'mysql'에 해당되는 글 57건

  1. 2014.07.08 SnortDLP - an open source DLP solution utilizing snort
  2. 2013.11.05 Configuring OSSEC with MySQL and Analogi
  3. 2012.07.12 webhoneypot: Web Application Honeypot
2014. 7. 8. 19:08

SnortDLP - an open source DLP solution utilizing snort



SnortDLP a.k.a. "Pig Pen" is an open source data loss prevention project that utilizes Snort to detect the exfiltration of sensitive data.


Web based application

  • Written in PHP and utilizes a MySQL backend for cross operating system portability
  • Administrative login to protect unauthorized access
  • Determines a unique fingerprint for
    • free text
    • individual documents
    • each document in a repository of sensitive documents
    • database tables (future)
  • Supports plain text documents (including doc, ppt, etc) and emails
  • Generates Perl-compatible regular expressions (PCREs) and automatically adds a custom snort rule for each document or file
  • Detects and alerts administrators through a Snort interface
  • Flagging and carving out zip/pdf files based on file headers
    • Office 2007 (docx, pptx, xlsx) support
    • PDF support


  • Email integration


-python -- version?
-pexpect for python (already installed on ubuntu I believe)
-tcpxtract 1.0.1
apt-get install libxml-libxml-perl
apt-get install libarchive-any-perl
libextractor -> apt-get install extract

-in /etc/sudoers
-- under: # User privilege specification
-- add: www-data ALL=NOPASSWD: /bin/mount, /bin/umount, /bin/mkdir, /bin/rmdir

출처 : https://code.google.com/p/snortdlp/

Trackback 0 Comment 0
2013. 11. 5. 19:57

Configuring OSSEC with MySQL and Analogi


I have been using OSSEC for a while now but I always used only plain text logs. While this is not bad, it does not scale really well. I started looking into a way to do it right(tm). I knew OSSEC was compatible with MySQL, and since 2.7 has been released, it gave me an excuse to play with it again.

You will need to enable MySQL in OSSEC (not enabled by default), grab the source then do the following. Note that if upgrading an existing installation, you might want to save the registered client keys, the file to back up is: /var/ossec/etc/client.keys

cd ossec-hids-2.7/src
make setdb
cd ..

After you have completed the installation, you need to configure your MySQL server, I used the official documentation to do it. Here is my run down of it:

$ mysql -u root -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@<ossec ip>;
mysql> set password for ossecuser@<ossec ip>=PASSWORD('ossecpass');
mysql> flush privileges;
mysql> quit
mysql -u root -p ossec < ./src/os_dbd/mysql.schema

You just now need to edit /var/ossec/etc/ossec.conf and add a new section within the config:


And at last, enable MySQL and restart the service:

/var/ossec/bin/ossec-control enable database
/var/ossec/bin/ossec-control restart

Analogi is a web interface replacement to ossec-wui which is now very dated and spurts too many false positive. To install analogi, go to the main project page and clone it using git:

It is up to you to protect that folder on your webserver as this has potential security risks, I am using NGINX, so here is my setup:

location /ossec/analogi {
        auth_basic "Restricted Access";
        auth_basic_user_file htpasswd-file;

You then need to rename the config file and change the SQL information

mv db_ossec.php.new db_ossec.php

You should now be able to see information gathered from different clients straight into MySQL and using Analogi.

출처 : www.frlinux.eu

Trackback 0 Comment 0
2012. 7. 12. 19:14

webhoneypot: Web Application Honeypot


webhoneypot is a DShield Web Application Honeypot offering this honeypot for users to capture automated web application exploits. It is a very simple “semi interactive” honeypot implemented in PHP.

webhoneypot project is used to develop the honeypot. Do not use this code to install a honeypot unless you are interested in helping development.

Prerequisitesfor installing webhoneypot.

  • dshield.org account
  • Publicly routable IP address that can receive requests on TCP port 80. Dynamic IP addresses are ok, but you should sign up with a dynamic dns provider like dyndns so that you can provide a constant hostname.
  • Linux or Windows machine with a webserver, PHP5 support and the curl extension installed.

 webhoneypot installation section should also be applicable to nearly any LAMP (Linux, Apache, MySQL, PHP) application platform, but the exact paths are taken from Fedora Core, and will need to be altered to match your environment.

Installation is very easy

  1. Extract the archive file honeypot.tgz ( webhoneypot ) to a temporary directory or into the directory for a virtual host that you plan to create.
  2. Edit etcconfig.local and edit the userid (userid=…) and password (password=…) to match your account information for your Dshield login; If you provide the password, the script automatically converts it into a hashed password replacing the password entry. Also, complete the full path to the location where you will be keeping your log files (logdir=…) if different from the default location logs/.
  3. Edit your apache configuration file /etc/httpd/httpd.conf ??
  4. Now copy the four folders and contents into the appropriate folders
  5. Set the appropriate permissions. The userid that your webserver runs under — usually apache — will need read permissions to the template folder. Use the chown command to make apache the owner of the templates folder, then use the chmod command to give the apache user read access to the files. (chmod + r) The apache user will also need write access to the logs folder. Once again change the owner to apache with the chown command and give apache write access with chmod + w.
  6. Test the site. Open a webbrowser and navigate to your webhoneypot site. You should be get back the default template which states that you are using the demo server and welcome to phpmyadmin. Try http://[webhoneypot ip or dns name]/robots.txt and you should get back template 104 which is a robots.txt file. If you get an error instead the most common problems are an incorrect path in one of your configuration files, a permissions problem writing to the logfile, or you did not install the curl extension that is required to post the results back to Dshield. You should be able to determine which one it is by the webpage returned from the server or your logfile if you have one.
  7. Check your logfile. If everything is operating properly, you should see the details of which templates are being matched, and the client request successfully posted to http://isc1.sans.org/weblogs/post.html.
  8. Once you have completed your testing list any operational honeypots under your DShield profile page.
  9. Log in to your account, go to the “my info” page and use the link provided to activate webhoneypot .

Download webhoneypot:

webhoneypot v0.1.r123 – webhoneypot.0.1.r123.tgz

출처 : PenTestIT

Trackback 1 Comment 0