简体中文(ZH-CN)English(EN)繁体中文(ZH-TW)日本語(JA)한국어(KO)Melayu(MS)Français(FR)Deutsch(DE)
首頁
文章
問答
課程
專題
下載
遊戲
詞典
最近更新

首頁  >  文章  >  系統教程  >  在 Ubuntu 16.04 上配置 Bro:網路分析的有力工具

在 Ubuntu 16.04 上配置 Bro:網路分析的有力工具

王林
王林轉載
2024-01-04 11:36:451224瀏覽
導讀 Bro 是一個開源的網路分析框架,專注於網路安全監控。這是一項長達 15 年的研究成果,被各大學、研究實驗室、超級電腦中心和許多開放科學界廣泛使用。它主要由柏克萊國際電腦科學研究所和伊利諾大學厄巴納-香檳分校的國家超級電腦應用中心所開發。

网络分析利器:在 Ubuntu 16.04 上安装 Bro
# Bro 的功能包括:

  • Bro 的腳本語言支援針對網站自訂監控策略
  • 針對高效能網路
  • 分析器支援許多協議,可以在應用層面實現高級語義分析
  • 它保留了其所監控的網路的豐富的應用層統計資訊
  • Bro 能夠與其他應用程式介面即時地交換資訊
  • 它的日誌全面地記錄了一切信息,並提供網絡活動的高級存檔

本教學將介紹如何從原始碼構建,並在 Ubuntu 16.04 伺服器上安裝 Bro。

準備工作

Bro 有許多依賴檔:

  • Libpcap (http://www.tcpdump.org)
  • OpenSSL 函式庫 (http://www.openssl.org)
  • BIND8 函式庫
  • Libz
  • Bash (BroControl 所需)
  • Python 2.6 (BroControl 所需)

從原始碼建置還需要:

  • CMake 2.8
  • Make
  • GCC 4.8 or Clang 3.3
  • SWIG
  • GNU Bison
  • Flex
  • Libpcap headers
  • OpenSSL headers
  • zlib headers
開始

首先,透過執行以下命令來安裝所有必要的依賴項:

<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span> <span class="kwd" style="font-family: Consolas, Monaco, monospace;">apt-get</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> install cmake </span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">make</span> <span class="kwd" style="font-family: Consolas, Monaco, monospace;">gcc</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> g</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">++</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> flex bison libpcap</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">-</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">dev libssl</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">-</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">dev python</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">-</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">dev swig zlib1g</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">-</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">dev</span>
安裝定位 IP 地理位置的 GeoIP 資料庫

Bro 使用 GeoIP 的定位地理位置。安裝 IPv4 和 IPv6 版本:

<span class="pln" style="font-family: Consolas, Monaco, monospace;">$ </span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">wget</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> http</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">:</span><span class="com" style="font-family: Consolas, Monaco, monospace;">//geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz</span>
<span class="pln" style="font-family: Consolas, Monaco, monospace;">$wget http</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">:</span><span class="com" style="font-family: Consolas, Monaco, monospace;">//geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz</span>

解壓縮這兩個壓縮套件:

<span class="pln" style="font-family: Consolas, Monaco, monospace;">$ gzip </span><span class="pun" style="font-family: Consolas, Monaco, monospace;">-</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">d </span><span class="typ" style="font-family: Consolas, Monaco, monospace;">GeoLiteCity</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">dat</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">gz</span>
<span class="pln" style="font-family: Consolas, Monaco, monospace;">$ gzip </span><span class="pun" style="font-family: Consolas, Monaco, monospace;">-</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">d </span><span class="typ" style="font-family: Consolas, Monaco, monospace;">GeoLiteCityv6</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">dat</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">gz</span>

將解壓縮後的檔案移到

/usr/share/GeoIP

目錄下:

<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> mvGeoLiteCity</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">dat </span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">usr</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">share</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="typ" style="font-family: Consolas, Monaco, monospace;">GeoIP</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="typ" style="font-family: Consolas, Monaco, monospace;">GeoIPCity</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">dat</span>
<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span> <span class="kwd" style="font-family: Consolas, Monaco, monospace;">mv</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">GeoLiteCityv6</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">dat </span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">usr</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">share</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="typ" style="font-family: Consolas, Monaco, monospace;">GeoIP</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="typ" style="font-family: Consolas, Monaco, monospace;">GeoIPCityv6</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">dat</span>

現在,可以從原始碼建置 Bro 了。

建構 Bro

最新的 Bro 開發版本可以透過 "git"倉庫取得。執行以下命令:

$ git clone --recursive git://git.bro.org/bro

轉到克隆下來的目錄,然後使用以下命令就可以簡單地建立 Bro:

<span class="pln" style="font-family: Consolas, Monaco, monospace;">$ </span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">cd</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> bro</span>
<span class="pln" style="font-family: Consolas, Monaco, monospace;">$ </span><span class="pun" style="font-family: Consolas, Monaco, monospace;">./</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">configure</span>
<span class="pln" style="font-family: Consolas, Monaco, monospace;">$ </span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">make</span>
make

命令需要一些時間來建立一切。確切的時間取決於伺服器的效能。
可以使用一些參數來執行"configure" 腳本,以指定要建置的依賴關係,特別是"--with-*"選項。

安裝 Bro

在複製的 "bro" 目錄中執行:

<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span> <span class="kwd" style="font-family: Consolas, Monaco, monospace;">make</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> install</span>

預設安裝路徑為"/usr/local/bro"。

配置 Bro

Bro 的設定檔位於 "/usr/local/bro/etcV 目錄下。 這裡有三個檔案:

  • node.cfg,用於設定要監視的單一節點(或多個節點)。
  • broctl.cfg,BroControl 的設定檔。
  • networks.cgf,包含一個使用 CIDR 標記法表示的網路清單。
設定郵件設定

#開啟 "broctl.cfg"設定檔:

<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> $EDITOR </span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">usr</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">local</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">bro</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">etc</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">broctl</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">cfg</span>

檢視 "Mail Options"選項,並編輯 "MailTo" 列如下:

<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">Recipient</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> address </span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">for</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> emails sent out by </span><span class="typ" style="font-family: Consolas, Monaco, monospace;">Bro</span> <span class="kwd" style="font-family: Consolas, Monaco, monospace;">and</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">BroControl</span>
<span class="typ" style="font-family: Consolas, Monaco, monospace;">MailTo</span> <span class="pun" style="font-family: Consolas, Monaco, monospace;">=</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> admin@example</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">com</span>

儲存並關閉。還有許多其他選項,但在大多數情況下,預設值就足夠好了。

選擇要監視的節點

#開箱即用,Bro 被配置為以獨立模式運作。在本教程中,我們就是做一個獨立的安裝,所以沒有必要改變。但是,也請查看 "node.cfg"設定檔:

<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> $EDITOR </span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">usr</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">local</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">bro</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">etc</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">node</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">cfg</span>

在 "[bro]" 部分,你應該看到這樣的東西:

<span class="pun" style="font-family: Consolas, Monaco, monospace;">[</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">bro</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">]</span>
<span class="pln" style="font-family: Consolas, Monaco, monospace;">type</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">=</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">standalone</span>
<span class="pln" style="font-family: Consolas, Monaco, monospace;">host</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">=</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">localhost</span>
<span class="kwd" style="font-family: Consolas, Monaco, monospace;">interface</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">=</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">eth0</span>

請確保"inferface" 與 Ubuntu 16.04 伺服器的公網介面相符。
儲存並退出。

配置監視節點的網路

#最後一個要編輯的檔案是 "network.cfg"。使用文字編輯器打開它:

<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> $EDITOR </span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">usr</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">local</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">bro</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">etc</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">networks</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">cfg</span>

預設情況下,你應該會看到以下內容:

<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">List</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> of </span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">local</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> networks </span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">in</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> CIDR notation</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">,</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> optionally followed by a</span>
<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> descriptive tag</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span>
<span class="com" style="font-family: Consolas, Monaco, monospace;">#</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">For</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> example</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">,</span> <span class="str" style="font-family: Consolas, Monaco, monospace;">"10.0.0.0/8"</span> <span class="kwd" style="font-family: Consolas, Monaco, monospace;">or</span> <span class="str" style="font-family: Consolas, Monaco, monospace;">"fe80::/64"</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> are valid prefixes</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span>
<span style="font-family: Consolas, Monaco, monospace;"> </span>
<span class="lit" style="font-family: Consolas, Monaco, monospace;">10.0</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="lit" style="font-family: Consolas, Monaco, monospace;">0.0</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="lit" style="font-family: Consolas, Monaco, monospace;">8</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">Private</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> IP space</span>
<span class="lit" style="font-family: Consolas, Monaco, monospace;">172.16</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="lit" style="font-family: Consolas, Monaco, monospace;">0.0</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="lit" style="font-family: Consolas, Monaco, monospace;">12</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">Private</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> IP space</span>
<span class="lit" style="font-family: Consolas, Monaco, monospace;">192.168</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="lit" style="font-family: Consolas, Monaco, monospace;">0.0</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="lit" style="font-family: Consolas, Monaco, monospace;">16</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">Private</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> IP space</span>

刪除這三個項目(這只是如何使用此檔案的範例),並輸入伺服器的公用和專用 IP 空間,格式如下:

<span class="pln" style="font-family: Consolas, Monaco, monospace;">X</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">X</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">X</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">X</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">X </span><span class="typ" style="font-family: Consolas, Monaco, monospace;">Public</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> IP space</span>
<span class="pln" style="font-family: Consolas, Monaco, monospace;">X</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">X</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">X</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">.</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">X</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">X </span><span class="typ" style="font-family: Consolas, Monaco, monospace;">Private</span><span class="pln" style="font-family: Consolas, Monaco, monospace;"> IP space</span>

儲存並退出。

使用 BroControl 管理 Bro 的安裝

管理 Bro 需要使用 BroControl,它支援互動式 shell 和命令列工具兩種形式。啟動該 shell:

<span class="com" style="font-family: Consolas, Monaco, monospace;"># /usr/</span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">local</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">bro</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">bin</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">broctl</span>

要想使用命令列工具,只需將參數傳遞給上一個命令,例如:

<span class="com" style="font-family: Consolas, Monaco, monospace;"># /usr/</span><span class="kwd" style="font-family: Consolas, Monaco, monospace;">local</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">bro</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">bin</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">/</span><span class="pln" style="font-family: Consolas, Monaco, monospace;">broctl status</span>

這將透過顯示以下的輸出來檢查 Bro 的狀態:

<span class="typ" style="font-family: Consolas, Monaco, monospace;">Name</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">Type</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">Host</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">Status</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">Pid</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">Started</span>
<span class="pln" style="font-family: Consolas, Monaco, monospace;">bro standalone localhost running </span><span class="lit" style="font-family: Consolas, Monaco, monospace;">6807</span> <span class="lit" style="font-family: Consolas, Monaco, monospace;">20</span> <span class="typ" style="font-family: Consolas, Monaco, monospace;">Jul</span> <span class="lit" style="font-family: Consolas, Monaco, monospace;">12</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">:</span><span class="lit" style="font-family: Consolas, Monaco, monospace;">30</span><span class="pun" style="font-family: Consolas, Monaco, monospace;">:</span><span class="lit" style="font-family: Consolas, Monaco, monospace;">50</span>
結論

這是一篇 Bro 的安裝教學。我們使用基於原始程式碼的安裝,因為它是獲得可用的最新版本的最有效的方法,但是該網路分析框架也可以下載預先建置的二進位格式檔案。
下次見!

以上是在 Ubuntu 16.04 上配置 Bro:網路分析的有力工具的詳細內容。更多資訊請關注PHP中文網其他相關文章!

Python bash mail 接口 flex git 数据库 http 网络安全 tcpdump ubuntu gnu
陳述:
本文轉載於:linuxprobe.com。如有侵權,請聯絡admin@php.cn刪除
上一篇:ubuntu的自動休眠功能是什麼? ubuntu v20的自動休眠系統設定技巧下一篇:ubuntu的自動休眠功能是什麼? ubuntu v20的自動休眠系統設定技巧

相關文章

看更多