I have installed snort with the following configuration

#/etc/snort/snort.conf
ipvar HOME_NET 172.16.0.0/22
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

output log_unified2: filename snort.u2, limit 128

I have an icmp rule set up as follows

#/etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

I start snort with the following; it starts fine and is logging, since I see entries in alerts and in snort.u2.timestamp

snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens32 -D

My barnyard2 configuration file

#/etc/snort/barnyard2.conf 
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config logdir: /var/log/snort
config hostname:   snort
config interface:  ens32
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=root password=support dbname=snorby host=127.0.0.1
# if you want to have to forward alerts also to syslog, uncomment the following 2 lines.
#output alert_syslog_full: sensor_name snortIds1-eth1, local
#output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT

I start it with the following command

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

In the logs I get the following, and nothing is written to mysql.

Sep  1 17:15:22 snort snort[4374]: 
Sep  1 17:15:22 snort snort[4374]: [ Port Based Pattern Matching Memory ]
Sep  1 17:15:22 snort snort[4374]: +- [ Aho-Corasick Summary ] -------------------------------------
Sep  1 17:15:22 snort snort[4374]: | Storage Format    : Full-Q
Sep  1 17:15:22 snort snort[4374]: | Finite Automaton  : DFA
Sep  1 17:15:22 snort snort[4374]: | Alphabet Size     : 256 Chars
Sep  1 17:15:22 snort snort[4374]: | Sizeof State      : Variable (1,2,4 bytes)
Sep  1 17:15:22 snort snort[4374]: | Instances         : 169
Sep  1 17:15:22 snort snort[4374]: |     1 byte states : 159
Sep  1 17:15:22 snort snort[4374]: |     2 byte states : 10
Sep  1 17:15:22 snort snort[4374]: |     4 byte states : 0
Sep  1 17:15:22 snort snort[4374]: | Characters        : 94550
Sep  1 17:15:22 snort snort[4374]: | States            : 72655
Sep  1 17:15:22 snort snort[4374]: | Transitions       : 7856776
Sep  1 17:15:22 snort snort[4374]: | State Density     : 42.2%
Sep  1 17:15:22 snort snort[4374]: | Patterns          : 5205
Sep  1 17:15:22 snort snort[4374]: | Match States      : 5820
Sep  1 17:15:22 snort snort[4374]: | Memory (MB)       : 37.50
Sep  1 17:15:22 snort snort[4374]: |   Patterns        : 0.58
Sep  1 17:15:22 snort snort[4374]: |   Match Lists     : 1.27
Sep  1 17:15:22 snort snort[4374]: |   DFA
Sep  1 17:15:22 snort snort[4374]: |     1 byte states : 0.97
Sep  1 17:15:22 snort snort[4374]: |     2 byte states : 34.39
Sep  1 17:15:22 snort snort[4374]: |     4 byte states : 0.00
Sep  1 17:15:22 snort snort[4374]: +----------------------------------------------------------------
Sep  1 17:15:22 snort snort[4374]: [ Number of patterns truncated to 20 bytes: 319 ]
Sep  1 17:15:22 snort snort[4374]: pcap DAQ configured to passive.
Sep  1 17:15:22 snort snort[4374]: Acquiring network traffic from "ens32".
Sep  1 17:15:22 snort snort[4374]: Initializing daemon mode
Sep  1 17:15:22 snort snort[4375]: Daemon initialized, signaled parent pid: 4374
Sep  1 17:15:22 snort snort[4375]: Reload thread starting...
Sep  1 17:15:22 snort snort[4375]: Reload thread started, thread 0x7f1b35e85700 (4376)
Sep  1 17:15:22 snort snort[4375]: Decoding Ethernet
Sep  1 17:15:22 snort snort[4375]: Checking PID path...
Sep  1 17:15:22 snort snort[4375]: PID path stat checked out ok, PID path set to /var/run/
Sep  1 17:15:22 snort snort[4375]: Writing PID "4375" to file "/var/run//snort_ens32.pid"
Sep  1 17:15:22 snort kernel: device ens32 entered promiscuous mode
Sep  1 17:15:22 snort snort[4375]: Set gid to 40000
Sep  1 17:15:22 snort snort[4375]: Set uid to 40000
Sep  1 17:15:22 snort snort[4375]: 
Sep  1 17:15:22 snort snort[4375]: --== Initialization Complete ==--
Sep  1 17:15:22 snort snort[4375]: Commencing packet processing (pid=4375)
Sep  1 17:15:39 snort barnyard2: +[ Signature Suppress list ]+
----------------------------
Sep  1 17:15:39 snort barnyard2: +[No entry in Signature Suppress List]+
Sep  1 17:15:39 snort barnyard2: ----------------------------
+[ Signature Suppress list ]+
Sep  1 17:15:47 snort barnyard2: Barnyard2 spooler: Event cache size set to [2048]
Sep  1 17:15:47 snort barnyard2: Log directory = /var/log/snort
Sep  1 17:15:47 snort barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Sep  1 17:15:47 snort barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
Sep  1 17:15:47 snort barnyard2: Initializing daemon mode
Sep  1 17:15:47 snort barnyard2: Daemon initialized, signaled parent pid: 4378
Sep  1 17:15:47 snort barnyard2: PID path stat checked out ok, PID path set to /var/run/
Sep  1 17:15:47 snort barnyard2: Writing PID "4379" to file "/var/run//barnyard2_ens32.pid"
Sep  1 17:15:47 snort barnyard2: Daemon parent exiting
Sep  1 17:16:14 snort avahi-daemon[579]: Invalid response packet from host 172.16.0.211.
Sep  1 17:17:15 snort barnyard2: [SignatureReferencePullDataStore()]: No Reference found in database ...
Sep  1 17:17:15 snort barnyard2: database: compiled support for (mysql)
Sep  1 17:17:15 snort barnyard2: database: configured to use mysql
Sep  1 17:17:15 snort barnyard2: database: schema version = 107
Sep  1 17:17:15 snort barnyard2: database:           host = 127.0.0.1
Sep  1 17:17:15 snort barnyard2: database:           user = root
Sep  1 17:17:15 snort barnyard2: database:  database name = snorby
Sep  1 17:17:15 snort barnyard2: database:    sensor name = snort:ens32
Sep  1 17:17:15 snort barnyard2: database:      sensor id = 1
Sep  1 17:17:15 snort barnyard2: database:     sensor cid = 12
Sep  1 17:17:15 snort barnyard2: database:  data encoding = hex
Sep  1 17:17:15 snort barnyard2: database:   detail level = full
Sep  1 17:17:15 snort barnyard2: database:     ignore_bpf = no
Sep  1 17:17:15 snort barnyard2: database: using the "log" facility
Sep  1 17:17:15 snort barnyard2: 
Sep  1 17:17:15 snort barnyard2: --== Initialization Complete ==--
Sep  1 17:17:15 snort barnyard2: Barnyard2 initialization completed successfully (pid=4379)
Sep  1 17:17:15 snort barnyard2: Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1409587851
    record_idx      = 475
Sep  1 17:17:15 snort barnyard2: Opened spool file '/var/log/snort/snort.u2.1409587851'
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: Closing spool file '/var/log/snort/snort.u2.1409587851'. Read 484 records
Sep  1 17:17:15 snort barnyard2: Opened spool file '/var/log/snort/snort.u2.1409588122'
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
1 Answer

For barnyard2 to work, the Unified2 output file created by snort must contain both alert and PCAP data.

So, in /etc/snort/snort.conf (or wherever your snort configuration lives), you need to specify output unified2: <filename> (I suggest not using "snort.log" as the filename).

Look at the barnyard2 global variables file /etc/default/barnyard2 (or /etc/sysconfig/barnyard2), comment out the BINARY_LOG setting, and make sure the log file name matches the one in your snort.conf.

Restart snort, then restart barnyard2, and see whether you are up and running.

Edit:
For whatever reason, the BINARY_LOG setting trumps the other settings and will cause snort to produce only pcap log files. (Try running file /var/log/snort/snort.log.*; you will probably see that those files are plain pcaps (packet captures), meaning they contain no Snort alert/event information.)

Barnyard2 only works with log files that contain both event and pcap information. Unless there is some setting I have overlooked. Go figure. If you run file on a valid barnyard2 Unified2 file, the result should just be "data" or something of that nature.

I hope this helps. I lost a lot of time and hair over this.

Answered 2014-09-12T19:39:32.727
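The `file` check in the answer is coarse; as an added example (not part of the question or the answer), the Python script below inspects a Snort spool file the way barnyard2 frames it: it recognises a plain libpcap header, walks the unified2 (type, length) records, and counts packet records whose event_id was never announced by an event record, which is the condition behind the "Called with Event[0x0] ... (P)acket" warnings in the question's log. Record type values are from Snort's Unified2_common.h; the sample spools are constructed inline, and the function names are my own.

```python
import struct
from collections import Counter

# Unified2 record type values (Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
EVENT_TYPES = {7, 72, 104, 105}  # IDS_EVENT, IDS_EVENT_IPV6, IDS_EVENT_V2, IDS_EVENT_IPV6_V2
# libpcap file magic, both byte orders, microsecond and nanosecond variants
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}


def classify_spool(data: bytes) -> dict:
    """Classify a Snort output file as barnyard2 would see it: 'pcap' or 'unified2',
    record counts by type, and the number of packet records whose event_id was never
    announced by an event record (the cause of 'Called with Event[0x0]' warnings)."""
    if data[:4] in PCAP_MAGICS:
        return {"format": "pcap", "counts": {}, "orphan_packets": 0}
    counts, known_events, orphans, off = Counter(), set(), 0, 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])  # big-endian (type, length)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break  # truncated tail: the spooler would wait for more data
        counts[rtype] += 1
        if len(body) >= 8:
            # both the IDS event and packet structs begin with sensor_id, event_id
            event_id = struct.unpack(">I", body[4:8])[0]
            if rtype in EVENT_TYPES:
                known_events.add(event_id)
            elif rtype == UNIFIED2_PACKET and event_id not in known_events:
                orphans += 1
        off += 8 + rlen
    return {"format": "unified2", "counts": dict(counts), "orphan_packets": orphans}


def _record(rtype: int, event_id: int, body_len: int) -> bytes:
    """Build a constructed unified2 record: header plus zero-padded body (sensor_id=1)."""
    body = struct.pack(">II", 1, event_id).ljust(body_len, b"\x00")
    return struct.pack(">II", rtype, len(body)) + body


# Constructed sample spools (not real captures): a healthy event+packet pair, a
# packets-only file like the one in the question, and a bare libpcap header.
GOOD_SPOOL = _record(7, 7, 52) + _record(UNIFIED2_PACKET, 7, 28 + 60)
PACKETS_ONLY_SPOOL = _record(UNIFIED2_PACKET, 7, 28 + 60) + _record(UNIFIED2_PACKET, 8, 28 + 60)
PCAP_FILE = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_SPOOL), ("packets-only", PACKETS_ONLY_SPOOL), ("pcap", PCAP_FILE)):
        print(name, classify_spool(blob))
```

Run it against a real spool with `classify_spool(open(path, "rb").read())`; a non-zero orphan_packets count or a "pcap" verdict means barnyard2 has nothing it can insert into the database.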