Vous êtes ici : Formations en Ligne Gratuites » Catalogue » workbooks » Debian » 11 » LDF400 - Administration de la Sécurité » LDF406 - Sécurité Applicative

Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

--- elearning:workbooks:debian:11:sec:l106 [2025/11/30 15:21] – créée admin
+++ elearning:workbooks:debian:11:sec:l106 [2025/12/07 14:09] (Version actuelle) – admin
@@ Ligne 5: / Ligne 5: @@
 Dernière mise-à-jour : ~~LASTMOD~~
-======LDF406 - Balayage des Ports======
+======LDF406 - Sécurité Applicative======
 =====Contenu du Module=====
-  * **LDF406 - Balayage des Ports**
+  * **LDF406 - Sécurité Applicative**
     * Contenu du Module
     * Le Problématique
-      * LAB #1 - Utilisation de nmap et de netcat
+    * Préparation
-        * 1.1 - nmap
+    * Les Outils
-          * Installation
+      * LAB #1 - Netwox
-          * Utilisation
+        * 1.1 - Installation
-          * Fichiers de Configuration
+        * 1.2 - Utilisation
-          * Scripts
+        * 1.3 - Avertissement important
-        * 1.2 - netcat
+      * LAB #2 - Greenbone Vulnerability Management (GVM)
-          * Utilisation
+        * 2.1 - Présentation
-    * Les Contre-Mesures
+        * 2.2 - Préparation
-      * LAB #2 - Mise en place du Système de Détection d'Intrusion Snort
+        * 2.3 - Installation
-        * 2.1 - Installation
+        * 2.4 - Configuration
-        * 2.2 - Configuration de Snort
+        * 2.5 - Utilisation
-          * Editer le fichier /etc/snort/snort.conf
+        * 2.6 - Analyse des Résultats
-        * 2.3 - Utilisation de snort en mode "packet sniffer"
+      * LAB #3 - Sécuriser le Serveur DNS
-        * 2.4 - Utilisation de snort en mode "packet logger"
+        * 3.1 - Le Serveur DNS
-        * 2.5 - Journalisation
+        * 3.2 - Préparation à l'Installation
-      * LAB #3 - Mise en place du Système de Détection et de Prévention d'Intrusion Portsentry
+        * 3.3 - Installation
-        * 3.1 - Installation
+        * 3.4 - Les fichiers de configuration
-        * 3.2 - Configuration
+        * 3.5 - Utilisation
-        * 3.3 - Utilisation
+        * 3.6 - Créer les Pairs de Clefs
+        * 3.7 - Modifier la Configuration de Bind
+        * 3.8 - Signer la Zone
+        * 3.9 - La chaîne de confiance DNS
 =====Le Problématique=====
-Un **Cheval de Troie** est un binaire qui se cache dans un autre. Il est exécuté suite à l'exécution du binaire hôte par la cible ou par un utilisateur. Le but principal du Cheval de Troie est d'ouvrir une //trappe// (//backdoor//). Les Chevaux de Troie les plus connus sont :
+La plupart des failles de sécurité ne sont pas du fait du système d'exploitation mais des applications installées.
-  * Back Orifice 2000 - tcp/8787, tcp/54320-21,
+=====Préparation=====
-  * Backdoor - tcp/1999,
-  * Subseven - tcp/1243, tcp/ 2773, tcp/6711-6713, tcp/7215, tcp/27374, tcp/27573, tcp/54283,
-  * Socket de Troie - tcp/5001, tcp/30303, tcp/50505.
-Le **scan** consiste à balayer les ports d'une machine afin de :
+=====Les Outils=====
-  * connaître les ports qui sont ouverts,
+==== LAB #1 - Netwox ====
-  * déterminer le système d'exploitation,
-  * identifier les services ouverts.
-Plusieurs scanners existent dont :
+Le programme **netwox** est un utilitaire puissant de vérification de la sécurité.
-  * nmap
+===1.1 - Installation===
-  * netcat
-====LAB #1 - Utilisation de nmap et de netcat====
+Netwox s'installe en utilisant APT :
-=== 1.1 - nmap ===
+<code>
+root@debian12:~# cd /tmp
-==Installation==
+root@debian12:/tmp# cd ~
-Sous Debian 12, **nmap** n'est pas installé par défaut :
+root@debian12:~# apt install netwox -y
+</code>
+===1.2 - Utilisation===
 <code>
-root@debian12:~# which nmap
+root@debian12:~# netwox
-root@debian12:~#
+Netwox toolbox version 5.39.0. Netwib library version 5.39.0.
+######################## MAIN MENU #########################
+- leave netwox
+- search tools
+- display help of one tool
+- run a tool selecting parameters on command line
+- run a tool selecting parameters from keyboard
+ a + information
+ b + network protocol
+ c + application protocol
+ d + sniff (capture network packets)
+ e + spoof (create and send packets)
+ f + record (file containing captured packets)
+ g + client
+ h + server
+ i + ping (check if a computer if reachable)
+ j + traceroute (obtain list of gateways)
+ k + scan (computer and port discovery)
+ l + network audit
+ m + brute force (check if passwords are weak)
+ n + remote administration
+ o + tools not related to network
+Select a node (key in 03456abcdefghijklmno):
 </code>
-Installez donc nmap en utilisant APT :
+L'utilisation de **netwox** en mode interactif se fait a l'aide des menus proposés. Dans notre cas, nous souhaitons utiliser un des outils de la section **network audit**. Il convient donc de choisir le menu **l** :
 <code>
-root@debian12:~# apt install nmap
+Select a node (key in 03456abcdefghijklmno): l
+###################### network audit #######################
+- leave netwox
+- go to main menu
+- go to previous menu
+- search tools
+- display help of one tool
+- run a tool selecting parameters on command line
+- run a tool selecting parameters from keyboard
+ a + network audit using Ethernet
+ b + network audit using IP
+ c + network audit using TCP
+ d + network audit using ICMP
+ e + network audit using ARP
+Select a node (key in 0123456abcde):
 </code>
-==Utilisation==
+Choisissez ensuite le menu **c** :
-Pour connaître la liste des ports ouverts sur votre machine virtuelle, saisissez la commande suivante :
+<code>
+Select a node (key in 0123456abcde): c
+################# network audit using TCP ##################
+- leave netwox
+- go to main menu
+- go to previous menu
+- search tools
+- display help of one tool
+- run a tool selecting parameters on command line
+- run a tool selecting parameters from keyboard
+ a - 76:Synflood
+ b - 77:Check if seqnum are predictible
+ c - 78:Reset every TCP packet
+ d - 79:Acknowledge every TCP SYN
+Select a node (key in 0123456abcd):
+</code>
+Notre choix de test s'arrête sur un test du type **Synflood** sur un de nos serveurs internes. Nous choisissons donc le menu **a** :
 <code>
-root@debian12:~# nmap 127.0.0.1
+Select a node (key in 0123456abcd): a
-Starting Nmap 7.93 ( https://nmap.org ) at 2025-11-27 16:48 CET
-Nmap scan report for localhost (127.0.0.1)
-Host is up (0.0000090s latency).
-Not shown: 996 closed tcp ports (reset)
-PORT     STATE SERVICE
-/tcp   open  ssh
-/tcp   open  http
-/tcp  open  ipp
-/tcp open  vnc
-Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
+################# help for tool number 76 ##################
+Title: Synflood
++------------------------------------------------------------------------+
+| This tool sends a lot of TCP SYN packets.                              |
+| It permits to check how a firewall behaves when receiving packets      |
+| which have to be ignored.                                              |
+| Parameter --spoofip indicates how to generate link layer for spoofing. |
+| Values 'best', 'link' or 'raw' are common choices for --spoofip. Here  |
+| is the list of accepted values:                                        |
+|  - 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If |
+|    a firewall is installed, or on some systems, this might not work.   |
+|  - 'linkf' means to spoof at link level (currently, only Ethernet is   |
+|    supported). The 'f' means to Fill source Ethernet address.          |
+|    However, if source IP address is spoofed, it might be impossible    |
+|    to Fill it. So, linkf will not work: use linkb or linkfb instead.   |
+|  - 'linkb' means to spoof at link level. The 'b' means to left a Blank |
+|    source Ethernet address (0:0:0:0:0:0, do not try to Fill it).       |
+|  - 'linkfb' means to spoof at link level. The 'f' means to try to Fill |
+|    source Ethernet address, but if it is not possible, it is left      |
+|    Blank.                                                              |
+|  - 'rawlinkf' means to try 'raw', then try 'linkf'                     |
+|  - 'rawlinkb' means to try 'raw', then try 'linkb'                     |
+|  - 'rawlinkfb' means to try 'raw', then try 'linkfb'                   |
+|  - 'linkfraw' means to try 'linkf', then try 'raw'                     |
+|  - 'linkbraw' means to try 'linkb', then try 'raw'                     |
+|  - 'linkfbraw' means to try 'linkfb', then try 'raw'                   |
+|  - 'link' is an alias for 'linkfb'                                     |
+|  - 'rawlink' is an alias for 'rawlinkfb'                               |
+|  - 'linkraw' is an alias for 'linkfbraw'                               |
+|  - 'best' is an alias for 'linkraw'. It should work in all cases.      |
+|                                                                        |
+| This tool may need to be run with admin privilege in order to spoof.   |
++------------------------------------------------------------------------+
+Usage: netwox 76 -i ip -p port [-s spoofip]
+Parameters:
+ -i|--dst-ip ip                 destination IP address {5.6.7.8}
+ -p|--dst-port port             destination port number {80}
+ -s|--spoofip spoofip           IP spoof initialization type {linkbraw}
+Example: netwox 76 -i "5.6.7.8" -p "80"
+Example: netwox 76 --dst-ip "5.6.7.8" --dst-port "80"
+Press 'r' or 'k' to run this tool, or any other key to continue
+</code>
+Il convient ensuite d'appuyer sur la touche [r] ou [k] pour lancer l'utilitaire.
+Il est a noter que **netwox**  peut être utilisé sans faire appel au menus interactifs, à condition de connaître le numéro **netwox** du test à lancer:
+  # netwox 76 -i "10.0.2.3" -p "80"
+===1.3 - Avertissement important===
+**netwox** est un outil puissant. Il convient de noter que:
+  * il ne doit pas être installé sur un serveur de production mais sur le poste de l'administrateur,
+  * netwox existe aussi en version Windows(tm),
+  * l'utilisation de netwox à des fins autres que de test est interdite.
+====LAB #2 - Greenbone Vulnerability Management (GVM)====
+===2.1 - Présentation===
+**Greenbone Vulnerability Management (GVM)**, aussi connu sous le nom d'**OpenVAS**, est le successeur libre du scanner **Nessus**, devenu propriétaire. GVM, tout comme Nessus, est un scanner de vulnérabilité qui balaie un hôte ou une plage d'hôtes pour essayer de détecter des failles de sécurité.
+===2.2 - Préparation===
+Mettez SELinux en mode permissive et désactivez-le dans le fichier **/etc/selinux/config** :
+<code>
+[root@centos7 ~]# setenforce permissive
+[root@centos7 ~]# sed -i 's/=enforcing/=disabled/' /etc/selinux/config
+[root@centos7 ~]# reboot
+</code>
+Insérez une règle dans le pare-feu pour permettre la consultation de l'interface HTML du client OpenVAS :
+<code>
+[root@centos7 ~]# firewall-cmd --zone=public --add-port=9443/tcp --permanent
+success
+[root@centos7 ~]# firewall-cmd --reload
+success
+</code>
+===2.3 - Installation===
+Téléchargez et installez **epel-release-7-14.noarch.rpm** :
+<code>
+[root@centos7 ~]# wget https://archives.fedoraproject.org/pub/archive/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
+--2025-12-01 15:29:01--  https://archives.fedoraproject.org/pub/archive/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
+Resolving archives.fedoraproject.org (archives.fedoraproject.org)... 38.145.32.23, 38.145.32.22, 38.145.32.24
+Connecting to archives.fedoraproject.org (archives.fedoraproject.org)|38.145.32.23|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 15608 (15K) [application/x-rpm]
+Saving to: ‘epel-release-7-14.noarch.rpm’
+%[========================================================================================================================================================================>] 15,608      --.-K/s   in 0.03s
+-12-01 15:29:01 (532 KB/s) - ‘epel-release-7-14.noarch.rpm’ saved [15608/15608]
+[root@centos7 ~]# yum localinstall epel-release-7-14.noarch.rpm --nogpgcheck
+</code>
+Installez ensuite **openvas-scanner**, **openvas-manager**, **openvas-gsa** et **openvas-cli** en utilisant yum :
+<code>
+[root@centos7 ~]# yum install openvas-scanner openvas-manager openvas-gsa openvas-cli coreutils openssl
+</code>
+===2.4 - Configuration===
+Les commandes d'OpenVAS sont les suivantes :
+<code>
+[root@centos7 ~]# ls -l /usr/sbin/openvas*
+-rwxr-xr-x. 1 root root   18066 Sep  6  2016 /usr/sbin/openvas-certdata-sync
+-rwxr-xr-x. 1 root root 2182496 Sep  6  2016 /usr/sbin/openvasmd
+-rwxr-xr-x. 1 root root   37993 Sep  6  2016 /usr/sbin/openvas-migrate-to-postgres
+-rwxr-xr-x. 1 root root   11998 Sep  6  2016 /usr/sbin/openvas-mkcert
+-rwxr-xr-x. 1 root root   10976 Sep  6  2016 /usr/sbin/openvas-nvt-sync
+-rwxr-xr-x. 1 root root     766 Sep  6  2016 /usr/sbin/openvas-nvt-sync-cron
+-rwxr-xr-x. 1 root root    2555 Sep  6  2016 /usr/sbin/openvas-portnames-update
+-rwxr-xr-x. 1 root root   38378 Sep  6  2016 /usr/sbin/openvas-scapdata-sync
+-rwxr-xr-x. 1 root root   86640 Sep  6  2016 /usr/sbin/openvassd
+</code>
+  * **/usr/sbin/openvas-mkcert**,
+    * Cette commande permet de générer un certificat SSL,
+  * **/usr/sbin/openvas-nvt-sync**,
+    * Cette commande permet la mise à jour des modules d'extensions de OpenVAS,
+  * **/usr/sbin/openvasd**,
+    * Cette commande lance le serveur OpenVAS.
+Exécutez maintenant la commande **openvas-check-setup** :
+<code>
+[root@centos7 ~]# openvas-check-setup
+openvas-check-setup 2.3.3
+  Test completeness and readiness of OpenVAS-8
+  (add '--v6' or '--v7' or '--v9'
+   if you want to check for another OpenVAS version)
+  Please report us any non-detected problems and
+  help us to improve this check routine:
+  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
+  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
+  Use the parameter --server to skip checks for client tools
+  like GSD and OpenVAS-CLI.
+Step 1: Checking OpenVAS Scanner ...
+        OK: OpenVAS Scanner is present in version 5.0.6.
+        ERROR: No CA certificate file of OpenVAS Scanner found.
+        FIX: Run 'openvas-mkcert'.
+ ERROR: Your OpenVAS-8 installation is not yet complete!
+Please follow the instructions marked with FIX above and run this
+script again.
+If you think this result is wrong, please report your observation
+and help us to improve this check routine:
+http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
+Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
 </code>
 <WRAP center round important 50%>
-**Important** - Pour connaître les ports ouverts sur une machine distante, la procédure est identique sauf que vous devez utiliser l'adresse IP de votre cible.
+**Important** - Notez l'erreur **ERROR: No CA certificate file of OpenVAS Scanner found.**
 </WRAP>
-==Fichiers de Configuration==
+Créez donc un certificat SSL :
-**nmap** utilise un fichier spécifique pour identifier les ports. Ce fichier est **/usr/share/nmap/nmap-services**:
+<code>
+[root@centos7 ~]# openvas-mkcert
+-------------------------------------------------------------------------------
+			Creation of the OpenVAS SSL Certificate
+-------------------------------------------------------------------------------
+This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
+Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.
+CA certificate life time in days [1460]: 3650
+Server certificate life time in days [365]: 3650
+Your country (two letter code) [DE]: UK
+Your state or province name [none]: SURREY
+Your location (e.g. town) [Berlin]: ADDLESTONE
+Your organization [OpenVAS Users United]: I2TCH LIMITED
+-------------------------------------------------------------------------------
+			Creation of the OpenVAS SSL Certificate
+-------------------------------------------------------------------------------
+Congratulations. Your server certificate was properly created.
+The following files were created:
+. Certification authority:
+   Certificate = /etc/pki/openvas/CA/cacert.pem
+   Private key = /etc/pki/openvas/private/CA/cakey.pem
+. OpenVAS Server :
+    Certificate = /etc/pki/openvas/CA/servercert.pem
+    Private key = /etc/pki/openvas/private/CA/serverkey.pem
+Press [ENTER] to exit
+[Entrée]
+[root@centos7 ~]#
+</code>
+Exécutez de nouveau la commande **openvas-check-setup** :
 <code>
-root@debian12:~# more /usr/share/nmap/nmap-services
+[root@centos7 ~]# openvas-check-setup
-# THIS FILE IS GENERATED AUTOMATICALLY FROM A MASTER - DO NOT EDIT.
+openvas-check-setup 2.3.3
-# EDIT /nmap-private-dev/nmap-services-all IN SVN INSTEAD.
+  Test completeness and readiness of OpenVAS-8
-# Well known service port numbers -*- mode: fundamental; -*-
+  (add '--v6' or '--v7' or '--v9'
-# From the Nmap Security Scanner ( https://nmap.org/ )
+   if you want to check for another OpenVAS version)
+  Please report us any non-detected problems and
+  help us to improve this check routine:
+  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
+  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
+  Use the parameter --server to skip checks for client tools
+  like GSD and OpenVAS-CLI.
+Step 1: Checking OpenVAS Scanner ...
+        OK: OpenVAS Scanner is present in version 5.0.6.
+        OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
+/bin/openvas-check-setup: line 219: redis-server: command not found
+        ERROR: No redis-server installation found.
+        FIX: You should install redis-server for improved scalability and ability to trace/debug the KB
+ ERROR: Your OpenVAS-8 installation is not yet complete!
+Please follow the instructions marked with FIX above and run this
+script again.
+If you think this result is wrong, please report your observation
+and help us to improve this check routine:
+http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
+Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
+</code>
+<WRAP center round important 50%>
+**Important** - Notez l'erreur **ERROR: No redis-server installation found.**
+</WRAP>
+Installez donc **redis** :
+<code>
+[root@centos7 ~]# yum install redis
+</code>
+Activez les deux lignes suivantes dans le fichier **/etc/redis.conf** :
+<file>
+...
+# unixsocket /tmp/redis.sock
+# unixsocketperm 700...
+</file>
+<code>
+[root@centos7 ~]# sed -i '/^#.*unixsocket/s/^# //' /etc/redis.conf
+</code>
+Ajoutez la ligne **kb_location = /tmp/redis.sock** dans le fichier **/etc/openvas/openvassd.conf** :
+<file>
+...
+# KB test replay :
+kb_dont_replay_scanners = no
+kb_dont_replay_info_gathering = no
+kb_dont_replay_attacks = no
+kb_dont_replay_denials = no
+kb_max_age = 864000
+kb_location = /tmp/redis.sock
+#--- end of the KB section
+...
+</file>
+Activez et démarrez le service **redis** :
+<code>
+[root@centos7 ~]# systemctl enable redis
+Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
+[root@centos7 ~]# systemctl start redis
+[root@centos7 ~]# systemctl status redis
+● redis.service - Redis persistent key-value database
+   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
+  Drop-In: /etc/systemd/system/redis.service.d
+           └─limit.conf
+   Active: active (running) since Mon 2025-12-01 15:45:16 CET; 3s ago
+ Main PID: 13037 (redis-server)
+   CGroup: /system.slice/redis.service
+           └─13037 /usr/bin/redis-server 127.0.0.1:6379
+Dec 01 15:45:16 centos7.fenestros.loc systemd[1]: Starting Redis persistent key-value database...
+Dec 01 15:45:16 centos7.fenestros.loc systemd[1]: Started Redis persistent key-value database.
+</code>
+Exécutez encore une fois la commande **openvas-check-setup** :
+<code>
+[root@centos7 ~]# openvas-check-setup
+...
+Step 1: Checking OpenVAS Scanner ...
+        OK: OpenVAS Scanner is present in version 5.0.6.
+        OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
+        OK: redis-server is present in version v=3.2.10.
+        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
+        OK: redis-server is running and listening on socket: /tmp/redis.sock.
+        OK: redis-server configuration is OK and redis-server is running.
+        ERROR: The NVT collection is very small.
+        FIX: Run a synchronization script like openvas-nvt-sync or greenbone-nvt-sync.
+...
+</code>
+<WRAP center round important 50%>
+**Important** - Notez l'erreur **ERROR: The NVT collection is very small.**
+</WRAP>
+Téléchargez le script **greenbone-nvt-sync** :
+<code>
+[root@centos7 ~]# wget https://www.dropbox.com/scl/fi/10hf8fpdq2yhd821qb5pk/greenbone-nvt-sync?rlkey=7f4taliexlpg54pa1c1yz8czx&st=tkvnjg55
+[root@centos7 ~]# mv greenbone-nvt-sync?rlkey=7f4taliexlpg54pa1c1yz8czx greenbone-nvt-sync
+</code>
+Si vous ne pouvez pas téléchargez le script **greenbone-nvt-sync**, copiez son contenu ci-dessous et créez-le :
+<code>
+[root@centos7 ~]# vi greenbone-nvt-sync
+[root@centos7 ~]# cat greenbone-nvt-sync
+#!/bin/sh
+# Copyright (C) 2009-2021 Greenbone Networks GmbH
 #
-# $Id: nmap-services 38442 2022-08-31 22:53:46Z dmiller $
+# SPDX-License-Identifier: GPL-2.0-or-later
 #
-# Derived from IANA data and our own research
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
 #
-# This collection of service data is (C) 1996-2020 by Insecure.Com
+# This program is distributed in the hope that it will be useful,
-# LLC.  It is distributed under the Nmap Public Source license as
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# provided in the LICENSE file of the source distribution or at
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# https://svn.nmap.org/nmap/LICENSE .  Note that this license
+# GNU General Public License for more details.
-# requires you to license your own work under a compatable open source
-# license.  If you wish to embed Nmap technology into proprietary
-# software, we sell alternative licenses (contact sales@insecure.com).
-# Dozens of software vendors already license Nmap technology such as
-# host discovery, port scanning, OS detection, and version detection.
-# For more details, see https://nmap.org/book/man-legal.html
 #
-# Fields in this file are: Service name, portnum/protocol, open-frequency, optional comments
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+# This script updates the local Network Vulnerability Tests (NVTs) from the
+# Greenbone Security Feed (GSF) or the Greenbone Community Feed (GCF).
+VERSION=@OPENVAS_VERSION@
+# SETTINGS
+# ========
+# PRIVATE_SUBDIR defines a subdirectory of the NVT directory that is excluded
+# from the feed sync. This is where to place your own NVTs.
+if [ -z "$PRIVATE_SUBDIR" ]
+then
+  PRIVATE_SUBDIR="private"
+fi
+# RSYNC_DELETE controls whether files which are not part of the repository will
+# be removed from the local directory after synchronization. The default value
+# for this setting is
+# "--delete --exclude \"$PRIVATE_SUBDIR/\"",
+# which means that files which are not part of the feed or private directory
+# will be deleted.
+RSYNC_DELETE="--delete --exclude $PRIVATE_SUBDIR/"
+# RSYNC_SSH_OPTS contains options which should be passed to ssh for the rsync
+# connection to the repository.
+RSYNC_SSH_OPTS="-o \"UserKnownHostsFile=/dev/null\" -o \"StrictHostKeyChecking=no\""
+# RSYNC_COMPRESS specifies the compression level to use for the rsync connection.
+RSYNC_COMPRESS="--compress-level=9"
+# RSYNC_CHMOD specifies the permissions to chmod the files to.
+RSYNC_CHMOD="--perms --chmod=Fugo+r,Fug+w,Dugo-s,Dugo+rx,Dug+w"
+# Verbosity flag for rsync. "-q" means a quiet rsync, "-v" a verbose rsync.
+RSYNC_VERBOSE="-q"
+# RSYNC_OPTIONS controls the general parameters for the rsync connection.
+RSYNC_OPTIONS="--links --times --omit-dir-times $RSYNC_VERBOSE --recursive --partial --progress"
+# Script and feed information which will be made available to user through
+# command line options and automated tools.
+# Script name which will be used for logging
+SCRIPT_NAME="greenbone-nvt-sync"
+# Result of selftest () is stored here. If it is not 0, the selftest has failed
+# and the sync script is unlikely to work.
+SELFTEST_FAIL=0
+# Port to use for synchronization. Default value is 24.
+PORT=24
+# Directory where the OpenVAS configuration is located
+OPENVAS_SYSCONF_DIR="@OPENVAS_SYSCONF_DIR@"
+# Directory where the feed update lock file will be placed.
+OPENVAS_FEED_LOCK_PATH="@OPENVAS_FEED_LOCK_PATH@"
+# Location of the GSF Access Key
+ACCESS_KEY="@GVM_ACCESS_KEY_DIR@/gsf-access-key"
+# If ENABLED is set to 0, the sync script will not perform a synchronization.
+ENABLED=1
+# LOG_CMD defines the command to use for logging. To have logger log to stderr
+# as well as syslog, add "-s" here. The logging facility is checked. In case of error
+# all will be logged in the standard error and the socket error check will be
+# disabled.
+LOG_CMD="logger -t $SCRIPT_NAME"
+check_logger () {
+  logger -p daemon.info -t $SCRIPT_NAME "Checking logger" --no-act 1>/dev/null 2>&1
+  if [ $? -gt 0 ]
+  then
+    LOG_CMD="logger -s -t $SCRIPT_NAME"
+    $LOG_CMD -p daemon.warning "The log facility is not working as expected. All messages will be written to the standard error stream."
+  fi
+}
+check_logger
+# Source configuration file if it is readable
+[ -r $OPENVAS_SYSCONF_DIR/greenbone-nvt-sync.conf ] && . $OPENVAS_SYSCONF_DIR/greenbone-nvt-sync.conf
+# NVT_DIR is the place where the NVTs are located.
+if [ -z "$NVT_DIR" ]
+then
+  NVT_DIR="@OPENVAS_NVT_DIR@"
+fi
+log_write () {
+  $LOG_CMD -p daemon.notice $1
+}
+log_debug () {
+  $LOG_CMD -p daemon.debug "$1"
+}
+log_info () {
+  $LOG_CMD -p daemon.info "$1"
+}
+log_notice () {
+  $LOG_CMD -p daemon.notice "$1"
+}
+log_warning () {
+  $LOG_CMD -p daemon.warning "$1"
+}
+log_err () {
+  $LOG_CMD -p daemon.err "$1"
+}
+stderr_write ()
+{
+  echo "$1" > /dev/stderr
+}
+# Read the general information about the feed origin from
+# the file "plugin_feed_info.inc" inside the feed directory.
+get_feed_info ()
+{
+  INFOFILE="$NVT_DIR/plugin_feed_info.inc"
+  if [ -r $INFOFILE ] ; then
+    FEED_VERSION=`grep PLUGIN_SET $INFOFILE | sed -e 's/[^0-9]//g'`
+    FEED_NAME=`awk -F\" '/PLUGIN_FEED/ { print $2 }' $INFOFILE`
+    FEED_VENDOR=`awk -F\" '/FEED_VENDOR/ { print $2 }' $INFOFILE`
+    FEED_HOME=`awk -F\" '/FEED_HOME/ { print $2 }' $INFOFILE`
+    FEED_PRESENT=1
+  else
+    FEED_PRESENT=0
+  fi
+  if [ -z "$FEED_NAME" ] ; then
+    FEED_NAME="Unidentified Feed"
+  fi
+  if [ -z "$FEED_VENDOR" ] ; then
+    FEED_VENDOR="Unidentified Vendor"
+  fi
+  if [ -z "$FEED_HOME" ] ; then
+    FEED_HOME="Unidentified Feed Homepage"
+  fi
+}
+# Prevent that root executes this script
+if [ "`id -u`" -eq "0" ]
+then
+  stderr_write "$0 must not be executed as privileged user root"
+  stderr_write
+  stderr_write "Unlike the actual scanner the sync routine does not need privileges."
+  stderr_write "Accidental execution as root would prevent later overwriting of"
+  stderr_write "files with a non-privileged user."
+  log_err "Denied to run as root"
+  exit 1
+fi
+# Always try to get the information when started.
+# This also ensures variables like FEED_PRESENT are set.
+get_feed_info
+# Determine whether a GSF access key is present. If yes,
+# then use the Greenbone Security Feed. Else use the
+# Greenbone Community Feed.
+if [ -e $ACCESS_KEY ]
+then
+  RESTRICTED=1
+else
+  RESTRICTED=0
+  if [ -z "$COMMUNITY_NVT_RSYNC_FEED" ]; then
+    COMMUNITY_NVT_RSYNC_FEED=rsync://feed.community.greenbone.net:/nvt-feed
+    # An alternative syntax which might work if the above doesn't:
+    # COMMUNITY_NVT_RSYNC_FEED=rsync@feed.community.greenbone.net::/nvt-feed
+  fi
+fi
+RSYNC=`command -v rsync`
+if [ -z "$TMPDIR" ]; then
+  SYNC_TMP_DIR=/tmp
+  # If we have mktemp, create a temporary dir (safer)
+  if [ -n "`which mktemp`" ]; then
+    SYNC_TMP_DIR=`mktemp -t -d greenbone-nvt-sync.XXXXXXXXXX` || { echo "ERROR: Cannot create temporary directory for file download" >&2; exit 1 ; }
+    trap "rm -rf $SYNC_TMP_DIR" EXIT HUP INT TRAP TERM
+  fi
+else
+  SYNC_TMP_DIR="$TMPDIR"
+fi
+# Initialize this indicator variable with default assuming the
+# feed is not up-to-date.
+FEED_CURRENT=0
+# This function uses gos-state-manager to get information about the settings.
+# If gos-state-manager is not installed the values of the settings can not be
+# retrieved.
 #
-tcpmux  1/tcp   0.001995        # TCP Port Service Multiplexer [rfc-1078] | TCP Port Service Multiplexer
+# Input: option
-tcpmux  1/udp   0.001236        # TCP Port Service Multiplexer
+# Output: value as string or empty String if gos-state-manager is not installed
-compressnet     2/tcp   0.000013        # Management Utility
+#         or option not set
-compressnet     2/udp   0.001845        # Management Utility
+get_value ()
-compressnet     3/tcp   0.001242        # Compression Process
+{
-compressnet     3/udp   0.001532        # Compression Process
+  value=""
-unknown 4/tcp   0.000477
+  key=$1
-rje     5/tcp   0.000000        # Remote Job Entry
+  if which gos-state-manager 1>/dev/null 2>&1
-rje     5/udp   0.000593        # Remote Job Entry
+  then
-unknown 6/tcp   0.000502
+    if gos-state-manager get "$key.value" 1>/dev/null 2>&1
-echo    7/sctp  0.000000
+    then
-echo    7/tcp   0.004855
+      value="$(gos-state-manager get "$key.value")"
-echo    7/udp   0.024679
+    fi
-unknown 8/tcp   0.000013
+  fi
-discard 9/sctp  0.000000        # sink null
+  echo "$value"
-discard 9/tcp   0.003764        # sink null
+}
-discard 9/udp   0.015733        # sink null
-unknown 10/tcp  0.000063
+# Creates a restricted access copy of the access key if necessary.
-systat  11/tcp  0.000075        # Active Users
+setup_temp_access_key () {
-systat  11/udp  0.000577        # Active Users
+  if [ -e "$ACCESS_KEY" ]
-unknown 12/tcp  0.000063
+  then
-daytime 13/tcp  0.003927
+    FILE_ACCESS=`stat -c%a "$ACCESS_KEY" | cut -c2-`
-daytime 13/udp  0.004827
+  fi
-unknown 14/tcp  0.000038
+  if [ -n "$FILE_ACCESS" ] && [ "00" != "$FILE_ACCESS" ]
-netstat 15/tcp  0.000038
+  then
-unknown 16/tcp  0.000050
+    TEMP_ACCESS_KEY_DIR=`mktemp -d`
-qotd    17/tcp  0.002346        # Quote of the Day
+    TEMP_ACCESS_KEY="$TEMP_ACCESS_KEY_DIR/gsf-access-key"
-qotd    17/udp  0.009209        # Quote of the Day
+    cp "$ACCESS_KEY" "$TEMP_ACCESS_KEY"
-msp     18/tcp  0.000000        # Message Send Protocol | Message Send Protocol (historic)
+    chmod 400 "$TEMP_ACCESS_KEY"
-msp     18/udp  0.000610        # Message Send Protocol
+  else
-chargen 19/tcp  0.002559        # ttytst source Character Generator | Character Generator
+    TEMP_ACCESS_KEY_DIR=""
-chargen 19/udp  0.015865        # ttytst source Character Generator
+    TEMP_ACCESS_KEY="$ACCESS_KEY"
-ftp-data        20/sctp 0.000000        # File Transfer [Default Data] | FTP
+  fi
---More--(0%)
+}
+# Deletes the read-only copy of the access key.
+cleanup_temp_access_key () {
+  if [ -n "$TEMP_ACCESS_KEY_DIR" ]
+  then
+    rm -rf "$TEMP_ACCESS_KEY_DIR"
+  fi
+  TEMP_ACCESS_KEY_DIR=""
+  TEMP_ACCESS_KEY=""
+}
+is_feed_current () {
+  if [ -z "$FEED_VERSION" ]
+  then
+    log_write "Could not determine feed version."
+    FEED_CURRENT=0
+    return $FEED_CURRENT
+  fi
+  if [ -z "$RSYNC" ]
+  then
+    log_notice "rsync not available, skipping feed version test"
+    FEED_CURRENT=0
+    rm -rf $FEED_INFO_TEMP_DIR
+    cleanup_temp_access_key
+    return 0
+  fi
+  FEED_INFO_TEMP_DIR=`mktemp -d`
+  if [ -e $ACCESS_KEY ]
+  then
+    gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
+    syncport=$(get_value syncport)
+    if [ "$syncport" ]
+    then
+      PORT="$syncport"
+    fi
+    read feeduser < $ACCESS_KEY
+    custid=`awk -F@ 'NR > 1 { exit }; { print $1 }' $ACCESS_KEY`
+    if [ -z "$feeduser" ] || [ -z "$custid" ]
+    then
+      log_err "Could not determine credentials, aborting synchronization."
+      exit 1
+    fi
+    setup_temp_access_key
+    if [ "$gsmproxy" = "proxy_feed" ] || [ -z "$gsmproxy" ]
+    then
+      RSYNC_SSH_PROXY_CMD=""
+    else
+      if [ -e $OPENVAS_SYSCONF_DIR/proxyauth ] && [ -r $OPENVAS_SYSCONF_DIR/proxyauth ]
+      then
+        RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $OPENVAS_SYSCONF_DIR/proxyauth\""
+      else
+        RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
+      fi
+    fi
+    rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TEMP_ACCESS_KEY" $RSYNC_OPTIONS $RSYNC_DELETE $RSYNC_COMPRESS $RSYNC_CHMOD "$feeduser"plugin_feed_info.inc $FEED_INFO_TEMP_DIR
+    if [ $? -ne 0 ]
+    then
+      log_err "Error: rsync failed."
+      rm -rf "$FEED_INFO_TEMP_DIR"
+      exit 1
+    fi
+  else
+    # Sleep for five seconds (a previous feed might have been synced a few seconds before) to prevent
+    # IP blocking due to network equipment in between keeping the previous connection too long open.
+    sleep 5
+    log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
+    eval "$RSYNC -ltvrP \"$COMMUNITY_NVT_RSYNC_FEED/plugin_feed_info.inc\" \"$FEED_INFO_TEMP_DIR\""
+    if [ $? -ne 0 ]
+    then
+      log_err "rsync failed, aborting synchronization."
+      rm -rf "$FEED_INFO_TEMP_DIR"
+      exit 1
+    fi
+  fi
+  FEED_VERSION_SERVER=`grep PLUGIN_SET $FEED_INFO_TEMP_DIR/plugin_feed_info.inc | sed -e 's/[^0-9]//g'`
+  if [ -z "$FEED_VERSION_SERVER" ]
+  then
+    log_err "Could not determine server feed version."
+    rm -rf $FEED_INFO_TEMP_DIR
+    cleanup_temp_access_key
+    exit 1
+  fi
+  # Check against FEED_VERSION
+  if [ $FEED_VERSION -lt $FEED_VERSION_SERVER ] ; then
+    FEED_CURRENT=0
+  else
+    FEED_CURRENT=1
+  fi
+  # Cleanup
+  rm -rf "$FEED_INFO_TEMP_DIR"
+  cleanup_temp_access_key
+  return $FEED_CURRENT
+}
+do_rsync_community_feed () {
+  # Sleep for five seconds (a previous feed might have been synced a few seconds before) to prevent
+  # IP blocking due to network equipment in between keeping the previous connection too long open.
+  sleep 5
+  log_notice "Configured NVT rsync feed: $COMMUNITY_NVT_RSYNC_FEED"
+  mkdir -p "$NVT_DIR"
+  eval "$RSYNC -ltvrP $RSYNC_DELETE \"$COMMUNITY_NVT_RSYNC_FEED\" \"$NVT_DIR\" --exclude=plugin_feed_info.inc"
+  if [ $? -ne 0 ] ; then
+    log_err "rsync failed."
+    exit 1
+  fi
+  # Sleep for five seconds (after the above rsync call) to prevent IP blocking due
+  # to network equipment in between keeping the previous connection too long open.
+  sleep 5
+  eval "$RSYNC -ltvrP $RSYNC_DELETE \"$COMMUNITY_NVT_RSYNC_FEED/plugin_feed_info.inc\" \"$NVT_DIR\""
+  if [ $? -ne 0 ] ; then
+    log_err "rsync failed."
+    exit 1
+  fi
+}
+sync_nvts(){
+  if [ $ENABLED -ne 1 ]
+  then
+    log_write "NVT synchronization is disabled, exiting."
+    exit 0
+  fi
+  if [ -e $ACCESS_KEY ]
+  then
+    log_write "Synchronizing NVTs from the Greenbone Security Feed into $NVT_DIR..."
+    if [ $FEED_PRESENT -eq 1 ] ; then
+      FEEDCOUNT=`grep -E "nasl$|inc$" $NVT_DIR/md5sums | wc -l`
+      log_write "Current status: Using $FEED_NAME at version $FEED_VERSION ($FEEDCOUNT NVTs)"
+    else
+      log_write "Current status: No feed installed."
+    fi
+    notsynced=1
+    retried=0
+    mkdir -p "$NVT_DIR"
+    read feeduser < $ACCESS_KEY
+    custid=`awk -F@ 'NR > 1 { exit }; { print $1 }' $ACCESS_KEY`
+    if [ -z "$feeduser" ] || [ -z "$custid" ]
+    then
+      log_err "Could not determine credentials, aborting synchronization."
+      exit 1
+    fi
+    setup_temp_access_key
+    while [ $notsynced -eq 1 ]
+    do
+      gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
+      syncport=$(get_value syncport)
+      if [ "$syncport" ]
+      then
+        PORT="$syncport"
+      fi
+      if [ "$gsmproxy" = "proxy_feed" ] || [ -z "$gsmproxy" ]
+      then
+        RSYNC_SSH_PROXY_CMD=""
+      else
+        if [ -e $OPENVAS_SYSCONF_DIR/proxyauth ] && [ -r $OPENVAS_SYSCONF_DIR/proxyauth ]; then
+          RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $OPENVAS_SYSCONF_DIR/proxyauth\""
+        else
+          RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
+        fi
+      fi
+      rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TEMP_ACCESS_KEY" --exclude=plugin_feed_info.inc $RSYNC_OPTIONS $RSYNC_DELETE $RSYNC_COMPRESS $RSYNC_CHMOD $feeduser $NVT_DIR
+      if [ $? -ne 0 ]  ; then
+        log_err "rsync failed, aborting synchronization."
+        exit 1
+      fi
+      rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TEMP_ACCESS_KEY" $RSYNC_OPTIONS $RSYNC_DELETE $RSYNC_COMPRESS $RSYNC_CHMOD "$feeduser"plugin_feed_info.inc $NVT_DIR
+      if [ $? -ne 0 ]  ; then
+        log_err "rsync failed, aborting synchronization."
+        exit 1
+      fi
+      eval "cd \"$NVT_DIR\" ; md5sum -c --status \"$NVT_DIR/md5sums\""
+      if [ $? -ne 0 ]  ; then
+        if [ -n "$retried" ]
+        then
+          log_err "Feed integrity check failed twice, aborting synchronization."
+          cleanup_temp_access_key
+          exit 1
+        else
+          log_write "The feed integrity check failed. This may be due to a concurrent feed update or other temporary issues."
+          log_write "Sleeping 15 seconds before retrying ..."
+          sleep 15
+          retried=1
+        fi
+      else
+        notsynced=0
+      fi
+    done
+    cleanup_temp_access_key
+    log_write "Synchronization with the Greenbone Security Feed successful."
+    get_feed_info
+    if [ $FEED_PRESENT -eq 1 ] ; then
+      FEEDCOUNT=`grep -E "nasl$|inc$" $NVT_DIR/md5sums | wc -l`
+      log_write "Current status: Using $FEED_NAME at version $FEED_VERSION ($FEEDCOUNT NVTs)"
+    else
+      log_write "Current status: No feed installed."
+    fi
+  else
+    log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
+    do_rsync_community_feed
+  fi
+}
+do_self_test ()
+{
+  MD5SUM_AVAIL=`command -v md5sum`
+  if [ $? -ne 0 ] ; then
+    SELFTEST_FAIL=1
+    stderr_write "The md5sum binary could not be found."
+  fi
+  RSYNC_AVAIL=`command -v rsync`
+  if [ $? -ne 0 ] ; then
+    SELFTEST_FAIL=1
+    stderr_write "The rsync binary could not be found."
+  fi
+}
+do_describe ()
+{
+  echo "This script synchronizes an NVT collection with the '$FEED_NAME'."
+  echo "The '$FEED_NAME' is provided by '$FEED_VENDOR'."
+  echo "Online information about this feed: '$FEED_HOME'."
+}
+do_feedversion () {
+  if [ $FEED_PRESENT -eq 1 ] ; then
+    echo $FEED_VERSION
+  else
+    stderr_write "The file containing the feed version could not be found."
+    exit 1
+  fi
+}
+do_sync ()
+{
+  do_self_test
+  if [ $SELFTEST_FAIL -ne 0 ] ; then
+    exit $SELFTEST_FAIL
+  fi
+  if [ $FEED_CURRENT -eq 1 ]
+  then
+    log_write "Feed is already current, skipping synchronization."
+  else
+    (
+      chmod +660 $OPENVAS_FEED_LOCK_PATH
+      flock -n 9
+      if [ $? -eq 1 ] ; then
+          log_warning "Another process related to the feed update is already running"
+          exit 1
+      fi
+      date > $OPENVAS_FEED_LOCK_PATH
+      sync_nvts
+      echo -n $OPENVAS_FEED_LOCK_PATH
+    )9>>$OPENVAS_FEED_LOCK_PATH
+  fi
+}
+do_help () {
+  echo "$0: Sync NVT data"
+  echo " --describe     display current feed info"
+  echo " --feedcurrent  just check if feed is up-to-date"
+  echo " --feedversion  display version of this feed"
+  echo " --help         display this help"
+  echo " --identify     display information"
+  echo " --nvtdir dir   set dir as NVT directory"
+  echo " --selftest     perform self-test and set exit code"
+  echo " --verbose      makes the sync process print details"
+  echo " --version      display version"
+  echo ""
+  echo ""
+  echo "Environment variables:"
+  echo "NVT_DIR         where to extract plugins (absolute path)"
+  echo "PRIVATE_SUBDIR  subdirectory of \$NVT_DIR to exclude from synchronization"
+  echo "TMPDIR          temporary directory used to download the files"
+  echo "Note that you can use standard ones as well (e.g. RSYNC_PROXY) for rsync"
+  echo ""
+  exit 0
+}
+while test $# -gt 0; do
+  case "$1" in
+    --version)
+      echo $VERSION
+      exit 0
+      ;;
+    --identify)
+      echo "NVTSYNC|$SCRIPT_NAME|$VERSION|$FEED_NAME|$RESTRICTED|NVTSYNC"
+      exit 0
+      ;;
+    --selftest)
+      do_self_test
+      exit $SELFTEST_FAIL
+      ;;
+    --describe)
+      do_describe
+      exit 0
+      ;;
+    --feedversion)
+      do_feedversion
+      exit 0
+      ;;
+    --help)
+      do_help
+      exit 0
+      ;;
+    --nvt-dir)
+      NVT_DIR="$2"
+      shift
+      ;;
+    --feedcurrent)
+      is_feed_current
+      exit $?
+      ;;
+    --verbose)
+      RSYNC_VERBOSE="-v"
+      ;;
+  esac
+  shift
+done
+do_sync
+exit 0
 </code>
-Le répertoire **/usr/share/nmap** contient d'autres fichiers importants :
+Rendez le script exécutable :
 <code>
-root@debian12:~# ls -l /usr/share/nmap
+[root@centos7 ~]# chmod +x greenbone-nvt-sync
-total 9368
--rw-r--r-- 1 root root   10829 Jan 16  2023 nmap.dtd
--rw-r--r-- 1 root root  824437 Jan 16  2023 nmap-mac-prefixes
--rw-r--r-- 1 root root 5032815 Jan 16  2023 nmap-os-db
--rw-r--r-- 1 root root   21165 Jan 16  2023 nmap-payloads
--rw-r--r-- 1 root root    6845 Jan 16  2023 nmap-protocols
--rw-r--r-- 1 root root   43529 Jan 16  2023 nmap-rpc
--rw-r--r-- 1 root root 2506640 Jan 16  2023 nmap-service-probes
--rw-r--r-- 1 root root 1004557 Jan 16  2023 nmap-services
--rw-r--r-- 1 root root   31936 Jan 16  2023 nmap.xsl
-drwxr-xr-x 3 root root    4096 Nov 27 16:46 nselib
--rw-r--r-- 1 root root   49478 Jan 16  2023 nse_main.lua
-drwxr-xr-x 2 root root   36864 Nov 27 16:46 scripts
 </code>
-Voici la liste des fichiers les plus importants :
+Déplacez le script vers **/usr/sbin/** :
-^ Fichier ^ Description ^
+<code>
-| /usr/share/nmap/nmap-protocols | Contient la liste des protocols reconnus par **nmap**. |
+[root@centos7 ~]# mv greenbone-nvt-sync /usr/sbin
-| /usr/share/nmap/nmap-service-probes | Contient les règles de balayage utilisées par **nmap** pour identifier le service actif sur un port donné. |
+mv: overwrite ‘/usr/sbin/greenbone-nvt-sync’? y
-| /usr/share/nmap/nmap-mac-prefixes | Contient une liste de préfix d'adresses MAC par fabricant reconnu par **nmap**. |
+</code>
-| /usr/share/nmap/nmap-rpc | Contient une liste des services RPC reconnus par **nmap**. |
-==Scripts==
+Devenez l'utilisateur trainee et mettez à jour les modules d'extensions de OpenVAS :
+<code>
+[root@centos7 ~]# su - trainee
+Last login: Mon Dec  1 15:30:45 CET 2025 on pts/0
+[trainee@centos7 ~]$ greenbone-nvt-sync
+...
+Greenbone community feed server - http://feed.community.greenbone.net/
+This service is hosted by Greenbone Networks - http://www.greenbone.net/
+All transactions are logged.
+If you have any questions, please use the Greenbone community portal.
+See https://community.greenbone.net for details.
+By using this service you agree to our terms and conditions.
+Only one sync per time, otherwise the source ip will be temporarily blocked.
+receiving incremental file list
+plugin_feed_info.inc
+100%  322.27kB/s    0:00:00 (xfr#1, to-chk=0/1)
+sent 57 bytes  received 436 bytes  328.67 bytes/sec
+total size is 330  speedup is 0.67
+[trainee@centos7 ~]$ exit
+[root@centos7 ~]#
+</code>
+<WRAP center round important 50%>
+**Important** - En cas d'erreur, relancez simplement la commande.
+</WRAP>
-**nmap** utilise des scripts pour accomplir certaines tâches allant de la découverte simple de ports ouverts jusqu'à l'intrusion :
+Déplacez les plugins vers le répertoire **/var/lib/openvas/plugins** :
 <code>
-root@debian12:~# ls /usr/share/nmap/scripts/
+[root@centos7 ~]# mv /home/trainee/@OPENVAS_NVT_DIR@/* /var/lib/openvas/plugins
-acarsd-info.nse                       fcrdns.nse                              https-redirect.nse               ms-sql-info.nse                 smb-flood.nse
-address-info.nse                      finger.nse                              http-stored-xss.nse              ms-sql-ntlm-info.nse            smb-ls.nse
-afp-brute.nse                         fingerprint-strings.nse                 http-svn-enum.nse                ms-sql-query.nse                smb-mbenum.nse
-afp-ls.nse                            firewalk.nse                            http-svn-info.nse                ms-sql-tables.nse               smb-os-discovery.nse
-afp-path-vuln.nse                     firewall-bypass.nse                     http-title.nse                   ms-sql-xp-cmdshell.nse          smb-print-text.nse
-afp-serverinfo.nse                    flume-master-info.nse                   http-tplink-dir-traversal.nse    mtrace.nse                      smb-protocols.nse
-afp-showmount.nse                     fox-info.nse                            http-trace.nse                   murmur-version.nse              smb-psexec.nse
-ajp-auth.nse                          freelancer-info.nse                     http-traceroute.nse              mysql-audit.nse                 smb-security-mode.nse
-ajp-brute.nse                         ftp-anon.nse                            http-trane-info.nse              mysql-brute.nse                 smb-server-stats.nse
-ajp-headers.nse                       ftp-bounce.nse                          http-unsafe-output-escaping.nse  mysql-databases.nse             smb-system-info.nse
-ajp-methods.nse                       ftp-brute.nse                           http-useragent-tester.nse        mysql-dump-hashes.nse           smb-vuln-conficker.nse
-ajp-request.nse                       ftp-libopie.nse                         http-userdir-enum.nse            mysql-empty-password.nse        smb-vuln-cve2009-3103.nse
-allseeingeye-info.nse                 ftp-proftpd-backdoor.nse                http-vhosts.nse                  mysql-enum.nse                  smb-vuln-cve-2017-7494.nse
-amqp-info.nse                         ftp-syst.nse                            http-virustotal.nse              mysql-info.nse                  smb-vuln-ms06-025.nse
-asn-query.nse                         ftp-vsftpd-backdoor.nse                 http-vlcstreamer-ls.nse          mysql-query.nse                 smb-vuln-ms07-029.nse
-auth-owners.nse                       ftp-vuln-cve2010-4221.nse               http-vmware-path-vuln.nse        mysql-users.nse                 smb-vuln-ms08-067.nse
-auth-spoof.nse                        ganglia-info.nse                        http-vuln-cve2006-3392.nse       mysql-variables.nse             smb-vuln-ms10-054.nse
-backorifice-brute.nse                 giop-info.nse                           http-vuln-cve2009-3960.nse       mysql-vuln-cve2012-2122.nse     smb-vuln-ms10-061.nse
-backorifice-info.nse                  gkrellm-info.nse                        http-vuln-cve2010-0738.nse       nat-pmp-info.nse                smb-vuln-ms17-010.nse
-bacnet-info.nse                       gopher-ls.nse                           http-vuln-cve2010-2861.nse       nat-pmp-mapport.nse             smb-vuln-regsvc-dos.nse
-banner.nse                            gpsd-info.nse                           http-vuln-cve2011-3192.nse       nbd-info.nse                    smb-vuln-webexec.nse
-bitcoin-getaddr.nse                   hadoop-datanode-info.nse                http-vuln-cve2011-3368.nse       nbns-interfaces.nse             smb-webexec-exploit.nse
-bitcoin-info.nse                      hadoop-jobtracker-info.nse              http-vuln-cve2012-1823.nse       nbstat.nse                      smtp-brute.nse
-bitcoinrpc-info.nse                   hadoop-namenode-info.nse                http-vuln-cve2013-0156.nse       ncp-enum-users.nse              smtp-commands.nse
-bittorrent-discovery.nse              hadoop-secondary-namenode-info.nse      http-vuln-cve2013-6786.nse       ncp-serverinfo.nse              smtp-enum-users.nse
-bjnp-discover.nse                     hadoop-tasktracker-info.nse             http-vuln-cve2013-7091.nse       ndmp-fs-info.nse                smtp-ntlm-info.nse
-broadcast-ataoe-discover.nse          hbase-master-info.nse                   http-vuln-cve2014-2126.nse       ndmp-version.nse                smtp-open-relay.nse
-broadcast-avahi-dos.nse               hbase-region-info.nse                   http-vuln-cve2014-2127.nse       nessus-brute.nse                smtp-strangeport.nse
-broadcast-bjnp-discover.nse           hddtemp-info.nse                        http-vuln-cve2014-2128.nse       nessus-xmlrpc-brute.nse         smtp-vuln-cve2010-4344.nse
-broadcast-db2-discover.nse            hnap-info.nse                           http-vuln-cve2014-2129.nse       netbus-auth-bypass.nse          smtp-vuln-cve2011-1720.nse
-broadcast-dhcp6-discover.nse          hostmap-bfk.nse                         http-vuln-cve2014-3704.nse       netbus-brute.nse                smtp-vuln-cve2011-1764.nse
-broadcast-dhcp-discover.nse           hostmap-crtsh.nse                       http-vuln-cve2014-8877.nse       netbus-info.nse                 sniffer-detect.nse
-broadcast-dns-service-discovery.nse   hostmap-robtex.nse                      http-vuln-cve2015-1427.nse       netbus-version.nse              snmp-brute.nse
-broadcast-dropbox-listener.nse        http-adobe-coldfusion-apsa1301.nse      http-vuln-cve2015-1635.nse       nexpose-brute.nse               snmp-hh3c-logins.nse
-broadcast-eigrp-discovery.nse         http-affiliate-id.nse                   http-vuln-cve2017-1001000.nse    nfs-ls.nse                      snmp-info.nse
-broadcast-hid-discoveryd.nse          http-apache-negotiation.nse             http-vuln-cve2017-5638.nse       nfs-showmount.nse               snmp-interfaces.nse
-broadcast-igmp-discovery.nse          http-apache-server-status.nse           http-vuln-cve2017-5689.nse       nfs-statfs.nse                  snmp-ios-config.nse
-broadcast-jenkins-discover.nse        http-aspnet-debug.nse                   http-vuln-cve2017-8917.nse       nje-node-brute.nse              snmp-netstat.nse
-broadcast-listener.nse                http-auth-finder.nse                    http-vuln-misfortune-cookie.nse  nje-pass-brute.nse              snmp-processes.nse
-broadcast-ms-sql-discover.nse         http-auth.nse                           http-vuln-wnr1000-creds.nse      nntp-ntlm-info.nse              snmp-sysdescr.nse
-broadcast-netbios-master-browser.nse  http-avaya-ipoffice-users.nse           http-waf-detect.nse              nping-brute.nse                 snmp-win32-services.nse
-broadcast-networker-discover.nse      http-awstatstotals-exec.nse             http-waf-fingerprint.nse         nrpe-enum.nse                   snmp-win32-shares.nse
-broadcast-novell-locate.nse           http-axis2-dir-traversal.nse            http-webdav-scan.nse             ntp-info.nse                    snmp-win32-software.nse
-broadcast-ospf2-discover.nse          http-backup-finder.nse                  http-wordpress-brute.nse         ntp-monlist.nse                 snmp-win32-users.nse
-broadcast-pc-anywhere.nse             http-barracuda-dir-traversal.nse        http-wordpress-enum.nse          omp2-brute.nse                  socks-auth-info.nse
-broadcast-pc-duo.nse                  http-bigip-cookie.nse                   http-wordpress-users.nse         omp2-enum-targets.nse           socks-brute.nse
-broadcast-pim-discovery.nse           http-brute.nse                          http-xssed.nse                   omron-info.nse                  socks-open-proxy.nse
-broadcast-ping.nse                    http-cakephp-version.nse                iax2-brute.nse                   openflow-info.nse               ssh2-enum-algos.nse
-broadcast-pppoe-discover.nse          http-chrono.nse                         iax2-version.nse                 openlookup-info.nse             ssh-auth-methods.nse
-broadcast-rip-discover.nse            http-cisco-anyconnect.nse               icap-info.nse                    openvas-otp-brute.nse           ssh-brute.nse
-broadcast-ripng-discover.nse          http-coldfusion-subzero.nse             iec-identify.nse                 openwebnet-discovery.nse        ssh-hostkey.nse
-broadcast-sonicwall-discover.nse      http-comments-displayer.nse             ike-version.nse                  oracle-brute.nse                ssh-publickey-acceptance.nse
-broadcast-sybase-asa-discover.nse     http-config-backup.nse                  imap-brute.nse                   oracle-brute-stealth.nse        ssh-run.nse
-broadcast-tellstick-discover.nse      http-cookie-flags.nse                   imap-capabilities.nse            oracle-enum-users.nse           sshv1.nse
-broadcast-upnp-info.nse               http-cors.nse                           imap-ntlm-info.nse               oracle-sid-brute.nse            ssl-ccs-injection.nse
-broadcast-versant-locate.nse          http-cross-domain-policy.nse            impress-remote-discover.nse      oracle-tns-version.nse          ssl-cert-intaddr.nse
-broadcast-wake-on-lan.nse             http-csrf.nse                           informix-brute.nse               ovs-agent-version.nse           ssl-cert.nse
-broadcast-wpad-discover.nse           http-date.nse                           informix-query.nse               p2p-conficker.nse               ssl-date.nse
-broadcast-wsdd-discover.nse           http-default-accounts.nse               informix-tables.nse              path-mtu.nse                    ssl-dh-params.nse
-broadcast-xdmcp-discover.nse          http-devframework.nse                   ip-forwarding.nse                pcanywhere-brute.nse            ssl-enum-ciphers.nse
-cassandra-brute.nse                   http-dlink-backdoor.nse                 ip-geolocation-geoplugin.nse     pcworx-info.nse                 ssl-heartbleed.nse
-cassandra-info.nse                    http-dombased-xss.nse                   ip-geolocation-ipinfodb.nse      pgsql-brute.nse                 ssl-known-key.nse
-cccam-version.nse                     http-domino-enum-passwords.nse          ip-geolocation-map-bing.nse      pjl-ready-message.nse           ssl-poodle.nse
-cics-enum.nse                         http-drupal-enum.nse                    ip-geolocation-map-google.nse    pop3-brute.nse                  sslv2-drown.nse
-cics-info.nse                         http-drupal-enum-users.nse              ip-geolocation-map-kml.nse       pop3-capabilities.nse           sslv2.nse
-cics-user-brute.nse                   http-enum.nse                           ip-geolocation-maxmind.nse       pop3-ntlm-info.nse              sstp-discover.nse
-cics-user-enum.nse                    http-errors.nse                         ip-https-discover.nse            port-states.nse                 stun-info.nse
-citrix-brute-xml.nse                  http-exif-spider.nse                    ipidseq.nse                      pptp-version.nse                stun-version.nse
-citrix-enum-apps.nse                  http-favicon.nse                        ipmi-brute.nse                   puppet-naivesigning.nse         stuxnet-detect.nse
-citrix-enum-apps-xml.nse              http-feed.nse                           ipmi-cipher-zero.nse             qconn-exec.nse                  supermicro-ipmi-conf.nse
-citrix-enum-servers.nse               http-fetch.nse                          ipmi-version.nse                 qscan.nse                       svn-brute.nse
-citrix-enum-servers-xml.nse           http-fileupload-exploiter.nse           ipv6-multicast-mld-list.nse      quake1-info.nse                 targets-asn.nse
-clamav-exec.nse                       http-form-brute.nse                     ipv6-node-info.nse               quake3-info.nse                 targets-ipv6-map4to6.nse
-clock-skew.nse                        http-form-fuzzer.nse                    ipv6-ra-flood.nse                quake3-master-getservers.nse    targets-ipv6-multicast-echo.nse
-coap-resources.nse                    http-frontpage-login.nse                irc-botnet-channels.nse          rdp-enum-encryption.nse         targets-ipv6-multicast-invalid-dst.nse
-couchdb-databases.nse                 http-generator.nse                      irc-brute.nse                    rdp-ntlm-info.nse               targets-ipv6-multicast-mld.nse
-couchdb-stats.nse                     http-git.nse                            irc-info.nse                     rdp-vuln-ms12-020.nse           targets-ipv6-multicast-slaac.nse
-creds-summary.nse                     http-gitweb-projects-enum.nse           irc-sasl-brute.nse               realvnc-auth-bypass.nse         targets-ipv6-wordlist.nse
-cups-info.nse                         http-google-malware.nse                 irc-unrealircd-backdoor.nse      redis-brute.nse                 targets-sniffer.nse
-cups-queue-info.nse                   http-grep.nse                           iscsi-brute.nse                  redis-info.nse                  targets-traceroute.nse
-cvs-brute.nse                         http-headers.nse                        iscsi-info.nse                   resolveall.nse                  targets-xml.nse
-cvs-brute-repository.nse              http-hp-ilo-info.nse                    isns-info.nse                    reverse-index.nse               teamspeak2-version.nse
-daap-get-library.nse                  http-huawei-hg5xx-vuln.nse              jdwp-exec.nse                    rexec-brute.nse                 telnet-brute.nse
-daytime.nse                           http-icloud-findmyiphone.nse            jdwp-info.nse                    rfc868-time.nse                 telnet-encryption.nse
-db2-das-info.nse                      http-icloud-sendmsg.nse                 jdwp-inject.nse                  riak-http-info.nse              telnet-ntlm-info.nse
-deluge-rpc-brute.nse                  http-iis-short-name-brute.nse           jdwp-version.nse                 rlogin-brute.nse                tftp-enum.nse
-dhcp-discover.nse                     http-iis-webdav-vuln.nse                knx-gateway-discover.nse         rmi-dumpregistry.nse            tls-alpn.nse
-dicom-brute.nse                       http-internal-ip-disclosure.nse         knx-gateway-info.nse             rmi-vuln-classloader.nse        tls-nextprotoneg.nse
-dicom-ping.nse                        http-joomla-brute.nse                   krb5-enum-users.nse              rpcap-brute.nse                 tls-ticketbleed.nse
-dict-info.nse                         http-jsonp-detection.nse                ldap-brute.nse                   rpcap-info.nse                  tn3270-screen.nse
-distcc-cve2004-2687.nse               http-litespeed-sourcecode-download.nse  ldap-novell-getpass.nse          rpc-grind.nse                   tor-consensus-checker.nse
-dns-blacklist.nse                     http-ls.nse                             ldap-rootdse.nse                 rpcinfo.nse                     traceroute-geolocation.nse
-dns-brute.nse                         http-majordomo2-dir-traversal.nse       ldap-search.nse                  rsa-vuln-roca.nse               tso-brute.nse
-dns-cache-snoop.nse                   http-malware-host.nse                   lexmark-config.nse               rsync-brute.nse                 tso-enum.nse
-dns-check-zone.nse                    http-mcmp.nse                           llmnr-resolve.nse                rsync-list-modules.nse          ubiquiti-discovery.nse
-dns-client-subnet-scan.nse            http-methods.nse                        lltd-discovery.nse               rtsp-methods.nse                unittest.nse
-dns-fuzz.nse                          http-method-tamper.nse                  lu-enum.nse                      rtsp-url-brute.nse              unusual-port.nse
-dns-ip6-arpa-scan.nse                 http-mobileversion-checker.nse          maxdb-info.nse                   rusers.nse                      upnp-info.nse
-dns-nsec3-enum.nse                    http-ntlm-info.nse                      mcafee-epo-agent.nse             s7-info.nse                     uptime-agent-info.nse
-dns-nsec-enum.nse                     http-open-proxy.nse                     membase-brute.nse                samba-vuln-cve-2012-1182.nse    url-snarf.nse
-dns-nsid.nse                          http-open-redirect.nse                  membase-http-info.nse            script.db                       ventrilo-info.nse
-dns-random-srcport.nse                http-passwd.nse                         memcached-info.nse               servicetags.nse                 versant-info.nse
-dns-random-txid.nse                   http-phpmyadmin-dir-traversal.nse       metasploit-info.nse              shodan-api.nse                  vmauthd-brute.nse
-dns-recursion.nse                     http-phpself-xss.nse                    metasploit-msgrpc-brute.nse      sip-brute.nse                   vmware-version.nse
-dns-service-discovery.nse             http-php-version.nse                    metasploit-xmlrpc-brute.nse      sip-call-spoof.nse              vnc-brute.nse
-dns-srv-enum.nse                      http-proxy-brute.nse                    mikrotik-routeros-brute.nse      sip-enum-users.nse              vnc-info.nse
-dns-update.nse                        http-put.nse                            mmouse-brute.nse                 sip-methods.nse                 vnc-title.nse
-dns-zeustracker.nse                   http-qnap-nas-info.nse                  mmouse-exec.nse                  skypev2-version.nse             voldemort-info.nse
-dns-zone-transfer.nse                 http-referer-checker.nse                modbus-discover.nse              smb2-capabilities.nse           vtam-enum.nse
-docker-version.nse                    http-rfi-spider.nse                     mongodb-brute.nse                smb2-security-mode.nse          vulners.nse
-domcon-brute.nse                      http-robots.txt.nse                     mongodb-databases.nse            smb2-time.nse                   vuze-dht-info.nse
-domcon-cmd.nse                        http-robtex-reverse-ip.nse              mongodb-info.nse                 smb2-vuln-uptime.nse            wdb-version.nse
-domino-enum-users.nse                 http-robtex-shared-ns.nse               mqtt-subscribe.nse               smb-brute.nse                   weblogic-t3-info.nse
-dpap-brute.nse                        http-sap-netweaver-leak.nse             mrinfo.nse                       smb-double-pulsar-backdoor.nse  whois-domain.nse
-drda-brute.nse                        http-security-headers.nse               msrpc-enum.nse                   smb-enum-domains.nse            whois-ip.nse
-drda-info.nse                         http-server-header.nse                  ms-sql-brute.nse                 smb-enum-groups.nse             wsdd-discover.nse
-duplicates.nse                        http-shellshock.nse                     ms-sql-config.nse                smb-enum-processes.nse          x11-access.nse
-eap-info.nse                          http-sitemap-generator.nse              ms-sql-dac.nse                   smb-enum-services.nse           xdmcp-discover.nse
-enip-info.nse                         http-slowloris-check.nse                ms-sql-dump-hashes.nse           smb-enum-sessions.nse           xmlrpc-methods.nse
-epmd-info.nse                         http-slowloris.nse                      ms-sql-empty-password.nse        smb-enum-shares.nse             xmpp-brute.nse
-eppc-enum-processes.nse               http-sql-injection.nse                  ms-sql-hasdbaccess.nse           smb-enum-users.nse              xmpp-info.nse
 </code>
-Les scripts sont regroupés dans des catégories : **auth**, **broadcast**, **brute**, **default**, **discovery**, **dos**, **exploit**, **external**, **fuzzer**, **intrusive**, **malware**, **safe**, **version** and **vuln**.
+Vérifiez ensuite la réussite de la commande précédente :
+<code>
+[root@centos7 ~]# ls -l /var/lib/openvas/plugins/ | more
+total 41280
+drwxr-xr-x.   6 trainee trainee    24576 Dec  1 11:30 2008
+drwxr-xr-x.  14 trainee trainee    65536 Dec  1 11:30 2009
+drwxr-xr-x.  12 trainee trainee    65536 Dec  1 11:30 2010
+drwxr-xr-x.  13 trainee trainee   118784 Dec  1 11:30 2011
+drwxr-xr-x.  14 trainee trainee   102400 Dec  1 11:30 2012
+drwxr-xr-x.  11 trainee trainee    86016 Dec  1 11:30 2013
+drwxr-xr-x.  13 trainee trainee    81920 Dec  1 11:30 2014
+drwxr-xr-x.  15 trainee trainee   118784 Dec  1 11:30 2015
+drwxr-xr-x.  17 trainee trainee   159744 Dec  1 11:30 2016
+drwxr-xr-x.  70 trainee trainee   126976 Dec  1 11:30 2017
+drwxr-xr-x. 288 trainee trainee     8192 Dec  1 11:30 2018
+drwxr-xr-x. 215 trainee trainee     8192 Dec  1 11:30 2019
+drwxr-xr-x. 181 trainee trainee     8192 Dec  1 11:30 2020
+drwxr-xr-x. 154 trainee trainee     8192 Dec  1 11:30 2021
+drwxr-xr-x. 149 trainee trainee     4096 Dec  1 11:30 2022
+drwx------. 136 trainee trainee     4096 Dec  1 11:30 2023
+drwx------. 127 trainee trainee     4096 Dec  1 11:30 2024
+drwx------. 132 trainee trainee     4096 Dec  1 11:30 2025
+-rw-r--r--.   1 trainee trainee     2311 Dec  1 11:08 adaptbb_detect.nasl
+-rw-r--r--.   1 trainee trainee     1786 Dec  1 11:08 afs_version.nasl
+-rw-r--r--.   1 trainee trainee     2448 Dec  1 11:08 amanda_detect.nasl
+-rw-r--r--.   1 trainee trainee     2432 Dec  1 11:08 amanda_version.nasl
+-rw-r--r--.   1 trainee trainee     1492 Dec  1 11:08 aol_installed.nasl
+-rw-r--r--.   1 trainee trainee     2746 Dec  1 11:08 apachehttp_config_defaults.nasl
+-rw-r--r--.   1 trainee trainee     8186 Dec  1 11:08 apache_ofbiz_http_detect.nasl
+-rw-r--r--.   1 trainee trainee     5553 Dec  1 11:08 apache_prds.inc
+-rw-r--r--.   1 trainee trainee     4210 Dec  1 11:08 apache_server_info.nasl
+-rw-r--r--.   1 trainee trainee     4624 Dec  1 11:08 apache_server_status.nasl
+-rw-r--r--.   1 trainee trainee     6726 Dec  1 11:08 apache_SSL_complain.nasl
+-rw-r--r--.   1 trainee trainee     2117 Dec  1 11:08 apache_tomcat_config.nasl
+-rw-r--r--.   1 trainee trainee     2569 Dec  1 11:08 AproxEngine_detect.nasl
+-rw-r--r--.   1 trainee trainee     2496 Dec  1 11:08 arcserve_backup_detect.nasl
+-rw-r--r--.   1 trainee trainee     1937 Dec  1 11:08 arkoon.nasl
+-rw-r--r--.   1 trainee trainee     6878 Dec  1 11:08 asip-status.nasl
+-rw-r--r--.   1 trainee trainee     3797 Dec  1 11:08 atmail_detect.nasl
+drwx------.   9 trainee trainee    20480 Dec  1 11:30 attic
+-rw-r--r--.   1 trainee trainee     1914 Dec  1 11:08 auth_enabled.nasl
+-rw-r--r--.   1 trainee trainee     2016 Dec  1 11:08 aventail_asap_http_detect.nasl
+-rw-r--r--.   1 trainee trainee  1638960 Dec  1 11:08 bad_dsa_ssh_host_keys.txt
+-rw-r--r--.   1 trainee trainee  1638960 Dec  1 11:08 bad_rsa_ssh_host_keys.txt
+-rw-r--r--.   1 trainee trainee    54323 Dec  1 11:08 bad_ssh_host_keys.inc
+-rw-r--r--.   1 trainee trainee    15064 Dec  1 11:08 bad_ssh_keys.inc
+-rw-r--r--.   1 trainee trainee     2507 Dec  1 11:08 barracuda_im_firewall_detect.nasl
+-rw-r--r--.   1 trainee trainee     2827 Dec  1 11:08 base_detect.nasl
+-rw-r--r--.   1 trainee trainee     4464 Dec  1 11:08 basilix_detect.nasl
+-rw-r--r--.   1 trainee trainee     3144 Dec  1 11:08 bgp_detect.nasl
+-rw-r--r--.   1 trainee trainee    23162 Dec  1 11:08 bin.inc
+-rw-r--r--.   1 trainee trainee     2745 Dec  1 11:08 bloofoxCMS_detect.nasl
+-rw-r--r--.   1 trainee trainee     1531 Dec  1 11:08 bluecoat_mgnt_console.nasl
+-rw-r--r--.   1 trainee trainee     2576 Dec  1 11:08 boastMachine_detect.nasl
+-rw-r--r--.   1 trainee trainee     1359 Dec  1 11:08 brother_printers.inc
+-rw-r--r--.   1 trainee trainee     3450 Dec  1 11:08 bugbear.nasl
+-rw-r--r--.   1 trainee trainee     3639 Dec  1 11:08 bugzilla_detect.nasl
+-rw-r--r--.   1 trainee trainee     5301 Dec  1 11:08 byte_func.inc
+--More--
+</code>
+Exécutez de nouveau la commande **openvas-check-setup** :
+<code>
+[root@centos7 ~]# openvas-check-setup
+...
+Step 2: Checking OpenVAS Manager ...
+        OK: OpenVAS Manager is present in version 6.0.9.
+        ERROR: No client certificate file of OpenVAS Manager found.
+        FIX: Run 'openvas-mkcert-client -n -i'
+ ERROR: Your OpenVAS-8 installation is not yet complete!
+...
+</code>
 <WRAP center round important 50%>
-**Important** - Pour plus d'informations concernant ces catégories, consultez cette [[https://nmap.org/man/fr/man-nse.html|page]].
+**Important** - Notez l'erreur **ERROR: No client certificate file of OpenVAS Manager found.**
 </WRAP>
-La catégorie la plus utilisée est **default** qui est appelée par l'utilisation de l'option **-sC**. Cette catégorie contient une liste de scripts par défaut.
+Consultez la signification des options suggérées pour la commande **openvas-mkcert-client** :
 <code>
-root@debian12:~# nmap -v -sC localhost
+[root@centos7 ~]# openvas-mkcert-client --help
-Starting Nmap 7.93 ( https://nmap.org ) at 2025-11-27 16:51 CET
+/bin/openvas-mkcert-client: illegal option -- -
-NSE: Loaded 125 scripts for scanning.
+Usage:
-NSE: Script Pre-scanning.
+  openvas-mkcert-client [OPTION...] - Create SSL client certificates for OpenVAS.
-Initiating NSE at 16:51
-Completed NSE at 16:51, 0.00s elapsed
-Initiating NSE at 16:51
-Completed NSE at 16:51, 0.00s elapsed
-Initiating SYN Stealth Scan at 16:51
-Scanning localhost (127.0.0.1) [1000 ports]
-Discovered open port 22/tcp on 127.0.0.1
-Discovered open port 5900/tcp on 127.0.0.1
-Discovered open port 80/tcp on 127.0.0.1
-Discovered open port 631/tcp on 127.0.0.1
-Completed SYN Stealth Scan at 16:51, 0.03s elapsed (1000 total ports)
-NSE: Script scanning 127.0.0.1.
-Initiating NSE at 16:51
-Completed NSE at 16:51, 2.00s elapsed
-Initiating NSE at 16:51
-Completed NSE at 16:51, 0.00s elapsed
-Nmap scan report for localhost (127.0.0.1)
-Host is up (0.0000090s latency).
-Other addresses for localhost (not scanned): ::1
-Not shown: 996 closed tcp ports (reset)
-PORT     STATE SERVICE
-/tcp   open  ssh
-| ssh-hostkey:
-|   256 738a4166831b9c8af2bfb567ed025c4d (ECDSA)
-|_  256 86dcfbca68069284b2ddb0545cbc4e2b (ED25519)
-/tcp   open  http
-| http-methods:
-|_  Supported Methods: GET POST OPTIONS HEAD
-|_http-title: Apache2 Debian Default Page: It works
-/tcp  open  ipp
-| ssl-cert: Subject: commonName=debian12/organizationName=debian12/stateOrProvinceName=Unknown/countryName=US
-| Subject Alternative Name: DNS:debian12, DNS:debian12.local, DNS:localhost
-| Issuer: commonName=debian12/organizationName=debian12/stateOrProvinceName=Unknown/countryName=US
-| Public Key type: rsa
-| Public Key bits: 2048
-| Signature Algorithm: sha256WithRSAEncryption
-| Not valid before: 2025-11-27T15:51:20
-| Not valid after:  2035-11-25T15:51:20
-| MD5:   508d6d5d71e72656eeda3082e4fcfde0
-|_SHA-1: 0bda6fab805a00a5cdc863da5357a3791a58eca6
-| http-methods:
-|_  Supported Methods: GET HEAD POST OPTIONS
-|_http-title: Home - CUPS 2.4.2
-|_ssl-date: TLS randomness does not represent time
-| http-robots.txt: 1 disallowed entry
-|_/
-/tcp open  vnc
-| vnc-info:
-|   Protocol version: 3.8
-|   Security types:
-|_    VNC Authentication (2)
-NSE: Script Post-scanning.
+Options:
-Initiating NSE at 16:51
+  -h           Display help
-Completed NSE at 16:51, 0.00s elapsed
+  -n           Run non-interactively, create certificates
-Initiating NSE at 16:51
+               and register with the OpenVAS scanner
-Completed NSE at 16:51, 0.00s elapsed
+  -i           Install client certificates for use with OpenVAS manager
-Read data files from: /usr/bin/../share/nmap
-Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds
-           Raw packets sent: 1000 (44.000KB) | Rcvd: 2004 (84.176KB)
 </code>
-<WRAP center round warning 50%>
+Exécutez donc la commande **openvas-mkcert-client -i** :
-**Attention** - La catégorie par défaut **default** contient certains scripts de la catégorie **intrusive**. Vous ne devez donc jamais utiliser cette option sur un réseau sans avoir obtenu un accord au préalable.
+<code>
+[root@centos7 ~]# openvas-mkcert-client -i
+This script will now ask you the relevant information to create the SSL client certificates for OpenVAS.
+Client certificates life time in days [365]: 3650
+Your country (two letter code) [DE]: UK
+Your state or province name [none]: SURREY
+Your location (e.g. town) [Berlin]: ADDLESTONE
+Your organization [none]: I2TCH LIMITED
+Your organizational unit [none]: TRAINING
+**********
+We are going to ask you some question for each client certificate.
+If some question has a default answer, you can force an empty answer by entering a single dot '.'
+*********
+Client certificates life time in days [3650]:
+Country (two letter code) [UK]:
+State or province name [SURREY]:
+Location (e.g. town) [ADDLESTONE]:
+Organization [I2TCH LIMITED]:
+Organization unit [TRAINING]:
+e-Mail []: infos@i2tch.eu
+Generating RSA private key, 4096 bit long modulus
+....++
+.......++
+e is 65537 (0x10001)
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [DE]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Using configuration from /tmp/openvas-mkcert-client.13962/stdC.cnf
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+countryName           :PRINTABLE:'UK'
+stateOrProvinceName   :ASN.1 12:'SURREY'
+localityName          :ASN.1 12:'ADDLESTONE'
+organizationName      :ASN.1 12:'I2TCH LIMITED'
+organizationalUnitName:ASN.1 12:'TRAINING'
+commonName            :ASN.1 12:'om'
+emailAddress          :IA5STRING:'infos@i2tch.eu'
+Certificate is to be certified until Jun 17 02:03:34 2028 GMT (3650 days)
+Write out database with 1 new entries
+Data Base Updated
+/bin/openvas-mkcert-client: line 370: [: argument expected
+</code>
+Exécutez encore une fois la commande **openvas-check-setup** :
+<code>
+[root@centos7 ~]# openvas-check-setup
+...
+Step 2: Checking OpenVAS Manager ...
+        OK: OpenVAS Manager is present in version 6.0.9.
+        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
+        ERROR: No OpenVAS Manager database found. (Tried: /var/lib/openvas/mgr/tasks.db)
+        FIX: Run 'openvasmd --rebuild' while OpenVAS Scanner is running.
+        WARNING: OpenVAS Scanner is NOT running!
+        SUGGEST: Start OpenVAS Scanner (openvassd).
+ ERROR: Your OpenVAS-8 installation is not yet complete!
+...
+</code>
+<WRAP center round important 50%>
+**Important** - Notez l'erreur **ERROR: No OpenVAS Manager database found. (Tried: /var/lib/openvas/mgr/tasks.db).**
 </WRAP>
-==Options de la commande==
+Afin de générer la base de données, OpenVAS Scanner doit être en cours d'exécution. Activez et démarrez donc le service :
-Les options de cette commande sont :
+<code>
+[root@centos7 ~]# systemctl enable openvas-scanner
+Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-scanner.service to /usr/lib/systemd/system/openvas-scanner.service.
+[root@centos7 ~]# systemctl start openvas-scanner
+[root@centos7 ~]# systemctl status openvas-scanner
+● openvas-scanner.service - OpenVAS Scanner
+   Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; enabled; vendor preset: disabled)
+   Active: active (running) since Mon 2025-12-01 16:45:47 CET; 12s ago
+  Process: 8889 ExecStart=/usr/sbin/openvassd $SCANNER_PORT $SCANNER_LISTEN $SCANNER_SRCIP (code=exited, status=0/SUCCESS)
+ Main PID: 8890 (openvassd)
+   CGroup: /system.slice/openvas-scanner.service
+           ├─8890 openvassd: Reloaded 1200 of 138097 NVTs (0% / ETA: 22:48)
+           └─8891 openvassd (Loading Handler)
+Dec 01 16:45:47 centos7.fenestros.loc systemd[1]: Starting OpenVAS Scanner...
+Dec 01 16:45:47 centos7.fenestros.loc systemd[1]: Started OpenVAS Scanner.
+</code>
+Construisez maintenant la base de données :
 <code>
-root@debian12:~# nmap --help
+[root@centos7 ~]# openvasmd --rebuild --progress
-Nmap 7.93 ( https://nmap.org )
+Rebuilding NVT cache... done.
-Usage: nmap [Scan Type(s)] [Options] {target specification}
-TARGET SPECIFICATION:
-  Can pass hostnames, IP addresses, networks, etc.
-  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-  -iL <inputfilename>: Input from list of hosts/networks
-  -iR <num hosts>: Choose random targets
-  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
-  --excludefile <exclude_file>: Exclude list from file
-HOST DISCOVERY:
-  -sL: List Scan - simply list targets to scan
-  -sn: Ping Scan - disable port scan
-  -Pn: Treat all hosts as online -- skip host discovery
-  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-  -PO[protocol list]: IP Protocol Ping
-  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
-  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
-  --system-dns: Use OS's DNS resolver
-  --traceroute: Trace hop path to each host
-SCAN TECHNIQUES:
-  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-  -sU: UDP Scan
-  -sN/sF/sX: TCP Null, FIN, and Xmas scans
-  --scanflags <flags>: Customize TCP scan flags
-  -sI <zombie host[:probeport]>: Idle scan
-  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
-  -sO: IP protocol scan
-  -b <FTP relay host>: FTP bounce scan
-PORT SPECIFICATION AND SCAN ORDER:
-  -p <port ranges>: Only scan specified ports
-    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-  --exclude-ports <port ranges>: Exclude the specified ports from scanning
-  -F: Fast mode - Scan fewer ports than the default scan
-  -r: Scan ports sequentially - don't randomize
-  --top-ports <number>: Scan <number> most common ports
-  --port-ratio <ratio>: Scan ports more common than <ratio>
-SERVICE/VERSION DETECTION:
-  -sV: Probe open ports to determine service/version info
-  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
-  --version-light: Limit to most likely probes (intensity 2)
-  --version-all: Try every single probe (intensity 9)
-  --version-trace: Show detailed version scan activity (for debugging)
-SCRIPT SCAN:
-  -sC: equivalent to --script=default
-  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
-           directories, script-files or script-categories
-  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
-  --script-args-file=filename: provide NSE script args in a file
-  --script-trace: Show all data sent and received
-  --script-updatedb: Update the script database.
-  --script-help=<Lua scripts>: Show help about scripts.
-           <Lua scripts> is a comma-separated list of script-files or
-           script-categories.
-OS DETECTION:
-  -O: Enable OS detection
-  --osscan-limit: Limit OS detection to promising targets
-  --osscan-guess: Guess OS more aggressively
-TIMING AND PERFORMANCE:
-  Options which take <time> are in seconds, or append 'ms' (milliseconds),
-  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-  -T<0-5>: Set timing template (higher is faster)
-  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
-  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
-  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
-      probe round trip time.
-  --max-retries <tries>: Caps number of port scan probe retransmissions.
-  --host-timeout <time>: Give up on target after this long
-  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
-  --min-rate <number>: Send packets no slower than <number> per second
-  --max-rate <number>: Send packets no faster than <number> per second
-FIREWALL/IDS EVASION AND SPOOFING:
-  -f; --mtu <val>: fragment packets (optionally w/given MTU)
-  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-  -S <IP_Address>: Spoof source address
-  -e <iface>: Use specified interface
-  -g/--source-port <portnum>: Use given port number
-  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
-  --data <hex string>: Append a custom payload to sent packets
-  --data-string <string>: Append a custom ASCII string to sent packets
-  --data-length <num>: Append random data to sent packets
-  --ip-options <options>: Send packets with specified ip options
-  --ttl <val>: Set IP time-to-live field
-  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
-  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
-OUTPUT:
-  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
-     and Grepable format, respectively, to the given filename.
-  -oA <basename>: Output in the three major formats at once
-  -v: Increase verbosity level (use -vv or more for greater effect)
-  -d: Increase debugging level (use -dd or more for greater effect)
-  --reason: Display the reason a port is in a particular state
-  --open: Only show open (or possibly open) ports
-  --packet-trace: Show all packets sent and received
-  --iflist: Print host interfaces and routes (for debugging)
-  --append-output: Append to rather than clobber specified output files
-  --resume <filename>: Resume an aborted scan
-  --noninteractive: Disable runtime interactions via keyboard
-  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
-  --webxml: Reference stylesheet from Nmap.Org for more portable XML
-  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
-MISC:
-  -6: Enable IPv6 scanning
-  -A: Enable OS detection, version detection, script scanning, and traceroute
-  --datadir <dirname>: Specify custom Nmap data file location
-  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
-  --privileged: Assume that the user is fully privileged
-  --unprivileged: Assume the user lacks raw socket privileges
-  -V: Print version number
-  -h: Print this help summary page.
-EXAMPLES:
-  nmap -v -A scanme.nmap.org
-  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
-  nmap -v -iR 10000 -Pn -p 80
-SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
 </code>
-===1.2 - netcat ===
+Exécutez de nouveau la commande **openvas-check-setup** :
-**netcat** est un couteau suisse. Il permet non seulement de scanner des ports mais aussi de lancer la connexion lors de la découverte d'un port ouvert.
+<code>
+[root@centos7 ~]# openvas-check-setup
+...
+Step 2: Checking OpenVAS Manager ...
+        OK: OpenVAS Manager is present in version 6.0.9.
+        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
+        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
+        OK: Access rights for the OpenVAS Manager database are correct.
+        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
+        OK: OpenVAS Manager database is at revision 146.
+        OK: OpenVAS Manager expects database at revision 146.
+        OK: Database schema is up to date.
+        OK: OpenVAS Manager database contains information about 45654 NVTs.
+        ERROR: No users found. You need to create at least one user to log in.
+        It is recommended to have at least one user with role Admin.
+        FIX: create a user by running 'openvasmd --create-user=<name> --role=Admin && openvasmd --user=<name> --new-password=<password>'
+...
+</code>
-==Utilisation==
+<WRAP center round important 50%>
+**Important** - Notez l'erreur **ERROR: No users found. You need to create at least one user to log in.**
+</WRAP>
-Dans l'exemple qui suite, un scan est lancé sur le port 80 puis sur le port 25 :
+Créez donc un utilisateur :
 <code>
-root@debian12:~# nc 127.0.0.1 80 -w 1 -vv
+[root@centos7 ~]# openvasmd --create-user=fenestros --role=Admin
-localhost [127.0.0.1] 80 (http) open
+User created with password 'a5b5eaa9-3600-4604-bf20-bc10d7e5455b'.
-[ENTREE] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Appuyez sur la touche Entrée
-HTTP/1.1 400 Bad Request
-Date: Thu, 27 Nov 2025 15:53:56 GMT
-Server: Apache/2.4.65 (Debian)
-Content-Length: 301
-Connection: close
-Content-Type: text/html; charset=iso-8859-1
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+[root@centos7 ~]# openvasmd --user=fenestros --new-password=fenestros
-<html><head>
+</code>
-<title>400 Bad Request</title>
-</head><body>
+Exécutez encore une fois la commande **openvas-check-setup** :
-<h1>Bad Request</h1>
-<p>Your browser sent a request that this server could not understand.<br />
+<code>
-</p>
+[root@centos7 ~]# openvas-check-setup
-<hr>
+...
-<address>Apache/2.4.65 (Debian) Server at 127.0.0.1 Port 80</address>
+Step 2: Checking OpenVAS Manager ...
-</body></html>
+        OK: OpenVAS Manager is present in version 6.0.9.
- sent 1, rcvd 483
+        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
+        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
+        OK: Access rights for the OpenVAS Manager database are correct.
+        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
+        OK: OpenVAS Manager database is at revision 146.
+        OK: OpenVAS Manager expects database at revision 146.
+        OK: Database schema is up to date.
+        OK: OpenVAS Manager database contains information about 45654 NVTs.
+        OK: At least one user exists.
+        ERROR: No OpenVAS SCAP database found. (Tried: /var/lib/openvas/scap-data/scap.db)
+        FIX: Run a SCAP synchronization script like openvas-scapdata-sync or greenbone-scapdata-sync.
+ ERROR: Your OpenVAS-8 installation is not yet complete!
+...
 </code>
 <WRAP center round important 50%>
-**Important** - Notez que **netcat** se connecte au port 80 qui est ouvert.
+**Important** - Notez l'erreur **ERROR: No OpenVAS SCAP database found. (Tried: /var/lib/openvas/scap-data/scap.db).**
 </WRAP>
-==Options de la commande==
+La prochaine étape donc consiste à récupérer la base SCAP (Security Content Automation Protocol).
-Les options de cette commande sont :
+Créez le fichier **greenbone-feed-sync** :
 <code>
-root@debian12:~# nc -h
+[root@centos7 ~]# vi greenbone-feed-sync
-[v1.10-47]
+[root@centos7 ~]# cat greenbone-feed-sync
-connect to somewhere:   nc [-options] hostname port[s] [ports] ...
+#!/bin/sh
-listen for inbound:     nc -l -p port [-options] [hostname] [port]
+# Copyright (C) 2011-2020 Greenbone Networks GmbH
-options:
+#
-        -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
+# SPDX-License-Identifier: AGPL-3.0-or-later
-        -e filename             program to exec after connect [dangerous!!]
+#
-        -b                      allow broadcasts
+# This program is free software: you can redistribute it and/or modify
-        -g gateway              source-routing hop point[s], up to 8
+# it under the terms of the GNU Affero General Public License as
-        -G num                  source-routing pointer: 4, 8, 12, ...
+# published by the Free Software Foundation, either version 3 of the
-        -h                      this cruft
+# License, or (at your option) any later version.
-        -i secs                 delay interval for lines sent, ports scanned
+#
-        -k                      set keepalive option on socket
+# This program is distributed in the hope that it will be useful,
-        -l                      listen mode, for inbound connects
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-        -n                      numeric-only IP addresses, no DNS
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-        -o file                 hex dump of traffic
+# GNU Affero General Public License for more details.
-        -p port                 local port number
+#
-        -r                      randomize local and remote ports
+# You should have received a copy of the GNU Affero General Public License
-        -q secs                 quit after EOF on stdin and delay of secs
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-        -s addr                 local source address
-        -T tos                  set Type Of Service
+# This script synchronizes a GVM installation with the
-        -t                      answer TELNET negotiation
+# feed data from either the Greenbone Security Feed (in
-        -u                      UDP mode
+# case a GSF access key is present) or else from the Greenbone
-        -v                      verbose [use twice to be more verbose]
+# Community Feed.
-        -w secs                 timeout for connects and final net reads
-        -C                      Send CRLF as line-ending
+log_notice () {
-        -z                      zero-I/O mode [used for scanning]
+  $LOG_CMD -p daemon.notice "$1"
-port numbers can be individual or ranges: lo-hi [inclusive];
+}
-hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
+########## SETTINGS
+########## ========
+# PRIVATE_SUBDIR defines a subdirectory of the feed data directory
+# where files not part of the feed or database will not be deleted by rsync.
+if [ -z "$PRIVATE_SUBDIR" ]
+then
+  PRIVATE_SUBDIR="private"
+fi
+# RSYNC_DELETE controls whether files which are not part of the repository will
+# be removed from the local directory after synchronization. The default value
+# for this setting is
+# "--delete --exclude feed.xml --exclude $PRIVATE_SUBDIR/",
+# which means that files which are not part of the feed, feed info or private
+# directory will be deleted.
+RSYNC_DELETE="--delete --exclude feed.xml --exclude \"$PRIVATE_SUBDIR/\""
+# RSYNC_SSH_OPTS contains options which should be passed to ssh for the rsync
+# connection to the repository.
+RSYNC_SSH_OPTS="-o \"UserKnownHostsFile=/dev/null\" -o \"StrictHostKeyChecking=no\""
+# RSYNC_COMPRESS specifies the compression level to use for the rsync connection.
+RSYNC_COMPRESS="--compress-level=9"
+# PORT controls the outgoing TCP port for updates. If PAT/Port-Translation is
+# not used, this should be "24". For some application layer firewalls or gates
+# the value 22 (Standard SSH) is useful. Only change if you know what you are
+# doing.
+PORT=24
+# SCRIPT_NAME is the name the scripts will use to identify itself and to mark
+# log messages.
+SCRIPT_NAME="greenbone-feed-sync"
+# LOG_CMD defines the command to use for logging. To have logger log to stderr
+# as well as syslog, add "-s" here.
+LOG_CMD="logger -t $SCRIPT_NAME"
+# LOCK_FILE is the name of the file used to lock the feed during sync or update.
+if [ -z "$LOCK_FILE" ]
+then
+  LOCK_FILE="@GVM_FEED_LOCK_PATH@"
+fi
+########## GLOBAL VARIABLES
+########## ================
+VERSION=@GVMD_VERSION@
+[ -r "@GVM_SYSCONF_DIR@/greenbone-feed-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-feed-sync.conf"
+if [ -z "$DROP_USER" ]; then
+  DROP_USER="@GVM_DEFAULT_DROP_USER@"
+fi
+ACCESSKEY="@GVM_ACCESS_KEY_DIR@/gsf-access-key"
+# Note when running as root or restart as $DROP_USER if defined
+if [ $(id -u) -eq 0 ]
+then
+  if [ -z "$DROP_USER" ]
+  then
+    log_notice "Running as root"
+  else
+    log_notice "Started as root, restarting as $DROP_USER"
+    su --shell /bin/sh --command "$0 $*" "$DROP_USER"
+    exit $?
+  fi
+fi
+# Determine whether a GSF access key is present. If yes,
+# then use the Greenbone Security Feed. Else use the
+# Greenbone Community Feed.
+if [ -e $ACCESSKEY ]
+then
+  RESTRICTED=1
+  if [ -z "$FEED_VENDOR" ]; then
+    FEED_VENDOR="Greenbone Networks GmbH"
+  fi
+  if [ -z "$FEED_HOME" ]; then
+    FEED_HOME="https://www.greenbone.net/en/security-feed/"
+  fi
+else
+  RESTRICTED=0
+  if [ -z "$FEED_VENDOR" ]; then
+    FEED_VENDOR="Greenbone Networks GmbH"
+  fi
+  if [ -z "$FEED_HOME" ]; then
+    FEED_HOME="https://community.greenbone.net/t/about-greenbone-community-feed-gcf/1224"
+  fi
+fi
+RSYNC=`command -v rsync`
+# Current supported feed types (for --type parameter)
+FEED_TYPES_SUPPORTED="CERT, SCAP or GVMD_DATA"
+########## FUNCTIONS
+########## =========
+log_debug () {
+  $LOG_CMD -p daemon.debug "$1"
+}
+log_info () {
+  $LOG_CMD -p daemon.info "$1"
+}
+log_warning () {
+  $LOG_CMD -p daemon.warning "$1"
+}
+log_err () {
+  $LOG_CMD -p daemon.err "$1"
+}
+init_feed_type () {
+  if [ -z "$FEED_TYPE" ]
+  then
+    echo "No feed type given to --type parameter"
+    log_err "No feed type given to --type parameter"
+    exit 1
+  elif [ "CERT" = "$FEED_TYPE" ]
+  then
+    [ -r "@GVM_SYSCONF_DIR@/greenbone-certdata-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-certdata-sync.conf"
+    FEED_TYPE_LONG="CERT data"
+    FEED_DIR="@GVM_CERT_DATA_DIR@"
+    TIMESTAMP="$FEED_DIR/timestamp"
+    SCRIPT_ID="CERTSYNC"
+    if [ -z "$COMMUNITY_CERT_RSYNC_FEED" ]; then
+      COMMUNITY_RSYNC_FEED="rsync://feed.community.greenbone.net:/cert-data"
+      # An alternative syntax which might work if the above doesn't:
+      # COMMUNITY_RSYNC_FEED="rsync@feed.community.greenbone.net::cert-data"
+    else
+      COMMUNITY_RSYNC_FEED="$COMMUNITY_CERT_RSYNC_FEED"
+    fi
+    GSF_RSYNC_PATH="/cert-data"
+    if [ -e $ACCESSKEY ]; then
+      if [ -z "$FEED_NAME" ]; then
+        FEED_NAME="Greenbone CERT Feed"
+      fi
+    else
+      if [ -z "$FEED_NAME" ]; then
+        FEED_NAME="Greenbone Community CERT Feed"
+      fi
+    fi
+  elif [ "SCAP" = "$FEED_TYPE" ]
+  then
+    [ -r "@GVM_SYSCONF_DIR@/greenbone-scapdata-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-scapdata-sync.conf"
+    FEED_TYPE_LONG="SCAP data"
+    FEED_DIR="@GVM_SCAP_DATA_DIR@"
+    TIMESTAMP="$FEED_DIR/timestamp"
+    SCRIPT_ID="SCAPSYNC"
+    if [ -z "$COMMUNITY_SCAP_RSYNC_FEED" ]; then
+      COMMUNITY_RSYNC_FEED="rsync://feed.community.greenbone.net:/scap-data"
+      # An alternative syntax which might work if the above doesn't:
+      # COMMUNITY_RSYNC_FEED="rsync@feed.community.greenbone.net::scap-data"
+    else
+      COMMUNITY_RSYNC_FEED="$COMMUNITY_SCAP_RSYNC_FEED"
+    fi
+    GSF_RSYNC_PATH="/scap-data"
+    if [ -e $ACCESSKEY ]; then
+      if [ -z "$FEED_NAME" ]; then
+        FEED_NAME="Greenbone SCAP Feed"
+      fi
+    else
+      if [ -z "$FEED_NAME" ]; then
+        FEED_NAME="Greenbone Community SCAP Feed"
+      fi
+    fi
+  elif [ "GVMD_DATA" = "$FEED_TYPE" ]
+  then
+    [ -r "@GVM_SYSCONF_DIR@/greenbone-data-objects-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-data-objects-sync.conf"
+    FEED_TYPE_LONG="gvmd Data"
+    FEED_DIR="@GVMD_FEED_DIR@"
+    TIMESTAMP="$FEED_DIR/timestamp"
+    SCRIPT_ID="GVMD_DATA_SYNC"
+    if [ -z "$COMMUNITY_GVMD_DATA_RSYNC_FEED" ]; then
+      COMMUNITY_RSYNC_FEED="rsync://feed.community.greenbone.net:/data-objects/gvmd/"
+      # An alternative syntax which might work if the above doesn't:
+      # COMMUNITY_RSYNC_FEED="rsync@feed.community.greenbone.net::data-objects/gvmd/"
+    else
+      COMMUNITY_RSYNC_FEED="$COMMUNITY_GVMD_DATA_RSYNC_FEED"
+    fi
+    GSF_RSYNC_PATH="/data-objects/gvmd/"
+    if [ -e $ACCESSKEY ]; then
+      if [ -z "$FEED_NAME" ]; then
+        FEED_NAME="Greenbone gvmd Data Feed"
+      fi
+    else
+      if [ -z "$FEED_NAME" ]; then
+        FEED_NAME="Greenbone Community gvmd Data Feed"
+      fi
+    fi
+  else
+    echo "Invalid feed type $FEED_TYPE given to --type parameter. Currently supported: $FEED_TYPES_SUPPORTED"
+    log_err "Invalid feed type $FEED_TYPE given to --type parameter. Currently supported: $FEED_TYPES_SUPPORTED"
+    exit 1
+  fi
+}
+write_feed_xml () {
+  if [ -r $TIMESTAMP ]
+  then
+    FEED_VERSION=`cat $TIMESTAMP`
+  else
+    FEED_VERSION=0
+  fi
+  mkdir -p $FEED_DIR
+  echo '<feed id="6315d194-4b6a-11e7-a570-28d24461215b">' > $FEED_DIR/feed.xml
+  echo "<type>$FEED_TYPE</type>" >> $FEED_DIR/feed.xml
+  echo "<name>$FEED_NAME</name>" >> $FEED_DIR/feed.xml
+  echo "<version>$FEED_VERSION</version>" >> $FEED_DIR/feed.xml
+  echo "<vendor>$FEED_VENDOR</vendor>" >> $FEED_DIR/feed.xml
+  echo "<home>$FEED_HOME</home>" >> $FEED_DIR/feed.xml
+  echo "<description>" >> $FEED_DIR/feed.xml
+  echo "This script synchronizes a $FEED_TYPE collection with the '$FEED_NAME'." >> $FEED_DIR/feed.xml
+  echo "The '$FEED_NAME' is provided by '$FEED_VENDOR'." >> $FEED_DIR/feed.xml
+  echo "Online information about this feed: '$FEED_HOME'." >> $FEED_DIR/feed.xml
+  echo "</description>" >> $FEED_DIR/feed.xml
+  echo "</feed>" >> $FEED_DIR/feed.xml
+}
+create_tmp_key () {
+  KEYTEMPDIR=`mktemp -d`
+  cp "$ACCESSKEY" "$KEYTEMPDIR"
+  TMPACCESSKEY="$KEYTEMPDIR/gsf-access-key"
+  chmod 400 "$TMPACCESSKEY"
+}
+remove_tmp_key () {
+  rm -rf "$KEYTEMPDIR"
+}
+set_interrupt_trap () {
+  trap "handle_interrupt $1" 2
+}
+handle_interrupt () {
+  echo "$1:X" >&3
+}
+do_describe () {
+  echo "This script synchronizes a $FEED_TYPE collection with the '$FEED_NAME'."
+  echo "The '$FEED_NAME' is provided by '$FEED_VENDOR'."
+  echo "Online information about this feed: '$FEED_HOME'."
+}
+do_feedversion () {
+  if [ -r $TIMESTAMP ]; then
+      cat $TIMESTAMP
+  fi
+}
+# This function uses gos-state-manager to get information about the settings.
+# gos-state-manager is only available on a Greenbone OS.
+# If gos-state-manager is missing the settings values can not be retrieved.
+#
+# Input: option
+# Output: value as string or empty String if gos-state-manager is not installed
+#         or option not set
+get_value ()
+{
+  value=""
+  key=$1
+  if which gos-state-manager 1>/dev/null 2>&1
+  then
+    if gos-state-manager get "$key.value" 1>/dev/null 2>&1
+    then
+      value="$(gos-state-manager get "$key.value")"
+    fi
+  fi
+  echo "$value"
+}
+is_feed_current () {
+  if [ -r $TIMESTAMP ]
+  then
+    FEED_VERSION=`cat $TIMESTAMP`
+  fi
+  if [ -z "$FEED_VERSION" ]
+  then
+    log_warning "Could not determine feed version."
+    FEED_CURRENT=0
+    return $FEED_CURRENT
+  fi
+  FEED_INFO_TEMP_DIR=`mktemp -d`
+  if [ -e $ACCESSKEY ]
+  then
+    read feeduser < $ACCESSKEY
+    custid_at_host=`head -1 $ACCESSKEY | cut -d : -f 1`
+    if [ -z "$feeduser" ] || [ -z "$custid_at_host" ]
+    then
+      log_err "Could not determine credentials, aborting synchronization."
+      rm -rf "$FEED_INFO_TEMP_DIR"
+      exit 1
+    fi
+    gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
+    syncport=$(get_value syncport)
+    if [ "$syncport" ]
+    then
+      PORT="$syncport"
+    fi
+    if [ -z "$gsmproxy" ] || [ "$gsmproxy" = "proxy_feed" ]
+    then
+      RSYNC_SSH_PROXY_CMD=""
+    else
+      if [ -e $GVM_SYSCONF_DIR/proxyauth ] && [ -r $GVM_SYSCONF_DIR/proxyauth ]; then
+        RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $GVM_SYSCONF_DIR/proxyauth\""
+      else
+        RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
+      fi
+    fi
+    create_tmp_key
+    rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TMPACCESSKEY" -ltvrP --chmod=D+x $RSYNC_DELETE $RSYNC_COMPRESS $custid_at_host:$GSF_RSYNC_PATH/timestamp "$FEED_INFO_TEMP_DIR"
+    if [ $? -ne 0 ]
+    then
+      log_err "rsync failed, aborting synchronization."
+      rm -rf "$FEED_INFO_TEMP_DIR"
+      remove_tmp_key
+      exit 1
+    fi
+    remove_tmp_key
+  else
+    # Sleep for five seconds (a previous feed might have been synced a few seconds before) to prevent
+    # IP blocking due to network equipment in between keeping the previous connection too long open.
+    sleep 5
+    log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
+    eval "$RSYNC -ltvrP \"$COMMUNITY_RSYNC_FEED/timestamp\" \"$FEED_INFO_TEMP_DIR\""
+    if [ $? -ne 0 ]
+    then
+      log_err "rsync failed, aborting synchronization."
+      rm -rf "$FEED_INFO_TEMP_DIR"
+      exit 1
+    fi
+  fi
+  FEED_VERSION_SERVER=`cat "$FEED_INFO_TEMP_DIR/timestamp"`
+  if [ -z "$FEED_VERSION_SERVER" ]
+  then
+    log_err "Could not determine server feed version."
+    rm -rf "$FEED_INFO_TEMP_DIR"
+    exit 1
+  fi
+  # Check against FEED_VERSION
+  if [ $FEED_VERSION -lt $FEED_VERSION_SERVER ]; then
+    FEED_CURRENT=0
+  else
+    FEED_CURRENT=1
+  fi
+  # Cleanup
+  rm -rf "$FEED_INFO_TEMP_DIR"
+  return $FEED_CURRENT
+}
+do_help () {
+  echo "$0: Sync feed data"
+  if [ -e $ACCESSKEY ]
+  then
+    echo "GSF access key found: Using Greenbone Security Feed"
+  else
+    echo "No GSF access key found: Using Community Feed"
+  fi
+  echo " --describe      display current feed info"
+  echo " --feedversion   display version of this feed"
+  echo " --help          display this help"
+  echo " --identify      display information"
+  echo " --selftest      perform self-test"
+  echo " --type <TYPE>   choose type of data to sync ($FEED_TYPES_SUPPORTED)"
+  echo " --version       display version"
+  echo ""
+  exit 0
+}
+do_rsync_community_feed () {
+  if [ -z "$RSYNC" ]; then
+    log_err "rsync not found!"
+  else
+    # Sleep for five seconds (after is_feed_current) to prevent IP blocking due to
+    # network equipment in between keeping the previous connection too long open.
+    sleep 5
+    log_notice "Using rsync: $RSYNC"
+    log_notice "Configured $FEED_TYPE_LONG rsync feed: $COMMUNITY_RSYNC_FEED"
+    mkdir -p "$FEED_DIR"
+    eval "$RSYNC -ltvrP $RSYNC_DELETE \"$COMMUNITY_RSYNC_FEED\" \"$FEED_DIR\""
+    if [ $? -ne 0 ]; then
+      log_err "rsync failed. Your $FEED_TYPE_LONG might be broken now."
+      exit 1
+    fi
+  fi
+}
+do_sync_community_feed () {
+  if [ -z "$RSYNC" ]; then
+    log_err "rsync not found!"
+    log_err "No utility available in PATH environment variable to download Feed data"
+    exit 1
+  else
+    log_notice "Will use rsync"
+    do_rsync_community_feed
+  fi
+}
+sync_feed_data(){
+  if [ -e $ACCESSKEY ]
+  then
+    log_notice "Found Greenbone Security Feed subscription file, trying to synchronize with Greenbone $FEED_TYPE_LONG Repository ..."
+    notsynced=1
+    mkdir -p "$FEED_DIR"
+    read feeduser < $ACCESSKEY
+    custid_at_host=`head -1 $ACCESSKEY | cut -d : -f 1`
+    if [ -z "$feeduser" ] || [ -z "$custid_at_host" ]
+    then
+      log_err "Could not determine credentials, aborting synchronization."
+      exit 1
+    fi
+    while [ 0 -ne "$notsynced" ]
+    do
+      gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
+      syncport=$(get_value syncport)
+      if [ "$syncport" ]
+      then
+        PORT="$syncport"
+      fi
+      if [ -z "$gsmproxy" ] || [ "$gsmproxy" = "proxy_feed" ]
+      then
+        RSYNC_SSH_PROXY_CMD=""
+      else
+        if [ -e $GVM_SYSCONF_DIR/proxyauth ] && [ -r $GVM_SYSCONF_DIR/proxyauth ]; then
+          RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $GVM_SYSCONF_DIR/proxyauth\""
+        else
+          RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
+        fi
+      fi
+      create_tmp_key
+      rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $ACCESSKEY" -ltvrP --chmod=D+x $RSYNC_DELETE $RSYNC_COMPRESS $custid_at_host:$GSF_RSYNC_PATH/ $FEED_DIR
+      if [ 0 -ne "$?" ]; then
+        log_err "rsync failed, aborting synchronization."
+        remove_tmp_key
+        exit 1
+      fi
+      remove_tmp_key
+      notsynced=0
+    done
+    log_notice "Synchronization with the Greenbone $FEED_TYPE_LONG Repository successful."
+  else
+    log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
+    do_sync_community_feed
+  fi
+  write_feed_xml
+}
+do_self_test () {
+  if [ -z "$SELFTEST_STDERR" ]
+  then
+    SELFTEST_STDERR=0
+  fi
+  if [ -z "$RSYNC" ]
+  then
+    if [ 0 -ne $SELFTEST_STDERR ]
+    then
+      echo "rsync not found (required)." 1>&2
+    fi
+    log_err "rsync not found (required)."
+    SELFTEST_FAIL=1
+  fi
+}
+########## START
+########## =====
+while test $# -gt 0; do
+  case "$1" in
+    "--version"|"--identify"|"--describe"|"--feedversion"|"--selftest"|"--feedcurrent")
+      if [ -z "$ACTION" ]; then
+        ACTION="$1"
+      fi
+      ;;
+    "--help")
+      do_help
+      exit 0
+      ;;
+    "--type")
+      FEED_TYPE=$(echo "$2" | tr '[:lower:]-' '[:upper:]_')
+      shift
+      ;;
+  esac
+  shift
+done
+init_feed_type
+write_feed_xml
+case "$ACTION" in
+  --version)
+    echo $VERSION
+    exit 0
+    ;;
+  --identify)
+    echo "$SCRIPT_ID|$SCRIPT_NAME|$VERSION|$FEED_NAME|$RESTRICTED|$SCRIPT_ID"
+    exit 0
+    ;;
+  --describe)
+    do_describe
+    exit 0
+    ;;
+  --feedversion)
+    do_feedversion
+    exit 0
+    ;;
+  --selftest)
+    SELFTEST_FAIL=0
+    SELFTEST_STDERR=1
+    do_self_test
+    exit $SELFTEST_FAIL
+    ;;
+  --feedcurrent)
+    is_feed_current
+    exit $?
+    ;;
+esac
+SELFTEST_FAIL=0
+do_self_test
+if [ $SELFTEST_FAIL -ne 0 ]
+then
+  exit 1
+fi
+is_feed_current
+if [ $FEED_CURRENT -eq 1 ]
+then
+  log_notice "Feed is already current, skipping synchronization."
+  exit 0
+fi
+(
+  chmod +660 $LOCK_FILE
+  flock -n 9
+  if [ $? -eq 1 ]; then
+    log_notice "Sync in progress, exiting."
+    exit 1
+  fi
+  date > $LOCK_FILE
+  sync_feed_data
+  echo -n > $LOCK_FILE
+) 9>>$LOCK_FILE
+exit 0
 </code>
-=====Les Contre-Mesures=====
+Rendez le script exécutable :
-Les contre-mesures incluent l'utilisation d'un **S**ystème de **D**étection d'**I**ntrusion (**SDI** - **N**etwork **I**ntrusion **D**etection **S**ystem ou NIDS en anglais), par exemple **Snort** ou un **S**ystème de **D**étection et de **Prévention** d'**I**ntrusion, par exemple **portsentry**.
+<code>
+[root@centos7 ~]# chmod +x greenbone-feed-sync
+</code>
-====LAB #2 - Mise en place du Système de Détection d'Intrusion Snort====
+Déplacez le script vers **/usr/sbin/** :
-Snort est un **S**ystème de **D**étection d'**I**ntrusion (SDI) qui surveille les requêtes entrantes, vous avertit en cas d'anomalie et enregistre les traces de toute tentative d'intrusion.
+<code>
+[root@centos7 ~]# mv greenbone-feed-sync /usr/sbin/
+</code>
-=== Installation ===
+Créez le répertoire **/var/lib/openvas/scap-data/** :
-Sous Debian 12, **snort** n'est pas installé par défaut. Qui plus est **snort** ne se trouve pas dans les dépôts standards.
+<code>
+[root@centos7 ~]# mkdir /var/lib/openvas/scap-data/
+</code>
-Commencez donc par installer les dépendances de snort à partir des dépôts standards :
+Devenez l'utilisateur trainee et mettez à jour les modules d'extensions de OpenVAS :
 <code>
-root@debian12:~# apt-get install -y build-essential libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev libssl-dev libluajit-5.1-dev pkg-config libhwloc-dev cmake libpcap-dev libdaq-dev libnetfilter-queue-dev libmnl-dev libnghttp2-dev autoconf libtool cmake git
+[root@centos7 ~]# su - trainee
+Last login: Mon Dec  1 17:30:45 CET 2025 on pts/0
+[trainee@centos7 ~]$ touch /var/lib/openvas/scap-data/scap.db
+[trainee@centos7 ~]$ greenbone-feed-sync --type SCAP
+Greenbone community feed server - http://feed.community.greenbone.net/
+This service is hosted by Greenbone Networks - http://www.greenbone.net/
+All transactions are logged.
+If you have any questions, please use the Greenbone community portal.
+See https://community.greenbone.net for details.
+By using this service you agree to our terms and conditions.
+Only one sync per time, otherwise the source ip will be temporarily blocked.
+receiving incremental file list
+timestamp
+100%   12.70kB/s    0:00:00 (xfr#1, to-chk=0/1)
+sent 43 bytes  received 108 bytes  100.67 bytes/sec
+total size is 13  speedup is 0.09
+Greenbone community feed server - http://feed.community.greenbone.net/
+This service is hosted by Greenbone Networks - http://www.greenbone.net/
+All transactions are logged.
+If you have any questions, please use the Greenbone community portal.
+See https://community.greenbone.net for details.
+By using this service you agree to our terms and conditions.
+Only one sync per time, otherwise the source ip will be temporarily blocked.
+receiving incremental file list
+./
+COPYING
+,187 100%    1.13MB/s    0:00:00 (xfr#1, to-chk=26/28)
+nvdcve-2.0-2002.xml
+,533,351 100%   62.30MB/s    0:00:00 (xfr#2, to-chk=25/28)
+nvdcve-2.0-2003.xml
+,744,330 100%   13.55MB/s    0:00:00 (xfr#3, to-chk=24/28)
+nvdcve-2.0-2004.xml
+,416,639 100%   24.47MB/s    0:00:00 (xfr#4, to-chk=23/28)
+nvdcve-2.0-2005.xml
+,701,047 100%   23.22MB/s    0:00:00 (xfr#5, to-chk=22/28)
+nvdcve-2.0-2006.xml
+,320,892 100%   28.82MB/s    0:00:00 (xfr#6, to-chk=21/28)
+nvdcve-2.0-2007.xml
+,567,434 100%   22.08MB/s    0:00:01 (xfr#7, to-chk=20/28)
+nvdcve-2.0-2008.xml
+,775,037 100%   37.41MB/s    0:00:00 (xfr#8, to-chk=19/28)
+nvdcve-2.0-2009.xml
+,996,918 100%   17.06MB/s    0:00:01 (xfr#9, to-chk=18/28)
+nvdcve-2.0-2010.xml
+,684,286 100%   65.87MB/s    0:00:00 (xfr#10, to-chk=17/28)
+nvdcve-2.0-2011.xml
+,905,485 100%   51.13MB/s    0:00:01 (xfr#11, to-chk=16/28)
+nvdcve-2.0-2012.xml
+,859,075 100%  152.18MB/s    0:00:00 (xfr#12, to-chk=15/28)
+nvdcve-2.0-2013.xml
+,064,147 100%   48.94MB/s    0:00:01 (xfr#13, to-chk=14/28)
+nvdcve-2.0-2014.xml
+,694,839 100%   48.34MB/s    0:00:01 (xfr#14, to-chk=13/28)
+nvdcve-2.0-2015.xml
+,671,234 100%  227.33MB/s    0:00:00 (xfr#15, to-chk=12/28)
+nvdcve-2.0-2016.xml
+,692,009 100%  172.29MB/s    0:00:00 (xfr#16, to-chk=11/28)
+nvdcve-2.0-2017.xml
+,948,654 100%  141.52MB/s    0:00:01 (xfr#17, to-chk=10/28)
+nvdcve-2.0-2018.xml
+,761,959 100%  156.30MB/s    0:00:01 (xfr#18, to-chk=9/28)
+nvdcve-2.0-2019.xml
+,685,784 100%  172.95MB/s    0:00:01 (xfr#19, to-chk=8/28)
+nvdcve-2.0-2020.xml
+,835,369 100%  134.53MB/s    0:00:02 (xfr#20, to-chk=7/28)
+nvdcve-2.0-2021.xml
+,673,740 100%  155.72MB/s    0:00:02 (xfr#21, to-chk=6/28)
+nvdcve-2.0-2022.xml
+,192,055 100%  111.53MB/s    0:00:06 (xfr#22, to-chk=5/28)
+nvdcve-2.0-2023.xml
+,785,077 100%   67.83MB/s    0:00:08 (xfr#23, to-chk=4/28)
+nvdcve-2.0-2024.xml
+,757,332 100%   73.89MB/s    0:00:11 (xfr#24, to-chk=3/28)
+nvdcve-2.0-2025.xml
+,360,705 100%  127.96MB/s    0:00:03 (xfr#25, to-chk=2/28)
+official-cpe-dictionary_v2.2.xml
+,852,577 100%  251.59MB/s    0:00:02 (xfr#26, to-chk=1/28)
+timestamp
+100%   12.70kB/s    0:00:00 (xfr#27, to-chk=0/28)
+sent 2,186,887 bytes  received 11,127,079 bytes  117,303.67 bytes/sec
+total size is 5,773,481,175  speedup is 433.64
+[trainee@centos7 ~]$ greenbone-scapdata-sync
+[trainee@centos7 ~]$ exit
 </code>
+<WRAP center round important 50%>
+**Important** - En cas d'erreur, relancez simplement la commande.
+</WRAP>
+Exécutez de nouveau la commande **openvas-check-setup** :
 <code>
-root@debian12:~# mkdir ~/prce2_src && cd ~/prce2_src
+[root@centos7 ~]# openvas-check-setup
+...
+Step 2: Checking OpenVAS Manager ...
+        OK: OpenVAS Manager is present in version 6.0.9.
+        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
+        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
+        OK: Access rights for the OpenVAS Manager database are correct.
+        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
+        OK: OpenVAS Manager database is at revision 146.
+        OK: OpenVAS Manager expects database at revision 146.
+        OK: Database schema is up to date.
+        OK: OpenVAS Manager database contains information about 45654 NVTs.
+        OK: At least one user exists.
+        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
+        ERROR: No OpenVAS CERT database found. (Tried: /var/lib/openvas/cert-data/cert.db)
+        FIX: Run a CERT synchronization script like openvas-certdata-sync or greenbone-certdata-sync.
-root@debian12:~/prce2_src# git clone https://github.com/PCRE2Project/pcre2.git
+ ERROR: Your OpenVAS-8 installation is not yet complete!
-Cloning into 'pcre2'...
+...
-remote: Enumerating objects: 21776, done.
+</code>
-remote: Counting objects: 100% (253/253), done.
-remote: Compressing objects: 100% (151/151), done.
-remote: Total 21776 (delta 165), reused 125 (delta 102), pack-reused 21523 (from 3)
-Receiving objects: 100% (21776/21776), 20.79 MiB | 24.50 MiB/s, done.
-Resolving deltas: 100% (18190/18190), done.
+<WRAP center round important 50%>
+**Important** - Notez l'erreur **ERROR: No OpenVAS CERT database found. (Tried: /var/lib/openvas/cert-data/cert.db).**
+</WRAP>
+Créez le fichier **/var/lib/openvas/cert-data/cert.db** :
+<code>
+[root@centos7 ~]# touch /var/lib/openvas/cert-data/cert.db
 </code>
-Téléchargez et désarchivez**snort** :
+Exécutez la commande **openvas-certdata-sync** :
 <code>
-root@debian12:~# mkdir ~/snort_src && cd ~/snort_src
+[root@centos7 ~]# openvas-certdata-sync
+</code>
-root@debian12:~/snort_src# git clone https://github.com/snort3/snort3.git
+Exécutez encore une fois la commande **openvas-check-setup** :
-Cloning into 'snort3'...
-remote: Enumerating objects: 123479, done.
+<code>
-remote: Counting objects: 100% (12563/12563), done.
+[root@centos7 ~]# openvas-check-setup
-remote: Compressing objects: 100% (1891/1891), done.
+openvas-check-setup 2.3.3
-remote: Total 123479 (delta 11060), reused 10812 (delta 10672), pack-reused 110916 (from 5)
+  Test completeness and readiness of OpenVAS-8
-Receiving objects: 100% (123479/123479), 91.19 MiB | 28.36 MiB/s, done.
+  (add '--v6' or '--v7' or '--v9'
-Resolving deltas: 100% (104741/104741), done.
+   if you want to check for another OpenVAS version)
+  Please report us any non-detected problems and
+  help us to improve this check routine:
+  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
+  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
+  Use the parameter --server to skip checks for client tools
+  like GSD and OpenVAS-CLI.
+Step 1: Checking OpenVAS Scanner ...
+        OK: OpenVAS Scanner is present in version 5.0.6.
+        OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
+        OK: redis-server is present in version v=3.2.12.
+        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
+        OK: redis-server is running and listening on socket: /tmp/redis.sock.
+        OK: redis-server configuration is OK and redis-server is running.
+        OK: NVT collection in /var/lib/openvas/plugins contains 138097 NVTs.
+        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
+        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
+        OK: The NVT cache in /var/cache/openvas contains 138097 files for 138097 NVTs.
+Step 2: Checking OpenVAS Manager ...
+        OK: OpenVAS Manager is present in version 6.0.9.
+        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
+        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
+        OK: Access rights for the OpenVAS Manager database are correct.
+        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
+        OK: OpenVAS Manager database is at revision 146.
+        OK: OpenVAS Manager expects database at revision 146.
+        OK: Database schema is up to date.
+        OK: OpenVAS Manager database contains information about 138097 NVTs.
+        OK: At least one user exists.
+        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
+        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
+        OK: xsltproc found.
+Step 3: Checking user configuration ...
+        WARNING: Your password policy is empty.
+        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
+Step 4: Checking Greenbone Security Assistant (GSA) ...
+        OK: Greenbone Security Assistant is present in version 6.0.11.
+Step 5: Checking OpenVAS CLI ...
+        OK: OpenVAS CLI version 1.4.4.
+Step 6: Checking Greenbone Security Desktop (GSD) ...
+        SKIP: Skipping check for Greenbone Security Desktop.
+Step 7: Checking if OpenVAS services are up and running ...
+        OK: netstat found, extended checks of the OpenVAS services enabled.
+        OK: OpenVAS Scanner is running and listening on all interfaces.
+        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
+        ERROR: OpenVAS Manager is NOT running!
+        FIX: Start OpenVAS Manager (openvasmd).
+        ERROR: Greenbone Security Assistant is NOT running!
+        FIX: Start Greenbone Security Assistant (gsad).
+ ERROR: Your OpenVAS-8 installation is not yet complete!
+Please follow the instructions marked with FIX above and run this
+script again.
+If you think this result is wrong, please report your observation
+and help us to improve this check routine:
+http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
+Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
 </code>
-Créez un lien symbolique pour la bibliothèque partagée **/usr/lib64/libdnet.1** :
+<WRAP center round important 50%>
+**Important** - Notez l'erreur **ERROR: Greenbone Security Assistant is NOT running!.**
+</WRAP>
+Activer et démarrer OpenVAS Manager :
 <code>
-[root@centos7 ~]# ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1
+[root@centos7 ~]# systemctl enable openvas-manager
+Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-manager.service to /usr/lib/systemd/system/openvas-manager.service.
+[root@centos7 ~]# systemctl start openvas-manager
+[root@centos7 ~]# systemctl status openvas-manager
+● openvas-manager.service - OpenVAS Manager
+   Loaded: loaded (/usr/lib/systemd/system/openvas-manager.service; enabled; vendor preset: disabled)
+   Active: active (running) since Tue 2025-12-02 11:51:41 CET; 10s ago
+  Process: 12237 ExecStart=/usr/sbin/openvasmd $MANAGER_LISTEN $MANAGER_PORT $SCANNER_LISTEN $SCANNER_PORT $MANAGER_OTP (code=exited, status=0/SUCCESS)
+ Main PID: 12238 (openvasmd)
+   CGroup: /system.slice/openvas-manager.service
+           └─12238 openvasmd
+Dec 02 11:51:41 centos7.fenestros.loc systemd[1]: Starting OpenVAS Manager...
+Dec 02 11:51:41 centos7.fenestros.loc systemd[1]: Started OpenVAS Manager.
 </code>
-Dernièrement, modifiez les permissions sur le répertoire **/var/log/snort** :
+Activer et démarrer le Greenbone Security Assistant :
 <code>
-[root@centos7 ~]# chmod ug+x /var/log/snort
+[root@centos7 ~]# systemctl enable openvas-gsa
+Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-gsa.service to /usr/lib/systemd/system/openvas-gsa.service.
+[root@centos7 ~]# systemctl start openvas-gsa
+[root@centos7 ~]# systemctl status openvas-gsa
+● openvas-gsa.service - OpenVAS Greenbone Security Assistant
+   Loaded: loaded (/usr/lib/systemd/system/openvas-gsa.service; enabled; vendor preset: disabled)
+   Active: active (running) since Tue 2025-12-02 11:53:08 CET; 1s ago
+  Process: 12948 ExecStart=/usr/sbin/gsad $GSA_LISTEN $GSA_PORT $MANAGER_LISTEN $MANAGER_PORT $GNUTLSSTRING (code=exited, status=0/SUCCESS)
+ Main PID: 12949 (gsad)
+   CGroup: /system.slice/openvas-gsa.service
+           ├─12949 /usr/sbin/gsad --port=9443 --mlisten=127.0.0.1 --mport=9390 --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
+           └─12950 /usr/sbin/gsad --port=9443 --mlisten=127.0.0.1 --mport=9390 --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
+Dec 02 11:53:08 centos7.fenestros.loc systemd[1]: Starting OpenVAS Greenbone Security Assistant...
+Dec 02 11:53:08 centos7.fenestros.loc systemd[1]: Started OpenVAS Greenbone Security Assistant.
 </code>
-==Options de la commande==
+Exécutez encore une fois la commande **openvas-check-setup** :
-Les options de cette commande sont :
+<code>
+[root@centos7 ~]# openvas-check-setup
+openvas-check-setup 2.3.3
+  Test completeness and readiness of OpenVAS-8
+  (add '--v6' or '--v7' or '--v9'
+   if you want to check for another OpenVAS version)
+  Please report us any non-detected problems and
+  help us to improve this check routine:
+  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
+  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
+  Use the parameter --server to skip checks for client tools
+  like GSD and OpenVAS-CLI.
+Step 1: Checking OpenVAS Scanner ...
+        OK: OpenVAS Scanner is present in version 5.0.6.
+        OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
+        OK: redis-server is present in version v=3.2.12.
+        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
+        OK: redis-server is running and listening on socket: /tmp/redis.sock.
+        OK: redis-server configuration is OK and redis-server is running.
+        OK: NVT collection in /var/lib/openvas/plugins contains 138097 NVTs.
+        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
+        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
+        OK: The NVT cache in /var/cache/openvas contains 138097 files for 138097 NVTs.
+Step 2: Checking OpenVAS Manager ...
+        OK: OpenVAS Manager is present in version 6.0.9.
+        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
+        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
+        OK: Access rights for the OpenVAS Manager database are correct.
+        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
+        OK: OpenVAS Manager database is at revision 146.
+        OK: OpenVAS Manager expects database at revision 146.
+        OK: Database schema is up to date.
+        OK: OpenVAS Manager database contains information about 138097 NVTs.
+        OK: At least one user exists.
+        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
+        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
+        OK: xsltproc found.
+Step 3: Checking user configuration ...
+        WARNING: Your password policy is empty.
+        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
+Step 4: Checking Greenbone Security Assistant (GSA) ...
+        OK: Greenbone Security Assistant is present in version 6.0.11.
+Step 5: Checking OpenVAS CLI ...
+        OK: OpenVAS CLI version 1.4.4.
+Step 6: Checking Greenbone Security Desktop (GSD) ...
+        SKIP: Skipping check for Greenbone Security Desktop.
+Step 7: Checking if OpenVAS services are up and running ...
+        OK: netstat found, extended checks of the OpenVAS services enabled.
+        OK: OpenVAS Scanner is running and listening on all interfaces.
+        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
+        OK: OpenVAS Manager is running and listening on all interfaces.
+        OK: OpenVAS Manager is listening on port 9390, which is the default port.
+        OK: Greenbone Security Assistant is listening on port 80, which is the default port.
+Step 8: Checking nmap installation ...
+        WARNING: No nmap installation found.
+        SUGGEST: You should install nmap for comprehensive network scanning (see http://nmap.org)
+Step 10: Checking presence of optional tools ...
+        WARNING: Could not find pdflatex binary, the PDF report format will not work.
+        SUGGEST: Install pdflatex.
+        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
+        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
+        WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work.
+        SUGGEST: Install alien.
+        WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
+        SUGGEST: Install nsis.
+        OK: SELinux is disabled.
+It seems like your OpenVAS-8 installation is OK.
+If you think it is not OK, please report your observation
+and help us to improve this check routine:
+http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
+Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
+</code>
+<WRAP center round important 50%>
+**Important** - Notez les WARNINGS.
+</WRAP>
+Installez les paquets suggérés :
 <code>
-[root@centos7 ~]# snort --help
+[root@centos7 ~]# yum install nmap texlive-latex-bin-bin alien -y
+</code>
-   ,,_     -*> Snort! <*-
+Exécutez de nouveau la commande **openvas-check-setup** :
-  o"  )~   Version 2.9.11.1 GRE (Build 268)
-   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
-           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
-           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
-           Using libpcap version 1.5.3
-           Using PCRE version: 8.32 2012-11-30
-           Using ZLIB version: 1.2.7
-USAGE: snort [-options] <filter options>
+<code>
-Options:
+[root@centos7 ~]# openvas-check-setup
-        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
+...
-                   "unsock" enables UNIX socket logging (experimental).
+Step 10: Checking presence of optional tools ...
-        -b         Log packets in tcpdump format (much faster!)
+        OK: pdflatex found.
-        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
+        WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
-        -c <rules> Use Rules File <rules>
+        SUGGEST: Install required LaTeX packages.
-        -C         Print out payloads with character data only (no hex)
+        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
-        -d         Dump the Application Layer
+        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
-        -D         Run Snort in background (daemon) mode
+        OK: alien found, LSC credential package generation for DEB based targets is likely to work.
-        -e         Display the second layer header info
+        WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
-        -f         Turn off fflush() calls after binary log writes
+        SUGGEST: Install nsis.
-        -F <bpf>   Read BPF filters from file <bpf>
+        OK: SELinux is disabled.
-        -g <gname> Run snort gid as <gname> group (or gid) after initialization
-        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
-        -h <hn>    Set home network = <hn>
-                   (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
-        -H         Make hash tables deterministic.
-        -i <if>    Listen on interface <if>
-        -I         Add Interface name to alert output
-        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
-        -K <mode>  Logging mode (pcap[default],ascii,none)
-        -l <ld>    Log to directory <ld>
-        -L <file>  Log to this tcpdump file
-        -M         Log messages to syslog (not alerts)
-        -m <umask> Set umask = <umask>
-        -n <cnt>   Exit after receiving <cnt> packets
-        -N         Turn off logging (alerts still work)
-        -O         Obfuscate the logged IP addresses
-        -p         Disable promiscuous mode sniffing
-        -P <snap>  Set explicit snaplen of packet (default: 1514)
-        -q         Quiet. Don't show banner and status report
-        -Q         Enable inline mode operation.
-        -r <tf>    Read and process tcpdump file <tf>
-        -R <id>    Include 'id' in snort_intf<id>.pid file name
-        -s         Log alert messages to syslog
-        -S <n=v>   Set rules file variable n equal to value v
-        -t <dir>   Chroots process to <dir> after initialization
-        -T         Test and report on the current Snort configuration
-        -u <uname> Run snort uid as <uname> user (or uid) after initialization
-        -U         Use UTC for timestamps
-        -v         Be verbose
-        -V         Show version number
-        -X         Dump the raw packet data starting at the link layer
-        -x         Exit if Snort configuration problems occur
-        -y         Include year in timestamp in the alert and log files
-        -Z <file>  Set the performonitor preprocessor file path and name
-        -?         Show this information
-<Filter Options> are standard BPF options, as seen in TCPDump
-Longname options and their corresponding single char version
-   --logid <0xid>                  Same as -G
-   --perfmon-file <file>           Same as -Z
-   --pid-path <dir>                Specify the directory for the Snort PID file
-   --snaplen <snap>                Same as -P
-   --help                          Same as -?
-   --version                       Same as -V
-   --alert-before-pass             Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
-   --treat-drop-as-alert           Converts drop, sdrop, and reject rules into alert rules during startup
-   --treat-drop-as-ignore          Use drop, sdrop, and reject rules to ignore session traffic when not inline.
-   --process-all-events            Process all queued events (drop, alert,...), default stops after 1st action group
-   --enable-inline-test            Enable Inline-Test Mode Operation
-   --dynamic-engine-lib <file>     Load a dynamic detection engine
-   --dynamic-engine-lib-dir <path> Load all dynamic engines from directory
-   --dynamic-detection-lib <file>  Load a dynamic rules library
-   --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
-   --dump-dynamic-rules <path>     Creates stub rule files of all loaded rules libraries
-   --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library
-   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
-   --dynamic-output-lib <file>  Load a dynamic output library
-   --dynamic-output-lib-dir <path> Load all dynamic output libraries from directory
-   --create-pidfile                Create PID file, even when not in Daemon mode
-   --nolock-pidfile                Do not try to lock Snort PID file
-   --no-interface-pidfile          Do not include the interface name in Snort PID file
-   --disable-attribute-reload-thread Do not create a thread to reload the attribute table
-   --pcap-single <tf>              Same as -r.
-   --pcap-file <file>              file that contains a list of pcaps to read - read mode is implied.
-   --pcap-list "<list>"            a space separated list of pcaps to read - read mode is implied.
-   --pcap-dir <dir>                a directory to recurse to look for pcaps - read mode is implied.
-   --pcap-filter <filter>          filter to apply when getting pcaps from file or directory.
-   --pcap-no-filter                reset to use no filter when getting pcaps from file or directory.
-   --pcap-loop <count>             this option will read the pcaps specified on command line continuously.
-                                   for <count> times.  A value of 0 will read until Snort is terminated.
-   --pcap-reset                    if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
-   --pcap-reload                   if reading multiple pcaps, reload snort config between pcaps.
-   --pcap-show                     print a line saying what pcap is currently being read.
-   --exit-check <count>            Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
-                                   takes from signaling until DAQ_Stop() is called.
-   --conf-error-out                Same as -x
-   --enable-mpls-multicast         Allow multicast MPLS
-   --enable-mpls-overlapping-ip    Handle overlapping IPs within MPLS clouds
-   --max-mpls-labelchain-len       Specify the max MPLS label chain
-   --mpls-payload-type             Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
-   --require-rule-sid              Require that all snort rules have SID specified.
-   --daq <type>                    Select packet acquisition module (default is pcap).
-   --daq-mode <mode>               Select the DAQ operating mode.
-   --daq-var <name=value>          Specify extra DAQ configuration variable.
-   --daq-dir <dir>                 Tell snort where to find desired DAQ.
-   --daq-list[=<dir>]              List packet acquisition modules available in dir.  Default is static modules only.
-   --dirty-pig                     Don't flush packets and release memory on shutdown.
-   --cs-dir <dir>                  Directory to use for control socket.
-   --ha-peer                       Activate live high-availability state sharing with peer.
-   --ha-out <file>                 Write high-availability events to this file.
-   --ha-in <file>                  Read high-availability events from this file on startup (warm-start).
-   --suppress-config-log           Suppress configuration information output.
+It seems like your OpenVAS-8 installation is OK.
+...
 </code>
-===Configuration de Snort===
+<WRAP center round important 50%>
+**Important** - Notez la ligne **WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.**
+</WRAP>
-Snort a besoin de règles pour fonctionner correctement. Ces règles sont disponibles sous trois formes différentes :
+Pour pouvoir utiliser les rapports au format PDF, installez les paquets suivants :
-  * **Community** - règles de base disponibles à tout le monde,
+<code>
-  * **Registered** - règles disponibles à toute personne possédant un compte gratuit sur le site **[[http://www.snort.org]]**,
+[root@centos7 ~]# yum -y install texlive-collection-fontsrecommended texlive-collection-latexrecommended texlive-changepage texlive-titlesec -y
-  * **Subscription** - règles les plus efficaces disponibles uniquement aux utilisateurs enregistrés **et** abonnés à un plan payant.
+</code>
-Le répertoire rules est donc vide lors de l'installation de Snort :
+Téléchargez ensuite le fichier **comment.sty** vers le répertoire **/usr/share/texlive/texmf-local/tex/latex/comment** et exécutez la commande **texhash** :
 <code>
-[root@centos7 ~]# ls /etc/snort/rules/
+[root@centos7 ~]# mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment
-[root@centos7 ~]#
+[root@centos7 ~]# cd /usr/share/texlive/texmf-local/tex/latex/comment
+[root@centos7 comment]# wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
+--2025-12-02 13:35:43--  http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
+Resolving mirrors.ctan.org (mirrors.ctan.org)... 89.58.7.101, 2a03:4000:5e:d33::1
+Connecting to mirrors.ctan.org (mirrors.ctan.org)|89.58.7.101|:80... connected.
+HTTP request sent, awaiting response... 307 Temporary Redirect
+Location: https://mirror.its.dal.ca/ctan/macros/latex/contrib/comment/comment.sty [following]
+--2025-12-02 13:35:43--  https://mirror.its.dal.ca/ctan/macros/latex/contrib/comment/comment.sty
+Resolving mirror.its.dal.ca (mirror.its.dal.ca)... 192.75.96.254
+Connecting to mirror.its.dal.ca (mirror.its.dal.ca)|192.75.96.254|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 10197 (10.0K) [application/octet-stream]
+Saving to: ‘comment.sty’
+%[========================================================================================================================================================================>] 10,197      --.-K/s   in 0s
+-12-02 13:35:43 (175 MB/s) - ‘comment.sty’ saved [10197/10197]
+[root@centos7 comment]# chmod 644 comment.sty
+[root@centos7 comment]# texhash
+texhash: Updating /usr/share/texlive/texmf/ls-R...
+texhash: Updating /usr/share/texlive/texmf-config/ls-R...
+texhash: Updating /usr/share/texlive/texmf-dist/ls-R...
+texhash: Updating /usr/share/texlive/texmf-local///ls-R...
+texhash: Updating /usr/share/texlive/texmf-var/ls-R...
+texhash: Done
 </code>
-Téléchargez les règles **Registered** grâce au lien suivant contenant un **oinkcode** :
+Exécutez une dernière fois la commande **openvas-check-setup** :
 <code>
-[root@centos7 ~]# wget https://www.dropbox.com/scl/fi/dkmuxq9j0ftahp4c3rf5p/registered.tar.gz?rlkey=mvs3qdu1kxfz9zs5mt5zy1niz&st=n90pywc2
+[root@centos7 comment]# openvas-check-setup
+...
+Step 10: Checking presence of optional tools ...
+        OK: pdflatex found.
+        OK: PDF generation successful. The PDF report format is likely to work.
+        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
+        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
+        OK: alien found, LSC credential package generation for DEB based targets is likely to work.
+        WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
+        SUGGEST: Install nsis.
+        OK: SELinux is disabled.
+It seems like your OpenVAS-8 installation is OK.
+...
 </code>
-Ensuite, saisissez les commandes suivantes :
+<WRAP center round important 50%>
+**Important** - Notez la ligne **WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.**
+</WRAP>
+Téléchargez et installez le fichier **mingw32-nsis-3.01-1.el7.x86_64.rpm** :
 <code>
-[root@centos7 ~]# tar -xvf ~/registered.tar.gz -C /etc/snort
+[root@centos7 ~]# cd ~
-[root@centos7 ~]# ls /etc/snort/rules
-app-detect.rules        file-image.rules             netbios.rules            protocol-other.rules     server-samba.rules
+[root@centos7 ~]# wget ftp://ftp.icm.edu.pl/vol/rzm1/linux-oracle-repo/OracleLinux/OL7/developer_EPEL/x86_64/mingw32-nsis-3.01-1.el7.x86_64.rpm
-attack-responses.rules  file-java.rules              nntp.rules               protocol-pop.rules       server-webapp.rules
+--2025-12-02 13:46:26--  ftp://ftp.icm.edu.pl/vol/rzm1/linux-oracle-repo/OracleLinux/OL7/developer_EPEL/x86_64/mingw32-nsis-3.01-1.el7.x86_64.rpm
-backdoor.rules          file-multimedia.rules        oracle.rules             protocol-rpc.rules       shellcode.rules
+           => ‘mingw32-nsis-3.01-1.el7.x86_64.rpm’
-bad-traffic.rules       file-office.rules            os-linux.rules           protocol-scada.rules     smtp.rules
+Resolving ftp.icm.edu.pl (ftp.icm.edu.pl)... 193.219.28.2, 2001:6a0:0:31::2
-blacklist.rules         file-other.rules             os-mobile.rules          protocol-services.rules  snmp.rules
+Connecting to ftp.icm.edu.pl (ftp.icm.edu.pl)|193.219.28.2|:21... connected.
-botnet-cnc.rules        file-pdf.rules               os-other.rules           protocol-snmp.rules      specific-threats.rules
+Logging in as anonymous ... Logged in!
-browser-chrome.rules    finger.rules                 os-solaris.rules         protocol-telnet.rules    spyware-put.rules
+==> SYST ... done.    ==> PWD ... done.
-browser-firefox.rules   ftp.rules                    os-windows.rules         protocol-tftp.rules      sql.rules
+==> TYPE I ... done.  ==> CWD (1) /vol/rzm1/linux-oracle-repo/OracleLinux/OL7/developer_EPEL/x86_64 ... done.
-browser-ie.rules        icmp-info.rules              other-ids.rules          protocol-voip.rules      telnet.rules
+==> SIZE mingw32-nsis-3.01-1.el7.x86_64.rpm ... 1379180
-browser-other.rules     icmp.rules                   p2p.rules                pua-adware.rules         tftp.rules
+==> PASV ... done.    ==> RETR mingw32-nsis-3.01-1.el7.x86_64.rpm ... done.
-browser-plugins.rules   imap.rules                   phishing-spam.rules      pua-other.rules          virus.rules
+Length: 1379180 (1.3M) (unauthoritative)
-browser-webkit.rules    indicator-compromise.rules   policy-multimedia.rules  pua-p2p.rules            voip.rules
-chat.rules              indicator-obfuscation.rules  policy-other.rules       pua-toolbars.rules       VRT-License.txt
+%[========================================================================================================================================================================>] 1,379,180   2.05MB/s   in 0.6s
-content-replace.rules   indicator-scan.rules         policy.rules             rpc.rules                web-activex.rules
-ddos.rules              indicator-shellcode.rules    policy-social.rules      rservices.rules          web-attacks.rules
+-12-02 13:46:28 (2.05 MB/s) - ‘mingw32-nsis-3.01-1.el7.x86_64.rpm’ saved [1379180]
-deleted.rules           info.rules                   policy-spam.rules        scada.rules              web-cgi.rules
-dns.rules               local.rules                  pop2.rules               scan.rules               web-client.rules
+[root@centos7 ~]# yum localinstall mingw32-nsis-3.01-1.el7.x86_64.rpm --nogpgcheck -y
-dos.rules               malware-backdoor.rules       pop3.rules               server-apache.rules      web-coldfusion.rules
+</code>
-experimental.rules      malware-cnc.rules            protocol-dns.rules       server-iis.rules         web-frontpage.rules
-exploit-kit.rules       malware-other.rules          protocol-finger.rules    server-mail.rules        web-iis.rules
+Exécutez une dernière fois la commande **openvas-check-setup** :
-exploit.rules           malware-tools.rules          protocol-ftp.rules       server-mssql.rules       web-misc.rules
-file-executable.rules   misc.rules                   protocol-icmp.rules      server-mysql.rules       web-php.rules
+<code>
-file-flash.rules        multimedia.rules             protocol-imap.rules      server-oracle.rules      x11.rules
+[root@centos7 ~]# openvas-check-setup
-file-identify.rules     mysql.rules                  protocol-nntp.rules      server-other.rules
+...
+Step 10: Checking presence of optional tools ...
+        OK: pdflatex found.
+        OK: PDF generation successful. The PDF report format is likely to work.
+        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
+        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
+        OK: alien found, LSC credential package generation for DEB based targets is likely to work.
+        OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
+        OK: SELinux is disabled.
+It seems like your OpenVAS-8 installation is OK.
+...
+</code>
+===2.5 - Utilisation===
+Retournez à l'accueil de Guacamole. Connectez-vous à la VM **Gateway_10.0.2.40_VNC** avec le compte **trainee** et le mot de passe **a39dae707d**.
+Ouvrez un navigateur web dans la VM et saisissez l'adresse %%https:>//10.0.2.51:9443%%. Vous obtiendrez une fenêtre similaire à celle-ci :
+{{ :elearning:workbooks:centos:6:avance:openvas01.png?600 |}}
+Créez une exception pour le Self Signed Certificate. Vous obtiendrez une fenêtre similaire à celle-ci:
+{{ :elearning:workbooks:centos:6:avance:openvas02.png?600 |}}
+Entrez le nom de votre utilisateur (fenestros) ainsi que son mot de passe (fenestros) et cliquez sur le bouton **Login**. Vous obtiendrez une fenêtre similaire à celle-ci :
+{{ :elearning:workbooks:centos:6:avance:openvas03.png?600 |}}
+Dans la boîte **Quick start**, entrez l'adresse IP 10.0.2.46 et cliquez sur le bouton **Start Scan**. Vous obtiendrez une fenêtre similaire à celle-ci :
+{{ :elearning:workbooks:centos:6:avance:openvas04.png?600 |}}
+<WRAP center round important 50%>
+**Important** - Vous pouvez indiquer un réseau entier de la forme 10.0.2.0/24
+</WRAP>
+===Analyse des Résultats===
+A l'issu de l'analyse, il est possible de consulter les résultats :
+{{ :elearning:workbooks:centos:6:avance:openvas05.png?600 |}}
+ainsi que les détails de celui-ci :
+{{ :elearning:workbooks:centos:6:avance:openvas06.png?600 |}}
+Vous trouverez aussi une **solution** ainsi qu'une évaluation du niveau de risque, **Risk factor**.
+{{ :elearning:workbooks:centos:6:avance:openvas07.png?600 |}}
+{{ :elearning:workbooks:centos:6:avance:openvas08.png?600 |}}
+=====LAB #3 - Sécuriser le Serveur DNS=====
+====3.1 - Le serveur DNS====
+Le principe du DNS est basé sur l'équivalence entre un **FQDN** ( Fully Qualified Domain Name ) et une adresse IP. Les humains retiennent plus facilement des noms tels que www.ittraining.team, tandis que les ordinateurs utilisent des chiffres.
+Le **DNS** ( Domain Name Service ) est né peut après l'introduction des FQDN en 1981.
+Lorsqu'un ordinateur souhaite communiquer avec un autre par le biais de son nom, par exemple avec www.fenestros.com, il envoie une requête à un serveur DNS. Si le serveur DNS a connaissance de la correspondance entre le nom demandé et le numéro IP, il répond directement. Si ce n'est pas le cas, il démarre un processus de **Recursive Lookup**.
+Ce processus tente d'identifier le serveur de domaine responsable pour le **SLD** ( Second Level Domain ) afin de lui passer la requête. Dans notre exemple, il tenterait d'identifier le serveur de domaine responsable de **ittraining.com**.
+Si cette tentative échoue, le serveur DNS cherche le serveur de domaine pour le **TLD** ( Top Level Domain ) dans son cache afin de lui demander l'adresse du serveur responsable du SLD. Dans notre cas il tenterait trouver l'enregistrement pour le serveur de domaine responsable de **.com**
+Si cette recherche échoue, le serveur s'adresse à un **Root Name Server** dont il y en a peu. Si le Root Name Server ne peut pas répondre, le serveur DNS renvoie une erreur à la machine ayant formulé la demande.
+Le serveur DNS sert à faire la résolution de noms. Autrement dit de traduire une adresse Internet telle que **www.ittraining.com **en **numéro IP**.
+====3.2 - Préparation à l'Installation====
+Le serveur DNS nécessite que la machine sur laquelle il est installé possède un nom FQDN et une adresse IP fixe. Il est également important de noter que le service de bind ne démarrera **pas** dans le cas où le fichier **/etc/hosts** comporte une anomalie. Trois étapes préparatoires sont donc nécessaires :
+  * Modification de l'adresse IP de la machine en adresse IP fixe
+  * Définition d'un nom FQDN (Fully Qualified Domain Name)
+  * Vérification du fichier /etc/hosts
+Afin d'étudier ce dernier cas, nous prenons en tant qu'exemple la machine suivante :
+  * **FQDN** - debian12.ittraining.loc
+  * **Adresse IP** - 10.0.2.46
+Vérifiez la configuration de la VM :
+<code>
+root@debian12:~# hostname
+debian12
+root@debian12:~# hostnamectl set-hostname debian12.ittraining.loc
+root@debian12:~# hostname
+debian12.ittraining.loc
+root@debian12:~# nmcli c show
+NAME                UUID                                  TYPE      DEVICE
+ip_fixe             33c26470-0968-4646-a88a-a22f10fab6da  ethernet  ens18
+lo                  c4172990-a224-464f-a1de-9820ca5e83c8  loopback  lo
+Wired connection 1  77c569e6-3176-4c10-8008-40d7634d2504  ethernet  --
+root@debian12:~# ip a
+: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host noprefixroute
+       valid_lft forever preferred_lft forever
+: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+    link/ether 56:a3:fd:18:02:6d brd ff:ff:ff:ff:ff:ff
+    altname enp0s18
+    inet 10.0.2.46/24 brd 10.0.2.255 scope global noprefixroute ens18
+       valid_lft forever preferred_lft forever
+    inet6 fe80::4b88:5cd8:60c9:6e2c/64 scope link noprefixroute
+       valid_lft forever preferred_lft forever
+root@debian12:~# cat /etc/hosts
+.0.0.1       localhost
+.0.2.46       debian12.ittraining.loc debian12
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
 </code>
 <WRAP center round important 50%>
-**Important** - Si vous utilisez **snort** régulièrement, vous devez prendre un abonnement sur le site [[http://www.snort.org]] afin de pouvoir télécharger les mises à jour des règles.
+**Important** - La configuration du serveur DNS dépend du nom de votre machine. Dans le cas où vous changeriez ce nom, vous devez reconfigurer votre serveur DNS en éditant les fichiers de configuration directement.
 </WRAP>
-== Editer le fichier /etc/snort/snort.conf ==
+====3.3 - Installation====
-Lancez vi pour éditer le fichier **/etc/snort/snort.conf** :
+Pour installer le serveur DNS, utilisez la commande **APT**:
-Modifiez la ligne qui commence par **ipvar HOME_NET** pour que celle-ci comporte l'adresse de votre réseau :
+<code>
+root@debian12:~# apt install bind9 -y
+root@debian12:~# systemctl status named
+● named.service - BIND Domain Name Server
+     Loaded: loaded (/lib/systemd/system/named.service; enabled; preset: enabled)
+     Active: active (running) since Sun 2025-12-07 11:19:19 CET; 44s ago
+       Docs: man:named(8)
+   Main PID: 32581 (named)
+     Status: "running"
+      Tasks: 26 (limit: 19123)
+     Memory: 116.9M
+        CPU: 215ms
+     CGroup: /system.slice/named.service
+             └─32581 /usr/sbin/named -f -u bind
+Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
+Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
+Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
+Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
+Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
+Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
+Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
+Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
+Dec 07 11:19:19 debian12.ittraining.loc named[32581]: managed-keys-zone: Initializing>
+Dec 07 11:19:19 debian12.ittraining.loc named[32581]: managed-keys-zone: Initializing>
+</code>
+===Options de la commande named===
+Les options de cette commande sont :
+<code>
+root@debian12:~# named help
+usage: named [-4|-6] [-c conffile] [-d debuglevel] [-D comment] [-E engine]
+             [-f|-g] [-L logfile] [-n number_of_cpus] [-p port] [-s]
+             [-S sockets] [-t chrootdir] [-u username] [-U listeners]
+             [-X lockfile] [-m {usage|trace|record}]
+             [-M fill|nofill]
+usage: named [-v|-V|-C]
+named: extra command line arguments
+</code>
+====3.4 - Les fichiers de configuration====
+Sous Debian12, les fichiers de configuration de **bind9** se trouvent dans **/etc/bind** :
+<code>
+root@debian12:~# ls -l /etc/bind
+total 48
+-rw-r--r-- 1 root root 2928 Oct 22 17:38 bind.keys
+-rw-r--r-- 1 root root  255 Oct 22 17:38 db.0
+-rw-r--r-- 1 root root  271 Oct 22 17:38 db.127
+-rw-r--r-- 1 root root  237 Oct 22 17:38 db.255
+-rw-r--r-- 1 root root  353 Oct 22 17:38 db.empty
+-rw-r--r-- 1 root root  270 Oct 22 17:38 db.local
+-rw-r--r-- 1 root bind  458 Oct 22 17:38 named.conf
+-rw-r--r-- 1 root bind  498 Oct 22 17:38 named.conf.default-zones
+-rw-r--r-- 1 root bind  165 Oct 22 17:38 named.conf.local
+-rw-r--r-- 1 root bind  846 Oct 22 17:38 named.conf.options
+-rw-r----- 1 bind bind  100 Dec  7 11:19 rndc.key
+-rw-r--r-- 1 root root 1317 Oct 22 17:38 zones.rfc1918
+</code>
+===named.conf===
+Le fichier de configuration principal du serveur DNS Bind est **/etc/bind/named.conf** :
+<code>
+root@debian12:~# cat /etc/bind/named.conf
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
+</code>
+Les directives **include**, incluent les fichiers suivants dans la configuration :
+<code>
+root@debian12:~# cat /etc/bind/named.conf.options
+options {
+        directory "/var/cache/bind";
+        // If there is a firewall between you and nameservers you want
+        // to talk to, you may need to fix the firewall to allow multiple
+        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+        // If your ISP provided one or more IP addresses for stable
+        // nameservers, you probably want to use them as forwarders.
+        // Uncomment the following block, and insert the addresses replacing
+        // the all-0's placeholder.
+        // forwarders {
+        //      0.0.0.0;
+        // };
+        //========================================================================
+        // If BIND logs error messages about the root key being expired,
+        // you will need to update your keys.  See https://www.isc.org/bind-keys
+        //========================================================================
+        dnssec-validation auto;
+        listen-on-v6 { any; };
+};
+</code>
+<code>
+root@debian12:~# cat /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+</code>
+<code>
+root@debian12:~# cat /etc/bind/named.conf.default-zones
+// prime the server with knowledge of the root servers
+zone "." {
+        type hint;
+        file "/usr/share/dns/root.hints";
+};
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+zone "localhost" {
+        type master;
+        file "/etc/bind/db.local";
+};
+zone "127.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.127";
+};
+zone "0.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.0";
+};
+zone "255.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.255";
+};
+</code>
+===Les Sections de Zone===
+**La Valeur Type**
+Maintenant, étudions les sections de zones. La valeur "type" peut prendre plusieurs valeurs:
+  * **master**
+    * Ce type définit le serveur DNS comme serveur maître ayant **autorité** sur la zone concernée.
+  * **slave**
+    * Ce type définit le serveur DNS comme serveur esclave pour la zone concernée. Ceci implique que la zone est une réplication d'une zone maîtresse. Un type de zone esclave contiendra aussi une directive **masters** indiquant les adresses IP des serveurs DNS maîtres.
+  * **stub**
+    * Ce type définit le serveur DNS comme serveur esclave pour la zone concernée mais uniquement pour les **enregistrements** de type **NS**.
+  *  **forward**
+    * Ce type définit le serveur DNS comme serveur de transit pour la zone concernée. Ceci implique que toute requête est retransmise vers un autre serveur.
+  * **hint**
+    * Ce type définit la zone concernée comme une zone racine. Ceci implique que lors du démarrage du serveur, cette zone est utilisée pour récupérer les adresses des serveurs DNS racine.
+La valeur "notify" est utilisée pour indiquer si non ( no ) ou oui ( yes ) les autres serveurs DNS sont informés de changements dans la zone.
+**La Valeur File**
+La deuxième directive dans une section de zone comporte la valeur **file**. Il indique l'emplacement du fichier de zone.
+===Exemples de Sections de Zone===
+Chaque section de zone, à l'exception de la zone "." est associée avec une section de zone inversée.
+La zone "." est configurée dans le fichier **/usr/share/dns/root.hints** :
 <file>
 ...
-ipvar HOME_NET 10.0.2.0/24
+zone "." {
+        type hint;
+        file "/usr/share/dns/root.hints";
+};
 ...
 </file>
-Dans le cas où vous êtes connecté à deux ou à plusieurs réseaux directement, la ligne devrait prendre la forme suivante :
+La section de zone fait correspondre un nom avec une adresse IP tandis que la section de zone inversée fait l'inverse. La section inversée a un nom d'un syntaxe spécifique :
-  ipvar HOME_NET [adresse_réseau_1 ( p.e. 10.0.2.0/24 ), adresse_réseau_2 ( p.e. 10.0.0.0/8 )]
+<file>
+adresse_réseau_inversée.in-addr.arpa.
+</file>
-Vérifiez la présence de les lignes qui commencent par **var RULE_PATH**, **Var SO_RULE_PATH** et **var PREPROC_RULE_PATH**. Celles-ci comportent les chemin relatifs des répertoires **rules** :
+Par exemple dans le fichier ci-dessus nous trouvons les quatre sections suivantes :
 <file>
 ...
-var RULE_PATH /etc/snort/rules
+zone "localhost" {
-var SO_RULE_PATH ../so_rules
+        type master;
-var PREPROC_RULE_PATH ../preproc_rules
+        file "/etc/bind/db.local";
+};
+zone "127.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.127";
+};
+zone "0.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.0";
+};
+zone "255.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.255";
+};
 ...
 </file>
-Modifiez les deux lignes suivantes afin d'utiliser des chemins absolus :
+===Sections de Zones de votre Machine===
+Afin de configurer notre serveur correctement, il est necéssaire d'ajouter à ce fichier deux sections supplémentaires :
+  * La zone correspondante à notre domaine, ici appelée "ittraining.loc". Celle-ci fait correspondre le nom de la machine avec son adresse IP:
 <file>
 ...
-var WHITE_LIST_PATH /etc/snort/rules
+zone "ittraining.loc" {
-var BLACK_LIST_PATH /etc/snort/rules
+    type master;
+    file "/etc/bind/zones/ittraining.loc";
+    forwarders { };
+};
 ...
 </file>
-Décommentez la ligne qui commence par **ooutput unified2** concernant la journalisation et supprimez le mot **nostamp** :
+  * La zone à notre domaine mais dans le sens inverse. A savoir le fichier **db.2.0.10.hosts** qui fait correspondre notre adresse IP avec le nom de la machine.
 <file>
 ...
-# unified2
+zone "2.0.10.in-addr.arpa" {
-# Recommended for most installs
+    type master;
-output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
+    file "/etc/bind/zones/db.2.0.10.hosts";
+    forwarders { };
+};
 ...
 </file>
-Commentez ensuite la ligne commençant par **dynamicdetection directory** :
+Ajoutez donc ces deux sections au fichier **/etc/bind/named.conf.default-zones** :
 <code>
-# path to dynamic rules libraries
+root@debian12:~# vi /etc/bind/named.conf.default-zones
-# dynamicdetection directory /usr/local/lib/snort_dynamicrules
+root@debian12:~# cat /etc/bind/named.conf.default-zones
+// prime the server with knowledge of the root servers
+zone "." {
+        type hint;
+        file "/usr/share/dns/root.hints";
+};
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+zone "localhost" {
+        type master;
+        file "/etc/bind/db.local";
+};
+zone "127.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.127";
+};
+zone "0.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.0";
+};
+zone "255.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.255";
+};
+zone "ittraining.loc" {
+    type master;
+    file "/etc/bind/zones/ittraining.loc";
+    forwarders { };
+};
+zone "2.0.10.in-addr.arpa" {
+    type master;
+    file "/etc/bind/zones/db.2.0.10.hosts";
+    forwarders { };
+};
 </code>
-Créez ensuite les deux fichiers ci-dessous :
+===Les fichiers de zone===
+La fichiers de zone sont composées de lignes d'une forme:
+|  nom  |  TTL  |  classe  |  type  |  donnée  |
+où
+  * **nom**
+    * Le nom DNS.
+  * **TTL**
+    * La durée de vie en cache de cet enregistrement.
+  * **classe**
+    * Le réseau de transport utilisé. Dans notre cas, le réseau est du TCP. La valeur est donc IN.
+  * **type**
+    * Le type d'enregistrement:
+      * SOA - Start of Authority - se trouve au début du fichier et contient des informations générales
+      * NS - Name Server  - le nom du serveur de nom
+      * A - Address - indique une résolution de nom vers une adresse IP. Ne se trouve que dans les fichiers **.hosts**
+      * PTR - %%PoinTeR%% - indique une résolution d'une adresse IP vers un nom. Ne se trouve que dans les fichiers inversés.
+      * MX - Mail eXchange - le nom d'un serveur de mail.
+      * CNAME - Canonical Name - un alias d'une machine.
+      * HINFO - Hardware Info - fournit des informations sur le matériel de la machine
+  * **donnée**
+    * La donnée de la ressource:
+      * Une adresse IP pour un enregistrement de type A
+      * Un nom de machine pour un eregistrement de type PTR
+==ittraining.loc==
+Ce fichier se trouve dans /etc/bind/zones. C'est le fichier qui définit la correspondance du nom de la machine **debian12.ittraining.loc** avec son numéro IP, à savoir le **10.0.2.46**. On définit dans ce fichier les machines qui doivent être appelées par leur nom :
 <code>
-[root@centos7 ~]# touch /etc/snort/rules/white_list.rules
+root@debian12:~# mkdir /etc/bind/zones
-[root@centos7 ~]# touch /etc/snort/rules/black_list.rules
+root@debian12:~# vi /etc/bind/zones/ittraining.loc
+root@debian12:~# cat /etc/bind/zones/ittraining.loc
+$TTL 3D
+@       IN     SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. (
+               2025120701       ; Serial
+H   ; Refresh
+H   ; Retry
+W  ; Expire
+D)  ; Minimum TTL
+               IN      NS      debian12.ittraining.loc.
+localhost                   A              127.0.0.1
+dnsmaster                   IN      CNAME  debian12.ittraining.loc.
+debian12.ittraining.loc.    IN      A      10.0.2.46
+ftp IN CNAME debian12.ittraining.loc.
+www IN CNAME debian12.ittraining.loc.
+mail IN CNAME debian12.ittraining.loc.
+news IN CNAME debian12.ittraining.loc.
 </code>
-Modifiez maintenant le fichier **/etc/sysconfig/snort** :
+<WRAP center round important 50%>
+**Important** - Notez le point à la fin de chaque nom de domaine. Notez bien le remplacement du caractère @ dans l'adresse email de l'administrateur de mail par le caractère "."
+</WRAP>
+La première ligne de ce fichier commence par une ligne semblable à celle-ci:
 <file>
-...
+$TTL 3D
-#### General Configuration
+</file>
-# What interface should snort listen on?  [Pick only 1 of the next 3!]
+Cette ligne indique aux autres serveurs DNS pendant combien de temps ils doivent garder en cache les enregistrements de cette zone. La durée peut s'exprimer en jours (**D**), en heures (**H**) ou en secondes (**S**).
-# This is -i {interface} on the command line
-# This is the snort.conf config interface: {interface} directive
+La deuxième ligne définit une **classe** **IN**ternet, un **SOA** (Start Of Authority), le nom du serveur primaire et l'adresse de l'administrateur de mail :
-# INTERFACE=eth0
-INTERFACE=enp0s3
+<file>
-#
+@       IN     SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. (
-# The following two options are not directly supported on the command line
-# or in the conf file and assume the same Snort configuration for all
-# instances
-...
 </file>
-Vérifiez le fichier de configuration :
+Le caractère **@** correspond au nom de la zone et est une abréviation pour le nom de la zone décrit par le fichier de la zone, soit dans ce cas db.**ittraining.loc**.hosts, et présent dans le fichier /etc/bind/named.conf.default-zones :
-<code>
+<file>
-[root@centos7 ~]# snort -T -c /etc/snort/snort.conf
+zone "ittraining.loc" {
-...
+    type master;
-        --== Initialization Complete ==--
+    file "/etc/bind/zones/ittraining.loc";
+    forwarders { };
+};
+</file>
-   ,,_     -*> Snort! <*-
+Le **numéro de série** doit être modifié chaque fois que le fichier est changé. Il faut noter que dans le cas de plusieurs changements dans la même journée il est nécessaire d'incrémenter les deux derniers chiffres du numéro de série. Par exemple, dans le cas de deux changements en date du 07/12/2025, le premier fichier comportera une ligne Serial avec la valeur 2025120701 tandis que le deuxième changement comportera le numéro de série 2025120702 :
-  o"  )~   Version 2.9.9.0 GRE (Build 56)
-   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
-           Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
-           Using libpcap version 1.5.3
-           Using PCRE version: 8.32 2012-11-30
-           Using ZLIB version: 1.2.7
-           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0  <Build 1>
+<file>
-           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
+2025120701       ; Serial
-           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
+</file>
-           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
-           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
-           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
-           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
-           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
-           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
-           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
-           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
-           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
-           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
-           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
-           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
-Snort successfully validated the configuration!
+La ligne suivante indique le temps de rafraîchissement, soit 8 heures. Ce temps correspond à la durée entre les mises à jour d'un autre serveur :
-Snort exiting
-</code>
-=== Utilisation de snort en mode "packet sniffer" ===
+<file>
+H ; Refresh
+</file>
-Pour visualiser les paquets à l'aide de snort, saisissez la commande suivante :
+La ligne suivante indique le temps entre de nouveaux essaies de mise à jour d'un autre serveur dans le cas où la durée du Refresh a été dépassée :
-<code>
+<file>
-[root@centos7 ~]# snort -vde -c /etc/snort/snort.conf -l /var/log/snort
+H ; Retry
+</file>
+La ligne suivante indique le temps d'expiration, c'est-à-dire la durée d'autorité de l'enregistrement. Cette directive est utilisée seulement par un serveur esclave :
+<file>
+W ; Expire
+</file>
+La ligne suivante indique le temps minimum pour la valeur TTL, soit un jour:
+<file>
+D) ; Minimum TTL
+</file>
+Cette ligne identifie notre serveur de noms :
+<file>
+IN NS debian12.ittraining.loc.
+</file>
+Dans le cas où notre serveur était également un serveur mail. Nous trouverions aussi une entrée du type SMTP (MX) :
+<file>
+IN MX 10 mail.ittraining.loc.
+</file>
+Ci-dessous on définit avec une entrée du type A, les machines que l'on souhaite appeler par leur nom, à savoir **debian12.ittraining.loc** et **localhost** :
+<file>
+localhost                   A              127.0.0.1
 ...
-[root@centos7 ~]# ^C
+debian12.ittraining.loc.    IN      A      10.0.2.46
-</code>
+</file>
-<WRAP center round important 50%>
+Ci-dessous on définit des **Alias** avec des entrées du type CNAME. Les alias servent à identifier une machine.
-**Important** - Notez l'utilisation de la combinaison de touches <key>^</key><key>c</key> pour arrêter la visualisation des paquets.
-</WRAP>
-Pour surveiller une interface réseau en particulier, saisissez la commande suivante :
+<file>
+dnsmaster                   IN      CNAME  debian12.ittraining.loc.
+</file>
+Nous pourrions aussi trouver ici des entrées telles:
+<file>
+ftp IN CNAME debian12.ittraining.loc.
+www IN CNAME debian12.ittraining.loc.
+mail IN CNAME debian12.ittraining.loc.
+news IN CNAME debian12.ittraining.loc.
+</file>
+==db.2.0.10.hosts==
+Ce fichier se trouve dans /etc/bind/zones/. C'est le fichier qui définit la correspondance de l'adresse IP de la machine, à savoir le **10.0.2.46** avec le nom **debian12.ittraining.loc**. Le chiffre **46** dans la dernière ligne correspond au 10.0.2.**46**:
 <code>
-[root@centos7 ~]# snort -vd -i enp0s3 -c /etc/snort/snort.conf
+root@debian12:~# vi /etc/bind/zones/db.2.0.10.hosts
-...
-[root@centos7 ~]# ^C
+root@debian12:~# cat /etc/bind/zones/db.2.0.10.hosts
+$TTL 3D
+@       IN      SOA     debian12.ittraining.loc.        debian12.ittraining.loc. (
+                2025120701 ; Serial
+   ; Refresh
+    ; Retry
+  ; Expire
+) ; Minimum TTL
+                NS      debian12.ittraining.loc.
+       IN      PTR     debian12.ittraining.loc.
 </code>
-=== Utilisation de snort en mode "packet logger" ===
+Modifiez maintenant les permissions sur les fichiers de configuration :
-Pour rediriger la sortie à l'écran vers le fichier log **/var/log/snort**, saisissez la commande suivante :
 <code>
-[root@centos7 ~]# snort -de -l /var/log/snort -c /etc/snort/snort.conf
+root@debian12:~# ls -l /etc/bind/zones/*
-...
+-rw-r--r-- 1 root bind 362 Dec  7 12:16 /etc/bind/zones/db.2.0.10.hosts
-[root@centos7 ~]# ^C
+-rw-r--r-- 1 root bind 634 Dec  7 12:06 /etc/bind/zones/ittraining.loc
+root@debian12:~# chmod g+w /etc/bind/zones/*
+root@debian12:~# ls -l /etc/bind/zones/*
+-rw-rw-r-- 1 root bind 362 Dec  7 12:16 /etc/bind/zones/db.2.0.10.hosts
+-rw-rw-r-- 1 root bind 634 Dec  7 12:06 /etc/bind/zones/ittraining.loc
 </code>
-===Journalisation===
+====3.5 - Utilisation====
-Constatez le contenu de **/var/log/snort** :
+Modifiez maintenant le fichier **/etc/resolv.conf** afin d'utiliser votre propre serveur DNS :
 <code>
-[root@centos7 ~]# ls /var/log/snort/
+root@debian12:~# vi /etc/resolv.conf
-merged.log  snort.log.1501937132  snort.log.1501937470  snort.log.1501943548
+root@debian12:~# cat /etc/resolv.conf
+# Generated by NetworkManager
+search ittraining.loc
+nameserver 127.0.0.1
+nameserver 8.8.8.8
 </code>
-Constatez le contenu du fichier de journalisation :
+Dernièrement, redémarrez le service named :
 <code>
-[root@centos7 ~]# tail /var/log/snort/snort.log.1501943548
+root@debian12:~# systemctl restart named
-����;���3P����օY&��RT5'�E���@@��
-�Ҡ��3��;P����I�N��yE��K��=��!�ޚ�UKuD}�[�c���K��۸3��uNý�@�Mo(9�ٮ���c��n��]��`G�����LJ� ��օYJZ'��RT5EL=j@%2
-����;���3P��..����jV���
-                            ������]l�S�����W�h���օYO<'��RT5E(=k@%U
-����_��������օY���RT5'�E���@@�k
-�Ҡ����_P�����G}&2�!̴������I�����AR��!�F|�?��A��"X��-V_�Љ4����"��Ab�Ъ����bb�}�K�Dd[root@centos7 ~]# ى���]Xh-et����qB������
+root@debian12:~# systemctl status named
+● named.service - BIND Domain Name Server
+     Loaded: loaded (/lib/systemd/system/named.service; enabled; preset: enabled)
+     Active: active (running) since Sun 2025-12-07 12:19:11 CET; 7s ago
+       Docs: man:named(8)
+   Main PID: 32731 (named)
+     Status: "running"
+      Tasks: 18 (limit: 19123)
+     Memory: 109.1M
+        CPU: 86ms
+     CGroup: /system.slice/named.service
+             └─32731 /usr/sbin/named -f -u bind
+Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './DNSKEY/IN': 2801:1b8:10::b#53
+Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './NS/IN': 2801:1b8:10::b#53
+Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
+Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './NS/IN': 2001:500:1::53#53
+Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
+Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
+Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
+Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
+Dec 07 12:19:12 debian12.ittraining.loc named[32731]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Dec 07 12:19:12 debian12.ittraining.loc named[32731]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
 </code>
-Ce fichier étant au format **PCAP binaire**, vous pouvez le lire avec la commande suivante :
+Testez maintenant votre serveur :
 <code>
-[root@centos7 ~]# snort -r /var/log/snort/snort.log.1501943548 | more
+root@debian12:/etc/bind/zones# nslookup debian12.ittraining.loc
+Server:         127.0.0.1
+Address:        127.0.0.1#53
+Name:   debian12.ittraining.loc
+Address: 10.0.2.46
+root@debian12:~# dig ittraining.loc
+; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> ittraining.loc
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51890
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 1232
+; COOKIE: 74a7e4078e44bf490100000069356348f4e348254883e231 (good)
+;; QUESTION SECTION:
+;ittraining.loc.                        IN      A
+;; AUTHORITY SECTION:
+ittraining.loc.         86400   IN      SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. 2025120701 28800 7200 2419200 86400
+;; Query time: 0 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
+;; WHEN: Sun Dec 07 12:21:44 CET 2025
+;; MSG SIZE  rcvd: 121
+root@debian12:~# dig -x 10.0.2.46
+; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> -x 10.0.2.46
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5254
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 1232
+; COOKIE: b019ecafc27e897601000000693563584aff28c151c1bd67 (good)
+;; QUESTION SECTION:
+;46.2.0.10.in-addr.arpa.                IN      PTR
+;; ANSWER SECTION:
+.2.0.10.in-addr.arpa. 259200  IN      PTR     debian12.ittraining.loc.
+;; Query time: 0 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
+;; WHEN: Sun Dec 07 12:22:00 CET 2025
+;; MSG SIZE  rcvd: 116
 </code>
-Notez que ce fichier peut aussi être lu par la commande **tcpdump** :
+<WRAP center round important 50%>
+**Important** - Notez l'utilisation de l'option **-x** de la commande **dig** pour tester la zone à l'envers.
+</WRAP>
+====3.6 - Créer les Pairs de Clefs====
+Utilisez la commande **dnssec-keygen** pour créer la ZSK :
 <code>
-[root@centos7 ~]# tcpdump -r /var/log/snort/snort.log.1501943548 | more
+root@debian12:~# cd /etc/bind/zones/
-reading from file /var/log/snort/snort.log.1501943548, link-type EN10MB (Ethernet)
-:32:28.316281 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 2695230935:2695231611, ack 28164311, win 534
-, length 676
-:32:28.316485 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 676, win 65535, length 0
-:32:28.318511 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 676:768, ack 1, win 53440, length 92
-:32:28.318706 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 768, win 65535, length 0
-:32:28.318799 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 768:860, ack 1, win 53440, length 92
-:32:28.318963 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 860, win 65535, length 0
-:32:28.319081 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 860:952, ack 1, win 53440, length 92
-:32:28.319220 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 952, win 65535, length 0
-:32:28.319278 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 952:1044, ack 1, win 53440, length 92
-:32:28.319373 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1044, win 65535, length 0
-:32:28.319457 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1044:1136, ack 1, win 53440, length 92
-:32:28.319544 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1136, win 65535, length 0
-:32:28.319624 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1136:1228, ack 1, win 53440, length 92
-:32:28.319734 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1228, win 65535, length 0
-:32:28.319787 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1228:1320, ack 1, win 53440, length 92
-:32:28.319972 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1320, win 65535, length 0
-:32:28.320041 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1320:1412, ack 1, win 53440, length 92
-:32:28.320186 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1412, win 65535, length 0
-:32:28.320240 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1412:1504, ack 1, win 53440, length 92
-:32:28.320397 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1504, win 65535, length 0
-:32:28.320451 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1504:1596, ack 1, win 53440, length 92
-:32:28.320606 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1596, win 65535, length 0
-:32:28.320659 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1596:1688, ack 1, win 53440, length 92
-:32:28.320816 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1688, win 65535, length 0
-:32:28.320869 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1688:1780, ack 1, win 53440, length 92
-:32:28.320991 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1780, win 65535, length 0
-:32:28.321047 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1780:1872, ack 1, win 53440, length 92
-:32:28.321161 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1872, win 65535, length 0
-:32:28.321232 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1872:1964, ack 1, win 53440, length 92
-:32:28.321355 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1964, win 65535, length 0
-:32:28.321426 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1964:2056, ack 1, win 53440, length 92
-:32:28.321533 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 2056, win 65535, length 0
-:32:28.321589 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 2056:2148, ack 1, win 53440, length 92
-:32:28.321695 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 2148, win 65535, length 0
---More--
+root@debian12:/etc/bind/zones# dnssec-keygen -b 2048 -a RSASHA256 ittraining.loc
+Generating key pair............+.....+...+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+........+...+...+....+...+........+.......+.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+.........+..............+....+..+...+.+......+...+..+...+..........+...+.....+...+......+.+........+.+.........+..+.........+......+...+......+.........+..........+......+.....+...+.+.........+...+.....+....+...+............+........+.+...........+...+...+...+........................+...+.......+......+.....+.+....................+....+.....+......................+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ..+......+........+.......+.....+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*................+.+............+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+Kittraining.loc.+008+18528
 </code>
 <WRAP center round important 50%>
-**Important** - Vous pouvez utiliser le logiciel Wireshark pour visulaiser le contenu du fichier en mode graphique.
+**Important** - L'option **-a RSASHA256** force l'utilisation de l'algorithme SHA2 au lieu de SHA1.
 </WRAP>
-Dernièrement, notez qu'il est aussi possible de ne journaliser le trafic que sur un seul réseau :
+<code>
+root@debian12:/etc/bind/zones# ls -l
-  # snort -de -l /var/log/snort -h 10.0.2.0/24
+total 24
+-rw-rw-r-- 1 root bind  362 Dec  7 12:16 db.2.0.10.hosts
+-rw-rw-r-- 1 root bind  747 Dec  7 13:13 ittraining.loc
+-rw-r--r-- 1 root bind  612 Dec  7 13:28 Kittraining.loc.+008+18528.key
+-rw------- 1 root bind 1776 Dec  7 13:28 Kittraining.loc.+008+18528.private
+</code>
 <WRAP center round important 50%>
-**Important** - Notez l'utilisation des options suivantes : **-l** indique le fichier de journalisation**, -h** indique le **home-net**.
+**Important** - Dans le nom de chaque fichier, **008** indique l'utilisation de SHA2. Dans le cas de l'utilisation de SHA1, la valeur serait **005**. La valeur **18528** est l'identifiant du pair de clefs.
 </WRAP>
-Pour lancer snort en arrière plan afin de surveiller l'interface **enp0s3**, utilisez la commande suivante :
+Utilisez la commande **dnssec-keygen** pour créer la KSK :
 <code>
-[root@centos7 ~]# /usr/sbin/snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort &
+root@debian12:/etc/bind/zones# dnssec-keygen -b 4096 -f KSK -a RSASHA256 ittraining.loc
-[1] 19281
+Generating key pair..+.....+....+......+......+.....+....+...+.....+......+......................+........+....+...+...+.........+..+...+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+.....+.+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+.......+......+..+......+.......+.........+..............+.........+.+..+....+.....+....+..+.......+...+..+......+..........+...........+.+....................+...+......+.........+.........+.+......+........+...+............+..........+...+...+....................+....+........+...+....+..................+..............+.........+.......+...+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ..+..+....+..+.......+..+......+.........+....+..+..........+.....+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.......+........+.+.....+.......+........+.......+..+.+......+..............+.+......+.........+...+......+.........+...+.................+................+......+.....+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+....+...+............+..............+..........+.................+.............+.........+..+...+.+..+.........+...+.............+...+.....+....+..+...+......+.......+...+.........+...+.....+.........+....+...........+......+.......+...........+.+.........+.....+.+.....+..................+.+..+.........+.........+.......+........+...................+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-[root@centos7 ~]# Spawning daemon child...
+Kittraining.loc.+008+63515
-My daemon child 19401 lives...
-Daemon parent exiting (0)
-^C
-[1]+  Done                    /usr/sbin/snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
-[root@centos7 ~]# ps aux | grep snort
-snort    19401  0.0 24.6 850984 504544 ?       Ssl  11:03   0:00 /usr/sbin/snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
-root     19688  0.0  0.0 114692   964 pts/0    R+   11:04   0:00 grep --color=auto snort
 </code>
-Pour arrêter ce processus, utilisez al commande **kill**:
+<WRAP center round important 50%>
+**Important** - L'option **-f** indique le type de pair de clefs, soit KSK.
+</WRAP>
+Constatez la présence des pairs de clefs :
 <code>
-[root@centos7 ~]# ps aux | grep snort
+root@debian12:/etc/bind/zones# ls -l
-snort    19401  0.0 24.6 850984 504692 ?       Ssl  11:03   0:00 /usr/sbin/snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
+total 24
-root     20521  0.0  0.0 114692   964 pts/0    R+   11:07   0:00 grep --color=auto snort
+-rw-rw-r-- 1 root bind  362 Dec  7 12:16 db.2.0.10.hosts
-[root@centos7 ~]# kill 19401
+-rw-rw-r-- 1 root bind  747 Dec  7 13:13 ittraining.loc
-[root@centos7 ~]# ps aux | grep snort
+-rw-r--r-- 1 root bind  612 Dec  7 13:28 Kittraining.loc.+008+18528.key
-root     20568  0.0  0.0 114692   968 pts/0    R+   11:07   0:00 grep --color=auto snort
+-rw------- 1 root bind 1776 Dec  7 13:28 Kittraining.loc.+008+18528.private
+-rw-r--r-- 1 root bind  957 Dec  7 13:28 Kittraining.loc.+008+63515.key
+-rw------- 1 root bind 3316 Dec  7 13:28 Kittraining.loc.+008+63515.private
 </code>
-====LAB #3 - Mise en place du Système de Détection et de Prévention d'Intrusion Portsentry====
+====3.7 - Modifier la Configuration de Bind====
-Portsentry est un **S**ystème de **D**étection et de **Prévention** d'**I**ntrusion (SDPI) qui surveille les requêtes entrantes et en cas d'anomalie bloque l'adresse IP de l'attaquant en inscrivant une règle dans le pare-feu NetFilter (Iptables).
+Ajoutez les deux clefs publiques dans la configuration du fichier de zone **/etc/bind/zones/ittraining.loc** :
-=== Installation ===
+<code>
+root@debian12:/etc/bind/zones# vi ittraining.loc
+root@debian12:/etc/bind/zones# cat ittraining.loc
+$TTL 3D
+@       IN     SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. (
+               2025120702       ; Serial
+H   ; Refresh
+H   ; Retry
+W  ; Expire
+D)  ; Minimum TTL
+               IN      NS      debian12.ittraining.loc.
+localhost                   A              127.0.0.1
+dnsmaster                   IN      CNAME  debian12.ittraining.loc.
+debian12.ittraining.loc.    IN      A      10.0.2.46
+ftp IN CNAME debian12.ittraining.loc.
+www IN CNAME debian12.ittraining.loc.
+mail IN CNAME debian12.ittraining.loc.
+news IN CNAME debian12.ittraining.loc.
+$include /etc/bind/zones/Kittraining.loc.+008+18528.key
+$include /etc/bind/zones/Kittraining.loc.+008+63515.key
+</code>
+<WRAP center round important 50%>
+**Important** - N'oubliez pas de changer la valeur **serial**.
+</WRAP>
-Sous RHEL/CentOS 7, **portsentry** n'est pas installé par défaut. Qui plus est **portsentry** ne se trouve pas dans les dépôts standards. Installez donc le paquet **portsentry-1.2-1.el5.x86_64.rpm** à partir de l'URL ci-dessous :
+Redémarrez le service **named** :
 <code>
-[root@centos7 ~]# rpm -ivh https://www.dropbox.com/scl/fi/v1iniimmjkvj0kx6xllmt/portsentry-1.2-1.el5.x86_64.rpm?rlkey=zyyvgd2a1ksi27y2v2maf6fuh&st=ovf7z0d1
+root@debian12:/etc/bind/zones# systemctl restart named
-Loaded plugins: fastestmirror, langpacks
-portsentry-1.2-1.el5.x86_64.rpm                                                                                 |  53 kB  00:00:00
-Examining /var/tmp/yum-root-qpYJaP/portsentry-1.2-1.el5.x86_64.rpm: portsentry-1.2-1.el5.x86_64
-Marking /var/tmp/yum-root-qpYJaP/portsentry-1.2-1.el5.x86_64.rpm to be installed
-Resolving Dependencies
---> Running transaction check
----> Package portsentry.x86_64 0:1.2-1.el5 will be installed
---> Finished Dependency Resolution
-adobe-linux-x86_64                                                                                              | 2.9 kB  00:00:00
-base/7/x86_64                                                                                                   | 3.6 kB  00:00:00
-extras/7/x86_64                                                                                                 | 3.4 kB  00:00:00
-updates/7/x86_64                                                                                                | 3.4 kB  00:00:00
-Dependencies Resolved
+root@debian12:/etc/bind/zones# systemctl status  named
+● named.service - BIND Domain Name Server
+     Loaded: loaded (/lib/systemd/system/named.service; enabled; preset: enabled)
+     Active: active (running) since Sun 2025-12-07 13:32:03 CET; 7s ago
+       Docs: man:named(8)
+   Main PID: 32952 (named)
+     Status: "running"
+      Tasks: 18 (limit: 19123)
+     Memory: 113.1M
+        CPU: 83ms
+     CGroup: /system.slice/named.service
+             └─32952 /usr/sbin/named -f -u bind
-=======================================================================================================================================
+Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
- Package                     Arch                    Version                       Repository                                     Size
+Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
-=======================================================================================================================================
+Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
-Installing:
+Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './NS/IN': 2001:7fe::53#53
- portsentry                  x86_64                  1.2-1.el5                     /portsentry-1.2-1.el5.x86_64                  114 k
+Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
+Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
+Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
+Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
+Dec 07 13:32:03 debian12.ittraining.loc named[32952]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Dec 07 13:32:03 debian12.ittraining.loc named[32952]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
+</code>
-Transaction Summary
+Intérogez le DNS local pour obtenir les clefs publiques :
-=======================================================================================================================================
-Install  1 Package
-Total size: 114 k
+<code>
-Installed size: 114 k
+root@debian12:/etc/bind/zones# dig @debian12.ittraining.loc DNSKEY ittraining.loc
-Is this ok [y/d/N]: y
+; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> @debian12.ittraining.loc DNSKEY ittraining.loc
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58210
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 1232
+; COOKIE: 74f4778aedb99b4d01000000693576d3fe2e16da8329795a (good)
+;; QUESTION SECTION:
+;ittraining.loc.                        IN      DNSKEY
+;; ANSWER SECTION:
+ittraining.loc.         259200  IN      DNSKEY  256 3 8 AwEAAZ+2bRM+yedcAeqUR6AdkSzyIeQg1kH4021as3WvYGlOLqeUnfbe gNewRYifndXx/b1t84A9L6IZH1ZamuSNxNi7Y0+FZbyq4DJmFnHA68Ao 5zmOhK76mrQf6SjzQHZWzwtoG0DAApTggaRxhmezzjkSr3WNadIoFg4F XU5UaV4ePU5hhPn+zi34SUYvgPTZsSWb/solo0yna80RBxI+hgRxoaPp jV/v4mEVVS9Fjpvc6SxJ/ZZbtUMJi5lTUCvko+Ny9cuXZ5auW4b2qp4u Sk6NuywMawQafxBaxZ/9KuhxqO4qp2n1pl+gBatqb/XPydE41z6ONkT2 YnDOLQVZxLM=
+ittraining.loc.         259200  IN      DNSKEY  257 3 8 AwEAAcRrC7vljqlLFZGQbLUBpMs29NWyiJ8158xqL0GdZuRslhAqy4q2 JisfBS1gKm27J4y2s8zrDhKLAnEqWpIydvRkZd+a6oTJAomfAF9bxHAe xxEyLK7Xd4ATGiXRUv2vALQq1e6XejBhVr10gmbKdQW+SxayYnwQ0G8h 1VFJ2wtAJZdNn/exhmgxxmUwxeJWLmUf37VOkycwn4RbwWZY3rBIOi2V mCigGe1cDpZoNb2FCTKLjEj5ZRz0ieM9SXXLkZEvGd77xAvoV8+JTTX5 BjlP6Hfso+C/NZUchvoNYisqWSPzffyrsaOzumMtuIsKJX2PaADSmFg8 os/b16zqtPbd+lPhQdsR+RE9V5R0YJhNPnsoG0Vy/mfQCCcP7VIC97iB aYSz/u5KFhsS5E0AIJt8rJwGrb2eqZYTFe2Mdtth1FjgIk7DCvFm2GYM zZ0F15WqcBpJGEDof0/HWSpMfjbnc20QAojLYmuek5XE9lWlZLrk9tby q4R7dZrUdDez3oShtJ/rXTA8AxOzcftLsoCZHy+bMfy5RxThidWQYJGE dQsnk3IgJ1pgzSjdB4nXQkyxMBpRzjyxPw9k1a4oLxYrdLQnHkm5RdWA b5k6Csu2xmSKaQUy9oyLaCRrkd9BnpJPELjRmXIdmyswevjmUr9qwLtk L1W/qxN3it6Ribh3
+;; Query time: 4 msec
+;; SERVER: 10.0.2.46#53(debian12.ittraining.loc) (UDP)
+;; WHEN: Sun Dec 07 13:45:07 CET 2025
+;; MSG SIZE  rcvd: 879
 </code>
-===Configuration===
+====3.8 - Signer la Zone====
-Modifiez le fichier **/etc/portsentry/portsentry.conf** en ajoutant la ligne **237** :
+Les clefs étant maintenant insérées dans la configuration, il convient de signer la zone en utilisant la commande **dnssec-signzone**. L'option **-S** signifie **smart signing** permet de trouver automatiquement les fichiers de clefs pour la zone et détermine comment ils doivent être utilisés :
 <code>
-[root@centos7 ~]# nl /etc/portsentry/portsentry.conf
+root@debian12:/etc/bind/zones# dnssec-signzone -S ittraining.loc
-	# PortSentry Configuration
+Verifying the zone using the following algorithms:
-	#
+- RSASHA256
-	# $Id: portsentry.conf,v 1.25 2003/05/23 16:15:39 crowland Exp crowland $
+Zone fully signed:
-	#
+Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
-	# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
+                      ZSKs: 1 active, 0 stand-by, 0 revoked
-	#
+ittraining.loc.signed
-	# The default ports will catch a large number of common probes
-	#
+root@debian12:/etc/bind/zones# ls -l | grep signed
-	# All entries must be in quotes.
+-rw-r--r-- 1 root bind 12407 Dec  7 13:39 ittraining.loc.signed
-	#######################
-	# Port Configurations #
-	#######################
-	#
-	#
-	# Some example port configs for classic and basic Stealth modes
-	#
-	# I like to always keep some ports at the "low" end of the spectrum.
-	# This will detect a sequential port sweep really quickly and usually
-	# these ports are not in use (i.e. tcpmux port 1)
-	#
-	# ** X-Windows Users **: If you are running X on your box, you need to be sure
-	# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
-	# Doing so will prevent the X-client from starting properly.
-	#
-	# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
-	#
-	# Un-comment these if you are really anal:
-	#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
-	#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
-	#
-	# Use these if you just want to be aware:
-	TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
-	UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
-	#
-	# Use these for just bare-bones
-	#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
-	#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
-	###########################################
-	# Advanced Stealth Scan Detection Options #
-	###########################################
-	#
-	# This is the number of ports you want PortSentry to monitor in Advanced mode.
-	# Any port *below* this number will be monitored. Right now it watches
-	# everything below 1024.
-	#
-	# On many Linux systems you cannot bind above port 61000. This is because
-	# these ports are used as part of IP masquerading. I don't recommend you
-	# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
-	# OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
-	# warned! Don't write me if you have have a problem because I'll only tell
-	# you to RTFM and don't run above the first 1024 ports.
-	#
-	#
-	ADVANCED_PORTS_TCP="1024"
-	ADVANCED_PORTS_UDP="1024"
-	#
-	# This field tells PortSentry what ports (besides listening daemons) to
-	# ignore. This is helpful for services like ident that services such
-	# as FTP, SMTP, and wrappers look for but you may not run (and probably
-	# *shouldn't* IMHO).
-	#
-	# By specifying ports here PortSentry will simply not respond to
-	# incoming requests, in effect PortSentry treats them as if they are
-	# actual bound daemons. The default ports are ones reported as
-	# problematic false alarms and should probably be left alone for
-	# all but the most isolated systems/networks.
-	#
-	# Default TCP ident and NetBIOS service
-	ADVANCED_EXCLUDE_TCP="21,22,25,53,80,110,113,135,137,138,139,443"
-	# Default UDP route (RIP), NetBIOS, bootp broadcasts.
-	ADVANCED_EXCLUDE_UDP="520,517,518,513,138,137,123,68,67,53"
-	######################
-	# Configuration Files#
-	######################
-	#
-	# Hosts to ignore
-	IGNORE_FILE="/etc/portsentry/portsentry.ignore"
-	# Hosts that have been denied (running history)
-	HISTORY_FILE="/etc/portsentry/portsentry.history"
-	# Hosts that have been denied this session only (temporary until next restart)
-	BLOCKED_FILE="/etc/portsentry/portsentry.blocked"
-	##############################
-	# Misc. Configuration Options#
-	##############################
-	#
-	# DNS Name resolution - Setting this to "1" will turn on DNS lookups
-	# for attacking hosts. Setting it to "0" (or any other value) will shut
-	# it off.
-	RESOLVE_HOST = "1"
-	###################
-	# Response Options#
-	###################
-	# Options to dispose of attacker. Each is an action that will
-	# be run if an attack is detected. If you don't want a particular
-	# option then comment it out and it will be skipped.
-	#
-	# The variable $TARGET$ will be substituted with the target attacking
-	# host when an attack is detected. The variable $PORT$ will be substituted
-	# with the port that was scanned.
-	#
-	##################
-	# Ignore Options #
-	##################
-	# These options allow you to enable automatic response
-	# options for UDP/TCP. This is useful if you just want
-	# warnings for connections, but don't want to react for
-	# a particular protocol (i.e. you want to block TCP, but
-	# not UDP). To prevent a possible Denial of service attack
-	# against UDP and stealth scan detection for TCP, you may
-	# want to disable blocking, but leave the warning enabled.
-	# I personally would wait for this to become a problem before
-	# doing though as most attackers really aren't doing this.
-	# The third option allows you to run just the external command
-	# in case of a scan to have a pager script or such execute
-	# but not drop the route. This may be useful for some admins
-	# who want to block TCP, but only want pager/e-mail warnings
-	# on UDP, etc.
-	#
-	#
-	# 0 = Do not block UDP/TCP scans.
-	# 1 = Block UDP/TCP scans.
-	# 2 = Run external command only (KILL_RUN_CMD)
-	BLOCK_UDP="1"
-	BLOCK_TCP="1"
-	###################
-	# Dropping Routes:#
-	###################
-	# This command is used to drop the route or add the host into
-	# a local filter table.
-	#
-	# The gateway (333.444.555.666) should ideally be a dead host on
-	# the *local* subnet. On some hosts you can also point this at
-	# localhost (127.0.0.1) and get the same effect. NOTE THAT
-	# 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
-	#
-	# ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
-	# uncomment the correct line for your OS. If you OS is not listed
-	# here and you have a route drop command that works then please
-	# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
-	# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
-	#
-	# NOTE: The route commands are the least optimal way of blocking
-	# and do not provide complete protection against UDP attacks and
-	# will still generate alarms for both UDP and stealth scans. I
-	# always recommend you use a packet filter because they are made
-	# for this purpose.
-	#
-	# Generic
-	#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
-	# Generic Linux
-	#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
-	# Newer versions of Linux support the reject flag now. This
-	# is cleaner than the above option.
-	#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
-	# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
-	#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
-	# Generic Sun
-	#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
-	# NEXTSTEP
-	#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
-	# FreeBSD
-	#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
-	# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
-	#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
-	# Generic HP-UX
-	#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
-	##
-	# Using a packet filter is the PREFERRED. The below lines
-	# work well on many OS's. Remember, you can only uncomment *one*
-	# KILL_ROUTE option.
-	##
-	# ipfwadm support for Linux
-	#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
-	#
-	# ipfwadm support for Linux (no logging of denied packets)
-	#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
-	#
-	# ipchain support for Linux
-	#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
-	#
-	# ipchain support for Linux (no logging of denied packets)
-	#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
-	#
-	# iptables support for Linux
-	KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
-	# For those of you running FreeBSD (and compatible) you can
-	# use their built in firewalling as well.
-	#
-	#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
-	#
-	#
-	# For those running ipfilt (OpenBSD, etc.)
-	# NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
-	#
-	#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"
-	###############
-	# TCP Wrappers#
-	###############
-	# This text will be dropped into the hosts.deny file for wrappers
-	# to use. There are two formats for TCP wrappers:
-	#
-	# Format One: Old Style - The default when extended host processing
-	# options are not enabled.
-	#
-	#KILL_HOSTS_DENY="ALL: $TARGET$"
-	# Format Two: New Style - The format used when extended option
-	# processing is enabled. You can drop in extended processing
-	# options, but be sure you escape all '%' symbols with a backslash
-	# to prevent problems writing out (i.e. \%c \%h )
-	#
-	#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
-	###################
-	# External Command#
-	###################
-	# This is a command that is run when a host connects, it can be whatever
-	# you want it to be (pager, etc.). This command is executed before the
-	# route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
-	#
-	#
-	# I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
-	# YOU!
-	#
-	# TCP/IP is an *unauthenticated protocol* and people can make scans appear out
-	# of thin air. The only time it is reasonably safe (and I *never* think it is
-	# reasonable) to run reverse probe scripts is when using the "classic" -tcp mode.
-	# This mode requires a full connect and is very hard to spoof.
-	#
-	# The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
-	# to run *before* the blocking occurs and should be set to "0" to make the
-	# command run *after* the blocking has occurred.
-	#
-	#KILL_RUN_CMD_FIRST = "0"
-	#
-	#
-	#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
-	#KILL_RUN_CMD="/bin/mail -s 'Portscan from $TARGET$ on port $PORT$' user@host < /dev/null"
-	KILL_RUN_CMD="/bin/mail -s 'Portscan from $TARGET$ on port $PORT$' root@localhost < /dev/null"  <--------------------------------AJOUTEZ cette ligne
-	#####################
-	# Scan trigger value#
-	#####################
-	# Enter in the number of port connects you will allow before an
-	# alarm is given. The default is 0 which will react immediately.
-	# A value of 1 or 2 will reduce false alarms. Anything higher is
-	# probably not necessary. This value must always be specified, but
-	# generally can be left at 0.
-	#
-	# NOTE: If you are using the advanced detection option you need to
-	# be careful that you don't make a hair trigger situation. Because
-	# Advanced mode will react for *any* host connecting to a non-used
-	# below your specified range, you have the opportunity to really
-	# break things. (i.e someone innocently tries to connect to you via
-	# SSL [TCP port 443] and you immediately block them). Some of you
-	# may even want this though. Just be careful.
-	#
-	SCAN_TRIGGER="2"
-	######################
-	# Port Banner Section#
-	######################
-	#
-	# Enter text in here you want displayed to a person tripping the PortSentry.
-	# I *don't* recommend taunting the person as this will aggravate them.
-	# Leave this commented out to disable the feature
-	#
-	# Stealth scan detection modes don't use this feature
-	#
-	#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
-	# EOF
 </code>
-Pour rendre le service SysVInit compatible avec Systemd, éditez le fichier **/etc/init.d/portsentry** en supprimant la ligne **11** :
+Consultez le fichier **ittraining.loc.signed** :
 <code>
-[root@centos7 ~]# nl /etc/init.d/portsentry
+root@debian12:/etc/bind/zones# more ittraining.loc.signed
-	#!/bin/bash
+; File written on Sun Dec  7 13:39:03 2025
-	#
+; dnssec_signzone version 9.18.41-1~deb12u1-Debian
-	# Startup script for the Portsentry portscan detector
+ittraining.loc.         259200  IN SOA  debian12.ittraining.loc. root.debian12.ittraining.loc. (
-	#
+                                        2025120703 ; serial
-	# chkconfig: 345 98 02
+      ; refresh (8 hours)
-	# description: PortSentry Port Scan Detector is part of the Abacus Project \
+       ; retry (2 hours)
-	#              suite of tools. The Abacus Project is an initiative to release \
+                                        2419200    ; expire (4 weeks)
-	#              low-maintenance, generic, and reliable host based intrusion \
+      ; minimum (1 day)
-	#              detection software to the Internet community.
+                                        )
-	# processname: portsentry
+  RRSIG   SOA 8 2 259200 (
-	# pidfile: /var/run/portsentry.pid  <--------------------------------SUPPRIMEZ cette ligne
+                                        20260106113903 20251207113903 18528 ittraining.loc.
-	# config: /etc/portsentry/portsentry.conf
+                                        ANlboBzlffzcYC1G10cQuxvRP3XC5bvDP1+v
+                                        Baxfh/B4BxgYGeQoDih2uGqLxzDExRWix2a2
-	# Source function library.
+                                        B95uAkDGClaGdlFkYtU4voIQJWuAx0Goo6Xa
-...
+                                        omEyrIdLGqoj9e2vdn6j2lVpJik9YgCTxP2G
+                                        ShVYc632XsAFPXN6SJrR3QdKo1x6KM1uPYdd
+                                        OxAX9fGNYj59ZXG84slUxreDejoqn2k8Rx68
+                                        gxuzkIY3oM5aUtbvL8bwjflk121mWxQ4vVhW
+                                        R/KNk9SEc6AbZSqJXwmlY/vReOA+pvPCdLYJ
+Wf+S9kr1i1xT1y078Iqz2twASWBjBnP/adG
+                                        QtKpn9SvKUEzICTaNA== )
+  NS      debian12.ittraining.loc.
+  RRSIG   NS 8 2 259200 (
+                                        20260106113903 20251207113903 18528 ittraining.loc.
+                                        CGtE8nZ2F0JQLAmbyPgrqKLDXjyWg2hZmEcf
+h2zAxJZWjNWB7k5aLHA6weKkvo7mTnH7sS
+                                        pEazWPhaDzmW2BLfdBjeaSZzj+mMWUiXVnUq
+                                        LYAMLRXGD1NAPcuSQlyzDpN0JZXwWfQFTpzT
+                                        DJttJyChcQgyJmvaJEhIhQK5gRFMaT+Ww1zg
+                                        pvAke0HlkSEz9mQxIhff5FqSL00Zyn5mnLBB
+                                        N6X1XKQXL/mUJ8nb9X70n9b/qsYqAQdFFxzS
+lz+kMr/D1AhzabDGkeD/+xlXSPMygYc4I6b
+                                        eYZKmEsD8HOdYJb5JlWicP7cheeKonPXxjrZ
+                                        TQqLDJFaRETE+IDnLQ== )
+   NSEC    debian12.ittraining.loc. NS SOA RRSIG NSEC DNSKEY
+   RRSIG   NSEC 8 2 86400 (
+                                        20260106113903 20251207113903 18528 ittraining.loc.
+                                        dDLcoBI/agA+tHni16R8aWdWHBqPPfBjbFRZ
+fNQI/d20d47vFx/u2rx+WzenCSZBOpU/J
+b8Q2Dm26f218L1KYF7NF7dew2s5OUIkfM+V
+                                        iZIqBSAFYyAbLYRCfbQA6DxsIgDT6T/x7jLf
+                                        +jYHNeASGauWunufrSLvbqdsIE0z+JH+3AVE
+                                        JaLTeXYL6I+/U4vn+EwVOiOuVv3eOt8d1d5a
+lqDK8qRlcbhFF1ngOJHe+Fa5ect9kqnbjCa
+mwOOmp4v4JA6Myvvut7OEDI5mQItd9HApPl
+                                        eM0kvui7mioUEUCM2EXRPtJYXVAELUnqGz1S
+                                        hn6EYefpcWvUDo8veg== )
+  DNSKEY  256 3 8 (
+                                        AwEAAZ+2bRM+yedcAeqUR6AdkSzyIeQg1kH4
+as3WvYGlOLqeUnfbegNewRYifndXx/b1t
+A9L6IZH1ZamuSNxNi7Y0+FZbyq4DJmFnHA
+Ao5zmOhK76mrQf6SjzQHZWzwtoG0DAApTg
+                                        gaRxhmezzjkSr3WNadIoFg4FXU5UaV4ePU5h
+                                        hPn+zi34SUYvgPTZsSWb/solo0yna80RBxI+
+                                        hgRxoaPpjV/v4mEVVS9Fjpvc6SxJ/ZZbtUMJ
+--More--(18%)
 </code>
-Puis ajoutez la ligne **80** :
+Consultez la section RRSIG du SOA :
-<code>
+<file>
 ...
-	stop() {
+  RRSIG   SOA 8 2 259200 (
-		echo -n $"Stopping $prog: "
+                                        20260106113903 20251207113903 18528 ittraining.loc.
-		killproc portsentry
+                                        ANlboBzlffzcYC1G10cQuxvRP3XC5bvDP1+v
-		killall portsentry  <--------------------------------AJOUTEZ cette ligne
+                                        Baxfh/B4BxgYGeQoDih2uGqLxzDExRWix2a2
-		RETVAL=$?
+                                        B95uAkDGClaGdlFkYtU4voIQJWuAx0Goo6Xa
-		echo
+                                        omEyrIdLGqoj9e2vdn6j2lVpJik9YgCTxP2G
-		[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/portsentry
+                                        ShVYc632XsAFPXN6SJrR3QdKo1x6KM1uPYdd
-	}
+                                        OxAX9fGNYj59ZXG84slUxreDejoqn2k8Rx68
+                                        gxuzkIY3oM5aUtbvL8bwjflk121mWxQ4vVhW
-	# See how we were called.
+                                        R/KNk9SEc6AbZSqJXwmlY/vReOA+pvPCdLYJ
+Wf+S9kr1i1xT1y078Iqz2twASWBjBnP/adG
+                                        QtKpn9SvKUEzICTaNA== )
 ...
 </code>
-Dernièrement, installez le paquet **initscripts** :
+Dans cette section on constate :
+  * L'ID de la clef **18528** utilisée pour la signature, soit la ZSK
+  * La date et l'heure de la signature **20251207113903**
+  * La date et l'heure de l'expiration de la signature **20260106113903**
+Configurez Bind pour qu'il utilise le fichier signé :
 <code>
-[root@centos7 ~]# yum install -y initscripts
+root@debian12:/etc/bind/zones# vi ../named.conf.default-zones
-</code>
+root@debian12:/etc/bind/zones# cat ../named.conf.default-zones
+// prime the server with knowledge of the root servers
+zone "." {
+        type hint;
+        file "/usr/share/dns/root.hints";
+};
-===Utilisation===
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
-Démarrez le service **portsentry** :
+zone "localhost" {
+        type master;
+        file "/etc/bind/db.local";
+};
-<code>
+zone "127.in-addr.arpa" {
-[root@centos7 ~]# systemctl start portsentry
+        type master;
-[root@centos7 ~]# systemctl status portsentry
+        file "/etc/bind/db.127";
-● portsentry.service - SYSV: PortSentry Port Scan Detector is part of the Abacus Project suite of tools. The Abacus Project is an initiative to release low-maintenance, generic, and reliable host based intrusion detection software to the Internet community.
+};
-   Loaded: loaded (/etc/rc.d/init.d/portsentry; bad; vendor preset: disabled)
-   Active: active (running) since Sun 2017-08-06 14:48:18 CEST; 6s ago
+zone "0.in-addr.arpa" {
-     Docs: man:systemd-sysv-generator(8)
+        type master;
-  Process: 6487 ExecStart=/etc/rc.d/init.d/portsentry start (code=exited, status=0/SUCCESS)
+        file "/etc/bind/db.0";
-   CGroup: /system.slice/portsentry.service
+};
-           ├─6511 /usr/sbin/portsentry -atcp
-           └─6513 /usr/sbin/portsentry -audp
+zone "255.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.255";
+};
+zone "ittraining.loc" {
+    type master;
+    file "/etc/bind/zones/ittraining.loc.signed";
+    forwarders { };
+};
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 517
+zone "2.0.10.in-addr.arpa" {
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 518
+    type master;
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 513
+    file "/etc/bind/zones/db.2.0.10.hosts";
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 138
+    forwarders { };
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 137
+};
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 123
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...t: 68
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...t: 67
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...t: 53
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: PortSentry is now active and listening.
-Hint: Some lines were ellipsized, use -l to show in full.
-[root@centos7 ~]# ps aux | grep portsentry
-root      6511  0.0  0.0   6364   460 ?        Ss   14:48   0:00 /usr/sbin/portsentry -atcp
-root      6513  0.0  0.0   6364   460 ?        Ss   14:48   0:00 /usr/sbin/portsentry -audp
-root      6687  0.0  0.0 114692   972 pts/0    R+   14:48   0:00 grep --color=auto portsentry
 </code>
-Editez le fichier **/etc/portsentry/portsentry.ignore** en commentant la ligne contenant votre adresse IP :
+Redémarrez le service **named** :
 <code>
-[root@centos7 ~]# nl /etc/portsentry/portsentry.ignore
+root@debian12:/etc/bind/zones# systemctl restart named
-	# Put hosts in here you never want blocked. This includes the IP addresses
-	# of all local interfaces on the protected host (i.e virtual host, mult-home)
+root@debian12:/etc/bind/zones# systemctl status named
-	# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
+● named.service - BIND Domain Name Server
-	#
+     Loaded: loaded (/lib/systemd/system/named.service; enabled; preset: enabled)
-	# PortSentry can support full netmasks for networks as well. Format is:
+     Active: active (running) since Sun 2025-12-07 14:02:52 CET; 7s ago
-	#
+       Docs: man:named(8)
-	# <IP Address>/<Netmask>
+   Main PID: 33227 (named)
-	#
+     Status: "running"
-	# Example:
+      Tasks: 18 (limit: 19123)
-	#
+     Memory: 109.0M
-	# 192.168.2.0/24
+        CPU: 88ms
-	# 192.168.0.0/16
+     CGroup: /system.slice/named.service
-	# 192.168.2.1/32
+             └─33227 /usr/sbin/named -f -u bind
-	# Etc.
-	#
+Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './DNSKEY>
-	# If you don't supply a netmask it is assumed to be 32 bits.
+Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './NS/IN'>
-	#
+Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './DNSKEY>
-	#
+Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './NS/IN'>
+Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './DNSKEY>
-	127.0.0.1/32
+Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './NS/IN'>
-	0.0.0.0
+Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './DNSKEY>
-	#########################################
+Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './NS/IN'>
-	# Do NOT edit below this line, if you   #
+Dec 07 14:02:52 debian12.ittraining.loc named[33227]: managed-keys-zone: Key 20326 for zone .>
-	# do, your changes will be lost when    #
+Dec 07 14:02:52 debian12.ittraining.loc named[33227]: managed-keys-zone: Key 38696 for zone .>
-	# portsentry is restarted via the       #
-	# initscript. Make all changes above    #
-	# this box.                             #
-	#########################################
-	# Exclude all local interfaces
-	#172.YY+20.0.3        <--------------------------------EDITEZ cette ligne
-	fe80::94b9:ef1e:8c65:97c6
-	127.0.0.1
-	::1
-	# Exclude the default gateway(s)
-	10.0.2.2
-	# Exclude the nameservers
-	10.0.2.3
-	# And last but not least...
-	0.0.0.0
 </code>
-**Sans** re-démarrez le service portsentry, lancez un scan des ports avec nmap :
+Demandez l'enregistrement SOA du DNS local :
 <code>
-[root@centos7 ~]# nmap -sC 172.YY+20.0.3
+root@debian12:/etc/bind/zones# dig @debian12.ittraining.loc ittraining.loc SOA
-Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-06 14:52 CEST
+; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> @debian12.ittraining.loc ittraining.loc SOA
-^C
+; (1 server found)
-You have new mail in /var/spool/mail/root
+;; global options: +cmd
-</code>
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42848
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
-<WRAP center round important 50%>
+;; OPT PSEUDOSECTION:
-**Important** - Notez l'utilisation de la combinaison de touches <key>C</key><key>c</key> pour arrêter nmap.
+; EDNS: version: 0, flags:; udp: 1232
-</WRAP>
+; COOKIE: a42dbdb3e931b5b40100000069357b611d705b9c213bca01 (good)
+;; QUESTION SECTION:
+;ittraining.loc.                        IN      SOA
+;; ANSWER SECTION:
+ittraining.loc.         259200  IN      SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. 2025120703 28800 7200 2419200 86400
+;; Query time: 0 msec
+;; SERVER: 10.0.2.46#53(debian12.ittraining.loc) (UDP)
+;; WHEN: Sun Dec 07 14:04:33 CET 2025
+;; MSG SIZE  rcvd: 121
+</code>
-Consultez les règles d'iptables :
+Demandez l'enregistrement SOA et sa signature du DNS local :
 <code>
-[root@centos7 ~]# iptables -L
+root@debian12:/etc/bind/zones# dig @debian12.ittraining.loc ittraining.loc SOA +dnssec
-Chain INPUT (policy ACCEPT)
-target     prot opt source               destination
+; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> @debian12.ittraining.loc ittraining.loc SOA +dnssec
-DROP       all  --  15.2.0.10.rev.sfr.net  anywhere   <--------------------------------REGARDEZ cette ligne, elle sera différente en fonction de votre adresse IP
+; (1 server found)
-ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
+;; global options: +cmd
-ACCEPT     all  --  anywhere             anywhere
+;; Got answer:
-INPUT_direct  all  --  anywhere             anywhere
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56632
-INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
-INPUT_ZONES  all  --  anywhere             anywhere
-DROP       all  --  anywhere             anywhere             ctstate INVALID
+;; OPT PSEUDOSECTION:
-REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
+; EDNS: version: 0, flags: do; udp: 1232
-...
+; COOKIE: 14cfa09283a1f4980100000069357b95d90b040d04f37247 (good)
+;; QUESTION SECTION:
+;ittraining.loc.                        IN      SOA
+;; ANSWER SECTION:
+ittraining.loc.         259200  IN      SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. 2025120703 28800 7200 2419200 86400
+ittraining.loc.         259200  IN      RRSIG   SOA 8 2 259200 20260106113903 20251207113903 18528 ittraining.loc. ANlboBzlffzcYC1G10cQuxvRP3XC5bvDP1+vBaxfh/B4BxgYGeQoDih2 uGqLxzDExRWix2a2B95uAkDGClaGdlFkYtU4voIQJWuAx0Goo6XaomEy rIdLGqoj9e2vdn6j2lVpJik9YgCTxP2GShVYc632XsAFPXN6SJrR3QdK o1x6KM1uPYddOxAX9fGNYj59ZXG84slUxreDejoqn2k8Rx68gxuzkIY3 oM5aUtbvL8bwjflk121mWxQ4vVhWR/KNk9SEc6AbZSqJXwmlY/vReOA+ pvPCdLYJ7Wf+S9kr1i1xT1y078Iqz2twASWBjBnP/adGQtKpn9SvKUEz ICTaNA==
+;; Query time: 0 msec
+;; SERVER: 10.0.2.46#53(debian12.ittraining.loc) (UDP)
+;; WHEN: Sun Dec 07 14:05:25 CET 2025
+;; MSG SIZE  rcvd: 423
 </code>
-Dernièrement, consultez les messages destinés à root :
+====3.9 - La chaîne de confiance DNS====
+Créez le DSSet à partir de la clef publique KSK :
 <code>
-[root@centos7 ~]# mail
+root@debian12:/etc/bind/zones# dnssec-dsfromkey -2 Kittraining.loc.+008+63515.key
-Heirloom Mail version 12.5 7/5/10.  Type ? for help.
+ittraining.loc. IN DS 63515 8 2 909F3FC8A2B34083B1268C0FE7FDAA851252626CDCDF4D8B51D97CB98C62FDA4
-"/var/spool/mail/root": 6 messages 6 new
->N  1 trainee@centos7.fene  Sat Apr 30 12:38  16/688   "*** SECURITY information for centos7.fenestros.loc ***"
- N  2 user@localhost.fenes  Tue May  9 15:21 1238/86160 "[abrt] firefox: plugin-container killed by SIGSEGV"
- N  3 (Cron Daemon)         Sun Aug  6 11:28  25/1061  "Cron <root@centos7> /sbin/service portsentry restart >/dev/null && /sbin/ser"
- N  4 (Cron Daemon)         Sun Aug  6 14:27  26/1328  "Cron <root@centos7> /sbin/service portsentry restart >/dev/null && /sbin/ser"
- N  5 (Cron Daemon)         Sun Aug  6 14:43  25/1168  "Cron <root@centos7> /sbin/service portsentry restart >/dev/null && /sbin/ser"
- N  6 root                  Sun Aug  6 14:52  18/658   "Portscan from 10.0.2.15 on port 143"
-& 6
-Message  6:
-From root@centos7.fenestros.loc  Sun Aug  6 14:52:43 2017
-Return-Path: <root@centos7.fenestros.loc>
-X-Original-To: root@localhost
-Delivered-To: root@localhost.fenestros.loc
-Date: Sun, 06 Aug 2017 14:52:43 +0200
-To: root@localhost.fenestros.loc
-Subject: Portscan from 10.0.2.15 on port 143
-User-Agent: Heirloom mailx 12.5 7/5/10
-Content-Type: text/plain; charset=us-ascii
-From: root@centos7.fenestros.loc (root)
-Status: R
+root@debian12:/etc/bind/zones# ls -l | grep dsset
+-rw-r--r-- 1 root bind    99 Dec  7 13:39 dsset-ittraining.loc.
-& q
+root@debian12:/etc/bind/zones# cat dsset-ittraining.loc.
-Held 6 messages in /var/spool/mail/root
+ittraining.loc.         IN DS 63515 8 2 909F3FC8A2B34083B1268C0FE7FDAA851252626CDCDF4D8B51D97CB9 8C62FDA4
-You have mail in /var/spool/mail/root
-[root@centos7 ~]#
 </code>
-Pour nettoyer la règle, re-démarrez le service **firewalld** :
+Il conviendrait maintenant d'insérer un enregistrement DSSet dans le DNS du domaine parent, dans notre cas **.loc**. Cet enregistrement comportera l'ID de la clef, soit **63515**, ainsi que le hash **909F3FC8A2B34083B1268C0FE7FDAA851252626CDCDF4D8B51D97CB98C62FDA4**
+Quand DNSSEC ne peut pas être validé, le résultat routorné par la commande dig est **SERVFAIL** :
 <code>
-[root@centos7 ~]# systemctl restart firewalld
+root@debian12:/etc/bind/zones# dig www.dnssec-failed.org +dnssec
-[root@centos7 ~]# iptables -L
-Chain INPUT (policy ACCEPT)
+; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> www.dnssec-failed.org +dnssec
-target     prot opt source               destination
+;; global options: +cmd
-ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
+;; Got answer:
-ACCEPT     all  --  anywhere             anywhere
+;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42077
-INPUT_direct  all  --  anywhere             anywhere
+;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
-INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
-INPUT_ZONES  all  --  anywhere             anywhere
+;; OPT PSEUDOSECTION:
-DROP       all  --  anywhere             anywhere             ctstate INVALID
+; EDNS: version: 0, flags: do; udp: 1232
-REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
+; COOKIE: 5321c94da922f6ca010000006935867f45a42de06e00bfa1 (good)
-...
+;; QUESTION SECTION:
+;www.dnssec-failed.org.         IN      A
+;; Query time: 140 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
+;; WHEN: Sun Dec 07 14:51:59 CET 2025
+;; MSG SIZE  rcvd: 78
 </code>
 -----
 Copyright © 2025 Hugh Norris.

Piste : • LDF406 - Sécurité Applicative • LDF407 - Balayage des Ports • LDF405 - System Hardening • LDF409 - Gestion de la Sécurité de Docker • LDF403 - Authentification • LDF400 - Administration de la Sécurité • LDF408 - Cryptologie • LDF401 - Gestion des Droits • LDF404 - Système de Fichiers • LDF410 - Validation de la Formation

Différences

Recherche

Imprimer/exporter

Menu