Snort初探

2022-02-26 06:45:45

Snort初探

概念:

  Snort是一款开源的网络入侵防御系统(IPS),可以实时分析和记录网络数据包,你可以通过执行协议分析、内容搜索和匹配,从而发现各种网络攻击和可疑的探测。例如,缓冲区溢出、端口扫描、CGI攻击、SMB探测等。

安装:

OS version:CentOS 6.5

DAQ version:2.0.6

Snort version:2.9.8.0

依赖包:

gcc、flex、bison、zlib、libpcap、pcre、libdnet、tcpdump

libnetfilter_queue(IPS支持) --> libmnl、libnfnetlink

以上建议使用yum安装,若出现版本问题,再通过编译源码安装,

本文大部分使用源码编译,源码包可自行到网上下载,也可通过本文最后给的Github地址下载本文所使用的所有源码包。

依赖包安装:

yum -y install gcc flex bison zlib pcre tcpdump

安装libpcap

tar -zxf libpcap-1.7.4.tar.gz

cd libpcap-1.7.4

./configure --prefix=/usr/local --libdir=/usr/local/lib64

make && make install

PS:若不是安装在/ 或者 /usr 底下 需要在/etc/ld.so.conf.d/local.conf中加入安装的lib路径, 文件不存在可自行创建 使用ldconfig使配置生效

ldconfig -p | grep NAME   可以查看是否能找到该动态库

安装libdnet

tar -zxf libdnet-1.12.tgz

cd libdnet-1.12

./configure "CFLAGS=-fPIC -g -O2" --prefix=/usr --libdir=/usr/lib64

make && make install

安装DAQ:

若要支持IPS(入侵防御系统),安装DAQ前需安装libnetfilter_queue ,libnetfilter_queue需要libmnl、libnfnetlink 支持。

安装libmnl

tar -jxf libmnl-1.0.3.tar.bz2

cd libmnl-1.0.3

./configure --prefix=/usr --libdir=/usr/lib64

make && make install

安装libnfnetlink

tar -jxf libnfnetlink-1.0.1.tar.bz2

cd libnfnetlink-1.0.1

./configure --prefix=/usr --libdir=/usr/lib64

make && make install

安装libnetfilter_queue

tar -jxf libnetfilter_queue-1.0.2.tar.bz2

cd libnetfilter_queue-1.0.2

./configure --prefix=/usr --libdir=/usr/lib64

make && make install

安装daq

tar -zxf daq-2.0.6.tar.gz

cd daq-2.0.6

./configure --prefix=/usr/local --libdir=/usr/local/lib64

PS:需确保NFQ module已enabled:Build NFQ DAQ module....... : yes,否则修改/usr/include/libnetfilter_queue/linux_nfnetlink_queue.h,

#include <libnfnetlink/linux_nfnetlink.h>改成#include <libnfnetlink/libnfnetlink.h>

然后再重新configure一次。

make && make

安装Snort

tar -zxf snort-2.9.8.0.tar.gz

cd snort-2.9.8.0

./configure --prefix=/usr/local/snort

make && make install

至此,snort就安装完成了,可运行/usr/local/snort/bin/snort 查看snort能否正常工作。

启动配置:

创建snort用户

useradd snort

创建日志目录

mkdir /var/log/snort

启动脚本可以在官方网站中下载,根据自己的系统进行选择。

Snort初探

将启动脚本snortd拷贝到/etc/init.d/中

cp /path/to/snortd /etc/init.d/

另外,需要在 /etc/sysconfig/中创建一个snort的文件

touch /etc/sysconfig/snort

添加以下内容:

 # /etc/sysconfig/snort

 # $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $

 #### General Configuration

 INTERFACE="eth0:eth1"    //指定接入网口

 USER="snort"             //指定用户

 GROUP="snort"       //指定用户组

 #### Logging & Alerting

 SNORT_OPTIONS="-A fast -b -Q --daq nfq --daq-mode inline --daq-var queue=8"    //启动相关指令

rule配置:

从官网下载最新版本的rule文件

Snort初探

在/etc/中创建snort文件夹

mkdir /etc/snort

在rule文件解压到该文件夹中

tar -zxf snortrules-snapshot-2976.tar.gz -C /etc/snort

更改/etc/snort/etc/snort.conf

 # path to dynamic preprocessor libraries

 dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/      //指定到snort的lib目录中

 # path to base preprocessor engine

 dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so             //指定到snort的lib目录中

 # path to dynamic rules libraries

 dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.7.6  //指定到so_rules中的具体系统的目录

touch /etc/snort/rules/black_list.rules /etc/snort/rules/white_list.rules

本文中使用的启动脚本有做过改动,用于支持IPS。

snortd文件如下:

 #!/bin/sh

 #

 # snortd         Start/Stop the snort IDS daemon.

 #

 # chkconfig: 2345 40 60

 # description:  snort is a lightweight network intrusion detection tool that

 #               currently detects more than 1100 host and network

 #               vulnerabilities, portscans, backdoors, and more.

 #

 # June 10, 2000 -- Dave Wreski <dave@linuxsecurity.com>

 #   - initial version

 #

 # July 08, 2000 Dave Wreski <dave@guardiandigital.com>

 #   - added snort user/group

 #   - support for 1.6.2

 # July 31, 2000 Wim Vandersmissen <wim@bofh.st>

 #   - added chroot support

 # Source function library.

 . /etc/rc.d/init.d/functions

 # source the interface to listen on

 . /etc/sysconfig/snort

 # See how we were called.

 case "$1" in

   start)

         echo -n "Starting snort: "

     if [ -f /var/lock/subsys/snort ];then

         status snort

     else

             cd /var/log/snort

             daemon /usr/local/snort/bin/snort -D $SNORT_OPTIONS \

                     -c /etc/snort/etc/snort.conf

             touch /var/lock/subsys/snort

     fi

         # for NFQ mode

     /sbin/iptables -t raw -nL | grep "NFQUEUE" 2>&1 >/dev/null

     RETV=$?

     if [ $RETV != 0 ];then

         /sbin/iptables -t raw -A PREROUTING -p tcp -m multiport --dports 8080 -j NFQUEUE --queue-num 8  //将通过该端口的数据导入NFQ列表供snort检测

         #/sbin/iptables -t raw -A PREROUTING -p udp -j NFQUEUE --queue-num 8

     else

         exit $RETV

     fi

         echo

         ;;

   stop)

         echo -n "Stopping snort: "

         # for NFQ mode

         /sbin/iptables -t raw -D PREROUTING -p tcp -m multiport --dports 8080 -j NFQUEUE --queue-num 8

         #/sbin/iptables -t raw -D PREROUTING -p udp -j NFQUEUE --queue-num 8

         killproc snort

         rm -f /var/lock/subsys/snort

         echo

         ;;

   restart)

         $0 stop

         $0 start

         ;;

   status)

         status snort

         ;;

   *)

         echo "Usage: $0 {start|stop|restart|status}"

         exit 1

 esac

 exit 0

启动snort

chmod a+x /etc/init.d/snortd

/etc/init.d/snortd start

启动正常后,若有可疑攻击,可在/var/log/snort/alter文件中查看到被拒绝的规则信息。

Snort简易安装脚本和源码包:https://github.com/Code-CC/Security/tree/master/snort

参考:

https://www.snort.org/documents

https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/023/original/ids2ips.txt?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1449938392&Signature=T27xIDifF9HvCxORWyltW5Ey7pA%3D

上一篇:各机器学习方法代码(OpenCV2)


下一篇:MyBatis 常见面试题总结