About sguil

snort | 2012. 2. 16. 10:00



MySQL setup
 mysql -u root -p -e "CREATE DATABASE sguildb"
 mysql -u root -p -D sguildb < /home/[user]/Desktop/sguild-0.7.0/server/sql_scripts/create_sguildb.sql
 mysql -u root -p -e "GRANT ALL PRIVILEGES ON sguildb.* TO sguil; FLUSH PRIVILEGES;"
Note: a GRANT to an account that does not exist yet creates it with an empty password. Add IDENTIFIED BY '...' to the GRANT and put the same password in the DBPASS setting of sguild.conf.


Tcl install (run inside the Tcl source tree; sguild needs a non-threaded Tcl, hence --disable-threads)
cd unix
./configure --disable-threads
 make
 sudo make install
 sudo rm /usr/bin/tclsh
 sudo rm /usr/bin/tclsh8.5
 sudo cp /usr/local/bin/tclsh8.5 /usr/bin/tclsh8.5
 sudo ln -s /usr/bin/tclsh8.5 /usr/bin/tclsh
 sudo ln -s /usr/bin/tclsh8.5 /usr/bin/tclsh-defaul

mysqltcl install
./configure
make && make install

tls install
./configure
make && make install

tclx install
./configure
make && make install

tcllib install
./configure
make && make install


sguil install

sudo mkdir /etc/sguild
 sudo cp sguild.users sguild.conf sguild.queries sguild.access autocat.conf /etc/sguild
 sudo mkdir /etc/sguild/certs
 sudo rm ./sguild.conf
 sudo openssl req -new -x509 -nodes -out /etc/sguild/certs/sguild.pem -keyout /etc/sguild/certs/sguild.pem -days 365
Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:WV
  Locality Name (eg, city) []:HUNTINGTON
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:MU
  Organizational Unit Name (eg, section) []:CS
  Common Name (eg, YOUR name) []:SRSLYNRDY
  Email Address []:NA
 sudo ln -s /etc/sguild/certs/sguild.pem /etc/sguild/certs/sguild.key
 sudo ./sguild -adduser sguil

-out and -keyout point at the same file here, so sguild.pem holds both the certificate and the private key, and the symlink gives sguild the sguild.key name it looks for in its certs directory. Since that file contains the private key, make it readable only by the user sguild runs as.

 barnyard install
 ./configure --with-mysql --with-tcl=/usr/local/lib
--with-tcl = the directory that contains tclConfig.sh

If barnyard fails at startup with a message that a shared library cannot be found, copy (or symlink) that library into a directory the dynamic loader searches and run ldconfig.

In barnyard.conf the port to connect to is not sguild's own port but the one snort_agent.tcl (the sensor agent) listens on; default 7735.
 http://www.grepler.com/articles/index/3243/mailing.unix.snort
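Added example, not code from the original post or from the Sguil project: a shell script that produces the sguild certificate without the interactive prompts, checks that the certificate and key actually match and are not close to expiry, and reports whether the tclsh on PATH is a threaded build (sguild wants the --disable-threads build from the Tcl step above). The subject fields, the separate sguild.pem / sguild.key files (the post symlinks a single file instead), the temp directory and the openssl/tclsh locations are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sguil.
# Assumes: openssl and (optionally) tclsh on PATH. Subject values and the
# file layout (separate sguild.pem / sguild.key) are assumptions.
set -eu

# Create a self-signed certificate and key in $1 without the interactive
# prompts; -subj supplies the answers the post typed in by hand.
gen_sguild_cert() {
    dir=$1
    mkdir -p "$dir"
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/C=US/ST=WV/L=HUNTINGTON/O=MU/OU=CS/CN=sguild.example.test" \
        -out "$dir/sguild.pem" -keyout "$dir/sguild.key" 2>/dev/null
    chmod 600 "$dir/sguild.key"   # only the user running sguild needs the key
}

# Returns 0 if the certificate's public key matches the private key, so a
# leftover key from an earlier run is caught before clients start failing.
cert_matches_key() {
    dir=$1
    c=$(openssl x509 -in "$dir/sguild.pem" -noout -pubkey)
    k=$(openssl pkey -in "$dir/sguild.key" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 if the certificate is still valid $2 days from now; the 365-day
# cert from this recipe expires silently, so check before the clients do.
cert_valid_for_days() {
    openssl x509 -in "$1/sguild.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Prints "threaded" or "not-threaded" for the tclsh on PATH. Tcl sets
# tcl_platform(threaded) only in builds with thread support; sguild wants
# the non-threaded build the post configures with --disable-threads.
tcl_threading() {
    echo 'puts [expr {[info exists tcl_platform(threaded)] ? "threaded" : "not-threaded"}]' | tclsh
}

# Stand-alone run: build a throwaway cert in a temp dir and report.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    gen_sguild_cert "$demo"
    if cert_matches_key "$demo" && cert_valid_for_days "$demo" 30; then
        echo "sguild certificate and key in $demo look good"
    else
        echo "sguild certificate check FAILED" >&2
    fi
    rm -rf "$demo"
fi
if command -v tclsh >/dev/null 2>&1; then
    echo "tclsh is $(tcl_threading)"
fi
```

To use it for a real install, point gen_sguild_cert at /etc/sguild/certs (as root) and set CERTS_PATH in sguild.conf accordingly; cert_matches_key is the check to run whenever the TLS handshake between the sguil client and sguild fails after a certificate change.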

Posted by applicationlayer

Installing snorby

snort | 2012. 2. 14. 15:20
Based on CentOS 5.5.
Note: after installation, the sensor is only registered correctly once barnyard has started writing events into the database.

Posted by applicationlayer

Installing barnyard2

snort | 2012. 2. 8. 15:03
##### snort.conf changes ##########################
Add these two lines in the output section:
#unified
output unified2: filename snort.log, limit 128

######## barnyard2 install (64-bit) ########################################
cd /root/
copy barnyard2.tar.gz here
tar zxvf barnyard2-1.8.tar.gz
cd barnyard2-1.8
./configure --with-mysql-libraries=/usr/lib64/mysql/
make
make install
cp etc/barnyard2.conf /etc/snort/
mkdir /var/log/barnyard2
chown snort:snort /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort:snort /var/log/snort/barnyard2.waldo
(The original used chmod 666 on /var/log/barnyard2; on a directory that drops the execute bit, so nobody can create files in it. Giving the directory to the snort user is what is actually needed.)

######## barnyard2.conf edits #########################################
vi /etc/snort/barnyard2.conf
Uncomment and set:
config hostname:        localhost
config interface:       eth0
output database: log, mysql, user=snort password=ahslxj1234 dbname=snort host=localhost
The database password sits in clear text in this file, so keep it readable only by the user barnyard2 runs as (chmod 600).

######## keep sid-msg.map current ######################################
barnyard2's output (unified2) carries only the signature id, not the event name (the rule's msg), so a mapping file is needed;
without it the event names are not stored correctly in the DB.

Mapping file: /etc/snort/sid-msg.map

The create-sidmap.pl script (shipped in oinkmaster's contrib directory) regenerates it from the current rules (search for it).


######## run #########################################
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

References:
http://gsxbinary.blogspot.com/2010/07/snort-barnyard2-mysql-base-intro.html
http://blog.nielshorn.net/2010/09/snort-barnyard2-base-complete-installation/
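Added example, not code from the original post, from barnyard2 or from oinkmaster: a shell script that rebuilds sid-msg.map from rule files the way create-sidmap.pl does (skipping commented-out rules and flagging duplicate sids), and runs the checks the start command above depends on: hostname/interface/output lines uncommented, a conf that holds the DB password not world-readable, the waldo file present, and unified2 spool files in the log directory. The rules file, barnyard2.conf and spool files it writes under a temp directory are constructed fixtures; the paths are parameters rather than the post's /etc/snort and /var/log/snort.

```shell
#!/bin/sh
# Added example, not code from the original post, barnyard2 or oinkmaster.
# The fixture files written by make_demo_env are constructed, not real.
set -eu

# Emit "sid || msg" lines (the sid-msg.map format barnyard2 reads) for
# every enabled single-line rule in the given files, sorted by sid.
# Commented-out rules are skipped, like create-sidmap.pl does; rules
# continued over several lines with a backslash are not handled here.
build_sidmap() {
    cat "$@" | awk '
        /^[ \t]*#/ { next }
        /msg:[ \t]*"/ && /sid:[ \t]*[0-9]+/ {
            m = $0; sub(/.*msg:[ \t]*"/, "", m); sub(/".*/, "", m)
            s = $0; sub(/.*sid:[ \t]*/, "", s); sub(/[^0-9].*/, "", s)
            print s " || " m
        }' | sort -n
}

# Print each sid that appears more than once in a sid-msg.map and return 1;
# two rules sharing a sid give ambiguous event names in the DB.
sidmap_dups() {
    awk '{ n[$1]++ } END { for (s in n) if (n[s] > 1) { print s; bad = 1 }; exit bad }' "$1"
}

# Pre-start checks for the post's run command:
#   barnyard2 -c CONF -d LOGDIR -f PREFIX -w WALDO
# Prints one reason per failed check and returns 1 if any failed.
barnyard2_preflight() {
    conf=$1; logdir=$2; waldo=$3; prefix=$4; rc=0
    for key in 'config hostname:' 'config interface:' 'output database:'; do
        grep -q "^$key" "$conf" || { echo "$conf: '$key' missing or still commented out"; rc=1; }
    done
    # The DB password is in clear text in the conf: refuse a world-readable file.
    if grep -q '^output database:.*password=' "$conf" && [ "$(ls -l "$conf" | cut -c8)" = r ]; then
        echo "$conf: holds the DB password but is world-readable (chmod 600)"; rc=1
    fi
    [ -f "$waldo" ] || { echo "$waldo: waldo file missing (touch it, owned by the snort user)"; rc=1; }
    ls "$logdir/$prefix".* >/dev/null 2>&1 || { echo "$logdir: no $prefix.* unified2 spool files; is snort writing unified2?"; rc=1; }
    return $rc
}

# Constructed fixture: a small rules file (one rule commented out, one sid
# used twice on purpose), a barnyard2.conf like the post's, an empty waldo
# file and an empty unified2 spool file.
make_demo_env() {
    dir=$1
    mkdir -p "$dir/rules" "$dir/log"
    cat >"$dir/rules/local.rules" <<'EOF'
alert tcp any any -> any 22 (msg:"LOCAL ssh connection"; flow:to_server; sid:1000001; rev:1;)
# alert icmp any any -> any any (msg:"LOCAL disabled rule"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"LOCAL web probe"; content:"GET /admin"; sid:1000003; rev:2;)
alert udp any any -> any 53 (msg:"LOCAL dns query"; sid:1000003; rev:1;)
EOF
    cat >"$dir/barnyard2.conf" <<'EOF'
config hostname: localhost
config interface: eth0
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
EOF
    chmod 600 "$dir/barnyard2.conf"
    : >"$dir/log/barnyard2.waldo"
    : >"$dir/log/snort.log.1328683200"
}

# Stand-alone run on the constructed fixture.
demo=$(mktemp -d)
make_demo_env "$demo"
build_sidmap "$demo/rules/local.rules" >"$demo/sid-msg.map"
cat "$demo/sid-msg.map"
sidmap_dups "$demo/sid-msg.map" || echo "duplicate sids listed above: fix the rules before installing the map"
if barnyard2_preflight "$demo/barnyard2.conf" "$demo/log" "$demo/log/barnyard2.waldo" snort.log; then
    echo "preflight OK"
fi
rm -rf "$demo"
```

For a real sensor, run build_sidmap over /etc/snort/rules/*.rules into /etc/snort/sid-msg.map after each rule update, and call barnyard2_preflight with the same -c/-d/-f/-w values as the start command before adding -D; the checks are the ones that otherwise only show up as a silent barnyard2 exit or empty event names in the DB.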

Performance measured before and after running barnyard2:

 log records written per second went up

 drop rate went down

When log volume is high, barnyard is the way to go.

Posted by applicationlayer