Cấu hình snort 2.9 window

Bước 1: Thực hiện Update Repository
rpm -Uhv http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm (có thể search theo từng giai đoạn cụ thể)
(lưu ý: lệnh trên cài thẳng gói tải qua http; nên tải về, kiểm tra chữ ký GPG rồi mới cài, vì RepoForge hiện không còn được bảo trì)
Bước 2: Cài đặt các gói cần thiết cho snort
#yum -y install libdnet libdnet-devel libpcap libpcap-devel daq gcc make flex bison pcre pcre-devel zlib zlib-devel
#yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd httpd wget pcre pcre-devel
Bước 3: Start dịch vụ http, mysql
#service httpd start
#chkconfig httpd on
#service mysqld start
#chkconfig mysqld on
Down các gói sau & lưu tại Desktop
Các file cài đặt riêng sau
Set eth0: ifconfig eth0 promisc
libdnet-1.12.tgz -> ./configure --with-pic; make && make install; cd /usr/local/lib; ldconfig -v /usr/local/lib
libpcap-1.7.2.tar.gz -> ./configure; make && make install; cd /usr/local/lib; ldconfig -v /usr/local/lib
pcre-8.36.tar.gz

Install, configure daq - Snort & Test
Install daq-2.0.4.tar & Snort 2.9.7.0
cd /usr/local/src
tar -zxvf /root/Desktop/daq-2.0.4.tar.gz
tar -zxvf /root/Desktop/snort-2.9.7.2.tar.gz

cd daq-2.0.4 && ./configure && make && make install
cd /usr/local/lib
ldconfig -v /usr/local/lib
cd ..
cd snort-2.9.7.2 && ./configure --enable-sourcefire (thư mục snort-2.9.7.2 nằm trong /usr/local/src, nên dùng cd /usr/local/src/snort-2.9.7.2)
make && make install
cd /usr/local/lib
ldconfig -v /usr/local/lib

mkdir /etc/snort (tạo thư mục snort nằm trong thư mục /etc)
cd /etc/snort (di chuyển tới thư mục /etc/snort)

cp /usr/local/src/snort-2.9.7.2/etc/* . (copy toàn bộ thư mục /usr/local/src/snort-2.9.7.2/etc/ đến thư mục /etc/snort)

Set mode interface cho eth0: ifconfig eth0 promisc

Install Snortrules-snapshot-2972

cd /etc/snort
tar -zvxf /usr/local/src/snortrules-snapshot-2972.tar.gz

touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules (tạo ra 2 file mới là white_list.rules & black_list.rules nằm trong thư mục /etc/snort/rules)

Tạo user Snort, group, cấp quyền

# groupadd -g 40000 snort (Tạo thêm một group; -g là chỉ số nhóm người dùng, chỉ số này là duy nhất và phải lớn hơn 500, và lớn hơn chỉ số đã có trên hệ thống. Giá trị từ 0-499 chỉ dùng cho các nhóm hệ thống)
useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

Sửa file snort.conf
vi /etc/snort/snort.conf
ipvar HOME_NET any > ipvar HOME_NET 192.168.x.x
ipvar EXTERNAL_NET any > ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules > var RULE_PATH /etc/snort/rules
var SO_RULE_PATH ../so_rules > var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH ../preproc_rules > var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH ../rules > (dòng 109) var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH ../rules > (dòng 110) var BLACK_LIST_PATH /etc/snort/rules
Line #521 - add this line: output unified2: filename snort.log, limit 128
Phân quyền Snort & Start snort
cd /usr/local/src
chown -R snort:snort daq-2.0.4
chmod -R 755 daq-2.0.4
chown -R snort:snort snort-2.9.7.2
chmod -R 755 snort-2.9.7.2
(bản gốc ghi "chown -R 755": chown với một con số sẽ đổi chủ sở hữu sang UID 755 chứ không đổi quyền; lệnh đúng là chmod)
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 755 /usr/local/lib/snort_dynamicrules
cd /usr/local/src/snort-2.9.7.2/rpm

#cp /tmp/snort-2.9.7.2/rpm/snortd /etc/init.d/snort
#cp /tmp/snort-2.9.7.2/rpm/snort.sysconfig /etc/sysconfig/snort
#cp /tmp/snort-2.9.7.2/etc/reference.config /etc/snort/
chmod 777 /etc/init.d/snort (777 cho phép mọi user sửa init script được chạy với quyền root khi boot; 755 là đủ để script thực thi)
chkconfig --add /etc/init.d/snort
chkconfig snort on
service snort start
cd /usr/sbin
ln -s /usr/local/bin/snort snort (Tạo một liên kết mềm (symbolic link) của file snort binary đến /usr/sbin/snort, tập tin snort binary nằm ở đường dẫn /usr/local/bin/snort)

Nếu ko có directory /var/log ta tạo
cd /var/log
mkdir snort
chmod 777 snort
chown -R snort:snort snort

cd /usr/local/lib
chown -R snort:snort snort*
chown -R snort:snort snort_dynamic*
chown -R snort:snort pkgconfig
chmod -R 777 snort*
chmod -R 777 pkgconfig
(bản gốc ghi "chown -R 777", là lỗi đánh máy của chmod; lưu ý 777 làm các thư viện .so mà snort nạp lúc chạy thành world-writable, 755 là đủ)

cd /usr/local/bin
chown -R snort:snort daq-modules-config
chown -R snort:snort u2*
chmod -R 777 daq-modules-config
chmod 777 u2*

cd /etc
chown -R snort:snort snort
chmod -R 777 snort

Test Snort
cd /usr/local/bin
snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
Nếu xảy ra lỗi:
ERROR: /etc/snort/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
Tạo thư mục dynamicrules
mkdir -p /usr/local/lib/snort_dynamicrules
cp /usr/local/src/so_rules/precompiled/RHEL-6-0/i386/2.9.7.2/*so /usr/local/lib/snort_dynamicrules
cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 777 /usr/local/lib/snort_dynamicrules
TEST lại
snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf -- Ok

service snort start/stop/restart

Add rule
# vi /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"Co Nguoi Ping"; sid:1000003;rev:1;)
drop icmp any any -> any any (itype:0;msg:"Chan Ping";sid:1000002;)
alert icmp any any -> $HOME_NET 81 (msg:"Scanning Port 81"; sid:1000001;rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"Scanning Port 22"; sid:1000002;rev:1;)
alert icmp any any -> any any (msg:"UDP Tesing Rule"; sid:1000006;rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test!!!"; classtype:not-suspicious; sid:1000005; rev:1;)
(lưu ý: sid 1000002 được dùng cho hai rule; mỗi rule cần một sid duy nhất, nếu không snort sẽ báo lỗi trùng rule khi nạp)

Test cơ chế hoạt động
snort -c /etc/snort/snort.conf -i eth0 -A console
Trường hợp báo lỗi như dưới đây thì vào lại file snort.conf chỉnh sửa lại dòng thứ (n) như thông báo

Thông báo Báo Thành Công!

Xem File Log Cảnh báo snort
Các cảnh báo sẽ được lưu lại dưới dạng file LOG nằm trong thư mục: cd /var/log/snort

Cấu hình Snort Inline - Để Test

Chuẩn bị 1 máy Centos 6.5. Chuẩn bị 1 máy Attacker. 2 Card mạng: 1 card WAN NAT - 1 card LAN (host). NAT card LAN ra card WAN để bên ngoài ping được
vi /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 7 -j DNAT --to 192.168.1.10:7
1. Configure the Inline Packet Normalization to be enabled. If running Snort in passive mode (IDS), comment/disable Inline Packet Normalization:
## Keep these unchanged. If they are commented out, then uncomment them.
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
2. Configure Snort Policy mode to run in inline (IPS):
## Under Step #2: add the following line
config policy_mode:inline
3. Configure DAQ variables to run AFPacket in inline (IPS) mode:
## Configure DAQ variables for AFPacket
config daq: afpacket
config daq_mode: inline
config daq_dir: /usr/local/lib/daq
config daq_var: buffer_size_mb=128

Xem Kiểm tra

/usr/local/bin/snort -i eth0:eth2 -A console -c /etc/snort/snort.conf -l /var/log/snort/ -Q
Thành công chặn port ping
Thêm rules chặn nmap
vi /etc/snort/rules/local.rules

#-------------
# LOCAL RULES
#-------------
alert tcp any any -> 192.168.1.2/24 any (msg:"Testing ScanPort 80"; sid:1000001;)
alert tcp 192.168.1.3/24 any -> 192.168.1.2/24 any (msg:"Testing ScanPort 22"; sid:1000002;)
alert ip any any -> any any (msg:"IP Testing Rule"; sid:1000003;)
alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000004;)
alert tcp any any -> any any (msg:"TCP Testing Rule"; sid:1000005;)
alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000006;)
alert tcp 192.168.1.3/24 any -> any 80 (msg:"ScanPort 80"; sid:1000007;)
alert tcp 192.168.1.3/24 any -> any 22 (msg:"ScanPort 22"; sid:1000008;)

Snort phát hiện và chặn >>>> Thành công
2. Cài đặt BASE & barnyard2
Buoc 1: Cài đặt các gói phụ thuộc
# pear channel-update pear.php.net
# pear install Numbers_Roman
# pear install channel://pear.php.net/Image_Canvas-0.3.5
# pear install channel://pear.php.net/Image_Graph-0.8.0
Buoc 2: Cấu hình MySQL
mysqladmin -u root password 123456 (mật khẩu đặt ngay trên dòng lệnh sẽ lưu trong shell history và hiện qua ps; nên để mysqladmin/mysql hỏi qua prompt)
# mysql -u root -p
mysql> create database snort;
Query OK, 1 row affected (0.00 sec)
mysql> grant select,insert,update,delete,create on snort.* to snort@localhost;
Query OK, 0 rows affected (0.06 sec)
mysql> set password for snort@localhost=PASSWORD('123456');
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Buoc 3: Cấu hình file snort
#vi /etc/snort/snort.conf
709: output unified2: filename snort.u2, limit 128
Buoc 4: Cài đặt barnyard2
#cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/barnyard2-1.9.tar.gz
# cd /tmp ; wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
# tar -xzvf barnyard2-1.9.tar.gz
# cd barnyard2-1.9
# ./configure --with-mysql
# make && make install
# cp etc/barnyard2.conf /etc/snort/
# mysql -u snort -p123456 snort < schemas/create_mysql
# touch /etc/snort/barnyard2.waldo
# chmod 777 /etc/snort/barnyard2.waldo
# chown snort:snort /etc/snort/barnyard2.waldo

Buoc 5: Chỉnh sửa file cấu hình barnyard2
#mkdir /var/log/barnyard2
#chown snort:snort /var/log/barnyard2/
# vi /etc/snort/barnyard2.conf
29: config reference_file: /etc/snort/reference.config
30: config classification_file: /etc/snort/classification.config
31: config gen_file: /etc/snort/etc/gen-msg.map
32: config sid_file: /etc/snort/etc/sid-msg.map
44: config logdir: /var/log/barnyard2
60: config hostname: localhost
61: config interface: eth0
65: config alert_with_interface_name
164: input unified2
318: output database: alert, mysql, user=snort password=123456 dbname=snort host=localhost
Buoc 6: Chỉnh sửa file init script cho barnyard2
# vi /etc/init.d/snort
(Thêm vào cuối file nội dung sau)
BARNYARD2=/usr/local/bin/barnyard2
start() {
    [ -x $SNORTD ] || exit 5
    echo -n $"Starting $prog: "
    daemon --pidfile=$PID_FILE $SNORTD $LINK_LAYER $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF && success || failure
    RETVAL=$?
    $BARNYARD2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /etc/snort/barnyard2.waldo -u snort -g snort -D
    [ $RETVAL -eq 0 ] && touch $lockfile
    echo
    return $RETVAL
}
(RETVAL được lấy trước khi gọi barnyard2, nên trạng thái trả về của start() chỉ phản ánh snort; barnyard2 khởi động lỗi sẽ không làm service báo fail)
stop() {
    echo -n $"Stopping $prog: "
    killproc $SNORTD
    killproc $BARNYARD2
    if [ -e $PID_FILE ]; then
        chown -R $USER:$GROUP /var/run/snort_eth0.* && rm -f /var/run/snort_eth0.pi*
    fi
    RETVAL=$?
    if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
        trap TERM
        killall $prog 2>/dev/null
        trap TERM
    fi
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    echo
    return $RETVAL
}

Restart dịch vụ snort
# /etc/init.d/snort restart
Buoc 8: Install Base
# cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/base-1.4.5.tar.gz
# tar -xzvf base-1.4.5.tar.gz
# cp -r base-1.4.5/ /var/www/base
# cd /var/www/base/
# cp base_conf.php.dist base_conf.php
Buoc 9: Chỉnh sửa file cấu hình base_conf
# vi base_conf.php
50: $BASE_urlpath = '/base';
80: $DBlib_path = '/var/www/adodb';
102: $alert_dbname = 'snort';
103: $alert_host = 'localhost';
104: $alert_port = '3306';
105: $alert_user = 'snort';
106: $alert_password = '123456';
Buoc 10: Cấu hình Apache
# vi /etc/httpd/conf.d/base.conf
Alias /base /var/www/base/

<Directory /var/www/base>
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Snort IDS"
    AuthType Basic
    AuthUserFile /etc/snort/base.passwd
    Require valid-user
</Directory>
(khối Directory bao quanh các chỉ thị trên bị mất khi trích xuất văn bản; đường dẫn lấy theo dòng Alias ở trên)

Buoc 11: Tạo password truy cập vào web Base
#htpasswd -c /etc/snort/base.passwd snortadmin
Buoc 12: Tạo file log barnyard2
#mkdir /var/log/barnyard2/
#chown -R snort:snort /var/log/barnyard2/
Buoc 13: Download adodb và thực hiện gán quyền truy cập

# cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/adodb519.tar.gz
#tar -zxvf adodb519.tar.gz
#mv adodb5 /var/www/adodb
#chown -R snort:snort /var/www/adodb
#chmod -R 775 /var/www/adodb
Buoc 14: Restart apache, mysql
#service httpd restart
#service mysqld restart
Buoc 13: Chạy snort và barnyard
# snort -c /etc/snort/snort.conf -i eth0 -A console

# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.u2Buoc 15: ng nhp vo web http://your-ip/base/base_db_setup.phpUser ng nhp snortadmin password 123456. Click create BASE AG103.Ci t SnortSamBuoc 1: Ci t Libtool#yum -y install libtool#cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/libtool-2.4.2.tar.gz#tar -zxvf libtool-2.4.2.tar.gz#cd libtool-2.4.2#./configure -prefix=/usr#make && make installBuoc 2: Download SnortSam#cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/snortsam-src-2.70.tar.gz#tar -zxvf snortsam-src-2.70.tar.gz# cd snortsam#chmod +x makesnortsam.sh# sh ./makesnortsam.sh# cp snortsam /usr/binBuoc 2: Update cu hnh cho Snort#cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/snortsam-2.8.4.1.diff# cd snort-2.8.4.1# patch -p1 < /tmp/snortsam-2.8.4.1.diff#chmod +x autojunk.sh#sh ./autojunk.sh#aclocal -I m4 --install#cp ./m4/libprelude.m4 /usr/share/aclocal#autoreconf -fvi -I ./m4#aclocal#autoheader11#automake --add-missing#autoconf# autoreconf --force --install#./configure --enable-zlib-enable-sourcefire# ./configure --enable-sourcefire --enable-ipv6 --enable-dynamicplugin --with-mysql#make && make installBuoc 4: Cu hnh Snortsam#cp /tmp/snortsam/conf/snortsam.conf.sample /etc/snortsam.conf#vi /etc/snortsam.conf(Chnh sa cc thng s sau, thm vo cui file)accept 192.168.2.0/24logfile /var/log/snortsamloglevel 3daemonfwsam 192.168.2.254iptables eth0Buoc 5:Chnh sa file cu hnh snort.conf#vi /etc/snort/snort.conf(Thm vo dng sau)output alert_fwsam: 192.168.2.254:898Buoc 6: Chnh sa cc rule - Rule pht hin v chng DOS vi dng ping of death#vi /etc/snort/rules/icmp.rulesalert icmp any any -> $HOME_NET any (msg:Phat hien tan cong Ping of Death; dsize:>200;sid: 1000004;fwsam:src, 30 minutes;) - Rule pht hin v chng SCAN bng nmap#vi /etc/snort/rules/scan.rulesalert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless;flags:F,12; reference:arachnids,27; classtype:attempted-recon; 
sid:621; rev:7;fwsam:src,1months;)alert tcp any any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless;flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7;fwsam:src, 1 months;)Buoc 7: Bt tnh nng ip_forward12#echo 1 >/proc/sys/net/ipv4/ip_forward#vi /etc/sysctl.conf7:net.ipv4.ip_forward = 1Bc 8: Tt SELINUX#vi /etc/selinux/config7:SELINUX=disabledBuoc 9: Restart Server#init 6Buoc 10: Start dch v snortsam#snortsam /etc/snortsam.conf13IV- Kch bn test chng trnh Khi ng barnyard2#barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.u2 - Khi ng Snort#snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 - Khi ng Snortsam#snortsam /etc/snortsam141. Attaker thc hin scan network bng cng c nmapDowload cng c namp t http://nmap.org/dist/nmap-5.21-setup.exeBuoc 1: Thc hin scan mngS dng nmap scan web Server 192.168.2.5Buoc 2:Xem log Snortsam#tail f /var/log/snortsam15Ta thy snortsam kt ni vi firewall iptables kha ip attacker 10.10.10.2Buoc 3: Xem trn giao din web: http://192.168.2.254/base/16Ta thy trn giao din hin ln cnh bo SCAN nmap XMASRule s dng pht hin:alert tcp any any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless;flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7; fwsam:src,2 months;)Vi rule ny th ip ca attacker s b kha trong thi gian l 2 thng.2. Attaker thc hin tn cng DOS Ping of death27 kch bn th nht ip 10.10.10.2 ca attcker b kha v b 1 rule ca snort pht hin. Dovy kch bn ny a ch ip ca my attacker s phi thay i c th tip tc tn cng. 
Ip của attacker theo bài lab này sẽ đổi thành 10.10.10.10. Dùng lệnh ifconfig trên Backtrack để xem ip:
Buoc 1: Attacker sử dụng công cụ hping3 gửi nhiều gói tin với kích thước lớn đến Web Server.
Buoc 2: Kiểm tra trên iptables
Ta thấy iptables khóa (DROP) ip 10.10.10.10 của Attacker.
Buoc 4: Xem trên giao diện web: http://192.168.2.254/base/
Ta thấy có cảnh báo Ping of Death Detected trên web.
Rule được dùng để phát hiện:
alert icmp any any -> any any (msg:"Ping of Death Detected"; dsize:>1000; itype:8; icode:0; detection_filter:track by_src, count 30, seconds 1; sid:31047; classtype:denial-of-service; rev:3; fwsam:src, 30 minutes)
Ghi chú: Snort có rất nhiều rule phát hiện xâm nhập. Việc test các rule khác cũng tương tự như các bước trên.

1. Cài đặt wget
#yum install wget -y
2. Thay thế file yum.repos.d
#mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
#wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
(file repo được tải qua http từ mirror bên thứ ba và sẽ quyết định nguồn gói của cả hệ thống; xem lại nội dung file và giữ gpgcheck=1 trước khi chạy yum)
#yum clean all
#yum makecache
3. Update file hệ thống
#yum -y update (phiên bản mới 6.6)
4. Cài đặt epel
#yum install epel-release
1. Cài đặt LAMP
#yum install httpd mysql-server php php-mysql php-mbstring php-mcrypt mysql-devel
2. Cài đặt php
#yum install mcrypt libmcrypt libmcrypt-devel
3. Cài đặt pear
#yum install php-pear
#pear upgrade pear
#pear channel-update pear.php.net
#pear install mail
#pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
#pear install mail_mime
4. Giải nén phpmyadmin

#tar zxvf phpMyAdmin-4.4.6.1-english.tar.gz -C /var/www/html
#mv /var/www/html/phpMyAdmin-4.4.6.1-english /var/www/html/phpmyadmin
5. Giải nén adodb
#tar zxvf adodb519.tar.gz -C /var/www/html
#mv /var/www/html/adodb5 /var/www/html/adodb
6. Giải nén base
#tar zxvf base-1.4.5.tar.gz -C /var/www/html
#mv /var/www/html/base-1.4.5 /var/www/html/base
7. Sửa file php.ini
#vi /etc/php.ini
error_reporting = E_ALL & ~E_NOTICE
8. Sửa file phpmyadmin
#vi /var/www/html/phpmyadmin/libraries/config.default.php
$cfg['blowfish_secret'] = ''; thay bằng $cfg['blowfish_secret'] = '123456';
(blowfish_secret dùng để mã hóa cookie đăng nhập của phpMyAdmin; nên đặt một chuỗi ngẫu nhiên dài thay vì giá trị dễ đoán)
9. Phân quyền thư mục /var/www/html
#chown -R apache:apache /var/www/html
10. Cài đặt adodb5
#chmod 755 /var/www/html/adodb
11. Cài đặt mysql
Giải nén barnyard2
#tar zxvf barnyard2-1.9.tar.gz
#service mysqld start
# mysqladmin -u root password 123456
#mysql -uroot -p
>create database snort;
>grant create,select,update,insert,delete on snort.* to snort@localhost identified by '123456';
>exit
#mysql -usnort -p -Dsnort < /tmp/barnyard2-1.9/schemas/create_mysql
12. Cài đặt base
#service mysqld start
#service httpd start
#service iptables stop
Truy cập theo đường dẫn: http://172.16.100.131/base/setup/index.php
5. Create BASE AG

Cài đặt snort + barnyard2
1. Cài các trình biên dịch
#yum install gcc flex bison zlib libpcap tcpdump gcc-c++ pcre* zlib* libdnet libdnet-devel
2. Cài đặt libdnet
# tar zxvf libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure && make && make install
3. Cài đặt libpcap
# tar zxvf libpcap-1.7.2.tar.gz
# cd libpcap-1.7.2
# ./configure && make && make install
4. Cài đặt DAQ
# tar zxvf daq-2.0.4.tar.gz
# cd daq-2.0.4
# ./configure && make && make install

4.1. Set mode interface cho eth0: #ifconfig eth0 promisc

5. Giải nén snort
#tar zxvf snort-2.9.7.2.tar.gz
#cd snort-2.9.7.2
# ./configure --enable-sourcefire && make && make install
6. Cài đặt snort
Tạo các thư mục cần thiết
#mkdir /etc/snort
#mkdir /var/log/snort
#mkdir /usr/local/lib/snort_dynamicrules
#mkdir /etc/snort/rules
#touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
#cp /tmp/snort-2.9.7.2/etc/gen-msg.map threshold.conf classification.config reference.config unicode.map snort.conf /etc/snort (các file còn lại cũng nằm trong /tmp/snort-2.9.7.2/etc/; chạy lệnh từ thư mục đó hoặc ghi đầy đủ đường dẫn)
Sửa file cấu hình snort
#vi /etc/snort/snort.conf
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
config logdir: /var/log/snort
output unified2: filename snort.log, limit 128
7. Giải nén
#tar zxvf snortrules-snapshot-2972.tar.gz -C /etc/snort/
#cp /etc/snort/etc/sid-msg.map /etc/snort/
8. Test snort
# snort -T -i eth0 -c /etc/snort/snort.conf
9. Cài đặt barnyard2
#cd /tmp/barnyard2-1.9
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/ (64 bit)
# ./configure --with-mysql (32bit)
# make && make install
10. Tạo file và liên kết barnyard2
# mkdir /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo
# cp /tmp/barnyard2-1.9/etc/barnyard2.conf /etc/snort
Sửa file barnyard2.conf
# vi /etc/snort/barnyard2.conf
config logdir: /var/log/barnyard2
config hostname: localhost
config interface: eth0
config waldo_file: /var/log/snort/barnyard2.waldo
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
11. Test barnyard2
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
Test rule snort
1. Add rule vào local.rules
#vi /etc/snort/rules/local.rules
alert icmp any any -> any any (msg: "IcmP Packet detected";sid:1000001;)
2. Khởi động lại các dịch vụ và test snort và barnyard2
#service mysqld start
#service httpd start
#service iptables stop (stop iptables mở toàn bộ host ra mạng; chỉ cần mở port 80 cho BASE là đủ)
#barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
#snort -c /etc/snort/snort.conf -i eth0 -D
# cd /usr/local/lib
# snort v
# snort -c /etc/snort/snort.conf -l /var/log/snort/
# /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g root -D (nên chạy với -u snort -g snort như các bước trước thay vì nhóm root)

3. Xem giao diện