joanbono / Snorter

Snort + Barnyard2 + Pulledpork → The easy way!
https://joanbono.github.io/Snorter
GNU General Public License v3.0
165 stars 32 forks

Added OpenAppID feature. #16

Closed rbshadow closed 7 years ago

rbshadow commented 7 years ago

Integrating OpenAppID (Application Detector Package)

Log directory: /var/log/snort/

Run command:

    sudo u2openappid /var/log/snort/appstats-u2.log.1393807981

(Your log id should not be the same.)

Output (sample):

    statTime="1393807860",appName="chrome",txBytes="6043",rxBytes="111267"
    statTime="1393807860",appName="dns",txBytes="8708",rxBytes="38103"
    statTime="1393807860",appName="http",txBytes="200399",rxBytes="1444070"
    statTime="1393807860",appName="cnn.com",txBytes="198478",rxBytes="1557970"
    statTime="1393807860",appName="doubleclick",txBytes="5543",rxBytes="2598"
    statTime="1393807860",appName="truste",txBytes="1829",rxBytes="12208"
    statTime="1393807860",appName="washington_time",txBytes="2210",rxBytes="1401"
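
As an added example (not part of the Snorter project or of this PR), the POSIX shell function below turns u2openappid's key="value" lines into a per-application byte summary, which is the shape you actually want when reviewing appstats over a longer capture. The sample lines are constructed from the output above plus a second statTime interval so the aggregation is visible; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Snorter code: summarise u2openappid output per app.
# In practice feed the real tool in:
#   sudo u2openappid /var/log/snort/appstats-u2.log.<id> | appstats_summary

# Constructed sample lines mimicking u2openappid output (two intervals).
SAMPLE_APPSTATS='statTime="1393807860",appName="chrome",txBytes="6043",rxBytes="111267"
statTime="1393807860",appName="dns",txBytes="8708",rxBytes="38103"
statTime="1393807860",appName="http",txBytes="200399",rxBytes="1444070"
statTime="1393807920",appName="dns",txBytes="1000",rxBytes="2000"
statTime="1393807920",appName="http",txBytes="100",rxBytes="200"'

# appstats_summary: read u2openappid lines on stdin and print one line per
# application as  appName<TAB>totalTx<TAB>totalRx<TAB>intervals,
# sorted by total received bytes, largest first.
appstats_summary() {
    awk -F',' '
        {
            split("", f)                      # clear the field map per line
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")            # key="value"
                gsub(/"/, "", kv[2])          # strip the quotes
                f[kv[1]] = kv[2]
            }
            if (f["appName"] == "") next      # skip blank/malformed lines
            app = f["appName"]
            tx[app] += f["txBytes"]; rx[app] += f["rxBytes"]; n[app]++
        }
        END {
            for (a in tx) printf "%s\t%d\t%d\t%d\n", a, tx[a], rx[a], n[a]
        }
    ' | sort -t "$(printf '\t')" -k3,3nr
}

# app_total_rx APP: total rxBytes for APP in the constructed sample.
app_total_rx() {
    printf '%s\n' "$SAMPLE_APPSTATS" | appstats_summary \
        | awk -F'\t' -v app="$1" '$1 == app { print $3 }'
}
```

Because the parser builds a key/value map per line instead of assuming a fixed column order, it keeps working if a future u2openappid adds or reorders fields.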

rbshadow commented 7 years ago

Thank you very much. I will make the change, insha Allah. Give me time.

joanbono commented 7 years ago

Hei @rbshadow, are you working on this?

rbshadow commented 7 years ago

Hey @joanbono bro, actually I was on Eid vacation :). Today I am back at my workstation. Hope within some days I can complete it.

joanbono commented 7 years ago

Hei bro @rbshadow

I've pushed all the fixes to the devel branch, please test the installation. Run as follows:

./Snorter -i $INTERFACE -o $OINKCODE -a

So, the -a flag will install the OpenAppID 😄

Test it and let me know.

I'm going to close this PR.

rbshadow commented 7 years ago

Hi @joanbono bro. I will let you know after a test. Thank you for awesome work.

rbshadow commented 7 years ago

Option doesn't work for:

    sudo ./Snorter_Ubuntu-14.04.sh -i eth0 -a --enabled-open-appid

UPDATED by @joanbono: I've deleted the screenshot because your Oinkcode appears in it.

rbshadow commented 7 years ago

Also for sudo ./Snorter_Ubuntu-14.04.sh -i eth0 -a, nghttp doesn't install first. It must be installed before snort. I am trying to fix it. I tried several times but failed. It works perfectly when the functions are put in the main function serially. But if I put it in a statement like

    if [ -z $OPENAPPID ] ; then nghttp_install; fi

it doesn't work in the main function either.

joanbono commented 7 years ago

I think I know what's going wrong. I'll try to fix it now. Stay tuned.

joanbono commented 7 years ago

Now the Snorter main function is:

function snort_install() {

    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Installing dependencies.\n\n"
    sudo apt-get install -y --force-yes build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev git locate vim 

    #Downloading DAQ and SNORT
    cd $HOME && mkdir snort_src && cd snort_src
    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Downloading ${BOLD}$DAQ${NOCOLOR}.\n\n"
    wget --no-check-certificate -P $HOME/snort_src https://snort.org/downloads/snort/$DAQ.tar.gz
    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Downloading ${BOLD}$SNORT${NOCOLOR}.\n\n"
    wget --no-check-certificate -P $HOME/snort_src https://snort.org/downloads/snort/$SNORT.tar.gz

    if [ -z "${OPENAPPID}" ] ; then
        nghttp_install
    fi

    #Installing DAQ
    cd $HOME/snort_src/
    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Installing ${BOLD}$DAQ${NOCOLOR}.\n\n"
    tar xvfz $DAQ.tar.gz
    mv $HOME/snort_src/daq-*/ $HOME/snort_src/daq                     
    cd $HOME/snort_src/daq
    ./configure && make && sudo make install 
    echo -ne "\n\t${GREEN}[+] INFO:${NOCOLOR} ${BOLD}$DAQ${NOCOLOR} installed successfully.\n\n"

    #Installing SNORT
    cd $HOME/snort_src/
    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Installing ${BOLD}$SNORT${NOCOLOR}.\n\n"
    tar xvfz $SNORT.tar.gz > /dev/null 2>&1
    rm -r *.tar.gz > /dev/null 2>&1
    mv snort-*/ snort           
    cd snort
    ./configure --enable-sourcefire $OPENAPPID
    make 
    sudo make install
    echo -ne "\n\t${GREEN}[+] INFO:${NOCOLOR} ${BOLD}$SNORT${NOCOLOR} installed successfully.\n\n"
    cd ..

    sudo ldconfig
    sudo ln -s /usr/local/bin/snort /usr/sbin/snort

    #Adding SNORT user and group for running SNORT
    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Adding user and group ${BOLD}SNORT${NOCOLOR}.\n\n"
    sudo groupadd snort
    sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
    sudo mkdir /etc/snort > /dev/null 2>&1
    sudo mkdir /etc/snort/rules > /dev/null 2>&1
    sudo mkdir /etc/snort/preproc_rules > /dev/null 2>&1
    sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules > /dev/null 2>&1
    sudo mkdir /var/log/snort > /dev/null 2>&1
    sudo mkdir /usr/local/lib/snort_dynamicrules > /dev/null 2>&1
    sudo chmod -R 5775 /etc/snort > /dev/null 2>&1
    sudo chmod -R 5775 /var/log/snort > /dev/null 2>&1
    sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules > /dev/null 2>&1
    sudo chown -R snort:snort /etc/snort > /dev/null 2>&1
    sudo chown -R snort:snort /var/log/snort > /dev/null 2>&1
    sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules > /dev/null 2>&1

    sudo cp ~/snort_src/snort/etc/*.conf* /etc/snort > /dev/null 2>&1
    sudo cp ~/snort_src/snort/etc/*.map /etc/snort > /dev/null 2>&1

    sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} /var/log/snort and /etc/snort created and configurated.\n\n"
    sudo /usr/local/bin/snort -V
    echo -ne "\n\t${GREEN}[+] INFO:${NOCOLOR} ${BOLD}SNORT${NOCOLOR} is successfully installed and configurated!"

    if [ -z "${OPENAPPID}" ] ; then
        install_openappid
    fi
}

So dependencies and folders are installed before installing nghttp and also Snort.

Could you test it now, @rbshadow?

Run:

./Snorter_Ubuntu-14.04.sh -i $INTERFACE -o $OINKCODE -a

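
A caveat a practitioner would raise on snort_install() above: both wget calls pass --no-check-certificate, and the tarballs that come back are then built and installed with sudo make install, so the script will build and install as root whatever a man-in-the-middle returns for snort.org. The following is an added example, not Snorter's code, of fetching with certificate checking left on (wget's default) and refusing to continue unless the file's SHA-256 matches a hash pinned in the script. The function names and the pinned-hash workflow are assumptions; the file used to exercise it is constructed locally.

```shell
#!/bin/sh
# Added example (not Snorter code): verified artifact fetch.
# Pin the expected digest next to the version, e.g.
#   SNORT_SHA256="<value copied from the publisher's checksum, checked out of band>"
# and refuse to build if the download does not match.

# sha256_of FILE: print the hex digest, portable across sha256sum/shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_artifact FILE EXPECTED_SHA256: return 0 on match, 1 otherwise.
verify_artifact() {
    actual="$(sha256_of "$1")"
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'digest mismatch for %s\n  expected %s\n  got      %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# fetch_verified URL DEST EXPECTED_SHA256: download with certificate
# validation on (no --no-check-certificate), then verify. On mismatch the
# file is removed so a later "tar xvfz" cannot pick it up by accident.
fetch_verified() {
    wget -O "$2" "$1" || return 1
    if ! verify_artifact "$2" "$3"; then
        rm -f "$2"
        return 1
    fi
}

# Usage in an installer, with the hash pinned alongside $SNORT:
#   fetch_verified "https://snort.org/downloads/snort/$SNORT.tar.gz" \
#       "$HOME/snort_src/$SNORT.tar.gz" "$SNORT_SHA256" || exit 1
```

The pinned hash has to come from somewhere you trust more than the download channel itself (the publisher's checksum page read over a separate, verified connection, or a value recorded when the tarball was first vetted); a hash fetched over the same unverified channel adds nothing.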
rbshadow commented 7 years ago

Bro @joanbono, I already tried the main function like you mentioned before your changes. But the same thing happens. I tried again with your code now. It also doesn't work.

joanbono commented 7 years ago

Got the error.

The main function now is:

function snort_install() {

    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Installing dependencies.\n\n"
    sudo apt-get install -y --force-yes build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev git locate vim 

    #Downloading DAQ and SNORT
    cd $HOME && mkdir snort_src && cd snort_src
    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Downloading ${BOLD}$DAQ${NOCOLOR}.\n\n"
    wget --no-check-certificate -P $HOME/snort_src https://snort.org/downloads/snort/$DAQ.tar.gz
    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Downloading ${BOLD}$SNORT${NOCOLOR}.\n\n"
    wget --no-check-certificate -P $HOME/snort_src https://snort.org/downloads/snort/$SNORT.tar.gz

    if [ ! -z "${OPENAPPID}" ] ; then
        nghttp_install
    fi

    #Installing DAQ
    cd $HOME/snort_src/
    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Installing ${BOLD}$DAQ${NOCOLOR}.\n\n"
    tar xvfz $DAQ.tar.gz
    mv $HOME/snort_src/daq-*/ $HOME/snort_src/daq                     
    cd $HOME/snort_src/daq
    ./configure && make && sudo make install 
    echo -ne "\n\t${GREEN}[+] INFO:${NOCOLOR} ${BOLD}$DAQ${NOCOLOR} installed successfully.\n\n"

    #Installing SNORT
    cd $HOME/snort_src/
    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Installing ${BOLD}$SNORT${NOCOLOR}.\n\n"
    tar xvfz $SNORT.tar.gz > /dev/null 2>&1
    rm -r *.tar.gz > /dev/null 2>&1
    mv snort-*/ snort           
    cd snort
    ./configure --enable-sourcefire $OPENAPPID
    make 
    sudo make install
    echo -ne "\n\t${GREEN}[+] INFO:${NOCOLOR} ${BOLD}$SNORT${NOCOLOR} installed successfully.\n\n"
    cd ..

    sudo ldconfig
    sudo ln -s /usr/local/bin/snort /usr/sbin/snort

    #Adding SNORT user and group for running SNORT
    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} Adding user and group ${BOLD}SNORT${NOCOLOR}.\n\n"
    sudo groupadd snort
    sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
    sudo mkdir /etc/snort > /dev/null 2>&1
    sudo mkdir /etc/snort/rules > /dev/null 2>&1
    sudo mkdir /etc/snort/preproc_rules > /dev/null 2>&1
    sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules > /dev/null 2>&1
    sudo mkdir /var/log/snort > /dev/null 2>&1
    sudo mkdir /usr/local/lib/snort_dynamicrules > /dev/null 2>&1
    sudo chmod -R 5775 /etc/snort > /dev/null 2>&1
    sudo chmod -R 5775 /var/log/snort > /dev/null 2>&1
    sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules > /dev/null 2>&1
    sudo chown -R snort:snort /etc/snort > /dev/null 2>&1
    sudo chown -R snort:snort /var/log/snort > /dev/null 2>&1
    sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules > /dev/null 2>&1

    sudo cp ~/snort_src/snort/etc/*.conf* /etc/snort > /dev/null 2>&1
    sudo cp ~/snort_src/snort/etc/*.map /etc/snort > /dev/null 2>&1

    sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

    echo -ne "\n\t${CYAN}[i] INFO:${NOCOLOR} /var/log/snort and /etc/snort created and configurated.\n\n"
    sudo /usr/local/bin/snort -V
    echo -ne "\n\t${GREEN}[+] INFO:${NOCOLOR} ${BOLD}SNORT${NOCOLOR} is successfully installed and configurated!"

    if [ ! -z "${OPENAPPID}" ] ; then
        install_openappid
    fi
}

So now it will install OpenAppID if the -a flag is set:

    if [ ! -z "${OPENAPPID}" ] ; then
        install_openappid
    fi

Test it, please, @rbshadow.

Run now:

./Snorter_Ubuntu-14.04.sh -i $INTERFACE -o $OINKCODE -a

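
To make the -z versus ! -z difference concrete, here is an added example (not the Snorter script itself) that models the gating in snort_install() with the install steps replaced by names appended to a plan. plan_buggy uses the [ -z "${OPENAPPID}" ] test from the first version posted above and from @rbshadow's earlier attempt; plan_fixed uses [ -n ... ], which is the same test as ! -z, and keeps the ordering @rbshadow asked for, nghttp before Snort's configure. parse_args mimics how -a could set OPENAPPID; the option letters, variable names and step names are assumptions.

```shell
#!/bin/sh
# Added example, not Snorter code: why `[ -z "$OPENAPPID" ]` runs the OpenAppID
# steps when -a is ABSENT and skips them when it is present, and how `-n`
# (equivalent to `! -z`) fixes it. Steps are names only; the real script
# would run apt-get/configure/make at those points.

# parse_args: mimic Snorter's flag handling (assumed). -a sets OPENAPPID to
# the configure flag Snort expects; without -a it stays empty.
parse_args() {
    INTERFACE=""; OINKCODE=""; OPENAPPID=""
    OPTIND=1
    while getopts "i:o:a" opt; do
        case "$opt" in
            i) INTERFACE="$OPTARG" ;;
            o) OINKCODE="$OPTARG" ;;
            a) OPENAPPID="--enable-open-appid" ;;
            *) return 1 ;;
        esac
    done
}

# plan_buggy: gating with -z, as in the first version of snort_install().
# -z is true when the variable is EMPTY, i.e. when -a was not given.
plan_buggy() {
    parse_args "$@" || return 1
    plan="deps"
    [ -z "${OPENAPPID}" ] && plan="$plan nghttp"
    plan="$plan daq snort:configure${OPENAPPID:+ $OPENAPPID}"
    [ -z "${OPENAPPID}" ] && plan="$plan openappid"
    printf '%s\n' "$plan"
}

# plan_fixed: gating with -n (same as `! -z`): nghttp is installed before
# Snort's configure, and install_openappid runs only when -a was given.
plan_fixed() {
    parse_args "$@" || return 1
    plan="deps"
    [ -n "${OPENAPPID}" ] && plan="$plan nghttp"
    plan="$plan daq snort:configure${OPENAPPID:+ $OPENAPPID}"
    [ -n "${OPENAPPID}" ] && plan="$plan openappid"
    printf '%s\n' "$plan"
}

# Compare the two side by side:
#   plan_buggy -i eth0 -o X -a   vs.   plan_fixed -i eth0 -o X -a
```

Running both with and without -a shows the inversion directly: the buggy version installs nghttp and OpenAppID precisely when nobody asked for them, and passes --enable-open-appid to configure without nghttp in place when somebody did.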
joanbono commented 7 years ago

Closing this PR; will work on all this in an issue.