References:
http://sublimerobots.com/2017/01/snort-2-9-9-x-ubuntu-installing-snort/ (2017, newer version)
http://sublimerobots.com/2015/12/snort-2-9-8-x-on-ubuntu-part-1/ (2015, older version)
➜ barnyard2-master /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
Spawning daemon child...
My daemon child 53485 lives...
Daemon parent exiting (0)
➜ barnyard2-master barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[ClassificationPullDataStore()]: No Classification found in database ...
[SignaturePullDataStore()]: No signature found in database ...
[SystemPullDataStore()]: No System found in database ...
[ReferencePullDataStore()]: No Reference found in database ...
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = kali:NULL
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility
--== Initialization Complete ==--
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.14 (Build 337)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns
WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Opened spool file '/var/log/snort/snort.u2.1493147217'
Waiting for new data
Don't be in a hurry to send packets from the Raspberry Pi and then wait for barnyard2 to process them. Even on my well-provisioned Kali 2 VM, barnyard2 takes a long time just to start (at least 2 minutes). By the time it processed the first packet, half an hour had gone by, even though the packet was sent somewhere around the ten-minute mark. The journal below shows where the time goes: the configuration phase finishes within about two minutes (16:40:50 to 16:42:49), and the remaining half hour passes before the database output plugin reports in at 17:14:03.
➜ repos journalctl -f -u barnyard2
-- Logs begin at Wed 2017-04-26 04:32:11 CST. --
Apr 28 16:40:50 kali systemd[1]: Started Barnyard2 Daemon.
Apr 28 16:40:50 kali barnyard2[41387]: Running in Continuous mode
Apr 28 16:40:50 kali barnyard2[41387]:
Apr 28 16:40:50 kali barnyard2[41387]: --== Initializing Barnyard2 ==--
Apr 28 16:40:50 kali barnyard2[41387]: Initializing Input Plugins!
Apr 28 16:40:50 kali barnyard2[41387]: Initializing Output Plugins!
Apr 28 16:40:50 kali barnyard2[41387]: Parsing config file "/etc/snort/barnyard2.conf"
Apr 28 16:40:50 kali barnyard2[41387]:
+[ Signature Suppress list ]+
----------------------------
Apr 28 16:40:50 kali barnyard2[41387]: +[No entry in Signature Suppress List]+
Apr 28 16:40:50 kali barnyard2[41387]: ----------------------------
+[ Signature Suppress list ]+
Apr 28 16:42:44 kali barnyard2[41387]: WARNING: invalid Reference spec '2015-0666'. Ignored
Apr 28 16:42:49 kali barnyard2[41387]: Barnyard2 spooler: Event cache size set to [2048]
Apr 28 16:42:49 kali barnyard2[41387]: Log directory = /var/log/barnyard2
Apr 28 16:42:49 kali barnyard2[41387]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Apr 28 16:42:49 kali barnyard2[41387]: INFO database: Defaulting Reconnect sleep time to 5 second
Apr 28 16:42:49 kali barnyard2[41387]: Initializing daemon mode
Apr 28 16:42:49 kali barnyard2[41387]: Daemon initialized, signaled parent pid: 1
Apr 28 16:42:49 kali barnyard2[41387]: PID path stat checked out ok, PID path set to /var/run/
Apr 28 16:42:49 kali barnyard2[41387]: Writing PID "41387" to file "/var/run//barnyard2_NULL.pid"
Apr 28 17:14:03 kali barnyard2[41387]: database: compiled support for (mysql)
Apr 28 17:14:03 kali barnyard2[41387]: database: configured to use mysql
Apr 28 17:14:03 kali barnyard2[41387]: database: schema version = 107
Apr 28 17:14:03 kali barnyard2[41387]: database: host = localhost
Apr 28 17:14:03 kali barnyard2[41387]: database: user = snort
Apr 28 17:14:03 kali barnyard2[41387]: database: database name = snort
Apr 28 17:14:03 kali barnyard2[41387]: database: sensor name = kali:NULL
Apr 28 17:14:03 kali barnyard2[41387]: database: sensor id = 1
Apr 28 17:14:03 kali barnyard2[41387]: database: sensor cid = 5
Apr 28 17:14:03 kali barnyard2[41387]: database: data encoding = hex
Apr 28 17:14:03 kali barnyard2[41387]: database: detail level = full
Apr 28 17:14:03 kali barnyard2[41387]: database: ignore_bpf = no
Apr 28 17:14:03 kali barnyard2[41387]: database: using the "log" facility
Apr 28 17:14:03 kali barnyard2[41387]:
Apr 28 17:14:03 kali barnyard2[41387]: --== Initialization Complete ==--
Apr 28 17:14:03 kali barnyard2[41387]: Barnyard2 initialization completed successfully (pid=41387)
Apr 28 17:14:03 kali barnyard2[41387]: Using waldo file '/var/log/snort/barnyard2.waldo':
spool directory = /var/log/snort
spool filebase = snort.u2
time_stamp = 1493152162
record_idx = 8
Apr 28 17:14:03 kali barnyard2[41387]: Opened spool file '/var/log/snort/snort.u2.1493152162'
Apr 28 17:14:03 kali barnyard2[41387]: Closing spool file '/var/log/snort/snort.u2.1493152162'. Read 8 records
Apr 28 17:14:03 kali barnyard2[41387]: Opened spool file '/var/log/snort/snort.u2.1493152669'
Apr 28 17:14:04 kali barnyard2[41387]: Waiting for new data
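Since the only reliable sign that barnyard2 is actually ready is the "Initialization Complete" line, it is worth measuring that delay instead of guessing. The script below is an added example, not part of the original post or of barnyard2: it reads journalctl -u barnyard2 output on stdin and prints the seconds between systemd's "Started Barnyard2 Daemon" line and barnyard2's "Initialization Complete" line, failing (exit 1) when the completion line has not appeared yet. The two sample logs are constructed from the shape of the excerpts above; the timestamps assume both lines fall on the same day, as they do here.

```bash
#!/bin/bash
# Constructed sample input, shaped like the journal excerpts above.
KALI_LOG='Apr 28 16:40:50 kali systemd[1]: Started Barnyard2 Daemon.
Apr 28 16:42:49 kali barnyard2[41387]: Barnyard2 spooler: Event cache size set to [2048]
Apr 28 17:14:03 kali barnyard2[41387]: --== Initialization Complete ==--
Apr 28 17:14:04 kali barnyard2[41387]: Waiting for new data'

# Raspberry Pi excerpt: still in the configuration/database phase, no completion line yet.
PI_LOG='Apr 28 18:55:49 snort-ids systemd[1]: Started Barnyard2 Daemon.
Apr 28 19:04:55 snort-ids barnyard2[23757]: Barnyard2 spooler: Event cache size set to [2048]'

# hhmmss_to_secs "16:40:50" -> seconds since midnight (avoids relying on date -d).
hhmmss_to_secs() {
    echo "$1" | awk -F: '{ print $1*3600 + $2*60 + $3 }'
}

# init_seconds: reads journal lines on stdin and prints how many seconds
# barnyard2 needed from "Started" to "Initialization Complete".
# Returns 1 and prints nothing if the completion line is not there yet.
# Field 3 of a journalctl line is the HH:MM:SS timestamp, regardless of locale
# (the month is field 1, so "4月 28 18:55:49" parses the same way as "Apr 28 18:55:49").
init_seconds() {
    local start="" finish="" line
    while IFS= read -r line; do
        case "$line" in
            *"Started Barnyard2 Daemon"*) start=$(echo "$line" | awk '{ print $3 }') ;;
            *"Initialization Complete"*)  finish=$(echo "$line" | awk '{ print $3 }') ;;
        esac
    done
    [ -n "$start" ] && [ -n "$finish" ] || return 1
    echo $(( $(hhmmss_to_secs "$finish") - $(hhmmss_to_secs "$start") ))
}

# Stand-alone usage: the Kali VM log gives 1993 seconds (33 min 13 s);
# the Pi log makes the function fail because initialisation is not finished.
printf '%s\n' "$KALI_LOG" | init_seconds
printf '%s\n' "$PI_LOG" | init_seconds || echo "barnyard2 still initialising"
```

On a live system, run it as `journalctl -u barnyard2 --no-pager | init_seconds` after the service has been up for a while; if it keeps failing, the process is still in the phase between the PID-file write and the database output plugin's banner, which is exactly the gap in the excerpts above.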
And my Raspberry Pi is slower still (the configuration phase alone takes about nine minutes here, and the excerpt ends before initialization completes):
Apr 28 18:55:49 snort-ids systemd[1]: Started Barnyard2 Daemon.
Apr 28 18:55:49 snort-ids barnyard2[23757]: Running in Continuous mode
Apr 28 18:55:49 snort-ids barnyard2[23757]:
Apr 28 18:55:49 snort-ids barnyard2[23757]: --== Initializing Barnyard2 ==--
Apr 28 18:55:49 snort-ids barnyard2[23757]: Initializing Input Plugins!
Apr 28 18:55:49 snort-ids barnyard2[23757]: Initializing Output Plugins!
Apr 28 18:55:49 snort-ids barnyard2[23757]: Parsing config file "/etc/snort/barnyard2.conf"
Apr 28 18:55:49 snort-ids barnyard2[23757]:
+[ Signature Suppress list ]+
----------------------------
Apr 28 18:55:49 snort-ids barnyard2[23757]: +[No entry in Signature Suppress List]+
Apr 28 18:55:49 snort-ids barnyard2[23757]: ----------------------------
+[ Signature Suppress list ]+
Apr 28 19:04:43 snort-ids barnyard2[23757]: WARNING: invalid Reference spec '2015-0666'. Ignored
Apr 28 19:04:55 snort-ids barnyard2[23757]: Barnyard2 spooler: Event cache size set to [2048]
Apr 28 19:04:55 snort-ids barnyard2[23757]: Log directory = /var/log/barnyard2
Apr 28 19:04:55 snort-ids barnyard2[23757]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Apr 28 19:04:55 snort-ids barnyard2[23757]: INFO database: Defaulting Reconnect sleep time to 5 second
Apr 28 19:04:55 snort-ids barnyard2[23757]: Initializing daemon mode
Apr 28 19:04:55 snort-ids barnyard2[23757]: Daemon initialized, signaled parent pid: 1
Apr 28 19:04:55 snort-ids barnyard2[23757]: PID path stat checked out ok, PID path set to /var/run/
Apr 28 19:04:55 snort-ids barnyard2[23757]: Writing PID "23757" to file "/var/run//barnyard2_NULL.pid"
That is why I was wondering why my Kali 2 VM and the Raspberry Pi behave differently. The VM uses the master branch (that is, the new version), while the Raspberry Pi runs the old version. Only on seeing this did I realize that in the new version barnyard2 had wrapped the ref_system_id column in backticks in one of its .h files, and that is where the problem lies. Note that backticks are MySQL's identifier quoting, so the SQL_* (MySQL) queries are syntactically fine; in the PGSQL_* variants, however, backticks are not valid PostgreSQL syntax, so those queries fail on a PostgreSQL backend.
➜ output-plugins grep "ref_system_id" spo_database_cache.h
#define PGSQL_SQL_SELECT_SPECIFIC_REFERENCE_SYSTEM "SELECT `ref_system_id` FROM reference_system WHERE ref_system_name = E'%s';"
#define PGSQL_SQL_INSERT_SPECIFIC_REF "INSERT INTO reference (`ref_system_id`,ref_tag) VALUES ('%u',E'%s');"
#define PGSQL_SQL_SELECT_SPECIFIC_REF "SELECT ref_id FROM reference WHERE `ref_system_id` = '%u' AND ref_tag = E'%s';"
#define SQL_SELECT_SPECIFIC_REFERENCE_SYSTEM "SELECT `ref_system_id` FROM reference_system WHERE ref_system_name = '%s';"
#define SQL_INSERT_SPECIFIC_REF "INSERT INTO reference (`ref_system_id`,ref_tag) VALUES ('%u','%s');"
#define SQL_SELECT_SPECIFIC_REF "SELECT ref_id FROM reference WHERE `ref_system_id` = '%u' AND ref_tag = '%s';"
#define SQL_SELECT_ALL_REFERENCE_SYSTEM "SELECT `ref_system_id`, ref_system_name FROM reference_system;"
#define SQL_SELECT_ALL_REF "SELECT ref_id, `ref_system_id`, ref_tag FROM reference; "
➜ output-plugins pwd
/root/snort_src/barnyard2-master/src/output-plugins
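To see the scope of the backtick change without reading the whole header, the following added example (not part of the original post or of the barnyard2 source) lists which PGSQL_ macros carry backticks and strips them only from those lines, leaving the MySQL SQL_ macros untouched because MySQL accepts backtick-quoted identifiers. The header excerpt is constructed from the grep output above; the functions read a header on stdin, so on a real checkout you would run them as `strip_pgsql_backticks < spo_database_cache.h`. Whether you need the fix at all depends on using the PostgreSQL output plugin, which is an assumption here; the post's own setup is MySQL.

```bash
#!/bin/bash
# Constructed excerpt of spo_database_cache.h, copied from the grep output above.
# A quoted heredoc delimiter keeps the shell from treating the backticks as command substitution.
HEADER_EXCERPT=$(cat <<'EOF'
#define PGSQL_SQL_SELECT_SPECIFIC_REFERENCE_SYSTEM "SELECT `ref_system_id` FROM reference_system WHERE ref_system_name = E'%s';"
#define PGSQL_SQL_INSERT_SPECIFIC_REF "INSERT INTO reference (`ref_system_id`,ref_tag) VALUES ('%u',E'%s');"
#define PGSQL_SQL_SELECT_SPECIFIC_REF "SELECT ref_id FROM reference WHERE `ref_system_id` = '%u' AND ref_tag = E'%s';"
#define SQL_SELECT_SPECIFIC_REFERENCE_SYSTEM "SELECT `ref_system_id` FROM reference_system WHERE ref_system_name = '%s';"
#define SQL_SELECT_ALL_REF "SELECT ref_id, `ref_system_id`, ref_tag FROM reference; "
EOF
)

# backticked_pgsql_macros: print the names of PGSQL_ macros whose query text
# contains a backtick (invalid identifier quoting for PostgreSQL).
# awk is last in the pipeline, so the function exits 0 even when nothing matches.
backticked_pgsql_macros() {
    grep '^#define PGSQL_' | grep '`' | awk '{ print $2 }'
}

# strip_pgsql_backticks: remove backticks from PGSQL_ macro lines only.
# SQL_ (MySQL) lines are left exactly as they are.
strip_pgsql_backticks() {
    sed '/^#define PGSQL_/ s/`//g'
}

# Stand-alone usage: report the affected macros, then show the corrected PGSQL lines.
printf '%s\n' "$HEADER_EXCERPT" | backticked_pgsql_macros
printf '%s\n' "$HEADER_EXCERPT" | strip_pgsql_backticks | grep '^#define PGSQL_'
```

If you apply this to a real checkout, diff the result against the original header before rebuilding, so that the only change is the removal of backticks on PGSQL_ lines and the MySQL macros are untouched.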