Installing SnortSnarf to view Snort logs in a browser

An article describing how to install SnortSnarf, which lets you view Snort logs on the web.


Perl must be installed before SnortSnarf can be installed.
Download the latest version from http://www.silicondefense.com/software/snortsnarf/index.htm
(at the time of writing the latest version is SnortSnarf-021111.1.tar.gz).


[root@dream rpm]# tar xvfz SnortSnarf-021111.1.tar.gz
[root@dream rpm]# cd SnortSnarf-021111.1
[root@dream SnortSnarf-021111.1]# cd include/
[root@dream include]# cp * /usr/lib/perl5/site_perl/5.8.0/
[root@dream include]# cd ..
[root@dream SnortSnarf-021111.1]# cd cgi
[root@dream cgi]# cp * /home/card/html/cgi-bin/



Here "card" is the current top-level directory of httpd,
i.e. the directory configured as cgi-bin in httpd.conf:
ScriptAlias /cgi-bin/ "/home/card/html/cgi-bin/"


[root@dream cgi]# cd ..
[root@dream SnortSnarf-021111.1]# cp snortsnarf.pl /home/admin/html
[root@dream SnortSnarf-021111.1]# cd /home/admin/html
[root@dream html]# ./snortsnarf.pl -rulesdir /usr/local/snort-1.9.1 -rulesfile /usr/local/snort-1.9.1/etc/snort.conf -d /home/admin/html/snort /var/log/snort/alert /var/log/snort/portscan.log

Can't locate Time/ParseDate.pm in @INC (@INC contains: ./include /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/perl5/site_perl/5.8.0/SnortSnarf) at /usr/lib/perl5/site_perl/5.8.0/SnortSnarf/TimeFilters.pm line 18.
BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.0/SnortSnarf/TimeFilters.pm line 18.
Compilation failed in require at /usr/lib/perl5/site_perl/5.8.0/SnortSnarf/Filter.pm line 19.
BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.0/SnortSnarf/Filter.pm line 19.
Compilation failed in require at ./snortsnarf.pl line 87.
BEGIN failed--compilation aborted at ./snortsnarf.pl line 87.




If you do not see an error like this, the installation is complete.
However, you will almost certainly get this error.

It occurs because Time::ParseDate is not installed.
To fix it, install Time::ParseDate as shown below.
There are two ways to do this: install it directly, or fetch the source files from the site and copy them into place.

1. Installing directly


[root@dream SnortSnarf]# perl -MCPAN -e shell

/usr/lib/perl5/5.8.0/CPAN/Config.pm initialized.


CPAN is the world-wide archive of perl resources. It consists of about
100 sites that all replicate the same contents all around the globe.
Many countries have at least one CPAN site already. The resources
found on CPAN are easily accessible with the CPAN.pm module. If you
want to use CPAN.pm, you have to configure it properly.

If you do not want to enter a dialog now, you can answer 'no' to this
question and I'll try to autoconfigure. (Note: you can revisit this
dialog anytime later by typing 'o conf init' at the cpan prompt.)

Are you ready for manual configuration? [yes] no

Answering yes lets you configure the settings manually; answering no lets CPAN configure them automatically.
Below is the automatic path detection you get after answering no.

-------------------------------------------------------------------------------
The following questions are intended to help you with the
configuration. The CPAN module needs a directory of its own to cache
important index files and maybe keep a temporary mirror of CPAN files.
This may be a site-wide directory or a personal directory.

I see you already have a directory
/root/.cpan
Shall we use it as the general CPAN build and cache directory?

CPAN build and cache directory? [/root/.cpan]

...... (omitted) ......
Your favorite WAIT server?
[wait://ls6-www.informatik.uni-dortmund.de:1404]

commit: wrote /usr/lib/perl5/5.8.0/CPAN/Config.pm

cpan shell -- CPAN exploration and modules installation (v1.61)
ReadLine support available (try 'install Bundle::CPAN')
-------------------------------------------------------------------------------------


Once configuration is finished, the prompt shown below appears; type install Time::ParseDate there.


cpan> install Time::ParseDate <== this fetches the file from perl.org and installs it automatically.
CPAN: Storable loaded ok
Going to read /root/.cpan/Metadata
Database was generated on Tue, 11 Mar 2003 08:41:21 GMT
Running install for module Time::ParseDate
Running make for M/MU/MUIR/modules/Time-modules-2003.0211.tar.gz
CPAN: LWP::UserAgent loaded ok
Fetching with LWP:
ftp://ftp.perl.org/pub/CPAN/authors/id/M/MU/MUIR/modules/Time-modules-2003.0211.tar.gz
CPAN: Digest::MD5 loaded ok
Fetching with LWP:
ftp://ftp.perl.org/pub/CPAN/authors/id/M/MU/MUIR/modules/CHECKSUMS
Checksum for /root/.cpan/sources/authors/id/M/MU/MUIR/modules/Time-modules-2003.0211.tar.gz ok
...... (omitted) ......
Appending installation info to /usr/lib/perl5/5.8.0/i386-linux-thread-multi/perllocal.pod
/usr/bin/make install -- OK

cpan> quit
Lockfile removed.




[root@dream 5.8.0]# find /usr/lib/perl5/ -name 'ParseDate.pm' -print
/usr/lib/perl5/site_perl/5.8.0/Time/ParseDate.pm <=== you can see that it is installed correctly.




[root@dream html]# ./snortsnarf.pl -rulesdir /usr/local/snort-1.9.1 -rulesfile /usr/local/snort-1.9.1/etc/snort.conf -d /home/admin/html/snort /var/log/snort/alert /var/log/snort/portscan.log
Using an array as a reference is deprecated at /usr/lib/perl5/site_perl/5.8.0/SnortSnarf/HTMLMemStorage.pm line 290.
Using an array as a reference is deprecated at /usr/lib/perl5/site_perl/5.8.0/SnortSnarf/HTMLAnomMemStorage.pm line 266.
could not open /usr/local/snort-1.9.1/snort.conf to read rules from -- skipping
could not open /usr/local/snort-1.9.1/snort.conf to read rules from -- skipping
could not open /usr/local/snort-1.9.1/snort.conf to read rules from -- skipping
could not open /usr/local/snort-1.9.1/snort.conf to read rules from -- skipping
could not open /usr/local/snort-1.9.1/snort.conf to read rules from -- skipping
could not open /usr/local/snort-1.9.1/snort.conf to read rules from -- skipping
SnortFileInput: input file /var/log/snort/portscan.log exists but is length 0; skipping it



2. Copying the source over

If you have an older version, or Time::ParseDate does not install properly, you can also go to the site and copy the source yourself.

http://search.cpan.org/dist/Time-modules/
On this page you will find the following

Time::CTime format times ala POSIX asctime 99.062201
Time::DaysInMonth simply report the number of days in a month 99.1117
Time::JulianDay Julian calendar manipulations 99.061501
Time::ParseDate date parsing both relative and absolute 2003.0211
Time::Timezone

five modules. Click into each one and click Source to view the source code; copy it,
create a file with the same file name,
and place it under /usr/lib/perl5/<version>/Time.

After that, running snortsnarf.pl will get rid of the Time::ParseDate error.

Option descriptions

-rulesdir : the rules directory
-rulesfile : the location of the snort.conf file
-d : the location of the log files

Now this has to be run from cron so the HTML is regenerated periodically.
However, the more log entries there are, the more load it puts on the system, so it is best to make the cron interval as long as possible.


[root@dream html]# vi snort.cron
#!/bin/sh
# cron does not start in /home/admin/html, so change directory first
cd /home/admin/html && ./snortsnarf.pl -rulesdir /usr/local/snort-1.9.1 -rulesfile /usr/local/snort-1.9.1/etc/snort.conf -d /home/admin/html/snort /var/log/snort/alert /var/log/snort/portscan.log

[root@dream html]# vi /etc/crontab
50 6 * * * root /home/card/html/snort.cron>/dev/null 2>&1

This runs every day at 6:50.
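A more robust cron wrapper for the same snortsnarf.pl invocation, written as an added example (not code from the original post or from SnortSnarf): it uses absolute paths because cron has no useful working directory, skips the run when the alert file has not grown since the last run, and uses a lock directory so two runs never overlap, which addresses the load concern above. The paths are the ones used in the post; the STATE and LOCK file names are assumptions.

```shell
#!/bin/sh
# Cron wrapper for snortsnarf.pl: added example, not part of the original post.
# cron starts with no useful working directory, so every path is absolute;
# the run is skipped when /var/log/snort/alert has not grown since the last
# run, and a lock directory prevents two runs from overlapping.
# Paths come from the post; STATE and LOCK file names are assumptions.
SNORTSNARF=/home/admin/html/snortsnarf.pl
RULESDIR=/usr/local/snort-1.9.1
RULESFILE=/usr/local/snort-1.9.1/etc/snort.conf
OUTDIR=/home/admin/html/snort
ALERT=/var/log/snort/alert
PORTSCAN=/var/log/snort/portscan.log
STATE=/var/tmp/snortsnarf.last   # assumed: byte size of $ALERT at the last run
LOCK=/var/tmp/snortsnarf.lock    # assumed: lock directory (mkdir is atomic)

# file_size FILE: print the size in bytes, or 0 if the file does not exist.
file_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# alert_grew ALERT STATEFILE: true when ALERT is larger than the size
# recorded in STATEFILE (or when no size has been recorded yet).
alert_grew() {
    last=0
    [ -f "$2" ] && last=$(cat "$2")
    [ "$(file_size "$1")" -gt "$last" ]
}

# run_snortsnarf: the same arguments the post uses, but portscan.log is only
# passed when it is non-empty (SnortSnarf skips a 0-length file anyway),
# and the run is niced to limit the load the post warns about.
run_snortsnarf() {
    set -- -rulesdir "$RULESDIR" -rulesfile "$RULESFILE" -d "$OUTDIR" "$ALERT"
    [ "$(file_size "$PORTSCAN")" -gt 0 ] && set -- "$@" "$PORTSCAN"
    nice -n 10 "$SNORTSNARF" "$@"
}

main() {
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "snortsnarf.pl already running, skipping this run" >&2
        return 0
    fi
    trap 'rmdir "$LOCK"' EXIT
    if alert_grew "$ALERT" "$STATE"; then
        run_snortsnarf && file_size "$ALERT" > "$STATE"
    fi
}

main
```

Install it as the script called from /etc/crontab; a run that finds nothing new exits without starting snortsnarf.pl at all.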




Once everything is installed, open a browser and you will be able to see Snort's records on the web, as shown below.
