
Just Suricata clippings

IDS/IPS (Intrusion Detection/Prevention System)

Suricata — barnyard2/sguil-sensor — snortsam — cisco route
The Open Information Security Foundation (OISF) will provide support to Ian Firns (aka “firnsy”), one of the official Barnyard2 maintainers at SecurixLive, to help get a few milestones completed within the Barnyard2 roadmap. Most significantly a Snortsam Output Plugin will be completed to allow both Snort and Suricata users to more easily plug in to Snortsam for distributed blocking and response using Frank Knobbe’s Snortsam project. This will make using Snortsam much easier as it will no longer require patching Snort or Suricata on each upgrade.

Barnyard is a critical piece of Suricata as well as Snort, so this support is beneficial to the community as a whole!

During the build and the first start… this shows up

 checking magic.h usability... no
 checking magic.h presence... no
 checking for magic.h... no
 configure: error: magic.h not found ...

The fix should be
yum install file-devel


/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -D -i eth0 --user=suri --group=suri


mkdir -p /var/log/suricata
chown -R root:suri /var/log/suricata
chmod -R 775 /var/log/suricata



[root@suricata suricata]# pwd
/var/log/suricata
[root@suricata suricata]# tail -f http.log stats.log


[root@suricata suricata]# suricata --build-info
23/1/2013 -- 10:03:56 - <Info> - This is Suricata version 1.4 RELEASE
23/1/2013 -- 10:03:56 - <Info> - Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
23/1/2013 -- 10:03:56 - <Info> - 64-bits, Little-endian architecture
23/1/2013 -- 10:03:56 - <Info> - GCC version 4.4.6 20120305 (Red Hat 4.4.6-4), C version 199901
23/1/2013 -- 10:03:56 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
23/1/2013 -- 10:03:56 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
23/1/2013 -- 10:03:56 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
23/1/2013 -- 10:03:56 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
23/1/2013 -- 10:03:56 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
23/1/2013 -- 10:03:56 - <Info> - compiled with libhtp 0.2.11, linked against 0.2.11
[root@suricata suricata]#


30 2 * * * oinkmaster.pl -o /etc/suricata/rules/ -b /etc/suricata/backup 2>&1 |logger -t oinkmaster


freebsd
/usr/ports/security/suricata


linux
apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf \
automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev \
pkg-config python libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev \
libnfnetlink0 git-core libtool automake autoconf libmagic-dev -y


integration
https://home.regit.org/2012/02/ecosystem-of-suricata/


AS65002# whereis snortsam
snortsam: /usr/ports/security/snortsam


AS65002# whereis barnyard2
barnyard2: /usr/ports/security/barnyard2


the dance

Locate the paths to key Snort files, and make sure the paths are correctly set to point to the appropriate files in /etc/snort:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Find the setting for output logging, uncomment it, and edit it to read:
config logdir: /var/log/barnyard2
Find the lines with hostname and interface declarations, uncomment them, and edit them to read:
config hostname: localhost
config interface: eth0
Find the line for declaring the path to the waldo file and edit it to read:
config waldo_file: /var/log/snort/barnyard2.waldo
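The four map files, the log directory and the waldo file above are all paths barnyard2 will try to open at start-up, and a stale one is the usual reason it refuses to run after a move or an upgrade. The following pre-flight check is an added example, not barnyard2's own tooling or the page's script: it reads each `config <key>: <value>` line from a barnyard2.conf and verifies that the files exist and that the log and waldo directories are there. The `demo_check` function builds a throwaway tree under a temp directory purely so the script runs stand-alone; on a real sensor call `check_barnyard2_conf` on the actual conf.

```shell
#!/bin/sh
# Pre-flight check for barnyard2.conf: every file-type "config <key>: <path>"
# entry must exist, and the logdir / waldo_file directories must be present.
# Added example; not barnyard2's own tooling.

# Print the value of "config <key>: <value>" from conf file $1 (key in $2).
conf_value() {
    sed -n "s/^[[:space:]]*config[[:space:]][[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when every referenced path checks out, 1 otherwise; one line per key.
check_barnyard2_conf() {
    conf="$1"
    rc=0
    for key in reference_file classification_file gen_file sid_file; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "MISSING  config $key: not set"; rc=1
        elif [ ! -f "$path" ]; then
            echo "BAD      config $key: $path does not exist"; rc=1
        else
            echo "ok       config $key: $path"
        fi
    done
    logdir=$(conf_value "$conf" logdir)
    if [ -z "$logdir" ] || [ ! -d "$logdir" ]; then
        echo "BAD      config logdir: '$logdir' is not a directory"; rc=1
    else
        echo "ok       config logdir: $logdir"
    fi
    waldo=$(conf_value "$conf" waldo_file)
    wdir=$(dirname "${waldo:-/}")
    if [ -z "$waldo" ] || [ ! -d "$wdir" ]; then
        echo "BAD      config waldo_file: parent of '$waldo' is not a directory"; rc=1
    else
        echo "ok       config waldo_file: $waldo (parent $wdir exists)"
    fi
    return $rc
}

# Constructed demo: mirror the paths from the page under a temp dir and check a
# generated conf. $1 = good (all files present) or bad (sid-msg.map missing).
demo_check() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/etc/snort" "$tmp/var/log/barnyard2" "$tmp/var/log/snort"
    for f in reference.config classification.config gen-msg.map; do
        : > "$tmp/etc/snort/$f"
    done
    [ "$1" = good ] && : > "$tmp/etc/snort/sid-msg.map"
    cat > "$tmp/barnyard2.conf" <<EOF
config reference_file: $tmp/etc/snort/reference.config
config classification_file: $tmp/etc/snort/classification.config
config gen_file: $tmp/etc/snort/gen-msg.map
config sid_file: $tmp/etc/snort/sid-msg.map
config logdir: $tmp/var/log/barnyard2
config hostname: localhost
config interface: eth0
config waldo_file: $tmp/var/log/snort/barnyard2.waldo
EOF
    check_barnyard2_conf "$tmp/barnyard2.conf"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone run: a clean tree, then one with sid-msg.map missing.
demo_check good
demo_check bad || echo "# second run flags the missing sid-msg.map, as expected"
```

On a live sensor, `check_barnyard2_conf /etc/barnyard2.conf` (or wherever the conf lives) before the first start saves a round of reading barnyard2's own error output; a non-zero return is a reason not to start it yet.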


Installing this… the sguil sensor
http://sguil.sourceforge.net/

/usr/ports/security/sguil-sensor

TCL_MODULES Install tcl common modules

cd /usr/ports/devel/git
make install clean
git clone http://github.com/Snorby/snorby.git
cd snorby && bundle install


https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Snorby_and_Barnyard2_set_up_guide


In IDS mode, built from three components: Suricata + barnyard2 + snortsam
http://www.corelan.be/index.php/2011/02/27/cheat-sheet-installing-snorby-2-2-with-apache2-and-suricata-with-barnyard2-on-ubuntu-10-x/


Building on Ubuntu in IPS mode

root@suricata:/var/log/suricata# suricata --build-info
31/1/2013 -- 00:06:40 - <Info> - This is Suricata version 1.4 RELEASE
31/1/2013 -- 00:06:40 - <Info> - Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT
31/1/2013 -- 00:06:40 - <Info> - 64-bits, Little-endian architecture
31/1/2013 -- 00:06:40 - <Info> - GCC version 4.7.2, C version 199901
31/1/2013 -- 00:06:40 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
31/1/2013 -- 00:06:40 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
31/1/2013 -- 00:06:40 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
31/1/2013 -- 00:06:40 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
31/1/2013 -- 00:06:40 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
31/1/2013 -- 00:06:40 - <Info> - compiled with -fstack-protector
31/1/2013 -- 00:06:40 - <Info> - compiled with _FORTIFY_SOURCE=2
31/1/2013 -- 00:06:40 - <Info> - compiled with libhtp 0.2.11, linked against 0.2.11


bridge
apt-get install bridge-utils
<s>#!/bin/bash
 # Strip the IP addresses from the interfaces (we do not need them)
 ifconfig eth0 0.0.0.0
 ifconfig eth1 0.0.0.0
 # Create the bridge interface
 brctl addbr bridge0
 # Add our interfaces to the bridge
 brctl addif bridge0 eth0
 brctl addif bridge0 eth1
 # Bring the bridge up
 ifconfig bridge0 up</s>


iptables
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j NFQUEUE
iptables -A FORWARD -i eth2 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j NFQUEUE


route add default gw 195.1.1.1 eth0
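The bridge script and the NFQUEUE rules above are the two halves of the inline wiring, and they only work together if the kernel actually passes bridged frames through iptables. The block below is an added example, not the page's own script: it prints the bridge commands and the FORWARD rules for a given interface pair (interface names, bridge name and queue number are parameters and therefore assumptions), adds the `bridge-nf-call-iptables` sysctl the bridge setup needs, and provides a check for that sysctl. Commands are printed rather than executed so they can be reviewed before being piped into `sh` on the sensor.

```shell
#!/bin/sh
# Inline IPS wiring for Suricata in NFQ mode: bridge the two wire interfaces, make
# sure bridged frames reach iptables, and hand forwarded traffic to NFQUEUE.
# Added example; interface names, bridge name and queue number are assumptions.

# Print the commands that turn $1 and $2 into a transparent bridge ($3, default
# bridge0). On kernels where br_netfilter is a separate module, load it first
# (modprobe br_netfilter), or the sysctl below does not exist.
bridge_cmds() {
    a="$1"; b="$2"; br="${3:-bridge0}"
    cat <<EOF
ifconfig $a 0.0.0.0
ifconfig $b 0.0.0.0
brctl addbr $br
brctl addif $br $a
brctl addif $br $b
ifconfig $br up
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
}

# Print the iptables rules that send traffic crossing the bridge to Suricata's
# queue ($3, default 0, matching suricata -q 0). Without --queue-bypass, NFQUEUE
# drops packets while no process is attached to the queue, so the IPS fails
# closed when Suricata is down; add --queue-bypass if failing open is preferred.
nfq_rules() {
    a="$1"; b="$2"; q="${3:-0}"
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i $a -o $b -m state --state NEW,ESTABLISHED,RELATED -j NFQUEUE --queue-num $q
iptables -A FORWARD -i $b -o $a -m state --state NEW,ESTABLISHED,RELATED -j NFQUEUE --queue-num $q
EOF
}

# Bridged frames only traverse the FORWARD chain when br_netfilter is enabled;
# check the sysctl before trusting the rules. $1 overrides the path (for tests).
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Stand-alone run: print the sequence for the page's eth1/eth2 pair on queue 0,
# then report whether this host would actually feed bridged frames to the rules.
bridge_cmds eth1 eth2
nfq_rules eth1 eth2 0
if bridge_nf_enabled; then
    echo "# bridge-nf-call-iptables=1: bridged traffic will reach the FORWARD rules"
else
    echo "# bridge-nf-call-iptables is off or unavailable: FORWARD rules would not see bridged frames"
fi
```

The management interface (eth0 with the default route above) is deliberately kept out of the bridge and out of the NFQUEUE rules, so a Suricata outage stops the inspected path but never the admin path.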


root@suricata:~/barnyard2-1.9# apt-get install libprelude-*
Чтение списков пакетов… Готово
Построение дерева зависимостей
Чтение информации о состоянии… Готово
Заметьте, выбирается «libpreludedb0» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libprelude-dev» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libprelude2-dbg» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libpreludedb-dev» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libprelude2» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libpreludedb-perl» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libprelude-perl» для регулярного выражения «libprelude-*»


apt-get install libprelude2-dbg
apt-get install libpreludedb-dev
apt-get install libmysqlclient-dev


The hassle stopped

.........skip
checking for libprelude-config... /usr/bin/libprelude-config
checking for libprelude - version >= 0.9.6... yes
checking for linuxthreads... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating src/sfutil/Makefile
config.status: creating src/input-plugins/Makefile
config.status: creating src/output-plugins/Makefile
config.status: creating etc/Makefile
config.status: creating doc/Makefile
config.status: creating rpm/Makefile
config.status: creating schemas/Makefile
config.status: creating m4/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
root@suricata:~/barnyard2-1.9#


In the end
./configure --prefix=/usr/local \
--enable-prelude \
--enable-aruba \
--enable-gre --enable-64bit-gcc \
--with-mysql-libraries=/usr/lib/x86_64-linux-gnu \
--with-mysql

barnyard2 crashes

Look at the logs… and see…

root@suricata:~# cat syslog

Aug 23 10:35:17 suricata barnyard2: #012#012+[ Signature Suppress list ]+#012----------------------------
Aug 23 10:35:17 suricata barnyard2: +[No entry in Signature Suppress List]+
Aug 23 10:35:17 suricata barnyard2: ----------------------------#012+[ Signature Suppress list ]+#012
Aug 23 10:35:19 suricata barnyard2: Barnyard2 spooler: Event cache size set to [2048]
Aug 23 10:35:19 suricata barnyard2: Log directory = /var/log/suricata
Aug 23 10:35:19 suricata barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Aug 23 10:35:19 suricata barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
Aug 23 10:35:19 suricata barnyard2: DEBUG => [Alert_FWsam](AlertFWsamSetup) Using alternative file: /usr/local/etc/sid-fwsam.map
Aug 23 10:35:19 suricata barnyard2: INFO => [Alert_FWsam](AlertFWsamSetup) Using sid-map file: /usr/local/etc/sid-fwsam.map
Aug 23 10:35:19 suricata barnyard2: INFO => [Alert_FWsam](FWsamCheckIn) Connected to host .
Aug 23 10:35:19 suricata barnyard2: Initializing daemon mode
Aug 23 10:35:19 suricata barnyard2: Daemon initialized, signaled parent pid: 5471
Aug 23 10:35:19 suricata barnyard2: PID path stat checked out ok, PID path set to /var/run/
Aug 23 10:35:19 suricata barnyard2: Daemon parent exiting
Aug 23 10:35:19 suricata barnyard2: Writing PID "5481" to file "/var/run//barnyard2_p4p1.pid"
............ skip ..........
Aug 23 10:35:25 suricata barnyard2: Node unique name is: suricata:p4p1#012
Aug 23 10:35:36 suricata barnyard2: FATAL ERROR: database mysql_error: Duplicate entry '3927-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('2626','3927','1');]


A duplicate appeared… and barnyard2 goes down.
Go to the official site and grab the latest version.
Clean out the sig_reference table:
DELETE FROM sig_reference;
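The FATAL line names both the table and the colliding key (`sig_reference`, `'3927-1'`), which is enough to look at the row that is already there before wiping the whole table. The following triage helper is an added example, not the page's own procedure: it extracts the table and key from a barnyard2 duplicate-key line in syslog and prints the SQL that shows the existing row joined to its signature. It assumes the stock Snort/barnyard2 schema, in which the PRIMARY KEY of `sig_reference` is `(sig_id, ref_seq)`; the sample line is the one from this page, embedded as constructed input.

```shell
#!/bin/sh
# Triage for the barnyard2 "Duplicate entry ... for key 'PRIMARY'" crash: pull the
# table and key out of the syslog line and print SQL to inspect the existing row.
# Added example; assumes the stock Snort/barnyard2 schema (sig_reference PK = sig_id, ref_seq).

# The FATAL line from this page's syslog, kept here as constructed sample input.
SAMPLE_LINE="Aug 23 10:35:36 suricata barnyard2: FATAL ERROR: database mysql_error: Duplicate entry '3927-1' for key 'PRIMARY'#012#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('2626','3927','1');]"

# Print "<table> <key>" (e.g. "sig_reference 3927-1") for a duplicate-key FATAL
# line; print nothing and return 1 for any other line.
parse_dup_key() {
    printf '%s\n' "$1" | sed -n \
        "s/.*Duplicate entry '\([^']*\)' for key 'PRIMARY'.*INSERT INTO \([A-Za-z_]*\).*/\2 \1/p" \
        | grep .
}

# SQL that shows the row already occupying the key, joined to its signature.
# Only sig_reference's key layout is known here; other tables get a comment.
# The key parts are checked to be numeric so a log line cannot smuggle SQL in.
dup_inspect_sql() {
    table="$1"; key="$2"
    case "$table" in
        sig_reference)
            sig_id="${key%-*}"; ref_seq="${key#*-}"
            case "$sig_id$ref_seq" in
                *[!0-9]*) printf '%s\n' "-- unexpected key '$key' for sig_reference"; return 1 ;;
            esac
            printf '%s\n' "SELECT r.ref_id, r.sig_id, r.ref_seq, s.sig_sid, s.sig_name"
            printf '%s\n' "  FROM sig_reference r JOIN signature s ON s.sig_id = r.sig_id"
            printf '%s\n' " WHERE r.sig_id = $sig_id AND r.ref_seq = $ref_seq;"
            ;;
        *)
            printf '%s\n' "-- unknown table $table: look up PRIMARY KEY value '$key' by hand"
            ;;
    esac
}

# Scan a syslog file ($1) for barnyard2 duplicate-key crashes and print the
# inspection SQL for each one, preceded by the offending log line as a comment.
triage_syslog() {
    grep 'barnyard2: FATAL ERROR' "$1" | while IFS= read -r line; do
        tk=$(parse_dup_key "$line") || continue
        echo "-- $line"
        dup_inspect_sql $tk   # unquoted on purpose: splits into table and key
    done
}

# Stand-alone run on the constructed sample line.
tk=$(parse_dup_key "$SAMPLE_LINE") && dup_inspect_sql $tk
```

Running the printed SELECT against the snorby database shows which signature already owns reference sequence 1 for sig_id 3927; the table-wide DELETE above remains the page's remedy, but the query makes it a decision rather than a reflex, and `triage_syslog /var/log/syslog` turns the same check into a routine after every rule update.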


Re-enable it (if it was disabled)
output database: log, mysql, user=snorby password=pwd dbname=snorby host=localhost