Snort初探
概念:
Snort是一款开源的网络入侵防御系统(IPS),可以实时分析和记录网络数据包,你可以通过执行协议分析、内容搜索和匹配,从而发现各种网络攻击和可疑的探测。例如,缓冲区溢出、端口扫描、CGI攻击、SMB探测等。
安装:
OS version:CentOS 6.5
DAQ version:2.0.6
Snort version:2.9.8.0
依赖包:
gcc、flex、bison、zlib、libpcap、pcre、libdnet、tcpdump
libnetfilter_queue(IPS支持) --> libmnl、libnfnetlink
以上建议使用yum安装,若出现版本问题,再通过编译源码安装,
本文大部分使用源码编译,源码包可自行到网上下载,也可通过本文最后给的Github地址下载本文所使用的所有源码包。
依赖包安装:
yum -y install gcc flex bison zlib pcre tcpdump
安装libpcap
tar -zxf libpcap-1.7.4.tar.gz
cd libpcap-1.7.4
./configure --prefix=/usr/local --libdir=/usr/local/lib64
make && make install
PS:若不是安装在/ 或者 /usr 底下 需要在/etc/ld.so.conf.d/local.conf中加入安装的lib路径, 文件不存在可自行创建 使用ldconfig使配置生效
ldconfig -p | grep NAME 可以查看是否能找到该动态库
安装libdnet
tar -zxf libdnet-1.12.tgz
cd libdnet-1.12
./configure "CFLAGS=-fPIC -g -O2" --prefix=/usr --libdir=/usr/lib64
make && make install
安装DAQ:
若要支持IPS(入侵防御系统),安装DAQ前需安装libnetfilter_queue ,libnetfilter_queue需要libmnl、libnfnetlink 支持。
安装libmnl
tar -jxf libmnl-1.0.3.tar.bz2
cd libmnl-1.0.3
./configure --prefix=/usr --libdir=/usr/lib64
make && make install
安装libnfnetlink
tar -jxf libnfnetlink-1.0.1.tar.bz2
cd libnfnetlink-1.0.1
./configure --prefix=/usr --libdir=/usr/lib64
make && make install
安装libnetfilter_queue
tar -jxf libnetfilter_queue-1.0.2.tar.bz2
cd libnetfilter_queue-1.0.2
./configure --prefix=/usr --libdir=/usr/lib64
make && make install
安装daq
tar -zxf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure --prefix=/usr/local --libdir=/usr/local/lib64
PS:需确保NFQ module已enabled:Build NFQ DAQ module....... : yes,否则修改/usr/include/libnetfilter_queue/linux_nfnetlink_queue.h,
#include <libnfnetlink/linux_nfnetlink.h>改成#include <libnfnetlink/libnfnetlink.h>
然后再重新configure一次。
make && make
安装Snort
tar -zxf snort-2.9.8.0.tar.gz
cd snort-2.9.8.0
./configure --prefix=/usr/local/snort
make && make install
至此,snort就安装完成了,可运行/usr/local/snort/bin/snort 查看snort能否正常工作。
启动配置:
创建snort用户
useradd snort
创建日志目录
mkdir /var/log/snort
启动脚本可以在官方网站中下载,根据自己的系统进行选择。
将启动脚本snortd拷贝到/etc/init.d/中
cp /path/to/snortd /etc/init.d/
另外,需要在 /etc/sysconfig/中创建一个snort的文件
touch /etc/sysconfig/snort
添加以下内容:
1 # /etc/sysconfig/snort 2 # $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $ 3 #### General Configuration 4 INTERFACE="eth0:eth1" //指定接入网口 5 USER="snort" //指定用户 6 GROUP="snort" //指定用户组 7 #### Logging & Alerting 8 SNORT_OPTIONS="-A fast -b -Q --daq nfq --daq-mode inline --daq-var queue=8" //启动相关指令
rule配置:
从官网下载最新版本的rule文件
在/etc/中创建snort文件夹
mkdir /etc/snort
在rule文件解压到该文件夹中
tar -zxf snortrules-snapshot-2976.tar.gz -C /etc/snort
更改/etc/snort/etc/snort.conf
1 # path to dynamic preprocessor libraries 2 dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/ //指定到snort的lib目录中 3 4 # path to base preprocessor engine 5 dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so //指定到snort的lib目录中 6 7 # path to dynamic rules libraries 8 dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.7.6 //指定到so_rules中的具体系统的目录
touch /etc/snort/rules/black_list.rules /etc/snort/rules/white_list.rules
本文中使用的启动脚本有做过改动,用于支持IPS。
snortd文件如下:
1 #!/bin/sh 2 # 3 # snortd Start/Stop the snort IDS daemon. 4 # 5 # chkconfig: 2345 40 60 6 # description: snort is a lightweight network intrusion detection tool that 7 # currently detects more than 1100 host and network 8 # vulnerabilities, portscans, backdoors, and more. 9 # 10 # June 10, 2000 -- Dave Wreski <dave@linuxsecurity.com> 11 # - initial version 12 # 13 # July 08, 2000 Dave Wreski <dave@guardiandigital.com> 14 # - added snort user/group 15 # - support for 1.6.2 16 # July 31, 2000 Wim Vandersmissen <wim@bofh.st> 17 # - added chroot support 18 19 # Source function library. 20 . /etc/rc.d/init.d/functions 21 22 # source the interface to listen on 23 . /etc/sysconfig/snort 24 25 # See how we were called. 26 case "$1" in 27 start) 28 echo -n "Starting snort: " 29 if [ -f /var/lock/subsys/snort ];then 30 status snort 31 else 32 cd /var/log/snort 33 daemon /usr/local/snort/bin/snort -D $SNORT_OPTIONS 34 -c /etc/snort/etc/snort.conf 35 touch /var/lock/subsys/snort 36 fi 37 # for NFQ mode 38 /sbin/iptables -t raw -nL | grep "NFQUEUE" 2>&1 >/dev/null 39 RETV=$? 40 if [ $RETV != 0 ];then 41 /sbin/iptables -t raw -A PREROUTING -p tcp -m multiport --dports 8080 -j NFQUEUE --queue-num 8 //将通过该端口的数据导入NFQ列表供snort检测 42 #/sbin/iptables -t raw -A PREROUTING -p udp -j NFQUEUE --queue-num 8 43 else 44 exit $RETV 45 fi 46 echo 47 ;; 48 stop) 49 echo -n "Stopping snort: " 50 # for NFQ mode 51 /sbin/iptables -t raw -D PREROUTING -p tcp -m multiport --dports 8080 -j NFQUEUE --queue-num 8 52 #/sbin/iptables -t raw -D PREROUTING -p udp -j NFQUEUE --queue-num 8 53 killproc snort 54 rm -f /var/lock/subsys/snort 55 echo 56 ;; 57 restart) 58 $0 stop 59 $0 start 60 ;; 61 status) 62 status snort 63 ;; 64 *) 65 echo "Usage: $0 {start|stop|restart|status}" 66 exit 1 67 esac 68 69 exit 0
启动snort
chmod a+x /etc/init.d/snortd
/etc/init.d/snortd start
启动正常后,若有可疑攻击,可在/var/log/snort/alter文件中查看到被拒绝的规则信息。
Snort简易安装脚本和源码包:https://github.com/Code-CC/Security/tree/master/snort
参考: