CENTOS7 Snort lightweight intrusion detection system: installation and usage
Snort is an open-source lightweight network intrusion detection system (NIDS) written in C. It runs on Windows and Linux; I prefer Linux, so I study Snort on Linux. Snort has three modes of operation: packet sniffer, packet logger and network intrusion detection. It can also be configured as an inline intrusion prevention system (IPS), although that setup is more involved. As a lightweight IDS, Snort does one job and its configuration is fairly complex, which makes it well suited to studying IDS source code and writing detection rules. Snort rule actions come in five kinds; the commonly used ones are alert, pass (ignore) and log, and they are described briefly further down.
Environment: Ubuntu 15.10 + Snort 2.9.8.0 + DAQ 2.0.4. Snort can be installed from the package manager with a single command, which is very convenient: once installed it only needs to be configured. Most people prefer to build from source, which makes it easier to study and debug the code later, write Snort rules and test Snort's features. Snort's plugins are not very convenient to use either, and a source build takes a fair amount of time to work through.
1. Install dependencies
1.1 Install DAQ
Download the DAQ source:
- from https://www.snort.org/downloads#snort download
- daq-2.0.6.tar.gz
- snort-2.9.9.0.tar.gz
Extract the DAQ source package. Building DAQ straight away fails with errors about missing dependencies of various kinds, so install the dependencies first: bison, flex and libpcap (the PCAP DAQ module needs libpcap's headers, so libpcap has to be in place before DAQ's ./configure runs).
1.2 Other dependencies
First install bison and flex:
- ~/snort/daq$ sudo apt-get install bison flex
Download the libpcap source:
- ~/snort/libpcap$ wget http://www.tcpdump.org/release/libpcap-1.7.4.tar.gz
Extract and install libpcap (only the install step needs root; building as root is unnecessary and leaves root-owned files in the source tree):
- ~/snort/libpcap$ tar -zxvf libpcap-1.7.4.tar.gz
- ~/snort/libpcap/libpcap-1.7.4$ ./configure
- ~/snort/libpcap/libpcap-1.7.4$ make
- ~/snort/libpcap/libpcap-1.7.4$ sudo make install
This installs under /usr/local/lib; run `sudo ldconfig` afterwards so the dynamic linker picks up the new library.
1.3 Build and install DAQ
Configure DAQ again (a release tarball already ships a configure script; `autoreconf -ivf` is only needed when building from a git checkout, and in that case it must run before ./configure, not after it):
- ~/snort/daq$ ./configure
When the summary at the end of the configure output looks like this, configuration succeeded and DAQ can be built:
- Build AFPacket DAQ module.. : yes
- Build Dump DAQ module...... : yes
- Build IPFW DAQ module...... : yes
- Build IPQ DAQ module....... : no
- Build NFQ DAQ module....... : no
- Build PCAP DAQ module...... : yes
- Build netmap DAQ module...... : no
PCAP and AFPacket are the modules used in passive IDS mode, so this summary is enough for the rest of this walkthrough. NFQ shows "no" because the libnetfilter_queue development headers were not installed; that only matters if you want inline IPS mode via iptables/NFQUEUE, in which case install them and re-run ./configure.
Build and install DAQ:
- ~/snort/daq$ make
- ~/snort/daq$ sudo make install
2. Install Snort
2.1 Other dependencies:
libdumbnet-dev
Download: https://packages.debian.org/sid/libdumbnet-devl
This is libdnet, which Debian packages under the name libdumbnet; on Ubuntu the packaged libdumbnet-dev is the quicker route and Snort's configure script accepts it. Building the source tarball, as done here, installs the library under the upstream name libdnet in /usr/local/lib. Extract and build it in its own directory (not inside the libpcap tree):
- ~/snort/libdnet$ tar -zvxf libdumbnet_1.12.orig.tar.gz
- (in the extracted libdumbnet source directory) ./configure
- make
- sudo make install
2.2 Install Snort
Extract the Snort source and build it:
- ~/snort/snort$ ./configure --enable-sourcefire
- ~/snort/snort$ make
- ~/snort/snort$ sudo make install
Snort is installed under the following directories:
/usr/local/bin/snort /usr/local/lib/snort
--enable-sourcefire switches on the Sourcefire-specific build options (performance profiling and packet performance monitoring); it is optional for plain IDS use. Run `sudo ldconfig` once more after the install so the freshly installed DAQ and libdnet libraries are found at run time.
3. Start Snort
Run Snort to check that the binary loads:
~/snort/snort$ sudo snort
This may fail with the following error:
snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
The dynamic linker is asking for a file literally named libdnet.1 (the SONAME recorded in the libdnet 1.12 build; `objdump -p /usr/local/lib/libdnet.so.1.0.1 | grep SONAME` shows it), but the install only created libdnet.so.1.0.1. Create a symlink under the requested name, pointing at wherever `make install` actually put the library (`ls /usr/local/lib/libdnet*` shows the location; the command below assumes /usr/lib):
sudo ln -s /usr/lib/libdnet.so.1.0.1 /usr/lib/libdnet.1
Run snort again. If the banner and usage text below appear, the install works (snort without arguments and snort --help both print them):
- ~$ snort --help
The output (all in English) is as follows:
- ,,_ -*> Snort! <*-
- o" )~ Version 2.9.8.0 GRE (Build 229)
- '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
- Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
- Copyright (C) 1998-2013 Sourcefire, Inc., et al.
- Using libpcap version 1.7.4
- Using PCRE version: 8.35 2014-04-04
- Using ZLIB version: 1.2.8
- USAGE: snort [-options] <filter options>
- Options:
- -A Set alert mode: fast, full, console, test or none (alert file alerts only)
- "unsock" enables UNIX socket logging (experimental).
- -b Log packets in tcpdump format (much faster!)
- -B <mask> Obfuscated IP addresses in alerts and packet dumps using CIDR mask
- -c <rules> Use Rules File <rules>
- -C Print out payloads with character data only (no hex)
- -d Dump the Application Layer
- -D Run Snort in background (daemon) mode
- -e Display the second layer header info
- -f Turn off fflush() calls after binary log writes
- -F <bpf> Read BPF filters from file <bpf>
- -g <gname> Run snort gid as <gname> group (or gid) after initialization
- -G <0xid> Log Identifier (to uniquely id events for multiple snorts)
- -h <hn> Set home network = <hn>
- (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
- -H Make hash tables deterministic.
- -i <if> Listen on interface <if>
- -I Add Interface name to alert output
- -k <mode> Checksum mode (all,noip,notcp,noudp,noicmp,none)
- -K <mode> Logging mode (pcap[default],ascii,none)
- -l <ld> Log to directory <ld>
- -L <file> Log to this tcpdump file
- -M Log messages to syslog (not alerts)
- -m <umask> Set umask = <umask>
- -n <cnt> Exit after receiving <cnt> packets
- -N Turn off logging (alerts still work)
- -O Obfuscate the logged IP addresses
- -p Disable promiscuous mode sniffing
- -P <snap> Set explicit snaplen of packet (default: 1514)
- -q Quiet. Don't show banner and status report
- -Q Enable inline mode operation.
- -r <tf> Read and process tcpdump file <tf>
- -R <id> Include 'id' in snort_intf<id>.pid file name
- -s Log alert messages to syslog
- -S <n=v> Set rules file variable n equal to value v
- -t <dir> Chroots process to <dir> after initialization
- -T Test and report on the current Snort configuration
- -u <uname> Run snort uid as <uname> user (or uid) after initialization
- -U Use UTC for timestamps
- -v Be verbose
- -V Show version number
- -X Dump the raw packet data starting at the link layer
- -x Exit if Snort configuration problems occur
- -y Include year in timestamp in the alert and log files
- -Z <file> Set the performonitor preprocessor file path and name
- -? Show this information
- <Filter Options> are standard BPF options, as seen in TCPDump
- Longname options and their corresponding single char version
- --logid <0xid> Same as -G
- --perfmon-file <file> Same as -Z
- --pid-path <dir> Specify the directory for the Snort PID file
- --snaplen <snap> Same as -P
- --help Same as -?
- --version Same as -V
- --alert-before-pass Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
- --treat-drop-as-alert Converts drop, sdrop, and reject rules into alert rules during startup
- --treat-drop-as-ignore Use drop, sdrop, and reject rules to ignore session traffic when not inline.
- --process-all-events Process all queued events (drop, alert,...), default stops after 1st action group
- --enable-inline-test Enable Inline-Test Mode Operation
- --dynamic-engine-lib <file> Load a dynamic detection engine
- --dynamic-engine-lib-dir <path> Load all dynamic engines from directory
- --dynamic-detection-lib <file> Load a dynamic rules library
- --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
- --dump-dynamic-rules <path> Creates stub rule files of all loaded rules libraries
- --dynamic-preprocessor-lib <file> Load a dynamic preprocessor library
- --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
- --dynamic-output-lib <file> Load a dynamic output library
- --dynamic-output-lib-dir <path> Load all dynamic output libraries from directory
- --create-pidfile Create PID file, even when not in Daemon mode
- --nolock-pidfile Do not try to lock Snort PID file
- --no-interface-pidfile Do not include the interface name in Snort PID file
- --disable-attribute-reload-thread Do not create a thread to reload the attribute table
- --pcap-single <tf> Same as -r.
- --pcap-file <file> file that contains a list of pcaps to read - read mode is implied.
- --pcap-list "<list>" a space separated list of pcaps to read - read mode is implied.
- --pcap-dir <dir> a directory to recurse to look for pcaps - read mode is implied.
- --pcap-filter <filter> filter to apply when getting pcaps from file or directory.
- --pcap-no-filter reset to use no filter when getting pcaps from file or directory.
- --pcap-loop <count> this option will read the pcaps specified on command line continuously.
- for <count> times. A value of 0 will read until Snort is terminated.
- --pcap-reset if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
- --pcap-reload if reading multiple pcaps, reload snort config between pcaps.
- --pcap-show print a line saying what pcap is currently being read.
- --exit-check <count> Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
- takes from signaling until DAQ_Stop() is called.
- --conf-error-out Same as -x
- --enable-mpls-multicast Allow multicast MPLS
- --enable-mpls-overlapping-ip Handle overlapping IPs within MPLS clouds
- --max-mpls-labelchain-len Specify the max MPLS label chain
- --mpls-payload-type Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
- --require-rule-sid Require that all snort rules have SID specified.
- --daq <type> Select packet acquisition module (default is pcap).
- --daq-mode <mode> Select the DAQ operating mode.
- --daq-var <name=value> Specify extra DAQ configuration variable.
- --daq-dir <dir> Tell snort where to find desired DAQ.
- --daq-list[=<dir>] List packet acquisition modules available in dir. Default is static modules only.
- --dirty-pig Don't flush packets and release memory on shutdown.
- --cs-dir <dir> Directory to use for control socket.
- --ha-peer Activate live high-availability state sharing with peer.
- --ha-out <file> Write high-availability events to this file.
- --ha-in <file> Read high-availability events from this file on startup (warm-start).
- --suppress-config-log Suppress configuration information output.
4. Configure Snort
The configuration file is snort.conf in the etc/ directory of the Snort source tree. This walkthrough later starts Snort with -c /etc/snort/etc/snort.conf, so copy the source tree's etc/ directory to /etc/snort/ first. Configure it with the official documentation alongside; there is also a Chinese translation, but it is incomplete.
5. Snort rules
Writing your own Snort rules:
- alert tcp any any -> 192.168.213.170 80 (msg:"Telnet Login";sid:26287)
- alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288)
Put them in a new rules file and reference that file with an `include` line in snort.conf; the two rules then take effect at the next start. Two things to note about these rules: neither has a `rev`, so alerts show revision 0, and the first rule has no `content` option, so it fires on every TCP packet sent to port 80 of 192.168.213.170 regardless of what the packet carries (the message "Telnet Login" is only a label, and the test below confirms it fires on plain HTTP). SIDs below 1,000,000 are reserved for the official rule sets; local rules should use sid:1000000 and above to avoid clashing with them.
A Snort rule is divided into a rule header and rule options. The rule header carries the action to take together with the packet's protocol, source and destination addresses and ports and the direction operator; protocol, address and port are the most basic pieces of network information. The rule options, in parentheses, carry the message, the rule identifiers and the payload conditions. There are five actions: alert (alert and log the packet), log (log only), pass (ignore the packet), activate (alert and then switch on a dynamic rule) and dynamic (stays idle until an activate rule turns it on, then acts as a log rule).
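To make the header/options split concrete, here is an added example (written for this page, not Snort's own code) that parses Snort 2 rules of the form used above into header fields and an option dictionary, matches them against constructed packets, and prints alerts in the same fast-alert format that the test section below shows. It models only protocol, address, port and direction matching plus the content and nocase options; flow and every other option are parsed but ignored. The packets, the timestamp and the tighter rule with sid 1000001 are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Packet:            # constructed packet: the 5-tuple plus payload, enough to exercise a rule
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # 0 = no port (icmp)
    dport: int = 0
    payload: bytes = b""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# One option: name, optional ':value' (value may be a quoted string), terminated by ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')

def parse_rule(line):
    """Split a Snort 2 rule into header fields plus an {option: value} dict ('' for flags)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: " + line)
    rule = m.groupdict()
    opts = rule.pop("opts")
    if not opts.rstrip().endswith(";"):
        opts += ";"      # the page's rules omit the final ';', which Snort 2 tolerates
    rule["options"] = {name: value.strip('"') for name, value in OPTION_RE.findall(opts)}
    return rule

def _addr_match(spec, ip):
    """'any', an IP, a CIDR block, or any of those negated with '!'."""
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def _port_match(spec, port):
    """'any', a single port, a range 'lo:hi' (either side may be open), or a '!' negation."""
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return (low <= port <= high) != spec.startswith("!")

def header_matches(rule, pkt):
    """Protocol, addresses, ports and direction; '<>' accepts either orientation."""
    if rule["proto"] not in (pkt.proto, "ip"):
        return False
    forward = (_addr_match(rule["src"], pkt.src) and _port_match(rule["sport"], pkt.sport)
               and _addr_match(rule["dst"], pkt.dst) and _port_match(rule["dport"], pkt.dport))
    if rule["dir"] == "->":
        return forward
    reverse = (_addr_match(rule["src"], pkt.dst) and _port_match(rule["sport"], pkt.dport)
               and _addr_match(rule["dst"], pkt.src) and _port_match(rule["dport"], pkt.sport))
    return forward or reverse

def options_match(rule, pkt):
    """Only the payload test modelled here: content (plus nocase); other options are ignored."""
    content = rule["options"].get("content")
    if content is None:
        return True      # header-only rule: fires on every packet the header matches
    needle, hay = content.encode(), pkt.payload
    if "nocase" in rule["options"]:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

def fast_alert(rule, pkt, ts):
    """Format one alert as 'snort -A fast' does (priority 0 when the rule has no classtype)."""
    o = rule["options"]
    ends = (f"{pkt.src} -> {pkt.dst}" if pkt.proto == "icmp"
            else f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    return (f'{ts} [**] [1:{o.get("sid")}:{o.get("rev", "0")}] "{o.get("msg")}" [**] '
            f'[Priority: 0] {{{pkt.proto.upper()}}} {ends}')

def run(rules, packets, ts="03/21-16:15:13.164956"):
    """Evaluate every alert rule against every packet; returns fast-alert lines in order."""
    return [fast_alert(r, p, ts) for p in packets for r in rules
            if r["action"] == "alert" and header_matches(r, p) and options_match(r, p)]

# The two rules from the page, and a tighter replacement for the first (constructed: sid in the
# local range, and a content match so that it needs an HTTP request line, not just port 80).
PAGE_RULES = [
    'alert tcp any any -> 192.168.213.170 80 (msg:"Telnet Login";sid:26287)',
    'alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288)',
]
BETTER_RULE = ('alert tcp any any -> 192.168.213.170 80 (msg:"HTTP GET to web server"; '
               'flow:to_server,established; content:"GET "; nocase; sid:1000001; rev:1;)')
# Constructed traffic: a bare SYN to port 80, a real GET, a ping, and an SSH banner to port 22.
PACKETS = [
    Packet("tcp", "192.168.213.162", "192.168.213.170", 38250, 80),
    Packet("tcp", "192.168.213.162", "192.168.213.170", 38270, 80, b"GET / HTTP/1.1\r\n"),
    Packet("icmp", "192.168.213.162", "192.168.213.170"),
    Packet("tcp", "192.168.213.162", "192.168.213.170", 40000, 22, b"SSH-2.0-OpenSSH_7.2\r\n"),
]

if __name__ == "__main__":
    for label, rules in (("page rules", PAGE_RULES), ("tightened rule", [BETTER_RULE])):
        print(label + ":")
        for line in run([parse_rule(r) for r in rules], PACKETS):
            print(" ", line)
```

With the page's rules the bare SYN, the GET and the ping all alert (three lines), while the tightened rule alerts only on the packet that actually carries a request line; that is the difference between matching on the header alone and matching on payload.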
6. Test cases
6.1 Start Snort on the local host
- sudo snort -i eth0 -c /etc/snort/etc/snort.conf -A fast -l /var/log/snort
-i eth0 selects the capture interface, -c the configuration file, -A fast the one-line alert format, and -l the log directory (it must already exist; with -A fast the alerts go to the file alert in that directory). Before listening live, `sudo snort -T -c /etc/snort/etc/snort.conf` validates the configuration and all included rule files and then exits, which catches rule syntax errors without touching the interface.
6.2 Watch the Snort alert log in real time:
- ~/snort/run/log$ tail -f /var/log/snort/alert
6.3 Test the rules
Another host pings the Snort host; alerts:
- 03/21-16:15:13.164956 [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
- 03/21-16:15:14.164567 [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
- 03/21-16:15:15.164590 [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
- 03/21-16:15:16.166108 [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
Another host connects to and scans port 80 of the Snort host (Apache is running on it); alerts. Because the rule has no content match it fires on every packet of a TCP connection, which is why a single connection from source port 38270 or 38322 produces three lines each:
- 03/21-14:43:04.242200 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38250 -> 192.168.213.170:80
- 03/21-14:45:46.621115 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
- 03/21-14:45:46.621268 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
- 03/21-14:45:46.621409 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
- 03/21-14:45:46.629345 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
- 03/21-14:45:46.629466 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
- 03/21-14:45:46.633859 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
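The lines above are one alert per packet, so the raw count overstates what happened on the wire. The following is an added example (not part of the original page) that parses fast-alert lines into fields and collapses them per signature and per 5-tuple flow, which is how you would triage them; the alert lines are copied from this section's output, and the final truncated line is constructed to show how a half-written line (as tail -f can show while Snort is still writing) is skipped rather than mis-parsed.

```python
import re
from collections import Counter

# Layout of a line written by 'snort -A fast'. The Classification part is optional
# (the page's rules have no classtype, so it is absent in their alerts).
FAST_ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) \[\*\*\] '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\] '
    r'(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] '
    r'\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> '
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$')

# Alert lines copied from the page's test output, plus one constructed truncated line.
ALERT_LOG = """\
03/21-16:15:13.164956 [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-16:15:14.164567 [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-16:15:15.164590 [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-16:15:16.166108 [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-14:43:04.242200 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38250 -> 192.168.213.170:80
03/21-14:45:46.621115 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.621268 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.621409 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.629345 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
03/21-14:45:46.629466 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
03/21-14:45:46.633859 [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
03/21-14:45:46.63
"""

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a complete fast alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev

def summarize(log_text):
    """Count alerts per signature and per flow (sid, proto, src, sport, dst, dport)."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_fast_alert(line)
        if ev is None:
            skipped += 1         # truncated or foreign line: count it, do not guess its fields
        else:
            events.append(ev)
    per_signature = Counter((ev["sid"], ev["msg"]) for ev in events)
    # A header-only rule fires once per packet, so several lines usually belong to one
    # connection; keying by the 5-tuple gives the number of distinct flows instead.
    flows = Counter((ev["sid"], ev["proto"], ev["src"], ev["sport"], ev["dst"], ev["dport"])
                    for ev in events)
    return {"events": len(events), "skipped": skipped,
            "per_signature": dict(per_signature), "flows": dict(flows),
            "sources": sorted({ev["src"] for ev in events})}

if __name__ == "__main__":
    s = summarize(ALERT_LOG)
    print(f'{s["events"]} alerts parsed, {s["skipped"]} skipped; sources: {s["sources"]}')
    for (sid, msg), n in s["per_signature"].items():
        nflows = sum(1 for key in s["flows"] if key[0] == sid)
        print(f'sid {sid} "{msg}": {n} alerts across {nflows} flow(s)')
```

On the page's output this reports seven "Telnet Login" alerts but only three TCP flows from the one source host, which is the figure an analyst actually wants when deciding whether port 80 was scanned or merely visited.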