Deploying a Snort + BASE intrusion detection system

[Introduction]
  Snort is a lightweight network intrusion detection system. It performs real-time traffic analysis and logs and inspects the IP packets on a network; it does protocol analysis and content search/matching, and can detect a wide range of attacks and probes (buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and so on).

Snort requires libpcap and DAQ
As of Snort 2.9.0, and DAQ, Snort now requires the use of a libpcap version greater than 1.0. Unfortunately for people using RHEL 5 (and below), CentOS 5.5 (and below), and Fedora Core 11 (and below), there is not an official RPM for libpcap 1.0.

Sourcefire will not repackage libpcap and distribute libpcap with Snort as part of an RPM, as it may cause other problems and will not be officially supported by Redhat.

Install with yum

  yum install libpcap libpcap-devel

Or build libpcap from source:

  wget http://www.tcpdump.org/release/libpcap-1.4.0.tar.gz
  tar zxvf libpcap-1.4.0.tar.gz
  cd libpcap-1.4.0
  ./configure
  make
  make install

libdnet (http://code.google.com/p/libdnet/):

  cd ..
  wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
  tar zxvf libdnet-1.12.tgz
  cd libdnet-1.12
  ./configure
  make && make install

DAQ:

  cd ..
  wget -O daq-2.0.2.tar.gz http://www.snort.org/downloads/2778
  tar zxvf daq-2.0.2.tar.gz
  cd daq-2.0.2
  ./configure --with-libpcap-libraries=/usr/local/lib
  make
  make install

Add a user

  groupadd snort
  useradd -g snort -s /sbin/nologin snort

Install Snort

  cd ..
  wget -O snort-2.9.6.0.tar.gz http://www.snort.org/downloads/2787
  tar zxvf snort-2.9.6.0.tar.gz
  cd snort-2.9.6.0
  ./configure --prefix=/usr/local/snort-2.9.6.0 --with-dnet-libraries=/usr/local/lib/
  make
  make install
  cd /usr/local
  ln -s snort-2.9.6.0 snort
  cd bin
  ./snort -v

Error

  /usr/local/snort/bin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

Fix (libdnet was installed under /usr/local/lib, which the dynamic loader does not search by default):

  export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
  cd /usr/local/lib
  cp libdnet libdnet.so
  cp libdnet.1 libdnet.1.so
  ldconfig

Error

  configure: WARNING: unrecognized options: --with-mysql

Snort dropped its MySQL output support starting with Snort 2.9.3; use the barnyard2 plugin instead.

Where to download Snort rules:
1. From http://www.snort.org/ you can download the community snortrules-snapshot for free; the official rules require a paid subscription.
2. From http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/rules/ you can download a third-party rules.tar.gz; this series is also updated fairly often. My snortrules-snapshot-2.8.tar.gz was downloaded from 51cto.
3. BASE can be obtained from http://sourceforge.net/projects/secureideas/. Alternatively, SnortCenter is a web-based Snort sensor and rule management system for remotely changing a sensor's configuration, starting and stopping sensors, and editing and distributing Snort signature rules: http://users.telenet.be/larc/download/
4. ADOdb can be downloaded from http://sourceforge.net/projects/adodb/. ADOdb (Active Data Objects Data Base) is a database-access abstraction component for PHP.

  mkdir /usr/local/snort/etc
  cd /usr/local/snort/etc/
  tar zxvf snortrules-snapshot-2956.tar.gz
  mv etc/* .
  rm snortrules-snapshot-2956.tar.gz

  chown -R root:root .
  vi /usr/local/snort/etc/snort.conf

Edit

  var RULE_PATH /usr/local/snort/etc/rules
  var SO_RULE_PATH /usr/local/snort/etc/so_rules
  var PREPROC_RULE_PATH /usr/local/snort/etc/preproc_rules

  var WHITE_LIST_PATH /usr/local/snort/etc/rules
  var BLACK_LIST_PATH /usr/local/snort/etc/rules

  dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
  dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
  dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

  output unified2: filename /var/log/snort/snort.u2, limit 128

Then create the directories and list files the configuration refers to:

  mkdir /usr/local/snort/lib/snort_dynamicrules
  mkdir /var/log/snort
  chown snort:snort /var/log/snort

  touch /usr/local/snort/etc/rules/white_list.rules
  touch /usr/local/snort/etc/rules/black_list.rules

Start Snort

  /usr/local/snort/bin/snort -d -u snort -g snort -l /var/log/snort -c /usr/local/snort/etc/snort.conf

Output:

          --== Initialization Complete ==--

     ,,_     -*> Snort! <*-
    o"  )~   Version 2.9.6.0 GRE (Build 47)
     ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
             Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
             Copyright (C) 1998-2013 Sourcefire, Inc., et al.
             Using libpcap version 1.4.0
             Using PCRE version: 8.30 2012-02-04
             Using ZLIB version: 1.2.3

  !! The database output plugins are considered deprecated as
  !! of Snort 2.9.2 and will be removed in Snort 2.9.3.

barnyard2 is the well-known log processor for the open-source IDS: it responds quickly, writes to the database efficiently, and is an indispensable plugin when building a custom intrusion detection system.
http://www.securixlive.com/barnyard2/download.php

Install barnyard2. This requires that MySQL is already installed; here it lives under /opt/mysql.

  wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
  tar zxvf barnyard2-1.9.tar.gz
  cd barnyard2-1.9
  ./configure --with-mysql=/opt/mysql
  make
  make install

  cp etc/barnyard2.conf /usr/local/snort/etc/
  mkdir /var/log/barnyard2
  touch /var/log/snort/barnyard2.waldo

  vi /usr/local/snort/etc/barnyard2.conf

Set the map files and the database output:

  config reference_file:      /usr/local/snort/etc/reference.config
  config classification_file: /usr/local/snort/etc/classification.config
  config gen_file:            /usr/local/snort/etc/gen-msg.map
  config sid_file:            /usr/local/snort/etc/sid-msg.map

  config hostname: localhost
  config interface: eth0
  output database: log, mysql, user=snort password=snort dbname=snort host=localhost

On the output database line fill in your own database host, user and password; the dbname here must be the same database you create and grant privileges on below.

The table definitions are in schemas/create_mysql under the build directory; import them with the mysql client. Create the database user and grant it access:

  CREATE USER 'snort'@'localhost' IDENTIFIED BY '***';

  GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY '***' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
  GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON `snortdb`.* TO 'snort'@'localhost';

Install BASE and ADOdb

  wget http://jaist.dl.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz
  tar zxvf base-1.4.5.tar.gz
  chown -R www:website base-1.4.5
  mv base-1.4.5 /opt/htdocs/www/
  ln -s base-1.4.5 base

  wget http://jaist.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.zip
  unzip adodb518a.zip
  chown -R www:website adodb5
  mv adodb5 /opt/htdocs/www/base/adodb5

Update PHP's PEAR packages

  cd /opt/php/bin
  ./pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman Mail_Mime Mail

Open the setup page in a browser and finish the installation there; it is only a matter of filling in the configuration:
http://localhost:80/base/setup/index.php

Test Snort

  /usr/local/snort/bin/snort -vd -i eth1

Snort also has a test option (-T) that makes it easy to validate configuration changes before they go live. Run "snort -c /etc/snort/snort.conf -T" and read the output to see whether the changed configuration works.

Run Snort, monitoring eth1 for intrusions and logging them to MySQL

  /usr/local/snort/bin/snort -D -c /usr/local/snort/etc/snort.conf -i eth1

  barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -D -w /var/log/snort/barnyard2.waldo

Watch the traffic
iftop -i eth1

If there is an intrusion, the record shows up in BASE.

To monitor the traffic of a whole switch, configure port mirroring on the switch and send the traffic to the switch port that the Snort machine's NIC is connected to.
My Snort machine has four NICs: three monitor the China Telecom, China Netcom and internal-network traffic, and the remaining one is used for management and data transfer.

vi /usr/local/snort/etc/barnyard2.conf
Drop the absolute path and the timestamp from the unified2 filename:

  output unified2: filename snort.log, limit 128

One log directory and waldo file per monitored interface:

  mkdir /var/log/snort0 /var/log/snort1 /var/log/snort2
  chown snort:snort /var/log/snort0 /var/log/snort1 /var/log/snort2
  touch /var/log/snort0/barnyard.waldo
  touch /var/log/snort1/barnyard.waldo
  touch /var/log/snort2/barnyard.waldo

Run

  /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort1
  barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth1 -d /var/log/snort1 -f snort.log -D -w /var/log/snort1/barnyard.waldo

  /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0 -l /var/log/snort0
  barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth0 -d /var/log/snort0 -f snort.log -D -w /var/log/snort0/barnyard.waldo

  /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth2 -l /var/log/snort2
  barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth2 -d /var/log/snort2 -f snort.log -D -w /var/log/snort2/barnyard.waldo

Now tcpdump or iftop shows the traffic of the other machines on the same switch.

To protect the Snort host itself from attack, remove the IP addresses from the sniffing NICs so that Snort runs in stealth mode.
Remove the address from eth0, eth1 and eth2 in turn, leaving only the internal-network interface eth3:
ifdown eth1
vi /etc/sysconfig/network-scripts/ifcfg-eth1

  #NETMASK=255.255.255.192
  #IPADDR=66.84.77.8

ifup eth1
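The hand edit above, as an added example that is not part of the original post: a small POSIX shell helper that comments out the IPADDR and NETMASK lines of a RHEL/CentOS ifcfg file so the sniffing interface comes up without an address, plus a check to run after ifup. The sample ifcfg content and its 192.0.2.10 address are constructed for illustration; the function names are my own.

```shell
# Comment out the address lines of an ifcfg file (prints the result on stdout).
# Lines that are already commented are left untouched.
strip_ip_config() {
    sed -e 's/^IPADDR=/#IPADDR=/' -e 's/^NETMASK=/#NETMASK=/' "$1"
}

# Rewrite the file in place. Run `ifdown ethN` first and `ifup ethN` afterwards,
# exactly as the post does by hand.
stealth_ifcfg() {
    tmp=$(mktemp)
    strip_ip_config "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Number of address lines still active in the file (0 after stripping).
active_addr_lines() {
    grep -c -E '^(IPADDR|NETMASK)=' "$1" || true
}

# Post-ifup check: succeed only if the interface carries no IPv4 address.
# (Needs iproute2; not exercised by the self-test below.)
iface_has_no_ipv4() {
    ! ip -4 -o addr show dev "$1" | grep -q inet
}

# Constructed sample ifcfg, written to the path given (for demonstration only).
make_sample_ifcfg() {
    cat > "$1" <<'EOF'
DEVICE=eth1
BOOTPROTO=static
IPADDR=192.0.2.10
NETMASK=255.255.255.0
ONBOOT=yes
EOF
}
```

Typical use on the sensor: `ifdown eth1; stealth_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth1; ifup eth1; iface_has_no_ipv4 eth1 && echo stealth`. Snort still puts the interface into promiscuous mode itself, so no address is needed for capture.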

Start automatically at boot
vi /etc/rc.local

  /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort1
  barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth1 -d /var/log/snort1 -f snort.log -D -w /var/log/snort1/barnyard.waldo

  /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0 -l /var/log/snort0
  barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth0 -d /var/log/snort0 -f snort.log -D -w /var/log/snort0/barnyard.waldo

  /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth2 -l /var/log/snort2
  barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth2 -d /var/log/snort2 -f snort.log -D -w /var/log/snort2/barnyard.waldo
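The per-interface "Run" block and the identical rc.local block above repeat the same two command lines for each NIC. As an added example (not code from the post), the shell script below builds the snort/barnyard2 pair from the interface name, creates the matching /var/log/snortN directory and barnyard.waldo file first, and can be dropped into rc.local as `start_sensors eth0 eth1 eth2`. Paths follow the post; SNORT_LOG_ROOT and DRY_RUN are assumptions added here so the script can be exercised without root.

```shell
SNORT_BIN=/usr/local/snort/bin/snort
SNORT_CONF=/usr/local/snort/etc/snort.conf
BY2_CONF=/usr/local/snort/etc/barnyard2.conf
SNORT_LOG_ROOT=${SNORT_LOG_ROOT:-/var/log}   # assumption: override for testing
DRY_RUN=${DRY_RUN:-1}                        # 1 = print commands, 0 = run them

# Log directory for an interface, following the post's naming: eth1 -> /var/log/snort1
logdir_for() {
    printf '%s/snort%s\n' "$SNORT_LOG_ROOT" "${1#eth}"
}

# Create the log directory, hand it to the snort user (when root) and create the
# waldo bookmark barnyard2 uses to remember its position in the unified2 spool.
ensure_logdir() {
    dir=$(logdir_for "$1")
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ]; then chown snort:snort "$dir"; fi
    [ -e "$dir/barnyard.waldo" ] || : > "$dir/barnyard.waldo"
    printf '%s\n' "$dir"
}

# Snort runs daemonised, dropping to snort:snort, logging unified2 to its own directory.
snort_cmd() {
    printf '%s -D -u snort -g snort -c %s -i %s -l %s\n' \
        "$SNORT_BIN" "$SNORT_CONF" "$1" "$(logdir_for "$1")"
}

# barnyard2 follows the snort.log* spool of the same directory into MySQL.
barnyard2_cmd() {
    dir=$(logdir_for "$1")
    printf 'barnyard2 -c %s -i %s -d %s -f snort.log -D -w %s/barnyard.waldo\n' \
        "$BY2_CONF" "$1" "$dir" "$dir"
}

# Start (or, with DRY_RUN=1, just print) the snort + barnyard2 pair for each interface.
start_sensors() {
    for iface in "$@"; do
        ensure_logdir "$iface" >/dev/null
        for cmd in "$(snort_cmd "$iface")" "$(barnyard2_cmd "$iface")"; do
            if [ "$DRY_RUN" -eq 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
        done
    done
}
```

Keeping directory creation in the same script matters at boot: if /var/log/snortN or the waldo file is missing, barnyard2 exits and alerts silently stop reaching BASE while Snort keeps writing spool files.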

Error examples:
====================

  ERROR!  dnet header not found, go get it from
     http://code.google.com/p/libdnet/ or use the --with-dnet-*

Fix
Install dbus
http://www.freedesktop.org/wiki/Software/dbus/

  wget -O libdnet-1.11.tar.gz 'http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Flibdnet%2Ffiles%2Flibdnet%2Flibdnet-1.11%2F&ts=1392967212&use_mirror=jaist'
  tar zxvf libdnet-1.11.tar.gz
  cd libdnet-1.11
  ./configure
  make && make install

====================

  /usr/local/lib/libz.a: could not read symbols: Bad value
  collect2: ld returned 1 exit status

Fix
Install zlib

  wget http://nchc.dl.sourceforge.net/project/libpng/zlib/1.2.3/zlib-1.2.3.tar.gz
  tar zxvf zlib-1.2.3.tar.gz
  cd zlib-1.2.3
  ./configure
  vi Makefile: find the CFLAGS=... line and append -fPIC at the end (passing CFLAGS="-O3 -fPIC" at build time did not work)
  make
  make install

=======================

  May 15 15:22:37 c1gstudio snort[29521]: S5: Pruned 35 sessions from cache for memcap. 5881 ssns remain.  memcap: 8362032/8388608
  May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6038 ssns remain.  memcap: 8388229/8388608
  May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 5 sessions from cache for memcap. 6033 ssns remain.  memcap: 8377128/8388608
  May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 5 sessions from cache for memcap. 6029 ssns remain.  memcap: 8362875/8388608
  May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6022 ssns remain.  memcap: 8388607/8388608
  May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 20 sessions from cache for memcap. 6002 ssns remain.  memcap: 8379709/8388608

vi /usr/local/snort/etc/snort.conf

Raise memcap to 134217728 (128 MB):

  # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
  preprocessor stream5_global: track_tcp yes, \
     track_udp yes, \
     track_icmp no, \
     memcap 134217728, \
     max_tcp 262144, \
     max_udp 131072, \
     max_active_responses 2, \
     min_response_seconds 5

=====================

  WARNING: /usr/local/snort/etc/snort.conf(512) => Keyword priority for whitelist is not applied when white action is unblack.
  May 15 17:01:08 c1gstudio snort[12460]:     Processing whitelist file /usr/local/snort/etc/rules/white_list.rules
  May 15 17:01:08 c1gstudio snort[12460]:     Reputation entries loaded: 1, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/rules/white_list.rules)
  May 15 17:01:08 c1gstudio snort[12460]:     Processing blacklist file /usr/local/snort/etc/rules/black_list.rules
  May 15 17:01:08 c1gstudio snort[12460]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/rules/black_list.rules)
  May 15 17:01:08 c1gstudio snort[12460]:     Reputation total memory usage: 529052 bytes

WHITE_LIST_PATH must be an absolute path
vi /usr/local/snort/etc/snort.conf

  var WHITE_LIST_PATH /usr/local/snort/etc/rules
  var BLACK_LIST_PATH /usr/local/snort/etc/rules

Blacklist/whitelist example, but it did not work when I tried it.

  preprocessor reputation: \
                     nested_ip both, \
                     blacklist /etc/snort/default.blacklist, \
                     whitelist /etc/snort/default.whitelist, \
                     white trust

  In file "default.blacklist"
        # These two entries will match all ipv4 addresses
        1.0.0.0/1
        128.0.0.0/1

  In file "default.whitelist"
        68.177.102.22 # sourcefire.com
        74.125.93.104 # google.com

================

  May 15 23:29:32 c1gstudio snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049895 bytes (server queue). 36.250.86.52 5917 --> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x2001
  May 15 23:32:42 c1gstudio snort[20203]: S5: Pruned session from cache that was using 1108276 bytes (stale/timeout). 36.250.86.52 5917 --> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x212001
  May 16 05:01:49 c1gstudio snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049688 bytes (client queue). 69.196.253.30 3734 --> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x402003

max_queued_bytes
Default is "1048576" (1MB).
Raise it to 10MB:

  preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
     max_queued_bytes 10485760, \
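Both the memcap pruning messages and the max_queued_bytes messages above are Stream5 ("S5:") lines in syslog, and reading them by eye is how the post arrives at its new memcap and max_queued_bytes values. As an added example (not from the post), the POSIX shell/awk function below summarises such lines: total sessions pruned for memcap, the peak memcap utilisation in percent, how many sessions hit the queue limit, and the largest queue seen, so the tuning decision can be made from numbers rather than scrolling. The sample log lines are constructed in the post's format with documentation addresses; the function names are my own.

```shell
# Summarise Stream5 syslog lines read from stdin.
# Output: pruned=<n> peak_pct=<p> exceeded=<n> max_queued=<bytes>
s5_report() {
    awk '
        # "S5: Pruned 35 sessions from cache for memcap. ... memcap: used/total"
        /S5: Pruned [0-9]+ sessions from cache for memcap/ {
            pruned += $8                 # $8 is the pruned-session count
            split($NF, m, "/")           # last field is used/total bytes
            pct = 100 * m[1] / m[2]
            if (pct > peak) peak = pct
            next
        }
        # "S5: Session exceeded configured max bytes to queue N using M bytes ..."
        /S5: Session exceeded configured max bytes to queue/ {
            exceeded++
            for (i = 1; i < NF; i++)
                if ($i == "using" && $(i + 1) + 0 > maxq) maxq = $(i + 1) + 0
            next
        }
        # Stale/timeout prunes and everything else are deliberately ignored.
        END {
            printf "pruned=%d peak_pct=%d exceeded=%d max_queued=%d\n",
                   pruned, int(peak), exceeded, maxq
        }
    '
}

# Exit 0 when the log shows memcap pressure (>= 95% used while pruning) or
# sessions hitting max_queued_bytes, i.e. when the thresholds deserve a look.
s5_needs_tuning() {
    s5_report | awk -F'[ =]' '{ exit !($4 >= 95 || $6 > 0) }'
}

# Constructed sample in the post's format (two memcap prunes, one stale prune
# that must not be counted, two queue-limit hits).
sample_s5_log() {
    cat <<'EOF'
May 15 15:22:37 host snort[29521]: S5: Pruned 35 sessions from cache for memcap. 5881 ssns remain.  memcap: 8362032/8388608
May 15 15:22:38 host snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6038 ssns remain.  memcap: 8388229/8388608
May 15 23:29:32 host snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049895 bytes (server queue). 192.0.2.7 5917 --> 192.0.2.8 80 (0) : LWstate 0x1 LWFlags 0x2001
May 15 23:32:42 host snort[20203]: S5: Pruned session from cache that was using 1108276 bytes (stale/timeout). 192.0.2.7 5917 --> 192.0.2.8 80 (0) : LWstate 0x1 LWFlags 0x212001
May 16 05:01:49 host snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049688 bytes (client queue). 192.0.2.9 3734 --> 192.0.2.8 80 (0) : LWstate 0x1 LWFlags 0x402003
EOF
}
```

On a live sensor run it as `grep 'S5:' /var/log/messages | s5_report`. A peak near 100% together with a non-zero pruned count is exactly the situation the post fixes by raising memcap; sessions pruned for memcap are sessions Snort stops inspecting, so the count is a direct measure of blind spots.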

References:
http://www.ibm.com/developerworks/cn/web/wa-snort1/
http://www.ibm.com/developerworks/cn/web/wa-snort2/

http://www.snort.org/snort-downloads?
http://man.chinaunix.net/network/snort/Snortman.htm
http://blog.chinaunix.net/uid-286494-id-2134474.html
http://blog.chinaunix.net/uid-522598-id-1764389.html
http://sourceforge.net/p/snort/mailman/snort-users/thread/433A1D25-D6EE-4257-8CE6-3743395D05D0%40auckland.ac.nz/#msg26465706
http://manual.snort.org/
