2012/12/25

在之前8月時有測試到bond的功能
但一直有問題
今天跟工程師聊了一下
才知道一定要使用802.3ad才不會有問題
參考資料如下
http://www.geego.com.tw/tech_support/techdocs_easy-to-increase-network-bandwidth

2012/12/23

以下二個是在linux中可以限制上下傳速度的東東
以避免在ADSL的環境中因為上傳滿載而影响到下傳的速度

wondershaper 針對網卡設限

wondershaper eth0 10000 500
                               下載    上傳

trickle 針對process設限

trickle -u 10 -d 20 firefox


2012/12/22

昨天中午不知道什麼原因lp network突然down而且一直沒起來
雖然之前有一陣子也常常發生
而且還為此寫了一個shell固定檢查網路有沒有問題
如果有就restart network
但看起來好像不是這樣
進主機去看
eth0是有起來的
network 再restart也沒用
好吧 重開機
想不到重開完後還是相同的情況
心想該不會是host os上bridge的process當了吧
init 0關机 清掉process
再boot
恢復正常
什麼怪事都有
@_@

今天鳥哥分享了EPEL這個站
如果有找不到的rpm可以到這裡看看
http://fedoraproject.org/wiki/EPEL

2012/12/21

之前裝了一台ubuntu 12.04
今天要update時發現找不到網站
dns沒解到
手動加到/etc/resolv.conf
重開後竟然又消失了
找了一下才發現必須加到
/etc/network/interfaces

auto eth0 
iface eth0 inet static  
address 192.168.1.2
netmask 255.255.255.0  
gateway 192.168.1.254
dns-nameservers 8.8.8.8 8.8.4.4

感覺上好像是因為一開始先使用dhcp後來再改成static ip的關係
為什麼之前一直沒發現
XD
開dos視窗

systeminfo

可以看到滿多東西

2012/12/20

今年長官有提到要買firewall的需求
找了一下封包產生的軟体預計拿來測throuthput

1. packet builder
http://www.colasoft.com/download/products/download_packet_builder.php

2. iperf
http://35g.tw/blog/2009/08/17/%E7%B6%B2%E8%B7%AF%E6%95%88%E8%83%BD%E6%B8%AC%E8%A9%A6%E5%B7%A5%E5%85%B7-iperf/

iperf的圖形版
http://code.google.com/p/xjperf/

目前看來iperf簡單易用

iperf –c 1.1.1.1 –w 100M –t 120 –i 10

主要是改變w的值
通常在小的值的表現會比較不好
而大的值表現會比較好
但都會有一個極限
如下圖


最近在進行在ubuntu上安裝virtualbox的測試
做為公用區電腦的計畫
剛好在更新完kernel發生一個問題
virtualbox無法啟動
出現必須
/etc/init.d/vboxdrv setup
的訊息
可是在/etc/init.d裡明明就沒有vboxdrv這個檔案
甚至整個hd裡都沒有
找了一下文件
才發現升級kernel時必須連kernel header一起安裝
安裝後再重開virtualbox就正常了

2012/12/16

如果要使用ssh來rsync又不想產生key
可以使用sshpass

http://www.cyberciti.biz/faq/noninteractive-shell-script-ssh-password-provider/

2012/12/13

ubuntu 12.04 要讓php跑起來
除了要apt-get install php5之外
還要apt-get install libapache2-mod-php5
service apache2 restart
才能正常使用

2012/12/11

今天在找如何快速清除snort database的資料

相當方便 只要改天數就好了


DELETE FROM event WHERE timestamp < DATE_SUB(NOW(),INTERVAL 200 DAY);

DELETE FROM data    USING data    LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM iphdr   USING iphdr   LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM icmphdr USING icmphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM tcphdr  USING tcphdr  LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM udphdr  USING udphdr  LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM opt     USING opt     LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;

DELETE FROM acid_event USING acid_event LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM ag USING acid_ag_alert AS ag LEFT OUTER JOIN event AS e ON ag.ag_sid=e.sid AND ag.ag_cid=e.cid WHERE e.sid IS NULL;

OPTIMIZE TABLE event, data, iphdr, icmphdr, tcphdr, udphdr, opt, acid_event, acid_ag_alert;


http://blog.terryburton.co.uk/2007/09/deleting-old-snort-and-base-event-data.html

2012/12/10

2012/12/11後記

升到 barnyard2-1.11 後在base又出現跟之前相同的情況
看不到特徵值的名稱
改了好多東西都沒辦法
而且目前找不到相關文件
改回之前的版本就正常barnyard2-1.9
算了 先改回來
另外
snort 2.9.4-1 一定要把 $SO_RULE_PATH打開
之前的版本預設都不用開
不然事件會都無法偵測且記錄
===========================================
自從12/6升到snort 2.9.4-1的版本後
資料庫的資料就異常的少
剛好今天在snort的blog發現
barnyard2有更新版本(新官網)
看來這個blog的訊息還滿多的(已訂rss)
所以來升級一下看看狀況會不會改善
先備份 /usr/bin/barnyard2及 /etc/barnyard2/barnyard2.conf

升級步驟如下
解壓source後進到目錄

autogen.sh


./configure --bindir=/usr/bin --sysconfdir=/etc/barnyard2 --with-mysql

make && make install

再依照原本的barnyard2.conf改一下

========barnyard2.conf===============


#
#  Barnyard2 example configuration file
#

#
# This file contains a sample barnyard2 configuration.
# You can take the following steps to create your own custom configuration:
#
#   1) Configure the variable declarations
#   2) Setup the input plugins
#   3) Setup the output plugins
#

#
# Step 1: configure the variable declarations
#

# in order to keep from having a commandline that uses every letter in the
# alphabet most configuration options are set here.

# use UTC for timestamps
#
#config utc

# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file:      /etc/snort/rule/etc/reference.config
config classification_file: /etc/snort/rule/etc/classification.config
config gen_file:            /etc/snort/rule/etc/gen-msg.map
config sid_file:            /etc/snort/rule/etc/sid-msg.map

# Set the event cache size to defined max value before recycling of event occur.
#
#
#config event_cache_size: 4096

# define dedicated references similar to that of snort.
#
#config reference: mybugs http://www.mybugs.com/?s=

# define explicit classifications similar to that of snort.
#
#config classification: shortname, short description, priority

# set the directory for any output logging
#
#config logdir: /tmp

# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
# Example:
#   For a snort process as follows:
#     snort -i eth0 -c /etc/snort.conf
#
#   Typical options would be:
#     config hostname:  thor
#     config interface: eth0
#     config alert_with_interface_name
#
#config hostname:   thor
#config interface:  eth0
config hostname:   localhost
config interface:  eth1

# enable printing of the interface name when alerting.
#
#config alert_with_interface_name

# at times snort will alert on a packet within a stream and dump that stream to
# the unified output. barnyard2 can generate output on each packet of that
# stream or the first packet only.
#
#config alert_on_each_packet_in_stream

# enable daemon mode
#
#config daemon

# make barnyard2 process chroot to directory after initialisation.
#
#config chroot: /var/spool/barnyard2

# specifiy the group or GID for barnyard2 to run as after initialisation.
#
#config set_gid: 999

# specifiy the user or UID for barnyard2 to run as after initialisation.
#
#config set_uid: 999

# specify the directory for the barnyard2 PID file.
#
#config pidpath: /var/run/by2.pid

# enable decoding of the data link (or second level headers).
#
#config decode_data_link

# dump the application data
#
#config dump_payload

# dump the application data as chars only
#
#config dump_chars_only

# enable verbose dumping of payload information in log style output plugins.
#
#config dump_payload_verbose

# enable obfuscation of logged IP addresses.
#
#config obfuscate

# enable the year being shown in timestamps
#
#config show_year

# set the umask for all files created by the barnyard2 process (eg. log files).
#
#config umask: 066

# enable verbose logging
#
#config verbose

# quiet down some of the output
#
#config quiet

# define the full waldo filepath.
#
#config waldo_file: /tmp/waldo

# specificy the maximum length of the MPLS label chain
#
#config max_mpls_labelchain_len: 64

# specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
#
#config mpls_payload_type: ipv4

# set the reference network or homenet which is predominantly used by the
# log_ascii plugin.
#
#config reference_net: 192.168.0.0/24

#
# CONTINOUS MODE
#

# set the archive directory for use with continous mode
#
#config archivedir: /tmp

# when in operating in continous mode, only process new records and ignore any
# existing unified files
#
#config process_new_records_only


#
# Step 2: setup the input plugins
#

# this is not hard, only unified2 is supported ;)
input unified2


#
# Step 3: setup the output plugins
#

# alert_cef
# ----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to a
# remote network host as well as the local host using the open standard
# Common Event Format (CEF).
#
# Arguments: host=hostname[:port], severity facility
#            arguments should be comma delimited.
#   host        - specify a remote hostname or IP with optional port number
#                 this is only specific to WIN32 (and is not yet fully supported)
#   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#   output alert_cef
#   output alert_cef: host=192.168.10.1
#   output alert_cef: host=sysserver.com:1001
#   output alert_cef: LOG_AUTH LOG_INFO
#

# alert_bro
# ----------------------------------------------------------------------------
#
# Purpose: Send alerts to a Bro-IDS instance.
#
# Arguments: hostname:port
#
# Examples:
#   output alert_bro: 127.0.0.1:47757

# alert_fast
# ----------------------------------------------------------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
#
# Arguments: file <file>, stdout
#            arguments should be comma delimited.
#   file - specifiy alert file
#   stdout - no alert file, just print to screen
#
# Examples:
#   output alert_fast
#   output alert_fast: stdout
#
output alert_fast: stdout


# prelude: log to the Prelude Hybrid IDS system
# ----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides logging to the Prelude Hybrid IDS system
#
# Arguments: profile=snort-profile
#   snort-profile   - name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# Examples:
#   output alert_prelude
#   output alert_prelude: profile=snort-profile-name
#


# alert_syslog
# ----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to local syslog
#
#   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#   output alert_syslog
#   output alert_syslog: LOG_AUTH LOG_INFO
#

# syslog_full
#-------------------------------
# Available as both a log and alert output plugin.  Used to output data via TCP/UDP or LOCAL ie(syslog())
# Arguments:
#      sensor_name $sensor_name         - unique sensor name
#      server $server                   - server the device will report to
#      local                            - if defined, ignore all remote information and use syslog() to send message.
#      protocol $protocol               - protocol device will report over (tcp/udp)
#      port $port                       - destination port device will report to (default: 514)
#      delimiters $delimiters           - define a character that will delimit message sections ex:  "|", will use | as message section delimiters. (default: |)
#      separators $separators           - define field separator included in each message ex: " " ,  will use space as field separator.             (default: [:space:])
#      operation_mode $operaion_mode    - default | complete : default mode is compatible with default snort syslog message, complete prints more information such as the raw packet (hexed)
#      log_priority   $log_priority     - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
#      log_facility  $log_facility      - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)

# Usage Examples:
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, local
# output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT,log_facility LOG_CRON

# log_ascii
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides the default packet logging funtionality
#
# Arguments: None.
#
# Examples:
#   output log_ascii
#


# log_tcpdump
# ----------------------------------------------------------------------------
#
# Purpose
#  This output module logs packets in binary tcpdump format
#
# Arguments:
#   The only argument is the output file name.
#
# Examples:
#   output log_tcpdump: tcpdump.log
#


# sguil
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability for the sguil interface
# See doc/README.sguil
#
# Arguments: agent_port <port>, sensor_name <name>
#            arguments should be comma delimited.
#   agent_port  - explicitly set the sguil agent listening port
#                 (default: 7736)
#   sensor_name - explicitly set the sensor name
#                 (default: machine hostname)
#
# Examples:
#   output sguil
#   output sguil: agent_port=7000
#   output sguil: sensor_name=argyle
#   output sguil: agent_port=7000, sensor_name=argyle
#


# database: log to a variety of databases
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
#   output database: log, mysql, user=root password=test dbname=db host=localhost
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test
#
output database: alert, mysql, user=aaa password=bbb dbname=snort host=127.0.0.1


# alert_fwsam: allow blocking of IP's through remote services
# ----------------------------------------------------------------------------
# output alert_fwsam: <SnortSam Station>:<port>/<key>
#
#  <FW Mgmt Station>:  IP address or host name of the host running SnortSam.
#  <port>:         Port the remote SnortSam service listens on (default 898).
#  <key>:              Key used for authentication (encryption really)
#              of the communication to the remote service.
#
# Examples:
#
# output alert_fwsam: snortsambox/idspassword
# output alert_fwsam: fw1.domain.tld:898/mykey
# output alert_fwsam: 192.168.0.1/borderfw  192.168.1.254/wanfw
#
#

2012/12/08

今天在寫完新的網路支援頁面之後
進到http://www.google.com/intl/zh-TW/analytics/要註冊使用時
發現使用
https://sites.google.com/site/wangluzhiyuan/
竟然無法註冊
必須再加上home(如下)
https://sites.google.com/site/wangluzhiyuan/home
才能註冊成功
留一下記錄

2012/12/05

今天廠商介紹的二套好用的wireless 軟体

http://www.ekahau.com/products/heatmapper/overview.html

http://www.metageek.net/products/inssider/

http://phorum.study-area.org/index.php?topic=60793.0

12/8後記

http://www.metageek.net/docs/wireless-networking-tools/

http://www.meraki.com/products/wireless/wifi-mapper

http://www.netspotapp.com/

http://www.wolfwifi.com/index.html

(AIRMAGNET)
http://www.airmagnet.com

(EKAHAU SITE SURVEY)
http://www.ekahau.com/

(VISIWAVE SITE SURVEY)
http://www.visiwave.com


(MERITECH WIFI NETWORK SURVEY AND DESIGN)
http://www.meritechsolutions.com/



http://www.metageek.net/forums/showthread.php?3412-Top-Wireless-WiFi-Site-Survey-Software

2012/12/04


MySQL 語法匯整

1. 基礎語法

操作功能 SQL 語法
說明
建立資料庫 create database 資料庫名稱;
列出所有資料庫 show databases;
刪除資料庫 drop database 資料庫名稱;
使用資料庫 use 資料庫名稱;
建立資料表 create table 資料表名稱(
sn integer auto_increment primary key,
name char(20),
mail char(50),
home char(50),
messages char(50)
); 常用資料庫資料型態
1. INT (整數)
2. CHAR (1~255字元字串)
3. VARCHAR (不超過255字元不定長度字串)
4. TEXT (不定長度字串最多65535字元)
列出資料表欄位資訊 describe 資料表名稱;
修改資料表欄位 alter table 資料表名稱
charange column 原來欄位名稱
新欄位名稱資料型態;
新增資料表欄位 alter table 資料表名稱 add column 欄位名稱 資料型態;
刪除資料表欄位 alter table 資料表名稱 drop column 欄位名稱;
刪除資料表 drop 資料表名稱;
插入欄位資料 insert into 資料表名稱(欄位1,欄位2,欄位3,欄位4, ...... 欄位N)
values('值1','值2','值3','值4', ...... '值N');
更新修改欄位資料 update 資料表名稱 set 欄位1='值1',欄位2='值2',欄位3='值3',... 欄位N='值N'
where 條件式 (例如 sn='5' 或 name='塔司尼' );
查詢單一欄位資料 select 欄位名 from 資料表名稱;
查詢多個欄位資料 select 欄位名, 欄位名, 欄位名 from 資料表名稱;
查詢欄位資料的唯一值 select distinct 欄位名 from 資料表名稱; 重複值只列一次
查詢所有欄位資料 select * from 資料表名稱;
條件式查詢 select * from 資料表名稱 where 條件式 (例如 sn='5'); (=, <, >, !=)
條件式查詢 and select * from 資料表名稱 where 條件式1 and 條件式2;
條件式查詢 or select * from 資料表名稱 where 條件式1 or 條件式2;
查詢某一範圍 between select * from 資料表名稱 where 欄位名 between 值1 and 值2 值為數字
查詢空值欄位的資料 select * from 資料表名稱 where 欄位名 is null not null
查詢特定筆數資料 select * from 資料表名稱 limit 8, 10; 第9筆開始選取10筆
查詢結果遞增排序 select * from 資料表名稱 order by 欄位名;
查詢結果遞減排序 select * from 資料表名稱 order by 欄位名 desc ;
查詢比對字串列出單一欄位 select 欄位名 from 資料表名稱 where 欄位名 like '%字串%';
查詢比對字串列出所有欄位 select * from 資料表名稱 where 欄位名 like '%字串%';
刪除條件值資料 delete from 資料表名稱 where 條件式 (例如 sn='5' 或 id='91001' );
刪除條件值資料 delete from 資料表名稱 where 條件式1
and 條件式2;
刪除條件值資料 delete from 資料表名稱 where 條件式1 or 條件式2;
比對刪除條件值資料 delete from 資料表名稱 where 欄位名 like '%字串%';

2. 進階語法

操作功能 SQL 語法
說明
列出正在執行的行程。 show processlist;

轉貼自 http://note.drx.tw/2012/12/mysql-syntax.html