Snort Basics
Installation
sudo apt install -y gcc libpcre3-dev zlib1g-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex libdnet
mkdir ~/snort && cd ~/snort
# download daq-2.0.6.tar.gz into the current directory
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install
cd ~/snort
# download snort-2.9.11.1.tar.gz
tar -xvzf snort-2.9.11.1.tar.gz
cd snort-2.9.11.1
./configure --enable-sourcefire && make && sudo make install
Configuration
Edit the configuration file, download the rules, and test.
sudo ldconfig
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
# the config, log and dynamic-rule directories must exist before they can be chmod'ed and chown'ed
sudo mkdir -p /etc/snort/rules /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo chmod -R 5775 /etc/snort/
sudo chmod -R 5775 /var/log/snort/
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules/
# replace pinvon:pinvon with your own user and group
sudo chown -R pinvon:pinvon /etc/snort/
sudo chown -R pinvon:pinvon /var/log/snort/
sudo chown -R pinvon:pinvon /usr/local/lib/snort_dynamicrules/
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules
cp ~/snort/snort-2.9.11.1/etc/*.conf* /etc/snort
cp ~/snort/snort-2.9.11.1/etc/*.map /etc/snort
Download the rules: community-rules.tar
sudo tar -xvf community-rules.tar -C ~/snort
cd ~/snort/community-rules
sudo cp * /etc/snort/rules
# comment out every existing "include $RULE_PATH/..." line; the ones you need are re-enabled below
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
Edit the configuration file /etc/snort/snort.conf
# to protect a specific host, set HOME_NET to that host's IP
ipvar HOME_NET <IP of the host to protect>
ipvar EXTERNAL_NET !$HOME_NET
# rule paths
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# at the end of the file
include $RULE_PATH/community.rules
Validate the configuration
sudo snort -T -c /etc/snort/snort.conf
# on success the last lines of the output read:
# Snort successfully validated the configuration!
# Snort exiting
Test the configuration
Open /etc/snort/rules/local.rules and append the rules you need on the last line, for example:
include $RULE_PATH/local.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/telnet.rules
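Before running `snort -T`, it helps to catch the two mistakes that most often make validation fail after the edits above: an `include $RULE_PATH/...` line that points at a rule file which was never copied into RULE_PATH, and two local rules that share a sid. The script below is an added example, not part of the original post; it reads RULE_PATH from a snort.conf, checks every active include, and reports duplicate sids across the loaded rule files. The snort.conf, the rules directory and the sample rules it builds in a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check to run before
# "snort -T". It reads RULE_PATH from a snort.conf, confirms that every active
# "include $RULE_PATH/<file>" line points at a file that exists, and reports sids
# that appear more than once across the loaded rule files (snort -T rejects
# duplicate sids). File paths and the sample rules below are constructed.

# check_snort_conf <snort.conf>: print one line per problem, return 1 if any.
check_snort_conf() {
    conf="$1"
    rule_path=$(sed -n 's/^var RULE_PATH[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$rule_path" ]; then
        echo "RULE_PATH is not set in $conf"
        return 1
    fi
    status=0
    included=""
    # Only uncommented includes count; the "#include" lines produced by the
    # sed command in the setup above are ignored. Rule file names have no spaces.
    for f in $(sed -n 's/^include[[:space:]]*\$RULE_PATH\/[[:space:]]*//p' "$conf"); do
        if [ -f "$rule_path/$f" ]; then
            included="$included $rule_path/$f"
        else
            echo "missing rule file: $rule_path/$f"
            status=1
        fi
    done
    if [ -n "$included" ]; then
        # Pull every sid:<n> from non-comment lines and keep the ones seen twice.
        dups=$(cat $included | grep -v '^[[:space:]]*#' \
               | grep -o 'sid:[[:space:]]*[0-9][0-9]*' | tr -d ' ' | sort | uniq -d)
        for d in $dups; do
            echo "duplicate $d in loaded rules"
            status=1
        done
    fi
    return $status
}

# demo: build a throwaway config with one missing include and one duplicate sid,
# run the check on it, and clean up. Returns the check's exit status.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rules"
    cat > "$tmp/snort.conf" <<EOF
ipvar HOME_NET 192.0.2.10
ipvar EXTERNAL_NET !\$HOME_NET
var RULE_PATH $tmp/rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/dos.rules
EOF
    # constructed local.rules: two local rules that accidentally share sid 1000001
    cat > "$tmp/rules/local.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"ICMP to protected host"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"Telnet to protected host"; sid:1000001; rev:1;)
EOF
    if check_snort_conf "$tmp/snort.conf"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo || echo "fix the problems above, then run: sudo snort -T -c /etc/snort/snort.conf"
```

On the constructed input the check prints one `missing rule file` line for dos.rules and one `duplicate sid:1000001` line and returns 1; run it as `check_snort_conf /etc/snort/snort.conf` against the real file once the rules have been copied. Local rules should use sids of 1000000 and above so they never collide with the community rule set.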
Start:
# listen on a network interface
# -u/-g drop privileges to the snort user and group after start-up; that account must exist
# (for example: sudo groupadd snort && sudo useradd -r -g snort snort), or leave the two flags out
sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf
# read an existing pcap file instead of live traffic
snort -r xxx.pcap -c /etc/snort/snort.conf
If Snort reports an error about an unknown classtype, edit snort.conf so that classification.config is included by its absolute path:
# change "include /classification.config" to:
include /etc/snort/classification.config
To set the output format, open /etc/snort/snort.conf and append one of the following at the end:
output alert_csv: /var/log/alert.csv default
# or choose the output fields yourself
output alert_csv: /var/log/alert.csv timestamp, msg
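Once alerts land in alert.csv, the first thing worth knowing is which rules fire most, both to spot a real event and to find rules that need tuning. The script below is an added example, not part of the original post; it summarises a log written with the custom `timestamp, msg` field list shown above. The log path, the sample alert lines and their timestamps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: summarise an alert.csv written with
# the custom field list "timestamp, msg" from the output line above. The log
# path, the sample alert lines and their timestamps are constructed.

# alert_summary <alert.csv>: print "<count> <msg>" per rule message, most frequent first.
alert_summary() {
    # alert_csv emits the configured fields in order, comma separated and unquoted,
    # so with "timestamp, msg" everything after the first comma is the message.
    grep -v '^[[:space:]]*$' "$1" | cut -d, -f2- | sort | uniq -c | sort -rn \
        | sed 's/^[[:space:]]*//'
}

# noisy_rules <alert.csv> <min>: messages that fired at least <min> times,
# the first candidates for tuning (or escalation) after a capture.
noisy_rules() {
    alert_summary "$1" | awk -v min="$2" '$1 >= min { sub(/^[0-9]+ /, ""); print }'
}

# make_sample_log: write a constructed alert.csv to a temp file and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
05/25-11:58:15.384768,ICMP to protected host
05/25-11:58:16.001122,ICMP to protected host
05/25-11:58:16.552311,Telnet to protected host
05/25-11:58:17.003004,ICMP to protected host
05/25-11:58:18.777000,Telnet to protected host
05/25-11:58:20.100000,Possible port scan
EOF
    echo "$f"
}

log=$(make_sample_log)
alert_summary "$log"
echo "--- fired at least twice ---"
noisy_rules "$log" 2
rm -f "$log"
```

Against a real capture run `alert_summary /var/log/alert.csv`. Because alert_csv does not quote its fields, a comma inside a rule's msg text would split the line; the `cut -d, -f2-` keeps such a message whole only because msg is the last field in this layout, so either keep commas out of msg strings or keep msg as the final field.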
Copyright © 2014 - Pinvon - Powered by EGO