Installation

Disable SELinux; with it enforcing, the systemd service will not start.

vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled

A reboot is required for the change to take effect. (Disabling SELinux removes a mandatory access control layer from the sensor; if you prefer to keep it, set SELINUX=permissive first, read the denials in /var/log/audit/audit.log and build a policy module with audit2allow instead of disabling it outright.)

Configure the EPEL repository:
yum install epel-release -y

Snort provides an rpm package for CentOS 7, so it can be installed with a single command:

yum install https://www.snort.org/downloads/snort/snort-2.9.16-1.centos7.x86_64.rpm

Configuration

Now we need to edit a few configuration files, download rules from snort.org, and run a test with snort.

First, refresh the shared library cache:

ldconfig

 

To verify the snort installation, print its version:

snort -V

(Uppercase -V prints the version and exits; lowercase -v starts snort in verbose packet-sniffing mode instead.)

 

If you get an error about loading the shared library libdnet.1, create the following link and try again:

ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1

Create the rule files that snort.conf will include:

touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules

Pulledpork

Pulledpork is a tool written in Perl for managing Snort rule sets. Its features include:

Automatic rule download using your Oinkcode

MD5 verification before a new rule set is downloaded

Full handling of shared object (SO) rules

Generation of so_rule stub files

Modifying rule-set state (disabling rules, etc.)

The project is maintained by JJ Cummings.

Install the required packages:

yum install perl-libwww-perl perl-core "perl(Crypt::SSLeay)" perl-LWP-Protocol-https

Download Pulledpork from Git and install it:

yum install git
git clone https://github.com/shirkdog/pulledpork.git
cd pulledpork/
cp pulledpork.pl /usr/local/bin
chmod +x /usr/local/bin/pulledpork.pl
cp etc/*.conf /etc/snort
mkdir /etc/snort/rules/iplists
touch /etc/snort/rules/iplists/default.blacklist

 

To verify the Pulledpork installation, print its version:

pulledpork.pl -V
Run the following commands to add the Pulledpork rule files to snort.conf and create them:
echo "include \$RULE_PATH/so_rules.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
touch /etc/snort/rules/so_rules.rules
touch /etc/snort/rules/snort.rules
Then edit the Pulledpork configuration file as follows, replacing <oinkcode> with your own Oinkcode. The line numbers refer to the pulledpork.conf copied from the git checkout and shift between versions, so search for the key name if they do not match. The file now holds your Oinkcode, which is a credential: keep it readable by root only (chmod 600 /etc/snort/pulledpork.conf).
vim /etc/snort/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
line 21: comment it out
line 74: change to rule_path=/etc/snort/rules/snort.rules
line 89: change to local_rules=/etc/snort/rules/local.rules
line 92: change to sid_msg=/etc/snort/sid-msg.map
line 119: change to config_path=/etc/snort/snort.conf
line 136: change to distro=Centos-7
line 144: change to black_list=/etc/snort/rules/iplists/default.blacklist
line 153: change to IPRVersion=/etc/snort/rules/iplists
line 202: uncomment and change to enablesid=/etc/snort/enablesid.conf
line 203: uncomment and change to dropsid=/etc/snort/dropsid.conf
line 204: uncomment and change to disablesid=/etc/snort/disablesid.conf
line 205: uncomment and change to modifysid=/etc/snort/modifysid.conf

 

Save the file, then run:

mkdir -p /usr/local/etc/snort/rules/iplists/
touch /usr/local/etc/snort/rules/iplists/default
 
Run Pulledpork:
pulledpork.pl -c /etc/snort/pulledpork.conf

If you get the error "The specified Snort binary does not exist! Please correct the value or specify the FULL rule tarball name in pulledpork.conf!" (reported from /usr/local/bin/pulledpork.pl line 2120), point snort_path at the binary installed by the rpm:

vim /etc/snort/pulledpork.conf
Line 115: snort_path=/sbin/snort
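The edits above are given by line number, which changes between Pulledpork releases. The following added shell example (it is not part of the page or of Pulledpork) applies the same settings by key name instead, replacing an existing or commented-out "key=value" line and appending the key if it is absent, so it can be re-run safely. It operates on a constructed stand-in for pulledpork.conf and reads the Oinkcode from an assumed OINKCODE environment variable; on a real host you would pass /etc/snort/pulledpork.conf instead.

```sh
#!/bin/sh
# Added example: set pulledpork.conf keys by name rather than by line number.
# Assumes a "key=value" file in which a disabled key appears as "#key=value".

# set_conf FILE KEY VALUE: replace the first "KEY=..." or "#KEY=..." line, or append.
set_conf() {
    awk -v k="$2" -v v="$3" '
        BEGIN { done = 0 }
        {
            line = $0
            sub("^[ \t]*#*[ \t]*", "", line)          # strip leading "#" and blanks
            if (!done && index(line, k "=") == 1) {   # this line defines (or disables) KEY
                print k "=" v
                done = 1
                next
            }
            print
        }
        END { if (!done) print k "=" v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_conf FILE KEY: print the active value of KEY (empty if absent or commented out).
get_conf() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# The settings the tutorial asks for. OINKCODE is an assumed environment variable;
# the placeholder <oinkcode> is kept when it is unset.
apply_tutorial_settings() {
    f=$1
    set_conf "$f" rule_url    "https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|${OINKCODE:-<oinkcode>}"
    set_conf "$f" rule_path   /etc/snort/rules/snort.rules
    set_conf "$f" local_rules /etc/snort/rules/local.rules
    set_conf "$f" sid_msg     /etc/snort/sid-msg.map
    set_conf "$f" config_path /etc/snort/snort.conf
    set_conf "$f" distro      Centos-7
    set_conf "$f" black_list  /etc/snort/rules/iplists/default.blacklist
    set_conf "$f" IPRVersion  /etc/snort/rules/iplists
    set_conf "$f" enablesid   /etc/snort/enablesid.conf
    set_conf "$f" dropsid     /etc/snort/dropsid.conf
    set_conf "$f" disablesid  /etc/snort/disablesid.conf
    set_conf "$f" modifysid   /etc/snort/modifysid.conf
    set_conf "$f" snort_path  /sbin/snort
    chmod 600 "$f"            # the file now contains the Oinkcode, a credential
}

# Constructed stand-in for the shipped pulledpork.conf (not the real file).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_path=/usr/local/etc/snort/rules/snort.rules
local_rules=/usr/local/etc/snort/rules/local.rules
#distro=FreeBSD-8.1
snort_path=/usr/local/bin/snort
# enablesid=/usr/local/etc/snort/enablesid.conf
EOF
    echo "$f"
}

# Demo on the constructed sample; on a real host: apply_tutorial_settings /etc/snort/pulledpork.conf
sample=$(make_sample_conf)
apply_tutorial_settings "$sample"
cat "$sample"
```

Keys that the sample does not contain (sid_msg, dropsid, ...) are appended at the end of the file, which Pulledpork reads the same way; keys that were commented out are re-enabled in place.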

To run Pulledpork automatically, see https://snort.org/oinkcodes and follow the instructions there (use the schedule they give). For example, in the root user's crontab:

crontab -e
20 23 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf

(The six-field form with a user column, "20 23 * * * root /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf", belongs in /etc/crontab or /etc/cron.d only; in a per-user crontab the word "root" would be taken as the command.)

Configuring the network and rule sets

Edit snort.conf to change a few parameters:

vi /etc/snort/snort.conf
Change the parameters as in the example below (HOME_NET must be the network you monitor):
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

 

 

In this tutorial we use the ELK stack to store and visualize alerts and ship the logs from the snort log folder, so set snort's output as follows:

# syslog
output alert_syslog: LOG_LOCAL2 LOG_ALERT

Finally, test the snort configuration file with:

snort -T -c /etc/snort/snort.conf

If you get a success message, everything is correct.

 

To test Snort, add a rule to local.rules:

vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)

This rule alerts on every ICMP packet sent to $HOME_NET (the rule syntax is documented on snort.org). Local rules use sid values of 1000000 and above; lower values are reserved for the official rule sets.
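A rule file that breaks the conventions above (a sid below the local range, a sid reused by two rules, a missing rev) is easy to produce by hand. The following added shell example, which is not part of the page or of Snort, lints a local.rules file for exactly those mistakes before you run snort -T; the rule file it checks is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: lint a Snort local.rules file.
# Checks: known action keyword, options enclosed in ( ... ), a sid in the local
# range (1000000 and up), no sid reused, and a rev on every rule.
# Prints one problem per line and returns 1 if any were found.
lint_rules() {
    awk '
        function opt(name,   s) {           # value of "name:123" in the rule options, or ""
            if (match($0, name ":[ \t]*[0-9]+")) {
                s = substr($0, RSTART, RLENGTH)
                sub(name ":[ \t]*", "", s)
                return s
            }
            return ""
        }
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }             # comments and blank lines
        !/^(alert|log|pass|drop|reject|sdrop)[ \t]/ {
            printf "line %d: unknown rule action\n", NR; bad = 1; next
        }
        !/\(.*\)[ \t]*$/ {
            printf "line %d: rule options not enclosed in ( ... )\n", NR; bad = 1; next
        }
        {
            sid = opt("sid"); rev = opt("rev")
            if (sid == "") {
                printf "line %d: missing sid\n", NR; bad = 1
            } else if (sid + 0 < 1000000) {
                printf "line %d: sid %s below the local range (1000000 and up)\n", NR, sid; bad = 1
            } else if ((sid + 0) in seen) {
                printf "line %d: sid %s already used on line %d\n", NR, sid, seen[sid + 0]; bad = 1
            } else {
                seen[sid + 0] = NR
            }
            if (rev == "") { printf "line %d: missing rev\n", NR; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample local.rules with three deliberate mistakes (not from the page).
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"telnet attempt"; sid:100; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"ftp attempt"; sid:10000001; rev:1;)
alert udp any any -> $HOME_NET 69 (msg:"tftp attempt"; sid:10000002;)
EOF
    echo "$f"
}

# Demo: on a real host run lint_rules /etc/snort/rules/local.rules
rules=$(make_sample_rules)
lint_rules "$rules" || echo "fix the problems above before running snort -T"
```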

 

Running snort as a daemon

vi /etc/sysconfig/snort

Set

INTERFACE=ens33

systemctl daemon-reload
systemctl start snortd
systemctl enable snortd

systemctl status snortd.service should now report the service as active (running).


The /etc/sysconfig/snort file determines how snort is started, which interface it sniffs on, and how output is logged. If alerts are to be stored through barnyard2 instead, a few variables in this file must be commented out, for example:

vi /etc/sysconfig/snort

Comment out the following variables:

BINARY_LOG=0
DUMP_APP=1
ALERTMODE=full

Save and exit. Snort is now installed and ready to run in NIDS mode.

Sending alerts by e-mail

To send alerts by e-mail, first configure snort to send its alerts to rsyslog:

vi /etc/snort/snort.conf
Line 528, uncomment: output alert_syslog: LOG_LOCAL2 LOG_ALERT

Then configure rsyslog to write the messages it receives from snort to /var/log/snort/alert.log:

vi /etc/rsyslog.conf and add this line
local2.alert                                               /var/log/snort/alert.log

Restart rsyslog so the new rule is loaded: systemctl restart rsyslog

 

Now install swatch:

yum install swatch

Create a folder for the swatch configuration file:

mkdir ~/swatch
vi ~/swatch/se.conf

swatch has to be told which strings to look for in the tailed log file; here it is configured to match alerts containing "[Priority: 1]" or "[Priority: 2]". The square brackets must be escaped in the pattern, otherwise it is a character class that matches almost every line:

watchfor /\[Priority: (1|2)\]/
  echo red
  mail=root@localhost,subject="Nids: Priority: $1"

Then start swatch, tailing the alert log written by rsyslog:

swatch -c ~/swatch/se.conf -t /var/log/snort/alert.log --tail-args='--follow=name' --daemon &
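The added shell example below, which is not part of the page or of swatch, shows why the brackets in the watchfor pattern must be escaped, and extracts the rule id, message and priority from the lines that should trigger the mail. It runs over a few constructed lines in the format that Snort 2.9's alert_syslog output takes once rsyslog has written it to /var/log/snort/alert.log (the format and the lines are assumptions for the demonstration). Note that a rule with no classtype or priority keyword, like the ICMP test rule above, is logged at [Priority: 0] and therefore never matches; give it a classtype if you want to use it to test the mail path.

```sh
#!/bin/sh
# Added example: filter Snort syslog alerts by priority the way the swatch pattern does.

# Constructed sample of /var/log/snort/alert.log (assumed alert_syslog format via rsyslog).
make_sample_alerts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun  1 10:00:01 sensor snort[2201]: [1:10000001:1] ICMP test [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
Jun  1 10:00:05 sensor snort[2201]: [1:10000002:1] SSH scan from outside [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51022 -> 192.168.1.10:22
Jun  1 10:00:09 sensor snort[2201]: [1:10000003:1] Inbound MySQL connect [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.168.1.10:3306
Jun  1 10:00:12 sensor snort[2201]: [1:10000004:2] HTTP shell command in URI [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40001 -> 192.168.1.10:80
EOF
    echo "$f"
}

# The pattern with escaped brackets matches only priority 1 and 2 alerts.
PAT_CORRECT='\[Priority: (1|2)\]'
# Unescaped, "[Priority: (1|2)]" is a character class: any line containing one of
# the characters P r i o t y : ( 1 | 2 ) or a space matches, i.e. nearly every line.
PAT_BROKEN='[Priority: (1|2)]'

# count_matches FILE PATTERN: number of lines an extended regex matches.
count_matches() { grep -Ec "$2" "$1"; }

# high_priority_alerts FILE: print "gid:sid:rev|message|priority" for priority 1 and 2 alerts.
high_priority_alerts() {
    awk '
        match($0, /\[Priority: (1|2)\]/) {
            pri = substr($0, RSTART + 11, RLENGTH - 12)      # the digit after "[Priority: "
            match($0, /\[[0-9]+:[0-9]+:[0-9]+\] /)           # "[gid:sid:rev] "
            id = substr($0, RSTART + 1, RLENGTH - 3)
            rest = substr($0, RSTART + RLENGTH)              # message and the rest of the line
            sub(/ \[Classification: [^]]*\].*/, "", rest)    # cut at the classification
            sub(/ \[Priority:.*/, "", rest)                  # or at the priority if none
            print id "|" rest "|" pri
        }
    ' "$1"
}

# Demo on the constructed sample.
log=$(make_sample_alerts)
echo "escaped pattern matches:   $(count_matches "$log" "$PAT_CORRECT")"
echo "unescaped pattern matches: $(count_matches "$log" "$PAT_BROKEN")"
high_priority_alerts "$log"
```

The escaped pattern matches three of the four sample lines and the unescaped one matches all four, including the priority 0 line, which is the difference between a mail per real alert and a mail per log line.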

 

 

 

The -c option selects the new configuration file and --daemon runs swatch in the background.

To start it at boot, put the command above in swatch.sh and append it to /etc/rc.local:

vi /etc/rc.local
sh /root/swatch/swatch.sh

On CentOS 7, /etc/rc.d/rc.local is not executable by default and is only run at boot after you chmod +x it.

 

Sending alerts through snort-watcher

If you use BASE, snort-watcher can poll the BASE database for new alerts and send them; it is available on github: