Clippings: Suricata

IDS/IPS (Intrusion Detection/Prevention System)

Suricata — barnyard2/sguil-sensor — snortsam — cisco route
The Open Information Security Foundation (OISF) will provide support to Ian Firns (aka “firnsy”), one of the official Barnyard2 maintainers at SecurixLive, to help get a few milestones completed within the Barnyard2 roadmap. Most significantly a Snortsam Output Plugin will be completed to allow both Snort and Suricata users to more easily plug in to Snortsam for distributed blocking and response using Frank Knobbe’s Snortsam project. This will make using Snortsam much easier as it will no longer require patching Snort or Suricata on each upgrade.

Barnyard is a critical piece of Suricata as well as Snort, so this support is beneficial to the community as a whole!

When building and on first start, this comes up:

checking magic.h usability... no
checking magic.h presence... no
checking for magic.h... no
configure: error: magic.h not found ...

the fix should be
yum install file-devel


/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -D -i eth0 --user=suri --group=suri


mkdir -p /var/log/suricata
chown -R root:suri /var/log/suricata
chmod -R 775 /var/log/suricata



[root@suricata suricata]# pwd
/var/log/suricata
[root@suricata suricata]# tail -f http.log stats.log


[root@suricata suricata]# suricata --build-info
23/1/2013 -- 10:03:56 - <Info> - This is Suricata version 1.4 RELEASE
23/1/2013 -- 10:03:56 - <Info> - Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
23/1/2013 -- 10:03:56 - <Info> - 64-bits, Little-endian architecture
23/1/2013 -- 10:03:56 - <Info> - GCC version 4.4.6 20120305 (Red Hat 4.4.6-4), C version 199901
23/1/2013 -- 10:03:56 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
23/1/2013 -- 10:03:56 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
23/1/2013 -- 10:03:56 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
23/1/2013 -- 10:03:56 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
23/1/2013 -- 10:03:56 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
23/1/2013 -- 10:03:56 - <Info> - compiled with libhtp 0.2.11, linked against 0.2.11
[root@suricata suricata]#


30 2 * * * oinkmaster.pl -o /etc/suricata/rules/ -b /etc/suricata/backup 2>&1 |logger -t oinkmaster


freebsd
/usr/ports/security/suricata


linux
apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf \
automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev \
pkg-config python libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev \
libnfnetlink0 git-core libtool automake autoconf libmagic-dev -y


integration
https://home.regit.org/2012/02/ecosystem-of-suricata/


AS65002# whereis snortsam
snortsam: /usr/ports/security/snortsam


AS65002# whereis barnyard2
barnyard2: /usr/ports/security/barnyard2


fiddling with barnyard2.conf

Locate the paths to the key Snort files, and make sure they point to the right files in /etc/snort:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Find the setting for output logging, uncomment it, and edit it to read:
config logdir: /var/log/barnyard2
Find the lines with hostname and interface declarations, uncomment them, and edit them to read:
config hostname: localhost
config interface: eth0
Find the line for declaring the path to the waldo file and edit it to read:
config waldo_file: /var/log/snort/barnyard2.waldo


install this... the sguil sensor
http://sguil.sourceforge.net/

/usr/ports/security/sguil-sensor

TCL_MODULES Install tcl common modules

cd /usr/ports/devel/git
make install clean
git clone http://github.com/Snorby/snorby.git
cd snorby && bundle install


https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Snorby_and_Barnyard2_set_up_guide


In IDS mode, built from three components: Suricata + barnyard2 + snortsam
http://www.corelan.be/index.php/2011/02/27/cheat-sheet-installing-snorby-2-2-with-apache2-and-suricata-with-barnyard2-on-ubuntu-10-x/


building on ubuntu in IPS mode

root@suricata:/var/log/suricata# suricata --build-info
31/1/2013 -- 00:06:40 - <Info> - This is Suricata version 1.4 RELEASE
31/1/2013 -- 00:06:40 - <Info> - Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT
31/1/2013 -- 00:06:40 - <Info> - 64-bits, Little-endian architecture
31/1/2013 -- 00:06:40 - <Info> - GCC version 4.7.2, C version 199901
31/1/2013 -- 00:06:40 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
31/1/2013 -- 00:06:40 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
31/1/2013 -- 00:06:40 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
31/1/2013 -- 00:06:40 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
31/1/2013 -- 00:06:40 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
31/1/2013 -- 00:06:40 - <Info> - compiled with -fstack-protector
31/1/2013 -- 00:06:40 - <Info> - compiled with _FORTIFY_SOURCE=2
31/1/2013 -- 00:06:40 - <Info> - compiled with libhtp 0.2.11, linked against 0.2.11
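
The two build-info outputs above differ in exactly the feature that inline mode needs: the IPS build lists NFQ, which is what the iptables NFQUEUE rules hand packets to. Here is an added Python example (not from the page or the Suricata project) that parses `suricata --build-info` output so a start script can check that before running inline; the sample text is a trimmed copy of the page's own output.

```python
import re

INFO_RE = re.compile(r" - <Info> - (.*)$")


def parse_build_info(text):
    """Parse 'suricata --build-info' output into version, feature set and build flags."""
    info = {"version": None, "features": set(), "compiled_with": set()}
    for line in text.splitlines():
        m = INFO_RE.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("This is Suricata version "):
            info["version"] = msg[len("This is Suricata version "):]
        elif msg.startswith("Features: "):
            info["features"] = set(msg[len("Features: "):].split())
        elif msg.startswith("compiled with "):
            info["compiled_with"].add(msg[len("compiled with "):])
    return info


def ips_checks(info):
    """What an inline (NFQUEUE) deployment wants from the build."""
    flags = info["compiled_with"]
    return {
        "nfq": "NFQ" in info["features"],          # required for iptables -j NFQUEUE
        "af_packet": "AF_PACKET" in info["features"],
        "stack_protector": any(f.startswith("-fstack-protector") for f in flags),
        "fortify_source": any(f.startswith("_FORTIFY_SOURCE=") for f in flags),
    }


# Constructed samples: trimmed copies of the two build-info outputs on this page.
IDS_BUILD = """23/1/2013 -- 10:03:56 - <Info> - This is Suricata version 1.4 RELEASE
23/1/2013 -- 10:03:56 - <Info> - Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG
23/1/2013 -- 10:03:56 - <Info> - compiled with libhtp 0.2.11, linked against 0.2.11"""
IPS_BUILD = """31/1/2013 -- 00:06:40 - <Info> - This is Suricata version 1.4 RELEASE
31/1/2013 -- 00:06:40 - <Info> - Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 PCRE_JIT
31/1/2013 -- 00:06:40 - <Info> - compiled with -fstack-protector
31/1/2013 -- 00:06:40 - <Info> - compiled with _FORTIFY_SOURCE=2"""

if __name__ == "__main__":
    for name, text in (("IDS build", IDS_BUILD), ("IPS build", IPS_BUILD)):
        info = parse_build_info(text)
        print(name, info["version"], ips_checks(info))
```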


bridge
apt-get install bridge-utils
#!/bin/bash
# Remove the IP addresses from the interfaces (we don't need them)
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
# Create the bridge interface
brctl addbr bridge0
# Add our interfaces to the bridge
brctl addif bridge0 eth0
brctl addif bridge0 eth1
# Bring the bridge up
ifconfig bridge0 up


iptables
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j NFQUEUE
iptables -A FORWARD -i eth2 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j NFQUEUE


route add default gw 195.1.1.1 eth0


root@suricata:~/barnyard2-1.9# apt-get install libprelude-*
Чтение списков пакетов… Готово
Построение дерева зависимостей
Чтение информации о состоянии… Готово
Заметьте, выбирается «libpreludedb0» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libprelude-dev» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libprelude2-dbg» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libpreludedb-dev» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libprelude2» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libpreludedb-perl» для регулярного выражения «libprelude-*»
Заметьте, выбирается «libprelude-perl» для регулярного выражения «libprelude-*»


apt-get install libprelude2-dbg
apt-get install libpreludedb-dev
apt-get install libmysqlclient-dev


the struggle ended

.........skip
checking for libprelude-config... /usr/bin/libprelude-config
checking for libprelude - version >= 0.9.6... yes
checking for linuxthreads... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating src/sfutil/Makefile
config.status: creating src/input-plugins/Makefile
config.status: creating src/output-plugins/Makefile
config.status: creating etc/Makefile
config.status: creating doc/Makefile
config.status: creating rpm/Makefile
config.status: creating schemas/Makefile
config.status: creating m4/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
root@suricata:~/barnyard2-1.9#


in the end
./configure --prefix=/usr/local \
--enable-prelude \
--enable-aruba \
--enable-gre --enable-64bit-gcc \
--with-mysql-libraries=/usr/lib/x86_64-linux-gnu \
--with-mysql

Dynamic routing on FreeBSD with BIRD, Quagga

under


http://subnets.ru/wrapper.php?p=7
http://subnets.ru/blog/?p=1728
http://subnets.ru/blog/?p=19


http://subnets.ru/forum/viewtopic.php?f=3&t=371&start=30

hostname AS123456
password zebra
enable password zebra
log file /var/log/bgpd.log
router bgp 123456
bgp router-id 173.45.248.98
bgp log-neighbor-changes
no synchronization
network 48.151.4.0/23
neighbor 173.45.248.97 remote-as 45975
neighbor 173.45.248.97 next-hop-self
neighbor 173.45.248.97 route-map ROSTELEKOM_IN in
neighbor 173.45.248.97 route-map ROSTELEKOM_OUT out
!
ip prefix-list bogons description bogus nets
ip prefix-list bogons seq 15 permit 0.0.0.0/8 le 32
ip prefix-list bogons seq 20 permit 127.0.0.0/8 le 32
ip prefix-list bogons seq 30 permit 10.0.0.0/8 le 32
ip prefix-list bogons seq 35 permit 172.16.0.0/12 le 32
ip prefix-list bogons seq 40 permit 192.168.0.0/16 le 32
ip prefix-list bogons seq 45 permit 169.254.0.0/16 le 32
ip prefix-list bogons seq 50 permit 224.0.0.0/4 le 32
ip prefix-list bogons seq 55 permit 240.0.0.0/4 le 32
ip prefix-list default description default route
ip prefix-list default seq 10 permit 0.0.0.0/0
ip prefix-list our-CIDR-blocks seq 5 permit 48.151.4.0/23 le 32
ip prefix-list upstream-out seq 10 permit 48.151.4.0/23
!
ip as-path access-list 1 permit _6451[2-9]_
ip as-path access-list 1 permit _645[2-9][0-9]_
ip as-path access-list 1 permit _64[6-9][0-9][0-9]_
ip as-path access-list 1 permit _65[0-9][0-9][0-9]_
!
route-map ROSTELEKOM_IN deny 100
match as-path 1
!
route-map ROSTELEKOM_IN deny 110
match ip address prefix-list bogons
!
route-map ROSTELEKOM_IN deny 115
match ip address prefix-list default
!
route-map ROSTELEKOM_IN deny 120
match ip address prefix-list our-CIDR-blocks
!
route-map ROSTELEKOM_IN permit 200
set local-preference 100
!
route-map ROSTELEKOM_OUT permit 100
match ip address prefix-list upstream-out
!
route-map ROSTELEKOM_OUT deny 200
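
The inbound and outbound policy above, re-implemented as an added Python example (not from the page or from Quagga) that runs constructed announcements through the same prefix-lists, as-path access-list and route-map sequence order; the `_` in the as-path regexes is expanded the way bgpd does it, so `164512` is not caught while `64512` is.

```python
import ipaddress
import re

# Prefix-lists from the bgpd config (re-encoded here for the example).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
DEFAULT = [ipaddress.ip_network("0.0.0.0/0")]
OUR_BLOCKS = [ipaddress.ip_network("48.151.4.0/23")]   # our-CIDR-blocks / upstream-out

def quagga_as_regex(pattern):
    """bgpd expands '_' to: start or end of the path, or an AS separator."""
    return re.compile(pattern.replace("_", r"(?:^|[,{}() ]|$)"))

# ip as-path access-list 1: private ASNs 64512-65535 anywhere in the path.
AS_PATH_LIST_1 = [quagga_as_regex(p) for p in (
    r"_6451[2-9]_", r"_645[2-9][0-9]_", r"_64[6-9][0-9][0-9]_", r"_65[0-9][0-9][0-9]_")]

def prefix_list_match(prefix, entries, le32):
    """'permit X le 32' matches X and every subnet of it; without 'le' only X itself."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(e) if le32 else net == e for e in entries)

def rostelekom_in(prefix, as_path):
    """route-map ROSTELEKOM_IN, first matching sequence wins.
    Returns (action, sequence, local_preference)."""
    path = " ".join(str(asn) for asn in as_path)
    if any(r.search(path) for r in AS_PATH_LIST_1):
        return ("deny", 100, None)                 # private ASN in the path
    if prefix_list_match(prefix, BOGONS, le32=True):
        return ("deny", 110, None)                 # bogon / RFC1918 / multicast
    if prefix_list_match(prefix, DEFAULT, le32=False):
        return ("deny", 115, None)                 # no default route from upstream
    if prefix_list_match(prefix, OUR_BLOCKS, le32=True):
        return ("deny", 120, None)                 # our own space coming back at us
    return ("permit", 200, 100)                    # everything else, local-pref 100

def rostelekom_out(prefix):
    """route-map ROSTELEKOM_OUT: only the exact /23 aggregate is announced."""
    if prefix_list_match(prefix, OUR_BLOCKS, le32=False):
        return ("permit", 100)
    return ("deny", 200)

if __name__ == "__main__":
    # Constructed announcements as they might arrive from the upstream (AS45975).
    for pfx, path in (("8.8.8.0/24", [45975, 15169]), ("1.2.3.0/24", [45975, 64512, 3356]),
                      ("10.1.0.0/16", [45975, 3356]), ("0.0.0.0/0", [45975]),
                      ("48.151.5.0/24", [45975, 12345])):
        print(pfx, path, rostelekom_in(pfx, path))
    for pfx in ("48.151.4.0/23", "48.151.4.0/24", "10.0.0.0/8"):
        print(pfx, rostelekom_out(pfx))
```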



gw# vtysh

Hello, this is Quagga (version 0.99.21).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

gw#
  clear        Reset functions
  configure    Configuration from vty interface
  copy         Copy from one file to another
  debug        Enable debug messages for specific or all part.
  disable      Turn off privileged mode command
  end          End current mode and change to enable mode
  exit         Exit current mode and down to previous mode
  list         Print command list
  no           Negate a command or set its defaults
  ping         Send echo messages
  quit         Exit current mode and down to previous mode
  show         Show running system information
  ssh          Open an ssh connection
  start-shell  Start UNIX shell
  telnet       Open a telnet connection
  terminal     Set terminal line parameters
  traceroute   Trace route to destination
  undebug      Disable debugging functions (see also 'debug')
  write        Write running configuration to memory, network, or terminal
gw#


get the list of subnets from Quagga and upload it via ftp

#!/bin/bash
# get the list of AS subnets from bgpd and upload it to the ftp server
file=/tmp/zebra/peering_as_subnets
mkdir -p "$(dirname "$file")"
# keep the BGP routes whose next hop is 127.0.0.1 and print the prefix column
echo "sh ip ro bgp" | vtysh | grep '127\.0\.0\.1' | awk '{print $2}' > "$file"
echo "send $file" | pftp lt.lan
rm -f "$file"

zabbix 2.4 on a clean debian 8.1

root@zabbix2:~/zabbix-2.4.6# apt-get install libsnmp-dev libgsnmp-dev snmptrapd 


checking pkg-config is at least version 0.9.0... yes
checking for net-snmp-config... no
configure: error: Invalid Net-SNMP directory - unable to find net-snmp-config
root@zabbix2:~/zabbix-2.4.6# apt-get install net-snmp-devel

 apt-get install libsnmp-dev



checking for SSH2 support... no
configure: error: SSH2 library not found


root@zabbix2:~/zabbix-2.4.6# apt-get install libssh-dev libssh2-1-dev



checking for OPENIPMI support... no
configure: error: Invalid OPENIPMI directory - unable to find ipmiif.h

root@zabbix2:~/zabbix-2.4.6# apt-get install openipmi
root@zabbix2:~/zabbix-2.4.6# apt-get install libopenipmi-dev


checking for curl-config... no
configure: error: Curl library not found

root@zabbix2:~/zabbix-2.4.6# apt-get install curl
root@zabbix2:~/zabbix-2.4.6# apt-get install libcurl4-openssl-dev



Dlink DGS-3100-48

I had an old DGS-3100-48 that had been running since 2008 without any particular problems. I decided to upgrade from Prom v. 1.00.04, FW-2.00.29 to FW-3.60.28 and Prom v. 1.01.05.

But a number of problems surfaced: the DGS-3100-48 hung completely when the Web UI was accessed, and it even stopped responding to ping.


adding a module to php

PHP
PHP is already installed and configured; another module needs to be added without rebuilding all of PHP.
Unpack the required source archive, in our case php-5.3.6.tar.bz2,
and then:

# cd php-5.3.6/ext/bcmath
# phpize
# ./configure
# make && make install

Done; check:

# php -m|grep bcm
bcmath
#

ipmi + zabbix2

In the Zabbix logs this is plainly visible:
84769:20121003:224912.723 SNMP monitoring:           YES
84769:20121003:224912.723 IPMI monitoring:            NO
84769:20121003:224912.723 WEB monitoring:            YES
.................................
84794:20121003:224912.855 server #25 started [ipmi poller #1]
.................................
84794:20121003:224945.195 enabling IPMI checks on host [ipmi.***.ru]: host became available
84789:20121003:224948.227 item [ipmi.****.ru:baseboard_temp] became not supported: Support for IPMI checks was not compiled in


install

cd /usr/ports/sysutils/ipmitool
make install clean


./configure --enable-server ....... \
.................. \
--with-openipmi


it complained...

checking for OPENIPMI support... no
configure: error: Invalid OPENIPMI directory - unable to find ipmiif.h


go to
cd /usr/ports/sysutils/openipmi
make install clean
rehash


repeat the zabbix build

Enable server:         yes
  Server details:
    With database:         MySQL
    WEB Monitoring via:    cURL
    Native Jabber:         no
    SNMP:                  net-snmp
    IPMI:                  openipmi
    SSH:                   no


zabbix_server.conf
StartIPMIPollers=1


and in the end, in the logs:
45126:20121003:233144.802 Starting Zabbix Server. Zabbix 2.0.0 (revision 27675).
45126:20121003:233144.802 ****** Enabled features ******
45126:20121003:233144.802 SNMP monitoring:           YES
45126:20121003:233144.802 IPMI monitoring:           YES
45126:20121003:233144.802 WEB monitoring:            YES
45126:20121003:233144.802 Jabber notifications:       NO
45126:20121003:233144.802 Ez Texting notifications:  YES
45126:20121003:233144.802 ODBC:                       NO
45126:20121003:233144.802 SSH2 support:               NO
45126:20121003:233144.802 IPv6 support:              YES
45126:20121003:233144.802 ******************************
.............................
45151:20121003:233144.984 server #25 started [ipmi poller #1]


installing a new zabbix build on ubuntu

checking for net-snmp-config... /usr/bin/net-snmp-config
checking for main in -lnetsnmp... yes
checking for localname in struct snmp_session... yes
checking for SSH2 support... no
configure: error: SSH2 library not found


install for ubuntu
apt-get install libssh2-1-dev libssh2-php

21404:20130320:093530.685 Starting Zabbix Server. Zabbix 2.0.5 (revision 33558).
21404:20130320:093530.685 ****** Enabled features ******
21404:20130320:093530.685 SNMP monitoring:           YES
21404:20130320:093530.685 IPMI monitoring:            NO
21404:20130320:093530.685 WEB monitoring:            YES
21404:20130320:093530.685 Jabber notifications:       NO
21404:20130320:093530.685 Ez Texting notifications:  YES
21404:20130320:093530.685 ODBC:                       NO
21404:20130320:093530.685 SSH2 support:              YES
21404:20130320:093530.685 IPv6 support:              YES
21404:20130320:093530.685 ******************************


building with IPMI monitoring
it complained
checking for SSH2 support... yes
checking for OPENIPMI support... no
configure: error: Invalid OPENIPMI directory - unable to find ipmiif.h


install
apt-get install openipmi libopenipmi-dev


build, and we see:
Configuration:

  Detected OS:           linux-gnu
  Install path:          /usr/local
  Compilation arch:      linux

  Compiler:              gcc
  Compiler flags:        -g -O2  -I/usr/include/mysql -DBIG_JOINS=1  -fno-strict-aliasing  -g       -I/usr/local/include -I/usr/lib/perl/5.14/CORE -I. -I/usr/include  -I/usr/include -I/usr/include

  Enable server:         yes
  Server details:
    With database:         MySQL
    WEB Monitoring via:    cURL
    Native Jabber:         no
    SNMP:                  net-snmp
    IPMI:                  openipmi
    SSH:                   yes
    ODBC:                  no
    Linker flags:          -rdynamic      -L/usr/lib/x86_64-linux-gnu      -L/usr/lib/x86_64-linux-gnu  -L/usr/lib  -L/usr/lib -L/usr/lib -L/usr/lib
    Libraries:             -lm -lrt  -lresolv    -lmysqlclient       -lcurl  -lnetsnmp -lcrypto  -lnetsnmp -lcrypto -lssh2 -lOpenIPMI -lOpenIPMIposix

  Enable proxy:          no

  Enable agent:          yes
  Agent details:
    Linker flags:          -rdynamic     -L/usr/lib/x86_64-linux-gnu
    Libraries:             -lm -lrt  -lresolv    -lcurl

  Enable Java gateway:   no

  LDAP support:          no
  IPv6 support:          yes

***********************************************************
*            Now run 'make install'                       *
*                                                         *
*            Thank you for using Zabbix!                  *
*              <http://www.zabbix.com>                    *
***********************************************************


Done. Build and enjoy life.
in the console:
service zabbix-server restart
zabbix-server stop/waiting
zabbix-server start/running, process 8201

and check the log:

cat ./zabbix_server.log
8201:20130320:095130.101 Zabbix Server stopped. Zabbix 2.0.5 (revision 33558).
16429:20130320:095417.461 Starting Zabbix Server. Zabbix 2.0.5 (revision 33558).
16429:20130320:095417.461 ****** Enabled features ******
16429:20130320:095417.461 SNMP monitoring:           YES
16429:20130320:095417.461 IPMI monitoring:           YES
16429:20130320:095417.461 WEB monitoring:            YES
16429:20130320:095417.461 Jabber notifications:       NO
16429:20130320:095417.461 Ez Texting notifications:  YES
16429:20130320:095417.461 ODBC:                       NO
16429:20130320:095417.461 SSH2 support:              YES
16429:20130320:095417.461 IPv6 support:              YES
16429:20130320:095417.461 ******************************
16431:20130320:095417.566 server #1 started [configuration syncer #1]

ubuntu pure-ftpd

Many people ask how to configure pure-ftpd on ubuntu.
The answer is simple.

There is no pure-ftpd.conf file as such; instead, a set of files in /etc/pure-ftpd is used.

To understand what's what, read the man page for pure-ftpd-wrapper.