barnyard 缺少来自 snort 的 SID 消息映射文件

tag-icon tag-icon snort
barnyard 缺少来自 snort 的 SID 消息映射文件

我安装了 snort(当前版本 2.9.7.0-5),然后编译了 Barnyard2 版本 2.1.14(Build 337)。首先尝试:

sudo ./barnyard2 -c ../etc/barnyard2.conf -o /var/log/snort/snort.alert

我明白了Unable to open SID file '/etc/snort/sid-msg.map' (No such file or directory)。这是真的, /etc/snort/sid-msg.map 确实丢失了。我尝试使用现有的 /etc/snort/community-sid-msg.map 但后来我得到:

ERROR: [ParseSidMapLine()]: Unknown sidmap file version [0]

我是否遗漏了什么或者我应该做什么才能使其发挥作用?

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.4 LTS
Release:    16.04
Codename:   xenial

答案1

似乎 /etc/snort/community-sid-msg.map 可用,但只有在删除包含注释后才能使用,例如:

cd ~
sudo grep -v -P "^#" /etc/snort/community-sid-msg.map > community-sid-msg-no-comments.map
# dir required by barnyard2 at runtime
sudo mkdir /var/log/barnyard2
# comment the line "config sid_file: /etc/snort/sid-msg.map" in your barnyard2/etc/barnyard2.conf
sudo ~/apps/opt/barnyard2/bin/barnyard2 -c ~/apps/opt/barnyard2/etc/barnyard2.conf -S community-sid-msg-no-comments.map -o -q /var/log/snort/snort.log

虽然工作输出并不完全完整。此行是示例输出:

04/05-23:18:39.268639  [**] [1:485:4] Snort Alert [1:485:4] [**] [Classification: Misc activity] [Priority: 3] {ICMP} 46.223.181.179 -> 188.26.13.70

而等效的更好的方法是:

04/05-23:18:39.268639  [**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 46.223.181.179 -> 188.26.13.70

第二行(更好的一行)是使用以下命令生成的 sid 文件生成的:

python ~/compile/py-idstools/idstools/scripts/gensidmsgmap.py /etc/snort/rules/ > sid-msg-v1.map

从以下位置获取 gensidmsgmap.pyhttps://github.com/jasonish/py-idstools/tree/master/idstools/scripts

相关内容