snort -- 入侵检测系统

snort

外网

|

|

路由

|

|

防火墙

|

snort

|

web mail dns ftp

IDS 入侵检测系统

snort

第一步:安装snort (以下步骤是在rhel6.5平台做的)

# yum groupinstall "Development tools" -y

# yum install pcre-devel zlib-devel

# rpm -ivh libpcap-1.4.0-1.20130826git2dbcaa1.el6.x86_64.rpm

# rpm -ivh libpcap-devel-1.4.0-1.20130826git2dbcaa1.el6.x86_64.rpm

# tar xf libdnet-1.11.tar.gz -C /usr/src/

# cd /usr/src/libdnet-1.11/

# ./configure --with-pic

# make

# make install

# echo /usr/local/lib > /etc/ld.so.conf.d/snort.conf

# ldconfig

# tar xf daq-2.0.4.tar.gz -C /usr/src/

# cd /usr/src/daq-2.0.4/

# ./configure

# make

# make install

# echo /usr/local/lib/daq >> /etc/ld.so.conf.d/snort.conf

# ldconfig

# tar xf snort-2.9.7.2.tar.gz -C /usr/src/

# cd /usr/src/snort-2.9.7.2/

#./configure --enable-sourcefire

# make

# make install

# ldconfig

第二步:

建立配置文件目录，拷贝相应的配置文件和规则文件；并建立启动daemon的用户

# mkdir /etc/snort

# cp /usr/src/snort-2.9.7.2/etc/* /etc/snort/

# tar xf 笔记目录/arch/snort_soft/snortrules-snapshot-2972.tar.gz -C /etc/snort/

# cp /etc/snort/etc/* /etc/snort/

cp: overwrite `/etc/snort/classification.config'? y

cp: overwrite `/etc/snort/reference.config'? y

cp: overwrite `/etc/snort/sid-msg.map'? y

cp: overwrite `/etc/snort/snort.conf'? y

cp: overwrite `/etc/snort/threshold.conf'? y

cp: overwrite `/etc/snort/unicode.map'? y

# touch /etc/snort/rules/{white_list.rules,black_list.rules}

# useradd -s /sbin/nologin snort

# chown -R snort.snort /etc/snort/

# mkdir /var/log/snort

# chown snort.snort /var/log/snort

第三步:

配置主配置文件

# vim /etc/snort/snort.conf

45 ipvar HOME_NET 172.16.0.0/16 --监控的内网网段

48 ipvar EXTERNAL_NET !$HOME_NET --外网网段为非内网

104 var RULE_PATH /etc/snort/rules --这几句必须改成绝对路径，如果用默认的相对路径，其它参数在调用时，相对的目录就不一样了

105 var SO_RULE_PATH /etc/snort/so_rules

106 var PREPROC_RULE_PATH /etc/snort/preproc_rules

109 var WHITE_LIST_PATH /etc/snort/rules

110 var BLACK_LIST_PATH /etc/snort/rules

183 config logdir: /var/log/snort --设置log目录

第四步:

拷贝服务启动脚本和全局配置文件

# cp /usr/src/snort-2.9.7.2/rpm/snortd /etc/init.d/

# chmod 755 /etc/init.d/snortd

# vim /etc/init.d/snortd

47 INTERFACE="-i br0" --我这里试验机网卡是br0，所以把eth0改成了br0

# cp /usr/src/snort-2.9.7.2/rpm/snort.sysconfig /etc/sysconfig/snort

# vim /etc/sysconfig/snort

15 INTERFACE=br0 --我这里试验机网卡是br0，所以把eth0改成了br0

第五步:sort自我检测

# snort -T -i br0 -u snort -g snort -c /etc/snort/snort.conf --让snort做自我检测

报错1:

snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

解决方法:

# ln -s /usr/local/lib/libdnet.1 /lib64/libdnet.1

报错2:

ERROR: /etc/snort/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.

Fatal Error, Quitting..

解决方法:

# mkdir /usr/local/lib/snort_dynamicrules/

# chmod 700 /usr/local/lib/snort_dynamicrules/

# chown snort.snort /usr/local/lib/snort_dynamicrules/

# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.7.2/* /usr/local/lib/snort_dynamicrules/

# snort -T -i br0 -u snort -g snort -c /etc/snort/snort.conf --再让snort做自我检测，最后报如下两句，则表示成功

......

......

......

Snort successfully validated the configuration!

Snort exiting

第六步:

启动snortd服务

# /etc/init.d/snortd start --启动服务

报错:

Starting snort: /bin/bash: /usr/sbin/snort: No such file or directory

[FAILED]

解决方法:

因为脚本里写的snort命令路径为/usr/sbin/snort,而我们安装在/usr/local/bin/snort

# ln -s /usr/local/bin/snort /usr/sbin/snort

# /etc/init.d/snortd start --再次启动，就成功了

Starting snort: Spawning daemon child...

My daemon child 27533 lives...

Daemon parent exiting (0)

# ps -ef |grep -i snort |grep -v grep --查到相关进程

snort 11594 1 0 15:40 ? 00:00:00 /usr/sbin/snort -A fast -b -d -D -i br0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

# /usr/sbin/snort -A fast -b -d -D -i br0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort --或者不用服务脚本启动，直接用此命令启动也可以

第七步:测试snort

# vim /etc/snort/rules/local.rules --这是/etc/snort/snort.conf里读取的N条规则中的其中一条，是个空文件，以它做测试，写上下面一条规则（表示任何icmp包都会警告)

alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001;)

# /etc/init.d/snortd restart

然后使用任意IPping本机，会发现/var/log/snort/alert里有警告信息

# snort -A console -i br0 -u snort -g snort -c /etc/snort/snort.conf --或者使用-A console指令启动snort让所有警告信息都直接显示到终端

关于snort规则的编写这里不再详细讨论，可以自行写几个规则加到local.rules里去测试

alert tcp any any -> 172.16.2.9/16 80 (msg:"http access warnings"; sid:1000002;)