snort -- 入侵检测系统

snort
外网
|
|
路由
|
|
防火墙
|
snort
|
web mail dns ftp
IDS 入侵检测系统
snort
第一步:安装snort (以下步骤是在rhel6.5平台做的)
# yum groupinstall "Development tools" -y
# yum install pcre-devel zlib-devel
# rpm -ivh libpcap-1.4.0-1.20130826git2dbcaa1.el6.x86_64.rpm
# rpm -ivh libpcap-devel-1.4.0-1.20130826git2dbcaa1.el6.x86_64.rpm
# tar xf libdnet-1.11.tar.gz -C /usr/src/
# cd /usr/src/libdnet-1.11/
# ./configure --with-pic
# make
# make install
# echo /usr/local/lib > /etc/ld.so.conf.d/snort.conf
# ldconfig
# tar xf daq-2.0.4.tar.gz -C /usr/src/
# cd /usr/src/daq-2.0.4/
# ./configure
# make
# make install
# echo /usr/local/lib/daq >> /etc/ld.so.conf.d/snort.conf
# ldconfig
# tar xf snort-2.9.7.2.tar.gz -C /usr/src/
# cd /usr/src/snort-2.9.7.2/
#./configure --enable-sourcefire
# make
# make install
# ldconfig
第二步:
建立配置文件目录,拷贝相应的配置文件和规则文件;并建立启动daemon的用户
# mkdir /etc/snort
# cp /usr/src/snort-2.9.7.2/etc/* /etc/snort/
# tar xf 笔记目录/arch/snort_soft/snortrules-snapshot-2972.tar.gz -C /etc/snort/
# cp /etc/snort/etc/* /etc/snort/
cp: overwrite `/etc/snort/classification.config'? y
cp: overwrite `/etc/snort/reference.config'? y
cp: overwrite `/etc/snort/sid-msg.map'? y
cp: overwrite `/etc/snort/snort.conf'? y
cp: overwrite `/etc/snort/threshold.conf'? y
cp: overwrite `/etc/snort/unicode.map'? y
# touch /etc/snort/rules/{white_list.rules,black_list.rules}
# useradd -s /sbin/nologin snort
# chown -R snort.snort /etc/snort/
# mkdir /var/log/snort
# chown snort.snort /var/log/snort
第三步:
配置主配置文件
# vim /etc/snort/snort.conf
45 ipvar HOME_NET 172.16.0.0/16 --监控的内网网段
48 ipvar EXTERNAL_NET !$HOME_NET --外网网段为非内网
104 var RULE_PATH /etc/snort/rules --这几句必须改成绝对路径,如果用默认的相对路径,其它参数在调用时,相对的目录就不一样了
105 var SO_RULE_PATH /etc/snort/so_rules
106 var PREPROC_RULE_PATH /etc/snort/preproc_rules
109 var WHITE_LIST_PATH /etc/snort/rules
110 var BLACK_LIST_PATH /etc/snort/rules
183 config logdir: /var/log/snort --设置log目录
第四步:
拷贝服务启动脚本和全局配置文件
# cp /usr/src/snort-2.9.7.2/rpm/snortd /etc/init.d/
# chmod 755 /etc/init.d/snortd
# vim /etc/init.d/snortd
47 INTERFACE="-i br0" --我这里试验机网卡是br0,所以把eth0改成了br0
# cp /usr/src/snort-2.9.7.2/rpm/snort.sysconfig /etc/sysconfig/snort
# vim /etc/sysconfig/snort
15 INTERFACE=br0 --我这里试验机网卡是br0,所以把eth0改成了br0
第五步:sort自我检测
# snort -T -i br0 -u snort -g snort -c /etc/snort/snort.conf --让snort做自我检测
报错1:
snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
解决方法:
# ln -s /usr/local/lib/libdnet.1 /lib64/libdnet.1
报错2:
ERROR: /etc/snort/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
Fatal Error, Quitting..
解决方法:
# mkdir /usr/local/lib/snort_dynamicrules/
# chmod 700 /usr/local/lib/snort_dynamicrules/
# chown snort.snort /usr/local/lib/snort_dynamicrules/
# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.7.2/* /usr/local/lib/snort_dynamicrules/
# snort -T -i br0 -u snort -g snort -c /etc/snort/snort.conf --再让snort做自我检测,最后报如下两句,则表示成功
......
......
......
Snort successfully validated the configuration!
Snort exiting
第六步:
启动snortd服务
# /etc/init.d/snortd start --启动服务
报错:
Starting snort: /bin/bash: /usr/sbin/snort: No such file or directory
[FAILED]
解决方法:
因为脚本里写的snort命令路径为/usr/sbin/snort,而我们安装在/usr/local/bin/snort
# ln -s /usr/local/bin/snort /usr/sbin/snort
# /etc/init.d/snortd start --再次启动,就成功了
Starting snort: Spawning daemon child...
My daemon child 27533 lives...
Daemon parent exiting (0)
# ps -ef |grep -i snort |grep -v grep --查到相关进程
snort 11594 1 0 15:40 ? 00:00:00 /usr/sbin/snort -A fast -b -d -D -i br0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
# /usr/sbin/snort -A fast -b -d -D -i br0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort --或者不用服务脚本启动,直接用此命令启动也可以
第七步:测试snort
# vim /etc/snort/rules/local.rules --这是/etc/snort/snort.conf里读取的N条规则中的其中一条,是个空文件,以它做测试,写上下面一条规则(表示任何icmp包都会警告)
alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001;)
# /etc/init.d/snortd restart
然后使用任意IPping本机,会发现/var/log/snort/alert里有警告信息
# snort -A console -i br0 -u snort -g snort -c /etc/snort/snort.conf --或者使用-A console指令启动snort让所有警告信息都直接显示到终端
关于snort规则的编写这里不再详细讨论,可以自行写几个规则加到local.rules里去测试
alert tcp any any -> 172.16.2.9/16 80 (msg:"http access warnings"; sid:1000002;)
posted @ 2018-06-19 22:12  Sky-wings  阅读(684)  评论(0编辑  收藏  举报