ossim

  Linux

とりあえずパッケージを作るところまで。
RHEL3 で実行。

wget http://jaist.dl.sourceforge.net/sourceforge/os-sim/os-sim-0.9.7-1.src.rpm

rpmbuild --rebuild os-sim-0.9.7-1.src.rpm
Installing os-sim-0.9.7-1.src.rpm
error: Failed build dependencies:
glib2-devel > 2.0 is needed by os-sim-0.9.7-1
libgda-devel >= 1.0 is needed by os-sim-0.9.7-1
gnet2-devel >= 2.0 is needed by os-sim-0.9.7-1

sudo rpm -Uvh $RPM_SERVER:/RedHat/RPMS/glib2-devel-2.2.3-2.0.i386.rpm

wget http://mirrors.kernel.org/fedora/core/3/i386/os/SRPMS/libgda-1.0.4-3.src.rpm

rpmbuild --rebuild libgda-1.0.4-3.src.rpm
Installing libgda-1.0.4-3.src.rpm
error: Failed build dependencies:
libxslt-devel >= 1.0.9 is needed by libgda-1.0.4-3
mysql-devel is needed by libgda-1.0.4-3
unixODBC-devel is needed by libgda-1.0.4-3

sudo rpm -Uvh $RPM_SERVER:/RedHat/RPMS/libxslt-devel-1.0.33-1.i386.rpm

sudo rpm -Uvh $RPM_SERVER:/RedHat/RPMS/mysql-devel-3.23.58-1.i386.rpm $RPM_SERVER:/RedHat/RPMS/mysql-3.23.58-1.i386.rpm $RPM_SERVER:/RedHat/RPMS/perl-DBD-MySQL-2.1021-3.i386.rpm $RPM_SERVER:/RedHat/RPMS/perl-DBI-1.32-5.i386.rpm

sudo rpm -Uvh $RPM_SERVER:/RedHat/RPMS/unixODBC-devel-2.2.8-2.3.0.2.i386.rpm $RPM_SERVER:/RedHat/RPMS/unixODBC-2.2.8-2.3.0.2.i386.rpm

rpmbuild --rebuild libgda-1.0.4-3.src.rpm
Wrote: $_TOPDIR/RPMS/i386/libgda-1.0.4-3.i386.rpm
Wrote: $_TOPDIR/RPMS/i386/libgda-devel-1.0.4-3.i386.rpm
Wrote: $_TOPDIR/RPMS/i386/gda-mysql-1.0.4-3.i386.rpm
Wrote: $_TOPDIR/RPMS/i386/gda-odbc-1.0.4-3.i386.rpm
Wrote: $_TOPDIR/RPMS/i386/gda-postgres-1.0.4-3.i386.rpm
Wrote: $_TOPDIR/RPMS/i386/libgda-debuginfo-1.0.4-3.i386.rpm

sudo rpm -Uvh $_TOPDIR/RPMS/i386/libgda-devel-1.0.4-3.i386.rpm $_TOPDIR/RPMS/i386/libgda-1.0.4-3.i386.rpm

sudo rpm -Uvh http://www.ossim.net/download/fedora/RPMS.fc2/gnet2-devel-2.0.5-1.fc2.ossim.i386.rpm

rpmbuild --rebuild os-sim-0.9.7-1.src.rpm
Wrote: $_TOPDIR/RPMS/i386/os-sim-0.9.7-1.i386.rpm
Wrote: $_TOPDIR/RPMS/i386/os-sim-agent-0.9.7-1.i386.rpm
Wrote: $_TOPDIR/RPMS/i386/os-sim-perl-0.9.7-1.i386.rpm
Wrote: $_TOPDIR/RPMS/i386/os-sim-framework-0.9.7-1.i386.rpm
Wrote: $_TOPDIR/RPMS/i386/os-sim-scripts-0.9.7-1.i386.rpm
Wrote: $_TOPDIR/RPMS/i386/os-sim-debuginfo-0.9.7-1.i386.rpm


mysql が古かったのでバージョンアップ。

sudo rpm -Uvh $RPM_SERVER:/mysql-3.23.58-2.3.i386.rpm $RPM_SERVER:/mysql-devel-3.23.58-2.3.i386.rpm
sudo rpm -Uvh mysql-server-3.23.58-2.3.i386.rpm

ls /usr/share/doc/snort-2.2.0/contrib/create_mysql

mysql -u root
mysql> create database snort_db;
Query OK. 1 row affected (0.00 sec)
mysql> grant INSERT,SELECT,UPDATE on snort_db.* TO snort@localhost IDENTIFIED BY 'passwd';
Query OK. 0 rows affected (0.01 sec)
mysql> commit;
Query OK. 0 rows affected (0.00 sec)
mysql> quit;

mysql -u root snort_db < /usr/share/doc/snort-2.2.0/contrib/create_mysql
cp /usr/share/doc/snort-2.2.0/contrib/snortdb-extra.gz .
gunzip snortdb-extra.gz
mysql -u root snort_db < snortdb-extra
sudo cp -p /etc/snort/snort.conf /etc/snort/snort.conf-`date +%Y%m%d%H%M%S`
sudo vi /etc/snort/snort.conf
--- /etc/snort/snort.conf-20050102044224 2004-12-29 22:57:47.000000000 +0900
+++ /etc/snort/snort.conf 2005-01-02 04:53:18.000000000 +0900
@@ -439,7 +439,7 @@
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
-output alert_syslog: LOG_AUTH LOG_ALERT
+#output alert_syslog: LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
@@ -457,6 +457,7 @@
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
+output database: log, mysql, user=snort password=passwd dbname=snort_db host=localhost

# unified: Snort unified binary format alerting and logging
# -----------------------------------------------------------

sudo /etc/init.d/snortd restart

wget http://jaist.dl.sourceforge.net/sourceforge/adodb/adodb454.tgz
tar zxf adodb454.tgz
sudo cp -r adodb/ /var/www/

ここまで。


sudo mv /var/www/adodb/ /var/www/admin/

wget http://members.chello.se/jpgraph/jpgdownloads/jpgraph-1.17beta2.tgz
tar zxf jpgraph-1.17beta2.tgz
cd jpgraph-1.17beta2/
sudo cp -r src/ /var/www/admin/jpgraph

wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
tar zxf acid-0.9.6b23.tar.gz
sudo cp -r acid/ /var/www/admin/

mysql -u root snort_db < /var/www/admin/acid/create_acid_tbls_mysql.sql
sudo cp -p /var/www/admin/acid/acid_conf.php /var/www/admin/acid/acid_conf.php-`date +%Y%m%d%H%M%S`
sudo vi /var/www/admin/acid/acid_conf.php
--- /var/www/admin/acid/acid_conf.php-20050102055920 2005-01-02 05:51:59.000000000 +0900
+++ /var/www/admin/acid/acid_conf.php 2005-01-02 06:15:08.000000000 +0900
@@ -9,7 +9,7 @@
* $foo = "c:\tmp" [OK]
* $foo = "c:\tmp\" [WRONG]
*/
-$DBlib_path = "";
+$DBlib_path = "/var/www/admin/adodb";

/* The type of underlying alert database
*
@@ -29,11 +29,11 @@
* This information can be gleaned from the Snort database
* output plugin configuration.
*/
-$alert_dbname = "snort_log";
+$alert_dbname = "snort_db";
$alert_host = "localhost";
$alert_port = "";
-$alert_user = "root";
-$alert_password = "mypassword";
+$alert_user = "snort";
+$alert_password = "passwd";

/* Archive DB connection parameters */
$archive_dbname = "snort_archive";
@@ -66,7 +66,7 @@
/* Path to the graphing library
* (Note: DO NOT include a trailing backslash after the directory)
*/
-$ChartLib_path = "";
+$ChartLib_path = "/var/www/admin/jpgraph/";

/* File format of charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";

sudo rpm -Uvh $RPM_SERVER:/i386/php-mysql-4.3.2-19.ent.i386.rpm

sudo /etc/init.d/httpd reload


ALERTMODE を設定するとログが出ないので、設定せず。
(なんでだろう…)
/etc/sysconfig/snort
-ALERTMODE=fast
+ALERTMODE=

SYSLOG にも出るように設定。
/etc/snort/snort.conf
-#output alert_syslog: LOG_AUTH LOG_ALERT
+output alert_syslog: LOG_AUTH LOG_ALERT


ntop

RPM 作ってインストールする。

sudo rpm -Uvh $RPM_SERVER:/RedHat/RPMS/glib-devel-1.2.10-11.1.i386.rpm

wget http://jaist.dl.sourceforge.net/sourceforge/ntop/ntop-3.0-0.src.rpm
rpm -Uvh ntop-3.0-0.src.rpm
cd ~/RPMBUILD/SPECS/
vi ntop.spec
--- ntop.spec.orig 2004-03-22 09:06:22.000000000 +0900
+++ ntop.spec 2005-01-04 02:12:58.000000000 +0900
@@ -3,7 +3,7 @@
Summary: ntop shows the network usage
Name: ntop
Version: 3.0
-Release: 0
+Release: 0.RHEL3.POOH
Source: ntop-3.0.tgz
Source1: ntop.init
Source2: ntop.logrotate

rpmbuild -ba ntop.spec
sudo rpm -Uvh ~/RPMBUILD/RPMS/i386/ntop-3.0-0.RHEL3.POOH.i386.rpm
sudo cp /etc/ntop.conf.sample /etc/ntop.conf

sudo vi /etc/ntop.conf
--- /etc/ntop.conf.sample 2005-01-04 02:17:30.000000000 +0900
+++ /etc/ntop.conf 2005-01-04 02:24:55.000000000 +0900
@@ -65,7 +65,7 @@

## NOTE: For more than casual use, you probably want this.

---daemon
+#--daemon

##---------------------------------------------------------------------------#

@@ -91,7 +91,7 @@

## -i | --interface tells ntop which network interfaces (NICs) to monitor.
## DEFAULT: The 1st ethernet device, e.g. eth0, i.e. this line:
---interface eth0
+--interface eth0,ppp0,ppp1

## To monitor both eth0 and eth2 but not eth1:
#  --interface eth0,eth2

sudo ntop @/etc/ntop.conf -A
Processing file /etc/ntop.conf for parameters...
Tue Jan 4 02:26:48 2005 Initializing gdbm databases
Tue Jan 4 02:26:48 2005 Now running as requested user 'ntop' (***:***)

Please enter the password for the admin user:
Please enter the password again:

sudo vi /etc/ntop.conf
--- /etc/ntop.conf.20050104023056 2005-01-04 02:24:55.000000000 +0900
+++ /etc/ntop.conf 2005-01-04 02:31:07.000000000 +0900
@@ -65,7 +65,7 @@

## NOTE: For more than casual use, you probably want this.

-#--daemon
+--daemon

##---------------------------------------------------------------------------#

sudo /etc/init.d/ntop start

ブラウザで http://localhost:3000/ でみれる。


sudo rpm -Uvh http://www.ossim.net/download/fedora/RPMS.fc2/gnet2-2.0.5-1.fc2.ossim.i386.rpm