1.安装snort
首先,新建一个文件夹来保存需要的tar包
#mkdir ~/snort_src
#cd ~/snort_src
安装必备的组件
#sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
build-essential:提供用于编译软件的构建工具(GCC等)。
bison,flex:DAQ所需的解析器(DAQ将在下面安装)。
libpcap-dev:Snort所需的网络流量捕获库。
libpcre3-dev:支持Snort所需正则表达式的函数库。
libdumbnet-dev:libdnet库为几个低层网络例程提供了一个简化的可移植接口。许多安装Snort的指南都是从源代码安装此库的,尽管这不是必需的。
zlib1g-dev:Snort所需的压缩库。
liblzma-dev:提供对swf文件的解压缩(adobe flash)
openssl和libssl-dev:提供SHA和MD5文件签名
Snort所需的最后一个库是Nghttp2的开发库
#sudo apt-get install -y libnghttp2-dev

在snort官网下载数据采集器(DAQ)来抽象对数据包捕获库的调用(下载的tar包建议先与官网公布的校验值核对,再解压编译)
#cd ~/snort_src
#wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
#tar -xvzf daq-2.0.7.tar.gz
#cd daq-2.0.7
#./configure
#make
#sudo make install

源码安装snort
1.首先需要下载LuaJIT(下载后需先解压并进入LuaJIT源码目录,再执行下面的编译安装)
#wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
#make
#make install
否则报错
checking for luajit... no
   ERROR!  LuaJIT library not found. Go get it from http://www.luajit.org/ (or)
   Try compiling without openAppId using '--disable-open-appid'
2.再安装snort
#cd ~/snort_src
#wget https://snort.org/downloads/snort/snort-2.9.17.tar.gz
#tar -xvzf snort-2.9.17.tar.gz
#cd snort-2.9.17
#./configure --enable-sourcefire
#make
#sudo make install
更新共享库
#sudo ldconfig
Snort安装会将Snort二进制文件放在/usr/local/bin/snort,因此,创建到/usr/sbin/snort的符号链接
#sudo ln -s /usr/local/bin/snort /usr/sbin/snort
安装后输入snort -V看到以下内容
root@kali:/usr/sbin# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.17 GRE (Build 199)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.10.0 (with TPACKET_V3)
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.11

root@kali:/usr/sbin#
**************************************************
将snort配置为NIDS
--------网络入侵检测(Network Intrusion Detection System: NIDS)模式---------
基本配置:出于安全原因(Snort需要解析来自网络的不可信流量,以非特权用户运行可以减小进程被攻破后的影响范围),Snort应该以非特权用户身份运行。
1.创建一个snort用户和组
#sudo groupadd snort
#sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
创建snort需要的文件和文件夹

2.创建Snort目录:
#sudo mkdir /etc/snort
#sudo mkdir /etc/snort/rules
#sudo mkdir /etc/snort/rules/iplists
#sudo mkdir /etc/snort/preproc_rules
#sudo mkdir /usr/local/lib/snort_dynamicrules
#sudo mkdir /etc/snort/so_rules

3.创建一些存储规则和ip列表的文件
#sudo touch /etc/snort/rules/iplists/black_list.rules
#sudo touch /etc/snort/rules/iplists/white_list.rules
#sudo touch /etc/snort/rules/local.rules
#sudo touch /etc/snort/sid-msg.map

4.创建日志文件
#sudo mkdir /var/log/snort
#sudo mkdir /var/log/snort/archived_logs

5.调整权限(注意:5775会同时设置setuid位和sticky位,并使目录组可写;配置和规则文件通常只需snort用户可读,可以按最小权限原则进一步收紧)
#sudo chmod -R 5775 /etc/snort
#sudo chmod -R 5775 /var/log/snort
#sudo chmod -R 5775 /var/log/snort/archived_logs
#sudo chmod -R 5775 /etc/snort/so_rules
#sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

6.改变文件夹的所有权
#sudo chown -R snort:snort /etc/snort
#sudo chown -R snort:snort /var/log/snort
#sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

将解压后snort中的文件复制到我们新建的文件夹中

#cd ~/snort_src/snort-2.9.17/etc
#sudo cp *.conf* /etc/snort
#sudo cp *.map /etc/snort
#sudo cp *.dtd /etc/snort

#cd ~/snort_src/snort-2.9.17/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor
#sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

查看snort的目录
tree /etc/snort
//如未安装tree,通过下面命令安装
sudo apt-get install tree
# tree /etc/snort
/etc/snort
|-- attribute_table.dtd
|-- classification.config
|-- file_magic.conf
|-- gen-msg.map
|-- preproc_rules
|-- reference.config
|-- rules
|   |-- iplists
|   |   |-- black_list.rules
|   |   `-- white_list.rules
|   `-- local.rules
|-- sid-msg.map
|-- snort.conf
|-- so_rules
|-- threshold.conf
`-- unicode.map

编辑snort配置文件,注释掉Snort导入默认规则文件集的行
#sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
修改snort.conf文件(这里使用gedit编辑器)
#sudo gedit /etc/snort/snort.conf
在文件中做如下修改。首先配置网络信息:本例主机的IP是192.168.3.17,所以HOME_NET设置如下
ipvar HOME_NET 192.168.3.17
我们需要告诉Snort我们之前创建的所有文件夹的位置。这些设置也是snort.conf文件的一部分
var RULE_PATH /etc/snort/rules           # 104行左右
var SO_RULE_PATH /etc/snort/so_rules        # 105行左右
var PREPROC_RULE_PATH /etc/snort/preproc_rules   # 106行左右
var WHITE_LIST_PATH /etc/snort/rules/iplists    # 113行左右
var BLACK_LIST_PATH /etc/snort/rules/iplists    # 114行左右

#启用规则文件
include $RULE_PATH/local.rules               #取消注释,在545行左右
测试snort
#sudo snort -T -c /etc/snort/snort.conf -i eth0   #eth0是网卡,可用ifconfig查看
结果如下:
           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.1  <Build 1>
           Preprocessor Object: SF_S7COMMPLUS  Version 1.0  <Build 1>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: appid  Version 1.1  <Build 5>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>

Snort successfully validated the configuration!
Snort exiting
接下来,编辑规则文件,编写一条基本的规则:监听ping的最简单ICMP规则
vi /etc/snort/rules/local.rules
//加入ICMP规则:
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
vi /etc/snort/sid-msg.map
//加入提示消息:
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792
//验证配置:
sudo snort -T -c /etc/snort/snort.conf -i ens3  //有的是eth0,可以通过ifconfig来确定
**************************************************
开始检验,用一台别的主机ping snort的主机
#sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

***************************************************
设置snort开机自启动
echo "snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D" >> /server/scripts/autoStart.sh
    snort参数详解:
    -A: 指定告警模式:fast,full,console,test or none
    -T:指定启动模式:测试
    -i:指定网络接口
    -u:指定运行用户
    -g:指定运行时用户组
    -c: 指定配置文件
    -q:以静默方式运行
    -D:后台以Daemon方式运行

**************运行snort检测各种规则(与前文相同,需用 -i 指定网卡)*****************************
/usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf
****************************************************************