nJcx's Blog

生而不忧,死而不怖。得其时横刀天下,不得其时蓬头而行。

snort 学习记录


介绍

在1998年,Marty Roesch先生用C语言开发了开放源代码(Open Source)的入侵检测系统Snort.直至今天,Snort已发展成为一个多平台(Multi-Platform),实时(Real-Time)流量分析,网络IP数据包(Pocket)记录等特性的强大的网络入侵检测/防御系统(Network Intrusion Detection/Prevention System),即NIDS/NIPS.Snort符合通用公共许可(GPL——GNU General Pubic License),在网上可以通过免费下载获得Snort,并且只需要几分钟就可以安装并开始使用它。snort基于libpcap。

安装

# curl -Ls https://www.snort.org/downloads/snort/snort-2.9.12.tar.gz | tar zx

# curl -Ls https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz | tar zx

# yum install luagit luagit-devel flex bison libdnet-devel libdnet libpcap libpcap-devel gcc gcc-c++ pcre-devel zlib-devel -y

如果这里找不到luagit,那就编译一个吧
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0 && make && make install 

# cd daq-2.0.6 && ./configure  && make && make install

# cd snort-2.9.12 && ./configure --enable-sourcefire --prefix=/opt/snort && make && make install

# cp -r etc /opt/snort/
# mkdir -p /opt/snort/log

# wget https://www.snort.org/rules/snortrules-snapshot-29111.tar.gz?oinkcode=bcc56dad6b79c5929c7f70985501f7dbabf9dab1 -O snortrules-snapshot-29111.tar.gz

# cd /opt/ && curl -Ls https://www.snort.org/downloads/community/community-rules.tar.gz | tar zx

# cp -r rules preproc_rules so_rules snort
# cd /opt/community-rules && cp community.rules /opt/snort/rules/ 

# mkdir -p /opt/snort/snort_dynamicrules

# touch /opt/snort/rules/black_list.rules
# touch /opt/snort/rules/white_list.rules

然后在 /opt/snort/etc/snort.conf 相关的行数改为下面这个样子

246 # path to dynamic preprocessor libraries
247 dynamicpreprocessor directory /opt/snort/lib/snort_dynamicpreprocessor/
248
249 # path to base preprocessor engine
250 dynamicengine /opt/snort/lib/snort_dynamicengine/libsf_engine.so
251
252 # path to dynamic rules libraries
253 dynamicdetection directory /opt/snort/snort_dynamicrules
652 include $RULE_PATH/community.rules
[root@localhost bin]# ./snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

测试配置文件

/opt/snort/bin/snort -T -c /opt/snort/etc/snort.conf
[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 267
|     1 byte states : 252
|     2 byte states : 15
|     4 byte states : 0
| Characters        : 216598
| States            : 167409
| Transitions       : 27834173
| State Density     : 64.9%
| Patterns          : 10745
| Match States      : 11141
| Memory (MB)       : 86.63
|   Patterns        : 1.23
|   Match Lists     : 2.80
|   DFA
|     1 byte states : 1.56
|     2 byte states : 80.58
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 607 ]

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.


           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0  <Build 1>
           Preprocessor Object: appid  Version 1.1  <Build 5>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>

Snort successfully validated the configuration!
Snort exiting

测试通过

使用

/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -i ens33 -l /opt/snort/log -D

这里通过 -i 指定网卡, -c 指定配置文件, 通过-l 指定log 输出的目录,通过 -D 把进程放到后面运行,就可以在 /opt/snort/log 下面看到警告了