[IDS Lab] ② Feeding SNORT detection logs into MySQL (Barnyard2)

2025. 4. 1. 18:00 · 🚨 Security Practice / Security Monitoring

1️⃣ Lab overview

SNORT is a network-based intrusion detection system (IDS). It can detect a wide range of traffic, but by default its alerts are written to text files.
Barnyard2 reads the binary logs that SNORT produces (unified2 format) and writes them into a MySQL database.
This lab write-up covers the whole process: storing SNORT detections in the DB through Barnyard2 and then querying them with SQLyog.


🔹Lab environment

  • Virtualization: VirtualBox
  • OS: CentOS 7
  • IDS: SNORT 2.9.20
  • Log spooler: Barnyard2
  • DB: MySQL 8.0
  • Client tool: SQLyog
  • Remote access: PuTTY

 

2️⃣ Installing MySQL and basic setup

  • Add the official MySQL 8 repository, then install ``mysql-server`` and the development library (``mysql-devel``).

🔹1. Register the MySQL repository

rpm -ivh https://dev.mysql.com/get/mysql80-community-release-el7-11.noarch.rpm


🔹2. Install the MySQL server and development package

  • Install the MySQL server plus the development package needed to link against the MySQL C API
yum install mysql-server mysql-devel -y


🔹3. Start the MySQL service and check its status

  • Start the MySQL daemon and confirm that it is running
service mysqld start
service mysqld status

 

3️⃣ Relaxing the MySQL security policy (development-only settings)

🔹1. Lowering the password policy

  • Remove password expiry and the complexity requirements
  • Disable external locking and skip DNS name resolution for client connections
echo >> /etc/my.cnf
echo "default_password_lifetime=0" >> /etc/my.cnf
echo "validate_password.policy=LOW" >> /etc/my.cnf
echo "validate_password.length=6" >> /etc/my.cnf
echo "validate_password.special_char_count=0" >> /etc/my.cnf
echo "validate_password.mixed_case_count=0" >> /etc/my.cnf
echo "validate_password.number_count=0" >> /etc/my.cnf
echo "skip_external_locking" >> /etc/my.cnf
echo "skip_name_resolve" >> /etc/my.cnf


  • Open ``/etc/my.cnf`` and confirm that the lines were appended
vi /etc/my.cnf


🔹2. Restart MySQL

  • Restart MySQL so the new settings take effect
service mysqld restart

 

4️⃣ MySQL account setup and remote access

🔹1. Find the temporary password

  • Extract the temporary root password generated during installation
grep "temporary password is generated" /var/log/mysqld.log | grep -oP "\S+$"


🔹2. Change the password and create a remote root account

  • Log in while the password is still in the expired state and change it
mysql --connect-expired-password -uroot -p -e \
"alter user 'root'@'localhost' identified with mysql_native_password by 'no1ids';"


  • Create a root account that can connect from any host and grant it all privileges
mysql -uroot -p -e "create user 'root'@'%' identified by 'no1ids';"
mysql -uroot -p -e "alter user 'root'@'%' identified with mysql_native_password by 'no1ids';"
mysql -uroot -p -e "grant all privileges on *.* to 'root'@'%' with grant option;"


  • Test logging in with the new password


🔹3. SQLyog connection test

  • Confirm that a remote connection from SQLyog succeeds

 

5️⃣ Installing Barnyard2

🔹1. Download and extract the source code

wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2.tar.gz
tar xvzf barnyard2.tar.gz
cd barnyard2-master


🔹2. Build and install

  • Prepare the build environment → configure → install

 


🔹3. Create the log directory and copy the configuration

  • Create the Barnyard2 log directory and the waldo (bookmark) file, and place the configuration file under /etc/snort/
mkdir /var/log/barnyard2
touch /var/log/snort/barnyard2.tmp
cp /usr/local/etc/barnyard2.conf /etc/snort/


🔹4. Edit barnyard2.conf

  • Enter the MySQL connection details for the database output plugin
vi /etc/snort/barnyard2.conf
[Before]
#Examples:
#	output database: log, mysql, user=root password=test dbname=db host=localhost

[After]
#Examples:
output database: log, mysql, user=root password=no1ids dbname=snort host=localhost

 

 

6️⃣ Creating the Snort DB and loading the schema

🔹1. Create the table structure

  • Create the tables Barnyard2 uses, from the schema file shipped with the source
cd barnyard2-master/

mysql -u root -p -e "create database snort;"
mysql -u root -p -D snort < schemas/create_mysql
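The post points barnyard2.conf at the root@'%' account created in section 4, which has every privilege on every database from any host. Now that the snort schema exists, the following is an added example (not part of the original post and not from the Barnyard2 project) of a least-privilege layout shown beside that setting. The account names, the host pattern 192.168.56.%, the password placeholders and the privilege list are assumptions for this lab; the privilege set reflects what the database output plugin needs as far as I know it (lookups in sensor/signature, inserts of event and header rows, updates of the sensor's last_cid counter), and SHOW GRANTS plus the Barnyard2 startup log will show whether your version needs more.

```sql
-- Added example, not from the original post or from the Barnyard2 project:
-- a least-privilege layout for the snort database, shown beside the post's
-- root@'%' grant. Account names, host patterns, the password placeholders
-- and the privilege list are assumptions for this lab.

-- Setting from the post, for comparison: an all-powerful root that any host
-- may connect to, which nothing in this pipeline needs.
--   CREATE USER 'root'@'%' IDENTIFIED BY 'no1ids';
--   GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;

-- Spooler account. Barnyard2 runs on the same host as MySQL here, so bind it
-- to localhost. Assumed minimal privilege set: it looks up sensor/signature
-- rows (SELECT), writes event and header rows (INSERT) and advances the
-- sensor's last_cid counter (UPDATE). mysql_native_password is kept because
-- the libmysqlclient that Barnyard2 links against predates MySQL 8's default
-- caching_sha2_password plugin.
CREATE USER 'barnyard2'@'localhost'
  IDENTIFIED WITH mysql_native_password BY '<CHANGE_ME_spooler_password>';
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'barnyard2'@'localhost';

-- Analyst account for SQLyog: read-only, and reachable only from the
-- host-only network (192.168.56.0/24 is assumed; adjust to yours).
CREATE USER 'snort_ro'@'192.168.56.%'
  IDENTIFIED WITH mysql_native_password BY '<CHANGE_ME_analyst_password>';
GRANT SELECT ON snort.* TO 'snort_ro'@'192.168.56.%';

-- Check what each account can actually do before switching barnyard2.conf to
--   output database: log, mysql, user=barnyard2 password=... dbname=snort host=localhost
SHOW GRANTS FOR 'barnyard2'@'localhost';
SHOW GRANTS FOR 'snort_ro'@'192.168.56.%';

-- Once the dedicated accounts work, the remote root from the post can go.
DROP USER IF EXISTS 'root'@'%';
```

Run this as root@'localhost' (for example with `mysql -uroot -p < accounts.sql`), then retest the SQLyog connection with the snort_ro account before dropping the remote root, so a typo in the host pattern does not lock you out of the lab.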


🔹2. Verify the tables

  • In SQLyog, click ``Refresh Object Browser`` and confirm that the ``snort`` database and its tables were created


7️⃣ SNORT rules and SID mapping

🔹1. SID-to-message mapping

  • Map each SID to its rule message so the signature text for an event can be looked up easily in the DB

 

8️⃣ Running it

🔹1. Start Barnyard2

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f alert.log -w /var/log/snort/barnyard2.tmp

Options
``-c`` path to the configuration file
``-d`` directory containing the spool (unified2) files
``-f`` base name of the unified2 log file
``-w`` path to the waldo file (bookmark that prevents the same records from being processed twice)

🔹2. Start SNORT

  • Start SNORT and wait for traffic to be detected
  • The NIC name (``eth1``) depends on the system; change it to match your environment
snort -i eth1 -c /etc/snort/snort.conf


🔹3. Generate test traffic with ping

  • ping the CentOS host from outside → SNORT detects it → Barnyard2 → stored in the DB
ping 192.168.56.100


  • Watch the events appear in the running Barnyard2 session


🔹4. Check the detections in SQLyog

  • Join the ``event`` table with the ``signature`` table to see the detections
SELECT a.timestamp, b.sig_name
FROM event a, signature b
WHERE a.signature = b.sig_id;
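The two-table join above is the minimal check. As an added example (not from the original post), the queries below go further over the same tables that schemas/create_mysql created: they pull in the sensor, iphdr, icmphdr and sig_class tables to show who pinged whom, count alerts per rule and source address, and compare the sensor's cid counter with what is actually stored. The fixture rows at the top are constructed so the queries can be tried on a scratch copy of the snort database; the addresses, hostname and rule name are made up.

```sql
-- Added example, not from the original post: analyst queries over the tables
-- that schemas/create_mysql created (event, signature, sig_class, sensor,
-- iphdr, icmphdr). The fixture rows are constructed for a scratch copy of the
-- snort database; the addresses, hostname and rule name are made up.
USE snort;

-- Constructed fixture: one sensor, one ICMP rule, two echo-request events.
INSERT INTO sensor (sid, hostname, interface, filter, detail, encoding, last_cid)
VALUES (1, 'centos7-ids', 'eth1', NULL, 1, 0, 2);
INSERT INTO sig_class (sig_class_id, sig_class_name) VALUES (1, 'misc-activity');
INSERT INTO signature (sig_id, sig_name, sig_class_id, sig_priority, sig_rev, sig_sid, sig_gid)
VALUES (1, 'ICMP ping test rule (constructed)', 1, 3, 1, 1000001, 1);
INSERT INTO event (sid, cid, signature, timestamp) VALUES
  (1, 1, 1, '2025-04-01 18:00:01'),
  (1, 2, 1, '2025-04-01 18:00:02');
INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_proto) VALUES
  (1, 1, INET_ATON('192.168.56.1'), INET_ATON('192.168.56.100'), 4, 5, 1),
  (1, 2, INET_ATON('192.168.56.1'), INET_ATON('192.168.56.100'), 4, 5, 1);
INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) VALUES (1, 1, 8, 0), (1, 2, 8, 0);

-- 1) Per-alert view. event, iphdr and icmphdr share the composite key
--    (sid, cid): cid is a per-sensor counter, so joining on cid alone would
--    mix up events from different sensors. ip_src/ip_dst are stored as
--    unsigned integers, hence INET_NTOA.
SELECT e.sid, e.cid, e.timestamp,
       s.hostname AS sensor, s.interface,
       INET_NTOA(ip.ip_src) AS src_ip,
       INET_NTOA(ip.ip_dst) AS dst_ip,
       ip.ip_proto, ic.icmp_type, ic.icmp_code,
       sig.sig_gid, sig.sig_sid, sig.sig_rev, sig.sig_name,
       sc.sig_class_name, sig.sig_priority
FROM event e
JOIN sensor s          ON s.sid = e.sid
JOIN signature sig     ON sig.sig_id = e.signature
LEFT JOIN sig_class sc ON sc.sig_class_id = sig.sig_class_id
LEFT JOIN iphdr ip     ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN icmphdr ic   ON ic.sid = e.sid AND ic.cid = e.cid
ORDER BY e.timestamp DESC, e.cid DESC
LIMIT 50;

-- 2) Triage view: alert volume per rule and source address in the last hour.
--    The constructed rows are dated 2025-04-01, so drop the WHERE clause (or
--    widen the interval) to see them; on a live sensor keep it.
SELECT sig.sig_name,
       INET_NTOA(ip.ip_src) AS src_ip,
       COUNT(*)         AS hits,
       MIN(e.timestamp) AS first_seen,
       MAX(e.timestamp) AS last_seen
FROM event e
JOIN signature sig ON sig.sig_id = e.signature
LEFT JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
WHERE e.timestamp >= NOW() - INTERVAL 1 HOUR
GROUP BY sig.sig_name, ip.ip_src
ORDER BY hits DESC;

-- 3) Pipeline health: Barnyard2 resumes from sensor.last_cid, so last_cid
--    should track the highest cid actually stored. A max_event_cid that stops
--    growing while SNORT keeps writing unified2 records means the spooler has
--    stalled (waldo file, DB credentials or disk are the usual causes).
SELECT s.sid, s.hostname, s.interface, s.last_cid,
       COUNT(e.cid) AS stored_events,
       MAX(e.cid)   AS max_event_cid
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid;
```

With the fixture loaded, query 1 returns two rows showing 192.168.56.1 → 192.168.56.100 with icmp_type 8 (echo request), and query 3 returns one sensor row with stored_events = 2 and max_event_cid = 2, matching last_cid. The same three queries are what I would paste into SQLyog's query tab once real Barnyard2 data is flowing.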


 
