0x01、安装CentOS
2 设置epel源
yum install epel-release
#mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
#wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
#yum clean all
#yum makecache
3 安装依赖包
yum -y install gcc-c++ patch readline readline-devel zlib zlib-devel git-core libyaml-devel libffi-devel openssl-devel make libpcap-devel pcre-devel libyaml-devel file-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar libnetfilter_queue-devel lua-devel mysql-devel fontconfig-devel libX11-devel libXrender-devel libxml2-devel libxslt-devel qconf
0x02 安装重要的依赖包
1 ImageMagick # 成功安装, 另外打开新的一个terminalcd /opt/
wget https://www.imagemagick.org/download/ImageMagick-6.9.6-5.tar.gz
tar xvfz ImageMagick-6.9.6-5.tar.gz && cd ImageMagick-6.9.6-5
./configure && make && make install
ldconfig /usr/local/lib
2 yaml # 成功安装, 另外打开新的一个terminal
cd /opt/
wget http://pyyaml.org/download/libyaml/yaml-0.1.4.tar.gz
tar zxvf yaml-0.1.4.tar.gz && cd yaml-0.1.4
./configure && make && make install
3 libhtp
cd /opt/
wget -O libhtp-0.5.20.tar.gz https://codeload.github.com/OISF/libhtp/tar.gz/0.5.20
tar zxvf libhtp-0.5.20.tar.gz && cd libhtp-0.5.20
./autogen.sh
./configure && make && make install
0x03 mysql 的配置运行
# yum install mysql mysql-devel mysql*service mysqld start #启动mysql服务
chkconfig mysqld on #设置开机启动mysqld服务
mysqladmin -u root password 'youaresb!!!'
0x04 安装Ruby
curl -L get.rvm.io | bash -s stablecommand curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -#导入证书
source /etc/profile.d/rvm.sh
rvm install 2.0.0
# rvm use 2.0.0--default 如果有多个ruby 版本,才使用这条语句。
ruby -v
gem install bundler # 安装bundler
0x05 snorby
# https://github.com/Snorby/snorbycd /opt/
git clone git://github.com/Snorby/snorby.git
cd snorby
# 修改文件Gemfile,把gem 'rake', '0.9.2' 改成 gem 'rake', '> 0.9.2'
sed -i 's/0.9.2/>0.9.2.2/g' Gemfile
#修改文件Gemfile.lock,把 rake (0.9.2) 改成 rake(0.9.2.2)
sed -i 's/\(0.9.2\)/0.9.2.2/g' Gemfile.lock
# 创建snorby_config.yml和database.yml两个文件
cp config/snorby_config.yml.example config/snorby_config.yml
cp config/database.yml.example config/database.yml
# 打开database.yml 把里面 mysql的账号密码修改成我们设置的账号密码(root/ youaresb!!!)
# 修改snorby_config.yml,把time_zone前面的注释去掉,并把UTC改为Asia/Shanghai
sed -i 's/Enter Password Here/ym2011@2011my'/g config/database.yml
# 进入snorby目录,执行如下命令开始安装:
sed -i '/dm-postgres-adapter/d' Gemfile
bundle install
rake snorby:setup
# 设置iptables
/etc/init.d/iptables stop #关闭防火墙,其他主机可以访问http://ip:3000
# iptables -I INPUT -p tcp --dport 3000 -mstate --state=NEW,ESTABLISHED,RELATED -j ACCEPT
# 启动服务:
rails server -e production &
# 在其他主机或者本地主机的浏览器,输入http://ip:3000
# 账号/密码:snorby@example.com/snorby
#######################################################################################
# 以上我们搭建完成了teamserver作为数据收集和展示。
#######################################################################################
0x06、Barnyard2的安装
cd /opt/wget https://codeload.github.com/firnsy/barnyard2/tar.gz/v2-1.13
tar xvfz barnyard2-2-1.13.tar.gz && cd barnyard2-2-1.13/
./autogen.sh
./configure --with-mysql-libraries=/usr/lib64/mysql/ --with-mysql=/usr/bin/mysql
make && make install
0x07 Suricata 的安装
#方式一:cd /opt/
wget http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz
tar -xvzf suricata-3.1.tar.gz && cd suricata-3.1
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
make && make install-full
#方式二:yum install suricata
0x08 配置Suricata、Barnyard 2
1 配置Barnyard 2#把Barnyard 2安装源文件中的etc/barnyard2.conf文件拷贝到Suricata的配置目录下
cd /opt/barnyard2-2-1.13
cp ./etc/barnyard2.conf /etc/suricata/
#创建barnyard2日志目录/var/log/barnyard2
mkdir /var/log/barnyard2
# 修改barnyard2.conf
# 把 默认的snort文件配置改成 suricata
sed -i 's/snort/suricata/g' /etc/suricata/barnyard2.conf
sed -i 's/gen-msg.map/\/rules\/gen-msg.map/g' /etc/suricata/barnyard2.conf
sed -i 's/sid-msg.map/\/rules\/sid-msg.map/g' /etc/suricata/barnyard2.conf
# 把数据信息添加到barnyard2.conf //已完成
sed -i '$a output database: log, mysql, user=root password=ym2011@2011my dbname=snorby host=localhost' /etc/suricata/barnyard2.conf
#找到“config hostname”和“config interface”,eth0是镜像端口所在的网卡,按照你的实际情况修改.(unfinished)
sed -i -e '/#config hostname: thor/\a/config hostname: ym/' /etc/suricata/barnyard2.conf
sed -i -e '/#config interface: eth0/\a/config interface: eth0/' /etc/suricata/barnyard2.conf
sed -i -e '/config waldo_file/a\config waldo_file: /var/log/suricata/suricata.waldo' /etc/suricata/barnyard2.conf
2 编辑suricata.yaml文件
touch /var/log/suricata/suricata.waldo
修改日志格式文件:
sed -i -e '/default-log-format/a\ default-log-format: "[%i] %t -(%f:%l) <%d> (%n) -- "' /etc/suricata/suricata.yaml
# 开启syslog 功能, 在/etc/suricata/suricata.yaml , 找到:
sed -i -e '\/var\/log\/suricata\/suricata.log/,/Step 4/s/no/yes/g' /etc/suricata/suricata.yaml
# 开启unified2 logging in the suricata yaml:
sed -i -e '/unified2-alert/,/unified2.alert/s/no/yes/g' /etc/suricata/suricata.yaml
找到#pid-file: /var/run/suricata.pid把前面的#号去掉
sed -i -e '/pid-file/a\pid-file: /var/run/suricata.pid' /etc/suricata/suricata.yaml
# 找到rule-files,把下面的emerging-icmp.rules 和emerging-virus.rules删除掉。(unfinished)
启用 threshold,找到#threshold-file: /etc/suricata/threshold.config
sed -i -e '/threshold-file/a\threshold-file: /etc/suricata/threshold.config' /etc/suricata/suricata.yaml
启动Suricata、Barnyard 2
sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo –D
LD_LIBRARY_PATH=/usr/local/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
# sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -D
# 启动suricata的-i参数是镜像流量的网卡
0x09 官方网站
官方网站:https://suricata-ids.org/
Step one:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
Step two:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide
Step three:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Snorby_and_Barnyard2_set_up_guide
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
完整的脚本下载:
https://github.com/ym2011/penetration/tree/master/scripts/Snorby
欢迎大家分享更好的思路,热切期待^^_^^ !