简介

Snort是美国Sourcefire公司开发的发布在GPL v2下的IDS(Intrusion Detection System)软件,在1998年,Marty Roesch先生用C语言开发了开放源代码(Open Source)的入侵检测系统Snort.直至今天,Snort已发展成为一个多平台(Multi-Platform),实时(Real-Time)流量分析,网络IP数据包(Pocket)记录等特性的强大的网络入侵检测/防御系统(Network Intrusion Detection/Prevention System),即NIDS/NIPS

工作原理

Snort通过在网络TCP/IP的5层结构的数据链路层进行抓取网络数据包,抓包时需将网卡设置为混杂模式,根据操作系统的不同采用libpcap或winpcap函数从网络中捕获数据包;然后将捕获的数据包送到包解码器进行解码。网络中的数据包有可能是以太网包、令牌环包、TCP/IP包、802.11包等格式。在这一过程包解码器将其解码成Snort认识的统一的格式;之后就将数据包送到预处理器进行处理,预处理包括能分片的数据包进行重新组装,处理一些明显的错误等问题。预处理的过程主要是通过插件来完成,比如Http预处理器完成对Http请求解码的规格化,Frag2事务处理器完成数据包的组装,Stream4预处理器用来使Snort状态化,端口扫描预处理器能检测端口扫描的能力等;对数据包进行了解码,过滤,预处理后,进入了Snort的最重要一环,进行规则的建立及根据规则进行检测。规则检测是Snort中最重要的部分,作用是检测数据包中是否包含有入侵行为。例如规则alert tcp any any ->202.12.1.0/24 80(msg:”misc large tcp packet”;dsize:>3000;)这条规则的意思是,当一个流入202.12.1.0这个网段的TCP包长度超过3000B时就发出警报。规则语法涉及到协议的类型、内容、长度、报头等各种要素。处理规则文件的时候,用三维链表来存规则信息以便和后面的数据包进行匹配,三维链表一旦构建好了,就通过某种方法查找三维链表并进行匹配和发生响应。规则检测的处理能力需要根据规则的数量,运行Snort机器的性能,网络负载等因素决定;最后一步就是输出模块,经过检测后的数据包需要以各种形式将结果进行输出,输出形式可以是输出到alert文件、其它日志文件、数据库UNIX域或Socket等。

安装(ubuntu14.04)

安装snort前,首先需要安装一些依赖包 数据采集库(DAQ))用于一个调用包捕获库的抽象层

https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

解压并运行./configure、make、make install来安装DAQ。然而,DAQ要求其他的工具,因此,./configure脚本会生成下面的错误

因此在安装DAQ之前先安装flex/bison和libcap

apt-get install flex
apt-get install bison
apt-get install libcap-dev

安装完必要的工具后,再次运行./configure脚本,将会显示下面的输出, 然后使用make和make install 命令进行编译

成功安装DAQ之后,我们现在安装snort

https://www.cnblogs.com/lcamry/p/6339475.html

apt-get install snort

snort命令参数详解

 snort -[options] <filters>
root@ubuntu-virtual-machine:~# snort --help

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

USAGE: snort [-options] <filter options>
Options:
        -A         #设置报警模式
                    Set alert mode: fast, full, console, test or none  (alert file alerts only)
                    "unsock" enables UNIX socket logging (experimental).

        -b         #用二进制文件保存网络数据包,以应付高吞吐量的网络
                    Log packets in tcpdump format (much faster!)

        -B <mask>  #将IP地址信息抹掉,去隐私化
                    Obfuscated IP addresses in alerts and packet dumps using CIDR mask

        -c <rules> #使用配置文件规则,使得snort进入IDS模式
                    Use Rules File <rules>

        -C         #打印出只有字符数据的有效载荷(无十六进制)
                    Print out payloads with character data only (no hex)

        -d         #显示包的应用层数据
                    Dump the Application Layer

        -D         #后台运行snort,如无指定,Alerts将写到/var/log/snort/alert
                    Run Snort in background (daemon) mode

        -e         #显示数据链路层信息
                    Display the second layer header info

        -f         #激活PCAP行缓冲(line buffering)
                    Turn off fflush() calls after binary log writes

        -F <bpf>   #指定BPF过滤器
                    Read BPF filters from file <bpf>

        -g <gname> #初始化Snort后以组ID(group ID)运行
                    Run snort gid as <gname> group (or gid) after initialization

        -G <0xid>  #为事件生成设置一个基础事件id值
                    Log Identifier (to uniquely id events for multiple snorts)

        -h <hn>    #设置本地网络为hn,如192.168.1.0/24
                    Set home network = <hn>
                   (for use with -l or -B, does NOT change $HOME_NET in IDS mode)

        -H         #
                    Make hash tables deterministic.

        -i <if>    #设置网络接口为<if>。可以用-W选项查询网络接口列表,然后用接口序号index指定接口。如-i 2
                    Listen on interface <if>

        -I         #报警时附加上接口信息
                    Add Interface name to alert output

        -k <mode>  #为all,noip,notcp,noudp,noicmp,or none设置校验和模式
                    Checksum mode (all,noip,notcp,noudp,noicmp,none)

        -K <mode>  #设置保存文件的格式:pcap,ascii, none。pcap是默认格式,同于-b选项的格式。ascii是老的模式格式。none则关闭数据包记录
                    Logging mode (pcap[default],ascii,none)

        -l <ld>    #设置数据包文件存放目录<ld>。默认目录是/var/log/snort
                    Log to directory <ld>

        -L <file>  #设置二进制输出文件的文件名为<fn>
                    Log to this tcpdump file

        -M         #当以非后台模式daemon运行时,保存信息到syslog
                    Log messages to syslog (not alerts)

        -m <umask> #设置snort输出文件的权限位
                    Set umask = <umask>

        -n <cnt>   #出来<count>个报文后终止程序
                    Exit after receiving <cnt> packets

        -N         #关闭保存日志包功能
                    Turn off logging (alerts still work)
        -O         #在ASCII数据包捕获模式下混淆IP地址
                    Obfuscate the logged IP addresses

        -p         #关闭混杂模式
                    Disable promiscuous mode sniffing

        -P <snap>  #设置snaplen,默认值是当前网卡的MTU
                    Set explicit snaplen of packet (default: 1514)

        -q         #安静模式,不显示标志和状态报告
                    Quiet. Don't show banner and status report

        -Q         #当在线(in-line)运行时,从iptables/IPQ中读取数据包
                    Enable inline mode operation.

        -r <tf>    #从pcap格式的文件中读取数据包
                    Read and process tcpdump file <tf>

        -R <id>    # 为snort pidfile增加下标
                    Include 'id' in snort_intf<id>.pid file name

        -s         #使snort把报警消息发送到syslog,默认的设备是LOG_AUTHPRIV和LOG_ALERT。可以修改snort.conf文件修改其配置
                    Log alert messages to syslog

        -S <n=v>   #为变量n设置值为v
                    Set rules file variable n equal to value v

        -t <dir>   #初始化后将Snort的根目录改变为<chroot>
                    Chroots process to <dir> after initialization

        -T         # 以自检测模式启动Snort
                    Test and report on the current Snort configuration

        -u <uname> #初始化后改变Snort的UID
                    Run snort uid as <uname> user (or uid) after initialization

        -U         #在时间戳上用UTC时间代替本地时间
                    Use UTC for timestamps

        -v         #从网络上读出数据包然后显示在你的控制台上
                    Be verbose

        -V         #查看版本号并退出
                    Show version number

        -X         #显示包括数据链路层的原始数据包
                    Dump the raw packet data starting at the link layer

        -x         #如果出现Snort配置问题,请退出
                    Exit if Snort configuration problems occur

        -y         #在时间戳里显示年份
                    Include year in timestamp in the alert and log files

        -Z <file>  #设置性能监视器(perfmon)路径
                    Set the performonitor preprocessor file path and name

        -?         #帮助信息
                    Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
   --logid <0xid>                  Same as -G
   --perfmon-file <file>           Same as -Z
   --pid-path <dir>                #为SnortPID文件指定路径
                                    Specify the directory for the Snort PID file

   --snaplen <snap>                Same as -P
   --help                          Same as -?
   --version                       Same as -V
   --alert-before-pass             #在pass之前处理alert, drop, sdrop, or reject. 默认是pass before alert, drop, etc.
                                    Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...

   --treat-drop-as-alert           #将drop处理为alert
                                    Converts drop, sdrop, and reject rules into alert rules during startup

   --treat-drop-as-ignore          Use drop, sdrop, and reject rules to ignore session traffic when not inline.
   --process-all-events            Process all queued events (drop, alert,...), default stops after 1st action group
   --enable-inline-test            Enable Inline-Test Mode Operation
   --dynamic-engine-lib <file>     Load a dynamic detection engine
   --dynamic-engine-lib-dir <path> Load all dynamic engines from directory
   --dynamic-detection-lib <file>  Load a dynamic rules library
   --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
   --dump-dynamic-rules <path>     Creates stub rule files of all loaded rules libraries
   --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library
   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
   --dynamic-output-lib <file>  Load a dynamic output library
   --dynamic-output-lib-dir <path> Load all dynamic output libraries from directory
   --create-pidfile                Create PID file, even when not in Daemon mode
   --nolock-pidfile                Do not try to lock Snort PID file
   --no-interface-pidfile          Do not include the interface name in Snort PID file
   --disable-attribute-reload-thread Do not create a thread to reload the attribute table
   --pcap-single <tf>              #读取单个pcap文件
                                    Same as -r.

   --pcap-file <file>              #读取多个pcap文件
                                    file that contains a list of pcaps to read - read mode is implied.

   --pcap-list "<list>"            #以列表的形式在命令行读取
                                    a space separated list of pcaps to read - read mode is implied.

   --pcap-dir <dir>                #读取指定目录下的所有pcap文件
                                    a directory to recurse to look for pcaps - read mode is implied.
                                    
   --pcap-filter <filter>          #用过滤方式读取pcap文件
                                    filter to apply when getting pcaps from file or directory.
                                    
   --pcap-no-filter               #用非过滤方式读取pcap文件
                                    reset to use no filter when getting pcaps from file or directory.
                                    
   --pcap-loop <count>             this option will read the pcaps specified on command line continuously.
                                   for <count> times.  A value of 0 will read until Snort is terminated.
   --pcap-reset                    if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
   --pcap-reload                   if reading multiple pcaps, reload snort config between pcaps.
   --pcap-show                     print a line saying what pcap is currently being read.
   --exit-check <count>            Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
                                   takes from signaling until DAQ_Stop() is called.
   --conf-error-out                Same as -x
   --enable-mpls-multicast         Allow multicast MPLS
   --enable-mpls-overlapping-ip    Handle overlapping IPs within MPLS clouds
   --max-mpls-labelchain-len       Specify the max MPLS label chain
   --mpls-payload-type             Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
   --require-rule-sid              Require that all snort rules have SID specified.
   --daq <type>                    Select packet acquisition module (default is pcap).
   --daq-mode <mode>               Select the DAQ operating mode.
   --daq-var <name=value>          Specify extra DAQ configuration variable.
   --daq-dir <dir>                 Tell snort where to find desired DAQ.
   --daq-list[=<dir>]              List packet acquisition modules available in dir.  Default is static modules only.
   --dirty-pig                     Don't flush packets and release memory on shutdown.
   --cs-dir <dir>                  Directory to use for control socket.
   --ha-peer                       Activate live high-availability state sharing with peer.
   --ha-out <file>                 Write high-availability events to this file.
   --ha-in <file>                  Read high-availability events from this file on startup (warm-start).
命令参数

工作原理(嗅探器、数据包记录器、网络入侵检测系统)

嗅探器

snort从网络上读出数据包然后显示在你的控制台上

数据包记录器

如果要把所有的包记录到硬盘上,你需要指定一个日志目录,snort就会自动记录数据包

snort -dev -l ./log

snort -dev -l ./log -h 192.168.1.0/24

这个命令告诉snort把进入C类网络192.168.1的所有包的数据链路、TCP/IP以及应用层的数据记录到目录./log中。

网络入侵检测系统

snort最重要的用途还是作为网络入侵检测系统(NIDS),使用下面命令行可以启动这种模式

snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

snort.conf是规则集文件。snort会对每个包和规则集进行匹配,发现这样的包就采取相应的行动。如果你不指定输出目录,snort就输出到/var/log/snort目录。

注意:如果你想长期使用snort作为自己的入侵检测系统,最好不要使用-v选项。因为使用这个选项,使snort向屏幕上输出一些信息,会大大降低snort的处理速度,从而在向显示器输出的过程中丢弃一些包。

此外,在绝大多数情况下,也没有必要记录数据链路层的包头,所以-e选项也可以不用

snort -d -h 192.168.1.0/24 -l ./log -c snort.conf

 

posted on 2018-03-19 09:34  23云恋49枫  阅读(893)  评论(0编辑  收藏  举报