{"id":15,"date":"2006-11-05T15:14:00","date_gmt":"2006-11-05T06:14:00","guid":{"rendered":"http:\/\/yokensaka.com\/fedora\/?p=15"},"modified":"2006-11-05T15:14:00","modified_gmt":"2006-11-05T06:14:00","slug":"%e4%b8%8d%e6%ad%a3%e3%82%a2%e3%82%af%e3%82%bb%e3%82%b9%e6%a4%9c%e7%9f%a5%e3%82%b7%e3%82%b9%e3%83%86%e3%83%a0snort","status":"publish","type":"post","link":"http:\/\/yokensaka.com\/fedora\/?p=15","title":{"rendered":"\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u691c\u77e5\u30b7\u30b9\u30c6\u30e0(Snort)"},"content":{"rendered":"

\u25a0\u3000FC6<\/b>
\n\u30b5\u30fc\u30d0\u30fc\u3078\u306e\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u3092\u691c\u77e5\u3059\u308b\u30b7\u30b9\u30c6\u30e0 Snort<\/a> \u3092\u5c0e\u5165\u3057\u307e\u3059\u3002\u307e\u305f\u3001\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u30ed\u30b0\u3092Web\u30d6\u30e9\u30a6\u30b6\u4e0a\u3067\u78ba\u8a8d\u3067\u304d\u308b\u3088\u3046\u306b SnortSnarf \u3082\u5c0e\u5165\u3057\u307e\u3059\u3002\u306a\u304a\u3001Oinkmaster \u3092\u5c0e\u5165\u3057\u3066\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u306e\u5224\u65ad\u3092\u3059\u308b\u305f\u3081\u306b\u53c2\u7167\u3059\u308b\u30eb\u30fc\u30eb\u30d5\u30a1\u30a4\u30eb\u306e\u6700\u65b0\u5316\u3092\u81ea\u52d5\u5316\u3057\u307e\u3059\u3002\u4f46\u3057Snort\u306f\u4e0d\u6b63\u306a\u30d1\u30b1\u30c3\u30c8\u306a\u3069\u3092\u691c\u51fa\u3059\u308b\u3060\u3051\u3067\u3042\u308a\u3001\u30d6\u30ed\u30c3\u30af\u306f\u3067\u304d\u307e\u305b\u3093\u3002 Snort\u3092\u5c0e\u5165\u3059\u308c\u3070\u5b89\u5168\u3068\u3044\u3046\u4e8b\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002
\n\u203b\u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3067\u4f5c\u6210\u3055\u308c\u305flog\u304c\u6b8b\u3063\u3066\u3044\u308b\u3068\u8d77\u52d5\u306b\u5931\u6557\u3059\u308b\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002\/var\/log\/snort \u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u524a\u9664\u3057\u3066\u304b\u3089\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u4e0b\u3055\u3044\u3002
\n\u25a0\u4ee5\u524d\u306e\u30ed\u30b0\u3092\u524a\u9664<\/b><\/p>\n

[root@linux ~]# rm -r \/var\/log\/snort\n\u4ee5\u524d\u306esnort\u7528\u30ed\u30b0\u30ed\u30c6\u30fc\u30c8\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3092\u524a\u9664\n[root@linux ~]# rm \/etc\/logrotate.d\/snort<\/pre>\n
\u25a0snort\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u306b\u5fc5\u8981\u306a\u4f9d\u5b58\u30d1\u30c3\u30b1\u30fc\u30b8libpcap\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/b><\/p>\n
[root@linux ~]# yum install libpcap\nLoading \"installonlyn\" plugin\nLoading \"fastestmirror\" plugin\nSetting up Install Process\nSetting up repositories\nlivna                     100% |=========================| 1.1 kB    00:00\ncore                      100% |=========================| 1.1 kB    00:00\nupdates                   100% |=========================|  951 B    00:00\nextras                    100% |=========================| 1.1 kB    00:00\nLoading mirror speeds from cached hostfile\nReading repository metadata in from local files\nprimary.xml.gz            100% |=========================|  94 kB    00:01\n################################################## 264\/264\nprimary.xml.gz            100% |=========================| 250 kB    00:01\n################################################## 846\/846\nParsing package install arguments\nResolving Dependencies\n--> Populating transaction set with selected packages. Please wait.\n---> Downloading header for libpcap to pack into transaction set.\nlibpcap-0.9.4-9.fc6.i386. 100% |=========================|  15 kB    00:00\n---> Package libpcap.i386 14:0.9.4-9.fc6 set to be updated\n--> Running transaction check\nDependencies Resolved\n=========================================================\nPackage                 Arch       Version          Repository        Size\n=========================================================\nInstalling:\nlibpcap                 i386       14:0.9.4-9.fc6   updates            95 k\nTransaction Summary\n=========================================================\nInstall      1 Package(s)\nUpdate       0 Package(s)\nRemove       0 Package(s)\nTotal download size: 95 k\nIs this ok [y\/N]: y\nDownloading Packages:\n(1\/1): libpcap-0.9.4-9.fc 100% |=========================|  95 kB    00:00\nRunning Transaction Test\nFinished Transaction Test\nTransaction Test Succeeded\nRunning Transaction\nInstalling: libpcap                      ######################### [1\/1]\nInstalled: libpcap.i386 14:0.9.4-9.fc6\nComplete!<\/pre>\n
\u25a0snort\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/b>
\nOS\u306fFC6\u306a\u306e\u3067\u3059\u304c\u8272\u3005\u8a66\u3057\u305f\u7d50\u679c\u3001\u73fe\u6642\u70b9\u3067\u306f\u306a\u305c\u304bFC5\u7528\u306esnort-2.6.1.1-1.FC5.i386.rpm\u3057\u304b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u51fa\u6765\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u4ed6\u306f\u8a2d\u5b9a\u304c\u60aa\u3044\u306e\u304b\u3053\u3068\u3054\u3068\u304f\u8d77\u52d5\u306b\u5931\u6557\u3057\u307e\u3057\u305f\u3002<\/p>\n
[root@linux ~]# rpm -ivh http:\/\/www.snort.org\/dl\/binaries\/linux\/snort-2.6.1.1-1.FC5.i386.rpm\nhttp:\/\/www.snort.org\/dl\/binaries\/linux\/snort-2.6.1.1-1.FC5.i386.rpm \u3092\u53d6\u5f97\u4e2d\n\u6e96\u5099\u4e2d...                   ########################################### [100%]\n1:snort                  ########################################### [100%]\n\u25a0Snort\u8a2d\u5b9a\n[root@linux ~]# vi \/etc\/snort\/snort.conf\u3000\u2190\u3000snort\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u7de8\u96c6\nvar HOME_NET any\n\u2193\nvar HOME_NET 192.168.1.0\/24\u3000\u2190\u3000\u5185\u90e8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a2\u30c9\u30ec\u30b9\u3092\u6307\u5b9a\nvar EXTERNAL_NET any\n\u2193\nvar EXTERNAL_NET !$HOME_NET\u3000\u2190\u3000\u5185\u90e8\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u3068\u3057\u3066\u6271\u308f\u306a\u3044<\/pre>\n
\u25a0Snort\u30eb\u30fc\u30eb\u30d5\u30a1\u30a4\u30eb\u5165\u624b<\/b><\/p>\n
[root@linux ~]# wget http:\/\/www.snort.org\/pub-bin\/downloads.cgi\/Download\/vrt_pr\/snortrules-pr-2.4.tar.gz\n--09:28:38--  http:\/\/www.snort.org\/pub-bin\/downloads.cgi\/Download\/vrt_pr\/snortrules-pr-2.4.tar.gz\nwww.snort.org \u3092DNS\u306b\u554f\u3044\u3042\u308f\u305b\u3066\u3044\u307e\u3059... 199.107.65.177\nwww.snort.org|199.107.65.177|:80 \u306b\u63a5\u7d9a\u3057\u3066\u3044\u307e\u3059... \u63a5\u7d9a\u3057\u307e\u3057\u305f\u3002\nHTTP \u306b\u3088\u308b\u63a5\u7d9a\u8981\u6c42\u3092\u9001\u4fe1\u3057\u307e\u3057\u305f\u3001\u5fdc\u7b54\u3092\u5f85\u3063\u3066\u3044\u307e\u3059... 200 OK\n\u9577\u3055: 789097 (771K) [application\/octet-stream]\nSaving to: `snortrules-pr-2.4.tar.gz'\n100%[=============================================>] 789,097      149K\/s   in 6.9s\n09:28:46 (112 KB\/s) - `snortrules-pr-2.4.tar.gz' \u3092\u4fdd\u5b58\u3057\u307e\u3057\u305f [789097\/789097]\n\u30d5\u30a1\u30a4\u30eb\u3092\u5c55\u958b\n[root@linux ~]# tar zxvf snortrules-pr-2.4.tar.gz\n\u30eb\u30fc\u30eb\u30d5\u30a1\u30a4\u30eb\u3092\u6240\u5b9a\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u30b3\u30d4\u30fc\n[root@linux ~]# \/bin\/cp -r rules\/* \/etc\/snort\/rules\/\n\u5c55\u958b\u3057\u3066\u3067\u304d\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u524a\u9664\n[root@linux ~]# rm -rf rules\/ doc\/\n\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u3092\u524a\u9664\n[root@linux ~]# rm -f snortrules-pr-2.4.tar.gz\nsnort\u30eb\u30fc\u30eb\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\n[root@linux ~]# wget http:\/\/www.snort.org\/pub-bin\/downloads.cgi\/Download\/comm_rules\/Community-Rules-2.4.tar.gz\n--09:30:55--  http:\/\/www.snort.org\/pub-bin\/downloads.cgi\/Download\/comm_rules\/Community-Rules-2.4.tar.gz\nwww.snort.org \u3092DNS\u306b\u554f\u3044\u3042\u308f\u305b\u3066\u3044\u307e\u3059... 199.107.65.177\nwww.snort.org|199.107.65.177|:80 \u306b\u63a5\u7d9a\u3057\u3066\u3044\u307e\u3059... \u63a5\u7d9a\u3057\u307e\u3057\u305f\u3002\nHTTP \u306b\u3088\u308b\u63a5\u7d9a\u8981\u6c42\u3092\u9001\u4fe1\u3057\u307e\u3057\u305f\u3001\u5fdc\u7b54\u3092\u5f85\u3063\u3066\u3044\u307e\u3059... 200 OK\n\u9577\u3055: 109695 (107K) [application\/octet-stream]\nSaving to: `Community-Rules-2.4.tar.gz'\n100%[=============================================>] 109,695      112K\/s   in 1.0s\n09:30:57 (112 KB\/s) - `Community-Rules-2.4.tar.gz' \u3092\u4fdd\u5b58\u3057\u307e\u3057\u305f [109695\/109695]\n\u30d5\u30a1\u30a4\u30eb\u3092\u5c55\u958b\n[root@linux ~]# tar zxvf Community-Rules-2.4.tar.gz\n\u30eb\u30fc\u30eb\u30d5\u30a1\u30a4\u30eb\u3092\u6240\u5b9a\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u30b3\u30d4\u30fc\n[root@linux ~]# \/bin\/cp -r rules\/* \/etc\/snort\/rules\/\n\u5c55\u958b\u3057\u3066\u3067\u304d\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u524a\u9664\n[root@linux ~]# rm -rf rules\/ doc\/\n\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u3092\u524a\u9664\n[root@linux ~]# rm -f Community-Rules-2.4.tar.gz<\/pre>\n
\u25a0Snort\u30ed\u30b0\u30ed\u30c6\u30fc\u30c8\u30a8\u30e9\u30fc\u5bfe\u51e6<\/b>
\ncron\u304b\u3089\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30a8\u30e9\u30fc\u30e1\u30fc\u30eb\u304croot\u5b9b\u306b\u9001\u3089\u308c\u3066\u304f\u308b\u3053\u3068\u306e\u5bfe\u51e6
\nerror: error accessing \/var\/log\/snort\/*: No such file or directory
\nerror: snort:4 glob failed for \/var\/log\/snort\/*\/*log<\/p>\n
[root@linux ~]# vi \/etc\/logrotate.d\/snort\u3000\u2190\u3000snort\u7528\u30ed\u30b0\u30ed\u30c6\u30fc\u30c8\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u7de8\u96c6\n\/var\/log\/snort\/alert \/var\/log\/snort\/*log \/var\/log\/snort\/*\/alert \/var\/log\/snort\/*\/*log  {\u3000\u2190\u3000\u4e0d\u8981\u306a\u90e8\u5206\u3092\u524a\u9664\n\u2193\n\/var\/log\/snort\/alert \/var\/log\/snort\/*log {<\/pre>\n
\u25a0Snort\u306e\u8d77\u52d5<\/b><\/p>\n
[root@linux ~]# \/etc\/rc.d\/init.d\/snortd start\u3000\u2190\u3000snort\u8d77\u52d5\nStarting snort:                                            [  OK  ]\n[root@linux ~]# chkconfig snortd on\u3000\u2190\u3000snort\u81ea\u52d5\u8d77\u52d5\u8a2d\u5b9a\n[root@linux ~]# chkconfig --list snortd\u3000\u2190\u3000snort\u81ea\u52d5\u8d77\u52d5\u8a2d\u5b9a\u78ba\u8a8d\nsnortd          0:off   1:off   2:on    3:on    4:on    5:on    6:off\u3000\u2190\u3000\u30e9\u30f3\u30ec\u30d9\u30eb2\uff5e5\u306eon\u3092\u78ba\u8a8d<\/pre>\n
\u25a0SnortSnarf\u306b\u5fc5\u8981\u306aPerl\u306eTime-modules\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/b><\/p>\n
[root@linux ~]# yum -y install perl-Time-modules\nLoading \"fastestmirror\" plugin\nLoading \"installonlyn\" plugin\nSetting up Install Process\nSetting up repositories\nlivna                     100% |=========================| 1.1 kB    00:00\ncore                      100% |=========================| 1.1 kB    00:00\nupdates                   100% |=========================| 1.2 kB    00:00\nextras                    100% |=========================| 1.1 kB    00:00\nLoading mirror speeds from cached hostfile\nReading repository metadata in from local files\nExcluding Packages in global exclude list\nFinished\nParsing package install arguments\nResolving Dependencies\n--> Populating transaction set with selected packages. Please wait.\n---> Downloading header for perl-Time-modules to pack into transaction set.\nperl-Time-modules-2003.11 100% |=========================| 4.5 kB    00:00\n---> Package perl-Time-modules.noarch 0:2003.1126-4.fc6 set to be updated\n--> Running transaction check\nDependencies Resolved\n============================================================\nPackage                 Arch       Version          Repository        Size\n============================================================\nInstalling:\nperl-Time-modules       noarch     2003.1126-4.fc6  extras             36 k\nTransaction Summary\n============================================================\nInstall      1 Package(s)\nUpdate       0 Package(s)\nRemove       0 Package(s)\nTotal download size: 36 k\nDownloading Packages:\n(1\/1): perl-Time-modules- 100% |=========================|  36 kB    00:00\nRunning Transaction Test\nFinished Transaction Test\nTransaction Test Succeeded\nRunning Transaction\nInstalling: perl-Time-modules            ######################### [1\/1]\nInstalled: perl-Time-modules.noarch 0:2003.1126-4.fc6\nComplete!<\/pre>\n
\u25a0SnortSnarf\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/b>
\nSnort\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u3088\u3063\u3066\u3001\u5fc5\u8981\u306aSnortSnarf\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u304c\u7570\u306a\u308a\u307e\u3059\u3063\u3066\u3001\u4f55\u304b\u3067\u8aad\u3093\u3060\u3053\u3068\u304c\u3042\u308b\u3093\u3067\u3059\u304c\u3001\u3068\u308a\u3042\u3048\u305a\u6700\u65b0\u7248\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002<\/p>\n
[root@linux ~]# wget http:\/\/www.snort.org\/dl\/contrib\/data_analysis\/snortsnarf\/SnortSnarf-050314.1.tar.gz\n--09:36:06--  http:\/\/www.snort.org\/dl\/contrib\/data_analysis\/snortsnarf\/SnortSnarf-050314.1.tar.gz\nwww.snort.org \u3092DNS\u306b\u554f\u3044\u3042\u308f\u305b\u3066\u3044\u307e\u3059... 199.107.65.177\nwww.snort.org|199.107.65.177|:80 \u306b\u63a5\u7d9a\u3057\u3066\u3044\u307e\u3059... \u63a5\u7d9a\u3057\u307e\u3057\u305f\u3002\nHTTP \u306b\u3088\u308b\u63a5\u7d9a\u8981\u6c42\u3092\u9001\u4fe1\u3057\u307e\u3057\u305f\u3001\u5fdc\u7b54\u3092\u5f85\u3063\u3066\u3044\u307e\u3059... 200 OK\n\u9577\u3055: 144103 (141K) [application\/x-gzip]\nSaving to: `SnortSnarf-050314.1.tar.gz'\n100%[=============================================>] 144,103     90.3K\/s   in 1.6s\n09:36:08 (90.3 KB\/s) - `SnortSnarf-050314.1.tar.gz' \u3092\u4fdd\u5b58\u3057\u307e\u3057\u305f [144103\/144103]\n[root@linux ~]# tar zxvf SnortSnarf-050314.1.tar.gz\u3000\u2190\u3000\u5c55\u958b\n[root@linux ~]# mkdir \/usr\/local\/snortsnarf\u3000\u2190\u3000SnortSnarf\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u4f5c\u6210\n[root@linux ~]# cp SnortSnarf-050314.1\/snortsnarf.pl \/usr\/local\/snortsnarf\/\n\u3000\u2190\u3000snortsnarf.pl\u3092SnortSnarf\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u5148\u3078\u30b3\u30d4\u30fc\n[root@linux ~]# cp -r SnortSnarf-050314.1\/include\/ \/usr\/local\/snortsnarf\/\n\u3000\u2190\u3000include\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092SnortSnarf\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u5148\u3078\u30b3\u30d4\u30fc\n[root@linux ~]# rm -rf SnortSnarf-050314.1\u3000\u2190\u3000\u5c55\u958b\u3057\u3066\u3067\u304d\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u524a\u9664\n[root@linux ~]# rm -f SnortSnarf-050314.1.tar.gz\u3000\u2190\u3000\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u3092\u524a\u9664<\/pre>\n
\u25a0SnortSnarf\u8a2d\u5b9a<\/b>
\nSnortSnarf\u5b9f\u884c\u6642\u306b\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8\u304c\u51fa\u529b\u3055\u308c\u308b\u3053\u3068\u306e\u5bfe\u51e6<\/p>\n
SnortSnarf\u306epm\u30d5\u30a1\u30a4\u30eb\u7de8\u96c6\n[root@linux ~]# vi \/usr\/local\/snortsnarf\/include\/SnortSnarf\/HTMLMemStorage.pm\nreturn @arr->[($first-1)..$end];\n\u2193\nreturn @arr[($first-1)..$end];\u3000\u2190\u3000->\u3092\u524a\u9664\nSnortSnarf\u306epm\u30d5\u30a1\u30a4\u30eb\u7de8\u96c6\n[root@linux ~]# vi \/usr\/local\/snortsnarf\/include\/SnortSnarf\/HTMLAnomMemStorage.pm\nreturn @arr->[($first-1)..$end];\n\u2193\nreturn @arr[($first-1)..$end];\u3000\u2190\u3000->\u3092\u524a\u9664<\/pre>\n
\u25a0Web\u30b5\u30fc\u30d0\u30fc\u8a2d\u5b9a<\/b><\/p>\n
SnortSnarf\u306b\u3088\u308bHTML\u51fa\u529b\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u4f5c\u6210\n[root@linux ~]# mkdir \/var\/www\/snort\nSnortSnarf\u7528Web\u30b5\u30fc\u30d0\u30fc\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u65b0\u898f\u4f5c\u6210\n[root@linux ~]# vi \/etc\/httpd\/conf.d\/snort.conf\nAlias \/snort \/var\/www\/snort\n\u4ee5\u4e0b\u306f\u5185\u90e8\u304b\u3089\u306e\u307f\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b\u5834\u5408\u306e\u307f\n<Location \/snort>\nOrder deny,allow\nDeny from all\nAllow from 127.0.0.1\nAllow from 192.168.1\u3000\u2190\u3000\u5185\u90e8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a2\u30c9\u30ec\u30b9\u3092\u6307\u5b9a\n<\/Location>\n[root@linux ~]# \/etc\/rc.d\/init.d\/httpd reload\u3000\u2190\u3000Web\u30b5\u30fc\u30d0\u30fc\u8a2d\u5b9a\u53cd\u6620\nhttpd \u3092\u518d\u8aad\u307f\u8fbc\u307f\u4e2d:                                      [  OK  ]<\/pre>\n
\u25a0SnortSnarf\u5b9f\u884c\u30b9\u30af\u30ea\u30d7\u30c8\u4f5c\u6210<\/b><\/p>\n
[root@linux ~]# vi snortsnarf.sh\u3000\u2190\u3000SnortSnarf\u5b9f\u884c\u30b9\u30af\u30ea\u30d7\u30c8\u4f5c\u6210\n#!\/bin\/bash\ncd \/usr\/local\/snortsnarf\nif [ -s \/var\/log\/snort\/alert ]; then\nif [ -s \/var\/log\/snort\/portscan.log ]; then\n.\/snortsnarf.pl -dns -d \/var\/www\/snort \/var\/log\/snort\/alert \/var\/log\/snort\/portscan.log\nelse\n.\/snortsnarf.pl -dns -d \/var\/www\/snort \/var\/log\/snort\/alert\nfi\nfi\nSnortSnarf\u5b9f\u884c\u30b9\u30af\u30ea\u30d7\u30c8\u3078\u5b9f\u884c\u6a29\u9650\u4ed8\u52a0\n[root@linux ~]# chmod 700 snortsnarf.sh<\/pre>\n
\u25a0SnortSnarf\u78ba\u8a8d<\/b><\/p>\n
[root@linux ~]# .\/snortsnarf.sh\u3000\u2190\u3000SnortSnarf\u5b9f\u884c<\/pre>\n
http:\/\/\u30b5\u30fc\u30d0\u30fc\u30a2\u30c9\u30ec\u30b9\/snort\/\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3001\uff62SnortSnarf start page\uff63\u304c\u8868\u793a\u3055\u308c\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3002
\nSnortSnarf-050314.1\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f\u306f\u305a\u306a\u306e\u306b\u306a\u305c\u3060\u304b\u30d0\u30fc\u30b8\u30e7\u30f3\u8868\u8a18\u306fSnortSnarf v021111.1\u306b\u306a\u3063\u3066\u307e\u3059\u3002
\n\u25a0SnortSnarf\u65e5\u672c\u8a9e\u5316\u30d5\u30a1\u30a4\u30eb\u53d6\u5f97<\/b>
\n\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u306fSnortSnarf v021111.1\u7528\u306e\u3082\u306e\u306a\u306e\u3067\u3001\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305fSnortSnarf-050314.1\u3067\u306f\u3046\u307e\u304f\u884c\u304b\u306a\u3044\u306e\u3067\u306f\u3068\u601d\u3063\u305f\u306e\u3067\u3059\u304c\u3001\u30d0\u30fc\u30b8\u30e7\u30f3\u8868\u8a18\u304cSnortSnarf v021111.1\u306b\u306a\u3063\u3066\u307e\u3057\u305f\u306e\u3067\u8a66\u3057\u306b\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u307f\u307e\u3059\u3002<\/p>\n
[root@linux ~]# cd \/usr\/local\/snortsnarf\/include\/SnortSnarf\/\n[root@linux SnortSnarf]# mv HTMLOutput.pm HTMLOutput.pm.org\n[root@linux SnortSnarf]# wget http:\/\/mt-fuji.ddo.jp\/~fujito\/Linux\/secu_soft\/s2\/HTMLOutput.pm\n--09:42:32--  http:\/\/mt-fuji.ddo.jp\/~fujito\/Linux\/secu_soft\/s2\/HTMLOutput.pm\nmt-fuji.ddo.jp \u3092DNS\u306b\u554f\u3044\u3042\u308f\u305b\u3066\u3044\u307e\u3059... 121.82.128.37\nmt-fuji.ddo.jp|121.82.128.37|:80 \u306b\u63a5\u7d9a\u3057\u3066\u3044\u307e\u3059... \u63a5\u7d9a\u3057\u307e\u3057\u305f\u3002\nHTTP \u306b\u3088\u308b\u63a5\u7d9a\u8981\u6c42\u3092\u9001\u4fe1\u3057\u307e\u3057\u305f\u3001\u5fdc\u7b54\u3092\u5f85\u3063\u3066\u3044\u307e\u3059... 200 OK\n\u9577\u3055: 86832 (85K) [text\/plain]\nSaving to: `HTMLOutput.pm'\n100%[=============================================>] 86,832      --.-K\/s   in 0.1s\n09:42:32 (648 KB\/s) - `HTMLOutput.pm' \u3092\u4fdd\u5b58\u3057\u307e\u3057\u305f [86832\/86832]<\/pre>\n
\u25a0SnortSnarf\u65e5\u672c\u8a9e\u5316\u78ba\u8a8d<\/b><\/p>\n
[root@linux SnortSnarf]# cd\n[root@linux ~]# .\/snortsnarf.sh\u3000\u2190\u3000SnortSnarf\u5b9f\u884c<\/pre>\n
http:\/\/\u30b5\u30fc\u30d0\u30fc\u30a2\u30c9\u30ec\u30b9\/snort\/\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3001\uff62SnortSnarf \u30da\u30fc\u30b8\u306e\u958b\u59cb\uff63\u304c\u8868\u793a\u3055\u308c\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3002
\n\u3061\u3083\u3093\u3068\u65e5\u672c\u8a9e\u5316\u3055\u308c\u3066\u307e\u3059\u306e\u3067\u5927\u4e08\u592b\u305d\u3046\u3067\u3059\u306d\u3002
\n\u25a0SnortSnarf\u5b9a\u671f\u81ea\u52d5\u5b9f\u884c\u8a2d\u5b9a<\/b><\/p>\n
[root@linux ~]# crontab -e\u3000\u2190\u3000cron\u7de8\u96c6\n00 * * * * \/root\/snortsnarf.sh\u3000\u2190\u3000SnortSnarf\u30921\u6642\u9593\u3054\u3068\u306b\u5b9f\u884c\u3059\u308b<\/pre>\n
\u25a0\u30eb\u30fc\u30eb\u30d5\u30a1\u30a4\u30eb\u306e\u81ea\u52d5\u66f4\u65b0<\/b><\/p>\n
Oinkmaster\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\n[root@linux ~]# wget http:\/\/www.ip-solutions.net\/~hhoffman\/oinkmaster\/oinkmaster-2.0-0.noarch.rpm\n--09:43:50--  http:\/\/www.ip-solutions.net\/~hhoffman\/oinkmaster\/oinkmaster-2.0-0.noarch.rpm\nwww.ip-solutions.net \u3092DNS\u306b\u554f\u3044\u3042\u308f\u305b\u3066\u3044\u307e\u3059... 66.92.234.67\nwww.ip-solutions.net|66.92.234.67|:80 \u306b\u63a5\u7d9a\u3057\u3066\u3044\u307e\u3059... \u63a5\u7d9a\u3057\u307e\u3057\u305f\u3002\nHTTP \u306b\u3088\u308b\u63a5\u7d9a\u8981\u6c42\u3092\u9001\u4fe1\u3057\u307e\u3057\u305f\u3001\u5fdc\u7b54\u3092\u5f85\u3063\u3066\u3044\u307e\u3059... 200 OK\n\u9577\u3055: 65411 (64K) [application\/x-rpm]\nSaving to: `oinkmaster-2.0-0.noarch.rpm'\n100%[=============================================>] 65,411      51.5K\/s   in 1.2s\n09:43:52 (51.5 KB\/s) - `oinkmaster-2.0-0.noarch.rpm' \u3092\u4fdd\u5b58\u3057\u307e\u3057\u305f [65411\/65411]\n[root@linux ~]# rpm -Uvh oinkmaster-2.0-0.noarch.rpm\n\u6e96\u5099\u4e2d...                   ########################################### [100%]\n1:oinkmaster             ########################################### [100%]\n\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u3092\u524a\u9664\n[root@linux ~]# rm -f oinkmaster-2.0-0.noarch.rpm<\/pre>\n
\u25a0Oinkmaster\u8a2d\u5b9a<\/b><\/p>\n
Oinkmaster\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u7de8\u96c6\n[root@linux ~]# vi \/etc\/oinkmaster.conf\n# Example for Snort 2.4\n# url = http:\/\/www.snort.org\/pub-bin\/oinkmaster.cgi\/<oinkcode>\/snortrules-snapshot-2.4.tar.gz\nurl = http:\/\/www.snort.org\/pub-bin\/downloads.cgi\/Download\/vrt_pr\/snortrules-pr-2.4.tar.gz\u3000\u2190\u3000\u8ffd\u52a0\n# Example for Community rules\n# url = http:\/\/www.snort.org\/pub-bin\/downloads.cgi\/Download\/comm_rules\/Community-Rules.tar.gz\nurl = http:\/\/www.snort.org\/pub-bin\/downloads.cgi\/Download\/comm_rules\/Community-Rules-2.4.tar.gz\u3000\u2190\u3000\u8ffd\u52a0<\/pre>\n
\u25a0Oinkmaster\u78ba\u8a8d<\/b><\/p>\n
[root@linux ~]# oinkmaster.pl -o \/etc\/snort\/rules\/\nLoading \/etc\/oinkmaster.conf\nDownloading file from http:\/\/www.snort.org\/pub-bin\/downloads.cgi\/Download\/vrt_pr\/snortrules-pr-2.4.tar.gz... done.\nArchive successfully downloaded, unpacking... done.\nDownloading file from http:\/\/www.snort.org\/pub-bin\/downloads.cgi\/Download\/comm_rules\/Community-Rules-2.4.tar.gz... done.\nArchive successfully downloaded, unpacking... done.\nSetting up rules structures... done.\nProcessing downloaded rules... disabled 0, enabled 0, modified 0, total=4122\nSetting up rules structures... done.\nComparing new files to the old ones... done.\n[***] Results from Oinkmaster started 20061028 09:46:23 [***]\n[*] Rules modifications: [*]\nNone.\n[*] Non-rule line modifications: [*]\nNone.\n[+] Added files (consider updating your snort.conf to include them if needed): [+]\n-> community-bot.rules\n-> community-deleted.rules\n-> community-dos.rules\n-> community-exploit.rules\n-> community-ftp.rules\n-> community-game.rules\n-> community-icmp.rules\n-> community-imap.rules\n-> community-inappropriate.rules\n-> community-mail-client.rules\n-> community-misc.rules\n-> community-nntp.rules\n-> community-oracle.rules\n-> community-policy.rules\n-> community-sid-msg.map\n-> community-sip.rules\n-> community-smtp.rules\n-> community-sql-injection.rules\n-> community-virus.rules\n-> community-web-attacks.rules\n-> community-web-cgi.rules\n-> community-web-client.rules\n-> community-web-dos.rules\n-> community-web-iis.rules\n-> community-web-misc.rules\n-> community-web-php.rules\n[root@linux ~]# ll \/etc\/snort\/rules\/\u3000\u2190\u3000\u30eb\u30fc\u30eb\u30d5\u30a1\u30a4\u30eb\u304c\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\n\u5408\u8a08 2352\n-rw-r--r-- 1 root root  17989 10\u6708 28 09:33 LICENSE\n-rw-r--r-- 1 root root  17334 10\u6708 28 09:30 VRT-License.txt\n-rw-r--r-- 1 root root   5520 10\u6708 28 09:30 attack-responses.rules\n\u30fb\n\u30fb\n\u30fb<\/pre>\n
\u25a0Oinkmaster\u5b9a\u671f\u81ea\u52d5\u5b9f\u884c\u8a2d\u5b9a<\/b><\/p>\n
[root@linux ~]# crontab -e\u3000\u2190\u3000cron\u7de8\u96c6\n00 00 * * * \/usr\/bin\/oinkmaster.pl -o \/etc\/snort\/rules\/ 2>&1|logger -t oinkmaster\n\u6bce\u65e500:00\u306bOinkmaster\u3092\u5b9f\u884c\u3059\u308b<\/pre>\n
\u25b2 \u30da\u30fc\u30b8\u30c8\u30c3\u30d7\u3078<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"
\u25a0\u3000FC6 \u30b5\u30fc\u30d0\u30fc\u3078\u306e\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u3092\u691c\u77e5\u3059\u308b\u30b7\u30b9\u30c6\u30e0 Snort \u3092\u5c0e\u5165\u3057\u307e\u3059\u3002\u307e\u305f\u3001\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u30ed\u30b0\u3092Web\u30d6\u30e9\u30a6\u30b6\u4e0a\u3067\u78ba\u8a8d\u3067\u304d\u308b\u3088\u3046\u306b SnortSnarf \u3082\u5c0e\u5165\u3057\u307e\u3059\u3002\u306a\u304a\u3001Oinkmaster \u3092\u5c0e\u5165\u3057\u3066\u4e0d\u6b63 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-15","post","type-post","status-publish","format-standard","hentry","category-25-snort"],"_links":{"self":[{"href":"http:\/\/yokensaka.com\/fedora\/index.php?rest_route=\/wp\/v2\/posts\/15","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/yokensaka.com\/fedora\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/yokensaka.com\/fedora\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/yokensaka.com\/fedora\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/yokensaka.com\/fedora\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15"}],"version-history":[{"count":0,"href":"http:\/\/yokensaka.com\/fedora\/index.php?rest_route=\/wp\/v2\/posts\/15\/revisions"}],"wp:attachment":[{"href":"http:\/\/yokensaka.com\/fedora\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/yokensaka.com\/fedora\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/yokensaka.com\/fedora\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}