Installing snort on Zentyal 4 (Ubuntu)

14.11.2014 16:21:18



sudo apt-get install aptitude
sudo aptitude update
sudo aptitude upgrade
Install snort:
sudo aptitude install snort libdumbnet1 libdaq2 snort-common snort-rules-default snort-common-libraries
dpkg-reconfigure snort


In the unified2 section of /etc/snort/snort.conf, add a line with the following content:
output unified2: filename snort.log, limit 128


Start it:
service snort start

Check:

#sudo snort -u snort -g snort -c /etc/snort/snort.conf -i eth0

snort -c /etc/snort/snort.conf -T


ps -A | grep snort

To update the snort rules, go to https://www.snort.org/snort-rules/

Installing barnyard2:

cd /usr/local/src/

git clone git://github.com/firnsy/barnyard2.git

apt-get install libtool dh-autoreconf 

cd /usr/local/src/barnyard2/

./autogen.sh

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/

make

make install


sudo mkdir /var/log/barnyard2

cd /usr/local/src/barnyard2

cp ./rpm/barnyard2.config /etc/default/barnyard2

nano /etc/default/barnyard2 (set the parameter LOG_FILE="snort.log")

cp ./rpm/barnyard2 /etc/init.d/barnyard2 (then edit it so that SYSCONFIG="/etc/default/barnyard2")

chmod +x /etc/init.d/barnyard2

update-rc.d barnyard2 defaults 98 

Modify the barnyard2.conf file to output to the snorby database:

nano /usr/local/etc/barnyard2.conf

Modify or add the output database:

output database: log, mysql, user=snorby password=snorby dbname=snorby host=localhost


Start:

barnyard2 -c /etc/snort/barnyard.conf -d /var/log/snort/ -w /var/log/snort/bylog.waldo -f snort.log -u snort -g snort -D

Check:
ps -A | grep barnyard2
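Added example (Python, not code from the original article or from the Snort/barnyard2 projects): a minimal reader for the unified2 spool file that the "output unified2: filename snort.log, limit 128" line above makes Snort write and that barnyard2 consumes via -f snort.log, remembering its position in the -w waldo file. It decodes only the legacy IPv4 IDS event record (type 7) using the field layout from Snort's Unified2_common.h, skips other record types, and returns the byte offset reached so that a partial record at the tail is not lost; the spool bytes are constructed inline.

```python
import struct
from ipaddress import IPv4Address

# Record types from Snort's Unified2_common.h; IPv6 (72), VLAN (104) and
# extra-data (110) records are skipped by this reader.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
HEADER = struct.Struct("!II")          # record type, record length (big-endian)
IDS_EVENT = struct.Struct("!11I2H4B")  # legacy IPv4 Unified2IDSEvent, 52 bytes


def parse_ids_event(payload):
    """Decode a type-7 payload into the fields an analyst looks at first."""
    f = IDS_EVENT.unpack(payload[:IDS_EVENT.size])
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "sig": (f[5], f[4], f[6]),          # gid:sid:rev as printed in alerts
            "classification_id": f[7], "priority": f[8],
            "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
            "sport": f[11], "dport": f[12], "protocol": f[13]}


def read_unified2(data, offset=0):
    """Walk records from offset; return (events, offset_reached)."""
    events = []
    while offset + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, offset)
        end = offset + HEADER.size + rlen
        if end > len(data):
            break       # partial record: keep offset (the waldo idea) and retry later
        if rtype == UNIFIED2_IDS_EVENT and rlen >= IDS_EVENT.size:
            events.append(parse_ids_event(data[offset + HEADER.size:end]))
        offset = end
    return events, offset


# Constructed sample spool (not real sensor data): one IPv4 event for
# gid 1, sid 2000001, rev 3, then a 4-byte packet record, then a header
# without its body, as a file looks while Snort is still appending.
SAMPLE_EVENT = IDS_EVENT.pack(1, 42, 1415974878, 0, 2000001, 1, 3, 0, 2,
                              int(IPv4Address("192.0.2.10")),
                              int(IPv4Address("198.51.100.5")),
                              51234, 80, 6, 0, 0, 0)
SAMPLE_SPOOL = (HEADER.pack(UNIFIED2_IDS_EVENT, len(SAMPLE_EVENT)) + SAMPLE_EVENT
                + HEADER.pack(UNIFIED2_PACKET, 4) + b"\x00" * 4
                + HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size))

if __name__ == "__main__":
    events, pos = read_unified2(SAMPLE_SPOOL)
    for e in events:
        gid, sid, rev = e["sig"]
        print("[%d:%d:%d] %s:%d -> %s:%d" % (gid, sid, rev, e["src"], e["sport"], e["dst"], e["dport"]))
    print("resume offset:", pos)
```

Point read_unified2 at the bytes of /var/log/snort/snort.log.<timestamp> and store the returned offset between runs to get the same resume behaviour barnyard2 gets from its waldo file.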

Installing snorby on Zentyal 4 (Ubuntu, Debian)

Possible errors:
ERROR: unable to find mysqlclient library (libmysqlclient.*)
./configure --with-mysql-libraries=/usr/lib64/mysql/

ERROR: Unable to open directory '' (No such file or directory)

ERROR: Unable to find the next spool file!
Ensure that the waldo file is specified (by the -w option included as a command line argument or in the config file)

WARNING: Can't extract timestamp extension from 'alert' using base ''
Ensure that the unified2 file is specified (by the -f option included as a command line argument or in the config file)

FATAL ERROR: Absdir is not a subset of the logdir
Ensure that the logdir is configured in the Barnyard configuration file

FATAL ERROR: database: mysql_error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
Ensure that the MySQL service/daemon is running