Installing Barnyard2 (Snort) on CentOS 7 – Continued
By Spawnzao on 18/08/2014
Continuing from the previous article (Installing Snort (NIDS) on CentOS 7), we now install Barnyard2. It tails the binary unified2 spool files that Snort writes, so Snort itself only has to write cheap binary records, and inserts each new record into a database; on CentOS 7 that can be MySQL or, as here, MariaDB.
Install the dependencies (the ./autogen.sh step below also needs autoconf, automake and libtool, and the clone needs git, if the previous article did not already install them):
yum install mariadb-devel mariadb-server
Create a scratch directory to build Barnyard2 in:
mkdir /usr/local/src/snort
cd /usr/local/src/snort
Fetch the Barnyard2 source with git:
git clone https://github.com/firnsy/barnyard2.git barnyard2
Enter the directory, build and install (make install needs root):
cd barnyard2/
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
make && make install
Now copy the files to their proper directories and fix their ownership. The SysV init script comes from the rpm/ directory of the source tree; systemd on CentOS 7 runs such scripts through its SysV generator, which is why chkconfig --add is followed by systemctl daemon-reload:
cp rpm/barnyard2 /etc/init.d/
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
cp /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
cp /usr/local/bin/barnyard2 /usr/bin/
chmod +x /etc/init.d/barnyard2
chkconfig --add barnyard2
systemctl daemon-reload
mkdir /var/log/snort/archive
chown snort:snort /var/log/snort -R
chown snort:snort /etc/snort -R
Now configure /etc/snort/barnyard.conf; only the parts that change are shown, the rest of the file stays at its defaults:
# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
# Example:
# For a snort process as follows:
# snort -i eth0 -c /etc/snort.conf
#
# Typical options would be:
# config hostname: thor
# config interface: eth0
# config alert_with_interface_name
#
config hostname: saturno
config interface: em2…
# alert_fast
# ----------------------------------------------------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
#
# Arguments: file, stdout
# arguments should be comma delimited.
# file - specify alert file
# stdout - no alert file, just print to screen
#
# Examples:
# output alert_fast
# output alert_fast: stdout
#
#output alert_fast: stdout…
# database: log to a variety of databases
# ----------------------------------------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
#
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
Now /etc/sysconfig/snort: comment out ALERTMODE so the Snort init script stops forcing plain-text fast alerts and Snort writes the binary unified2 spool that Barnyard2 reads (this assumes the output unified2 line in snort.conf uses the same filename as LOG_FILE below, alert.log):
#ALERTMODE=fast
Now configure /etc/sysconfig/barnyard2 (EXTRA_ARGS makes the daemon drop privileges to the snort user and group after it has opened its files):
# Config file for /etc/init.d/barnyard2
LOG_FILE="alert.log"
# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth1"
# Probably not this either
CONF=/etc/snort/barnyard.conf
EXTRA_ARGS="-u snort -g snort"
Edit /etc/init.d/barnyard2 so that the waldo file (Barnyard2's bookmark of how far into the spool it has read), the archive directory and the spool directory all sit directly under $SNORTDIR, which is where Snort writes:
ARCHIVEDIR="$SNORTDIR/archive"
WALDO_FILE="$SNORTDIR/barnyard2.waldo"
BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -l $SNORTDIR -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
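Before starting the daemon it is worth checking that the sysconfig variables, the init-script options and what Snort actually writes all agree, because the usual symptom of a mismatch is a Barnyard2 that starts cleanly and never inserts a row. The script below is an added example, not part of the original walkthrough or of the Barnyard2 project: it rebuilds the same BARNYARD_OPTS string from the sysconfig variables, confirms that alert.log.* unified2 files exist in the spool directory, that the archive directory exists, and that ALERTMODE is commented out in /etc/sysconfig/snort. The PID-file path it passes is a placeholder; the real one is set inside the init script.

```shell
#!/bin/bash
# Added example (not part of the original walkthrough or of Barnyard2): preflight
# check that the sysconfig variables, the init-script options and Snort's spool agree.
# All paths are parameters so the checks can also be run against a scratch tree.

set -u

fail() { echo "PROBLEM: $*" >&2; }

# Rebuild the option string the modified init script passes to barnyard2:
# one spool directory, with waldo file and archive directory directly under SNORTDIR.
# The pidfile path is whatever the init script sets; here it is a parameter.
build_opts() {
    local snortdir="$1" conf="$2" logfile="$3" pidfile="$4" extra="$5"
    local archivedir="$snortdir/archive"
    local waldo="$snortdir/barnyard2.waldo"
    printf '%s\n' "-D -c $conf -d $snortdir -w $waldo -l $snortdir -a $archivedir -f $logfile -X $pidfile $extra"
}

# True if the spool directory holds at least one file named <LOG_FILE>.<suffix>,
# which is how Snort names its unified2 spool files (the suffix is a timestamp).
has_spool_files() {
    local snortdir="$1" logfile="$2" f
    for f in "$snortdir/$logfile".*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# True if an uncommented ALERTMODE= line is still present in the Snort sysconfig,
# i.e. the Snort init script would force plain-text alerts instead of unified2.
alertmode_active() {
    local snort_sysconfig="$1"
    [ -f "$snort_sysconfig" ] && grep -Eq '^[[:space:]]*ALERTMODE=' "$snort_sysconfig"
}

# Run all checks; problems go to stderr, the problem count is printed on stdout.
preflight() {
    local snortdir="$1" conf="$2" logfile="$3" snort_sysconfig="$4" problems=0
    [ -f "$conf" ] || { fail "config file $conf is missing"; problems=$((problems + 1)); }
    [ -d "$snortdir" ] || { fail "spool directory $snortdir is missing"; problems=$((problems + 1)); }
    [ -d "$snortdir/archive" ] || { fail "archive directory $snortdir/archive is missing (mkdir it, owned by snort)"; problems=$((problems + 1)); }
    has_spool_files "$snortdir" "$logfile" || { fail "no $logfile.* unified2 files in $snortdir; check 'output unified2: filename $logfile' in snort.conf and that Snort is running"; problems=$((problems + 1)); }
    if alertmode_active "$snort_sysconfig"; then
        fail "ALERTMODE is still set in $snort_sysconfig; comment it out so Snort writes unified2"
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Usage on the IDS host: ./barnyard2_preflight.sh /etc/sysconfig/barnyard2
# (sources LOG_FILE, SNORTDIR, CONF and EXTRA_ARGS exactly as the init script does).
if [ -n "${1:-}" ]; then
    . "$1"
    echo "barnyard2 would start with: $(build_opts "$SNORTDIR" "$CONF" "$LOG_FILE" /var/run/barnyard2.pid "${EXTRA_ARGS:-}")"
    n="$(preflight "$SNORTDIR" "$CONF" "$LOG_FILE" /etc/sysconfig/snort)"
    if [ "$n" -eq 0 ]; then echo "preflight OK"; else echo "$n problem(s) found"; exit 1; fi
fi
```

Run it once after the sysconfig and init-script edits and again after Snort has seen some traffic; the "no alert.log.* files" finding is the one that most often points back at a snort.conf whose output unified2 filename does not match LOG_FILE.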
Start the MariaDB database (and enable the unit as well, so it comes back at boot before Barnyard2, which is already registered with chkconfig):
systemctl start mariadb.service
I won't go into securing the database here; I'm using it with no root password. At minimum, run mysql_secure_installation afterwards and keep MariaDB listening only on localhost, since nothing but Barnyard2 on this host needs it:
mysql -u root
MariaDB [(none)]> create database snort;
MariaDB [(none)]> create user 'snort'@'localhost' identified by 'snort';
MariaDB [(none)]> grant all on snort.* to 'snort'@'localhost' identified by 'snort';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
Create the Snort tables from the schema shipped with Barnyard2:
mysql -u root -D snort < /usr/local/src/snort/barnyard2/schemas/create_mysql
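The walkthrough uses snort as both username and password and grants ALL on the database, which is convenient for a first run but leaves a guessable credential in a config file and hands a log collector the right to drop its own tables. As an added example (not from the original post or from Barnyard2), here is a script that does the same provisioning with a generated password and only the privileges the database output plugin uses to read, insert and update rows, loads the schema, and writes the matching output database: line into barnyard.conf with a tighter file mode, since the file now holds a real credential. Database, user and host names are the ones from this article; the provision argument that triggers the live run is this script's own convention.

```shell
#!/bin/bash
# Added example (not from the original post or from Barnyard2): create the collector's
# database user with a generated password and only the privileges the database output
# plugin uses, then put the matching output line into barnyard.conf.
# Assumed names, taken from this article: database "snort", user "snort"@"localhost",
# config file /etc/snort/barnyard.conf. The "provision" argument is this script's convention.

set -eu

# 24 random bytes as 48 hex characters: safe to quote in SQL and in barnyard.conf.
gen_password() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 24
    else
        od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# SQL for a least-privilege collector account. The walkthrough's GRANT ALL also hands
# out DROP and ALTER, which a log collector never needs; reading, inserting and updating
# rows is all the database output plugin does with the schema. If barnyard2 reports a
# privilege error on start, add that one privilege rather than going back to ALL.
make_grant_sql() {
    local db="$1" user="$2" host="$3" pass="$4"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER '$user'@'$host' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# The barnyard.conf line that matches the account above.
make_output_line() {
    local db="$1" user="$2" host="$3" pass="$4"
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=%s\n' \
        "$user" "$pass" "$db" "$host"
}

# Replace any existing 'output database:' line in the config with ours and
# tighten the mode: the file now carries a real credential.
install_output_line() {
    local conf="$1" line="$2"
    if [ -f "$conf" ]; then
        grep -v '^output database:' "$conf" > "$conf.tmp" || true
    else
        : > "$conf.tmp"
    fi
    printf '%s\n' "$line" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
    chmod 640 "$conf"
}

# Usage, as root on the IDS host, once: ./provision_barnyard2_db.sh provision
if [ "${1:-}" = "provision" ]; then
    PASS="$(gen_password)"
    make_grant_sql snort snort localhost "$PASS" | mysql -u root
    mysql -u root -D snort < /usr/local/src/snort/barnyard2/schemas/create_mysql
    install_output_line /etc/snort/barnyard.conf "$(make_output_line snort snort localhost "$PASS")"
    chown root:snort /etc/snort/barnyard.conf   # root edits it, the snort group may read it
    echo "database user provisioned; the password lives only in /etc/snort/barnyard.conf"
fi
```

Because the init script starts barnyard2 as root and it only drops to snort:snort afterwards, root:snort with mode 640 is enough for it to read the config; the recursive chown snort:snort /etc/snort from earlier is what this replaces for that one file. CREATE USER fails if the account already exists, so drop the snort user from the manual session above before running this.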
Now start the Barnyard2 service and check /var/log/messages for its startup messages; the first thing it reports on a fresh database is the sensor record it creates for hostname saturno and the interface set above:
service barnyard2 start
Until next time.