Lab work log

Contents

Log

Saturday (06/23/07)

/dev/tty1
13:32:20
#apt-get install oinkmaster
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libarchive-tar-perl libcompress-zlib-perl libio-zlib-perl
Suggested packages:
  libio-string-perl
The following NEW packages will be installed:
  libarchive-tar-perl libcompress-zlib-perl libio-zlib-perl oinkmaster
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 215kB of archives.
...
Selecting previously deselected package libio-zlib-perl.
Unpacking libio-zlib-perl (from .../libio-zlib-perl_1.04-1_all.deb) ...
Selecting previously deselected package libarchive-tar-perl.
Unpacking libarchive-tar-perl (from .../libarchive-tar-perl_1.30-2_all.deb) ...
Selecting previously deselected package oinkmaster.
Unpacking oinkmaster (from .../oinkmaster_2.0-1_all.deb) ...
Setting up libcompress-zlib-perl (1.42-2) ...
Setting up libio-zlib-perl (1.04-1) ...
Setting up libarchive-tar-perl (1.30-2) ...
Setting up oinkmaster (2.0-1) ...
13:33:02
#oinkmaster
Error: no output directory specified.
Oinkmaster v2.0, Copyright (C) 2001-2006 Andreas Östling <andreaso@it.su.se>
Usage: oinkmaster -o <outdir> [options]
<outdir> is where to put the new files.
This should be the directory where you store your Snort rules.
Options:
-b <dir>  Backup your old rules into <dir> before overwriting them
-c        Careful mode (dry run) - check for changes but do not update anything
-C <file> Use this configuration file instead of the default
          May be specified multiple times to load multiple files
...
-S <file> Look for new variables in this file in the downloaded archive instead
          of the default (snort.conf). Used in conjunction with -U.
          May be specified multiple times to search multiple files.
-T        Config test - just check configuration file(s) for errors/warnings
-u <url>  Download from this URL instead of URL(s) in the configuration file
          (http|https|ftp|file|scp:// ... .tar.gz|.gz, or dir://<dir>)
          May be specified multiple times to grab multiple rules archives
-U <file> Merge new variables from downloaded snort.conf(s) into <file>
-v        Verbose mode (debug)
-V        Show version and exit
13:33:10
#/etc/
acidbase/            groff/               php4/
acpi/                gtk-2.0/             php5/
aide/                honeypot/            postgresql-common/
alternatives/        icedove/             ppp/
apache/              iceweasel/           rc0.d/
apache2/             init.d/              rc1.d/
apt/                 initramfs-tools/     rc2.d/
bash_completion.d/   ldap/                rc3.d/
calendar/            ld.so.conf.d/        rc4.d/
console/             logcheck/            rc5.d/
...
cron.monthly/        menu/                security/
cron.weekly/         menu-methods/        skel/
dbconfig-common/     modprobe.d/          snort/
default/             modutils/            ssh/
defoma/              mysql/               ssl/
devfs/               nessus/              syslog-ng/
dhcp3/               network/             terminfo/
dictionaries-common/ openoffice/          udev/
dpkg/                opt/                 vim/
emacs/               pam.d/               X11/
/dev/pts/5
13:35:29
#vi /etc/oinkmaster.conf
13:36:37
#vi /etc/oinkmaster.conf
163a164,165
> 
> 
13:44:55
#rsync
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.3.tar.gz  (try: 2) => `/var/run/oinkmaster/oinkmaster.9swzRlc2Pt/url.qnIs4lWnM8/snortrules.tar.gz'
Connecting to www.snort.org|199.107.65.177|:80... connected.
HTTP request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file.
10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
Oink, oink. Exiting...
[root@linux3:~]#
[root@linux3:~]#
[root@linux3:~]#
bash: rsync: command not found
13:45:06
#rsync
bash: rsync: command not found
13:45:17
#apt-get install rsync
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed:
  rsync
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 261kB of archives.
After unpacking 512kB of additional disk space will be used.
Get:1 http://debian.org.ua etch/main rsync 2.6.9-2 [261kB]
Fetched 261kB in 1s (152kB/s)
Selecting previously deselected package rsync.
(Reading database ... 27777 files and directories currently installed.)
Unpacking rsync (from .../rsync_2.6.9-2_i386.deb) ...
Setting up rsync (2.6.9-2) ...
13:45:32
#rsync
     --blocking-io           use blocking I/O for the remote shell
     --stats                 give some file-transfer stats
 -8, --8-bit-output          leave high-bit chars unescaped in output
 -h, --human-readable        output numbers in a human-readable format
     --progress              show progress during transfer
 -P                          same as --partial --progress
 -i, --itemize-changes       output a change-summary for all updates
     --out-format=FORMAT     output updates using the specified FORMAT
     --log-file=FILE         log what we're doing to the specified FILE
     --log-file-format=FMT   log updates using the specified FMT
13:45:44
#rsync linux3 /etc/o
oinkmaster.conf  openoffice/      opt/
13:45:44
#rsync linux3 /etc/oinkmaster.conf /etc/
Display all 151 possibilities? (y or n)
13:45:44
#rsync linux3 /etc/oinkmaster.conf /etc/oinkmaster.conf
rsync: link_stat "/root/linux3" failed: No such file or directory (2)
rsync error: some files could not be transferred (code 23) at main.c(977) [sender=2.6.9]
13:46:16
#rsync root@linux3 /etc/oinkmaster.conf /etc/oinkmaster.conf
rsync: link_stat "/root/root@linux3" failed: No such file or directory (2)
rsync error: some files could not be transferred (code 23) at main.c(977) [sender=2.6.9]
13:46:48
#rsync linux3/etc/oinkmaster.conf /etc/oinkmaster.conf
rsync: link_stat "/root/linux3/etc/oinkmaster.conf" failed: No such file or directory (2)
rsync error: some files could not be transferred (code 23) at main.c(977) [sender=2.6.9]
13:47:09
#rsync
rsync: link_stat "/root/linux3/etc/oinkmaster.conf" failed: No such file or directory (2)
rsync error: some files could not be transferred (code 23) at main.c(977) [sender=2.6.9]
13:47:16
#rsync
     --read-batch=FILE       read a batched update from FILE
     --protocol=NUM          force an older protocol version to be used
 -4, --ipv4                  prefer IPv4
 -6, --ipv6                  prefer IPv6
     --version               print version number
(-h) --help                  show this help (-h works with no other options)
Use "rsync --daemon --help" to see the daemon-mode command-line options.
Please see the rsync(1) and rsyncd.conf(5) man pages for full documentation.
See http://rsync.samba.org/ for updates, bug reports, and answers
rsync error: syntax or usage error (code 1) at main.c(1303) [client=2.6.9]
13:47:25
#rsync | more
13:47:34
#rsync -h
     --only-write-batch=FILE like --write-batch but w/o updating destination
     --read-batch=FILE       read a batched update from FILE
     --protocol=NUM          force an older protocol version to be used
 -4, --ipv4                  prefer IPv4
 -6, --ipv6                  prefer IPv6
     --version               print version number
(-h) --help                  show this help (-h works with no other options)
Use "rsync --daemon --help" to see the daemon-mode command-line options.
Please see the rsync(1) and rsyncd.conf(5) man pages for full documentation.
See http://rsync.samba.org/ for updates, bug reports, and answers
13:47:42
#rsync linux3 /etc/oinkmaster.conf /etc/oinkmaster.conf
rsync: link_stat "/root/linux3" failed: No such file or directory (2)
rsync error: some files could not be transferred (code 23) at main.c(977) [sender=2.6.9]
13:48:07
#q
bash: q: command not found
13:48:26
#man rsync
13:49:37
#rsync host:inux3 /etc/oinkmaster.conf /etc/oinkmas
     --min-size=SIZE         don't transfer any file smaller than SIZE
     --partial               keep partially transferred files
     --partial-dir=DIR       put a partially transferred file into DIR
     --delay-updates         put all updated files into place at transfer's end
 -m, --prune-empty-dirs      prune empty directory chains from the file-list
     --numeric-ids           don't map uid/gid values by user/group name
     --timeout=TIME          set I/O timeout in seconds
 -I, --ignore-times          don't skip files that match in size and mod-time
     --size-only             skip files that match in size
     --modify-window=NUM     compare mod-times with reduced accuracy
Segmentation fault
13:49:50
#rsync -host:linux3 /etc/oinkmaster.conf /etc/oinkmaster.conf
rsync: -host:linux3: unknown option
rsync error: syntax or usage error (code 1) at main.c(1318) [client=2.6.9]
13:50:03
#vi /etc/oinkmaster.conf
163c163
< 
---
> url = http://www.snort.org/pub-bin/oinkmaster.cgi/7ebe52b1134522c9b9ff42b8ff69f85ebda7d1d4/snortrules-snapshot-2.3.tar.gz
13:50:51
#oinkmaster -o /etc/snort/r
reference.config  rules/
13:50:51
#oinkmaster -o /etc/snort/rules/
Loading /etc/oinkmaster.conf
Downloading file from http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz...
/usr/sbin/oinkmaster: Error: could not download from http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz. Output from wget follows:
 --06:52:10--  http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
           => `/var/run/oinkmaster/oinkmaster.6hzLE0HUPG/url.VXsNKfd2Ag/snortrules.tar.gz'
Resolving www.snort.org... 199.107.65.177
Connecting to www.snort.org|199.107.65.177|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
06:52:11 ERROR 404: Not Found.
Oink, oink. Exiting...
13:52:11
#vi /etc/oinkmaster.conf
11c11
< url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
---
> #url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
13:53:15
#oinkmaster -o /etc/snort/rules/
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR nirvana 2.0 runtime detection - explore c drive"; flow:to_server,established; content:"|AC|kC|3A 5C|"; reference:url,www.megasecurity.org/trojans/n/nirvana/Nirvana2.0.html; classtype:trojan-activity; sid:10442; rev:1;)
        alert tcp $HOME_NET 2115 -> $EXTERNAL_NET any (msg:"BACKDOOR bugs runtime detection - file manager server-to-client"; flow:from_server,established; flowbits:isset,Bugs_InitConnection; content:"CURDIR "; nocase; reference:url,www.commodon.com/threat/threat-bugs.htm; classtype:trojan-activity; sid:6473; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection - get harddisk info"; flow:from_server,established; flowbits:isset,A_Trojan_GetHarddiskInfo; content:"infhd"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6092; rev:1;)
        alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"BACKDOOR alvgus 2000 runtime detection"; content:"fe"; depth:2; nocase; flowbits:set,Alvgus_ExecuteCommand; flowbits:noalert; classtype:trojan-activity; sid:6101; rev:1;)
        alert tcp $HOME_NET 9999 -> $EXTERNAL_NET any (msg:"BACKDOOR forced entry v1.1 beta runtime detection"; flow:from_server,established; content:"ForCed"; depth:6; nocase; content:"EnTrY"; distance:0; nocase; content:"|0D 0A 0D 0A 0D 0A|Connection"; distance:0; nocase; content:" Stable"; distance:0; nocase; pcre:"/^ForCed\s+EnTrY\s+\d+\x2E\d+\x2E\d+\x0D\x0A\x0D\x0A\x0D\x0AConnection\s+Stable/
        alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR icmp cmd 1.0 runtime detection - pskill"; itype:0; content:"pskill"; nocase; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250; classtype:trojan-activity; sid:10108; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR net demon runtime detection - open browser response"; flow:from_server,established; flowbits:isset,NetDemon_OpenBrowser; content:"browseropened|0A|"; depth:14; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6315; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"BACKDOOR ieva 1.0 runtime detection - swap mouse"; flow:to_server,established; content:"OTHER"; depth:5; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9835; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR reversable ver1.0 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"PORT="; depth:5; content:"Victim="; distance:0; pcre:"/^PORT\x3D\d+\x2AVictim\x3D/"; flowbits:set,ReVerSaBle_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7724; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"BACKDOOR net runner runtime detection - download file client-to-server"; flow:to_server,established; content:"|0D|Download File"; depth:14; nocase; flowbits:set,NetRunner_Download_File; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6120; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR fkwp 2.0 runtime detection - icq notification"; flow:to_server,established; uricontent:"folder_id="; nocase; uricontent:"params_count="; nocase; uricontent:"nick_name="; nocase; uricontent:"user_email=fkwp@yahoo.com"; nocase; content:"user_uin="; nocase; content:"friend_nickname="; nocase; content:"friend_contact="; nocase
13:55:07
#vi /etc/snort/snort.conf
13:56:50
#cd /etc/snort/rules/

13:57:07
#ls
attack-responses.rules  dns.rules           icmp.rules        netbios.rules    pop3.rules        sid-msg.map             tftp.rules         web-client.rules
backdoor.rules          dos.rules           imap.rules        nntp.rules       porn.rules        smtp.rules              threshold.conf     web-coldfusion.rules
bad-traffic.rules       experimental.rules  info.rules        oracle.rules     reference.config  snmp.rules              unicode.map        web-frontpage.rules
chat.rules              exploit.rules       local.rules       other-ids.rules  rpc.rules         specific-threats.rules  virus.rules        web-iis.rules
classification.config   finger.rules        misc.rules        p2p.rules        rservices.rules   spyware-put.rules       VRT-License.txt    web-misc.rules
ddos.rules              ftp.rules           multimedia.rules  policy.rules     scan.rules        sql.rules               web-attacks.rules  web-php.rules
deleted.rules           icmp-info.rules     mysql.rules       pop2.rules       shellcode.rules   telnet.rules            web-cgi.rules      x11.rules
13:57:09
#ls -l
-rw-r--r-- 1 root root    4874 2007-06-23 06:54 virus.rules
-rw-r----- 1 root root   17303 2007-06-23 06:54 VRT-License.txt
-rw-r--r-- 1 root root    1375 2007-06-23 06:54 web-attacks.rules
-rw-r--r-- 1 root root  105804 2007-06-23 06:54 web-cgi.rules
-rw-r--r-- 1 root root  632379 2007-06-23 06:54 web-client.rules
-rw-r--r-- 1 root root   13512 2007-06-23 06:54 web-coldfusion.rules
-rw-r--r-- 1 root root   11773 2007-06-23 06:54 web-frontpage.rules
-rw-r--r-- 1 root root   46343 2007-06-23 06:54 web-iis.rules
-rw-r--r-- 1 root root  116916 2007-06-23 06:54 web-misc.rules
-rw-r--r-- 1 root root   40558 2007-06-23 06:54 web-php.rules
-rw-r--r-- 1 root root    1433 2007-06-23 06:54 x11.rules
13:57:24
#/etc/init.d/snort
Usage: /etc/init.d/snort {start|stop|restart|force-restart|reload|force-reload|status|config-check}
13:57:49
#/etc/init.d/snort start
WARN: /etc/snort/db-pending-config file found
WARN: Snort will not start as its database is not yet configured.
WARN: Please configure the database as described in
WARN: /usr/share/doc/snort-{pgsql,mysql}/README-database.Debian
WARN: and remove /etc/snort/db-pending-config
13:57:58
#/var/log/
bash: /var/log/: is a directory
13:59:24
#cd /var/lo
local/      lock/       log/        lost+found/
13:59:24
#cd /var/log/

/dev/pts/7
13:59:26
#cd /var/log/
13:59:35
#ls
acpid     boot        dmesg.0     dpkg.log        honeypot   mail.err   mysql           mysql.log.3.gz  syslog       user.log
aide      btmp        dmesg.1.gz  exim4           installer  mail.info  mysql.err       mysql.pipe      syslog.0     uucp.log
apache    daemon.log  dmesg.2.gz  faillog         kern.log   mail.log   mysql.log       nessus          syslog.1.gz  wtmp
apache2   debug       dmesg.3.gz  fontconfig.log  lastlog    mail.warn  mysql.log.1.gz  news            syslog.2.gz  Xorg.0.log
auth.log  dmesg       dmesg.4.gz  fsck            lpr.log    messages   mysql.log.2.gz  snort           syslog.3.gz  Xorg.0.log.old
/dev/pts/5
13:59:35
#ls
acpid    auth.log    debug       dmesg.2.gz  exim4           honeypot   lpr.log    mail.warn  mysql.log       mysql.pipe  syslog       syslog.3.gz  Xorg.0.log
aide     boot        dmesg       dmesg.3.gz  faillog         installer  mail.err   messages   mysql.log.1.gz  nessus      syslog.0     user.log     Xorg.0.log.old
apache   btmp        dmesg.0     dmesg.4.gz  fontconfig.log  kern.log   mail.info  mysql      mysql.log.2.gz  news        syslog.1.gz  uucp.log
apache2  daemon.log  dmesg.1.gz  dpkg.log    fsck            lastlog    mail.log   mysql.err  mysql.log.3.gz  snort       syslog.2.gz  wtmp
/dev/pts/7
13:59:36
#cd snort

/dev/pts/5
13:59:36
#cat /var/log/snort/alert
/dev/pts/7
13:59:40
#ls
alert
13:59:41
#cd alert
bash: cd: alert: Not a directory
13:59:42
#ls
alert
13:59:43
#ls -l
total 0
-rw-r----- 1 snort adm 0 2007-06-23 05:55 alert
13:59:44
#ping -f linux3
PING linux3.unix.nt (192.168.15.200) 56(84) bytes of data.
/dev/pts/5
14:00:12
#ls
acpid    auth.log    debug       dmesg.2.gz  exim4           honeypot   lpr.log    mail.warn  mysql.log       mysql.pipe  syslog       syslog.3.gz  Xorg.0.log
aide     boot        dmesg       dmesg.3.gz  faillog         installer  mail.err   messages   mysql.log.1.gz  nessus      syslog.0     user.log     Xorg.0.log.old
apache   btmp        dmesg.0     dmesg.4.gz  fontconfig.log  kern.log   mail.info  mysql      mysql.log.2.gz  news        syslog.1.gz  uucp.log
apache2  daemon.log  dmesg.1.gz  dpkg.log    fsck            lastlog    mail.log   mysql.err  mysql.log.3.gz  snort       syslog.2.gz  wtmp
14:00:15
#cat /var/log/snort/alert
14:00:36
#cat /var/log/snort/
cat: /var/log/snort/: Is a directory
14:00:43
#cat /var/log/snort
cat: /var/log/snort: Is a directory
14:00:45
#ps -ef | grep snort
root      6516  6006  0 07:01 pts/6    00:00:00 grep snort
14:01:03
#/etc/init.d/snort start
WARN: /etc/snort/db-pending-config file found
WARN: Snort will not start as its database is not yet configured.
WARN: Please configure the database as described in
WARN: /usr/share/doc/snort-{pgsql,mysql}/README-database.Debian
WARN: and remove /etc/snort/db-pending-config
14:01:31
#/etc/init.d/snort start
WARN: /etc/snort/db-pending-config file found
WARN: Snort will not start as its database is not yet configured.
WARN: Please configure the database as described in
WARN: /usr/share/doc/snort-{pgsql,mysql}/README-database.Debian
WARN: and remove /etc/snort/db-pending-config
14:04:14
#[root@linux2:log]#
PING linux3.unix.nt (192.168.15.200) 56(84) bytes of data.
.
 bash: [root@linux2:log]#: command not found
14:04:52
#zcat /usr/share/doc/snort-mysql/create_mysql.gz
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
CREATE TABLE `schema` ( vseq        INT      UNSIGNED NOT NULL,
                      ctime       DATETIME NOT NULL,
                      PRIMARY KEY (vseq));
INSERT INTO `schema`  (vseq, ctime) VALUES ('106', now());
CREATE TABLE event  ( sid         INT      UNSIGNED NOT NULL,
                      cid         INT      UNSIGNED NOT NULL,
                      signature   INT      UNSIGNED NOT NULL,
...
INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii');
# detail is a lookup table for storing different detail levels
CREATE TABLE detail  (detail_type TINYINT UNSIGNED NOT NULL,
                      detail_text TEXT NOT NULL,
                      PRIMARY KEY (detail_type));
INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast');
INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full');
# be sure to also use the snortdb-extra tables if you want
# mappings for tcp flags, protocols, and ports
/dev/pts/7
14:05:39
#nmap linux3
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
79/tcp  open  finger
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
514/tcp open  shell
MAC Address: 00:0A:01:D4:D1:E3 (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 0.861 seconds
/dev/pts/5
14:05:44
#zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql -p snort_log
Enter password:
ERROR 1049 (42000): Unknown database 'snort_log'
14:06:13
#mysql -p
Your MySQL connection id is 29
Server version: 5.0.32-Debian_7etch1-log Debian etch distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database snort_log
    -> ;
Query OK, 1 row affected (0.00 sec)
mysql> exit
Bye
14:07:23
#zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql -p snort_log
Enter password:
14:07:28
#/etc/init.d/snort start
WARN: /etc/snort/db-pending-config file found
WARN: Snort will not start as its database is not yet configured.
WARN: Please configure the database as described in
WARN: /usr/share/doc/snort-{pgsql,mysql}/README-database.Debian
WARN: and remove /etc/snort/db-pending-config
14:07:45
#/etc/init.d/snort restart
No snort instance found to be restarted!
14:07:53
#/etc/init.d/snort star
Usage: /etc/init.d/snort {start|stop|restart|force-restart|reload|force-reload|status|config-check}
14:07:58
#/etc/init.d/snort start
WARN: /etc/snort/db-pending-config file found
WARN: Snort will not start as its database is not yet configured.
WARN: Please configure the database as described in
WARN: /usr/share/doc/snort-{pgsql,mysql}/README-database.Debian
WARN: and remove /etc/snort/db-pending-config
14:08:01
#cd /etc/snort/

14:09:50
#ls
classification.config  db-pending-config  gen-msg.map  reference.config  rules  sid-msg.map  snort.conf  snort.debian.conf  threshold.conf  unicode.map
14:09:51
#cat db-pending-config

14:09:59
#rm db-pending-config
14:10:08
#/etc/init.d/snort start
Starting Network Intrusion Detection System: snort(eth0)No /etc/snort/snort.eth0.conf, defaulting to snort.conf
.
14:10:13
#ps -ef | grep snort
root      6689  6006  0 07:10 pts/6    00:00:00 grep snort
14:10:32
#cd /etc/snort
14:11:05
#ls
classification.config  gen-msg.map  reference.config  rules  sid-msg.map  snort.conf  snort.debian.conf  threshold.conf  unicode.map
14:11:07
#vi snort.conf
14:14:02
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0)No /etc/snort/snort.eth0.conf, defaulting to snort.conf
.
14:14:11
#ps -ef | grep snort
snort     6734     1 21 07:14 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      6741  6006  0 07:14 pts/6    00:00:00 grep snort
14:14:23
#cd /etc/snort

14:14:41
#cd /var/

14:14:45
#log
bash: log: command not found
14:14:48
#ls
backups  cache  lib  local  lock  log  lost+found  mail  opt  run  spool  tmp  www
14:14:51
#xs log
bash: xs: command not found
14:14:57
#cd log
14:15:00
#ls
acpid    auth.log    debug       dmesg.2.gz  exim4           honeypot   lpr.log    mail.warn  mysql.log       mysql.pipe  syslog       syslog.3.gz  Xorg.0.log
aide     boot        dmesg       dmesg.3.gz  faillog         installer  mail.err   messages   mysql.log.1.gz  nessus      syslog.0     user.log     Xorg.0.log.old
apache   btmp        dmesg.0     dmesg.4.gz  fontconfig.log  kern.log   mail.info  mysql      mysql.log.2.gz  news        syslog.1.gz  uucp.log
apache2  daemon.log  dmesg.1.gz  dpkg.log    fsck            lastlog    mail.log   mysql.err  mysql.log.3.gz  snort       syslog.2.gz  wtmp
14:15:03
#cd snort/
14:15:17
#ls
alert  tcpdump.log.1182597013  tcpdump.log.1182597251
14:15:18
#cat tcpdump.log.1182597
cat: tcpdump.log.1182597: No such file or directory
14:15:25
#cat alert
exit
14:15:37
#cat tcpdump.log.1182597251

14:15:48
#cat tcpdump.log.1182597013

14:15:54
#ps -ef | grep snort
snort     6734     1  2 07:14 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      6834  6006  0 07:16 pts/6    00:00:00 grep snort
14:16:03
#ps -ef | grep snort
snort     6734     1  1 07:14 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      6847  6006  0 07:17 pts/6    00:00:00 grep snort
14:17:16
#cd snort/
bash: cd: snort/: No such file or directory
14:17:41
#ps -ef | grep snort
snort     6734     1  1 07:14 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      6859  6006  0 07:17 pts/6    00:00:00 grep snort
14:17:43
#cat /var/lo
local/      lock/       log/        lost+found/
14:17:43
#cat /var/log//m
mail.err        mail.log        messages        mysql.err       mysql.log.1.gz  mysql.log.3.gz
mail.info       mail.warn       mysql/          mysql.log       mysql.log.2.gz  mysql.pipe
14:17:43
#cat /var/log//mysql.log
14:18:08
#cat /var/log//mysql.err
14:18:16
#cat /var/log/mysql.log
14:18:30
#cat /var/log/mysql.err

14:18:34
#cat /var/log/messages
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Checking if this processor honours the WP bit even in supervisor mode... Ok.
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Calibrating delay using timer specific routine.. 3603.79 BogoMIPS (lpj=7207584)
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Security Framework v1.0.0 initialized
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: SELinux:  Disabled at boot.
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Capability LSM initialized
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Mount-cache hash table entries: 512
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: CPU: Trace cache: 12K uops, L1 D cache: 8K
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: CPU: L2 cache: 128K
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: CPU: Hyper-Threading is disabled
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Intel machine check architecture supported.
Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Intel machine check reporting enabled on CPU#0.
14:18:52
#ls
alert  tcpdump.log.1182597013  tcpdump.log.1182597251
14:19:07
#cat alert

Files

  • /var/lo
  • /var/log//m
  • /var/log//mysql.err
  • /var/log//mysql.log
  • /var/log/messages
  • /var/log/mysql.err
  • /var/log/mysql.log
  • /var/log/snort/alert
  • alert
  • db-pending-config
  • tcpdump.log.1182597013
  • tcpdump.log.1182597251
  • /var/lo
    >
    local/      lock/       log/        lost+found/
    
    /var/log//m
    >
    mail.err        mail.log        messages        mysql.err       mysql.log.1.gz  mysql.log.3.gz
    mail.info       mail.warn       mysql/          mysql.log       mysql.log.2.gz  mysql.pipe
    
    /var/log//mysql.err
    >
    
    /var/log//mysql.log
    >
    
    /var/log/messages
    >
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Checking if this processor honours the WP bit even in supervisor mode... Ok.
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Calibrating delay using timer specific routine.. 3603.79 BogoMIPS (lpj=7207584)
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Security Framework v1.0.0 initialized
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: SELinux:  Disabled at boot.
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Capability LSM initialized
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Mount-cache hash table entries: 512
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: CPU: Trace cache: 12K uops, L1 D cache: 8K
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: CPU: L2 cache: 128K
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: CPU: Hyper-Threading is disabled
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Intel machine check architecture supported.
    Jun 20 01:41:05 s_all@linux1/192.168.15.202 kernel: Intel machine check reporting enabled on CPU#0.
    
    /var/log/mysql.err
    >
    /var/log/mysql.log
    >
    
    /var/log/snort/alert
    >
    
    alert
    >
    
    db-pending-config
    >
    tcpdump.log.1182597013
    >
    tcpdump.log.1182597251
    >

    Statistics

    First command in the log: 13:32:20 2007- 6-23
    Last command in the log: 14:19:07 2007- 6-23
    Number of command lines in the log: 101
    Commands with non-zero exit code, %: 23.76
    Syntactically mistyped commands, %: 5.94
    Total terminal time *, hours: 0.78
    Command lines per unit time, commands/min: 2.16
    Command usage frequency
    cat                   17  |===============|  15.45%
    rsync                 15  |=============|   13.64%
    ls                    14  |============|    12.73%
    cd                    13  |===========|     11.82%
    /etc/init.d/snort     10  |=========|        9.09%
    ps                     6  |=====|            5.45%
    vi                     6  |=====|            5.45%
    grep                   6  |=====|            5.45%
    oinkmaster             4  |===|              3.64%
    mysql                  3  |==|               2.73%
    zcat                   3  |==|               2.73%
    apt-get                2  |=|                1.82%
    more                   1  ||                 0.91%
    q                      1  ||                 0.91%
    /etc/                  1  ||                 0.91%
    ping                   1  ||                 0.91%
    man                    1  ||                 0.91%
    /var/log/              1  ||                 0.91%
    [root@linux2:log]#     1  ||                 0.91%
    rm                     1  ||                 0.91%
    nmap                   1  ||                 0.91%
    xs                     1  ||                 0.91%
    log                    1  ||                 0.91%
    ____
    *) Periods of inactivity lasting 30 minutes or more are not counted

    Help

    To use LiLaLo you do not need to know anything special: everything happens by itself. However, to make keeping and later using the logs as effective as possible, it is worth bearing the following in mind:
    1. All commands entered on any terminal of the system are recorded in the log automatically.

    2. To make sure that the log is being kept on the current terminal and commands are being recorded, run the command w. In the WHAT field for the current terminal, the program script should be listed.

    3. Commands that contained syntax errors when typed are shown as struck-through text:
      $ l s-l
      bash: l: command not found
      

    4. If a command's exit code is zero, the command completed without errors. Commands whose exit code is non-zero are highlighted in colour.
      $ test 5 -lt 4
      Note that a command's exit code can be non-zero not only when the command failed. Many commands use the exit code, for example, to report the result of a check.

    5. Commands whose execution was interrupted by the user are highlighted in colour.
      $ find / -name abc
      find: /home/devi-orig/.gnome2: Keine Berechtigung
      find: /home/devi-orig/.gnome2_private: Keine Berechtigung
      find: /home/devi-orig/.nautilus/metafiles: Keine Berechtigung
      find: /home/devi-orig/.metacity: Keine Berechtigung
      find: /home/devi-orig/.inkscape: Keine Berechtigung
      ^C
      

    6. Commands executed with superuser privileges are marked with a red bar on the left.
      # id
      uid=0(root) gid=0(root) Gruppen=0(root)
      

    7. Changes made to a text file with an editor are recorded and shown in the log in ed format. Lines beginning with the character "<" were deleted, and lines beginning with ">" were added.
      $ vi ~/.bashrc
      2a3,5
      >    if [ -f /usr/local/etc/bash_completion ]; then
      >         . /usr/local/etc/bash_completion
      >        fi
      

    8. To modify a file according to the changes shown in the diffshot, you can use the patch command. Copy the changes, run patch with the file to which the changes apply as its argument, and paste the copied text:
      $ patch ~/.bashrc
      In this case the changes are applied to the file ~/.bashrc

    9. To get brief reference information about a command, hover the mouse over it. A tooltip with a short description of the command will appear.

      If reference information for a command exists, the command is highlighted with a light-blue background, for example: vi. If reference information is missing, the command is highlighted with a pink background, for example: notepad.exe. Reference information may be missing if (1) the command was typed incorrectly; (2) LiLaLo recognised the command incorrectly; (3) LiLaLo has no information about the command. The last case is possible for rare commands.

    10. Large, especially multi-line, tooltips are displayed best by the browsers KDE Konqueror, Apple Safari and Microsoft Internet Explorer. In Mozilla and Firefox they are not displayed completely, and a special character is shown instead of a line break.

    11. The command entry time shown in the log corresponds to the moment the command line started being entered, that is, the moment the shell prompt appeared on the terminal.

    12. The name of the terminal on which a command was entered is shown in a special block. This block is shown only when the terminal of the current command differs from that of the previous one.

    13. Log elements you are not currently interested in, such as the time, the terminal name and others, can be hidden. Use the log control form at the top of the page for this.

    14. Short comments on commands can be inserted directly from the command line. The comment is typed right into the command line after the characters #^ or #v. The characters ^ and v indicate which command the comment refers to: ^ the previous one, v the next one. For example, if the following was entered on the command line:

      $ whoami
      
      user
      
      $ #^ I wonder who I am?
      
      in the log it will look like this:
      $ whoami
      
      user
      
      I wonder who I am?

    15. If a comment spans several lines, it can be inserted into the log as follows:

      $ whoami
      
      user
      
      $ cat > /dev/null #^ I wonder who I am?
      
      The whoami program prints the name of the user
      we logged in to the system as.
      -
      It cannot answer the question of our purpose
      in this world.
      
      In the log it will look like this:
      $ whoami
      user
      
      I wonder who I am?
      The whoami program prints the name of the user
      we logged in to the system as.

      It cannot answer the question of our purpose
      in this world.
      To separate paragraphs from one another, use the character "-" alone on a line.

    16. Comments that do not refer directly to any command are added in exactly the same way, except that the characters #= are used instead of #^ or #v.

    17. The contents of a file can be shown in the log. To do this, print it with the cat program. If the command output is marked with the characters #!, the file contents will be shown in the log in a section specially set aside for this.
    18. To insert a screenshot of a window of interest into the log, use the l3shot command. After the command is invoked, select the window that should appear in the log with the mouse.
    19. Commands in the log are arranged in chronological order. If two commands were given one after another but on different terminals, they will be adjacent in the log even if they have nothing to do with each other.
      1
          2
      3   
          4
      
      Groups of commands executed on different terminals are separated by a special line. Under this line, in the right corner, the name of the terminal on which the commands were executed is shown. To view the commands of only one session, click on that name.

    About

    LiLaLo (L3) stands for Live Lab Log.
    The program was developed to make learning Unix/Linux systems more effective.
    (c) Igor Chubin, 2004-2008
