Chinaunix
标题:
EasyIDS snort with 2 sensors
[打印本页]
作者:
ac57
时间:
2008-11-28 16:20
标题:
EasyIDS snort with 2 sensors
在网上找到一个开源的IDS集成——easyids,它把 CentOS(4.6),snort,base,ntop,web界面管理等都自动集和在一起,如果只有单独一个网络要监听,从它网站下载ISO,自动装上,配下管理用的网卡就能使了,还可以通过 Web 编辑 rules 很方便。 它的网站是\r\n
http://www.skynet-solutions.net/easyids/
大家感兴趣的可以先看看。\r\n\r\n我的试验情况就不同了,我监听了两个网段,需要两个sensor,所以我在它的基础上做了些修改,需要监听多网段的朋友也可以交流下。\r\n网卡的配置就不说了。\r\n\r\n首先关闭 snort 和 barnyard服务,休改init.d下的 snort 服务脚本,\r\n\r\n它源文件是\r\n\r\n#!/bin/sh\r\n#\r\n# chkconfig: 2345 99 82\r\n# description: Starts and stops the snort intrusion detection system\r\n#\r\n# config: /etc/snort/snort.conf\r\n# processname: snort\r\n\r\n# Source function library\r\n. /etc/rc.d/init.d/functions\r\n\r\nBASE=snort\r\nDAEMON=\"-D\"\r\nINTERFACE=\"-i eth1\"\r\nCONF=\"/etc/snort/snort.conf\"\r\nUSER=\"-u snort -g snort\"\r\n\r\n# Check that $BASE exists.\r\n[ -f /usr/local/bin/$BASE ] || exit 0\r\n\r\n# Source networking configuration.\r\n. /etc/sysconfig/network\r\n\r\n# Check that networking is up.\r\n[ ${NETWORKING} = \"no\" ] && exit 0\r\n\r\nRETVAL=0\r\n# See how we were called.\r\ncase \"$1\" in\r\n start)\r\n if [ -n \"`/sbin/pidof $BASE`\" ]; then\r\n echo -n $\"$BASE: already running\"\r\n echo \"\"\r\n exit $RETVAL\r\n fi\r\n echo -n \"Starting snort service: \"\r\n /usr/local/bin/$BASE $INTERFACE $USER -c $CONF $DAEMON\r\n sleep 1\r\n action \"\" /sbin/pidof $BASE\r\n RETVAL=$?\r\n [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort\r\n ;;\r\n stop)\r\n echo -n \"Shutting down snort service: \"\r\n killproc $BASE\r\n RETVAL=$?\r\n echo\r\n [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort\r\n ;;\r\n restart|reload)\r\n $0 stop\r\n $0 start\r\n RETVAL=$?\r\n ;;\r\n status)\r\n status $BASE\r\n RETVAL=$?\r\n ;;\r\n *)\r\n echo \"Usage: snort {start|stop|restart|reload|status}\"\r\n exit 1\r\nesac\r\n\r\nexit $RETVAL\r\n\r\n\r\n我的修改\r\n#!/bin/sh\r\n。。。。。。\r\nINTERFACE1=\"-i eth1\"\r\nINTERFACE2=\"-i eth2\"\r\n。。。。。。\r\n start)\r\n。。。。。\r\n\r\n /usr/local/bin/$BASE $INTERFACE1 $USER -c $CONF -l /var/log/snort/eth1/ $DAEMON\r\n /usr/local/bin/$BASE $INTERFACE2 $USER -c $CONF -l /var/log/snort/eth2/ $DAEMON\r\n。。。。。\r\n\r\n当然要在 /var/log/snort/下建 eth1、eth2目录,所有者改为 snort ,这样 分别把snort监听两个网卡输出的log分离便于barnyard处理,还可以修改CONF为两个不同路径的snort.conf,这样修改相应的snort.conf,两个网段可以采不同的rules\r\n\r\n其次是barnyard\r\n源文件是\r\n#!/bin/sh\r\n#\r\n# chkconfig: 2345 99 82\r\n# description: Starts and stops the barnyard fast output system \r\n#\r\n# config: /etc/snort/barnyard.conf\r\n# processname: barnyard\r\n\r\n# Source function library\r\n. /etc/rc.d/init.d/functions\r\n\r\nBASE=barnyard\r\nDAEMON=\"-D\"\r\nGENMAP=\"/etc/snort/gen-msg.map\"\r\nSIDMAP=\"/etc/snort/sid-msg.map\"\r\nWALDO=\"/etc/snort/bylog.waldo\"\r\nCONF=\"/etc/snort/barnyard.conf\"\r\nLOGDIR=\"/var/log/snort\"\r\nLOGFILE=\"snort.log\"\r\n\r\n# Check that $BASE exists.\r\n[ -f /usr/local/bin/$BASE ] || exit 0\r\n\r\n# Source networking configuration.\r\n. /etc/sysconfig/network\r\n\r\n# Check that networking is up.\r\n[ ${NETWORKING} = \"no\" ] && exit 0\r\n\r\nRETVAL=0\r\n# See how we were called.\r\ncase \"$1\" in\r\n start)\r\n if [ -n \"`/sbin/pidof $BASE`\" ]; then\r\n echo -n $\"$BASE: already running\"\r\n echo \"\"\r\n exit $RETVAL\r\n fi\r\n echo -n \"Starting barnyard service: \"\r\n /usr/local/bin/$BASE -c $CONF -g $GENMAP -s $SIDMAP -d $LOGDIR -f $LOGFILE -w $WALDO $DAEMON\r\n sleep 1\r\n action \"\" /sbin/pidof $BASE\r\n RETVAL=$?\r\n [ $RETVAL -eq 0 ] && touch /var/lock/subsys/barnyard\r\n ;;\r\n stop)\r\n echo -n \"Shutting down barnyard service: \"\r\n killproc $BASE\r\n RETVAL=$?\r\n echo\r\n [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/barnyard\r\n ;;\r\n restart|reload)\r\n $0 stop\r\n $0 start\r\n RETVAL=$?\r\n ;;\r\n status)\r\n status $BASE\r\n RETVAL=$?\r\n ;;\r\n *)\r\n echo \"Usage: barnyard {start|stop|restart|reload|status}\"\r\n exit 1\r\nesac\r\n\r\nexit $RETVAL\r\n\r\n我的修改\r\n\r\n#!/bin/sh\r\n。。。。。。\r\nWALDO1=\"/etc/snort/eth1/bylog.waldo\"\r\nWALDO2=\"/etc/snort/eth2/bylog.waldo\"\r\nCONF1=\"/etc/snort/eth1/barnyard.conf\"\r\nCONF2=\"/etc/snort/eth2/barnyard.conf\"\r\nLOGDIR1=\"/var/log/snort/eth1\"\r\nLOGDIR2=\"/var/log/snort/eth2\"\r\n。。。。。。\r\n start)\r\n。。。。。\r\n\r\n /usr/local/bin/$BASE -X /var/run/by_eth1.pid -c $CONF1 -g $GENMAP -s $SIDMAP -d $LOGDIR1 -f $LOGFILE -w $WALDO1 $DAEMON\r\n /usr/local/bin/$BASE -X /var/run/by_eth2.pid -c $CONF2 -g $GENMAP -s $SIDMAP -d $LOGDIR2 -f $LOGFILE -w $WALDO2 $DAEMON\r\n。。。。。\r\n\r\n因为barnyard.conf 中只能设唯一的Interface作为 Sensor, 我在/etc/snort/ 下建 eth1、eth2,copy barnyard.conf和bylog.waldo到里面,修改eth1的barnyard.conf, config interface: eth1和output alert_acid_db: mysql, sensor_id 1,修改eth2中的barnyard.conf,config interface: eth2和output alert_acid_db: mysql, sensor_id 2,还要修改两个bylog.walo,我们先执行 snort -i eth1 -u snort -g snort -c /var/snort/snort.conf -l /var/log/snort/eth1/ -v ,ctrl + C 结束,在执行 snort -i eth2 -u snort -g snort -c /var/snort/snort.conf -l /var/log/snort/eth2/ -v ,ctrl + C 结束。\r\n会在 /var/log/snort/eth1 和 /var/log/snort/eth2 下生成 如 snort.log.1227597433的文件,那eth1的bylog.walo为\r\n/var/log/snort/eth1\r\nsnort.log\r\n1227597433\r\n0\r\neth2的bylog.walo修改类似。\r\n\r\n重新启动 snort 和 barnyard 服务,这样snort 就可以监听两个sensor, 更多sensor 修改类似,多加几个 interface 而已,不过好像最多能监控4个 sensor,如果超过四个,我建议把几个监听网卡做 bonding 。
欢迎光临 Chinaunix (http://bbs.chinaunix.net/)
Powered by Discuz! X3.2