[教學] 如何在 Ubuntu 14.04 上安裝 Snort

這是我的 Snort 安裝筆記,供大家參考。安裝環境與欲安裝的 Snort 版本為:

  • Ubuntu14.04 LTS
  • snort-2.9.7.6

安裝相關套件

必須先下載相關套件,待會編譯Snort才不會出問題

sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev

下載,編譯並安裝

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure; make; sudo make install
tar xvfz snort-2.9.7.6.tar.gz
cd snort-2.9.7.6
./configure --enable-sourcefire; make; sudo make install

測試 Snort 是否安裝成功

使用以下指令,會看到一隻小豬,還有版本信息

snort -V

snort1 - [教學] 如何在 Ubuntu 14.04 上安裝 Snort


Snort 設定

#!/bin/bash

#snort source location
snort_src=~/snort-2.9.7.6

# adding group and user
sudo groupadd snort
sudo useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort

# Configuring snort
sudo mkdir -p /etc/snort
sudo mkdir -p /etc/snort/rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /var/log/snort
sudo mkdir -p /usr/local/lib/snort_dynamicrules
sudo chmod -R 775 /etc/snort
sudo chmod -R 775 /var/log/snort
sudo chmod -R 775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

#copy configuration files
cd $snort_src/etc
sudo cp * /etc/snort

說明:

  • 我們需要建立一個使用者來使用 Snort -s 用來指定 bash,而 nologin 是個無法登入的合法 Shell,也就會讓使用者無法登入 -c 說明欄位 -g 指定群組
  • 建立 /etc/snort 資料夾,是 snort 存放的位置,也可以自己改為其他的地方
  • 建立黑白名單 rule 與 local rule (自定義規則要寫在這)
  • 設定資料夾權限 (775) 與擁有者 (snort)
  • 將設定檔由下載目錄複製到 /etc/snort

snort.conf設定

請支持《傑瑞窩在這》原創文章。原文標題:[教學] 如何在 Ubuntu 14.04 上安裝 Snort,原文網址:https://jerrynest.io/install-snort-ubuntu/
  • 修改 HOME_NET,指定保護的 IP
  • 將 EXTERNAL_NET 的後面改為 !$HOME_NET
  • 設定 rule 的路徑
  • 設定黑白名單路徑
  • 為了測試自訂規則,先將所有 rule set 註解,只保留 local.rules
sudo vim snort.conf
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.0/24

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

…(略)

# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH etc/snort/preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

…(略)

# site specific rules
include $RULE_PATH/local.rules

##include $RULE_PATH/attack-responses.rules
##include $RULE_PATH/backdoor.rules
##include $RULE_PATH/bad-traffic.rules

…(略)

執行以下指令,檢查設定文件,正確無誤就可以看到 successfully 的訊息

sudo snort -T -c /etc/snort/snort.conf

snort2 - [教學] 如何在 Ubuntu 14.04 上安裝 Snort


加入一條自訂規則

在 local.rules 檔案中加入一條規則來偵測 ICMP 封包。

當偵測到 ICMP 封包進入 $HOME_NET,Snort 就會發出一個警告,而這警告包含「ICMP detected」這個訊息

sudo vim /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; sid:000001;)

再次檢查設定文件,正確的話就可以在 Rule Port Counts 裏頭看到 ICMP 為 1

sudo snort -T -c /etc/snort/snort.conf

snort3 - [教學] 如何在 Ubuntu 14.04 上安裝 Snort

輸入以下指令載入 snort.conf 設定檔,並開始監聽 eth0。

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

接著,用另一台電腦來 ping 這台電腦。 由於 ping 指令會發出 ICMP 封包,所以接收到封包後,Snort 就會跳出警告訊息!

11/22-15:14:31.527201 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:31.527242 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
11/22-15:14:32.526562 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:32.526596 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
11/22-15:14:33.526543 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:33.526576 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102

參考資料

如果您覺得這篇文章有幫助,歡迎按個讚或分享出去唷:

樂於分享的軟體工程師,曾在新創與大型科技公司實習,獲得黑客松競賽冠軍,擔任資安研討會講者。長期熱衷於資訊安全、雲端服務、網路行銷等領域,希望將科技知識分享給更多人。內容轉載請來信:jlee58tw@gmail.com

發表回應