Snort: sensor gets bad data from barnyard2
I finally have everything I need to run snort:
- pulledpork to update the snort rules
- tcl, without threads, and all the required packages
- mysqltcl
- Tclx
- sha1
- tk
- etc.
- sguil client and server
- mysql server
- I'm using snort_agent.tcl
- barnyard2
I also set up snort.conf with the sfportscan preprocessor:
output unified2: filename snort.log_unified, limit 128
preprocessor sfportscan: proto { all } scan_type { all } memcap { 1000000 } sense_level { high }
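The chain being wired up here is snort writing unified2 records (the `output unified2:` line above), barnyard2 reading that file and forwarding events to snort_agent.tcl. As an added example, not code from this post or from the Snort/barnyard2 projects, here is a minimal Python reader for the unified2 format: the 8-byte record header, the 52-byte legacy IDS event record (type 7) and the packet record (type 2), with the field layout taken from Snort's Unified2_common.h. The sample file it parses is constructed inline (sensor id, timestamps, addresses and the 4-byte payload are made up); record types it does not know are skipped by length, and a truncated file is rejected rather than silently misread.

```python
"""Minimal unified2 reader (added example; field layout per Snort's Unified2_common.h)."""
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple, Union

# Record types handled here; anything else is skipped using its length field,
# which is what lets a reader survive record types it does not know.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event

HEADER = struct.Struct("!II")     # type, length (network byte order)
IDS_EVENT = struct.Struct("!11I2H4B")   # 52-byte legacy event body
PACKET_HDR = struct.Struct("!7I")       # 28 bytes that precede packet_data


@dataclass
class IdsEvent:
    sensor_id: int
    event_id: int
    event_second: int
    event_microsecond: int
    signature_id: int
    generator_id: int
    signature_revision: int
    classification_id: int
    priority_id: int
    src_ip: str
    dst_ip: str
    sport_itype: int
    dport_icode: int
    protocol: int
    impact_flag: int
    impact: int
    blocked: int

    def label(self) -> str:
        """barnyard2-style [gid:sid:rev] one-line summary of the event."""
        return (f"[{self.generator_id}:{self.signature_id}:{self.signature_revision}] "
                f"{self.src_ip}:{self.sport_itype} -> {self.dst_ip}:{self.dport_icode} "
                f"proto {self.protocol}")


@dataclass
class PacketRecord:
    sensor_id: int
    event_id: int
    event_second: int
    packet_second: int
    packet_microsecond: int
    linktype: int
    packet_data: bytes


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Frame the file: an 8-byte header, then exactly `length` body bytes; raise on a short body."""
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        rtype, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        body = data[off:off + length]
        if len(body) < length:
            raise ValueError(f"truncated record at offset {off}: need {length}, have {len(body)}")
        yield rtype, body
        off += length


def parse_record(rtype: int, body: bytes) -> Optional[Union[IdsEvent, PacketRecord]]:
    """Decode one record body; return None for record types this reader does not know."""
    if rtype == UNIFIED2_IDS_EVENT:
        if len(body) != IDS_EVENT.size:
            raise ValueError(f"IDS event body is {len(body)} bytes, expected {IDS_EVENT.size}")
        f = IDS_EVENT.unpack(body)
        ips = [socket.inet_ntoa(struct.pack("!I", n)) for n in f[9:11]]
        return IdsEvent(*f[:9], ips[0], ips[1], *f[11:])
    if rtype == UNIFIED2_PACKET:
        if len(body) < PACKET_HDR.size:
            raise ValueError("packet record shorter than its fixed header")
        hdr = PACKET_HDR.unpack_from(body)
        pkt = body[PACKET_HDR.size:PACKET_HDR.size + hdr[6]]
        if len(pkt) != hdr[6]:
            raise ValueError("packet_length exceeds record body")
        return PacketRecord(*hdr[:6], pkt)
    return None


def parse_file(data: bytes) -> List[Union[IdsEvent, PacketRecord]]:
    return [r for r in (parse_record(t, b) for t, b in iter_records(data)) if r is not None]


def build_sample_file() -> bytes:
    """Constructed two-record unified2 file: one event (gid 1, sid 1328) and its packet."""
    def ip(s: str) -> int:
        return struct.unpack("!I", socket.inet_aton(s))[0]
    event = IDS_EVENT.pack(1, 42, 1424304200, 123456, 1328, 1, 6, 1, 2,
                           ip("192.0.2.10"), ip("198.51.100.7"), 44321, 80, 6, 0, 0, 0)
    payload = b"\x45\x00\x00\x14"   # constructed 4 bytes standing in for a captured packet
    packet = PACKET_HDR.pack(1, 42, 1424304200, 1424304200, 123456, 1, len(payload)) + payload
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event +
            HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    for rec in parse_file(build_sample_file()):
        print(rec.label() if isinstance(rec, IdsEvent) else f"packet {len(rec.packet_data)} bytes")
```

Pointing `parse_file` at a real `snort.log_unified.<timestamp>` file from the log directory is a quick way to confirm that snort is actually writing events before suspecting the barnyard2 side of the chain.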
This is the output from running snort, trimmed down to the parts I'm interested in
snort -u sguil -g sguil -l /var/snort/snort_data/sensor1 -c /etc/snort/snort.conf -U -A full -m 122 -i eth0
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/lib/snort_dynamicrules.
Finished Loading all dynamic detection libs from /usr/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
Log directory = /var/snort/snort_data/sensor1
...
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: High/Experimental
Memcap (in bytes): 10000000
Number of Nodes: 17391
...
I GET A TON OF THESE
WARNING: /etc/snort/rules/web-attacks.rules(29) GID 1 SID 1328 in rule duplicates previous rule. Ignoring old rule.
...
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
WARNING: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
WARNING: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
33 out of 1024 flowbits in use.
...
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.2.2 IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.3.0
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.7
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.15 <Build 18>
Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_DNP3 (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_MODBUS (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_GTP (IPV6) Version 1.1 <Build 1>
Commencing packet processing (pid=4448)
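The repeated `GID 1 SID 1328 in rule duplicates previous rule. Ignoring old rule.` warning above means the same gid:sid pair is defined in two of the loaded rule files and snort keeps only the later definition, so whichever copy pulledpork or a hand edit left behind is silently dropped. As an added example, not code from this post or from the Snort project, here is a Python check that walks a set of rule files, joins backslash-continued rules, and reports every gid:sid pair that is defined more than once together with both locations in the same `file(line)` form snort uses. The rule files in `SAMPLE_RULES` are constructed for the example.

```python
"""Report duplicate gid:sid pairs across snort rule files (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# A rule starts with an action keyword at the start of a line; continuation
# lines end with a backslash.  Commented-out rules ("# alert ...") are skipped.
RULE_START = re.compile(r"^\s*(alert|log|pass|drop|sdrop|reject|activate|dynamic)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def iter_rules(text: str) -> Iterable[Tuple[int, str]]:
    """Yield (starting_line_number, full_rule_text) for every rule in one file."""
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not RULE_START.match(line):
                continue                # blank line, comment, include, or variable
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])       # rule continues on the next line
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []


def find_duplicates(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (gid:sid, first_location, duplicate_location) in the order files are given.

    `files` maps file name to file contents, in the order snort would include them,
    so `first_location` is the copy snort discards and `duplicate_location` the one it keeps.
    """
    seen: Dict[str, str] = {}
    dups: List[Tuple[str, str, str]] = []
    for fname, text in files.items():
        for lineno, rule in iter_rules(text):
            sid = SID_RE.search(rule)
            if not sid:
                continue                # snort rejects a rule without a sid on its own
            gid = GID_RE.search(rule)
            key = f"{gid.group(1) if gid else '1'}:{sid.group(1)}"   # gid defaults to 1
            loc = f"{fname}({lineno})"
            if key in seen:
                dups.append((key, seen[key], loc))
            else:
                seen[key] = loc
    return dups


# Constructed sample rule files (not real Snort or pulledpork output).
SAMPLE_RULES: Dict[str, str] = {
    "local.rules": (
        "# constructed sample, not a real ruleset\n"
        'alert tcp any any -> any 80 (msg:"first copy"; sid:1328; rev:6;)\n'
        'alert tcp any any -> any 22 (msg:"spans two lines"; \\\n'
        "    flow:to_server; sid:1000001; rev:1;)\n"
    ),
    "web-attacks.rules": (
        '# alert tcp any any -> any 80 (msg:"commented out"; sid:1328;)\n'
        'alert tcp any any -> any 80 (msg:"second copy"; sid:1328; rev:7;)\n'
        'alert ip any any -> any any (msg:"explicit gid"; gid:1; sid:1000001;)\n'
    ),
}


if __name__ == "__main__":
    for key, first, dup in find_duplicates(SAMPLE_RULES):
        print(f"GID:SID {key} at {dup} duplicates {first}")
```

To run it against a real sensor, read each file named by the `include` lines of snort.conf into the dictionary in that order; the report then tells you which copy of each duplicated rule is the one snort actually loads.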
Now my problem is at the sensor level / log level. This is what I see in the sensor_agent.tcl console
Checking for PS files in /var/snort/snort_data/quad-ext/portscans.
Unknown barnyard data: [garbled text]
BYCmdRcvd: Barnyard disconnected.
Sending sguild (sock3) SystemMessage {Barnyard disconnected.}
Sending sguild (sock3) BarnyardDisConnect {2015-02-19 00:03:20}
barnyard connected: sock8 127.0.0.1 42223
Unknown barnyard data:
Any help would be greatly appreciated! I just want to get started; apart from port scans I don't have any reasonable test, so I want to set up port scanning.

Why are you using snort version 2.9.2.2!??? That is way too old (3+ years). Too much has changed since then and the old versions are no longer documented. Please download 2.9.7, recompile and test... Running on such an old version won't get you much help. Where did you even download the source from...

I'm on Kali Linux. I figured this version might be more robust/stable? I used to get errors. Does the new version support threaded tcl? Tcl was a huge pain while compiling and linking all the right libraries in init.tcl, while my package manager didn't complain about any missing dependencies. I ended up using equips to get rid of the missing tcl packages. Then I linked everything up and it ran happily. Now I'm just configuring. My procedure is also well documented. What's the biggest difference?

OK. So I've upgraded and I still have the unknown barnyard data problem. In the System tab of my sguil 0.9.0 client I keep getting sguild: User disconnected =/
Checking for PS files in /var/snort/snort_data/quad-ext/portscans.
Unknown barnyard data: [garbled text]
BYCmdRcvd: Barnyard disconnected.
Sending sguild (sock3) SystemMessage {Barnyard disconnected.}
Sending sguild (sock3) BarnyardDisConnect {2015-02-19 00:03:20}
barnyard connected: sock8 127.0.0.1 42223
Unknown barnyard data: