Журнал лабораторных работ

Содержание

Журнал

Суббота (06/23/07)

/dev/pts/11
14:46:35
#ps -ef| snort
64 bytes from 192.168.15.201: icmp_seq=127 ttl=64 time=0.291 ms
64 bytes from 192.168.15.201: icmp_seq=128 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=129 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=130 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=131 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=132 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=133 ttl=64 time=0.235 ms
64 bytes from 192.168.15.201: icmp_seq=134 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=135 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=136 ttl=64 time=0.209 ms
...
        -v         Be verbose
        -V         Show version number
        -w         Dump 802.11 management and control frames
        -X         Dump the raw packet data starting at the link layer
        -y         Include year in timestamp in the alert and log files
        -z         Set assurance mode, match on established sesions (for TCP)
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Uh, you need to tell me to do something...
: No such file or directory
14:46:51
#ps -ef | grep snort
64 bytes from 192.168.15.201: icmp_seq=78 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=79 ttl=64 time=0.235 ms
64 bytes from 192.168.15.201: icmp_seq=80 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=81 ttl=64 time=0.252 ms
64 bytes from 192.168.15.201: icmp_seq=82 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=83 ttl=64 time=0.236 ms
64 bytes from 192.168.15.201: icmp_seq=84 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=85 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=86 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=87 ttl=64 time=0.208 ms
...
64 bytes from 192.168.15.201: icmp_seq=217 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=218 ttl=64 time=0.308 ms
64 bytes from 192.168.15.201: icmp_seq=219 ttl=64 time=0.230 ms
64 bytes from 192.168.15.201: icmp_seq=220 ttl=64 time=0.226 ms
64 bytes from 192.168.15.201: icmp_seq=221 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=222 ttl=64 time=0.185 ms
64 bytes from 192.168.15.201: icmp_seq=223 ttl=64 time=0.222 ms
64 bytes from 192.168.15.201: icmp_seq=224 ttl=64 time=0.217 ms
snort     7313     1  0 07:33 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      8290  8100  0 07:47 pts/12   00:00:00 grep snort
14:47:12
#killall -9 snort
64 bytes from 192.168.15.201: icmp_seq=84 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=85 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=86 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=87 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=88 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=89 ttl=64 time=0.221 ms
64 bytes from 192.168.15.201: icmp_seq=90 ttl=64 time=0.231 ms
64 bytes from 192.168.15.201: icmp_seq=91 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=92 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=93 ttl=64 time=0.207 ms
...
64 bytes from 192.168.15.201: icmp_seq=223 ttl=64 time=0.222 ms
64 bytes from 192.168.15.201: icmp_seq=224 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=225 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=226 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=227 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=228 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=229 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=230 ttl=64 time=0.247 ms
64 bytes from 192.168.15.201: icmp_seq=231 ttl=64 time=0.246 ms
64 bytes from 192.168.15.201: icmp_seq=232 ttl=64 time=0.208 ms
14:47:50
#/etc/init.d/snort start
64 bytes from 192.168.15.201: icmp_seq=88 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=89 ttl=64 time=0.221 ms
64 bytes from 192.168.15.201: icmp_seq=90 ttl=64 time=0.231 ms
64 bytes from 192.168.15.201: icmp_seq=91 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=92 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=93 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=94 ttl=64 time=0.274 ms
64 bytes from 192.168.15.201: icmp_seq=95 ttl=64 time=0.245 ms
64 bytes from 192.168.15.201: icmp_seq=96 ttl=64 time=0.244 ms
64 bytes from 192.168.15.201: icmp_seq=97 ttl=64 time=0.210 ms
...
64 bytes from 192.168.15.201: icmp_seq=227 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=228 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=229 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=230 ttl=64 time=0.247 ms
64 bytes from 192.168.15.201: icmp_seq=231 ttl=64 time=0.246 ms
64 bytes from 192.168.15.201: icmp_seq=232 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=233 ttl=64 time=0.286 ms
64 bytes from 192.168.15.201: icmp_seq=234 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=235 ttl=64 time=0.214 ms
Starting Network Intrusion Detection System: snort(eth0).
14:47:56
#ps -ef |grep snort
snort     8317     1 17 07:47 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      8324  8100  0 07:48 pts/12   00:00:00 grep snort
14:48:11
#vi /etc/snort/snort.eth0.conf
14:51:30
#vim /etc/default/snort
14:51:44
#dpkg-reconfigure snort
64 bytes from 192.168.15.201: icmp_seq=273 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=274 ttl=64 time=0.276 ms
64 bytes from 192.168.15.201: icmp_seq=275 ttl=64 time=0.225 ms
64 bytes from 192.168.15.201: icmp_seq=276 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=277 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=278 ttl=64 time=0.239 ms
64 bytes from 192.168.15.201: icmp_seq=279 ttl=64 time=0.219 ms
64 bytes from 192.168.15.201: icmp_seq=280 ttl=64 time=0.232 ms
64 bytes from 192.168.15.201: icmp_seq=281 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=282 ttl=64 time=0.211 ms
/usr/sbin/dpkg-reconfigure: snort is broken or not fully installed
14:51:51
#apt-get install snort
Preconfiguring packages ...
(Reading database ... 27921 files and directories currently installed.)
Removing snort-mysql ...
Stopping Network Intrusion Detection System: snort(eth0).
Selecting previously deselected package snort.
(Reading database ... 27897 files and directories currently installed.)
Unpacking snort (from .../snort_2.3.3-11_i386.deb) ...
Setting up snort (2.3.3-11) ...
No snort instance found to be stopped!
Starting Network Intrusion Detection System: snort(eth0).
14:52:14
#ps -ef |grep snort
64 bytes from 192.168.15.201: icmp_seq=142 ttl=64 time=0.237 ms
64 bytes from 192.168.15.201: icmp_seq=143 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=144 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=145 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=146 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=147 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=148 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=149 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=150 ttl=64 time=0.284 ms
64 bytes from 192.168.15.201: icmp_seq=151 ttl=64 time=0.199 ms
...
64 bytes from 192.168.15.201: icmp_seq=281 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=282 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=283 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=284 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=285 ttl=64 time=0.219 ms
64 bytes from 192.168.15.201: icmp_seq=286 ttl=64 time=0.274 ms
64 bytes from 192.168.15.201: icmp_seq=287 ttl=64 time=0.222 ms
64 bytes from 192.168.15.201: icmp_seq=288 ttl=64 time=0.238 ms
snort     8501     1 23 07:52 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      8508  8100  0 07:52 pts/12   00:00:00 grep snort
14:52:25
#killall -9 snort

14:52:30
#dpkg-reconfigure snort
64 bytes from 192.168.15.201: icmp_seq=292 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=293 ttl=64 time=0.269 ms
64 bytes from 192.168.15.201: icmp_seq=294 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=295 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=296 ttl=64 time=0.222 ms
64 bytes from 192.168.15.201: icmp_seq=297 ttl=64 time=0.277 ms
64 bytes from 192.168.15.201: icmp_seq=298 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=299 ttl=64 time=0.245 ms
64 bytes from 192.168.15.201: icmp_seq=300 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=301 ttl=64 time=0.213 ms
Stopping Network Intrusion Detection System: snort(eth0).
14:53:27
#ps -ef |grep snort
snort     8616     1 31 07:53 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.15.201/32] -i eth0
root      8623  8100  0 07:53 pts/12   00:00:00 grep snort
14:53:34
#ps -efww
snort     8616     1 15 07:53 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.15.201/32] -i eth0
root      8630  8100  0 07:53 pts/12   00:00:00 grep snort
14:53:42
#ps -efww |grep snort |less
14:53:46
#ps -efww |grep snort |more
14:53:52
#scp linux3:/etc/snort/snort.conf /tmp/snort.conf
64 bytes from 192.168.15.201: icmp_seq=165 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=166 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=167 ttl=64 time=0.205 ms
64 bytes from 192.168.15.201: icmp_seq=168 ttl=64 time=0.219 ms
64 bytes from 192.168.15.201: icmp_seq=169 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=170 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=171 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=172 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=173 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=174 ttl=64 time=0.213 ms
...
64 bytes from 192.168.15.201: icmp_seq=304 ttl=64 time=0.203 ms
64 bytes from 192.168.15.201: icmp_seq=305 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=306 ttl=64 time=0.260 ms
64 bytes from 192.168.15.201: icmp_seq=307 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=308 ttl=64 time=0.195 ms
64 bytes from 192.168.15.201: icmp_seq=309 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=310 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=311 ttl=64 time=0.223 ms
root@linux3's password:
snort.conf                                                                                                                             100%   27KB  27.1KB/s   00:00
14:54:26
#diff /etc/snort/snort.
64 bytes from 192.168.15.201: icmp_seq=306 ttl=64 time=0.260 ms
64 bytes from 192.168.15.201: icmp_seq=307 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=308 ttl=64 time=0.195 ms
64 bytes from 192.168.15.201: icmp_seq=309 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=310 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=311 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=312 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=313 ttl=64 time=0.243 ms
64 bytes from 192.168.15.201: icmp_seq=314 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=315 ttl=64 time=0.220 ms
snort.debian.conf  snort.eth0.conf
14:54:26
#diff /etc/snort/snort.
snort.debian.conf  snort.eth0.conf
14:54:26
#diff /etc/snort/snort.eth0.conf /tmp/snort.conf
> #                         will cause false positves with router flap
> #
> # Frag2 uses Generator ID 113 and uses the following SIDS
209,212c209,212
< # SID Event description
< # ----- -------------------
< # 1 Oversized fragment (reassembled frag > 64k bytes)
< # 2 Teardrop-type attack
---
> #  SID     Event description
...
> #   serveronly - reassemble traffic for the server side of a connection only
> #   both - reassemble both sides of a session
> #   noalerts - turn off alerts from the stream reassembly stage of stream4
> #   ports [list] - use the space separated list of ports in [list], "all"
> #                  will turn on reassembly for all ports, "default" will turn
> #                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
> #                  and 513
300c300
< preprocessor http_inspect: global iis_unicode_map unicode.map 1252
---
14:55:06
#wc -l /etc/snort/snort.eth0.conf
690 /etc/snort/snort.eth0.conf
14:55:11
#wc -l /tmp/snort.conf
64 bytes from 192.168.15.201: icmp_seq=175 ttl=64 time=0.237 ms
64 bytes from 192.168.15.201: icmp_seq=176 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=177 ttl=64 time=0.302 ms
64 bytes from 192.168.15.201: icmp_seq=178 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=179 ttl=64 time=0.312 ms
64 bytes from 192.168.15.201: icmp_seq=180 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=181 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=182 ttl=64 time=0.238 ms
64 bytes from 192.168.15.201: icmp_seq=183 ttl=64 time=0.236 ms
64 bytes from 192.168.15.201: icmp_seq=184 ttl=64 time=0.215 ms
...
64 bytes from 192.168.15.201: icmp_seq=314 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=315 ttl=64 time=0.220 ms
64 bytes from 192.168.15.201: icmp_seq=316 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=317 ttl=64 time=0.228 ms
64 bytes from 192.168.15.201: icmp_seq=318 ttl=64 time=0.275 ms
64 bytes from 192.168.15.201: icmp_seq=319 ttl=64 time=0.235 ms
64 bytes from 192.168.15.201: icmp_seq=320 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=321 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=322 ttl=64 time=0.227 ms
724 /tmp/snort.conf
14:55:16
#ps aux |grep snort
64 bytes from 192.168.15.201: icmp_seq=182 ttl=64 time=0.238 ms
64 bytes from 192.168.15.201: icmp_seq=183 ttl=64 time=0.236 ms
64 bytes from 192.168.15.201: icmp_seq=184 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=185 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=186 ttl=64 time=0.230 ms
64 bytes from 192.168.15.201: icmp_seq=187 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=188 ttl=64 time=0.252 ms
64 bytes from 192.168.15.201: icmp_seq=189 ttl=64 time=0.230 ms
64 bytes from 192.168.15.201: icmp_seq=190 ttl=64 time=0.245 ms
64 bytes from 192.168.15.201: icmp_seq=191 ttl=64 time=0.212 ms
...
64 bytes from 192.168.15.201: icmp_seq=321 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=322 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=323 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=324 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=325 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=326 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=327 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=328 ttl=64 time=0.207 ms
snort     8616  1.7 14.1  75032 73060 ?        Ss   07:53   0:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.15.201/32] -i eth0
root      8697  0.0  0.1   2848   704 pts/12   R+   07:55   0:00 grep snort
14:55:55
#ps aux |grep snort |less
14:56:16
#apt-cache search less
paw-static - Dummy package for smooth upgrades of PAW
pcmciautils - PCMCIA utilities for Linux 2.6
pgf - TeX Portable Graphic Format
plan - X/Motif day planner (dynamically compiled with LessTif2)
pmccabe - McCabe-style function complexity and line counting for C and C++
pmx - A Preprocessor for MusiXTeX
pngnq - tool for optimizing PNG (Portable Network Graphics) images
pngquant - PNG (Portable Network Graphics) image optimising utility
pootle - Web-based translation and translation management tool
postgresql-8.1-slony1 - replication system for PostgreSQL
...
yaird - Yet Another mkInitRD
yforth - A small freeware Forth environment in ANSI C
zd1211-source - Source for the zd1211 wireless driver module
zec - Z-Shell Empire client
zftp - Cernlib's file transfer program
zmakebas - convert text files into ZX Spectrum Basic programs
zope-externaleditor - Zope External Editor
zope-pts - placeless translation service for zope
zopeedit - Helper Application for Zope External Editor
zsh-beta - A shell with lots of features (dev tree)
14:56:35
#apt-get install less
64 bytes from 192.168.15.201: icmp_seq=206 ttl=64 time=0.221 ms
64 bytes from 192.168.15.201: icmp_seq=207 ttl=64 time=0.298 ms
64 bytes from 192.168.15.201: icmp_seq=208 ttl=64 time=0.315 ms
64 bytes from 192.168.15.201: icmp_seq=209 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=210 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=211 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=212 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=213 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=214 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=215 ttl=64 time=0.273 ms
...
  less
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 111kB of archives.
After unpacking 274kB of additional disk space will be used.
Get:1 http://debian.org.ua etch/main less 394-4 [111kB]
Fetched 111kB in 0s (190kB/s)
Selecting previously deselected package less.
(Reading database ... 27920 files and directories currently installed.)
Unpacking less (from .../archives/less_394-4_i386.deb) ...
Setting up less (394-4) ...
14:56:47
#ps aux |grep snort |less
14:56:50
#ps auxww
snort     8616  1.2 14.1  75032 73060 ?        Ss   07:53   0:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_N
64 bytes from 192.168.15.201: icmp_seq=196 ttl=64 time=0.215 ms
ET=[192.168.15.201/32] -i eth0
64 bytes from 192.168.15.201: icmp_seq=197 ttl=64 time=0.216 ms
root      8767  0.0  0.1   2848   708 pts/12   R+   07:56   0:00 grep snort
64 bytes from 192.168.15.201: icmp_seq=198 ttl=64 time=0.216 ms
~
64 bytes from 192.168.15.201: icmp_seq=199 ttl=64 time=0.209 ms
~
64 bytes from 192.168.15.201: icmp_seq=200 ttl=64 time=0.210 ms
...
64 bytes from 192.168.15.201: icmp_seq=335 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=336 ttl=64 time=0.289 ms
64 bytes from 192.168.15.201: icmp_seq=337 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=338 ttl=64 time=0.267 ms
64 bytes from 192.168.15.201: icmp_seq=339 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=340 ttl=64 time=0.254 ms
64 bytes from 192.168.15.201: icmp_seq=341 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=342 ttl=64 time=0.232 ms
64 bytes from 192.168.15.201: icmp_seq=343 ttl=64 time=0.244 ms
64 bytes from 192.168.15.201: icmp_seq=344 ttl=64 time=0.200 ms
14:56:57
#ps auxvv
ERROR: Conflicting format options.
********* simple selection *********  ********* selection by list *********
-A all processes                      -C by command name
-N negate selection                   -G by real group ID (supports names)
-a all w/ tty except session leaders  -U by real user ID (supports names)
-d all except session leaders         -g by session OR by effective group name
-e all processes                      -p by process ID
T  all processes on this terminal     -s processes in the sessions given
a  all w/ tty, including other users  -t by tty
g  OBSOLETE -- DO NOT USE             -u by effective user ID (supports names)
...
-o,o user-defined  -f full            --Group --User --pid --cols --ppid
-j,j job control   s  signal          --group --user --sid --rows --info
-O,O preloaded -o  v  virtual memory  --cumulative --format --deselect
-l,l long          u  user-oriented   --sort --tty --forest --version
-F   extra full    X  registers       --heading --no-heading --context
                    ********* misc options *********
-V,V  show version      L  list format codes  f  ASCII art forest
-m,m,-L,-T,H  threads   S  children in sum    -y change -l format
-M,Z  security data     c  true command name  -c scheduling class
-w,w  wide output       n  numeric WCHAN,UID  -H process hierarchy
14:57:03
#ps auxw
snort     8616  1.1 14.1  75032 73060 ?        Ss   07:53   0:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_N
ET=[192.168.15.201/32] -i eth0
root      8786  0.0  0.1   2852   708 pts/12   R+   07:57   0:00 grep snort
~
~
~
~
~
~
~
...
~
~
~
~
~
~
~
~
~
~
14:57:09
#ps auxw &
bash: syntax error near unexpected token `|'
14:57:13
#ps auxw |&
64 bytes from 192.168.15.201: icmp_seq=200 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=201 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=202 ttl=64 time=0.221 ms
64 bytes from 192.168.15.201: icmp_seq=203 ttl=64 time=0.221 ms
64 bytes from 192.168.15.201: icmp_seq=204 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=205 ttl=64 time=0.236 ms
64 bytes from 192.168.15.201: icmp_seq=206 ttl=64 time=0.221 ms
64 bytes from 192.168.15.201: icmp_seq=207 ttl=64 time=0.298 ms
64 bytes from 192.168.15.201: icmp_seq=208 ttl=64 time=0.315 ms
64 bytes from 192.168.15.201: icmp_seq=209 ttl=64 time=0.210 ms
...
64 bytes from 192.168.15.201: icmp_seq=339 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=340 ttl=64 time=0.254 ms
64 bytes from 192.168.15.201: icmp_seq=341 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=342 ttl=64 time=0.232 ms
64 bytes from 192.168.15.201: icmp_seq=343 ttl=64 time=0.244 ms
64 bytes from 192.168.15.201: icmp_seq=344 ttl=64 time=0.200 ms
64 bytes from 192.168.15.201: icmp_seq=345 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=346 ttl=64 time=0.239 ms
64 bytes from 192.168.15.201: icmp_seq=347 ttl=64 time=0.218 ms
bash: syntax error near unexpected token `&'
14:57:18
#ps auxw 2>&1
snort     8616  1.1 14.1  75032 73060 ?        Ss   07:53   0:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_N
ET=[192.168.15.201/32] -i eth0
root      8804  0.0  0.1   2848   704 pts/12   R+   07:57   0:00 grep snort
~
~
~
~
~
~
~
...
~
~
~
~
~
~
~
~
~
~
14:57:25
#ps auxw 2>&1 |grep snort 2>&1
snort     8616  1.0 14.1  75032 73060 ?        Ss   07:53   0:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_N
64 bytes from 192.168.15.201: icmp_seq=202 ttl=64 time=0.221 ms
ET=[192.168.15.201/32] -i eth0
64 bytes from 192.168.15.201: icmp_seq=203 ttl=64 time=0.221 ms
root      8812  0.0  0.1   2848   704 pts/12   R+   07:57   0:00 grep snort
64 bytes from 192.168.15.201: icmp_seq=204 ttl=64 time=0.206 ms
~
64 bytes from 192.168.15.201: icmp_seq=205 ttl=64 time=0.236 ms
~
64 bytes from 192.168.15.201: icmp_seq=206 ttl=64 time=0.221 ms
...
64 bytes from 192.168.15.201: icmp_seq=341 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=342 ttl=64 time=0.232 ms
64 bytes from 192.168.15.201: icmp_seq=343 ttl=64 time=0.244 ms
64 bytes from 192.168.15.201: icmp_seq=344 ttl=64 time=0.200 ms
64 bytes from 192.168.15.201: icmp_seq=345 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=346 ttl=64 time=0.239 ms
64 bytes from 192.168.15.201: icmp_seq=347 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=348 ttl=64 time=0.199 ms
64 bytes from 192.168.15.201: icmp_seq=349 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=350 ttl=64 time=0.213 ms
14:57:38
#vi /etc/snort/snort.eth0.conf
14:59:29
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
14:59:33
#cd /var/log/snort/
64 bytes from 192.168.15.201: icmp_seq=226 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=227 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=228 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=229 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=230 ttl=64 time=0.247 ms
64 bytes from 192.168.15.201: icmp_seq=231 ttl=64 time=0.246 ms
64 bytes from 192.168.15.201: icmp_seq=232 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=233 ttl=64 time=0.286 ms
64 bytes from 192.168.15.201: icmp_seq=234 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=235 ttl=64 time=0.214 ms
...
64 bytes from 192.168.15.201: icmp_seq=365 ttl=64 time=0.255 ms
64 bytes from 192.168.15.201: icmp_seq=366 ttl=64 time=0.202 ms
64 bytes from 192.168.15.201: icmp_seq=367 ttl=64 time=0.302 ms
64 bytes from 192.168.15.201: icmp_seq=368 ttl=64 time=0.259 ms
64 bytes from 192.168.15.201: icmp_seq=369 ttl=64 time=0.231 ms
64 bytes from 192.168.15.201: icmp_seq=370 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=371 ttl=64 time=0.258 ms
64 bytes from 192.168.15.201: icmp_seq=372 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=373 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=374 ttl=64 time=0.234 ms
14:59:40
#ls
alert  snort.alert.1182599973  snort.log.1182599973  tcpdump.log.1182597013  tcpdump.log.1182598437  tcpdump.log.1182599534  tcpdump.log.1182599973
14:59:41
#ls -l
total 20
-rw-r----- 1 snort adm  453 2007-06-23 07:43 alert
-rw-r----- 1 root  adm   16 2007-06-23 07:59 snort.alert.1182599973
-rw-r----- 1 root  adm   24 2007-06-23 07:59 snort.log.1182599973
-rw-r----- 1 snort adm   24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 snort adm 1189 2007-06-23 07:43 tcpdump.log.1182598437
-rw-r----- 1 root  adm    0 2007-06-23 07:52 tcpdump.log.1182599534
-rw-r----- 1 root  adm    0 2007-06-23 07:59 tcpdump.log.1182599973
14:59:44
#date
Sat Jun 23 07:59:46 EDT 2007
14:59:46
#ls -l
64 bytes from 192.168.15.201: icmp_seq=245 ttl=64 time=0.242 ms
64 bytes from 192.168.15.201: icmp_seq=246 ttl=64 time=0.247 ms
64 bytes from 192.168.15.201: icmp_seq=247 ttl=64 time=0.241 ms
64 bytes from 192.168.15.201: icmp_seq=248 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=249 ttl=64 time=0.315 ms
64 bytes from 192.168.15.201: icmp_seq=250 ttl=64 time=0.170 ms
64 bytes from 192.168.15.201: icmp_seq=251 ttl=64 time=0.225 ms
64 bytes from 192.168.15.201: icmp_seq=252 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=253 ttl=64 time=0.259 ms
64 bytes from 192.168.15.201: icmp_seq=254 ttl=64 time=0.207 ms
...
64 bytes from 192.168.15.201: icmp_seq=384 ttl=64 time=0.187 ms
64 bytes from 192.168.15.201: icmp_seq=385 ttl=64 time=0.210 ms
total 20
-rw-r----- 1 snort adm  453 2007-06-23 07:43 alert
-rw-r----- 1 root  adm   16 2007-06-23 07:59 snort.alert.1182599973
-rw-r----- 1 root  adm   24 2007-06-23 07:59 snort.log.1182599973
-rw-r----- 1 snort adm   24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 snort adm 1189 2007-06-23 07:43 tcpdump.log.1182598437
-rw-r----- 1 root  adm    0 2007-06-23 07:52 tcpdump.log.1182599534
-rw-r----- 1 root  adm    0 2007-06-23 07:59 tcpdump.log.1182599973
15:00:42
#date
64 bytes from 192.168.15.201: icmp_seq=241 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=242 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=243 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=244 ttl=64 time=0.279 ms
64 bytes from 192.168.15.201: icmp_seq=245 ttl=64 time=0.242 ms
64 bytes from 192.168.15.201: icmp_seq=246 ttl=64 time=0.247 ms
64 bytes from 192.168.15.201: icmp_seq=247 ttl=64 time=0.241 ms
64 bytes from 192.168.15.201: icmp_seq=248 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=249 ttl=64 time=0.315 ms
64 bytes from 192.168.15.201: icmp_seq=250 ttl=64 time=0.170 ms
...
64 bytes from 192.168.15.201: icmp_seq=380 ttl=64 time=0.249 ms
64 bytes from 192.168.15.201: icmp_seq=381 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=382 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=383 ttl=64 time=0.202 ms
64 bytes from 192.168.15.201: icmp_seq=384 ttl=64 time=0.187 ms
64 bytes from 192.168.15.201: icmp_seq=385 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=386 ttl=64 time=0.275 ms
64 bytes from 192.168.15.201: icmp_seq=387 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=388 ttl=64 time=0.211 ms
Sat Jun 23 08:00:51 EDT 2007
15:00:51
#ls -l
total 20
-rw-r----- 1 snort adm  453 2007-06-23 07:43 alert
-rw-r----- 1 root  adm   16 2007-06-23 07:59 snort.alert.1182599973
-rw-r----- 1 root  adm   24 2007-06-23 07:59 snort.log.1182599973
-rw-r----- 1 snort adm   24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 snort adm 1189 2007-06-23 07:43 tcpdump.log.1182598437
-rw-r----- 1 root  adm    0 2007-06-23 07:52 tcpdump.log.1182599534
-rw-r----- 1 root  adm    0 2007-06-23 07:59 tcpdump.log.1182599973
15:00:55
#ls -l
total 20
-rw-r----- 1 snort adm  453 2007-06-23 07:43 alert
-rw-r----- 1 root  adm   16 2007-06-23 07:59 snort.alert.1182599973
-rw-r----- 1 root  adm   24 2007-06-23 07:59 snort.log.1182599973
-rw-r----- 1 snort adm   24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 snort adm 1189 2007-06-23 07:43 tcpdump.log.1182598437
-rw-r----- 1 root  adm    0 2007-06-23 07:52 tcpdump.log.1182599534
-rw-r----- 1 root  adm    0 2007-06-23 07:59 tcpdump.log.1182599973
15:00:56
#tail -f *
64 bytes from 192.168.15.201: icmp_seq=299 ttl=64 time=0.245 ms
64 bytes from 192.168.15.201: icmp_seq=300 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=301 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=302 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=303 ttl=64 time=0.225 ms
64 bytes from 192.168.15.201: icmp_seq=304 ttl=64 time=0.203 ms
64 bytes from 192.168.15.201: icmp_seq=305 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=306 ttl=64 time=0.260 ms
64 bytes from 192.168.15.201: icmp_seq=307 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=308 ttl=64 time=0.195 ms
...
¿
 }ȨÀɨÀ{o
==> snort.log.1182599973 <==
Šàñ¿¿
     }FuuF±
ÔÑET@@™·À¨ÈÀ¨É{o@rÁÉÕ¶† †¥
==> tcpdump.log.1182599973 <==
Ôò¡ê¿
      }FuuF±
ÔÑET@@™·À¨ÈÀ¨É{o@rÁÉÕ¶† †¥
15:02:17
#tail -f *
ÏO† †¥
64 bytes from 192.168.15.201: icmp_seq=366 ttl=64 time=0.202 ms
==> tcpdump.log.1182599973 <==
64 bytes from 192.168.15.201: icmp_seq=367 ttl=64 time=0.302 ms
Ö
bbuuF±es from 192.168.15.201: icmp_seq=368 ttl=64 time=0.259 ms
ÔÑET@@™·À¨ÈÀ¨Éo@ã.168.15.201: icmp_seq=369 ttl=64 time=0.231 ms
64 bytes from 192.168.15.201: icmp_seq=370 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=371 ttl=64 time=0.258 ms
64 bytes from 192.168.15.201: icmp_seq=372 ttl=64 time=0.210 ms
...
Õ
 }F¸bbuuF±
ÔÑET@@™·À¨ÈÀ¨Éüo@Œ[ÉÞj† †¥
==> snort.alert.1182599973 <==
Ö
Ö}F¹ç
ȨÀɨÀo
==> snort.log.1182599973 <==
ràñ¿Ö
bbuuF±F¹ç
15:03:49
#ls -l
total 24
-rw-r----- 1 snort adm  453 2007-06-23 07:43 alert
-rw-r----- 1 root  adm  272 2007-06-23 08:02 snort.alert.1182599973
-rw-r----- 1 root  adm  640 2007-06-23 08:02 snort.log.1182599973
-rw-r----- 1 snort adm   24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 snort adm 1189 2007-06-23 07:43 tcpdump.log.1182598437
-rw-r----- 1 root  adm    0 2007-06-23 07:52 tcpdump.log.1182599534
-rw-r----- 1 root  adm  480 2007-06-23 08:02 tcpdump.log.1182599973
15:03:55
#tail -f *
ÏO† †¥æàñ¿æ
64 byte}FÅzbbuuF±uuF±.15.201: icmp_seq=312 ttl=64 time=0.217 ms
ÔÑET@@™·À¨ÈÀ¨É19o@}]cÝlx† †¥: icmp_seq=313 ttl=64 time=0.243 ms
==> tcpdump.log.1182597013 <==icmp_seq=314 ttl=64 time=0.272 ms
Ôò¡êtes from 192.168.15.201: icmp_seq=315 ttl=64 time=0.220 ms
==> tcpdump.log.1182598437 <==icmp_seq=316 ttl=64 time=0.234 ms
M}Fä¼´´MACDADMACDAE¦@ÿØwÀ¨ÉÀ¨ÈPriority Count: 564 time=0.228 ms
Connection Count: 128.15.201: icmp_seq=318 ttl=64 time=0.275 ms
IP Count: 1om 192.168.15.201: icmp_seq=319 ttl=64 time=0.235 ms
Scanner IP Range: 192.168.15.201:192.168.15.20164 time=0.223 ms
...
ȨÀɨÀoæ
        }FÅzæ
             }FÅzȨÀɨÀ o
==> snort.log.1182599973 <==
€­ÞÀÇÿÿêŠàñ¿¿
             }FuuF±
ÔÑET@@™·À¨ÈÀ¨É{o@rÁÉÕ¶† †¥ràñ¿Õ
                               }F¸bbuuF±
ÔÑET@@™·À¨ÈÀ¨Éüo@Œ[ÉÞj† †¥ràñ¿Ö
bbuuF±                         }F¹ç
15:04:57
#ls
alert  snort.alert.1182599973  snort.log.1182599973  tcpdump.log.1182597013  tcpdump.log.1182598437  tcpdump.log.1182599534  tcpdump.log.1182599973
15:05:03
# /etc/snort/
64 bytes from 192.168.15.201: icmp_seq=297 ttl=64 time=0.277 ms
64 bytes from 192.168.15.201: icmp_seq=298 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=299 ttl=64 time=0.245 ms
64 bytes from 192.168.15.201: icmp_seq=300 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=301 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=302 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=303 ttl=64 time=0.225 ms
64 bytes from 192.168.15.201: icmp_seq=304 ttl=64 time=0.203 ms
64 bytes from 192.168.15.201: icmp_seq=305 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=306 ttl=64 time=0.260 ms
...
64 bytes from 192.168.15.201: icmp_seq=436 ttl=64 time=0.244 ms
64 bytes from 192.168.15.201: icmp_seq=437 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=438 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=439 ttl=64 time=0.226 ms
64 bytes from 192.168.15.201: icmp_seq=440 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=441 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=442 ttl=64 time=0.260 ms
64 bytes from 192.168.15.201: icmp_seq=443 ttl=64 time=0.222 ms
64 bytes from 192.168.15.201: icmp_seq=444 ttl=64 time=0.208 ms
bash: /etc/snort/: is a directory
15:05:42
#cd /etc/snort/
64 bytes from 192.168.15.201: icmp_seq=299 ttl=64 time=0.245 ms
64 bytes from 192.168.15.201: icmp_seq=300 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=301 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=302 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=303 ttl=64 time=0.225 ms
64 bytes from 192.168.15.201: icmp_seq=304 ttl=64 time=0.203 ms
64 bytes from 192.168.15.201: icmp_seq=305 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=306 ttl=64 time=0.260 ms
64 bytes from 192.168.15.201: icmp_seq=307 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=308 ttl=64 time=0.195 ms
...
64 bytes from 192.168.15.201: icmp_seq=438 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=439 ttl=64 time=0.226 ms
64 bytes from 192.168.15.201: icmp_seq=440 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=441 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=442 ttl=64 time=0.260 ms
64 bytes from 192.168.15.201: icmp_seq=443 ttl=64 time=0.222 ms
64 bytes from 192.168.15.201: icmp_seq=444 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=445 ttl=64 time=0.233 ms
64 bytes from 192.168.15.201: icmp_seq=446 ttl=64 time=0.265 ms
64 bytes from 192.168.15.201: icmp_seq=447 ttl=64 time=0.273 ms
15:05:50
#vi snort.eth0.conf
513c513
< #output database: log, mysql, user=root password=password dbname=snort_log host=localhost
---
> output database: log, mysql, user=root password=password dbname=snort_log host=localhost
15:07:04
#mysql
64 bytes from 192.168.15.201: icmp_seq=319 ttl=64 time=0.235 ms
64 bytes from 192.168.15.201: icmp_seq=320 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=321 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=322 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=323 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=324 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=325 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=326 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=327 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=328 ttl=64 time=0.207 ms
...
64 bytes from 192.168.15.201: icmp_seq=458 ttl=64 time=0.225 ms
64 bytes from 192.168.15.201: icmp_seq=459 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=460 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=461 ttl=64 time=0.250 ms
64 bytes from 192.168.15.201: icmp_seq=462 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=463 ttl=64 time=0.198 ms
64 bytes from 192.168.15.201: icmp_seq=464 ttl=64 time=0.391 ms
64 bytes from 192.168.15.201: icmp_seq=465 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=466 ttl=64 time=0.287 ms
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
15:07:19
#mysql -r
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
15:07:23
#mysql -p
64 bytes from 192.168.15.201: icmp_seq=384 ttl=64 time=0.187 ms
64 bytes from 192.168.15.201: icmp_seq=385 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=386 ttl=64 time=0.275 ms
64 bytes from 192.168.15.201: icmp_seq=387 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=388 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=389 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=390 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=391 ttl=64 time=0.251 ms
64 bytes from 192.168.15.201: icmp_seq=392 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=393 ttl=64 time=0.223 ms
...
| sensor              |
| sig_class           |
| sig_reference       |
| signature           |
| tcphdr              |
| udphdr              |
+---------------------+
16 rows in set (0.00 sec)
mysql> exit
Bye
15:08:28
#/etc/init.d/snort restart
64 bytes from 192.168.15.201: icmp_seq=336 ttl=64 time=0.289 ms
64 bytes from 192.168.15.201: icmp_seq=337 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=338 ttl=64 time=0.267 ms
64 bytes from 192.168.15.201: icmp_seq=339 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=340 ttl=64 time=0.254 ms
64 bytes from 192.168.15.201: icmp_seq=341 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=342 ttl=64 time=0.232 ms
64 bytes from 192.168.15.201: icmp_seq=343 ttl=64 time=0.244 ms
64 bytes from 192.168.15.201: icmp_seq=344 ttl=64 time=0.200 ms
64 bytes from 192.168.15.201: icmp_seq=345 ttl=64 time=0.240 ms
...
64 bytes from 192.168.15.201: icmp_seq=475 ttl=64 time=0.228 ms
64 bytes from 192.168.15.201: icmp_seq=476 ttl=64 time=0.304 ms
64 bytes from 192.168.15.201: icmp_seq=477 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=478 ttl=64 time=0.271 ms
64 bytes from 192.168.15.201: icmp_seq=479 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=480 ttl=64 time=0.255 ms
64 bytes from 192.168.15.201: icmp_seq=481 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=482 ttl=64 time=0.201 ms
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
15:08:37
#cd /aide/base
64 bytes from 192.168.15.201: icmp_seq=338 ttl=64 time=0.267 ms
64 bytes from 192.168.15.201: icmp_seq=339 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=340 ttl=64 time=0.254 ms
64 bytes from 192.168.15.201: icmp_seq=341 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=342 ttl=64 time=0.232 ms
64 bytes from 192.168.15.201: icmp_seq=343 ttl=64 time=0.244 ms
64 bytes from 192.168.15.201: icmp_seq=344 ttl=64 time=0.200 ms
64 bytes from 192.168.15.201: icmp_seq=345 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=346 ttl=64 time=0.239 ms
64 bytes from 192.168.15.201: icmp_seq=347 ttl=64 time=0.218 ms
...
64 bytes from 192.168.15.201: icmp_seq=477 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=478 ttl=64 time=0.271 ms
64 bytes from 192.168.15.201: icmp_seq=479 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=480 ttl=64 time=0.255 ms
64 bytes from 192.168.15.201: icmp_seq=481 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=482 ttl=64 time=0.201 ms
64 bytes from 192.168.15.201: icmp_seq=483 ttl=64 time=0.264 ms
64 bytes from 192.168.15.201: icmp_seq=484 ttl=64 time=0.228 ms
64 bytes from 192.168.15.201: icmp_seq=485 ttl=64 time=0.214 ms
bash: cd: /aide/base: No such file or directory
15:08:55
#cd /etc/aide/
64 bytes from 192.168.15.201: icmp_seq=339 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=340 ttl=64 time=0.254 ms
64 bytes from 192.168.15.201: icmp_seq=341 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=342 ttl=64 time=0.232 ms
64 bytes from 192.168.15.201: icmp_seq=343 ttl=64 time=0.244 ms
64 bytes from 192.168.15.201: icmp_seq=344 ttl=64 time=0.200 ms
64 bytes from 192.168.15.201: icmp_seq=345 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=346 ttl=64 time=0.239 ms
64 bytes from 192.168.15.201: icmp_seq=347 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=348 ttl=64 time=0.199 ms
...
64 bytes from 192.168.15.201: icmp_seq=478 ttl=64 time=0.271 ms
64 bytes from 192.168.15.201: icmp_seq=479 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=480 ttl=64 time=0.255 ms
64 bytes from 192.168.15.201: icmp_seq=481 ttl=64 time=0.272 ms
64 bytes from 192.168.15.201: icmp_seq=482 ttl=64 time=0.201 ms
64 bytes from 192.168.15.201: icmp_seq=483 ttl=64 time=0.264 ms
64 bytes from 192.168.15.201: icmp_seq=484 ttl=64 time=0.228 ms
64 bytes from 192.168.15.201: icmp_seq=485 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=486 ttl=64 time=0.287 ms
64 bytes from 192.168.15.201: icmp_seq=487 ttl=64 time=0.222 ms
15:09:07
#ls
aide.conf  aide.conf.d
15:09:09
#cd /etc/acidbase/
64 bytes from 192.168.15.201: icmp_seq=345 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=346 ttl=64 time=0.239 ms
64 bytes from 192.168.15.201: icmp_seq=347 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=348 ttl=64 time=0.199 ms
64 bytes from 192.168.15.201: icmp_seq=349 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=350 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=351 ttl=64 time=0.187 ms
64 bytes from 192.168.15.201: icmp_seq=352 ttl=64 time=0.243 ms
64 bytes from 192.168.15.201: icmp_seq=353 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=354 ttl=64 time=0.203 ms
...
64 bytes from 192.168.15.201: icmp_seq=484 ttl=64 time=0.228 ms
64 bytes from 192.168.15.201: icmp_seq=485 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=486 ttl=64 time=0.287 ms
64 bytes from 192.168.15.201: icmp_seq=487 ttl=64 time=0.222 ms
64 bytes from 192.168.15.201: icmp_seq=488 ttl=64 time=0.241 ms
64 bytes from 192.168.15.201: icmp_seq=489 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=490 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=491 ttl=64 time=0.200 ms
64 bytes from 192.168.15.201: icmp_seq=492 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=493 ttl=64 time=0.208 ms
15:09:42
#mysql -p
64 bytes from 192.168.15.201: icmp_seq=510 ttl=64 time=0.256 ms
64 bytes from 192.168.15.201: icmp_seq=511 ttl=64 time=0.285 ms
64 bytes from 192.168.15.201: icmp_seq=512 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=513 ttl=64 time=0.202 ms
64 bytes from 192.168.15.201: icmp_seq=514 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=515 ttl=64 time=0.203 ms
64 bytes from 192.168.15.201: icmp_seq=516 ttl=64 time=0.195 ms
64 bytes from 192.168.15.201: icmp_seq=517 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=518 ttl=64 time=0.221 ms
64 bytes from 192.168.15.201: icmp_seq=519 ttl=64 time=0.261 ms
...
mysql> select * from event;
Empty set (0.00 sec)
mysql> select * from event;
Empty set (0.00 sec)
mysql> select * from event;
Empty set (0.00 sec)
mysql> select * from event;
Empty set (0.00 sec)
mysql> exit
Bye
15:14:21
#cd /etc/aide/

15:14:26
#mysql -p
64 bytes from 192.168.15.201: icmp_seq=427 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=428 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=429 ttl=64 time=0.270 ms
64 bytes from 192.168.15.201: icmp_seq=430 ttl=64 time=0.203 ms
64 bytes from 192.168.15.201: icmp_seq=431 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=432 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=433 ttl=64 time=0.228 ms
64 bytes from 192.168.15.201: icmp_seq=434 ttl=64 time=0.257 ms
64 bytes from 192.168.15.201: icmp_seq=435 ttl=64 time=0.223 ms
64 bytes from 192.168.15.201: icmp_seq=436 ttl=64 time=0.244 ms
...
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> us snort_log
    -> ;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'us snort_log' at line 1
mysql> use snort_log;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tablesl
    -> Aborted
15:15:07
#mysql -p
mysql> select * from event;
Empty set (0.00 sec)
mysql> select * from event;
Empty set (0.02 sec)
mysql> select * from event;
Empty set (0.00 sec)
mysql> select * from event;
Empty set (0.00 sec)
mysql> select * from event;
Empty set (0.00 sec)
...
| signature           |
| tcphdr              |
| udphdr              |
+---------------------+
22 rows in set (0.00 sec)
mysql> select * from event
    -> q
    -> exit
    -> quit
    -> Aborted
/dev/pts/3
15:16:50
#vi /etc/snort/
15:16:50
#vi /etc/snort/snort.eth0.conf
513c513
< output database: log, mysql, user=root password=password dbname=snort_log host=localhost
---
> output database: log, mysql, user=root password="password" dbname=snort_log host=localhost
15:20:26
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
15:20:48
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
15:21:37
#vi /etc/snort/snort.eth0.conf
15:23:22
#vi /etc/snort/snort.eth0.conf
15:23:32
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
15:23:36
# vi /etc/snort/snort.eth0.conf
15:25:10
# vi /etc/snort/snort.eth0.conf
/dev/pts/9
15:25:58
#less /etc/snort/snort.
15:25:58
#less /etc/snort/snort.eth0.conf
15:26:52
#tail /var/log/daemon.log
Jun 23 08:28:58 s_all@linux2 snort:     Detect Protocols:  TCP UDP ICMP IP
Jun 23 08:28:58 s_all@linux2 snort:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
Jun 23 08:28:58 s_all@linux2 snort:     Sensitivity Level: Low
Jun 23 08:28:58 s_all@linux2 snort:     Memcap (in bytes): 10000000
Jun 23 08:28:58 s_all@linux2 snort:     Number of Nodes:   36900
Jun 23 08:28:58 s_all@linux2 snort:
Jun 23 08:28:58 s_all@linux2 snort: X-Link2State Config:
Jun 23 08:28:58 s_all@linux2 snort:     Ports: 25 691
Jun 23 08:28:58 s_all@linux2 snort: database: 'mysql' support is not compiled into this build of snort
Jun 23 08:28:58 s_all@linux2 snort: FATAL ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm, or Windows), then check for alternate builds that contains the necessary 'mysql' support.  If this build of snort was compiled by you, then re-run the the ./configure script using the '--with-mysql' switch. For non-standard installations of a database, the '--with-mysql=DIR' sy
/dev/pts/3
15:28:55
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
15:28:58
#apt-get install snort-mysql
Reading package lists... Done
Building dependency tree... Done
The following packages will be REMOVED:
  snort
The following NEW packages will be installed:
  snort-mysql
0 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
Need to get 0B/364kB of archives.
After unpacking 28.7kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Preconfiguring packages ...
(Reading database ... 27937 files and directories currently installed.)
Removing snort ...
Stopping Network Intrusion Detection System: snort(eth0).
Selecting previously deselected package snort-mysql.
(Reading database ... 27914 files and directories currently installed.)
Unpacking snort-mysql (from .../snort-mysql_2.3.3-11_i386.deb) ...
Setting up snort-mysql (2.3.3-11) ...
No snort instance found to be stopped!
Starting Network Intrusion Detection System: snort(eth0).
/dev/pts/9
15:29:15
#dpkg -l | grep snoryt

15:29:44
#dpkg -l | grep snort
ii  snort                            2.3.3-11                        Flexible Network Intrusion Detection System
ii  snort-common                     2.3.3-11                        Flexible Network Intrusion Detection System
rc  snort-mysql                      2.3.3-11                        Flexible Network Intrusion Detection System
ii  snort-rules-default              2.3.3-11                        Flexible Network Intrusion Detection System
15:29:45
#tail /var/log/daemon.log
Jun 23 08:32:25 s_all@linux2 snort:     Detect Protocols:  TCP UDP ICMP IP
Jun 23 08:32:25 s_all@linux2 snort:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
Jun 23 08:32:25 s_all@linux2 snort:     Sensitivity Level: Low
Jun 23 08:32:25 s_all@linux2 snort:     Memcap (in bytes): 10000000
Jun 23 08:32:25 s_all@linux2 snort:     Number of Nodes:   36900
Jun 23 08:32:25 s_all@linux2 snort:
Jun 23 08:32:25 s_all@linux2 snort: X-Link2State Config:
Jun 23 08:32:25 s_all@linux2 snort:     Ports: 25 691
Jun 23 08:32:25 s_all@linux2 snort: database: 'postgresql' support is not compiled into this build of snort
Jun 23 08:32:25 s_all@linux2 snort: FATAL ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm, or Windows), then check for alternate builds that contains the necessary 'postgresql' support.  If this build of snort was compiled by you, then re-run the the ./configure script using the '--with-postgresql' switch. For non-standard installations of a database, the '--with-pos
/dev/pts/3
15:30:05
# vi /etc/snort/snort.eth0.conf
15:30:35
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
15:30:38
#vi /var/log/
15:30:38
#vi /var/log/daemon.log
7089a7090,7092
> Jun 23 08:31:15 s_all@linux2 dhclient: DHCPREQUEST on eth0 to 192.168.15.254 port 67
> Jun 23 08:31:15 s_all@linux2 dhclient: DHCPACK from 192.168.15.254
> Jun 23 08:31:15 s_all@linux2 dhclient: bound to 192.168.15.201 -- renewal in 281 seconds.
15:31:51
# vi /etc/snort/snort.eth0.conf
513,514c513,514
< output database: log, mysql, user=root password="password" dbname=snort_log host=localhost
< output database: alert, mysql, user=root password="password" dbname=snort_log host=localhost
---
> output database: log, mysql, user=root password=password dbname=snort_log host=localhost
> output database: alert, mysql, user=root password=password dbname=snort_log host=localhost
15:32:21
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0)^[[A.
15:32:25
#vi /var/log/daemon.log
/dev/pts/9
15:33:03
#echo http://xgu.ru/wiki/Sneeze | wall

/dev/pts/3
15:33:08
# vi /etc/snort/snort.eth0.conf
515c515
< output database: alert, postgresql, user=snort dbname=snort
---
> #output database: alert, postgresql, user=snort dbname=snort
15:33:33
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
15:33:36
#tail -f /var/log/daemon.log
Jun 23 08:33:38 s_all@linux2 snort: | gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2
Jun 23 08:33:38 s_all@linux2 snort: | gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2
Jun 23 08:33:38 s_all@linux2 snort: | gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2
Jun 23 08:33:38 s_all@linux2 snort: | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
Jun 23 08:33:38 s_all@linux2 snort: +-----------------------[suppression]------------------------------------------
Jun 23 08:33:38 s_all@linux2 snort: | none
Jun 23 08:33:38 s_all@linux2 snort: +------------------------------------------------------------------------------
Jun 23 08:33:38 s_all@linux2 snort: Rule application order: ->activation->dynamic->alert->pass->log
Jun 23 08:33:38 s_all@linux2 snort: Log directory = /var/log/snort
Jun 23 08:33:39 s_all@linux2 snort: Snort initialization completed successfully (pid=9702)
...
Jun 23 08:34:36 s_all@linux2 snort: database: mysql_error: Duplicate entry '1-5' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '5', '3', '2007-06-23 08:34:36.744+-04')
Jun 23 08:34:36 s_all@linux2 snort: database: mysql_error: Duplicate entry '1-6' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '6', '4', '2007-06-23 08:34:36.744+-04')
Jun 23 08:34:36 s_all@linux2 snort: database: mysql_error: Duplicate entry '1-7' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '7', '1', '2007-06-23 08:34:36.954+-04')
Jun 23 08:34:36 s_all@linux2 snort: database: mysql_error: Duplicate entry '1-8' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '8', '2', '2007-06-23 08:34:36.954+-04')
Jun 23 08:34:36 s_all@linux2 snort: database: mysql_error: Duplicate entry '1-9' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '9', '5', '2007-06-23 08:34:36.954+-04')
Jun 23 08:34:36 s_all@linux2 snort: database: mysql_error: Duplicate entry '1-10' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '10', '1', '2007-06-23 08:34:36.971+-04')
Jun 23 08:34:36 s_all@linux2 snort: database: mysql_error: Duplicate entry '1-11' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '11', '2', '2007-06-23 08:34:36.971+-04')
Jun 23 08:34:36 s_all@linux2 snort: database: mysql_error: Duplicate entry '1-12' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '12', '1', '2007-06-23 08:34:36.974+-04')
Jun 23 08:34:36 s_all@linux2 snort: database: mysql_error: Duplicate entry '1-13' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '13', '2', '2007-06-23 08:34:36.974+-04')
q
15:35:15
#cd /etc/acidbase/

15:35:55
#ls
apache.conf  base_conf.php  database.php
15:35:56
#cat apache.conf
<IfModule mod_alias.c>
  Alias /acidbase "/usr/share/acidbase"
</IfModule>
<DirectoryMatch /usr/share/acidbase/>
  Options +FollowSymLinks
  AllowOverride None
  order deny,allow
  deny from all
  allow from 127.0.0.0/255.0.0.0
  <IfModule mod_php4.c>
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
    php_value include_path .:/usr/share/php
  </IfModule>
</DirectoryMatch>
15:36:02
#apt-get install acidbase
Reading package lists... Done
Building dependency tree... Done
acidbase is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
/dev/pts/9
15:38:55
#echo http://xgu.ru/wiki/Sneeze | wall

/dev/pts/3
15:39:47
#cd /tmp/

15:39:52
#wget http://xgu.ru/downloads/sneeze.pl
--08:40:08--  http://xgu.ru/downloads/sneeze.pl
           => `sneeze.pl'
Resolving xgu.ru... 194.150.93.78
Connecting to xgu.ru|194.150.93.78|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7,141 (7.0K) [text/x-perl]
100%[=============================================================================================================================>] 7,141         --.--K/s
08:40:08 (83.41 MB/s) - `sneeze.pl' saved [7141/7141]
15:40:08
#apt-get install libnet-rawip-perl
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libpcap0.7
The following NEW packages will be installed:
  libnet-rawip-perl libpcap0.7
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 139kB of archives.
After unpacking 422kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://debian.org.ua etch/main libpcap0.7 0.7.2-7 [69.8kB]
Get:2 http://debian.org.ua etch/main libnet-rawip-perl 0.20-2 [69.3kB]
Fetched 139kB in 0s (823kB/s)
Selecting previously deselected package libpcap0.7.
(Reading database ... 27938 files and directories currently installed.)
Unpacking libpcap0.7 (from .../libpcap0.7_0.7.2-7_i386.deb) ...
Selecting previously deselected package libnet-rawip-perl.
Unpacking libnet-rawip-perl (from .../libnet-rawip-perl_0.20-2_i386.deb) ...
Setting up libpcap0.7 (0.7.2-7) ...
Setting up libnet-rawip-perl (0.20-2) ...
15:40:29
#perl /tmp/sneeze.pl
Usage /tmp/sneeze.pl -d <dest host> -f <rule file> [options]
        -c count        Loop X times. -1 == forever. Default is 1.
        -s ip           Spoof this IP as source. Default is your IP.
        -p port         Force use of this source port.
        -i interface    Outbound interface. Default is eth0.
        -x debug        Turn on debugging information.
        -h help         Duh? This is it.

Файлы

  • apache.conf
  • apache.conf
    >
    <IfModule mod_alias.c>
      # Publish the BASE console under the /acidbase URL path.
      Alias /acidbase "/usr/share/acidbase"
    </IfModule>
    <DirectoryMatch /usr/share/acidbase/>
      Options +FollowSymLinks
      # No per-directory .htaccess overrides inside the console tree.
      AllowOverride None
      # With "order deny,allow" the deny rule is evaluated first and a matching
      # allow rule wins: every client is refused except the 127.0.0.0/8
      # loopback range, so the console is reachable only from the sensor host
      # itself (widen this deliberately, not by deleting "deny from all").
      order deny,allow
      deny from all
      allow from 127.0.0.0/255.0.0.0
      <IfModule mod_php4.c>
        # magic_quotes_gpc is off, so request data is not auto-escaped by PHP;
        # presumably BASE escapes values itself before building queries — verify.
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_value include_path .:/usr/share/php
      </IfModule>
    </DirectoryMatch>
    

    Статистика

    Время первой команды журнала14:46:35 2007- 6-23
    Время последней команды журнала15:40:29 2007- 6-23
    Количество командных строк в журнале101
    Процент команд с ненулевым кодом завершения, %11.88
    Процент синтаксически неверно набранных команд, % 1.98
    Суммарное время работы с терминалом *, час 0.90
    Количество командных строк в единицу времени, команда/мин 1.87
    Частота использования команд
    ps18|==============| 14.40%
    vi15|============| 12.00%
    grep12|=========| 9.60%
    /etc/init.d/snort10|========| 8.00%
    ls9|=======| 7.20%
    cd8|======| 6.40%
    mysql6|====| 4.80%
    tail6|====| 4.80%
    less5|====| 4.00%
    apt-get5|====| 4.00%
    diff3|==| 2.40%
    &3|==| 2.40%
    dpkg2|=| 1.60%
    dpkg-reconfigure2|=| 1.60%
    echo2|=| 1.60%
    wc2|=| 1.60%
    12|=| 1.60%
    killall2|=| 1.60%
    wall2|=| 1.60%
    date2|=| 1.60%
    more1|| 0.80%
    wget1|| 0.80%
    perl1|| 0.80%
    snort1|| 0.80%
    vim1|| 0.80%
    scp1|| 0.80%
    /etc/snort/1|| 0.80%
    cat1|| 0.80%
    apt-cache1|| 0.80%
    ____
    *) Интервалы неактивности длительностью 30 минут и более не учитываются

    Справка

    Для того чтобы использовать LiLaLo, не нужно знать ничего особенного: всё происходит само собой. Однако, чтобы ведение и последующее использование журналов было как можно более эффективным, желательно иметь в виду следующее:
    1. В журнал автоматически попадают все команды, данные в любом терминале системы.

    2. Для того чтобы убедиться, что журнал на текущем терминале ведётся, и команды записываются, дайте команду w. В поле WHAT, соответствующем текущему терминалу, должна быть указана программа script.

    3. Команды, при наборе которых были допущены синтаксические ошибки, выводятся перечёркнутым текстом:
      $ l s-l
      bash: l: command not found
      

    4. Если код завершения команды равен нулю, команда была выполнена без ошибок. Команды, код завершения которых отличен от нуля, выделяются цветом.
      $ test 5 -lt 4
      Обратите внимание на то, что код завершения команды может быть отличен от нуля не только в тех случаях, когда команда была выполнена с ошибкой. Многие команды используют код завершения, например, для того чтобы показать результаты проверки.

    5. Команды, ход выполнения которых был прерван пользователем, выделяются цветом.
      $ find / -name abc
      find: /home/devi-orig/.gnome2: Keine Berechtigung
      find: /home/devi-orig/.gnome2_private: Keine Berechtigung
      find: /home/devi-orig/.nautilus/metafiles: Keine Berechtigung
      find: /home/devi-orig/.metacity: Keine Berechtigung
      find: /home/devi-orig/.inkscape: Keine Berechtigung
      ^C
      

    6. Команды, выполненные с привилегиями суперпользователя, выделяются слева красной чертой.
      # id
      uid=0(root) gid=0(root) Gruppen=0(root)
      

    7. Изменения, внесённые в текстовый файл с помощью редактора, запоминаются и показываются в журнале в формате ed. Строки, начинающиеся символом "<", удалены, а строки, начинающиеся символом ">" -- добавлены.
      $ vi ~/.bashrc
      2a3,5
      >    if [ -f /usr/local/etc/bash_completion ]; then
      >         . /usr/local/etc/bash_completion
      >        fi
      

    8. Для того чтобы изменить файл в соответствии с показанными в диффшоте изменениями, можно воспользоваться командой patch. Нужно скопировать изменения, запустить программу patch, указав в качестве её аргумента файл, к которому применяются изменения, и вставить скопированный текст:
      $ patch ~/.bashrc
      В данном случае изменения применяются к файлу ~/.bashrc

    9. Для того чтобы получить краткую справочную информацию о команде, нужно подвести к ней мышь. Во всплывающей подсказке появится краткое описание команды.

      Если справочная информация о команде есть, команда выделяется голубым фоном, например: vi. Если справочная информация отсутствует, команда выделяется розовым фоном, например: notepad.exe. Справочная информация может отсутствовать в том случае, если (1) команда введена неверно; (2) если распознавание команды LiLaLo выполнено неверно; (3) если информация о команде неизвестна LiLaLo. Последнее возможно для редких команд.

    10. Большие, в особенности многострочные, всплывающие подсказки лучше всего показываются браузерами KDE Konqueror, Apple Safari и Microsoft Internet Explorer. В браузерах Mozilla и Firefox они отображаются не полностью, а вместо перевода строки выводится специальный символ.

    11. Время ввода команды, показанное в журнале, соответствует времени начала ввода командной строки, которое равно тому моменту, когда на терминале появилось приглашение интерпретатора.

    12. Имя терминала, на котором была введена команда, показано в специальном блоке. Этот блок показывается только в том случае, если терминал текущей команды отличается от терминала предыдущей.

    13. Вывод не интересующих вас в настоящий момент элементов журнала, таких как время, имя терминала и других, можно отключить. Для этого нужно воспользоваться формой управления журналом вверху страницы.

    14. Небольшие комментарии к командам можно вставлять прямо из командной строки. Комментарий вводится прямо в командную строку, после символов #^ или #v. Символы ^ и v показывают направление выбора команды, к которой относится комментарий: ^ - к предыдущей, v - к следующей. Например, если в командной строке было введено:

      $ whoami
      
      user
      
      $ #^ Интересно, кто я?
      
      в журнале это будет выглядеть так:
      $ whoami
      
      user
      
      Интересно, кто я?

    15. Если комментарий содержит несколько строк, его можно вставить в журнал следующим образом:

      $ whoami
      
      user
      
      $ cat > /dev/null #^ Интересно, кто я?
      
      Программа whoami выводит имя пользователя, под которым 
      мы зарегистрировались в системе.
      -
      Она не может ответить на вопрос о нашем назначении 
      в этом мире.
      
      В журнале это будет выглядеть так:
      $ whoami
      user
      
      Интересно, кто я?
      Программа whoami выводит имя пользователя, под которым
      мы зарегистрировались в системе.

      Она не может ответить на вопрос о нашем назначении
      в этом мире.
      Для разделения нескольких абзацев между собой используйте символ "-", один в строке.

    16. Комментарии, не относящиеся непосредственно ни к какой из команд, добавляются точно таким же способом, только вместо символов #^ или #v нужно использовать символы #=

    17. Содержимое файла может быть показано в журнале. Для этого его нужно вывести с помощью программы cat. Если вывод команды отметить символами #!, содержимое файла будет показано в журнале в специально отведённой для этого секции.
    18. Для того чтобы вставить скриншот интересующего вас окна в журнал, нужно воспользоваться командой l3shot. После того как команда вызвана, нужно с помощью мыши выбрать окно, которое должно быть в журнале.
    19. Команды в журнале расположены в хронологическом порядке. Если две команды давались одна за другой, но на разных терминалах, в журнале они будут рядом, даже если они не имеют друг к другу никакого отношения.
      1
          2
      3   
          4
      
      Группы команд, выполненных на разных терминалах, разделяются специальной линией. Под этой линией в правом углу показано имя терминала, на котором выполнялись команды. Для того чтобы посмотреть команды только одного сеанса, нужно щёлкнуть по этому названию.

    О программе

    LiLaLo (L3) расшифровывается как Live Lab Log.
    Программа разработана для повышения эффективности обучения Unix/Linux-системам.
    (c) Игорь Чубин, 2004-2008

    $Id$