Snort has grown into a powerful Network Intrusion Detection/Prevention System (NIDS/NIPS) with multi-platform support, real-time traffic analysis and IP packet logging.
Configure the Aliyun CentOS 7 yum repository
mkdir /etc/yumback # create a backup directory
mv /etc/yum.repos.d/* /etc/yumback/ # move the official repo files into the yumback directory just created
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all
yum makecache
yum -y install epel-release
yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump nghttp2 glibc-headers gcc-c++ openssl openssl-devel
gcc-c++: C++ compiler
flex: parser generator required by DAQ
bison: parser generator required by DAQ
libpcap-devel: packet capture library headers required by Snort
libdnet-devel: not required; it only gives Snort a simplified, portable interface to several low-level networking routines
pcre-devel: PCRE headers required by Snort
tcpdump: tool that captures network packets and prints their contents
Upload the following packages to the server, then unpack them:
tar -zxvf snort-2.9.19.tar.gz
tar -zxvf daq-2.0.7.tar.gz
tar -zxvf LuaJIT-2.1.0-beta3.tar.gz
tar -zxvf libpcap-1.9.0.tar.gz
tar -zxvf libdnet-1.11.tar.gz
#libpcap
cd /root/libpcap-1.9.0 && ./configure && make && make install
#libdnet
cd /root/libdnet-1.11 && ./configure && make && make install
#daq
cd /root/daq-2.0.7 && ./configure && make && make install
#LuaJIT
cd /root/LuaJIT-2.1.0-beta3/src && make && cd .. && make install
#snort
cd /root/snort-2.9.19 && ./configure --enable-sourcefire && make && make install
# Snort installs its binary at /usr/local/bin/snort, so create a symlink at /usr/sbin/snort
ln -s /usr/local/bin/snort /usr/sbin/snort
mkdir /etc/snort # create the rules directory
mkdir /var/log/snort # create the log directory
mkdir /usr/local/lib/snort_dynamicrules # create the dynamic rules directory
# Running snort as root is unsafe, so create a dedicated user to run it
# create the account
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort
# Download the official rule set and configure it
# Official download page (registration and login required): https://snort.org/downloads
# The file downloaded here is snortrules-snapshot-29190.tar.gz
tar -zxvf snortrules-snapshot-29190.tar.gz -C /etc/snort
cp /etc/snort/etc/* /etc/snort/
# go into /etc/snort/so_rules/precompiled and pick the directory matching your system
cp /etc/snort/so_rules/precompiled/Centos-7/x86-64/2.9.19.0/* /usr/local/lib/snort_dynamicrules/
Four changes to make in snort.conf
vi /etc/snort/snort.conf
1. Change the relative paths in the following block to absolute paths
=====Before========================
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
=====Before========================
=====After=========================
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
=====After=========================
2. Delete the trailing backslash at the end of line 321 of snort.conf, and delete lines 322 and 323
=====Before========================
=====更改前========================
316 iis_delimiter no \
317 iis_unicode no \
318 multi_slash no \
319 utf_8 no \
320 u_encode yes \
321 webroot no \
322 decompress_swf { deflate lzma } \
323 decompress_pdf { deflate }
324
325 # ONC-RPC normalization and anomaly detection.
=====Before========================
=====After=========================
316 iis_delimiter no \
317 iis_unicode no \
318 multi_slash no \
319 utf_8 no \
320 u_encode yes \
321 webroot no
322
323 # ONC-RPC normalization and anomaly detection.
=====After=========================
3. Set the HOME_NET IP variable to this host's IP address
ipvar HOME_NET 192.168.200.10
4. Comment out the unneeded rule includes, but do not comment out include $RULE_PATH/local.rules; roughly lines 540 to 655 all get a # prefix
A vi substitution does this quickly:
:%s/include $RULE_PATH/#include $RULE_PATH/g
# then search for local.rules and remove the # in front of it
The purpose of this configuration is that, when Snort runs in intrusion detection mode, it works only with the custom rules defined in local.rules.
Create the empty list files referenced by WHITE_LIST_PATH and BLACK_LIST_PATH:
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
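The four snort.conf edits above, scripted with sed and followed by a check, as an added example that is not part of the original post. The absolute paths and the HOME_NET value are the ones the post uses; the miniature config the script operates on is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the four snort.conf edits from
# the text with sed, then verify the result. Absolute paths and the HOME_NET value
# are those used in the post; the miniature config below is constructed.
make_sample_conf() {
cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
ipvar HOME_NET any
preprocessor http_inspect_server: server default \
    u_encode yes \
    webroot no \
    decompress_swf { deflate lzma } \
    decompress_pdf { deflate }

include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF
}
# Edits 1-4 in order: absolute paths; drop the "\" after "webroot no" and the two
# decompress lines; set HOME_NET; comment out every $RULE_PATH include but local.rules.
apply_snort_conf_edits() {
    conf="$1"; home_ip="$2"
    sed -e 's|^\(var [A-Z_]*_PATH\) \.\./|\1 /etc/snort/|' \
        -e '/^[[:space:]]*webroot no[[:space:]]*\\$/s/[[:space:]]*\\$//' \
        -e '/^[[:space:]]*decompress_swf/d' -e '/^[[:space:]]*decompress_pdf/d' \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_ip|" \
        -e 's|^include \$RULE_PATH/|#include $RULE_PATH/|' \
        -e 's|^#include \$RULE_PATH/local\.rules|include $RULE_PATH/local.rules|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}
# Returns 0 only if all four edits are in place (run this before starting snort).
check_snort_conf() {
    conf="$1"
    if grep -q '^var [A-Z_]*_PATH \.\./' "$conf"; then return 1; fi
    active=$(grep -c '^include \$RULE_PATH/' "$conf" || true)
    [ "$active" -eq 1 ] || return 1
    grep -q '^include \$RULE_PATH/local\.rules' "$conf" || return 1
    if grep -q '^ipvar HOME_NET any' "$conf"; then return 1; fi
    if grep -q -e '^[[:space:]]*decompress_swf' -e '^[[:space:]]*decompress_pdf' "$conf"; then return 1; fi
    return 0
}
# Stand-alone demo on the constructed sample (on a real host pass /etc/snort/snort.conf).
f=$(mktemp); make_sample_conf "$f"; apply_snort_conf_edits "$f" 192.168.200.10
check_snort_conf "$f" && echo "all four snort.conf edits verified" && cat "$f"; rm -f "$f"
```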
[root@localhost ~]# snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.19 GRE (Build 85)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.9.0-PRE-GIT (with TPACKET_V3)
Using PCRE version: 8.32 2012-11-30
Using ZLIB version: 1.2.7
Ping test
vi /etc/snort/rules/local.rules
# append the following line at the end of the file
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"We are being pinged!";icode:0;itype:8;sid:10000003;rev:1;)
# start snort
# open two terminals: start snort in one and follow the alert log in the other
shell1 : snort -e -A full -c /etc/snort/snort.conf
shell2 : tail -f /var/log/snort/alert
# then ping the snort host from another machine,
# and the alert log in shell2 shows the rule firing
[**] [1:10000003:1] We are being pinged! [**]
[Priority: 0]
04/16-10:28:27.949163 00:50:56:C0:00:08 -> 00:0C:29:C6:6E:91 type:0x800 len:0x4A
192.168.200.1 -> 192.168.200.10 ICMP TTL:64 TOS:0x0 ID:9816 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:21 ECHO
Original work statement: this article was published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.
If it infringes your rights, contact cloudcommunity@tencent.com for removal.