Add files via upload

scripts/Snorby/setup.sh

@@ -0,0 +1,157 @@
+#!/usr/bin/env bash
+# author: ym2011
+# date: 2016-11-21
+# version: 0.0.2
+echo "it will install snorby,suricata,barnyard2 automately. so take a coffee/n"
+
+yum install epel-release
+sleep 120
+# install dependences
+yum -y install gcc-c++ patch readline readline-devel zlib zlib-devel git-core libyaml-devel libffi-devel openssl-devel make libpcap-devel pcre-devel libyaml-devel file-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar libnetfilter_queue-devel lua-devel mysql-devel fontconfig-devel libX11-devel libXrender-devel libxml2-devel libxslt-devel qconf
+
+# dwonload and install ImageMagick
+cd /opt/
+wget --no-check-certificate -t 50 https://www.imagemagick.org/download/ImageMagick-6.9.6-5.tar.gz
+tar zxvf ImageMagick-6.9.6-5.tar.gz && cd ImageMagick-6.9.6-5
+sleep 10
+./configure && make && make install
+sleep 10
+ldconfig /usr/local/lib
+
+# dwonload and install yaml
+cd /opt/
+wget --no-check-certificate -t 50 http://pyyaml.org/download/libyaml/yaml-0.1.4.tar.gz
+tar zxvf yaml-0.1.4.tar.gz && cd yaml-0.1.4
+./configure && make && make install
+
+# dwonload and install libhtp
+cd /opt/
+wget --no-check-certificate -t 50 -O libhtp-0.5.20.tar.gz https://codeload.github.com/OISF/libhtp/tar.gz/0.5.20 
+tar zxvf libhtp-0.5.20.tar.gz && cd libhtp-0.5.20
+./autogen.sh
+./configure && make && make install
+
+# configure mysql
+# yum install mysql mysql-devel mysql*
+service mysqld start
+chkconfig mysqld on       
+/usr/bin/mysqladmin -u root password 'yymm2011@!@'
+
+# install ruby
+cd /opt/
+curl -L get.rvm.io | bash -s stable
+sleep 10
+command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
+source /etc/profile.d/rvm.sh
+sleep 10
+rvm install 2.0.0
+ruby -v
+
+gem install bundler
+
+# dwonload and install snorby
+cd /opt/ && git clone git://github.com/Snorby/snorby.git && cd snorby
+
+# 修改文件Gemfile,把gem 'rake', '0.9.2'   改成  gem 'rake', '> 0.9.2'
+# sed -i 's/0.9.2/>0.9.2.2/g' Gemfile
+
+# 修改文件Gemfile.lock,把 rake (0.9.2)  改成  rake(0.9.2.2)
+# sed -i 's/\(0.9.2\)/0.9.2.2/g' Gemfile.lock
+
+# 创建snorby_config.yml和database.yml两个文件
+cp config/snorby_config.yml.example config/snorby_config.yml
+cp config/database.yml.example config/database.yml
+ 
+# 修改snorby_config.yml，把time_zone前面的注释去掉，并把UTC改为Asia/Shanghai
+# 打开database.yml 把里面 mysql的账号密码修改成我们设置的账号密码（root/ ym2011@2011my)
+sed -i 's/root/snorbyroot/g 'config/database.yml 
+sed -i 's/Enter Password Here/ym2011@2011my/g' config/database.yml
+# 进入snorby目录，执行如下命令开始安装：
+# 因为我们不需要postgreSQL, 所以要删除该库，否则编译会出错。
+sed -i '/dm-postgres-adapter/d' Gemfile
+bundle install
+
+# 设置iptables
+# /etc/init.d/iptables stop	#关闭防火墙，其他主机可以访问http://ip:3000
+iptables -I INPUT -p tcp --dport 3000 -m state --state=NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# dwonload and install barnyard2
+cd /opt/ && wget wget --no-check-certificate -t 50 -O barnyard2-2-1.13.tar.gz https://codeload.github.com/firnsy/barnyard2/tar.gz/v2-1.13
+tar xvfz barnyard2-2-1.13.tar.gz && cd barnyard2-2-1.13/
+./autogen.sh
+./configure --with-mysql-libraries=/usr/lib64/mysql/ --with-mysql=/usr/bin/mysql
+make && make install
+
+
+# dwonload and install Suricata 
+cd /opt/ && wget -t 50 http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz
+tar -xvzf suricata-3.1.tar.gz && cd suricata-3.1
+./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
+make && make install-full
+
+# configure Suricata、Barnyard 2
+#把Barnyard 2安装源文件中的etc/barnyard2.conf文件拷贝到Suricata的配置目录
+cd /opt/barnyard2-2-1.13
+cp ./etc/barnyard2.conf /etc/suricata/
+
+#创建barnyard2日志目录/var/log/barnyard2
+mkdir /var/log/barnyard2
+
+# 修改barnyard2.conf
+# 把 默认的snort文件配置改成 suricata
+sed -i 's/snort/suricata/g' /etc/suricata/barnyard2.conf
+sed -i 's/gen-msg.map/rules\/gen-msg.map/g' /etc/suricata/barnyard2.conf
+sed -i 's/sid-msg.map/rules\/sid-msg.map/g' /etc/suricata/barnyard2.conf
+
+# 把数据信息添加到barnyard2.conf  //已完成
+sed -i '$a output database: log, mysql, user=snorbroot password=ym2011@2011my dbname=snorby host=localhost' /etc/suricata/barnyard2.conf
+
+#找到“config hostname”和“config interface”，eth0是镜像端口所在的网卡，按照你的实际情况修改.(unfinished)
+#匹配到该字符串，在匹配行的下面添加新的一行字符串
+sed -i -e '/#config hostname:   thor/a\config hostname:   ym/' /etc/suricata/barnyard2.conf
+sed -i -e '/#config interface:  eth0/a\config interface:  eth0/' /etc/suricata/barnyard2.conf
+sed -i -e '/#config waldo_file/a\config waldo_file: /var/log/suricata/suricata.waldo' /etc/suricata/barnyard2.conf
+
+# 编辑suricata.yaml文件
+touch /var/log/suricata/suricata.waldo
+
+# 修改日志格式文件:
+#匹配到该字符串，在匹配行的下面添加新的一行字符串
+sed -i -e '/default-log-format/a\  default-log-format: "[%i] %t -(%f:%l) <%d> (%n) -- "' /etc/suricata/suricata.yaml
+
+# 找到#pid-file: /var/run/suricata.pid把前面的#号去掉
+#匹配到该字符串，在匹配行的下面添加新的一行字符串
+sed -i -e '/pid-file/a\pid-file: /var/run/suricata.pid' /etc/suricata/suricata.yaml
+
+# 启用 threshold，找到#threshold-file: /etc/suricata/threshold.config
+#匹配到该字符串threshold-file，在匹配行的下面添加新的一行字符串
+sed -i -e '/threshold-file/a\threshold-file: /etc/suricata/threshold.config' /etc/suricata/suricata.yaml
+
+# 开启syslog 功能, 在/etc/suricata/suricata.yaml ， 找到：
+# 匹配并替换在字符串/var/log/suricata/suricata.log/，Step 4之间的内容，把enabled: no 改成 enabled: yes
+sed -i -e '\/var\/log\/suricata\/suricata.log/,/Step 4/s/no/yes/g' /etc/suricata/suricata.yaml
+
+# 开启unified2 logging in the suricata yaml:
+# 匹配并替换在字符串unified2-alert， unified2.alert之间的内容，把enabled: no 改成 enabled: yes
+sed -i -e '/unified2-alert/,/unified2.alert/s/no/yes/g' /etc/suricata/suricata.yaml
+
+echo "you should do the following steps on your own~~*_*~~~"
+echo " the password of root in mysql is /yymm2011@!@"
+echo " mysql -u root -p "
+echo " create user 'snorbyroot'@'localhost' IDENTIFIED BY 'ym2011@2011my'; "
+echo " grant all privileges on snorby.* to 'snorbyroot'@'localhost' with grant option; "
+echo " flush privileges; "
+echo " please run the file: start-ids.sh to start the service "
+echo " have fun ! "
+
+
+
+
+
+
+
+
+
+
+
+

scripts/Snorby/start_ids.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+echo "==========================================================================================="
+echo "it will start the snorby  first, and then will start barnyard2 and suricata later"
+echo "please wait for a minute"
+echo "if there are any problems, please check the barnyard2.conf and  "
+cd /opt/snorby && rake snorby:setup && rails server -e production &
+# cd snorby && rake snorby:setup && rails server -d -e production
+
+/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo –D &
+
+LD_LIBRARY_PATH=/usr/local/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0 -D &
+
+echo " the service have started, please http://yourip:3000 on your browser, the ip is the machine where you install snorby. "
+echo " have fun !!"
+echo "==========================================================================================="

scripts/Snorby/stop_ids.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+echo "==========================================================================================="
+echo "it will stop the snorby  first, and then will stop barnyard2 and suricata later"
+echo "please wait for a minute"
+
+kill -9 `ps -ef | grep /bin/ruby | grep rails | awk '{print $2}'`
+
+kill -9 `ps -ef | grep /usr/local/bin/barnyard2 | awk '{print $2}'`
+
+kill -9 `ps -ef | grep /usr/bin/suricata | awk '{print $2}'`
+
+echo " the service have stop, if you want to restart the snorby + barnyard2 + suricata once, please run :./start-ids.sh "
+echo " Bye"
+echo "==========================================================================================="