Snort已发展成为一个具有多平台(Multi-Platform)、实时(Real-Time)流量分析、网络IP数据包(Packet)记录等特性的强大的网络入侵检测/防御系统(Network Intrusion Detection/Prevention System),即NIDS/NIPS。

添加依赖

# EPEL first: some of the build dependencies below are only available there on CentOS 7.
yum -y install epel-release
# Toolchain plus the -devel headers ./configure needs for libpcap, libdnet, DAQ and Snort.
# NOTE(review): xz-devel (liblzma) is not in this list, which is presumably why the
# decompress_swf "lzma" option has to be removed from snort.conf later in this guide.
build_deps=(
  gcc gcc-c++ glibc-headers flex bison
  zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel
  tcpdump nghttp2 openssl openssl-devel wget
)
yum -y install "${build_deps[@]}"

下载软件包

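# Fetch the source archives into /root (the build steps refer to /root/<pkg>).
# TLS certificate verification stays ON: everything fetched here is compiled and
# installed as root, so a tampered archive is a root compromise of the sensor.
# If the mirror's certificate does not validate, fetch from the upstream project
# (snort.org for snort/daq, luajit.org, tcpdump.org, libdnet's GitHub releases)
# rather than passing --no-check-certificate.
cd /root
for url in \
  https://ali.kenvie.com/Downloads/package/snort-2.9.19.tar.gz \
  https://ali.kenvie.com/Downloads/package/daq-2.0.7.tar.gz \
  https://ali.kenvie.com/Downloads/package/LuaJIT-2.1.0-beta3.tar.gz \
  https://ali.kenvie.com/Downloads/package/libpcap-1.9.0.tar.gz \
  https://ali.kenvie.com/Downloads/package/libdnet-1.11.tar.gz
do
  wget "$url" || { printf 'download failed: %s\n' "$url" >&2; break; }
done
# Compare these digests with the checksums published on each project's download
# page before extracting or building anything.
sha256sum snort-2.9.19.tar.gz daq-2.0.7.tar.gz LuaJIT-2.1.0-beta3.tar.gz libpcap-1.9.0.tar.gz libdnet-1.11.tar.gz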

解压软件包

# Unpack every source archive into the current directory (expected to be /root,
# which the build steps below refer to by absolute path).
archives=(snort-2.9.19 daq-2.0.7 LuaJIT-2.1.0-beta3 libpcap-1.9.0 libdnet-1.11)
for pkg in "${archives[@]}"; do
  tar -zxvf "${pkg}.tar.gz"
done

依次安装

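# Build and install each package in dependency order (everything lands under
# /usr/local, as root). Each step runs in a subshell so a failed configure/make
# returns non-zero to the && chain and the caller's cwd is untouched. The original
# one-line-per-package form let the next package — and eventually Snort itself —
# build even after a dependency had failed to install.
configure_make_install() {
  ( cd "/root/$1" && ./configure && make && make install )
}
# libpcap -> libdnet -> daq -> LuaJIT -> snort; the chain stops at the first failure.
configure_make_install libpcap-1.9.0 \
  && configure_make_install libdnet-1.11 \
  && configure_make_install daq-2.0.7 \
  && ( cd /root/LuaJIT-2.1.0-beta3/src && make && cd .. && make install ) \
  && ( cd /root/snort-2.9.19 && ./configure --enable-sourcefire && make && make install ) \
  && ldconfig
# ldconfig refreshes the loader cache for the shared libraries just installed.
# NOTE(review): /usr/local/lib is not on the default loader path on CentOS 7; if
# snort later cannot find libdaq/libdnet, add that directory under
# /etc/ld.so.conf.d/ and rerun ldconfig (the original run evidently did not need it).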

配置snort

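# Snort was installed under /usr/local; expose it on the usual admin PATH.
ln -s /usr/local/bin/snort /usr/sbin/snort
mkdir /etc/snort
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
# Dedicated service account: system UID, no home directory, no login shell.
# It only needs to own the log directory so snort can drop root (snort -u/-g).
groupadd snort
useradd -r -g snort -M -s /sbin/nologin snort
chown snort:snort /var/log/snort
chmod 750 /var/log/snort   # alert/packet logs may contain payloads; keep them private
# Rule set. The official download (https://snort.org/downloads, account required)
# is the one to trust: the rules ARE the detection logic, and the so_rules are
# native code loaded into the snort process. Fetch over verified TLS and compare
# the archive's checksum with the one published alongside it before extracting;
# --no-check-certificate is deliberately not used here.
# This guide uses snortrules-snapshot-29190.tar.gz, which matches the 2.9.19 build.
wget https://ali.kenvie.com/Downloads/package/snortrules-snapshot-29190.tar.gz
tar -zxvf snortrules-snapshot-29190.tar.gz -C /etc/snort
cp /etc/snort/etc/* /etc/snort/
# Precompiled shared-object rules: pick the directory under
# /etc/snort/so_rules/precompiled that matches this host's distro, architecture
# and exact snort version, otherwise snort cannot load them (version mismatch).
cp /etc/snort/so_rules/precompiled/Centos-7/x86-64/2.9.19.0/* /usr/local/lib/snort_dynamicrules/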

编辑snort.conf

两处改动

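# Keep a pristine copy first so the two hand edits below can be diffed or reverted.
cp -n /etc/snort/snort.conf /etc/snort/snort.conf.orig
vi /etc/snort/snort.conf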

1、将以下段的相对路径改为绝对路径。原因:snort.conf 中的相对路径(按 Snort 的解析方式)是相对于配置文件所在目录解析的,上面已把 snort.conf 从 /etc/snort/etc/ 复制到 /etc/snort/,`../rules` 会指向并不存在的 /etc/rules,规则将无法加载;改成绝对路径后也不再依赖启动 snort 时所在的目录。

=====更改前========================
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
=====更改前========================
=====更改后========================
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
=====更改后========================

2、删除 snort.conf 第321行结尾的反斜杠 `\`(它是行续接符,不是 `/`),并将第322、323行(decompress_swf、decompress_pdf)删除。注意这不是无代价的:这两项是 http_inspect 对 SWF/PDF 正文的解压选项,删掉后针对压缩 Flash/PDF 内容的规则将无法命中。之所以要删,一般是因为编译 Snort 时缺少 LZMA 支持(xz-devel);若想保留这部分检测能力,应安装 xz-devel 后重新编译 Snort 而不是删除配置(以 ./configure 的输出为准)。

=====更改前========================
316     iis_delimiter no \
317     iis_unicode no \
318     multi_slash no \
319     utf_8 no \
320     u_encode yes \
321     webroot no \
322     decompress_swf { deflate lzma } \
323     decompress_pdf { deflate }
324     
325 # ONC-RPC normalization and anomaly detection.
=====更改前========================
=====更改后========================
316     iis_delimiter no \
317     iis_unicode no \
318     multi_slash no \
319     utf_8 no \
320     u_encode yes \
321     webroot no 
322     
323 # ONC-RPC normalization and anomaly detection.
=====更改后========================

创建白/黑名单

# snort.conf's reputation preprocessor references these two list files under
# WHITE_LIST_PATH/BLACK_LIST_PATH (both /etc/snort/rules above); empty files
# are enough for it to start.
touch /etc/snort/rules/{white_list,black_list}.rules

启动

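# Validate the configuration first (-T parses snort.conf and every included rule
# file, then exits), then run against the capture interface. -u/-g make snort drop
# root after initialisation, so the protocol decoders do not parse hostile traffic
# as root — the snort account and the /var/log/snort ownership set up above are what
# make this possible. Replace ens33 with the sniffing interface on this host.
# -A console prints alerts to the terminal for testing; use -D for a daemon run.
snort -T -i ens33 -c /etc/snort/snort.conf \
  && snort -u snort -g snort -i ens33 -c /etc/snort/snort.conf -A console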

配置一个测试规则

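# Append a smoke-test rule to the local rules file (included by snort.conf).
# Be clear about what it is: it has no flags/threshold/content, so it alerts on
# EVERY TCP packet from $EXTERNAL_NET to $HOME_NET — with the stock snort.conf
# both variables are "any". The sample output below (repeated hits for the same
# 5450->22 connection) looks like an ordinary SSH session, not an nmap scan.
# Good for confirming alerts flow end to end; far too noisy to keep enabled.
# SIDs >= 1000000 are reserved for local rules; add rev:N if you later edit it.
cat >> /etc/snort/rules/local.rules <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "nmap scan"; sid:1000000888;)
EOF
# Validate the config (catches a typo in local.rules) before starting; run as
# the unprivileged snort account created earlier rather than as root.
snort -T -i ens33 -c /etc/snort/snort.conf \
  && snort -u snort -g snort -i ens33 -c /etc/snort/snort.conf -A console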
#以下为触发返回信息
12/23-20:04:26.965379  [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:27.996780  [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:28.998366  [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:30.000166  [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:31.001396  [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:31.259922  [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:32.004485  [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:33.006489  [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:34.008070  [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22