Snort: sensor gets bad data from barnyard2

I finally have everything I need to run snort:

  • pulledpork to update the snort rules
  • tcl, non-threaded, with all the required packages
    • mysqltcl
    • Tclx
    • sha1
    • tk
    • etc.
  • sguil client and server
  • mysql server
  • I am using snort_agent.tcl
  • barnyard2
I have also set up snort.conf with the sfportscan preprocessor:

output unified2: filename snort.log_unified, limit 128
preprocessor sfportscan: proto { all } scan_type { all } memcap { 1000000 } sense_level { high }
Here is the output from running snort, trimmed down to the parts I'm interested in:

snort -u sguil -g sguil -l /var/snort/snort_data/sensor1 -c /etc/snort/snort.conf -U -A full -m 122 -i eth0

Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/lib/snort_dynamicrules.
  Finished Loading all dynamic detection libs from /usr/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
Log directory = /var/snort/snort_data/sensor1

...

Portscan Detection Config:
Detect Protocols:  TCP UDP ICMP IP
Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: High/Experimental
Memcap (in bytes): 10000000
Number of Nodes:   17391

...

I GET A TON OF THESE

WARNING: /etc/snort/rules/web-attacks.rules(29) GID 1 SID 1328 in rule duplicates previous rule. Ignoring old rule.

...


Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
WARNING: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
WARNING: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
33 out of 1024 flowbits in use.


...


    --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.2 IPv6 GRE (Build 121)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.15  <Build 18>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_MODBUS (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP (IPV6)  Version 1.1  <Build 1>
Commencing packet processing (pid=4448)
Now my problem is at the sensor level / log level. This is what I see in the sensor_agent.tcl console:

Checking for PS files in /var/snort/snort_data/quad-ext/portscans.
Unknown barnyard data: [garbled text]
BYCmdRcvd: Barnyard disconnected.
Sending sguild (sock3) SystemMessage {Barnyard disconnected.}
Sending sguild (sock3) BarnyardDisConnect {2015-02-19 00:03:20}
barnyard connected: sock8 127.0.0.1 42223
Unknown barnyard data: 

Any help would be greatly appreciated! I just want to get going; aside from a port scan I don't have any sensible test, and I want to get the port scan set up.
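The symptom above sits on the last hop of the pipeline (barnyard2 to the sguil sensor agent), but the first thing worth checking is the hop before it: whether the `output unified2:` plugin is actually writing well-formed events into the spool that barnyard2 tails. The reader below is an added example written for this thread; it is not code from Snort, barnyard2 or sguil. It assumes the unified2 framing Snort documents in its unified2 header (a big-endian type/length record header) and the legacy IPv4 IDS event layout for record type 7; the sample spool bytes at the bottom are constructed here for illustration and are not taken from the poster's sensor.

```python
"""Minimal unified2 spool reader: what did Snort actually write?

Added example for this thread, not code from Snort, barnyard2 or sguil.
Record framing and the type-7 event layout follow Snort's unified2 header
definitions; SAMPLE_SPOOL below is constructed test data.
"""
import socket
import struct
from typing import Dict, Iterator, List, Tuple

# Record type codes from Snort's unified2 definitions.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_EXTRA_DATA = 110

# Serial_Unified2_Header: uint32 type, uint32 length (network byte order).
RECORD_HEADER = struct.Struct("!II")
# Serial_Unified2IDSEvent_legacy: sensor_id, event_id, event_second,
# event_microsecond, signature_id, generator_id, signature_revision,
# classification_id, priority_id, ip_source, ip_destination (11 x uint32),
# sport_itype, dport_icode (uint16), protocol, impact_flag, impact, blocked.
IDS_EVENT = struct.Struct("!" + "I" * 11 + "HHBBBB")
assert IDS_EVENT.size == 52


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for every complete record in `data`.

    Snort appends to the spool while barnyard2 tails it, so a file read
    mid-write may legitimately end in a partial record.  Stop there rather
    than raise: a truncated tail is not corruption.
    """
    off = 0
    while off + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        if off + length > len(data):
            break  # partial record still being written
        yield rtype, data[off:off + length]
        off += length


def parse_ids_event(body: bytes) -> Dict[str, object]:
    """Decode a type-7 (IPv4) IDS event body into a dict."""
    (sensor_id, event_id, event_second, _usec, sid, gid, rev, class_id,
     priority, src, dst, sport, dport, proto, _impact_flag, _impact,
     blocked) = IDS_EVENT.unpack(body[:IDS_EVENT.size])
    return {
        "sensor_id": sensor_id, "event_id": event_id,
        "event_second": event_second,
        "gid": gid, "sid": sid, "rev": rev,
        "classification": class_id, "priority": priority,
        "src": socket.inet_ntoa(struct.pack("!I", src)),
        "dst": socket.inet_ntoa(struct.pack("!I", dst)),
        "sport_itype": sport, "dport_icode": dport,
        "protocol": proto, "blocked": blocked,
    }


def summarize(data: bytes) -> Dict[str, object]:
    """Count record types and decode every complete type-7 event."""
    counts: Dict[int, int] = {}
    events: List[Dict[str, object]] = []
    for rtype, body in iter_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            events.append(parse_ids_event(body))
    return {"counts": counts, "events": events}


def build_ids_event(sensor_id: int, event_id: int, event_second: int,
                    gid: int, sid: int, rev: int, src: str, dst: str,
                    sport: int, dport: int, proto: int) -> bytes:
    """Build a constructed type-7 record (header + body) for testing."""
    body = IDS_EVENT.pack(
        sensor_id, event_id, event_second, 0, sid, gid, rev, 0, 2,
        struct.unpack("!I", socket.inet_aton(src))[0],
        struct.unpack("!I", socket.inet_aton(dst))[0],
        sport, dport, proto, 0, 0, 0)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed sample spool (not captured data): a portscan-preprocessor style
# event (GID 122), a ruleset event (GID 1, SID 1328 as in the duplicate-rule
# warning above), then a packet record cut off mid-write.
SAMPLE_SPOOL = (
    build_ids_event(1, 1, 1424304200, 122, 1, 1, "10.0.0.5", "10.0.0.10", 0, 0, 6)
    + build_ids_event(1, 2, 1424304201, 1, 1328, 5, "10.0.0.5", "10.0.0.10", 51234, 80, 6)
    + RECORD_HEADER.pack(UNIFIED2_PACKET, 120) + b"\x00" * 40
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPOOL
    result = summarize(data)
    print("record counts by type:", result["counts"])
    for ev in result["events"]:
        print("GID %(gid)d SID %(sid)d rev %(rev)d %(src)s:%(sport_itype)d -> "
              "%(dst)s:%(dport_icode)d proto %(protocol)d" % ev)
```

Run it against one of the `snort.log_unified.*` files in the sensor's log directory. If it reports zero records while snort is "Commencing packet processing", the problem is upstream of barnyard2 (no alerts firing, or `-l` pointing somewhere other than barnyard2's spool directory); if it decodes events cleanly, the breakage is in the barnyard2 configuration or its connection to the agent, which is where the "Unknown barnyard data" messages point.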

Why are you using snort version 2.9.2.2!??? That is really old (3+ years). There have been too many changes since then, and the old versions are no longer documented. Please download 2.9.7, recompile and test... Running on a version that old won't help much; where did you even download the source from...

I'm on kali linux. I figured this version might be more robust/stable? I used to get errors all the time. Does the newer version support threaded tcl? Tcl was a huge pain to compile and to get all the right libraries linked in init.tcl, and my package manager never complained about missing dependencies. I eventually used equips to get rid of the missing tcl packages. Then linked everything up and it ran happily. Now I'm just configuring. My procedure is also well documented. What is the biggest difference?

OK. So I've upgraded, and I still have the unknown barnyard data problem. In the System tab of my sguil 0.9.0 client I keep getting sguild: User disconnected =/