 59K jul 24 12:04 snort.log.1374677897
drwxr-xr-x. 2 snort snort 4,0K jul 24 12:04 .
-rw-------. 1 snort snort 52K jul 24 12:13 snort.log.1374678292
-rw-------. 1 snort snort 4,5K jul 24 12:13 lu2_snort.log
-rw-r--r--. 1 root root 883K jul 24 12:13 alert
[root@firewall snort]# file snort.log.1374678292 lu2_snort.log
snort.log.1374678292: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
lu2_snort.log: data
That's it, Snort now generates the file in unified2 format WITHOUT the dump...
The problem now is that it names the file snort.u2, WITHOUT the timestamp, and barnyard2 expects the timestamp!
SOLVED!
For Snort (installed from RPMs built from SRPMs) to start from the init scripts the same way it would start if we compiled it from tgz, /etc/sysconfig/snort must be modified:
1. Comment out ALERTMODE
# ALERTMODE=fast
2. Change BINARY_LOG
BINARY_LOG=0
Of all the options I tried, none generates the dump in "snort.u2."!
Just in case: with the setting just described, snort.conf must contain:
(...)
output unified2: filename snort.u2, limit 128
(...)
HOW TO CREATE AN RPM FOR barnyard2
// [~]$ rm ~/rpmbuild/SOURCES/v2-1.13.tar.gz
// [~]$ rm -rf ~/rpmbuild/BUILD/barnyard2-2-1.13/
[~]$ mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
[~]$ unzip /tmp/barnyard2-2-1.13.zip
[~]$ mv barnyard2-2-1.13 barnyard2-1.13
[~]$ cd barnyard2-1.13/
[barnyard2-1.13]$ ./autogen.sh
[barnyard2-1.13]$ ./configure --with-mysql --with-mysql-libraries=/usr/lib64 --with-mysql-includes=/usr/include
[barnyard2-1.13]$ cd ..
[~]$ tar -czf ~/rpmbuild/SOURCES/v2-1.13.tar.gz barnyard2-1.13
[~]$ rpmbuild -bs barnyard2-1.13/rpm/barnyard2.spec
[~]$ rpmbuild --rebuild --with mysql /home/hgdeoro/rpmbuild/SRPMS/barnyard2-1.13-1.el6.src.rpm
PulledPork + Snort 2.9.5.0 = doesn't work
- http://seclists.org/snort/2013/q3/61
[root@firewall pulledpork]# ./pulledpork.sh
perl-5.18.0
==========
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cummingsj@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Config File Variable Debug /opt/pulledpork/etc/pulledpork.conf
sid_msg_version = 1
distro = RHEL-6-0
sorule_path = /usr/local/lib/snort_dynamicrules/
version = 0.7.0
temp_path = /tmp
IPRVersion = /etc/snort/iplists
snort_path = /usr/sbin/snort
ignore = deleted.rules,experimental.rules,local.rules
sid_changelog = /var/log/snort/sid_changes.log
local_rules = /etc/snort/rules/local.rules
config_path = /etc/snort/snort.conf
black_list = /etc/snort/iplists/default.blacklist
rule_path = /etc/snort/rules/snort.rules
sid_msg = /etc/snort/sid-msg.map
rule_url = ARRAY(0x164d4c0)
MISC (CLI and Autovar) Variable Debug:
arch Def is: x86-64
Config Path is: /opt/pulledpork/etc/pulledpork.conf
Distro Def is: RHEL-6-0
Disabled policy specified
local.rules path is: /etc/snort/rules/local.rules
No Download Flag is Set
Rules file is: /etc/snort/rules/snort.rules
sid changes will be logged to: /var/log/snort/sid_changes.log
sid-msg.map Output Path is: /etc/snort/sid-msg.map
Snort Version is: 2.9.5.0
Snort Config File: /etc/snort/snort.conf
Snort Path is: /usr/sbin/snort
SO Output Path is: /usr/local/lib/snort_dynamicrules/
Will process SO rules
Verbose Flag is Set
Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|c5539228505ca4be0c6ed822da8c2a25fe37f8ad https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|c5539228505ca4be0c6ed822da8c2a25fe37f8ad https://www.snort.org/reg-rules/|opensource.gz|c5539228505ca4be0c6ed822da8c2a25fe37f8ad
file /tmp//snortrules-snapshot-2950.tar.gz does not exist!
at /opt/pulledpork/pulledpork.pl line 1926.