Snort



Snort


Set time
Screensaver
Add them 1 card mang (1 card la host only de test rule, 1 card de download cac goi cai dat)
=================Snort===================
# Cai dat cac goi can thiet
yum install -y wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man
# Tao thu muc tmp (thu muc download va cai dat)
mkdir tmp && cd tmp
# Download va cai dat libdnet (ko nen copy tat ca roi paste, download se kho, nen down tung cai 1)
wget http://pkgs.repoforge.org/libdnet/libdnet-1.11-1.1.el3.rf.x86_64.rpm
wget http://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm
# Cai dat DAQ va Snort
yum install -y https://www.snort.org/downloads/snort/daq-2.0.2-1.centos6.x86_64.rpm
yum install -y https://www.snort.org/downloads/snort/snort-2.9.6.2-1.centos6.x86_64.rpm
# Download va giai nen Community Rules
wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -xvf community-rules.tar.gz -C /etc/snort/rules
# Download va giai nen snortrule (download cham thi co the download truc tiep tren snort.org va copy vao may ao de cai dat)
wget https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=13cc5a9081d2e31a4e1ab1224b3985aeaeffc0d9 (thay bang oinkcode cua ban, lay tren snort.org; oinkcode la ma ca nhan gan voi tai khoan, khong nen dua vao tai lieu chia se)
tar -xvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules (neu download bang wget thi khi giai nen chu y ten file)
mv /etc/snort/rules/rules/* /etc/snort/rules/
rmdir /etc/snort/rules/rules
# Thay doi user so huu thu muc
cd /etc/snort
chown -R snort:snort *
# Chinh sua file snort.conf
cd /etc/snort
vi snort.conf
---------------------
45: ipvar HOME_NET any #or set to a network such as 172.21.0.0/16
48: ipvar EXTERNAL_NET !$HOME_NET
104: var RULE_PATH /etc/snort/rules
105: var SO_RULE_PATH /etc/snort/rules/so_rules
106: var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
109: var WHITE_LIST_PATH /etc/snort/rules
110: var BLACK_LIST_PATH 
/etc/snort/rules
506: whitelist $WHITE_LIST_PATH/whitelist.rules, \
507: blacklist $BLACK_LIST_PATH/blacklist.rules
516: output unified2: filename snort.log, limit 128
---------------------
# Tao them cac file bi thieu
mkdir /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/whitelist.rules
# Cau lenh can thiet
/sbin/ldconfig
updatedb
# Test snort
snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
# Neu ko cau hinh buoc nay thi barnyard se ko xuat log vao database
vi /etc/sysconfig/snort
-----------
:69 #ALERTMODE
:81 #BINARY_LOG
-----------
=============PulledPork========================
# Cai dat cac goi can thiet
cd /home/hoanggiang/tmp
yum -y install perl-libwww-perl perl-Crypt-SSLeay perl-Archive-Tar
# Download va giai nen PulledPork
wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
tar -zxf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
cp pulledpork.pl /usr/sbin ; chmod 755 /usr/sbin/pulledpork.pl
cp etc/* /etc/snort/
# Chinh sua file cau hinh PulledPork
vi /etc/snort/pulledpork.conf
-----------------------------------------
(lay oinkcode tren snort.org va thay vao 2 cho o dong 19 va 26)
72: rule_path=/etc/snort/rules/snort.rules
79: out_path=/etc/snort/rules/
87: local_rules=/etc/snort/rules/local.rules
90: sid_msg=/etc/snort/sid-msg.map
113: snort_path=/usr/sbin/snort
117: config_path=/etc/snort/snort.conf
131: distro=Centos-5-4
139: black_list=/etc/snort/rules/blacklist.rules
148: #IPRVersion=/usr/local/etc/snort/rules/iplists
151: snort_control=/usr/bin/snort_control
194: enablesid=/etc/snort/enablesid.conf
195: dropsid=/etc/snort/dropsid.conf
196: disablesid=/etc/snort/disablesid.conf
197: modifysid=/etc/snort/modifysid.conf
-----------------------------------------
# Test PulledPork
pulledpork.pl -vv -c /etc/snort/pulledpork.conf -T -l
# Cai dat thoi gian cap nhat
vi /etc/crontab
----------------------
0 0 * * * root /usr/sbin/pulledpork.pl -c /etc/snort/pulledpork.conf
----------------------
================Barnyard2===========================
# Download, giai nen va cai dat 
Barnyard
cd /home/hoanggiang/tmp
mkdir /var/log/barnyard2
mkdir /usr/local/src/firnsy-barnyard2 && cd /usr/local/src/firnsy-barnyard2
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz
tar -zxvf v2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./m4
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
make
make install
vi /usr/local/etc/barnyard2.conf
-------------------------------------------
30 config sid_file: /etc/snort/sid-msg.map
54 config logdir: /var/log/snort
70 config hostname: Snort
71 config interface: eth0
85 config daemon
141 config waldo_file: /etc/snort/barnyard2-log.waldo
175 input unified2
output alert_full
316 output log_tcpdump: tcpdump.log
348 output database:log, mysql, user=snort password=snort dbname=snort host=localhost
-------------------------------------------
cp /usr/local/etc/barnyard2.conf /etc/snort/barnyard2.conf
# Cau hinh de barnyard khoi dong nhu 1 dich vu
cd /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
chkconfig barnyard2 on
vi /etc/init.d/barnyard2
-----------------------------
16: PATH=/usr/local/bin:${PATH}
38: ARCHIVEDIR="$SNORTDIR/archive"
39: WALDO_FILE="$SNORTDIR/barnyard2-log.waldo"
40: BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/ -w $WALDO_FILE -l $SNORTDIR -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
41: echo $prog $BARNYARD_OPTS
-----------------------------
vi /etc/sysconfig/barnyard2
----------------------------
LOG_FILE="snort.log"
SNORTDIR="/var/log/snort"
INTERFACES="eth0"
CONF=/etc/snort/barnyard2.conf
EXTRA_ARGS=""
----------------------------
# Cai dat co so du lieu
service mysqld start
/usr/bin/mysql_secure_installation
mysql -u root -p
create database snort;
grant all on snort.* to snort@localhost;
set password for snort@localhost=password('snort'); (mat khau 'snort' chi la vi du; nen dat mat khau manh va cap nhat tuong ung o dong 348 cua barnyard2.conf)
use snort;
source /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13/schemas/create_mysql
show tables;
flush 
privileges;exitchkconfig --add mysqldchkconfig mysqld ontouch /etc/snort/barnyard2-log.waldo# Viet 1 rule don gian de kiem tra kha nang hoat dong cua snort va barnyard, mysqlalert icmp any any -> any any (msg:"Co nguoi dang ping"; sid: 1000001; rev: 1;)# Download va giai nen oinkmaster. chay cau lenh sau (update sidmap cua cac rule moi tao, neu ko barnyard se ko hien thi duoc msg)./create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map # khoi dong barnyardservice barnyard2 startbarnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/barnyard2-log.waldo -D (chay o che do nay ta co the debug loi va thay doi duoc 1 so tuy chon, chu y o lan dau chay debug, ta phai co lenh -w /etc/snort/barnyard2-log.waldo)# Khoi dong snort (o buoc nay ta se gap loi blacklist.rules chua biet nguyen nhan vi sao, ta phai tao 1 file blacklist.rules khac)mv /etc/snort/rules/blacklist.rules /etc/snort/rules/black_list.rulestouch /etc/snort/rules/blacklist.rulesservice snortd start# Kiem tra xem barnyard co xuat du lieu vao database ko. 
count khac 0mysql -u root -puse snort;select count(*) from event;==========================Snorby=================# Cai dat cac goi can thietyum -y groupinstall "Development Tools"yum install -y openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts libX11-devel libXext-devel qconf fontconfig-devel libXrender-devel unzip# Cai dat ImageMagickcd /home/hoanggiang/tmpwget ftp://ftp.fifi.org/pub/ImageMagick/ImageMagick-6.8.9-8.tar.gztar -xvf ImageMagick-6.8.9-8.tar.gzcd ImageMagick-6.8.9-8./configuremakemake installldconfig /usr/local/lib# Cai dat cac goi can thietyum -y install xz urw-fonts libXext openssl-devel libXrender# Cai dat wkhtmltoxcd /home/hoanggiang/tmpwget http://sourceforge.net/projects/wkhtmltopdf/files/0.12.1/wkhtmltox-0.12.1_linux-centos6-amd64.rpmrpm -Uvh wkhtmltox-0.12.1_linux-centos6-amd64.rpm# Test wkhtmltoxwkhtmltopdf http://www.google.com google.pdf# Cai dat cac goi can thietyum -y install libxslt-devel libxml2-devel gdbm-devel libffi-devel zlib-devel openssl-devel libyaml-devel readline-devel curl-devel openssl-devel pcre-devel git memcached-devel valgrind-devel mysql-devel ImageMagick-develwget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpmwget http://rpms.famillecollet.com/enterprise/remi-release-6.rpmrpm -Uvh remi-release-6*.rpm epel-release-6*.rpmcurl -L get.rvm.io | bash -s stablesource /etc/profile.d/rvm.shrvm install 1.9.3 (Phien ban nay ko con duoc duy tri, xem cac phien ban duoc duy tri tai http://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering)rvm use 1.9.3 --defaultrvm rubygems currentgem install rails yum -y install httpdservice httpd startchkconfig --add httpdchkconfig httpd ongem install passenger yum install curl-devel httpd-develpassenger-install-apache2-module gem install bundlercd /var/www/htmlmkdir snorbycd snorbywget -O snorby.zip --no-check-certificate https://github.com/Snorby/snorby/archive/master.zipunzip snorby.zipmv snorby-master/* 
/var/www/html/snorbymysql -u root -pcreate database snorby;create user 'snorby'@'localhost' identified by 'snorby';grant all on snorby.* to snorby@localhost;flush privileges;exitcp config/database.yml.example config/database.ymlvi config/database.yml-------------------:8 username: snorby:9 password: "snorby"-------------------vi Gemfile----------------------:8 gem 'rake', '> 0.9.2':16 gem 'thin':88 # gem 'thin'----------------------vi Gemfile.lock-------------------265: rake (0.9.2.2)-------------------cp config/snorby_config.yml.example config/snorby_config.ymlyum -y install java-1.6.0-openjdk-devel java-1.6.0-openjdkyum -y install httpd-devel apr-devel apr-util-develbundle installgem update --systemRAILS_ENV=production bundle exec rake snorby:setup#Testrails server thin -e productionUsing a web browser, browse to the URL of your server using port 3000 http://ip-address:3000#Auto Start Snorbyvi /etc/sysconfig/selinux-------------SELINUX=disabled-------------rebootCopy the following to httpd.conf:vi /etc/httpd/conf/httpd.conf----------------------------------:202 LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.3-p547/gems/passenger-4.0.50/buildout/apache2/mod_passenger.so PassengerRoot /usr/local/rvm/gems/ruby-1.9.3-p547/gems/passenger-4.0.50 PassengerDefaultRuby /usr/local/rvm/gems/ruby-1.9.3-p547/wrappers/ruby ----------------------------------#Add the VirtualHost for Snorby in httpd.conf:--------------------------------- Servername SnortIPS DocumentRoot /var/www/html/snorby/public AllowOverride all Order allow,deny Allow from all Options -MultiViews ----------------------------------# Change the ownership of the Snorby directory in /var/www/html:chown -R apache:apache /var/www/html/snorby# Modify the barnyard2.conf file to output to the snorby database:vi /etc/snort/barnyard2.confModify or add the output database:output database: log, mysql, user=snorby password=snorby dbname=snorby host=localhost# Modify IPTABLESAdd a rule to allow port 80 through 
IPTABLES:
iptables -I INPUT -p tcp --dport 80 -m state --state=NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/service iptables save
===========1 vai luu y khi su dung snorby============
- De lay duoc database ta phai vao Administrator->Worker & Job Queue->Start worker. Tro lai dashboard ta thay do thi da xuat hien
- De hien thi thoi gian dung tren do thi ta vao Settings->Time zone->Current Password->Update Settings
- De hien thi Severity con tuy thuoc vao rule. Ta phai xac dinh muc do nguy hiem bang cach them cac option classtype hoac priority
- Doi khi ta phai xoa cac file trong /var/log/snort de tranh truong hop barnyard log lai tat ca cac file log lam mat thoi gian va khi nay ta dung lenh "rm -rf *" dong nghia voi viec file barnyard2-log.waldo bi mat. Ta chi viec khoi dong lai barnyard va doi mot luc la file waldo nay se xuat hien tro lai.
- Neu ta ping nhieu qua. Database co the se full va ko the log len snorby duoc (cai nay ko chac chan lam vi chua test ky). Khi nay ta co the khac phuc bang cach xoa du lieu trong bang event cua database snorby di bang cau lenh "delete from event;" (nho la phai vao db snorby)
===============Add NIC=================
Add Network Adapter cho VM
touch ifcfg-eth1
#them cac thong so co ban
DEVICE=eth1
HWADDR=00:0C:29:B3:55:44 (MAC phai trung voi MAC cua eth1 khi go lenh ifconfig -a)
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
===============Chuyen sang che do Inline=================
#eth0 va eth1
BOOTPROTO=none
BRIDGE=br0
touch ifcfg-br0
# them cac thong so co ban
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
service network restart (neu br0 ok thi coi nhu cau hinh dung)
reboot
# Chay snort trong che do inline
snort -c /etc/snort/snort.conf -i eth0:eth1 -Q --daq afpacket --daq-mode inline --daq-var buffer_size_mb=256 (chu y dau "-" khi copy)
# Thuc te khi chay dong lenh tren snort se tu dong chay trong che do inline. do do ta ko can phai bridge 2 cong eth0 va eth1
# Trong che do inline snort su dung daq de xu li goi tin ma ko can den iptables. 
tuy nhien de chan 1 ip thi ta co the su dung snortsam de thong bao iptables chan ip==============SnortSam====================================#Tai libtool http://ftpmirror.gnu.org/libtool/libtool -2.4.2.tar.gz tar xzvf libtool-2.4.2.tar.gzcd libtool-2.4.2./configure --prefix=/usrmake && make install#Tai snortsam http://www.snortsam.net/files/snortsam/snortsam-src-2.70.tar.gz tar xzvf snortsam-src-2.70.tar.gzcd snortsamchmod +x makesnortsam.s h./makesnortsam.sh#Vao link http://www.snortsam.net/files/snort-plugin/snortsam-2.9.5.3-1.diff.gz#Copy doan code#tao 1 file moi dat ten la snortsam-2.9.5.3-1.diff#paste doan code vua copy vao#Luu lai#Vao thu muc giai nen snortcd /home/hoanggiang/tmp/snort-2.9.6.1patch -p1 < /snortsam-2.9.5.3-1.diffsh ./autojunk.sh./configure --enable-sourcefiremake && make install#Copy tap tin nhi phan cua snortsam vao /usr/local/bincp snortsam/snortsam /usr/local/bin# Cau hinh snortsamcp snortsam/conf/snortsam.conf.example /etc/snortsam.confvi /etc/snortsam.conf---------------accept /, (ket noi voi snort)fwsam (ket noi voi fw checkpoint)iptables (ket noi voi iptables tren chinh host cai snortsam)cisconullroute (ket noi voi router cisco)---------------# Cau hinh lai snort---------------------output alert_fwsam: {SnortSam Station}:{port}/{password}---------------------# Them vao cuoi moi rule "fwsam: who, times;"==============Tan cong Dos va rule phat hien===============# Tao tool tan cong- Cai dat may ao backtrack- vao trang http://ha.ckers.org/slowloris/slowloris.pl copy toan bo va paste vao 1 file dat ten la slowloris.pl- Tan cong bang lenh "./slowloris -dns [IP]"- Rule phat hien tan cong"alert tcp any any -> any any (msg:"DOS by Slowloris Tool"; content:"GET /"; depth:10; content:"User-Agent\: Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 5.1\; Trident/4.0"; offset:10; depth:100; sid:1000003; rev:2;)"==============Mot so lenh thao tac voi csdl mysql can dung================select * from (Hien thi bang)update set where (Thay doi gia tri 
trong bang)
==============Routing through linux====================
#Dat dia chi 2 card mang
#Bat tinh nang dinh tuyen
vi /etc/sysctl.conf
----------
net.ipv4.ip_forward = 1
----------
echo "1">/proc/sys/net/ipv4/ip_forward
#Mo ta thong tin dinh tuyen
route add -net -n [network/netmask] dev eth0
route add -net -n [network/netmask] dev eth1
#2 lenh tren mo ta rang: muon den mang nay thi phai ra cong nay
#Kiem tra dinh tuyen bang lenh route hoac netstat -rn
# Sua iptables
# them dong sau
-A OUTPUT -p icmp -j ACCEPT