

Deploying a Snort + BASE intrusion detection system

[Introduction]
  Snort is a lightweight network intrusion detection system. It performs real-time traffic analysis and logging of IP packets on the network, does protocol analysis and content searching/matching, and can detect a wide range of attacks and probes (such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and so on).

Snort requires libpcap and DAQ to be installed.
As of Snort 2.9.0, and DAQ, Snort now requires the use of a libpcap version greater than 1.0. Unfortunately for people using RHEL 5 (and below), CentOS 5.5 (and below), and Fedora Core 11 (and below), there is not an official RPM for libpcap 1.0.

Sourcefire will not repackage libpcap and distribute libpcap with Snort as part of an RPM, as it may cause other problems and will not be officially supported by Redhat.

Installing with yum

yum install libpcap libpcap-devel


wget http://www.tcpdump.org/release/libpcap-1.4.0.tar.gz
tar zxvf libpcap-1.4.0.tar.gz
cd libpcap-1.4.0
./configure
make
make install


cd ..
http://code.google.com/p/libdnet/
wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar zxvf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make && make install


cd ..
wget http://www.snort.org/downloads/2778
tar zxvf daq-2.0.2.tar.gz
cd daq-2.0.2
./configure --with-libpcap-libraries=/usr/local/lib
make
make install

Add a user

groupadd snort
useradd -g snort snort -s /sbin/nologin

Install Snort

cd ..
wget http://www.snort.org/downloads/2787
tar zxvf snort-2.9.6.0.tar.gz
cd snort-2.9.6.0
./configure --prefix=/usr/local/snort-2.9.6.0 --with-dnet-libraries=/usr/local/lib/
make
make install
cd /usr/local
ln -s snort-2.9.6.0 snort
cd bin
./snort -v

Error

/usr/local/snort/bin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

Solution

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
cp libdnet libdnet.so
cp libdnet.1 libdnet.1.so
ldconfig

Error

configure: WARNING: unrecognized options: --with-mysql

Since Snort 2.9.3, Snort no longer supports MySQL output directly; use the barnyard2 plugin instead.

Snort rule download locations:
1. The community snortrules-snapshot can be downloaded free from http://www.snort.org/ ; the official rules require a paid subscription.
2. A third-party rules file, rules.tar.gz, is available from http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/rules/ ; this series is also updated fairly frequently. My snortrules-snapshot-2.8.tar.gz was downloaded from 51cto.
3. BASE can be obtained from http://sourceforge.net/projects/secureideas/ . Alternatively, SnortCenter is a web-based Snort sensor and rule management system, used to remotely change sensor configuration, start and stop sensors, and edit and distribute Snort signature rules: http://users.telenet.be/larc/download/
4. ADOdb can be downloaded from http://sourceforge.net/projects/adodb/ . ADODB is short for Active Data Objects Data Base; it is a PHP database-access abstraction library.


mkdir /usr/local/snort/etc
cd /usr/local/snort/etc/
tar zxvf snortrules-snapshot-2956.tar.gz
mv etc/* .
rm snortrules-snapshot-2956.tar.gz

chown -R root:root .
vi /usr/local/snort/etc/snort.conf

Modify

var RULE_PATH /usr/local/snort/etc/rules
var SO_RULE_PATH /usr/local/snort/etc/so_rules
var PREPROC_RULE_PATH /usr/local/snort/etc/preproc_rules

var WHITE_LIST_PATH /usr/local/snort/etc/rules
var BLACK_LIST_PATH /usr/local/snort/etc/rules

dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

output unified2: filename /var/log/snort/snort.u2, limit 128


mkdir /usr/local/snort/lib/snort_dynamicrules
mkdir /var/log/snort
chown snort:snort /var/log/snort

touch /usr/local/snort/etc/rules/white_list.rules
touch /usr/local/snort/etc/rules/black_list.rules

Start Snort

/usr/local/snort/bin/snort -d -u snort -g snort -l /var/log/snort -c /usr/local/snort/etc/snort.conf


--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.3

The database output plugins are considered deprecated as
!! of Snort 2.9.2 and will be removed in Snort 2.9.3.

barnyard2 is a well-known log processor for open-source IDS: it responds quickly and writes to databases efficiently, and is an essential component when building a custom intrusion detection system.
http://www.securixlive.com/barnyard2/download.php

Install barnyard2. This assumes MySQL is already installed; here it lives under /opt/mysql.

wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
tar zxvf barnyard2-1.9.tar.gz
cd barnyard2-1.9
./configure --with-mysql=/opt/mysql
make
make install

cp etc/barnyard2.conf /usr/local/snort/etc/
mkdir /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo

vi /usr/local/snort/etc/barnyard2.conf


config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map

config hostname: localhost
config interface: eth0
output database: log, mysql, user=snort password=snort dbname=snort host=localhost

In the output database line, fill in your own database address and password.

The database creation SQL is in schemas/create_mysql under the build directory; import it with mysql.

CREATE USER 'snort'@'localhost' IDENTIFIED BY '***';

GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY '***' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON `snortdb`.* TO 'snort'@'localhost';

Install BASE and ADOdb

wget http://jaist.dl.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz
tar zxvf base-1.4.5.tar.gz
chown -R www:website base-1.4.5
mv base-1.4.5 /opt/htdocs/www/
ln -s base-1.4.5 base

http://jaist.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.zip
unzip adodb518a.zip
chown -R www:website adodb5
mv adodb5 /opt/htdocs/www/base/adodb5

Update the PHP PEAR packages

cd /opt/php/bin
./pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman Mail_Mime Mail

Open the setup page in a browser and complete the installation online; it is only a matter of configuration:
http://localhost:80/base/setup/index.php

Test Snort

/usr/local/snort/bin/snort -vd -i eth1

Snort also has a test option ("-T") that makes it easy to verify a configuration change before using it. Run "snort -c /etc/snort/snort.conf -T" and inspect the output to judge whether the changed configuration works properly.

Run Snort to monitor eth1 for intrusions and log the events to MySQL

/usr/local/snort/bin/snort -D -c /usr/local/snort/etc/snort.conf -i eth1

barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -D -w /var/log/snort/barnyard2.waldo

Check the traffic
iftop -i eth1

If there is an intrusion, the record will show up in BASE.

To monitor the traffic of an entire switch, configure port mirroring on the switch so that the traffic is copied to the switch port connected to the Snort machine's NIC.
My Snort box has 4 NICs: three monitor the China Telecom, China Netcom and internal-network traffic, and the remaining one is used for management and data transfer.

vi /usr/local/snort/etc/barnyard2.conf
Drop the absolute path and the timestamp from the unified2 file name:

output unified2: filename snort.log, limit 128


mkdir /var/log/snort0 /var/log/snort1 /var/log/snort2
chown snort:snort /var/log/snort0 /var/log/snort1 /var/log/snort2
touch /var/log/snort0/barnyard.waldo
touch /var/log/snort1/barnyard.waldo
touch /var/log/snort2/barnyard.waldo

Run

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort1
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth1 -d /var/log/snort1 -f snort.log -D -w /var/log/snort1/barnyard.waldo

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0 -l /var/log/snort0
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth0 -d /var/log/snort0 -f snort.log -D -w /var/log/snort0/barnyard.waldo

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth2 -l /var/log/snort2
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth2 -d /var/log/snort2 -f snort.log -D -w /var/log/snort2/barnyard.waldo

At this point tcpdump or iftop will show the traffic of the other machines on the same switch.

To protect Snort itself from attack, remove the IP addresses from the monitoring NICs (stealth mode for Snort).
Remove the IPs from eth0, eth1 and eth2 in turn, leaving only the internal-network eth3:
ifdown eth1
vi /etc/sysconfig/network-scripts/ifcfg-eth1

#NETMASK=255.255.255.192
#IPADDR=66.84.77.8

ifup eth1

Start automatically at boot
vi /etc/rc.local

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort1
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth1 -d /var/log/snort1 -f snort.log -D -w /var/log/snort1/barnyard.waldo

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0 -l /var/log/snort0
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth0 -d /var/log/snort0 -f snort.log -D -w /var/log/snort0/barnyard.waldo

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth2 -l /var/log/snort2
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth2 -d /var/log/snort2 -f snort.log -D -w /var/log/snort2/barnyard.waldo

Error examples:
====================

ERROR! dnet header not found, go get it from
http://code.google.com/p/libdnet/ or use the --with-dnet-*

Solution
Install libdnet
http://www.freedesktop.org/wiki/Software/dbus/

wget 'http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Flibdnet%2Ffiles%2Flibdnet%2Flibdnet-1.11%2F&ts=1392967212&use_mirror=jaist'
tar zxvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure
make && make install

====================

/usr/local/lib/libz.a: could not read symbols: Bad value
collect2: ld returned 1 exit status

Solution
Install zlib

wget http://nchc.dl.sourceforge.net/project/libpng/zlib/1.2.3/zlib-1.2.3.tar.gz
tar zxvf zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure
vi Makefile, find the line CFLAGS=xxxxx and append -fPIC at the end  # passing CFLAGS="-O3 -fPIC" at build time had no effect
make
make install

=======================

May 15 15:22:37 c1gstudio snort[29521]: S5: Pruned 35 sessions from cache for memcap. 5881 ssns remain. memcap: 8362032/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6038 ssns remain. memcap: 8388229/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 5 sessions from cache for memcap. 6033 ssns remain. memcap: 8377128/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 5 sessions from cache for memcap. 6029 ssns remain. memcap: 8362875/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6022 ssns remain. memcap: 8388607/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 20 sessions from cache for memcap. 6002 ssns remain. memcap: 8379709/8388608

vi /usr/local/snort/etc/snort.conf

Increase memcap to 134217728 (128 MB):

# Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
memcap 134217728, \
max_tcp 262144, \
max_udp 131072, \
max_active_responses 2, \
min_response_seconds 5

=====================

WARNING: /usr/local/snort/etc/snort.conf(512) => Keyword priority for whitelist is not applied when white action is unblack.
May 15 17:01:08 c1gstudio snort[12460]: Processing whitelist file /usr/local/snort/etc/rules/white_list.rules
May 15 17:01:08 c1gstudio snort[12460]: Reputation entries loaded: 1, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/rules/white_list.rules)
May 15 17:01:08 c1gstudio snort[12460]: Processing blacklist file /usr/local/snort/etc/rules/black_list.rules
May 15 17:01:08 c1gstudio snort[12460]: Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/rules/black_list.rules)
May 15 17:01:08 c1gstudio snort[12460]: Reputation total memory usage: 529052 bytes

WHITE_LIST_PATH must be an absolute path
vi /usr/local/snort/etc/snort.conf

var WHITE_LIST_PATH /usr/local/snort/etc/rules
var BLACK_LIST_PATH /usr/local/snort/etc/rules

Blacklist/whitelist example, but my attempt did not work.

preprocessor reputation: \
nested_ip both, \
blacklist /etc/snort/default.blacklist, \
whitelist /etc/snort/default.whitelist, \
white trust

In file "default.blacklist"
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1

In file "default.whitelist"
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com
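A small checker for these two list files, added here as an example (it is not code from the page or from Snort): it parses entries the way the "entries loaded / invalid" log lines above count them and reports which list an address falls in, assuming the preprocessor's default priority, where the whitelist wins when an address is on both lists. The list contents are constructed copies of the two example files.

```python
import ipaddress

# Constructed copies of the two example list files above.
BLACKLIST_TEXT = """\
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1
"""
WHITELIST_TEXT = """\
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com
"""

def load_list(text):
    """Parse a reputation list: one IP or CIDR per line, '#' starts a comment.
    Returns (networks, invalid_lines), i.e. the 'loaded' and 'invalid' counts."""
    networks, invalid = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits set, e.g. 1.0.0.0/1 -> 0.0.0.0/1
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append(raw)
    return networks, invalid

def classify(addr, blacklist, whitelist, priority="whitelist"):
    """Return which list an address hits; 'priority' names the list that wins
    when the address is on both (assumed default: whitelist)."""
    ip = ipaddress.ip_address(addr)
    in_black = any(ip in net for net in blacklist)
    in_white = any(ip in net for net in whitelist)
    if in_black and in_white:
        return priority
    if in_black:
        return "blacklist"
    if in_white:
        return "whitelist"
    return "none"

if __name__ == "__main__":
    black, _ = load_list(BLACKLIST_TEXT)
    white, _ = load_list(WHITELIST_TEXT)
    for a in ("74.125.93.104", "203.0.113.9"):
        print(a, classify(a, black, white))
```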

================

May 15 23:29:32 c1gstudio snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049895 bytes (server queue). 36.250.86.52 5917 -> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x2001
May 15 23:32:42 c1gstudio snort[20203]: S5: Pruned session from cache that was using 1108276 bytes (stale/timeout). 36.250.86.52 5917 -> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x212001
May 16 05:01:49 c1gstudio snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049688 bytes (client queue). 69.196.253.30 3734 -> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x402003
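A triage script for the two kinds of stream5 message shown on this page (the "Pruned N sessions from cache for memcap" lines earlier and the "exceeded configured max bytes to queue" lines just above), added as an example and not part of the original post: it parses syslog output, measures how close memcap got to its limit, counts queue overflows per server, and names the snort.conf knob each condition points at. The log lines are constructed in the same shape as the real ones, with made-up host, pid and addresses.

```python
import re
from collections import Counter

# Constructed syslog lines in the shape of the stream5 messages above;
# host, pid and addresses are made up for this example.
SAMPLE_LOG = """\
May 15 15:22:37 sensor snort[29521]: S5: Pruned 35 sessions from cache for memcap. 5881 ssns remain. memcap: 8362032/8388608
May 15 15:22:38 sensor snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6038 ssns remain. memcap: 8388229/8388608
May 15 23:29:32 sensor snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049895 bytes (server queue). 192.0.2.10 5917 -> 198.51.100.7 80 (0) : LWstate 0x1 LWFlags 0x2001
May 15 23:32:42 sensor snort[20203]: S5: Pruned session from cache that was using 1108276 bytes (stale/timeout). 192.0.2.10 5917 -> 198.51.100.7 80 (0) : LWstate 0x1 LWFlags 0x212001
May 16 05:01:49 sensor snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049688 bytes (client queue). 192.0.2.11 3734 -> 198.51.100.7 80 (0) : LWstate 0x1 LWFlags 0x402003
"""

MEMCAP_RE = re.compile(r"S5: Pruned (\d+) sessions from cache for memcap\. "
                       r"(\d+) ssns remain\. memcap: (\d+)/(\d+)")
QUEUE_RE = re.compile(r"S5: Session exceeded configured max bytes to queue (\d+) "
                      r"using (\d+) bytes \((\w+) queue\)\. (\S+) (\d+) -> (\S+) (\d+)")

def triage_s5(log_text):
    """Summarise stream5 resource events and say which snort.conf knob they point at."""
    rep = {"memcap_prunes": 0, "sessions_pruned": 0, "memcap_limit": None,
           "memcap_peak_ratio": 0.0, "queue_limit": None,
           "queue_overflows": Counter(), "advice": []}
    for line in log_text.splitlines():
        m = MEMCAP_RE.search(line)
        if m:
            pruned, _remain, used, limit = map(int, m.groups())
            rep["memcap_prunes"] += 1
            rep["sessions_pruned"] += pruned
            rep["memcap_limit"] = limit
            rep["memcap_peak_ratio"] = max(rep["memcap_peak_ratio"], used / limit)
            continue
        m = QUEUE_RE.search(line)
        if m:
            limit, _used, side, _src, _sport, dst, dport = m.groups()
            rep["queue_limit"] = int(limit)
            # count overflows per (queue side, server) to spot a noisy service
            rep["queue_overflows"][(side, dst, dport)] += 1
    if rep["memcap_prunes"]:
        rep["advice"].append("stream5_global memcap %d is full (peak %.1f%%): sessions are being "
                             "pruned, raise memcap" % (rep["memcap_limit"], 100 * rep["memcap_peak_ratio"]))
    if rep["queue_overflows"]:
        rep["advice"].append("stream5_tcp max_queued_bytes %d exceeded %d times: reassembly is "
                             "truncated, raise max_queued_bytes" % (rep["queue_limit"], sum(rep["queue_overflows"].values())))
    return rep

if __name__ == "__main__":
    print("\n".join(triage_s5(SAMPLE_LOG)["advice"]))
```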

max_queued_bytes
The default is "1048576" (1MB).
Change it to 10MB:


preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
max_queued_bytes 10485760, \

References:
http://www.ibm.com/developerworks/cn/web/wa-snort1/
http://www.ibm.com/developerworks/cn/web/wa-snort2/

http://www.snort.org/snort-downloads?
http://man.chinaunix.net/network/snort/Snortman.htm
http://blog.chinaunix.net/uid-286494-id-2134474.html
http://blog.chinaunix.net/uid-522598-id-1764389.html
http://sourceforge.net/p/snort/mailman/snort-users/thread/433A1D25-D6EE-4257-8CE6-3743395D05D0%40auckland.ac.nz/#msg26465706
http://manual.snort.org/

Posted in Security, Technology.
