'DAQ'에 해당되는 글 1건

  1. 2013.01.16 Snort + DAQ + PF_RING

Snort + DAQ + PF_RING

snort 2013. 1. 16. 18:19 |

성능이 얼마나 올라갈까

##############################################

======> 트래픽이 높아지니 kernel에러 또는 로그없이 스노트가 멈추는 현상이 발생해서 2.9.4.0으로 교체함. 아직까진 문제 없음. 

2.9.4로 설치시 daq만 2.0으로 재설치하면 나머지 과정은 같다. (pf_ring관련모듈 재컴파일 필요)

최신버전에서는 mysql output을 지원하지 않는다. db저장시 snort-barnyard-mysql 방식을 이용할것

##############################################




환경: CentOS 5.8 / Snort 2.9.2 / 


######기존snort삭제########################

make uninstall

###########################################

파일 다운로드 및 압축해제

# tar xvzf libpcap-1.2.1.tar.gz

# tar xvzf daq-0.6.2.tar.gz

# tar xvzf libdnet-1.12.tar.gz

# tar xvzf pcre-8.30.tar.gz

# tar xvzf snort-2.9.2.2.tar.gz


# cd libpcap-1.2.1

# ./configure

# make

# make install

# cd /usr/lib64/

# rm libpcap.so

# rm libpcap.so.0

# rm libpcap.so.0.9

# ln -s /usr/local/lib/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1.2.1

# ln -s /usr/lib64/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1

# ln -s /usr/lib64/libpcap.so.1 /usr/lib64/libpcap.so


# cd daq-0.6.2

# ./configure

# make

# make install


# cd pcre-8.30

# ./configure

# make

# make install


# cd libdnet-1.12

# ./configure

# make

# make install


# cd snort-2.9.2.2

# ./configure -with-mysql-libraries=/usr/lib64/mysql/ -enable-dynamicplugin -enable-zlib -enable-ipv6  -enable-sourcefire

# make

# make install


중간확인해보기

# snort -V


   ,,_     -*> Snort! <*-

  o"  )~   Version 2.9.2.2 IPv6 GRE (Build 121)

   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team

           Copyright (C) 1998-2012 Sourcefire, Inc., et al.

           Using libpcap version 1.2.1

           Using PCRE version: 8.30 2012-02-04

           Using ZLIB version: 1.2.3



# groupadd snort

# useradd -g snort snort -s /sbin/nologin

# mkdir /etc/snort

# mkdir /etc/snort/rules

# mkdir /etc/snort/so_rules

# mkdir /etc/snort/preproc_rules

# mkdir /var/log/snort

# chown snort:snort /var/log/snort

# mkdir /usr/local/lib/snort_dynamicrules

# cd etc/

# cp * /etc/snort/


####룰파일 다운로드/적용(snort공홈)###########################


# tar xvzf snortrules-snapshot-2921.tar.gz

# cd rules/

# cp * /etc/snort/rules

# cp ../so_rules/precompiled/Centos-5-4/x86-64/2.9.2.1/* /etc/snort/so_rules

# cp ../preproc_rules/* /etc/snort/preproc_rules

***/etc/snort/snort.conf설정은 알아서 바꾸시고....


##PF_RING설치##############################

필요한 프로그램 다운로드 및 설치 (./configure & make & make install)

#tar zxvf autoconf-2.69.tar.gz

#tar zxvf automake-1.9.tar.gz

#tar zxvf libtool-2.4.tar.gz


PF_RING다운로드 / 압축해제

cd PF_RING/kernel

make

make install

insmod ./pf_ring.ko

***커널에 모듈이 올라왔는지 확인

***lsmod |grep pf_ring


cd lib

./configure

make

make install

***/usr/local/lib/libpfring.so파일이 생겼는지 확인


#cd snort/pfring-daq-module

#autoreconf -ivf

#./configure

#make

#make install



##Snort동작 확인#########################################

snort --daq-dir=/usr/local/lib/daq --daq pfring -i eth9 -c /etc/snort/snort.conf -T


참고

http://kezhong.wordpress.com/2012/04/07/install-snort-2-9-2-2-on-centos5-8x86_64/

'snort' 카테고리의 다른 글

이벤트별 DB분류 저장  (0) 2013.01.12
Managing Snort Alerts  (0) 2013.01.11
Snort On Multiple NICs  (0) 2012.11.09
snort 퍼포먼스 모니터링  (0) 2012.09.11
snort-sms연동(bash)  (0) 2012.04.19
Posted by applicationlayer
: