Solaris¤Ësnort¤ò¥¤¥ó¥¹¥È¡¼¥ë

Let's install Snort, a free network intrusion detection system (NIDS: Network Intrusion Detection System).
Below, snort-2.0.1 is installed on SPARC/Solaris 9.

First, check the Solaris 9 system environment.

# prtdiag -v
System Configuration: Sun Microsystems sun4u Sun Blade 100 (UltraSPARC-IIe)
System clock frequency: 84 MHZ
Memory size: 640MB

==================== CPUs ==================
                    E$          CPU                     CPU     Temperature
CPU   Freq          Size        Implementation          Mask    Die   Amb.   Location
---   --------      ----------  -------------------     -----   ----  ----   -------------
0     502 MHz       256KB       SUNW,UltraSPARC-IIe     1.4     59C   27C    +-board/cpu0

=================== IO Devices ==============
           Bus   Freq
Brd  Type  MHz   Slot              Name                          Model
---  ----  ----  ----------------  ----------------------------  ------------
0 pci 33 +s/system-board isa/isadma (dma)
0 pci 33 +s/system-board isa/su (serial)
0 pci 33 +s/system-board isa/su (serial)
0 pci 33 +s/system-board pci108e,1101 (network) SUNW,pci-eri
0 pci 33 +s/system-board pciclass,0c0010 (firewire)
0 pci 33 +s/system-board pci10b9,5451 (sound)
0 pci 33 +s/system-board pci10b9,5229 (ide)
0 pci 33 +s/system-board SUNW,m64B (display) ATY,RageXL

============== Memory Configuration =============
Segment Table:
---------------------------------------------
Base Address Size Interleave Factor Contains
---------------------------------------------
0x0 128MB 1 chassis/system-board/DIMM0
0x20000000 512MB 1 chassis/system-board/DIMM1

=============== usb Devices ====================
Name Port#
------------ -----
keyboard 2
mouse 4
============== Environmental Status ============
Fan Speeds:
---------------------------------------
Location Sensor Speed
---------------------------------------
+stem-fan-slot system-fan 100%

Temperature sensors:
-----------------------------------------------------------------------
Location         Sensor    Temperature  Lo     LoWarn  HiWarn  Hi    Status
-----------------------------------------------------------------------
+em-board/cpu0   Die       59C          -10C   0C      85C     90C   okay
+em-board/cpu0   Ambient   27C          -10C   0C      40C     60C   okay

=============== HW Revisions ==============
ASIC Revisions:
---------------
ebus: Rev 1

System PROM revisions:
----------------------
OBP 4.5.9 2002/02/07 02:12 Sun Blade 100
POST 2.0.1 2001/08/23 17:13
#
Minimum required software

・snort itself
・pcap library (needed to build snort; not needed if it is already installed)

Each can be obtained from the following sites.

http://www.snort.org/
 (snort-2.0.1.tar.gz)
http://sunsite.sut.ac.jp/sun/solbin/
 (libpcap-0.7.2-sol9-sparc-local.gz)


■ Compiling and installing snort
Check the pcap library (if it is not installed, install it with pkgadd):
# pkginfo | grep libpcap
application SMClibpcap                       lpcap
# cd /var/tmp/snort-test

# ls
snort-2.0.1.tar.gz
# gunzip snort-2.0.1.tar.gz
# tar xvf snort-2.0.1.tar
...
# ls
snort-2.0.1      snort-2.0.1.tar
# cd snort-2.0.1
# ls
COPYING        acconfig.h     configure      install-sh     src
ChangeLog      aclocal.m4     configure.in   missing        templates
LICENSE        config.guess   contrib        mkinstalldirs
Makefile.am    config.h.in    doc            rules
Makefile.in    config.sub     etc            snort.8
# ./configure
...(no options are given here, since integration with mysql is not being considered)
# make
...
Making all in doc
Making all in etc
Making all in rules
Making all in templates
Making all in contrib
# make install
Making install in src
Making install in win32
Making install in output-plugins
Making install in detection-plugins
Making install in preprocessors
Making install in parser
/bin/sh ../mkinstalldirs /usr/local/bin
  .././install-sh -c snort /usr/local/bin/snort
Making install in doc
Making install in etc
Making install in rules
Making install in templates
Making install in contrib
/bin/sh ./mkinstalldirs /usr/local/man/man8
 ./install-sh -c -m 644 ./snort.8 /usr/local/man/man8/snort.8

=================
Copying files
=================
# mkdir /usr/local/snort
# ls
COPYING               config.h.in           install-sh
ChangeLog             config.log            missing
LICENSE               config.status         mkinstalldirs
Makefile              config.status.lineno  rules
Makefile.am           config.sub            snort.8
Makefile.in           configure             src
acconfig.h            configure.in          stamp-h1
aclocal.m4            contrib               templates
config.guess          doc
config.h              etc
# cp -pr contrib doc etc rules templates src /usr/local/snort

=================
Editing snort.conf
=================
# cd /usr/local/snort/etc
# ls
Makefile               gen-msg.map            sid-msg.map
Makefile.am            generators             snort.conf
Makefile.in            reference.config
classification.config  sid
# vi snort.conf
...
var HOME_NET 192.168.1.3   # <-- the address range to monitor (here, only this host)
...
preprocessor portscan: $HOME_NET 4 3 portscan.log  # <-- uncomment to enable
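The two snort.conf edits above decide what the sensor actually sees, so they are worth checking before the daemon is started. The following is an added example, not from the original page or from the Snort project: a Bourne-shell pre-flight check that reads a snort.conf, refuses a HOME_NET of `any` (or an unset one), and confirms that the portscan preprocessor line is no longer commented out. The two config fragments it is run against are constructed here as stand-ins for the stock file and the edited file; they are not copied from the Snort distribution.

```sh
#!/bin/sh
# Added example (not from the page or the Snort project): pre-flight check of the
# snort.conf edits made above. Assumes the Snort 2.0.x syntax shown on this page:
#   var HOME_NET <value>           preprocessor portscan: <args>

# Print the value of "var NAME value" (first match, trailing "# comment" removed).
snort_var() {
    conf=$1; name=$2
    sed -n "s/^[[:space:]]*var[[:space:]][[:space:]]*$name[[:space:]][[:space:]]*\([^#]*\).*/\1/p" "$conf" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed only if an uncommented "preprocessor NAME:" line exists.
preproc_enabled() {
    conf=$1; name=$2
    grep -q "^[[:space:]]*preprocessor[[:space:]][[:space:]]*$name:" "$conf"
}

# Check HOME_NET scoping and the portscan preprocessor; 0 = ready, 1 = fix the config first.
preflight() {
    conf=$1; rc=0
    home_net=$(snort_var "$conf" HOME_NET)
    case "$home_net" in
        ''|any)
            echo "FAIL: HOME_NET is '${home_net:-unset}'; scope it to the hosts this sensor protects"
            rc=1 ;;
        *)  echo "ok:   HOME_NET=$home_net" ;;
    esac
    if preproc_enabled "$conf" portscan; then
        echo "ok:   portscan preprocessor enabled"
    else
        echo "FAIL: portscan preprocessor line is still commented out"
        rc=1
    fi
    return $rc
}

# Constructed stand-ins for the stock snort.conf and the file after the edits above.
tmp=${TMPDIR:-/tmp}/snortconf.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/stock.conf" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
# preprocessor portscan: $HOME_NET 4 3 portscan.log
EOF
cat > "$tmp/edited.conf" <<'EOF'
var HOME_NET 192.168.1.3     # <-- only this host
var EXTERNAL_NET !$HOME_NET
preprocessor portscan: $HOME_NET 4 3 portscan.log
EOF

for f in stock.conf edited.conf; do
    echo "== $f"
    if preflight "$tmp/$f"; then echo "   ready to start"; else echo "   do not start snort yet"; fi
done
```

On the sensor itself, run `preflight /usr/local/snort/etc/snort.conf` before the start command in the next section; the check reads the file only and never needs root.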

=====================
Checking libraries
=====================
# ldd /usr/local/bin/snort
    libm.so.1 =>     /usr/lib/libm.so.1
    libsocket.so.1 =>     /usr/lib/libsocket.so.1
    libnsl.so.1 =>     /usr/lib/libnsl.so.1
    libc.so.1 =>     /usr/lib/libc.so.1
    libdl.so.1 =>     /usr/lib/libdl.so.1
    libmp.so.2 =>     /usr/lib/libmp.so.2
    /usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1

If snort is compiled with links to other applications such as mysql, an incorrect library path can make snort fail at startup; the fix is covered on a separate page. Note that libpcap does not appear in the ldd output above: the SMClibpcap package provides a static libpcap.a, so it is compiled into the snort binary rather than loaded at run time.
===============================
Creating the user/group that runs Snort
===============================

# groupadd snort
# useradd -g snort -s /bin/false snort

(Create the group first so that the user can be given it as its primary group; the /bin/false shell keeps the account from being used for logins.)

=================================
Creating the log directory
=================================

# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# chmod 750 /var/log/snort

============
Starting Snort
============

# /usr/local/bin/snort -u snort -g snort -d -D -i eri0 -c /usr/local/snort/etc/snort.conf
The options used are as follows:
　-u / -g : after initialisation, drop privileges to this user and group (snort has to be started as root to open the interface, but should not keep running as root)
　-d : when displaying packets in verbose or packet-logging mode, also dump the application-layer data
　-D : run in daemon mode
　-i : the interface to listen on
　-c : the configuration file to use

# tail /var/adm/messages
...
... [ID 702911 daemon.notice] Snort initialization completed successfully

If a message like the above appears, it is OK.
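The syslog line only says that initialisation finished; it does not show whether the -u/-g privilege drop took effect. The following is an added example, not from the original page or from the Snort project, that reads the pidfile snort writes (/var/run/snort_<interface>.pid) and compares the effective uid/gid of that process with the expected user and group. On Linux it reads /proc/<pid>/status; on Solaris, where /proc/<pid>/status is binary, it falls back to ps -o uid= -o gid=. The pidfile used for the rehearsal at the bottom is constructed for this shell's own process.

```sh
#!/bin/sh
# Added example (not from the page or the Snort project): confirm that the daemon
# started with "-u snort -g snort" really runs with those credentials. Assumes the
# /var/run/snort_<iface>.pid file that Snort writes; reads /proc on Linux and falls
# back to ps -o uid= -o gid= on Solaris.

# Print "uid gid" (effective ids) of the process named in a pidfile.
proc_ids() {
    pidfile=$1
    [ -r "$pidfile" ] || { echo "cannot read $pidfile" >&2; return 1; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    if grep -q '^Uid:' "/proc/$pid/status" 2>/dev/null; then
        # Linux text /proc: third field of the Uid:/Gid: lines is the effective id
        awk '/^Uid:/ { u = $3 } /^Gid:/ { g = $3 } END { print u, g }' "/proc/$pid/status"
    else
        # Solaris and other systems: ask ps for the numeric ids without headers
        ps -o uid= -o gid= -p "$pid" | awk '{ print $1, $2 }'
    fi
}

# Resolve a user / group name to its numeric id (numbers pass through unchanged).
uid_of() { case $1 in *[!0-9]*) id -u "$1" ;; *) echo "$1" ;; esac; }
gid_of() { case $1 in *[!0-9]*) awk -F: -v g="$1" '$1 == g { print $3 }' /etc/group ;; *) echo "$1" ;; esac; }

# 0 if the process in PIDFILE runs as USER:GROUP, 1 otherwise (and say why).
runs_as() {
    pidfile=$1; user=$2; group=$3
    have=$(proc_ids "$pidfile") || return 1
    [ -n "$have" ] || { echo "FAIL: no process with pid $(cat "$pidfile")" >&2; return 1; }
    want="$(uid_of "$user") $(gid_of "$group")"
    if [ "$have" = "$want" ]; then
        echo "ok: pid $(cat "$pidfile") runs as $user:$group (uid/gid $have)"
        return 0
    fi
    echo "FAIL: pid $(cat "$pidfile") runs as uid/gid '$have', expected $user:$group ($want)" >&2
    return 1
}

# On the sensor, after the start command above:
#   runs_as /var/run/snort_eri0.pid snort snort
# Rehearsal against this shell's own process (constructed pidfile):
me=${TMPDIR:-/tmp}/rehearsal.$$.pid
echo $$ > "$me"
runs_as "$me" "$(id -u)" "$(id -g)"
```

A FAIL here with uid 0 means snort is still running as root, which is exactly the situation the -u/-g options are meant to avoid; check that the snort user and group exist and that the start command was not edited to drop those options.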

================================
Creating a start/stop script for Snort
================================
A template, /usr/local/snort/contrib/S99snort, is provided, but it is not written for Solaris, so write your own as below.
Note that snort stores its process ID under /var/run in a file whose name includes the interface name (here, /var/run/snort_eri0.pid). (On Solaris 8 and later, pkill snort would also do the job.)


# vi /etc/init.d/snort

----------------------------------------
#!/sbin/sh
SnortBin=/usr/local/bin
ConfDir=/usr/local/snort/etc
PidFile=/var/run/snort_eri0.pid      # snort writes snort_<interface>.pid

case "$1" in
'start')
        if [ -f $ConfDir/snort.conf ]; then
                $SnortBin/snort -u snort -g snort -d -D -i eri0 -c $ConfDir/snort.conf
                echo "snort starting."
        else
                echo "$ConfDir/snort.conf not found, snort not started."
        fi
        ;;

'stop')
        if [ -f $PidFile ]; then
                kill `cat $PidFile`
                echo "snort stopping."
        fi
        ;;

*)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
esac
exit 0
------------------------------------------

Stopping and starting snort with the above script

# /etc/init.d/snort stop
snort stopping.

# tail /var/adm/messages
...
... [ID 702911 daemon.notice] Snort exiting

If a message like the above appears, it is OK.

Finally, create hard links in the following layout so that snort is also started automatically at reboot. (The K01snort links are not required, but it is cleaner to have them.)

# ls -i /etc/init.d/snort
    451347 /etc/init.d/snort
# find /etc -inum 451347
/etc/init.d/snort
/etc/rc0.d/K01snort
/etc/rc1.d/K01snort
/etc/rc2.d/K01snort
/etc/rc3.d/S99snort
/etc/rcS.d/K01snort
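The listing above shows the finished layout but not the commands that produce it. The following is an added example, not from the original page: a Bourne-shell function that creates the K01/S99 hard links for /etc/init.d/snort and a second one that verifies them the way the page does, by counting the names that share the script's inode. The ROOT prefix is a hypothetical addition so the procedure can be rehearsed in a scratch directory with a stub script; on the real system call install_rc_links with no argument.

```sh
#!/bin/sh
# Added example (not from the original page): create the rc hard links in the layout
# shown above and verify them the same way (every name shares the init script's inode).
# ROOT is a hypothetical prefix so the procedure can be rehearsed in a scratch
# directory; on the real system call install_rc_links with no argument.

# Link $ROOT/etc/init.d/snort into the rc directories: K01 for the run levels where
# the sensor must be stopped (0, 1, 2, S), S99 at run level 3 after networking is up.
install_rc_links() {
    root=${1:-}
    script=$root/etc/init.d/snort
    [ -f "$script" ] || { echo "missing $script" >&2; return 1; }
    for rc in rc0.d rc1.d rc2.d rcS.d; do
        mkdir -p "$root/etc/$rc" && ln -f "$script" "$root/etc/$rc/K01snort" || return 1
    done
    mkdir -p "$root/etc/rc3.d" && ln -f "$script" "$root/etc/rc3.d/S99snort"
}

# Number of names under $ROOT/etc that share the init script's inode (6 when complete).
rc_link_count() {
    root=${1:-}
    inum=$(ls -i "$root/etc/init.d/snort" | awk '{ print $1 }')
    find "$root/etc" -xdev -inum "$inum" | wc -l | tr -d ' '
}

# Rehearsal in a scratch directory with a stub standing in for the script above.
top=${TMPDIR:-/tmp}/rcroot.$$
mkdir -p "$top/etc/init.d"
printf '#!/sbin/sh\necho "stub for /etc/init.d/snort"\n' > "$top/etc/init.d/snort"
chmod 744 "$top/etc/init.d/snort"
install_rc_links "$top"
echo "names sharing the init script's inode: $(rc_link_count "$top")"
```

Hard links (rather than symlinks) are used to match the page's listing; the consequence is that editing /etc/init.d/snort in place changes every rc entry at once, but replacing the file with a new inode (as some editors do) silently leaves the rc directories pointing at the old copy, which is why the inode count is worth re-checking after any edit.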

This completes the installation and configuration of snort itself. What remains is log management. As you know, snort's log files often grow very large, and checking text-based logs by hand at regular intervals is hard. So next, install SnortSnarf, which summarises the logs snort produces and converts them into easy-to-read HTML files. Alternatively, although it is somewhat more difficult, snort can be linked with a database server such as mysql so that the logs can be checked efficiently in real time. (See "Managing snort logs with ACID and mysql".)
