Snort + Barnyard2 + Snorby environment setup

1. Environment

ubuntu-14.04.5
daq-2.0.7
Snort-2.9.15.1
Barnyard2
snorby
MySQL
Docker

2. Architecture

 

3. Installation steps

Ubuntu configuration

  If this is a freshly installed Ubuntu system, run the following steps; otherwise they can be skipped, depending on your actual environment.

sudo apt-get update
sudo apt-get dist-upgrade -y
sudo apt-get install -y openssh-server
sudo reboot

Install Snort dependencies

  Snort requires the following to be installed before it will run: libpcap, PCRE, libdnet and DAQ.

sudo apt-get install -y build-essential
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev
sudo apt-get install -y bison flex
mkdir ~/snort_src
cd ~/snort_src

Install DAQ (Data AcQuisition library)

cd ~/snort_src
wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
tar -xvzf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure
make
sudo make install
# Snort 2.9.x also needs zlib, liblzma, OpenSSL and libnghttp2:
sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
# On Ubuntu 16 run this (skip on Ubuntu 14):
sudo apt-get install -y libnghttp2-dev
# On Ubuntu 14 run the following instead (skip on Ubuntu 16) and build nghttp2 from source:
sudo apt-get install -y autoconf libtool pkg-config
cd ~/snort_src
wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-1.17.0.tar.gz
tar -xzvf nghttp2-1.17.0.tar.gz
cd nghttp2-1.17.0
autoreconf -i --force
automake
autoconf
./configure --enable-lib-only
make
sudo make install

Install Snort

cd ~/snort_src
wget https://snort.org/downloads/snort/snort-2.9.15.1.tar.gz
tar -xvzf snort-2.9.15.1.tar.gz
cd snort-2.9.15.1
./configure --enable-sourcefire
make
sudo make install

Post-installation configuration

sudo ldconfig
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
  If we do not want to run Snort as root, we need to create a separate account for it, create the files and directories Snort uses, and set their permissions. Snort uses the following directories: /etc/snort holds the configuration and rule files; /var/log/snort/ holds the alert logs; /usr/local/lib/snort_dynamicrules/ holds the dynamic (shared-object) rules.
# Create the snort user and group:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules

# Create some files that stores rules and ip lists
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map

# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs

# Adjust permissions (5775 sets the setgid bit so new files inherit the snort group;
# note that this also makes the directories group-writable):
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

# Change Ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

cd ~/snort_src/snort-2.9.15.1/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort_src/snort-2.9.15.1/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

# Comment out every rule include; only the rule files we actually need are re-enabled below.
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
sudo vi /etc/snort/snort.conf
  Change line 45 to your own network address (line numbers refer to the stock snort.conf shipped with Snort 2.9.15.1):
ipvar HOME_NET 10.0.0.0/24
  Change line 104 as follows:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

Change line 110 as follows:
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
  Remove the comment from line 546:
include $RULE_PATH/local.rules

Install Barnyard2

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
  Change line 521 of /etc/snort/snort.conf so that Snort writes unified2 files for Barnyard2 to read:

# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.u2, limit 128
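The snort.conf edits above are made by hand at fixed line numbers, which shift between snort.conf versions. As an added example (not part of the original post or of the Snort project), the script below applies the same changes by pattern with sed, comments out every rule include and re-enables only local.rules, adds the unified2 output line for Barnyard2 when no active one exists, and then verifies each edit. It assumes a snort.conf laid out like the stock Snort 2.9.x file and GNU sed; the sample configuration it builds when run without arguments is constructed here for the demonstration and is not the real file.

```shell
#!/usr/bin/env bash
# Added example: apply this guide's snort.conf edits by pattern rather than by line
# number, then verify them. Not from the original post; assumes the stock Snort 2.9.x
# snort.conf layout and GNU sed. Run with no arguments to exercise it on a constructed
# sample; run as  ./snortconf.sh /etc/snort/snort.conf 10.0.0.0/24  for the real file.
set -e

# Constructed sample of the relevant stock snort.conf lines (demo and tests only).
build_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF
}

# $1 = path to snort.conf, $2 = HOME_NET in CIDR form
configure_snort_conf() {
    local conf="$1" home_net="$2"
    sed -i -E "s|^ipvar HOME_NET .*|ipvar HOME_NET ${home_net}|" "$conf"
    sed -i -E 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' "$conf"
    sed -i -E 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' "$conf"
    sed -i -E 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' "$conf"
    sed -i -E 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /etc/snort/rules/iplists|' "$conf"
    sed -i -E 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /etc/snort/rules/iplists|' "$conf"
    # Comment out every rule include (anchored at column 1, so lines that are already
    # commented are left alone), then re-enable only local.rules.
    sed -i -E 's|^include \$RULE_PATH/|#include $RULE_PATH/|' "$conf"
    sed -i -E 's|^#include \$RULE_PATH/local\.rules|include $RULE_PATH/local.rules|' "$conf"
    # Add the unified2 output for barnyard2 after the commented-out default, only once.
    if ! grep -q '^output unified2:' "$conf"; then
        sed -i -E '/^# output unified2: filename merged\.log/a output unified2: filename snort.u2, limit 128' "$conf"
    fi
}

# Returns 0 when every expected line is present and no other rule file is still included.
verify_snort_conf() {
    local conf="$1" home_net="$2" failed=0 pattern
    for pattern in \
        "^ipvar HOME_NET ${home_net}\$" \
        '^var RULE_PATH /etc/snort/rules$' \
        '^var SO_RULE_PATH /etc/snort/so_rules$' \
        '^var PREPROC_RULE_PATH /etc/snort/preproc_rules$' \
        '^var WHITE_LIST_PATH /etc/snort/rules/iplists$' \
        '^var BLACK_LIST_PATH /etc/snort/rules/iplists$' \
        '^include \$RULE_PATH/local\.rules$' \
        '^output unified2: filename snort\.u2, limit 128$'
    do
        if grep -q -E "$pattern" "$conf"; then
            echo "ok      $pattern"
        else
            echo "MISSING $pattern"; failed=1
        fi
    done
    if grep -E '^include \$RULE_PATH/' "$conf" | grep -v -q 'local\.rules'; then
        echo "FAIL    rule files other than local.rules are still included"; failed=1
    fi
    return $failed
}

main() {
    local conf="${1:-}" home_net="${2:-10.0.0.0/24}" tmp="" rc=0
    if [ -z "$conf" ]; then          # no file given: demo on the constructed sample
        tmp=$(mktemp); conf=$tmp; build_sample_conf "$conf"
    fi
    configure_snort_conf "$conf" "$home_net"
    verify_snort_conf "$conf" "$home_net" || rc=$?
    [ -n "$tmp" ] && rm -f "$tmp"
    return $rc
}
main "$@"
```

Running it twice against the same file is safe: the include rewrite is anchored at column 1 and the unified2 line is only appended when no active `output unified2:` line exists, so re-running after a package upgrade does not duplicate settings. After the real file has been edited, `sudo snort -T -c /etc/snort/snort.conf` remains the authoritative check that Snort can parse the result.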
cd ~/snort_src
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-Master.tar.gz
tar zxvf barnyard2-Master.tar.gz
cd barnyard2-master
autoreconf -fvi -I ./m4
# Ubuntu packages libdnet as libdumbnet; barnyard2's build looks for dnet.h
sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
sudo make install
sudo cp ~/snort_src/barnyard2-master/etc/barnyard2.conf /etc/snort/
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort:snort /var/log/barnyard2

# the waldo file records how far into the unified2 files barnyard2 has read
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo
  Add the following as the last line of /etc/snort/barnyard2.conf. The database is snort; if Snorby is installed, set it to snorby.

output database: log, mysql, user=<MySQL user> password=<MySQL password> dbname=snort host=localhost sensor_name=sensor01
# the file now contains the database password, so make it unreadable to other users
sudo chmod o-r /etc/snort/barnyard2.conf
  Run command

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u root
  Note that -u root keeps Barnyard2 running as root; to drop to the snort user created above, pass -u snort instead (barnyard2.conf must then be readable by that user, for example via the snort group).

Install Snorby

  On Ubuntu, Docker can be installed with the automatic installation script; once it finishes, Docker is ready to use. (The script is piped straight from the network into bash, so download and review it first on anything other than a throwaway lab host.)

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
  After Docker is installed, install Snorby.

docker pull troptop/docker-snorby
  Configure the container parameters; for their meaning see: link
docker run -d --name snorby -p 80:80 --env="MYSQL_HOST=database_ip" --env="MYSQL_USER=snorby" --env="MYSQL_PASSWORD=snorby" --env="MYSQL_DBNAME=snorby" --env="INSTALLDB" --env="MYSQL_ADMIN=root" --env="MYSQL_ADMINPASS=rootpassword" troptop/docker-snorby
  Replace database_ip, the snorby password and rootpassword with your own values; credentials passed with --env are visible to anyone who can run docker inspect on the host, so do not reuse them elsewhere.
  Enter the container and check development.log in the log folder to see whether the web service started successfully.
docker exec -it snorby bash
  Finally, open the Docker gateway address in a browser to log in to Snorby.

Problems

'aclocal-1.15' is missing on your system

cd ~/snort_src
wget http://ftp.gnu.org/gnu/automake/automake-1.15.tar.gz
tar -xvzf automake-1.15.tar.gz
cd automake-1.15
./configure --docdir=/usr/share/doc/automake-1.15
make
sudo make install

Autoconf 2.65 or better is required


wget http://ftp.gnu.org/gnu/autoconf/autoconf-2.68.tar.gz
tar xzf autoconf-2.68.tar.gz
cd autoconf-2.68
./configure
make
sudo make install

LuaJIT library not found.

wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
make
sudo make install

possibly undefined macro: AC_PROG_LIBTOOL

# copy the system's aclocal macros into the aclocal directory of the automake that was built from source above
sudo cp -rf /usr/share/aclocal/* /usr/local/share/aclocal/

Cannot connect to the database

1. The database does not allow remote connections.

mysql> grant all on *.* to root@'%' identified by '123456' with grant option;
mysql> flush privileges;
  This grant works, but it exposes a root account with full privileges and a trivial password to every host that can reach port 3306. Use it only on an isolated lab network; on anything else create a dedicated account restricted to the sensor's address and to the snort or snorby database.

2. Change the MySQL configuration file (the [mysqld] section).

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address            = 127.0.0.1  # change this to the host's address
/etc/init.d/mysql restart   # restart the MySQL service
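The grant above and the `output database:` line in barnyard2.conf are the two places where the database credentials live, and the host in each means a different thing: the grant names the address the sensor connects from, the Barnyard2 line names the address the database server listens on. As an added example (not from the original post or from the Barnyard2 project), the shell functions below generate a least-privilege replacement for the root@'%' grant, restricted to one sensor address and one database, refuse wildcard hosts and weak or default passwords, build the matching Barnyard2 output line from the same parameters, and install it into a barnyard2.conf with mode 0640. The privilege set (SELECT, INSERT, UPDATE on the one database) is an assumption about what Barnyard2's schema needs; confirm it against your schema before relying on it. The addresses, user name and password in the demo call are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of Barnyard2: replace
#   grant all on *.* to root@'%' identified by '123456' with grant option;
# with a dedicated account that can only touch the snort/snorby database from the
# sensor's address, and wire the same credentials into barnyard2.conf safely.
# Assumption: Barnyard2 only needs SELECT, INSERT and UPDATE on its own database.
set -e

# Print the SQL an administrator runs once in the mysql client.
# $1 database, $2 user, $3 host the SENSOR connects from, $4 password
barnyard2_grant_sql() {
    local db="$1" user="$2" host="$3" pass="$4"
    case "$host" in
        ''|*'%'*) echo "refusing wildcard/empty host '$host': name the sensor address" >&2; return 1 ;;
    esac
    case "$pass" in
        *"'"*|*'\'*) echo "refusing password containing a quote or backslash" >&2; return 1 ;;
        123456|password|snort|snorby|root) echo "refusing default password" >&2; return 1 ;;
    esac
    if [ "${#pass}" -lt 16 ]; then
        echo "refusing password shorter than 16 characters" >&2; return 1
    fi
    # CREATE USER (rather than GRANT ... IDENTIFIED BY) works on MySQL 5.5 through 8.x.
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
    printf "FLUSH PRIVILEGES;\n"
}

# Build the barnyard2.conf output line from the same parameters.
# $1 database, $2 user, $3 host the DATABASE SERVER listens on, $4 password, $5 sensor name
barnyard2_output_line() {
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=%s sensor_name=%s\n' \
        "$2" "$4" "$1" "$3" "$5"
}

# Append the output line to a barnyard2.conf and make the file unreadable to "other",
# since it now carries the database password. $1 conf path, rest as for barnyard2_output_line.
install_barnyard2_output() {
    local conf="$1"; shift
    if grep -q '^output database:' "$conf" 2>/dev/null; then
        echo "$conf already has an output database line; not adding another" >&2; return 1
    fi
    barnyard2_output_line "$@" >> "$conf"
    chmod 640 "$conf"
    [ "$(stat -c %a "$conf")" = "640" ]
}

# Demo with placeholder values: sensor 10.0.0.5 writes to a database server on 10.0.0.2.
demo() {
    local pass='replace-with-a-long-random-secret'
    barnyard2_grant_sql snorby barnyard2 10.0.0.5 "$pass"
    barnyard2_output_line snorby barnyard2 10.0.0.2 "$pass" sensor01
}
demo
```

Pipe the SQL into `mysql -u root -p` once on the database host, then use `install_barnyard2_output /etc/snort/barnyard2.conf ...` on the sensor; with this account in place the bind-address change above is still needed, but the database no longer accepts a privileged login from arbitrary hosts.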

  automake version mismatch: building DAQ requires automake 1.15, while building Snort requires automake 1.13.4; unless you switch between them, the build fails.