Snort3 の検出ログ /var/log/snort/alert_fast.txt を解析して、HTML ファイルを出力。
・注意
ログファイル /var/log/snort/alert_fast.txt
03/28-01:19:50.576984 [**] [1:45749:2] "SERVER-WEBAPP PHPUnit PHP remote
code execution attempt" [**] [Classification: Web Application Attack] [Priority: 1]
[AppID: Firefox] {TCP} xxx.xxx.xxx.xxx:58646 -> xxx.xxx.xxx.xxx:80
03/28-01:41:41.584960 [**] [1:42857:3] "SERVER-WEBAPP MVPower DVR Shell arbitrary
command execution attempt" [**] [Classification: Attempted Administrator Privilege Gain]
[Priority: 1] [AppID: HTTP] {TCP} xxx.xxx.xxx.xxx:40306 -> xxx.xxx.xxx.xxx:80
[AppID: ...] が存在すると、SnortSnarf の発信源/着信先が (no IP) になる
[root]# vim /usr/local/snort/etc/snort/snort.lua
-- 接続元アプリケーションの検出・識別(SnortSnarf 使用時は、コメントアウト)
--[[
appid =
{
-- appid requires this to use appids in rules
app_detector_dir = APPID_PATH,
}
--]]
・インストール
http://sourceforge.net/projects/snortsnarf/ から取得。
[root]# cpan Time::ParseDate
[root]# mkdir /usr/local/snortsnarf
[root]# tar xvfz SnortSnarf-1.0.tar.gz
[root]# cp -v SnortSnarf-1.0/snortsnarf.pl /usr/local/snortsnarf
[root]# cp -vrf SnortSnarf-1.0/include/ /usr/local/snortsnarf
・修正
[root]# vim /usr/local/snortsnarf/snortsnarf.pl
use lib qw(./include); を
use lib qw(/usr/local/snortsnarf/include); に変更
[root]# vim /usr/local/snortsnarf/include/SnortSnarf/HTMLMemStorage.pm
290行目 return $arr->[($first-1)..$end]; # @ を $ に変更
[root]# vim /usr/local/snortsnarf/include/SnortSnarf/HTMLAnomMemStorage.pm
266行目 return $arr->[($first-1)..$end]; # @ を $ に変更
・日本語化
/usr/local/snortsnarf/include/SnortSnarf/HTMLOutput.pm を日本語化する。
文字化け対策
1577 行目 print "<html>\n<head>\n"; の次の行に、
1578 行目 print "<meta charset='utf-8' />\n"; を追加。
出力部分を日本語に変換。文字化けする場合には、utf-8 に変換が必要。
[root]# nkf -w --overwrite /usr/local/snortsnarf/include/SnortSnarf/HTMLOutput.pm
・解析結果出力ディレクトリ作成
# Apache
[root]# mkdir /var/www/html/snortsnarf
[root]# chown apache:apache /var/www/html/snortsnarf
# Nginx
[root]# mkdir /usr/local/nginx/html/snortsnarf
[root]# chown nginx:nginx /usr/local/nginx/html/snortsnarf
# Nginx Chroot
[root]# mkdir /chroot/nginx/usr/local/nginx/html/snortsnarf
[root]# chown nginx:nginx /chroot/nginx/usr/local/nginx/html/snortsnarf
・解析結果へのアクセス制御
ローカルホスト及び LAN 内以外からのアクセスを拒否。
[root]# vim /etc/httpd/conf/httpd.conf
Apache 2.2
<Directory "/var/www/html/snortsnarf">
order deny,allow
deny from all
allow from 127.0.0.1 192.168.1.0/24
</Directory>
Apache 2.4
<Directory "/var/www/html/snortsnarf">
require ip 127.0.0.1 192.168.1.0/24
</Directory>
[root]# vim /usr/local/nginx/conf/nginx.conf
location /snortsnarf/ {
allow 192.168.1.0/24;
deny all;
}
・実行
# Apache
[root]# /usr/local/snortsnarf/snortsnarf.pl
/var/log/snort/alert_fast.txt -d /var/www/html/snortsnarf
# Nginx
[root]# /usr/local/snortsnarf/snortsnarf.pl
/var/log/snort/alert_fast.txt -d /usr/local/nginx/html/snortsnarf/
# Nginx Chroot
[root]# /usr/local/snortsnarf/snortsnarf.pl
/var/log/snort/alert_fast.txt -d /chroot/nginx/usr/local/nginx/html/snortsnarf/
・自動実行
cron にて、6時間毎に実行。
[root]# crontab -e
# Apache
10 */6 * * * /usr/local/snortsnarf/snortsnarf.pl \
/var/log/snort/alert_fast.txt -d /var/www/html/snortsnarf
# Nginx
10 */6 * * * /usr/local/snortsnarf/snortsnarf.pl \
/var/log/snort/alert_fast.txt -d /usr/local/nginx/html/snortsnarf
# Nginx Chroot
10 */6 * * * /usr/local/snortsnarf/snortsnarf.pl \
/var/log/snort/alert_fast.txt -d /chroot/nginx/usr/local/nginx/html/snortsnarf
・解析結果
ブラウザにて、https://localhost/snortsnarf/