Installing and Using Snort3 (NIDS) on Ubuntu 16.04


Author: 杨赟快跑 | Published 2019-05-15 12:26 | read 57 times
  1. Update the package sources
# The file is /etc/apt/sources.list (not source.list) and is owned by root, so back it up and rewrite it with sudo.
# apt on Ubuntu 16.04 cannot fetch https:// sources until apt-transport-https is installed, so install it from the existing sources first.
sudo apt-get install -y apt-transport-https
sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
sudo tee /etc/apt/sources.list > /dev/null <<EOF
# The deb-src mirrors are commented out by default to speed up apt update; uncomment them if you need them
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-security main restricted universe multiverse

# Pre-release (proposed) sources; enabling them is not recommended
# deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-proposed main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-proposed main restricted universe multiverse
EOF
sudo apt-get update && sudo apt-get dist-upgrade -y
  2. Install the build dependencies
sudo apt install -y aptitude
sudo aptitude install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config libhwloc-dev
sudo aptitude install -y cmake
sudo aptitude  install -y liblzma-dev openssl libssl-dev cpputest libsqlite3-dev uuid-dev
sudo aptitude  install -y libtool git autoconf
sudo aptitude  install -y bison flex
  3. Download the sources, build and install
# Several of the tarballs below come over plain http or from third-party hosts; compare each download against the checksum or signature its project publishes before building it.
mkdir -p ~/snort_src
cd ~/snort_src
wget https://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz
tar -xzvf libsafec-10052013.tar.gz
cd libsafec-10052013
./configure
make
sudo make install
cd ~/snort_src
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.7/gperftools-2.7.tar.gz
tar xzvf gperftools-2.7.tar.gz
cd gperftools-2.7
./configure
make
sudo make install
cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
tar -xzvf ragel-6.10.tar.gz
cd ragel-6.10
./configure
make
sudo make install
cd ~/snort_src
wget https://dl.bintray.com/boostorg/release/1.67.0/source/boost_1_67_0.tar.gz
tar -xvzf boost_1_67_0.tar.gz
wget https://github.com/intel/hyperscan/archive/v4.7.0.tar.gz
tar -xvzf v4.7.0.tar.gz
mkdir ~/snort_src/hyperscan-4.7.0-build
cd hyperscan-4.7.0-build/
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_67_0/ ../hyperscan-4.7.0
make
sudo make install
cd ~/snort_src/hyperscan-4.7.0-build/
./bin/unit-hyperscan
cd ~/snort_src
wget https://github.com/google/flatbuffers/archive/v1.9.0.tar.gz -O flatbuffers-v1.9.0.tar.gz
tar -xzvf flatbuffers-v1.9.0.tar.gz
mkdir flatbuffers-build
cd flatbuffers-build
cmake ../flatbuffers-1.9.0
make
sudo make install
cd ~/snort_src
wget https://www.snort.org/downloads/snortplus/daq-2.2.2.tar.gz
tar -xvzf daq-2.2.2.tar.gz
cd daq-2.2.2
./configure
make
sudo make install
cd ~/snort_src
# the hwloc in xenial's apt repository is 1.11, too old for Snort 3, so build 2.0.2 from source
wget https://download.open-mpi.org/release/hwloc/v2.0/hwloc-2.0.2.tar.gz
tar -xvzf hwloc-2.0.2.tar.gz
cd hwloc-2.0.2
./configure
make
sudo make install
sudo ldconfig
cd ~/snort_src
# git:// is unauthenticated and unencrypted (and GitHub no longer serves it); clone over https instead
git clone https://github.com/snortadmin/snort3.git
cd snort3
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
cd build
make
sudo make install
cd ~/snort_src/
wget https://www.snort.org/downloads/openappid/10229 -O snort-openappid.tar.gz
tar -xzvf snort-openappid.tar.gz
sudo cp -R odp /usr/local/lib/
  4. Configuration
# Verify the install
/usr/local/bin/snort -V
sudo ln -s /usr/local/bin/snort /usr/local/sbin/snort
# Tell Snort where its Lua support files and its configuration live, for this shell and for future ones
export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/usr/local/etc/snort
echo 'export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;' >> ~/.bashrc
echo 'export SNORT_LUA_PATH=/usr/local/etc/snort' >> ~/.bashrc
# Keep those two variables when snort is run under sudo
sudo visudo
# add this as the last line
Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"
sudo vi /usr/local/etc/snort/snort.lua
-- application layer (OpenAppID): app_detector_dir is the directory holding the odp tree copied above
appid =
{
-- appid requires this to use appids in rules
app_detector_dir = '/usr/local/lib',
}
# Test that the main configuration file loads (-T validates the configuration and exits)
snort -c /usr/local/etc/snort/snort.lua -T
  5. Running Snort

Snort has three run modes: sniffer, packet logger and intrusion detection.

5.1 Sniffer mode: only sniffs packets off the wire, no further processing (eno1 is this machine's interface name; substitute your own)

snort -i eno1

5.2 Packet logger mode: sniffs packets and writes them to files; the output format is selectable.
First, edit the main configuration file and enable writing to file in the output you want (for example set file = true in the alert_csv, alert_fast or alert_full block):

vim /usr/local/etc/snort/snort.lua

Then start Snort with -l for the log directory and -A for the alert format (full, fast or csv). Note that -A only selects how alerts are written; the packets themselves are dumped with -L pcap.
snort -i eno1 -l /var/log/snort -A full
snort -i eno1 -l /var/log/snort -A fast
snort -i eno1 -l /var/log/snort -A csv

5.3 Intrusion detection mode: sniffs packets, decodes them and matches them against rules; matching packets are logged or raise alerts. Rules fall into the following groups:

--official rules from snort.org (registered/subscriber ruleset)
--community rules
--builtin rules
  the decoder and inspector rules compiled into Snort; to turn them on, uncomment enable_builtin_rules in the ips block and set it to true
--local rules
  rules you write yourself, mainly for your own particular application services

Add the rule files to the main configuration file:


in the ips block, add the rules attribute and include there the rule files you want to enable.

Start Snort in IDS mode with alerts in csv format (-s 65535 captures whole packets, -k none disables checksum verification so packets with bad checksums are still inspected, -l is the log directory):

snort -c /usr/local/etc/snort/snort.lua -i eno1 -A csv -s 65535 -k none -l /var/log/snort
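Putting the two edits of section 5.3 in one place, the following is an added example of the ips block as it would look in /usr/local/etc/snort/snort.lua (written for this page; it is not the original post's configuration nor anything shipped by the Snort project): the builtin rules switched on, the community and local rule files pulled in through include lines, and one local rule written inline. The rule file paths, the rule itself and its sid are assumptions; local sids are taken from the 1000000+ range reserved for them.

```lua
-- ips block for /usr/local/etc/snort/snort.lua (added example; paths and the rule are assumptions)
ips =
{
    -- decoder and inspector (builtin) rules: uncomment this line and set it to true
    enable_builtin_rules = true,

    -- rules are given as one string; include lines pull in rule files,
    -- and a rules file may itself include other rules files
    rules = [[
        include /usr/local/etc/snort/rules/snort3-community.rules
        include /usr/local/etc/snort/rules/local.rules

        # a local rule may also be written here inline; sids from 1000000 upwards are reserved for local rules
        alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( msg:"LOCAL SSH client banner"; flow:to_server,established; content:"SSH-",depth 4; sid:1000001; rev:1; )
    ]],

    -- HOME_NET, EXTERNAL_NET and the other $-variables used in rules come from snort_defaults.lua
    variables = default_variables
}
```

Re-run snort -c /usr/local/etc/snort/snort.lua -T after editing: a wrong include path or a rule syntax error is reported there instead of at capture time.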

6. Meaning of the fields in Snort's csv alert log

ID  Field      Meaning
1   timestamp  timestamp of the alert
2   proto      protocol
3   pkt_gen    packet origin (raw from the wire, or rebuilt/generated by Snort)
4   pkt_len    total packet length
5   dir        direction (C2S / S2C)
6   src_addr   source address
7   src_port   source port
8   dst_addr   destination address
9   dst_port   destination port
10  service    service name as identified by Snort
11  rule       rule identifier (gid:sid:rev)
12  priority   alert priority (1-4); the lower the number, the higher the priority
13  class      alert classification
14  action     action taken (e.g. allow, block)
15  b64_data   Base64 encoding of the packet payload
16  dst_ap     destination address and port (dst_addr:dst_port)
17  eth_dst    destination MAC address
18  eth_len    Ethernet frame length
19  eth_src    source MAC address
20  eth_type   EtherType
21  icmp_code  ICMP code
22  icmp_id    ICMP echo identifier
23  icmp_seq   ICMP echo sequence number
24  icmp_type  ICMP type
25  iface      interface name
26  ip_id      IP identification field
27  ip_len     IP length
28  msg        message text of the rule that fired
29  mpls       MPLS label
30  rev        revision of the rule with this sid
31  seconds    10-digit Unix timestamp (second resolution)
32  sid        Snort Rule ID, the unique identifier of each rule
33  src_ap     source address and port (src_addr:src_port)
34  target     target address, when the rule's target option names one
35  tcp_ack    TCP acknowledgement number
36  tcp_flags  TCP flags
37  tcp_len    TCP header length
38  tcp_seq    TCP sequence number
39  tcp_win    TCP window size
40  tos        IP type of service
41  ttl        IP time to live
42  udp_len    UDP length field
43  vlan       VLAN ID
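Reading those fields back out of a log is the whole point of the csv output, so here is an added example (written for this page; not code from the original post or from the Snort project) that parses alert_csv lines into records, splits the gid:sid:rev rule id and the addr:port pairs, decodes b64_data and counts hits per rule. The field order in FIELDS is an assumption standing in for whatever alert_csv.fields is set to in snort.lua, and the sample alert lines are constructed, not captured.

```python
"""Parse Snort 3 alert_csv output and summarise it per rule (added example)."""
import base64
import csv
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed field order: this must match alert_csv.fields in snort.lua.
FIELDS = [
    "timestamp", "proto", "pkt_gen", "pkt_len", "dir", "src_ap", "dst_ap",
    "rule", "priority", "class", "action", "msg", "b64_data",
]

# Constructed sample alerts in that layout (alert_csv's default separator is ", ";
# msg and b64_data are quoted, IPv6 addresses are printed without brackets).
SAMPLE_ALERTS = """\
05/15-12:26:01.123456, TCP, raw, 74, C2S, 192.168.1.10:51234, 10.0.0.5:22, 1:1000001:1, 3, "Attempted Information Leak", allow, "LOCAL SSH client banner", "U1NILTIuMA=="
05/15-12:26:02.654321, TCP, raw, 60, C2S, 192.168.1.10:51235, 10.0.0.5:22, 1:1000001:1, 3, "Attempted Information Leak", allow, "LOCAL SSH client banner", ""
05/15-12:26:03.000001, UDP, raw, 82, S2C, 2001:db8::53:53, 2001:db8::10:41000, 1:1000002:2, 1, "Potentially Bad Traffic", allow, "LOCAL DNS reply from unexpected resolver", ""
"""


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    src_addr: str
    src_port: Optional[int]
    dst_addr: str
    dst_port: Optional[int]
    priority: int
    payload: bytes
    raw: Dict[str, str] = field(default_factory=dict)  # every csv field by name


def split_ap(ap: str) -> Tuple[str, Optional[int]]:
    """Split 'addr:port' on the LAST colon so an unbracketed IPv6 address keeps its own colons."""
    addr, sep, port = ap.rpartition(":")
    if not sep:
        return ap, None
    return addr, int(port)


def parse_rule_id(rule: str) -> Tuple[int, int, int]:
    """'gid:sid:rev' -> (gid, sid, rev)."""
    gid, sid, rev = (int(x) for x in rule.split(":"))
    return gid, sid, rev


def parse_alert_csv(text: str, fields: List[str] = FIELDS) -> List[Alert]:
    """Turn alert_csv lines into Alert records; a wrong field count means FIELDS and snort.lua disagree, so fail loudly."""
    alerts: List[Alert] = []
    # skipinitialspace lets the csv module treat ', ' as the separator and still honour the quotes
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if not row:
            continue
        if len(row) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(row)}: {row!r}")
        rec = dict(zip(fields, row))
        gid, sid, rev = parse_rule_id(rec["rule"])
        src_addr, src_port = split_ap(rec.get("src_ap", ""))
        dst_addr, dst_port = split_ap(rec.get("dst_ap", ""))
        payload = base64.b64decode(rec["b64_data"]) if rec.get("b64_data") else b""
        alerts.append(Alert(gid, sid, rev, src_addr, src_port, dst_addr, dst_port,
                            int(rec.get("priority", 0) or 0), payload, rec))
    return alerts


def hits_per_rule(alerts: List[Alert]) -> Counter:
    """Count alerts per (gid, sid): the quickest way to spot a noisy rule."""
    return Counter((a.gid, a.sid) for a in alerts)


def high_priority(alerts: List[Alert], max_priority: int = 2) -> List[Alert]:
    """Keep alerts at or above the given priority (a lower number is a higher priority)."""
    return [a for a in alerts if a.priority <= max_priority]


if __name__ == "__main__":
    parsed = parse_alert_csv(SAMPLE_ALERTS)
    for (gid, sid), n in hits_per_rule(parsed).most_common():
        print(f"{gid}:{sid} fired {n} time(s)")
    for a in high_priority(parsed):
        print(f"priority {a.priority}: {a.raw['msg']} {a.src_addr} -> {a.dst_addr}:{a.dst_port}")
```

Feed it the alert_csv file from the -l directory instead of SAMPLE_ALERTS once FIELDS matches your alert_csv.fields; the field-count check is what catches the mismatch when the two drift apart.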

Original link: https://www.haomeiwen.com/subject/ffnuaqtx.html