Snort has evolved into a powerful Network Intrusion Detection/Prevention System (NIDS/NIPS) with multi-platform support, real-time traffic analysis and IP packet logging. The steps below build Snort 2.9.19 and its dependencies from source on CentOS 7, load the official ruleset, and verify the installation with a local rule.

### Install dependencies

```bash
yum -y install epel-release
yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump nghttp2 glibc-headers gcc-c++ openssl openssl-devel wget
```

### Download the packages

The tarballs below are pulled from a third-party mirror with `--no-check-certificate`, which disables TLS verification, so nothing authenticates what lands on disk. For anything beyond a throwaway lab box, fetch Snort and DAQ from https://snort.org/downloads and the libraries from their upstream projects, and compare the published checksums before building.

```bash
wget https://ali.kenvie.com/Downloads/package/snort-2.9.19.tar.gz --no-check-certificate
wget https://ali.kenvie.com/Downloads/package/daq-2.0.7.tar.gz --no-check-certificate
wget https://ali.kenvie.com/Downloads/package/LuaJIT-2.1.0-beta3.tar.gz --no-check-certificate
wget https://ali.kenvie.com/Downloads/package/libpcap-1.9.0.tar.gz --no-check-certificate
wget https://ali.kenvie.com/Downloads/package/libdnet-1.11.tar.gz --no-check-certificate
```

### Unpack the packages

```bash
tar -zxvf snort-2.9.19.tar.gz
tar -zxvf daq-2.0.7.tar.gz
tar -zxvf LuaJIT-2.1.0-beta3.tar.gz
tar -zxvf libpcap-1.9.0.tar.gz
tar -zxvf libdnet-1.11.tar.gz
```

### Build and install, in this order

DAQ needs libpcap and libdnet installed first, and Snort needs DAQ and LuaJIT, so the order matters.

```bash
# libpcap
cd /root/libpcap-1.9.0 && ./configure && make && make install
# libdnet
cd /root/libdnet-1.11 && ./configure && make && make install
# daq
cd /root/daq-2.0.7 && ./configure && make && make install
# LuaJIT
cd /root/LuaJIT-2.1.0-beta3/src && make && cd .. && make install
# snort
cd /root/snort-2.9.19 && ./configure --enable-sourcefire && make && make install
```

### Configure Snort

```bash
ln -s /usr/local/bin/snort /usr/sbin/snort
mkdir /etc/snort
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
# Create an unprivileged account for Snort
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort
# Download the official ruleset (registration and login required): https://snort.org/downloads
# The snapshot used here is snortrules-snapshot-29190.tar.gz
wget https://ali.kenvie.com/Downloads/package/snortrules-snapshot-29190.tar.gz --no-check-certificate
tar -zxvf snortrules-snapshot-29190.tar.gz -C /etc/snort
cp /etc/snort/etc/* /etc/snort/
# Under /etc/snort/so_rules/precompiled pick the directory matching your OS, architecture and Snort version
cp /etc/snort/so_rules/precompiled/Centos-7/x86-64/2.9.19.0/* /usr/local/lib/snort_dynamicrules/
```

### Edit snort.conf

**Two changes**

```bash
vi /etc/snort/snort.conf
```

1. Change the relative rule paths in the following block to absolute paths. The shipped defaults are relative to the `etc/` directory of the rules snapshot and break once snort.conf lives in `/etc/snort`:

```bash
===== before ========================
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
===== before ========================
===== after =========================
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
===== after =========================
```

2. Remove the trailing `\` (line-continuation) at the end of line 321 of snort.conf and delete lines 322 and 323. The `lzma` option of `decompress_swf` is rejected by a Snort binary built without liblzma, and the dependency list above does not install the xz/lzma development package, so the stock http_inspect block prevents Snort from starting. Deleting the two lines is the quickest fix and only costs SWF/PDF decompression in http_inspect; installing `xz-devel` before running `./configure` is the alternative that keeps it.

```bash
===== before ========================
316         iis_delimiter no \
317         iis_unicode no \
318         multi_slash no \
319         utf_8 no \
320         u_encode yes \
321         webroot no \
322         decompress_swf { deflate lzma } \
323         decompress_pdf { deflate }
324
325 # ONC-RPC normalization and anomaly detection.
===== before ========================
===== after =========================
316         iis_delimiter no \
317         iis_unicode no \
318         multi_slash no \
319         utf_8 no \
320         u_encode yes \
321         webroot no
322
323 # ONC-RPC normalization and anomaly detection.
===== after =========================
```

### Create the white/black lists

The reputation preprocessor configured in snort.conf opens these two files at startup and Snort exits if they are missing, so create them even if they stay empty:

```bash
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
```

### Start

Check the configuration first with `snort -T -c /etc/snort/snort.conf`, which parses snort.conf and every rule file and exits without sniffing; once that reports success, start Snort in console-alert mode on the capture interface (`ens33` here; substitute your own). The account created above is only useful if Snort is told to use it: adding `-u snort -g snort` makes it drop root after the capture socket is opened.

```bash
snort -i ens33 -c /etc/snort/snort.conf -A console
```

### Add a test rule

The rule below matches every TCP packet from `$EXTERNAL_NET` to `$HOME_NET`. In the stock snort.conf both variables are `any`, so this alerts on all TCP traffic the interface sees, not just scans; the name "nmap scan" is aspirational. It is still a useful smoke test: if an nmap probe produces the lines shown, rules are loading and packets are flowing. Set `ipvar HOME_NET` to your own subnet before relying on `$HOME_NET`, and for real scan detection use the `sfportscan` preprocessor that the stock snort.conf already configures, or constrain a rule with `flags:S` and a `detection_filter`. Local rules should carry a `sid` of 1000000 or higher, as here, so they never collide with the official ruleset; without a `rev` option the alert shows revision 0.

```bash
vi /etc/snort/rules/local.rules
# Append the following line at the end of the file
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "nmap scan"; sid:1000000888;)
# Start snort
snort -i ens33 -c /etc/snort/snort.conf -A console
# Output when the rule fires (nmap from 192.168.100.1 probing port 22 on 192.168.100.10)
12/23-20:04:26.965379 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:27.996780 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:28.998366 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:30.000166 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:31.001396 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:31.259922 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:32.004485 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:33.006489 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:34.008070 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
```
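The console lines above are Snort 2's "fast" alert format: timestamp, `[gid:sid:rev]`, the rule's `msg`, an optional classification, priority, protocol and the address pair. Because the test rule fires on every inbound TCP packet, whatever consumes its output has to do the correlation that decides whether a scan is actually happening. The script below is an added example, not part of the original post or of Snort: it parses `-A console` lines into records and flags a source that touches many distinct ports on one host within a few seconds. The sample lines are constructed for the example (the post's real output only ever shows port 22); the sid 1000000889 and its "ICMP PING test" message are assumed local rules, and the 10-ports-in-5-seconds threshold is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# One alert per line, as printed by `snort -A console` (the Snort 2 "fast" alert format):
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
# The Classification field only appears when the rule sets classtype; ICMP lines carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>[A-Z]+)\} "
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))? -> (?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict for one console alert line, or None for any other output line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The fast format carries no year; pin a leap year so "02/29" parses and time deltas work.
    rec["time"] = datetime.strptime("2000/" + rec["ts"], "%Y/%m/%d-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "priority"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_alerts(text):
    """Parse a whole console capture, skipping startup banners and other non-alert lines."""
    return [rec for rec in map(parse_alert, text.splitlines()) if rec]


def scan_sources(alerts, min_ports=10, window_s=5.0):
    """Sources that hit at least min_ports distinct ports on one destination within window_s seconds.

    A catch-all 'alert tcp any -> any' rule cannot express this on its own; correlating its
    alerts (or using flags:S with detection_filter, or sfportscan) is what turns
    "a packet arrived" into "a scan is happening".
    """
    by_pair = defaultdict(list)
    for a in alerts:
        if a["dport"] is not None:          # ICMP and other port-less alerts are ignored here
            by_pair[(a["src"], a["dst"])].append((a["time"], a["dport"]))
    hits = set()
    for (src, _dst), events in by_pair.items():
        events.sort()
        in_window = defaultdict(int)        # port -> number of events inside the sliding window
        lo = 0
        for t, port in events:
            in_window[port] += 1
            while (t - events[lo][0]).total_seconds() > window_s:
                old_port = events[lo][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                lo += 1
            if len(in_window) >= min_ports:
                hits.add(src)
                break
    return sorted(hits)


# Constructed sample, not the post's real output: a 12-port sweep from .1 against .10 inside
# two seconds, three separate SSH connections from .20, one ICMP alert, and a non-alert line.
_SWEEP_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3306, 8080]
SAMPLE = "\n".join(
    [
        "12/23-20:04:{:02d}.{:06d} [**] [1:1000000888:0] nmap scan [**] [Priority: 0] "
        "{{TCP}} 192.168.100.1:{} -> 192.168.100.10:{}".format(
            26 + (i * 150000) // 1000000, (i * 150000) % 1000000, 40000 + i, port)
        for i, port in enumerate(_SWEEP_PORTS)
    ]
    + [
        "12/23-20:05:01.000001 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.20:51000 -> 192.168.100.10:22",
        "12/23-20:05:09.000002 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.20:51001 -> 192.168.100.10:22",
        "12/23-20:05:15.000003 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.20:51002 -> 192.168.100.10:22",
        "12/23-20:05:20.000004 [**] [1:1000000889:1] ICMP PING test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.1 -> 192.168.100.10",
        "Commencing packet processing (pid=12345)",
    ]
)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE)
    print(f"{len(alerts)} alerts parsed; probable scanners: {scan_sources(alerts)}")
```

Feed it a real capture with `snort -i ens33 -c /etc/snort/snort.conf -A console 2>&1 | tee alerts.txt` and `parse_alerts(open("alerts.txt").read())`. The sliding window is keyed on (source, destination) so that one host legitimately talking to many servers on one port is not mistaken for a sweep, and only the first window that crosses the threshold is reported per source.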
Last modified: 4 June 2025. © Reproduction permitted with attribution.