主页 / unix / 问题 / 435823
Accepted
Adrian
Asked: 2018-04-06 09:27:18 +0800 CST

snort 中缺少 SID 消息映射文件的谷仓

  • 772

我安装了 snort(当前版本 2.9.7.0-5)然后编译 Barnyard2 版本 2.1.14(构建 337)。首先尝试: 

sudo ./barnyard2 -c ../etc/barnyard2.conf -o /var/log/snort/snort.alert

我明白了Unable to open SID file '/etc/snort/sid-msg.map' (No such file or directory)。这是真的, /etc/snort/sid-msg.map 确实丢失了。我尝试使用现有的 /etc/snort/community-sid-msg.map 但后来我得到: 

ERROR: [ParseSidMapLine()]: Unknown sidmap file version [0]

我错过了什么或者我应该怎么做才能让它工作?

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.4 LTS
Release:    16.04
Codename:   xenial
snort

1 个回答

  1. Best Answer

    似乎 /etc/snort/community-sid-msg.map 是可用的,但只有在删除包含的注释后,例如: 

    cd ~
sudo grep -v -P "^#" /etc/snort/community-sid-msg.map > community-sid-msg-no-comments.map
# dir required by barnyard2 at runtime
sudo mkdir /var/log/barnyard2
# comment the line "config sid_file: /etc/snort/sid-msg.map" in your barnyard2/etc/barnyard2.conf
sudo ~/apps/opt/barnyard2/bin/barnyard2 -c ~/apps/opt/barnyard2/etc/barnyard2.conf -S community-sid-msg-no-comments.map -o -q /var/log/snort/snort.log

    虽然工作输出还不是很完整。此行是示例输出: 

    04/05-23:18:39.268639  [**] [1:485:4] Snort Alert [1:485:4] [**] [Classification: Misc activity] [Priority: 3] {ICMP} 46.223.181.179 -> 188.26.13.70

    而等效的更好的是: 

    04/05-23:18:39.268639  [**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 46.223.181.179 -> 188.26.13.70

    第二行(更好的一行)是使用生成的 sid 文件生成的: 

    python ~/compile/py-idstools/idstools/scripts/gensidmsgmap.py /etc/snort/rules/ > sid-msg-v1.map

    从https://github.com/jasonish/py-idstools/tree/master/idstools/scripts获取 gensidmsgmap.py 。

    • 0

相关问题