- 更新源
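# Switch apt to the TUNA mirror. apt reads /etc/apt/sources.list (plural); the
# original steps wrote /etc/apt/source.list, a file apt never looks at, so the
# mirror change silently had no effect and apt-get kept using the old sources.
# Both files live under /etc, so the backup and the write need root: a plain
# `cat > /etc/...` redirection is opened by the unprivileged shell and fails
# with "permission denied" before sudo is ever involved.
sudo cp -- /etc/apt/sources.list /etc/apt/sources.list.bak
# Quoted delimiter: the list below is written verbatim, nothing is expanded.
sudo tee /etc/apt/sources.list >/dev/null <<'EOF'
# 默认注释了源码镜像以提高 apt update 速度,如有需要可自行取消注释
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-security main restricted universe multiverse
# 预发布软件源,不建议启用
# deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-proposed main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-proposed main restricted universe multiverse
EOF
# Refresh package metadata from the new mirror, then upgrade what is installed.
sudo apt-get update && sudo apt-get dist-upgrade -y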
- 安装依赖包
# Install aptitude first; the remaining package installs below go through it.
sudo apt install -y aptitude
# Compiler toolchain plus the libraries the source builds below compile against
# (libdumbnet, LuaJIT, libpcap, PCRE, zlib, hwloc).
sudo aptitude install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config libhwloc-dev
# cmake drives the hyperscan, flatbuffers and snort3 (configure_cmake.sh) builds.
sudo aptitude install -y cmake
# liblzma, OpenSSL, cpputest, sqlite3 and uuid development packages.
sudo aptitude install -y liblzma-dev openssl libssl-dev cpputest libsqlite3-dev uuid-dev
# Autotools pieces and git, used by the ./configure-based builds and the snort3 clone.
sudo aptitude install -y libtool git autoconf
# Parser generators required by some of the ./configure builds below.
sudo aptitude install -y bison flex
- 下载源码编译安装
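# safeclib (libsafec). ~/snort_src is the build area for every source below;
# create it here so the first cd cannot fail and leave the downloads, builds
# and `sudo make install` running from whatever directory we happened to be in.
mkdir -p ~/snort_src
cd ~/snort_src || exit 1
# NOTE(review): the archive is not verified after download — compare it with
# the checksum/signature the safeclib project publishes before building it.
wget https://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz
tar -xzvf libsafec-10052013.tar.gz
cd libsafec-10052013 || exit 1
./configure
make
sudo make install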
cd ~/snort_src
# gperftools provides tcmalloc, which the snort3 configure step further down
# links in via --enable-tcmalloc.
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.7/gperftools-2.7.tar.gz
tar xzvf gperftools-2.7.tar.gz
cd gperftools-2.7
./configure
make
sudo make install
cd ~/snort_src
# ragel (state-machine compiler) is a build requirement of hyperscan below.
# NOTE(review): this is the only download here over plain HTTP, so the archive's
# integrity is not protected in transit; check it against the checksum the ragel
# project publishes (<RAGEL_6_10_CHECKSUM_FROM_UPSTREAM>) before building, or
# use an HTTPS URL if the site offers one.
wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
tar -xzvf ragel-6.10.tar.gz
cd ragel-6.10
./configure
make
sudo make install
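cd ~/snort_src || exit 1
# Boost headers are needed to build hyperscan. NOTE(review): dl.bintray.com was
# shut down in 2021, so this URL is unlikely to resolve any more; fetch the same
# boost_1_67_0.tar.gz from the Boost project's current download location and
# keep the file name so the BOOST_ROOT path below still matches.
wget https://dl.bintray.com/boostorg/release/1.67.0/source/boost_1_67_0.tar.gz
tar -xvzf boost_1_67_0.tar.gz
wget https://github.com/intel/hyperscan/archive/v4.7.0.tar.gz
tar -xvzf v4.7.0.tar.gz
# Out-of-tree cmake build. mkdir -p lets the step be re-run; the absolute cd
# replaces the relative one so it does not depend on the current directory.
mkdir -p ~/snort_src/hyperscan-4.7.0-build
cd ~/snort_src/hyperscan-4.7.0-build || exit 1
# $HOME instead of ~ inside -DBOOST_ROOT=: tilde expansion after '=' in a
# non-assignment word is a bash extension, so the variable is spelled out.
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT="$HOME/snort_src/boost_1_67_0/" ../hyperscan-4.7.0
make
sudo make install
# Run hyperscan's own unit tests against the binaries just built (we are still
# in the build directory, so the original re-cd here is not needed).
./bin/unit-hyperscan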
cd ~/snort_src
# -O gives the bare GitHub archive a descriptive file name; it extracts to
# flatbuffers-1.9.0, which the cmake call below points at.
wget https://github.com/google/flatbuffers/archive/v1.9.0.tar.gz -O flatbuffers-v1.9.0.tar.gz
tar -xzvf flatbuffers-v1.9.0.tar.gz
# Out-of-tree cmake build; no CMAKE_INSTALL_PREFIX is given, so cmake's default applies.
mkdir flatbuffers-build
cd flatbuffers-build
cmake ../flatbuffers-1.9.0
make
sudo make install
cd ~/snort_src
# DAQ (Snort's data acquisition library), fetched over HTTPS from snort.org;
# the snort3 build below depends on it being installed first.
wget https://www.snort.org/downloads/snortplus/daq-2.2.2.tar.gz
tar -xvzf daq-2.2.2.tar.gz
cd daq-2.2.2
./configure
make
sudo make install
cd ~/snort_src
# NOTE(review): no download step is given for hwloc-2.0.2.tar.gz. The archive
# must already be in ~/snort_src (obtain it from the hwloc project and verify
# its checksum), otherwise this tar fails and the remaining commands run in
# ~/snort_src instead of the source tree. libhwloc-dev from apt was installed
# above as well; this source build goes to /usr/local.
tar -xvzf hwloc-2.0.2.tar.gz
cd hwloc-2.0.2
./configure
make
sudo make install
# Refresh the dynamic loader cache so the libraries installed under /usr/local
# in the steps above are found.
sudo ldconfig
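cd ~/snort_src || exit 1
# Clone over HTTPS. The git:// protocol is unauthenticated — nothing protects
# the integrity of code that is about to be built and installed as root — and
# GitHub no longer serves git:// at all, so the original clone fails outright.
git clone https://github.com/snortadmin/snort3.git
cd snort3 || exit 1
# --enable-tcmalloc links the gperftools build installed earlier.
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
cd build || exit 1
make
sudo make install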
cd ~/snort_src/
# OpenAppID detector package (snort.org download id 10229), saved under a
# readable name; it unpacks into an odp/ directory.
wget https://www.snort.org/downloads/openappid/10229 -O snort-openappid.tar.gz
tar -xzvf snort-openappid.tar.gz
# The destination must match app_detector_dir in snort.lua ('/usr/local/lib').
sudo cp -R odp /usr/local/lib/
- 配置工作
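# Verify the install: print the version via the absolute path.
/usr/local/bin/snort -V
# sbin symlink; skipped when already present so the step can be re-run.
[ -e /usr/local/sbin/snort ] || sudo ln -s /usr/local/bin/snort /usr/local/sbin/snort
# Lua search path for snort's bundled scripts and the config directory. The
# backslashes stop '?' from globbing and ';' from ending the command; the value
# stored is /usr/local/include/snort/lua/?.lua;;
export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/usr/local/etc/snort
# Persist both lines in ~/.bashrc. printf writes the single-quoted text
# literally — the original `sh -c "echo ..."` depended on how the echo of
# whichever /bin/sh is installed treats backslashes — and the grep guard keeps
# repeated runs from appending duplicate lines.
grep -qxF 'export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;' ~/.bashrc 2>/dev/null \
  || printf '%s\n' 'export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;' >> ~/.bashrc
grep -qxF 'export SNORT_LUA_PATH=/usr/local/etc/snort' ~/.bashrc 2>/dev/null \
  || printf '%s\n' 'export SNORT_LUA_PATH=/usr/local/etc/snort' >> ~/.bashrc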
sudo visudo
# Add the following as the last line. It makes sudo keep the caller's LUA_PATH
# and SNORT_LUA_PATH, so whoever may run snort through sudo also decides which
# Lua files the root-run snort loads. NOTE(review): grant this only to the
# accounts that administer snort (e.g. a per-user `Defaults:USER` entry) rather
# than to every sudoer.
Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"
# Edit the main configuration; the appid block below goes into it.
sudo vi /usr/local/etc/snort/snort.lua
# Application-layer (appid) settings:
appid =
{
-- appid requires this to use appids in rules
-- Must be the directory the odp tree was copied into above
-- (sudo cp -R odp /usr/local/lib/).
app_detector_dir = '/usr/local/lib',
}
# Test that the main configuration file loads successfully (-c only, no
# interface or capture file).
snort -c /usr/local/etc/snort/snort.lua
- 运行snort
Snort有三种运行模式,分别为嗅探器、包记录和入侵检测模式
5.1嗅探器模式:只嗅探网络包,不做任何处理
# Sniffer mode: only listens on interface eno1 (-i); nothing is logged or matched.
snort -i eno1
5.2包记录模式:嗅探网络包,并记录到文件,记录的格式可以选择
首先,修改配置文件,使能文件记录模式
# Enable file logging in the main configuration for packet-logger mode.
# NOTE(review): the earlier edit of this file used sudo; it was installed by
# `sudo make install`, so saving without sudo will presumably fail.
vim /usr/local/etc/snort/snort.lua
主配置文件
# Packet-logger mode: -l is the directory written to (presumably it must exist
# and be writable by the user running snort), -A selects the alert output
# format — full, fast or csv.
snort -i eno1 -l /var/log/snort -A full
snort -i eno1 -l /var/log/snort -A fast
snort -i eno1 -l /var/log/snort -A csv
5.3 入侵检测模式:嗅探网络包,对网络包进行解析和规则匹配,对于匹配到的包进行记录或者告警,规则类型可以分为以下几类:
内置规则:把注释去掉,改成 true。本地规则:
由自己编写的规则,主要针对于特殊的应用服务
在主配置文件中添加规则文件
在ips中添加rules属性,并将要启用的规则include进来
启动snort,并告警格式为csv
# IDS mode: -c loads the main config, -i the interface, -A csv the alert format,
# -l the log directory. -s 65535 sets the snap length so whole packets are
# captured. -k none disables checksum verification, so packets with bad
# checksums are still inspected instead of being skipped — useful when capture
# offload produces bogus checksums, but note it also means such packets count.
snort -c /usr/local/etc/snort/snort.lua -i eno1 -A csv -s 65535 -k none -l /var/log/snort
6.snort csv格式告警日志字段含义
ID | 字段 | 含义 |
---|---|---|
1 | timestamp | 时间戳 |
2 | proto | 通信协议 |
3 | pkt_gen | 数据包生成器 |
4 | pkt_len | 数据包总长度 |
5 | dir | 方向 |
6 | src_addr | 源地址 |
7 | src_port | 源端口 |
8 | dst_addr | 目的地址 |
9 | dst_port | 目的端口 |
10 | service | 服务名 |
11 | rule | 规则(gid:sid:rev) |
12 | priority | 告警优先级(1-4),越小优先级越高 |
13 | class | 报警类别 |
14 | action | 采取的行动 |
15 | b64_data | 数据段的Base64编码 |
16 | dst_ap | 目的地址和端口(dst_addr:dst_port) |
17 | eth_dst | |
18 | eth_len | |
19 | eth_src | |
20 | eth_type | |
21 | icmp_code | |
22 | icmp_id | |
23 | icmp_seq | |
24 | icmp_type | |
25 | iface | 网卡名 |
26 | ip_id | |
27 | ip_len | |
28 | msg | |
29 | mpls | |
30 | rev | sid 所对应 rule 的版本号 |
31 | seconds | 10位的时间戳(精确到秒) |
32 | sid | Snort Rule ID,每个 Rule 的唯一标识 |
33 | src_ap | 源地址和端口(src_addr:src_port) |
34 | target | |
35 | tcp_ack | |
36 | tcp_flags | |
37 | tcp_len | |
38 | tcp_seq | |
39 | tcp_win | |
40 | tos | |
41 | ttl | |
42 | udp_len | |
43 | vlan | |