- WinIDS - Windows XP / 2003 / 7 / 2008 / 2012 - Apache2 - PostgreSQL
- WinIDS - Windows XP / 2003 / 7 / 2008 / 2012 - Apache2 - MySQL
- WinIDS - Windows XP / 2003 / 7 / 2008 / 2012 - Slave - PostgreSQL
- WinIDS - Windows XP / 2003 / 7 / 2008 / 2012 - Slave - MySQL
- WinIDS - Windows XP / 2003 - IIS 5.5 - PostgreSQL
- WinIDS - Windows XP / 2003 - IIS 5.5 - MySQL
- WinIDS - Windows 7 / 2008 / 2012 - IIS 7.5 / 8 - PostgreSQL
- WinIDS - Windows 7 / 2008 / 2012 - IIS 7.5 / 8 - MySQL
測試環境的部份就 Windows Server 2008 SP2 或 R2 版本皆可,MS SQL Server 2008 SP3 或 R2 版本皆可。
snort 版本是用 Snort_2_9_2_3_Installer.exe;2.9.3 以上的版本都已改為使用 Barnyard2,2.9.2.3 版本是直接輸出到資料庫,要搭配 winpcap 4.1.3。安裝上跟 Server 2003 的差不多,只有 snort.conf 的設定值需調整。
測試環境用好,安裝snort,安裝選單選支援mssql與支援IPv6
下一步,下一步,結束
最後會提示你要安裝winpcap
記得要裝。
使用 cmd c:\snort\bin\snort -W //測試winpcap
主目錄我用預設值C:\snort
snort.conf設定檔在C:\snort\etc\snort.conf
編輯snort.conf
Original Line(s): ipvar HOME_NET any
Change to: ipvar HOME_NET 192.168.0.0/24 //改成你實際要監控的內部網段,不要留 any
Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH c:\snort\rules //規則放置目錄
Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules
Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: var PREPROC_RULE_PATH c:\snort\preproc_rules //規則放置目錄
//這裡要先在 c:\snort\rules 新建兩個空的規則檔,分別是 WHITE_LIST.rules 和 BLACK_LIST.rules(見下方說明)
Original Line(s): var WHITE_LIST_PATH ../rules
Change to: var WHITE_LIST_PATH c:\snort\rules
Original Line(s): var BLACK_LIST_PATH ../rules
Change to: var BLACK_LIST_PATH c:\snort\rules
Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
//加上#符號,就是不要執行這行碼
Original Line(s): dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: # dynamicdetection directory /usr/local/lib/snort_dynamicrules
Original Line(s):
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
Change to:
# preprocessor normalize_ip4
# preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6
Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
//資料庫部份
******************************************************************************
Original Line(s): # output database: alert, mssql, dbname='' user='' password='' test host=''
Change to: output database: alert, mssql, dbname='資料庫名稱' user='登入帳號' password='密碼' host='伺服器名稱' //user 請用專用的低權限 SQL 登入(不要用 sa);密碼是明文存在 snort.conf,請限制該檔案的 NTFS 權限只給執行 snort 的帳號讀取
Original Line(s): # output database: log, mssql, dbname='' user='' password='' test host=''
Change to: output database: log, mssql, dbname='資料庫名稱' user='登入帳號' password='密碼' host='伺服器名稱' //同上,alert 與 log 可用同一個低權限登入
******************************************************************************
******************************************************************************
Original Line(s): include classification.config
Change to: include c:\snort\etc\classification.config
Original Line(s): include reference.config
Change to: include c:\snort\etc\reference.config
Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
Original Line(s): include threshold.conf
Change to: include c:\snort\etc\threshold.conf
來snort的官網抓rules檔,http://www.snort.org/snort-rules,要註冊才可以下載
我是用這版本的rules snortrules-snapshot-2955.tar.gz
解壓縮後,將內部preproc_rules與rules 丟到c:\snort\
c:\snort\rules目錄裡面要新建兩個文件檔WHITE_LIST and BLACK_LIST,在把副檔名改為.rules。
//資料庫部份//要安裝微軟sql2008的管理工具
新增兩個資料庫
一個給alert用
另一個給log用
c:\snort\schemas\create_mssql
把註解拿掉,複製貼上
如果你用匯入,欄位會識別錯誤。
//也可以直接複製下列語法
****************************************************************
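-- Schema version marker: vseq is the schema revision written by this script,
-- ctime when the table was created. Presumably read by the Snort writer or
-- front-end to check compatibility -- confirm against the consumer.
-- [schema] is bracket-quoted because SCHEMA is a reserved word in T-SQL.
CREATE TABLE [schema] (
    vseq  NUMERIC(10,0) NOT NULL,
    ctime DATETIME      NOT NULL,
    PRIMARY KEY (vseq)
);
-- Numeric literal rather than '107': the original relied on an implicit
-- VARCHAR -> NUMERIC conversion, which is the same value but hides the type.
INSERT INTO [schema] (vseq, ctime) VALUES (107, GETDATE());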
-- Event header row keyed by (sensor id, per-sensor counter). The FK comments
-- describe the intended links; no FOREIGN KEY constraint is declared.
CREATE TABLE event (
    sid       NUMERIC(10,0) NOT NULL,  -- FK to sensor.sid (not enforced)
    cid       NUMERIC(10,0) NOT NULL,
    signature NUMERIC(10,0) NOT NULL,  -- FK to signature.sig_id (not enforced)
    timestamp DATETIME      NOT NULL,
    PRIMARY KEY (sid, cid)
);
CREATE INDEX IX_event_signature ON event (signature);
CREATE INDEX IX_event_timestamp ON event (timestamp);
-- Rule signature catalogue; sig_id is an identity surrogate key while
-- sig_sid/sig_gid/sig_rev carry the rule's own identifiers.
CREATE TABLE signature (
    sig_id       NUMERIC(10,0) IDENTITY(1,1) NOT NULL,
    sig_name     VARCHAR(255)  NOT NULL,
    sig_class_id NUMERIC(10,0),            -- FK to sig_class.sig_class_id (not enforced)
    sig_priority NUMERIC(10,0),
    sig_rev      NUMERIC(10,0),
    sig_sid      NUMERIC(10,0),
    sig_gid      NUMERIC(10,0),
    PRIMARY KEY (sig_id)
);
CREATE INDEX IX_signature_signame    ON signature (sig_name);
CREATE INDEX IX_signature_sigclassid ON signature (sig_class_id);
-- Many-to-many link between signatures and external references, ordered
-- per signature by ref_seq.
CREATE TABLE sig_reference (
    sig_id  NUMERIC(10,0) NOT NULL,  -- FK to signature.sig_id (not enforced)
    ref_seq NUMERIC(10,0) NOT NULL,
    ref_id  NUMERIC(10,0) NOT NULL,  -- FK to reference.ref_id (not enforced)
    PRIMARY KEY (sig_id, ref_seq)
);
-- External reference (e.g. an advisory id) attached to a reference system.
CREATE TABLE reference (
    ref_id        NUMERIC(10,0) IDENTITY(1,1) NOT NULL,
    ref_system_id NUMERIC(10,0) NOT NULL,  -- FK to reference_system.ref_system_id (not enforced)
    ref_tag       VARCHAR(8000) NOT NULL,
    PRIMARY KEY (ref_id)
);
-- Lookup of reference system names (the "cve"/"url"/... part of a rule reference).
CREATE TABLE reference_system (
    ref_system_id   NUMERIC(10,0) IDENTITY(1,1) NOT NULL,
    ref_system_name VARCHAR(20),
    PRIMARY KEY (ref_system_id)
);
-- Signature classification names (classtype of a rule).
CREATE TABLE sig_class (
    sig_class_id   NUMERIC(10,0) IDENTITY(1,1) NOT NULL,
    sig_class_name VARCHAR(60)   NOT NULL,
    PRIMARY KEY (sig_class_id)
);
-- The first index duplicates the primary key; kept for parity with the stock schema.
CREATE INDEX IX_sigclass_sigclassid   ON sig_class (sig_class_id);
CREATE INDEX IX_sigclass_sigclassname ON sig_class (sig_class_name);
-- One row per sensor. detail/encoding reference the lookup tables below;
-- last_cid is presumably the last event counter issued for the sensor --
-- confirm against the writer.
CREATE TABLE sensor (
    sid       NUMERIC(10,0) IDENTITY(1,1) NOT NULL,
    hostname  VARCHAR(100),
    interface VARCHAR(100),
    filter    VARCHAR(100),
    detail    INT,                       -- FK to detail.detail_type (not enforced)
    encoding  INT,                       -- FK to encoding.encoding_type (not enforced)
    last_cid  NUMERIC(10,0) NOT NULL,
    PRIMARY KEY (sid)
);
-- IPv4 header fields of an event. ip_src/ip_dst are stored as NUMERIC(10,0),
-- presumably the 32-bit address as an unsigned integer -- confirm against the writer.
CREATE TABLE iphdr (
    sid      NUMERIC(10,0) NOT NULL,  -- FK to event.sid, event.cid (not enforced)
    cid      NUMERIC(10,0) NOT NULL,
    ip_src   NUMERIC(10,0) NOT NULL,
    ip_dst   NUMERIC(10,0) NOT NULL,
    ip_ver   TINYINT,
    ip_hlen  TINYINT,
    ip_tos   TINYINT,
    ip_len   INT,
    ip_id    INT,
    ip_flags TINYINT,
    ip_off   INT,
    ip_ttl   TINYINT,
    ip_proto TINYINT NOT NULL,
    ip_csum  INT,
    PRIMARY KEY (sid, cid)
);
CREATE INDEX IX_iphdr_ipsrc ON iphdr (ip_src);
CREATE INDEX IX_iphdr_ipdst ON iphdr (ip_dst);
-- TCP header fields of an event, keyed like event.
CREATE TABLE tcphdr (
    sid       NUMERIC(10,0) NOT NULL,  -- FK to event.sid, event.cid (not enforced)
    cid       NUMERIC(10,0) NOT NULL,
    tcp_sport INT           NOT NULL,
    tcp_dport INT           NOT NULL,
    tcp_seq   NUMERIC(10,0),
    tcp_ack   NUMERIC(10,0),
    tcp_off   TINYINT,
    tcp_res   TINYINT,
    tcp_flags TINYINT       NOT NULL,  -- FK to protocols (see snortdb-extra), not enforced
    tcp_win   INT,
    tcp_csum  INT,
    tcp_urp   INT,
    PRIMARY KEY (sid, cid)
);
CREATE INDEX IX_tcphdr_sport    ON tcphdr (tcp_sport);
CREATE INDEX IX_tcphdr_dport    ON tcphdr (tcp_dport);
CREATE INDEX IX_tcphdr_tcpflags ON tcphdr (tcp_flags);
-- UDP header fields of an event, keyed like event.
CREATE TABLE udphdr (
    sid       NUMERIC(10,0) NOT NULL,  -- FK to event.sid, event.cid (not enforced)
    cid       NUMERIC(10,0) NOT NULL,
    udp_sport INT           NOT NULL,
    udp_dport INT           NOT NULL,
    udp_len   INT,
    udp_csum  INT,
    PRIMARY KEY (sid, cid)
);
CREATE INDEX IX_udphdr_sport ON udphdr (udp_sport);
CREATE INDEX IX_udphdr_dport ON udphdr (udp_dport);
-- ICMP header fields of an event, keyed like event.
CREATE TABLE icmphdr (
    sid       NUMERIC(10,0) NOT NULL,  -- FK to event.sid, event.cid (not enforced)
    cid       NUMERIC(10,0) NOT NULL,
    icmp_type TINYINT       NOT NULL,
    icmp_code TINYINT       NOT NULL,
    icmp_csum INT,
    icmp_id   INT,
    icmp_seq  INT,
    PRIMARY KEY (sid, cid)
);
CREATE INDEX IX_icmphdr_icmptype ON icmphdr (icmp_type);
-- IP or TCP options of an event; optid orders the options within one event
-- and opt_proto says which header the option came from.
CREATE TABLE opt (
    sid       NUMERIC(10,0) NOT NULL,  -- FK to iphdr.sid, iphdr.cid (not enforced)
    cid       NUMERIC(10,0) NOT NULL,  -- or to tcphdr.sid, tcphdr.cid
    optid     NUMERIC(10,0) NOT NULL,
    opt_proto TINYINT       NOT NULL,
    opt_code  TINYINT       NOT NULL,
    opt_len   INT,
    opt_data  VARCHAR(8000),
    PRIMARY KEY (sid, cid, optid)
);
-- Captured payload of an event. The column is capped at 8000 characters, so
-- longer payloads are presumably truncated by the writer -- confirm; the
-- encoding (hex/base64/ascii) is recorded per sensor in sensor.encoding.
CREATE TABLE data (
    sid          NUMERIC(10,0) NOT NULL,  -- FK to event.sid, event.cid (not enforced)
    cid          NUMERIC(10,0) NOT NULL,
    data_payload VARCHAR(8000),
    PRIMARY KEY (sid, cid)
);
-- Lookup of payload encodings referenced by sensor.encoding.
CREATE TABLE encoding (
    encoding_type TINYINT     NOT NULL,
    encoding_text VARCHAR(50) NOT NULL,
    PRIMARY KEY (encoding_type)
);
INSERT INTO encoding (encoding_type, encoding_text)
VALUES (0, 'hex'),
       (1, 'base64'),
       (2, 'ascii');
-- Lookup of logging detail levels referenced by sensor.detail.
CREATE TABLE detail (
    detail_type TINYINT     NOT NULL,
    detail_text VARCHAR(50) NOT NULL,
    PRIMARY KEY (detail_type)
);
INSERT INTO detail (detail_type, detail_text)
VALUES (0, 'fast'),
       (1, 'full');
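-- Least privilege: grant to a dedicated database role, not to PUBLIC.
-- PUBLIC is every login on the instance, so the original grants let any SQL
-- login read captured payloads (data.data_payload) and insert forged alert
-- rows. Add the login named in snort.conf (user='...') to this role:
--   EXEC sp_addrolemember 'snort_writer', '<snort database user>';
-- A console/reader should get its own SELECT-only role rather than this one.
-- NOTE(review): if the Snort writer also updates sensor.last_cid at startup,
-- add GRANT UPDATE ON sensor TO snort_writer -- confirm against the writer.
CREATE ROLE snort_writer;
GRANT SELECT, INSERT ON [schema]         TO snort_writer;
GRANT SELECT, INSERT ON signature        TO snort_writer;
GRANT SELECT, INSERT ON sig_reference    TO snort_writer;
GRANT SELECT, INSERT ON reference        TO snort_writer;
GRANT SELECT, INSERT ON reference_system TO snort_writer;
GRANT SELECT, INSERT ON sig_class        TO snort_writer;
GRANT SELECT, INSERT ON data             TO snort_writer;
GRANT SELECT, INSERT ON detail           TO snort_writer;
GRANT SELECT, INSERT ON encoding         TO snort_writer;
GRANT SELECT, INSERT ON event            TO snort_writer;
GRANT SELECT, INSERT ON icmphdr          TO snort_writer;
GRANT SELECT, INSERT ON iphdr            TO snort_writer;
GRANT SELECT, INSERT ON opt              TO snort_writer;
GRANT SELECT, INSERT ON sensor           TO snort_writer;
GRANT SELECT, INSERT ON tcphdr           TO snort_writer;
GRANT SELECT, INSERT ON udphdr           TO snort_writer;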
**************************************************************************
//測試
cmd c:\snort\bin\snort -T -c c:\snort\etc\snort.conf -i1 //設定檔請用絕對路徑,相對路徑會隨目前工作目錄而變
-T //測試
-c //載入設定檔
-i //網卡編號
//其他部份都跟server2003版本一樣,請參考網路各教學
新增兩個資料庫
一個給alert用
另一個給log用
c:\snort\schemas\create_mssql
把註解拿掉,複製貼上
如果你用匯入,欄位會識別錯誤。
//也可以直接複製下列語法
****************************************************************
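-- Schema version marker: vseq is the schema revision written by this script,
-- ctime when the table was created. Presumably read by the Snort writer or
-- front-end to check compatibility -- confirm against the consumer.
-- [schema] is bracket-quoted because SCHEMA is a reserved word in T-SQL.
CREATE TABLE [schema] (
    vseq  NUMERIC(10,0) NOT NULL,
    ctime DATETIME      NOT NULL,
    PRIMARY KEY (vseq)
);
-- Numeric literal rather than '107': the original relied on an implicit
-- VARCHAR -> NUMERIC conversion, which is the same value but hides the type.
INSERT INTO [schema] (vseq, ctime) VALUES (107, GETDATE());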
-- Event header row keyed by (sensor id, per-sensor counter). The FK comments
-- describe the intended links; no FOREIGN KEY constraint is declared.
CREATE TABLE event (
    sid       NUMERIC(10,0) NOT NULL,  -- FK to sensor.sid (not enforced)
    cid       NUMERIC(10,0) NOT NULL,
    signature NUMERIC(10,0) NOT NULL,  -- FK to signature.sig_id (not enforced)
    timestamp DATETIME      NOT NULL,
    PRIMARY KEY (sid, cid)
);
CREATE INDEX IX_event_signature ON event (signature);
CREATE INDEX IX_event_timestamp ON event (timestamp);
-- Rule signature catalogue; sig_id is an identity surrogate key while
-- sig_sid/sig_gid/sig_rev carry the rule's own identifiers.
CREATE TABLE signature (
    sig_id       NUMERIC(10,0) IDENTITY(1,1) NOT NULL,
    sig_name     VARCHAR(255)  NOT NULL,
    sig_class_id NUMERIC(10,0),            -- FK to sig_class.sig_class_id (not enforced)
    sig_priority NUMERIC(10,0),
    sig_rev      NUMERIC(10,0),
    sig_sid      NUMERIC(10,0),
    sig_gid      NUMERIC(10,0),
    PRIMARY KEY (sig_id)
);
CREATE INDEX IX_signature_signame    ON signature (sig_name);
CREATE INDEX IX_signature_sigclassid ON signature (sig_class_id);
-- Many-to-many link between signatures and external references, ordered
-- per signature by ref_seq.
CREATE TABLE sig_reference (
    sig_id  NUMERIC(10,0) NOT NULL,  -- FK to signature.sig_id (not enforced)
    ref_seq NUMERIC(10,0) NOT NULL,
    ref_id  NUMERIC(10,0) NOT NULL,  -- FK to reference.ref_id (not enforced)
    PRIMARY KEY (sig_id, ref_seq)
);
-- External reference (e.g. an advisory id) attached to a reference system.
CREATE TABLE reference (
    ref_id        NUMERIC(10,0) IDENTITY(1,1) NOT NULL,
    ref_system_id NUMERIC(10,0) NOT NULL,  -- FK to reference_system.ref_system_id (not enforced)
    ref_tag       VARCHAR(8000) NOT NULL,
    PRIMARY KEY (ref_id)
);
-- Lookup of reference system names (the "cve"/"url"/... part of a rule reference).
CREATE TABLE reference_system (
    ref_system_id   NUMERIC(10,0) IDENTITY(1,1) NOT NULL,
    ref_system_name VARCHAR(20),
    PRIMARY KEY (ref_system_id)
);
-- Signature classification names (classtype of a rule).
CREATE TABLE sig_class (
    sig_class_id   NUMERIC(10,0) IDENTITY(1,1) NOT NULL,
    sig_class_name VARCHAR(60)   NOT NULL,
    PRIMARY KEY (sig_class_id)
);
-- The first index duplicates the primary key; kept for parity with the stock schema.
CREATE INDEX IX_sigclass_sigclassid   ON sig_class (sig_class_id);
CREATE INDEX IX_sigclass_sigclassname ON sig_class (sig_class_name);
-- One row per sensor. detail/encoding reference the lookup tables below;
-- last_cid is presumably the last event counter issued for the sensor --
-- confirm against the writer.
CREATE TABLE sensor (
    sid       NUMERIC(10,0) IDENTITY(1,1) NOT NULL,
    hostname  VARCHAR(100),
    interface VARCHAR(100),
    filter    VARCHAR(100),
    detail    INT,                       -- FK to detail.detail_type (not enforced)
    encoding  INT,                       -- FK to encoding.encoding_type (not enforced)
    last_cid  NUMERIC(10,0) NOT NULL,
    PRIMARY KEY (sid)
);
-- IPv4 header fields of an event. ip_src/ip_dst are stored as NUMERIC(10,0),
-- presumably the 32-bit address as an unsigned integer -- confirm against the writer.
CREATE TABLE iphdr (
    sid      NUMERIC(10,0) NOT NULL,  -- FK to event.sid, event.cid (not enforced)
    cid      NUMERIC(10,0) NOT NULL,
    ip_src   NUMERIC(10,0) NOT NULL,
    ip_dst   NUMERIC(10,0) NOT NULL,
    ip_ver   TINYINT,
    ip_hlen  TINYINT,
    ip_tos   TINYINT,
    ip_len   INT,
    ip_id    INT,
    ip_flags TINYINT,
    ip_off   INT,
    ip_ttl   TINYINT,
    ip_proto TINYINT NOT NULL,
    ip_csum  INT,
    PRIMARY KEY (sid, cid)
);
CREATE INDEX IX_iphdr_ipsrc ON iphdr (ip_src);
CREATE INDEX IX_iphdr_ipdst ON iphdr (ip_dst);
-- TCP header fields of an event, keyed like event.
CREATE TABLE tcphdr (
    sid       NUMERIC(10,0) NOT NULL,  -- FK to event.sid, event.cid (not enforced)
    cid       NUMERIC(10,0) NOT NULL,
    tcp_sport INT           NOT NULL,
    tcp_dport INT           NOT NULL,
    tcp_seq   NUMERIC(10,0),
    tcp_ack   NUMERIC(10,0),
    tcp_off   TINYINT,
    tcp_res   TINYINT,
    tcp_flags TINYINT       NOT NULL,  -- FK to protocols (see snortdb-extra), not enforced
    tcp_win   INT,
    tcp_csum  INT,
    tcp_urp   INT,
    PRIMARY KEY (sid, cid)
);
CREATE INDEX IX_tcphdr_sport    ON tcphdr (tcp_sport);
CREATE INDEX IX_tcphdr_dport    ON tcphdr (tcp_dport);
CREATE INDEX IX_tcphdr_tcpflags ON tcphdr (tcp_flags);
-- UDP header fields of an event, keyed like event.
CREATE TABLE udphdr (
    sid       NUMERIC(10,0) NOT NULL,  -- FK to event.sid, event.cid (not enforced)
    cid       NUMERIC(10,0) NOT NULL,
    udp_sport INT           NOT NULL,
    udp_dport INT           NOT NULL,
    udp_len   INT,
    udp_csum  INT,
    PRIMARY KEY (sid, cid)
);
CREATE INDEX IX_udphdr_sport ON udphdr (udp_sport);
CREATE INDEX IX_udphdr_dport ON udphdr (udp_dport);
-- ICMP header fields of an event, keyed like event.
CREATE TABLE icmphdr (
    sid       NUMERIC(10,0) NOT NULL,  -- FK to event.sid, event.cid (not enforced)
    cid       NUMERIC(10,0) NOT NULL,
    icmp_type TINYINT       NOT NULL,
    icmp_code TINYINT       NOT NULL,
    icmp_csum INT,
    icmp_id   INT,
    icmp_seq  INT,
    PRIMARY KEY (sid, cid)
);
CREATE INDEX IX_icmphdr_icmptype ON icmphdr (icmp_type);
-- IP or TCP options of an event; optid orders the options within one event
-- and opt_proto says which header the option came from.
CREATE TABLE opt (
    sid       NUMERIC(10,0) NOT NULL,  -- FK to iphdr.sid, iphdr.cid (not enforced)
    cid       NUMERIC(10,0) NOT NULL,  -- or to tcphdr.sid, tcphdr.cid
    optid     NUMERIC(10,0) NOT NULL,
    opt_proto TINYINT       NOT NULL,
    opt_code  TINYINT       NOT NULL,
    opt_len   INT,
    opt_data  VARCHAR(8000),
    PRIMARY KEY (sid, cid, optid)
);
-- Captured payload of an event. The column is capped at 8000 characters, so
-- longer payloads are presumably truncated by the writer -- confirm; the
-- encoding (hex/base64/ascii) is recorded per sensor in sensor.encoding.
CREATE TABLE data (
    sid          NUMERIC(10,0) NOT NULL,  -- FK to event.sid, event.cid (not enforced)
    cid          NUMERIC(10,0) NOT NULL,
    data_payload VARCHAR(8000),
    PRIMARY KEY (sid, cid)
);
-- Lookup of payload encodings referenced by sensor.encoding.
CREATE TABLE encoding (
    encoding_type TINYINT     NOT NULL,
    encoding_text VARCHAR(50) NOT NULL,
    PRIMARY KEY (encoding_type)
);
INSERT INTO encoding (encoding_type, encoding_text)
VALUES (0, 'hex'),
       (1, 'base64'),
       (2, 'ascii');
-- Lookup of logging detail levels referenced by sensor.detail.
CREATE TABLE detail (
    detail_type TINYINT     NOT NULL,
    detail_text VARCHAR(50) NOT NULL,
    PRIMARY KEY (detail_type)
);
INSERT INTO detail (detail_type, detail_text)
VALUES (0, 'fast'),
       (1, 'full');
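-- Least privilege: grant to a dedicated database role, not to PUBLIC.
-- PUBLIC is every login on the instance, so the original grants let any SQL
-- login read captured payloads (data.data_payload) and insert forged alert
-- rows. Add the login named in snort.conf (user='...') to this role:
--   EXEC sp_addrolemember 'snort_writer', '<snort database user>';
-- A console/reader should get its own SELECT-only role rather than this one.
-- NOTE(review): if the Snort writer also updates sensor.last_cid at startup,
-- add GRANT UPDATE ON sensor TO snort_writer -- confirm against the writer.
CREATE ROLE snort_writer;
GRANT SELECT, INSERT ON [schema]         TO snort_writer;
GRANT SELECT, INSERT ON signature        TO snort_writer;
GRANT SELECT, INSERT ON sig_reference    TO snort_writer;
GRANT SELECT, INSERT ON reference        TO snort_writer;
GRANT SELECT, INSERT ON reference_system TO snort_writer;
GRANT SELECT, INSERT ON sig_class        TO snort_writer;
GRANT SELECT, INSERT ON data             TO snort_writer;
GRANT SELECT, INSERT ON detail           TO snort_writer;
GRANT SELECT, INSERT ON encoding         TO snort_writer;
GRANT SELECT, INSERT ON event            TO snort_writer;
GRANT SELECT, INSERT ON icmphdr          TO snort_writer;
GRANT SELECT, INSERT ON iphdr            TO snort_writer;
GRANT SELECT, INSERT ON opt              TO snort_writer;
GRANT SELECT, INSERT ON sensor           TO snort_writer;
GRANT SELECT, INSERT ON tcphdr           TO snort_writer;
GRANT SELECT, INSERT ON udphdr           TO snort_writer;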
**************************************************************************
//測試
cmd c:\snort\bin\snort -T -c c:\snort\etc\snort.conf -i1 //設定檔請用絕對路徑,相對路徑會隨目前工作目錄而變
-T //測試
-c //載入設定檔
-i //網卡編號
//其他部份都跟server2003版本一樣,請參考網路各教學