Snort已发展成为一个具有多平台(Multi-Platform)、实时(Real-Time)流量分析、网络IP数据包(Packet)记录等特性的强大的网络入侵检测/防御系统(Network Intrusion Detection/Prevention System),即NIDS/NIPS。
添加依赖
# EPEL is enabled first, on its own, so the package set below is resolved
# with that repository already available.
yum -y install epel-release
build_deps=(
  gcc gcc-c++ glibc-headers flex bison
  zlib zlib-devel libpcap libpcap-devel pcre pcre-devel
  libdnet libdnet-devel openssl openssl-devel
  tcpdump nghttp2 wget
)
yum -y install "${build_deps[@]}"
下载软件包
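# Fetch the source archives. TLS verification stays on: if the mirror's
# certificate does not validate, repair the CA bundle (yum -y install
# ca-certificates) rather than passing --no-check-certificate, because these
# tarballs are compiled and installed as root below and an unverified
# download can be swapped in transit. Prefer each project's own release site
# over a third-party mirror where possible.
base_url="https://ali.kenvie.com/Downloads/package"
archives=(
  snort-2.9.19.tar.gz
  daq-2.0.7.tar.gz
  LuaJIT-2.1.0-beta3.tar.gz
  libpcap-1.9.0.tar.gz
  libdnet-1.11.tar.gz
)
for archive in "${archives[@]}"; do
  wget "${base_url}/${archive}"
done
# Integrity gate: replace every <SHA256_FROM_UPSTREAM> placeholder with the
# digest published by the respective project ("<digest>  <file>", two
# spaces). sha256sum rejects the placeholder lines, so an unfilled file
# fails closed instead of silently passing.
cat > SHA256SUMS.expected <<'EOF'
<SHA256_FROM_UPSTREAM>  snort-2.9.19.tar.gz
<SHA256_FROM_UPSTREAM>  daq-2.0.7.tar.gz
<SHA256_FROM_UPSTREAM>  LuaJIT-2.1.0-beta3.tar.gz
<SHA256_FROM_UPSTREAM>  libpcap-1.9.0.tar.gz
<SHA256_FROM_UPSTREAM>  libdnet-1.11.tar.gz
EOF
sha256sum -c SHA256SUMS.expected || {
  printf 'checksum mismatch: do not unpack or build these archives\n' >&2
  exit 1
}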
解压软件包
# Unpack each archive into the current directory (/root in this walkthrough),
# listing the extracted files as the original -v did.
for pkg in snort-2.9.19 daq-2.0.7 LuaJIT-2.1.0-beta3 libpcap-1.9.0 libdnet-1.11; do
  tar -zxvf "${pkg}.tar.gz"
done
依次安装
# Build and install each component from its unpacked tree, in dependency
# order: libpcap, libdnet, daq, LuaJIT, then snort. Each step is chained with
# && so a failed configure or build stops that component's install.
#
# Arguments: $1 - source directory; remaining args are passed to ./configure.
build_autotools() {
  cd "$1" && ./configure "${@:2}" && make && make install
}
build_autotools /root/libpcap-1.9.0
build_autotools /root/libdnet-1.11
build_autotools /root/daq-2.0.7
# LuaJIT has no configure script: build in src/, install from the top level.
cd /root/LuaJIT-2.1.0-beta3/src && make && cd .. && make install
build_autotools /root/snort-2.9.19 --enable-sourcefire
配置snort
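# Expose the binary on the usual sbin path and create the runtime layout.
# mkdir -p keeps this re-runnable on a host where some paths already exist.
ln -s /usr/local/bin/snort /usr/sbin/snort
mkdir -p /etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules
# Dedicated account for the sensor. It is a system account with no
# interactive shell: snort only needs it as the target for -u/-g privilege
# dropping, never as a login.
groupadd -r snort
useradd -r -g snort -s /sbin/nologin -M snort
# Alert and packet logs can contain captured payloads; keep the directory
# readable by the snort user and group only.
chown snort:snort /var/log/snort
chmod 750 /var/log/snort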
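# Rule snapshot. The official download is https://snort.org/downloads
# (registration required); the file used here is snortrules-snapshot-29190.tar.gz.
# so_rules/precompiled holds shared objects that snort loads into its own
# process, i.e. native code running inside the sensor, so the archive must
# come from a source you trust and be integrity-checked before it is
# unpacked. TLS verification stays on for the same reason.
rules_archive="snortrules-snapshot-29190.tar.gz"
rules_url="https://ali.kenvie.com/Downloads/package/${rules_archive}"
wget "$rules_url"
# Replace <SHA256_FROM_SNORT_ORG> with the digest published for this snapshot;
# the placeholder makes the check fail until it is filled in.
printf '%s  %s\n' '<SHA256_FROM_SNORT_ORG>' "$rules_archive" | sha256sum -c - || {
  printf 'checksum mismatch: do not install these rules\n' >&2
  exit 1
}
tar -zxvf "$rules_archive" -C /etc/snort
cp /etc/snort/etc/* /etc/snort/
# Precompiled shared-object rules are organised per distribution, arch and
# snort version; pick the directory under /etc/snort/so_rules/precompiled
# that matches this host.
cp /etc/snort/so_rules/precompiled/Centos-7/x86-64/2.9.19.0/* /usr/local/lib/snort_dynamicrules/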
编辑snort.conf
两处改动
# Open the main configuration; the two edits to make are described below.
vi /etc/snort/snort.conf
1、将以下段的相对路径改为绝对路径
=====更改前========================
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
=====更改前========================
=====更改后========================
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
=====更改后========================
2、删除snort.conf中321行结尾的 \ (行续接符),并将322、323行删除
=====更改前========================
316 iis_delimiter no \
317 iis_unicode no \
318 multi_slash no \
319 utf_8 no \
320 u_encode yes \
321 webroot no \
322 decompress_swf { deflate lzma } \
323 decompress_pdf { deflate }
324
325 # ONC-RPC normalization and anomaly detection.
=====更改前========================
=====更改后========================
316 iis_delimiter no \
317 iis_unicode no \
318 multi_slash no \
319 utf_8 no \
320 u_encode yes \
321 webroot no
322
323 # ONC-RPC normalization and anomaly detection.
=====更改后========================
创建白/黑名单
# snort.conf points WHITE_LIST_PATH/BLACK_LIST_PATH at the rules directory;
# create both list files empty so startup does not stop on a missing path.
touch /etc/snort/rules/{white,black}_list.rules
启动
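# Validate that the configuration parses before going live, then run in the
# foreground with alerts printed to the console. Opening the interface
# requires root, so -u/-g make snort drop to the unprivileged snort account
# created earlier once initialised instead of keeping root for the whole
# capture.
iface=ens33
snort -T -c /etc/snort/snort.conf
snort -i "$iface" -c /etc/snort/snort.conf -A console -u snort -g snort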
配置一个测试规则
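# Append a test rule to the local rules file. The quoted here-doc keeps
# $EXTERNAL_NET and $HOME_NET literal so snort, not the shell, expands them.
# Note the rule has no content or flag test: it fires on every TCP packet
# from EXTERNAL_NET to HOME_NET, so it is only a smoke test and should be
# removed once alerts have been confirmed.
cat >> /etc/snort/rules/local.rules <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "nmap scan"; sid:1000000888;)
EOF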
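# Re-check the configuration now that local.rules changed, then start with
# console alerting. -u/-g drop privileges to the snort account after the
# interface is opened rather than running the capture as root.
iface=ens33
snort -T -c /etc/snort/snort.conf
snort -i "$iface" -c /etc/snort/snort.conf -A console -u snort -g snort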
#以下为触发返回信息
12/23-20:04:26.965379 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:27.996780 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:28.998366 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:30.000166 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:31.001396 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:31.259922 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:32.004485 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:33.006489 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22
12/23-20:04:34.008070 [**] [1:1000000888:0] nmap scan [**] [Priority: 0] {TCP} 192.168.100.1:5450 -> 192.168.100.10:22