
snorby_test

曹高阳
2023-12-01

Reference:
http://sublimerobots.com/2015/12/snort-2-9-8-x-on-ubuntu-part-3/

cqq@kali:/etc/snort$ sudo /usr/sbin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
04/17-04:51:02.052102  [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {IGMP} 0.0.0.0 -> 224.0.0.1
04/17-04:51:36.958016  [**] [1:368:6] ICMP PING BSDtype [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141
04/17-04:51:36.958016  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141
04/17-04:51:36.958016  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141
04/17-04:51:36.958016  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141
04/17-04:51:36.958158  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.10.141 -> 192.168.10.247
04/17-04:51:36.958158  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.141 -> 192.168.10.247
04/17-04:51:37.963323  [**] [1:368:6] ICMP PING BSDtype [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141
04/17-04:51:37.963323  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141
04/17-04:51:37.963323  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141
04/17-04:51:37.963323  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141
04/17-04:51:37.963442  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.10.141 -> 192.168.10.247

Very satisfying, it works!

➜  Notes/snorty_install_process master ✓ ping 192.168.10.141                                                                      [19:59:59]
PING 192.168.10.141 (192.168.10.141): 56 data bytes
64 bytes from 192.168.10.141: icmp_seq=0 ttl=64 time=2.025 ms
64 bytes from 192.168.10.141: icmp_seq=1 ttl=64 time=2.175 ms
64 bytes from 192.168.10.141: icmp_seq=2 ttl=64 time=2.220 ms
64 bytes from 192.168.10.141: icmp_seq=3 ttl=64 time=2.163 ms
64 bytes from 192.168.10.141: icmp_seq=4 ttl=64 time=2.238 ms
64 bytes from 192.168.10.141: icmp_seq=5 ttl=64 time=1.881 ms
64 bytes from 192.168.10.141: icmp_seq=6 ttl=64 time=1.463 ms
64 bytes from 192.168.10.141: icmp_seq=7 ttl=64 time=2.446 ms
64 bytes from 192.168.10.141: icmp_seq=8 ttl=64 time=1.212 ms
64 bytes from 192.168.10.141: icmp_seq=9 ttl=64 time=1.873 ms
64 bytes from 192.168.10.141: icmp_seq=10 ttl=64 time=3.027 ms
64 bytes from 192.168.10.141: icmp_seq=11 ttl=64 time=2.107 ms
^C
--- 192.168.10.141 ping statistics ---
12 packets transmitted, 12 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.212/2.069/3.027/0.439 ms

...

^C*** Caught Int-Signal
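The console lines above are Snort's "fast" alert format: timestamp, [gid:sid:rev], message, optional classification, priority, protocol and src -> dst. When a local test rule such as sid 10000001 is firing it helps to parse this stream into fields and count hits per rule rather than eyeballing it. The parser below is an added example, not code from the original post or from the Snort project; it feeds itself the alert lines from the session above plus one constructed TCP line (sid 10000002, a hypothetical local rule) to show that src/dst may carry a port for TCP/UDP and that rules without a classtype print no Classification block.

```python
import re
from collections import Counter

# One line of Snort "-A console" output, as in the session above.
# Classification is optional (rules without classtype omit it); src/dst may be
# "ip" or "ip:port" for TCP/UDP, a generalisation beyond the ICMP-only lines.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def _split_endpoint(ep):
    """Split an IPv4 'ip' or 'ip:port' into (ip, port or None); IPv6 (more
    than one colon) is returned whole."""
    if ep.count(":") == 1:
        ip, port = ep.split(":")
        return ip, int(port)
    return ep, None


def parse_alert(line):
    """Parse one console line into a dict, or None for non-alert lines
    (Snort prints banner and status text on the same stream)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return {
        "ts": m["ts"],
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["cls"],        # None when the rule has no classtype
        "priority": int(m["prio"]),        # 1 is the most severe
        "proto": m["proto"],
        "src": src_ip, "src_port": src_port,
        "dst": dst_ip, "dst_port": dst_port,
    }


def parse_alerts(text):
    """All alert events in a block of console output, in order."""
    return [e for e in (parse_alert(l) for l in text.splitlines()) if e]


def count_by_sid(events):
    """Counter keyed by (gid, sid, msg): the first view to check when a test
    rule fires more (or less) often than the traffic you generated."""
    return Counter((e["gid"], e["sid"], e["msg"]) for e in events)


def high_priority(events, max_priority=2):
    """Events at priority max_priority or more severe."""
    return [e for e in events if e["priority"] <= max_priority]


# Sample input: the twelve alert lines from the session above, plus one
# constructed TCP alert (sid 10000002 is hypothetical) with ports and no
# Classification block.
SAMPLE_ALERTS = "\n".join([
    "04/17-04:51:02.052102  [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {IGMP} 0.0.0.0 -> 224.0.0.1",
    "04/17-04:51:36.958016  [**] [1:368:6] ICMP PING BSDtype [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141",
    "04/17-04:51:36.958016  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141",
    "04/17-04:51:36.958016  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141",
    "04/17-04:51:36.958016  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141",
    "04/17-04:51:36.958158  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.10.141 -> 192.168.10.247",
    "04/17-04:51:36.958158  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.141 -> 192.168.10.247",
    "04/17-04:51:37.963323  [**] [1:368:6] ICMP PING BSDtype [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141",
    "04/17-04:51:37.963323  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141",
    "04/17-04:51:37.963323  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141",
    "04/17-04:51:37.963323  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.247 -> 192.168.10.141",
    "04/17-04:51:37.963442  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.10.141 -> 192.168.10.247",
    "04/17-04:52:10.123456  [**] [1:10000002:1] TEST TCP to web port [**] [Priority: 3] {TCP} 192.168.10.247:51234 -> 192.168.10.141:80",
])


if __name__ == "__main__":
    events = parse_alerts(SAMPLE_ALERTS)
    for key, n in count_by_sid(events).most_common():
        print(n, key)
    print("priority<=2:", [e["sid"] for e in high_priority(events)])
```

Run it with the console output redirected to a file and `parse_alerts(open(path).read())`; because each ICMP echo trips four rules at once, the per-sid counter (4 hits for sid 10000001 from two pings and their replies) is the quickest way to confirm that a local rule fires exactly once per matching packet.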

Then I saw that there were new files in /var/log/snort as well

cqq@kali:/etc/snort$ cd /var/log/snort
cqq@kali:/var/log/snort$ ls
snort.log.1492375835
cqq@kali:/var/log/snort$ vi snort.log.1492375835
cqq@kali:/var/log/snort$ sudo vi snort.log.1492375835
[sudo] cqq 的密码:
cqq@kali:/var/log/snort$ head -5 snort.log.1492375835
head: 无法打开'snort.log.1492375835' 读取数据: 权限不够
cqq@kali:/var/log/snort$ sudo head -5 snort.log.1492375835
(binary output omitted: the file begins with the bytes d4 c3 b2 a1, the little-endian pcap magic, so snort.log.1492375835 is a tcpdump-format packet capture rather than text; the ICMP echo payload pattern !"#$%&'()*+,-./01234567 is visible further in)

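Rather than `head`, the way to check what a snort.log.<timestamp> file is, is to decode its first 24 bytes as a pcap global header. The reader below is an added example (not code from the original post or from the Snort project): it recognises the pcap magic in either byte order, reports version, snaplen and link type, and walks the per-packet records to count how many packets were logged, stopping cleanly at a truncated final record, which is what you see while Snort is still writing. The sample bytes are constructed: a little-endian header whose first four bytes are d4 c3 b2 a1, as in the head output above, followed by two dummy 98-byte records (the on-wire size of an ICMP echo with 56 data bytes, as in the ping session above).

```python
import struct

# pcap magic values as seen after decoding with the correct byte order.
PCAP_MAGICS = {
    0xA1B2C3D4: "microseconds",
    0xA1B23C4D: "nanoseconds",
}
GLOBAL_HEADER_LEN = 24  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16  # ts_sec, ts_usec, incl_len, orig_len


def identify_pcap_header(data):
    """Decode the pcap global header at the start of a file.

    Returns a dict (byte order, timestamp resolution, version, snaplen,
    linktype) or None when the bytes do not start with a pcap magic.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        return None
    for endian, name in (("<", "little"), (">", "big")):
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic in PCAP_MAGICS:
            vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(
                endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])
            return {
                "byte_order": name,
                "ts_resolution": PCAP_MAGICS[magic],
                "version": (vmaj, vmin),
                "snaplen": snaplen,
                "linktype": linktype,  # 1 is LINKTYPE_ETHERNET
            }
    return None


def count_packets(data):
    """Walk the packet records after the global header.

    Returns (packet_count, captured_bytes). A record whose incl_len runs past
    the end of the data is treated as truncated and not counted.
    """
    info = identify_pcap_header(data)
    if info is None:
        raise ValueError("not a pcap file")
    endian = "<" if info["byte_order"] == "little" else ">"
    off, count, captured = GLOBAL_HEADER_LEN, 0, 0
    while off + RECORD_HEADER_LEN <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        if off + RECORD_HEADER_LEN + incl_len > len(data):
            break  # truncated final record (file still being written)
        count += 1
        captured += incl_len
        off += RECORD_HEADER_LEN + incl_len
    return count, captured


# Constructed sample, not a real capture: little-endian header (bytes start
# d4 c3 b2 a1), pcap 2.4, snaplen 1518, Ethernet, then two dummy 98-byte
# frames stamped with the epoch from the log file name above.
_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1518, 1)
_DUMMY_FRAME = bytes(range(98))
_RECORD = struct.pack("<IIII", 1492375835, 0, len(_DUMMY_FRAME), len(_DUMMY_FRAME)) + _DUMMY_FRAME
SAMPLE_LOG = _HEADER + _RECORD + _RECORD


if __name__ == "__main__":
    print(SAMPLE_LOG[:4].hex())          # d4c3b2a1
    print(identify_pcap_header(SAMPLE_LOG))
    print(count_packets(SAMPLE_LOG))     # (2, 196)
```

On the real file, `identify_pcap_header(open(path, "rb").read(24))` is enough to classify it; if you only want the magic, `od -An -tx1 -N4 snort.log.1492375835` shows the same four bytes without Python.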
Use of uninitialized value $arch in regexp compilation at /usr/local/bin/pulledpork.pl line 310.
Use of uninitialized value $arch in regexp compilation at /usr/local/bin/pulledpork.pl line 310.
    Reading rules...
Cleanup....
    removed 168 temporary snort files or directories from /tmp/tha_rules!
Writing Blacklist File /etc/snort/rules/iplists/black_list.rules....
Writing Blacklist Version 959984185 to /etc/snort/rules/iplistsIPRVersion.dat....
Setting Flowbit State....
    Enabled 124 flowbits
    Done
Writing /etc/snort/rules/snort.rules....
    Done
Generating sid-msg.map....
    Done
Writing v2 /etc/snort/sid-msg.map....
    Done
Writing /var/log/sid_changes.log....
    Done
Rule Stats...
    New:-------55416
    Deleted:---0
    Enabled Rules:----29851
    Dropped Rules:----0
    Disabled Rules:---25565
    Total Rules:------55416
IP Blacklist Stats...
    Total IPs:-----21762

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Remember to start Snorby!!!

 cqq@snort-ids  /var/www/html/snorby   master ●  sudo bundle exec rails server -e production                                   [5:17:40]
 [sudo] cqq 的密码:
 对不起,请重试。
 [sudo] cqq 的密码:
 => Booting Thin
 => Rails 3.2.22 application starting in production on http://0.0.0.0:3000
 => Call with -d to detach
 => Ctrl-C to shutdown server
 /var/www/tmp/snorby/vendor/cache/ruby/2.3.0/gems/actionpack-3.2.22/lib/action_dispatch/http/mime_type.rb:102: warning: already initialized constant Mime::PDF
 /var/www/tmp/snorby/vendor/cache/ruby/2.3.0/gems/actionpack-3.2.22/lib/action_dispatch/http/mime_type.rb:102: warning: previous definition of PDF was here
 Thin web server (v1.6.3 codename Protein Powder)
 Maximum connections set to 1024
 Listening on 0.0.0.0:3000, CTRL+C to stop

Check the start time of a process.

 cqq@snort-ids  /var/log/snort  ps -p 406 -o lstart                                                                             [16:09:13]
                 STARTED
Fri Apr 21 04:46:24 2017

Errors encountered

cqq@snort-ids:~/repos/snort_src/barnyard2-2-1.14-336$ sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
Running in Continuous mode

    --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[ClassificationPullDataStore()]: No Classification found in database ...
[SignaturePullDataStore()]: No signature found in database ...

[CacheSynchronize()],INFO: No system was found in cache (from signature map file), will not process or synchronize informations found in the database

Got an error.

rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
ERROR size 628 != 564
ERROR: Failed to initialize dynamic preprocessor: SF_MODBUS version 1.1.1 (-2)
Fatal Error, Quitting..

Solution.
Try deleting the old preprocessors and reinstalling Snort. Looks like you have an old preprocessor with a new version
of Snort.

Reference: http://seclists.org/snort/2012/q3/628
The only option was to reinstall Snort.

./configure --enable-sourcefire && make && sudo make install

Perhaps the blame lies with the fact that I first installed snort (2.9.7) with apt and then installed it from source (2.9.9), which produced this situation.

Reinstalled Snort and modified /etc/snort/snort.conf, changing /usr/lib/xxx to /usr/local/lib/xxx
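The "ERROR size 628 != 564 / Failed to initialize dynamic preprocessor" above is what a mismatched set of shared objects looks like: the binary being run was built from one source tree, but snort.conf still loads the dynamicengine/dynamicpreprocessor/dynamicdetection objects from the other install prefix. The check below is an added example, not code from the original post or from the Snort project; it assumes the usual layout where a source build lands under /usr/local and a package under /usr, extracts the dynamic* directives from a snort.conf and flags any that do not live under <prefix>/lib or <prefix>/lib64 of the binary you actually invoke. The two config fragments are constructed to match the before/after edit described above.

```python
import re
from pathlib import PurePosixPath

# Directives in snort.conf that load shared objects at start-up, in the forms
# used by Snort 2.9 configs:
#   dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
#   dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#   dynamicdetection directory /usr/local/lib/snort_dynamicrules
DYNAMIC_RE = re.compile(
    r"^\s*(dynamicengine|dynamicpreprocessor|dynamicdetection)\s+"
    r"(?:directory\s+|file\s+)?(\S+)"
)


def install_prefix(snort_binary):
    """Install prefix of a Snort binary: /usr/sbin/snort -> /usr,
    /usr/local/bin/snort -> /usr/local (the default for a source build)."""
    return str(PurePosixPath(snort_binary).parent.parent)


def dynamic_paths(conf_text):
    """(directive, path) pairs from a snort.conf, ignoring # comments."""
    found = []
    for line in conf_text.splitlines():
        m = DYNAMIC_RE.match(line.split("#", 1)[0])
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def mismatched_dynamic_paths(conf_text, snort_binary):
    """Directives whose object path is not under <prefix>/lib or <prefix>/lib64
    of the binary that will run. An empty list means the config is consistent
    with that binary."""
    prefix = install_prefix(snort_binary)
    lib_roots = (prefix + "/lib/", prefix + "/lib64/")
    return [(kind, path) for kind, path in dynamic_paths(conf_text)
            if not path.startswith(lib_roots)]


# Constructed config fragments (not the author's actual snort.conf).
# Before: apt-era /usr/lib paths left in place while running a /usr/local build,
# with one directive already edited.
CONF_BEFORE = """\
# constructed sample: leftover package paths
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules   # already edited
"""
# After: every directive points into the source-install prefix.
CONF_AFTER = """\
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
"""


if __name__ == "__main__":
    for kind, path in mismatched_dynamic_paths(CONF_BEFORE, "/usr/local/bin/snort"):
        print("MISMATCH:", kind, path)
    print("after edit:", mismatched_dynamic_paths(CONF_AFTER, "/usr/local/bin/snort"))
```

Which binary runs is decided by the path you type or by PATH (the session at the top invokes /usr/sbin/snort explicitly), so pair this check with `command -v snort` and `snort -V`; note that the same function reports the reverse mismatch, a /usr/sbin package binary reading a config that points at /usr/local/lib, which is just as fatal.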

|     1 byte states : 3.37
|     2 byte states : 193.06
|     4 byte states : 140.04
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 12419 ]
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.9.0 GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.8

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>

Snort successfully validated the configuration!
Snort exiting