Snort has three operating modes: sniffer mode, packet logger mode, and network intrusion detection mode.
• Sniffer mode.
Snort uses the libpcap packet capture library. In this mode, Snort puts the network interface into promiscuous mode and reads and decodes packets. The command for this mode is shown below.
localhost:~# snort -v
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.3.1 IPv6 GRE (Build 40)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.02 2010-03-19
Using ZLIB version: 1.2.3.4
Commencing packet processing (pid=5053)
Note that the parameter here is a lowercase v; an uppercase V prints the Snort version instead. The output above shows only the TCP/IP packet headers. To also see the application-layer payload, enter the following command.
#snort -vd
This command does not write any log to the /var/log/snort/ directory.
• Packet logger mode.
Snort can also extract only the data of interest. For example, the following command reads back only ICMP packets from a previously recorded log file:
#snort -dvr snort.log.140493321 icmp
The following command reads back only TCP packets:
#snort -dvr snort.log.140493321 tcp
To log only the traffic of a particular subnet, use the following command (note that a log directory must already exist in the current directory):
# snort -vde -l ./log -h 10.32.14.0/24
Part of the output of this command is shown below:
Running in packet logging mode
--== Initializing Snort ==--
Initializing Output Plugins!
Log directory = ./log //log storage path
pcap DAQ configured to passive.
Acquiring network traffic from "eth0". //capture traffic from the eth0 interface
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.3.1 IPv6 GRE (Build 40)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.02 2010-03-19
Using ZLIB version: 1.2.3.4
Commencing packet processing (pid=4569) //packet processing starts
^C*** Caught Int-Signal
=======================================================================
Run time for packet processing was 5.193675 seconds //time spent analyzing packets
Snort processed 7 packets.
Snort ran for 0 days 0 hours 0 minutes 5 seconds
Pkts/sec: 1 //average receive rate (packets per second)
=======================================================================
Packet I/O Totals: //packet input/output totals
Received: 7 //packets received
Analyzed: 7 (100.000%) //packets analyzed
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
=======================================================================
Breakdown by protocol (includes rebuilt packets): //breakdown by protocol (including reassembled packets)
Eth: 7 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 4 ( 57.143%)
Frag: 0 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 0 ( 0.000%)
TCP: 4 ( 57.143%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 3 ( 42.857%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 0 ( 0.000%)
Bad Chk Sum: 2 ( 28.571%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 0 ( 0.000%)
S5 G 2: 0 ( 0.000%)
Total: 7
========================================================================
Snort exiting
The next experiment is more involved; the environment is OSSIM 4. Start Snort from the command line:
#snort -l /var/log/snort/ -c /etc/snort/snort.conf
Press Ctrl+C to stop the program. The output received is shown below:
[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format : Full-Q
| Finite Automaton : DFA
| Alphabet Size : 256 Chars
| Sizeof State : Variable (1,2,4 bytes)
| Instances : 144
| 1 byte states : 132
| 2 byte states : 12
| 4 byte states : 0
| Characters : 67366
| States : 41455
| Transitions : 1910758
| State Density : 18.0%
| Patterns : 4676
| Match States : 4776
| Memory (MB) : 21.56
| Patterns : 0.49
| Match Lists : 1.01
| DFA
| 1 byte states : 0.96
| 2 byte states : 18.82
| 4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 1332 ]
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Reload thread starting...
Reload thread started, thread 0x7fd8f6273700 (5649)
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.3.1 IPv6 GRE (Build 40)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.02 2010-03-19
Using ZLIB version: 1.2.3.4
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.16 <Build 18>
Preprocessor Object: SF_GTP (IPV6) Version 1.1 <Build 1>
dcerpc2 Preprocessor Statistics
Total sessions: 0
========================================================================
SIP Preprocessor Statistics
Total sessions: 0
========================================================================
Snort exiting
The number of alerts equals the number of records seen in the log, and the two match. View the log details from another console as shown below:
#tail -f /var/log/auth.log
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34939 -> 193.62.202.28:80
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34939 -> 193.62.202.28:80
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34939 -> 193.62.202.28:80
Apr 5 06:24:05 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34939 -> 193.62.202.28:80
Apr 5 06:24:05 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
Apr 5 06:24:05 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
At this point the normalized Snort events can also be seen in the SIEM console, as shown in Figure 1.
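The check described above (alert count matching the number of log records) can be automated by parsing the syslog alert lines in the format shown. The following is an added example, not part of the original text or of Snort; the sample lines are constructed in the page's format and the sshd line is a hypothetical non-Snort entry.

```python
import re
from collections import Counter

# Field layout of a Snort syslog alert as it appears in /var/log/auth.log:
# ... snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Parse one syslog line; return a dict of alert fields, or None for non-Snort lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Count alerts per signature (gid, sid, rev) and per destination, ignoring other lines."""
    per_sig, per_dst, total = Counter(), Counter(), 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        total += 1
        per_sig[(rec["gid"], rec["sid"], rec["rev"])] += 1
        per_dst[(rec["dst"], rec["dport"])] += 1
    return {"total": total, "per_sig": dict(per_sig), "per_dst": dict(per_dst)}


# Constructed sample lines in the format shown on the page (values are illustrative only).
_MSG = ("[1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to "
        "package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} ")
SAMPLE = [
    "Apr 5 06:24:04 alienvault snort[4133]: " + _MSG + "192.168.11.201:34939 -> 193.62.202.28:80",
    "Apr 5 06:24:04 alienvault sshd[4201]: Accepted publickey for admin from 192.168.11.5",
    "Apr 5 06:24:04 alienvault snort[4133]: " + _MSG + "192.168.11.201:34331 -> 52.28.229.156:80",
    "Apr 5 06:24:05 alienvault snort[4133]: " + _MSG + "192.168.11.201:34939 -> 193.62.202.28:80",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it against `tail -f /var/log/auth.log` output (or a saved copy) to compare the per-signature totals with what the SIEM console shows.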
• Network intrusion detection mode.
Network intrusion detection mode combines sniffer mode and packet logger mode (captured packets are written to the specified directory) and requires the Snort rule set to be loaded in order to work. The command is as follows:
#snort -vde -l ./log -h 10.32.14.0/24 -c /etc/snort/snort.conf
Note that the log directory must already exist in the current directory. If the "-l ./log" parameter is given, the logs that would otherwise be written to /var/log/snort/ are written to the log directory under the current directory instead.