These are my Snort installation notes, shared for reference. The install environment and the Snort version to be installed:
- Ubuntu14.04 LTS
- snort-2.9.7.6
Install the required packages
The related packages must be installed first, so that compiling Snort later does not run into problems
sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev
Download, compile and install
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install
tar xvfz snort-2.9.7.6.tar.gz
cd snort-2.9.7.6
./configure --enable-sourcefire && make && sudo make install
Test whether Snort installed successfully
Running the following command shows a little pig along with the version information
snort -V
Snort setup
#!/bin/bash
#snort source location
snort_src=~/snort-2.9.7.6
# adding group and user
sudo groupadd snort
sudo useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
# Configuring snort
sudo mkdir -p /etc/snort
sudo mkdir -p /etc/snort/rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /var/log/snort
sudo mkdir -p /usr/local/lib/snort_dynamicrules
sudo chmod -R 775 /etc/snort
sudo chmod -R 775 /var/log/snort
sudo chmod -R 775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
#copy configuration files
cd $snort_src/etc
sudo cp * /etc/snort
Notes:
- We need to create a dedicated user to run Snort. -s specifies the login shell; nologin is a valid shell that refuses logins, so the account cannot log in interactively. -c sets the comment field and -g sets the group.
- Create the /etc/snort directory, where Snort's configuration is kept; you can change it to another location
- Create the black/white list rules and the local rules (custom rules go in local.rules)
- Set directory permissions (775) and owner (snort)
- Copy the configuration files from the download directory to /etc/snort
snort.conf settings
- Change HOME_NET to the IP range you are protecting
- Change the value of EXTERNAL_NET to !$HOME_NET
- Set the rules path
- Set the black/white list paths
- To test the custom rule, comment out all the rule set includes and keep only local.rules
sudo vim /etc/snort/snort.conf
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.0/24
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
…(omitted)
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
…(omitted)
# site specific rules
include $RULE_PATH/local.rules
##include $RULE_PATH/attack-responses.rules
##include $RULE_PATH/backdoor.rules
##include $RULE_PATH/bad-traffic.rules
…(omitted)
Run the following command to check the configuration file; if it is correct you will see a message containing successfully
sudo snort -T -c /etc/snort/snort.conf
Add a custom rule
Add a rule to local.rules that detects ICMP packets.
When an ICMP packet headed for $HOME_NET is detected, Snort raises an alert, and the alert carries the message "ICMP detected"
sudo vim /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; sid:000001;)
Check the configuration file again; if it is correct, the Rule Port Counts section shows ICMP as 1
sudo snort -T -c /etc/snort/snort.conf
Run the following command to load the snort.conf configuration and start listening on eth0.
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Then ping this machine from another machine. Since ping sends ICMP packets, once they are received Snort prints the alert messages!
11/22-15:14:31.527201 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:31.527242 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
11/22-15:14:32.526562 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:32.526596 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
11/22-15:14:33.526543 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:33.526576 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
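As an added example (not part of the original notes), the Python below parses the rule added to local.rules and the console alert lines shown above, lints the rule the way a reviewer would (sid range, missing rev), and correlates each alert with its rule by sid. The HOME_NET value, the rule text and the alert lines are copied from these notes; the alert regex assumes the default -A console fast-alert format, and the option parser is deliberately simple (it splits on ";" and would mis-handle a msg containing a semicolon).

```python
"""Parse a Snort rule and fast-format console alerts, then correlate them."""
import ipaddress
import re
from collections import Counter

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # value used in the notes' snort.conf

# Constructed sample: the local.rules content from the notes.
LOCAL_RULES = '''
# site specific rules
alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; sid:000001;)
'''

# Constructed sample: three of the console alert lines shown in the notes.
ALERT_LOG = """\
11/22-15:14:31.527201 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:31.527242 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
11/22-15:14:32.526562 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
"""

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Fast alert line as printed by "-A console"; classification and ports are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority: (?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_rule_options(opts):
    """Turn 'msg:"ICMP detected"; sid:000001;' into {'msg': ..., 'sid': ...}."""
    out = {}
    for part in opts.split(";"):  # simple split; a msg containing ';' would break this
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")
        out[key.strip()] = value.strip().strip('"')
    return out


def parse_rules(text):
    """Return {sid: rule-dict} for every non-comment rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        opts = parse_rule_options(m.group("opts"))
        sid = int(opts["sid"])  # "000001" -> 1, which is why Snort prints [1:1:0]
        rules[sid] = {**m.groupdict(), "sid": sid, "options": opts, "msg": opts.get("msg")}
    return rules


def lint_rule(rule):
    """Reviewer checks: local rules should use sid >= 1000000 and carry a rev."""
    problems = []
    if rule["sid"] < 1000000:
        problems.append("sid %d is in the range reserved for Snort-distributed rules; "
                        "local rules should use sid >= 1000000" % rule["sid"])
    if "rev" not in rule["options"]:
        problems.append("missing rev; add rev:1 so later edits can be tracked")
    if not rule.get("msg"):
        problems.append("missing msg")
    return problems


def parse_alerts(text):
    """Parse fast-format alert lines into dicts with integer gid/sid/rev/priority."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "pri"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def summarize(rules, alerts):
    """Per-sid: rule message, alert count, src->dst flow counts, and how many
    alerts have a destination inside HOME_NET (both ping directions match here,
    because both hosts in the notes sit inside 192.168.1.0/24)."""
    out = {}
    for a in alerts:
        rule = rules.get(a["sid"])
        entry = out.setdefault(a["sid"], {"msg": rule["msg"] if rule else None,
                                           "count": 0, "flows": Counter(),
                                           "dst_in_home_net": 0})
        entry["count"] += 1
        entry["flows"][(a["src"], a["dst"])] += 1
        if ipaddress.ip_address(a["dst"]) in HOME_NET:
            entry["dst_in_home_net"] += 1
    return out


if __name__ == "__main__":
    rules = parse_rules(LOCAL_RULES)
    for sid, rule in rules.items():
        for problem in lint_rule(rule):
            print("sid %d: %s" % (sid, problem))
    print(summarize(rules, parse_alerts(ALERT_LOG)))
```

The lint output makes the point the notes gloss over: sid:000001 works for a quick test, but a local rule should carry a sid of 1000000 or higher and a rev so it never collides with a distributed rule set once those includes are uncommented again.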