【简 介】 　　Snort是一个轻便的网络入侵检测系统，可以完成实时流量分析和对网络上的IP包登录进行测试等功能，能完成协议分析，内容查找／匹配，能用来探测多种攻击和嗅探（如缓冲区溢出、秘密断口扫描、CGI攻击、SMB嗅探、拇纹采集尝试等）。

snort 需安装libpcap和dap As of Snort 2.9.0, and DAQ, Snort now requires the use of a libpcap version greater than 1.0. Unfortunately for people using RHEL 5 (and below), CentOS 5.5 (and below), and Fedora Core 11 (and below), there is not an official RPM for libpcap 1.0.

Sourcefire will not repackage libpcap and distribute libpcap with Snort as part of an RPM, as it may cause other problems and will not be officially supported by Redhat.

yum 安装

yum install libpcap libpcap-devel wget http://www.tcpdump.org/release/libpcap-1.4.0.tar.gz tar zxvf libpcap-1.4.0.tar.gz cd libpcap-1.4.0 ./configure make make install cd .. http://code.google.com/p/libdnet/ wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz tar zxvf libdnet-1.12.tgz cd libdnet-1.12 ./configure make && make install cd .. wget http://www.snort.org/downloads/2778 tar zxvf dap-2.0.2.tar.gz cd daq-2.0.2 ./configure –with-libpcap-libraries=/usr/local/lib make make install

添加用户

groupadd snort useradd -g snort snort -s/sbin/nologin

安装snort

cd .. wget http://www.snort.org/downloads/2787 tar zxvf snort-2.9.6.0.tar.gz cd snort-2.9.6.0 ./configure –prefix=/usr/local/snort-2.9.6.0 –with-dnet-libraries=/usr/local/lib/ make make install cd /usr/local ln -s snort-2.9.6.0 snort cd bin ./snort -v

错误

usr/local/snort/bin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

解决

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib cp libdnet libdnet.so cp libdnet.1 libdnet.1.so ldconfig

错误

configure: WARNING: unrecognized options: –with-mysql

snort-Snort 2.9.3开始不支持mysql,改用barnyard插件

snort规则下载地址： 1.在http://www.snort.org/ 可以免费下载到社区版 snortrules-snapshot,下载官方rules是需要订阅付费 2.在 http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/rules/ 可以下载到一个第三方的 rules 文件 rules.tar.gz，这个系列更新也比较频繁,我的snortrules-snapshot-2.8.tar.gz 是在51cto上下载的。 3.BASE 可以从http://sourceforge.net/projects/secureideas/ 获取版本或者用软件SnortCenter是一个基于Web的snort探针和规则管理系统，用于远程修改snort探针的配置，起动、停止探针，编辑、分发snort特征码规则。http://users.telenet.be/larc/download/ 4.Adodb 可以从 http://sourceforge.net/projects/adodb/ 下载.ADODB 是 Active Data Objects Data Base 的简称，它是一种 PHP 存取数据库的中间函式组件

mkdir /usr/local/snort/etc cd /usr/local/snort/etc/ tar zxvf snortrules-snapshot-2956.tar.gz mv etc/* . rm snortrules-snapshot-2956.tar.gz chown -R root:root . vi /usr/local/snort/etc/snort.conf

修改

var RULE_PATH /usr/local/snort/etc/rules var SO_RULE_PATH /usr/local/snort/etc/so_rules var PREPROC_RULE_PATH /usr/local/snort/etc/preproc_rules var WHITE_LIST_PATH /usr/local/snort/etc/rules var BLACK_LIST_PATH /usr/local/snort/etc/rules dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/ dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules output unified2: filename /var/log/snort/snort.u2, limit 128 mkdir /usr/local/snort/lib/snort_dynamicrules mkdir /var/log/snort chown snort:snort /var/log/snort touch /usr/local/snort/etc/rules/white_list.rules touch /usr/local/snort/etc/rules/black_list.rules

启动snort

/usr/local/snort/bin/snort -d -u snort -g snort -l /var/log/snort -c /usr/local/snort/etc/snort.conf –== Initialization Complete ==– ,,_ -*> Snort!

The database output plugins are considered deprecated as !! of Snort 2.9.2 and will be removed in Snort 2.9.3.

barnyard知名的开源IDS的日志工具，具有快速的响应速度，优异的数据库写入功能，是做自定义的入侵检测系统不可缺少的插件 http://www.securixlive.com/barnyard2/download.php

安装barnyard2,前提需要你已安装mysql,这里装在/opt/mysql

wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz tar zxvf barnyard2-1.9.tar.gz cd barnyard2-1.9 ./configure –with-mysql=/opt/mysql make make install cp etc/barnyard2.conf /usr/local/snort/etc/ mkdir /var/log/barnyard2 touch /var/log/snort/barnyard2.waldo vi /usr/local/snort/etc/barnyard2.conf config reference_file: /usr/local/snort/etc/reference.config config classification_file: /usr/local/snort/etc/classification.config config gen_file: /usr/local/snort/etc/gen-msg.map config sid_file: /usr/local/snort/etc/sid-msg.map config hostname: localhost config interface: eth0 outdatabase: output database: log, mysql, user=snort password=snort dbname=snort host=localhost

output database配好自已的db地址和密码

在编译目录schemas/create_mysql下有数据库语句,用mysql导入

CREATE USER ‘snort’@’localhost’ IDENTIFIED BY ‘***’; GRANT USAGE ON * . * TO ‘snort’@’localhost’ IDENTIFIED BY ‘***’ WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; GRANT SELECT , INSERT , UPDATE , DELETE , CREATE , DROP , INDEX , ALTER ON `snortdb` . * TO ‘snort’@’localhost’;

安装base和adodb

wget http://jaist.dl.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz tar zxvf base-1.4.5.tar.gz chown -R www:website base-1.4.5 mv base-1.4.5 /opt/htdocs/www/ ln -s base-1.4.5 base http://jaist.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.zip unzip adodb518a.zip chown -R www:website adodb5 mv adodb5 /opt/htdocs/www/base/adodb5

更新php的pear组件

cd /opt/php/bin ./pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman Mail_Mime Mail

访问地址并在线安装,就是配制一下 http://localhost:80/base/setup/index.php

测试snort

/usr/local/snort/bin/snort vd -i eth1

Snort还有一个测试功能选项（“－T”），它可以轻松地检测到用户批准的配置变更。你可以输入命令“snort -c /etc/snort/snort.conf -T”，然后查看输出来判断变化的配置是否工作正常。

运行snort,监控eth1入侵并记录日志到mysql中

/usr/local/snort/bin/snort -D -c /usr/local/snort/etc/snort.conf -i eth1 barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -D -w /var/log/snort/barnyard2.waldo

查看流量 iftop -i eth1

如果有入侵,在base就可以看到记录.

如果需要监控整个交换机的流量,可以在交换机上做端口镜像将流量导入到snort机网卡对应的端口上. 我这里snort机上有4个网卡,监控电信、网通还有内网的流量,剩下一个做管理和转输数据。

vi /usr/local/snort/etc/barnyard2.conf 去掉绝对路径和时间戳

output unified2: filename snort.log, limit 128 mkdir /var/log/snort0 /var/log/snort1 /var/log/snort2 chown snort:snort /var/log/snort0 /var/log/snort1 /var/log/snort2 touch /var/log/snort0/barnyard.waldo touch /var/log/snort1/barnyard.waldo touch /var/log/snort2/barnyard.waldo

运行

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort1 barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth1 -d /var/log/snort1 -f snort.log -D -w /var/log/snort1/barnyard.waldo /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0 -l /var/log/snort0 barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth0 -d /var/log/snort0 -f snort.log -D -w /var/log/snort0/barnyard.waldo /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth2 -l /var/log/snort2 barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth2 -d /var/log/snort2 -f snort.log -D -w /var/log/snort2/barnyard.waldo

这时用tcpdump或iftop可以看到同交换机上其它机器的流量.

防止攻击snort,去掉网卡ip, 隐密snort方式 依次去掉eth0、eth1、eth2留下内网eth3 ifdown eth1 vi /etc/sysconfig/network-scripts/ifcfg-eth1

#NETMASK=255.255.255.192 #IPADDR=66.84.77.8

ifup eth1

自动启动 vi /etc/rc.local

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort1 barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth1 -d /var/log/snort1 -f snort.log -D -w /var/log/snort1/barnyard.waldo /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0 -l /var/log/snort0 barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth0 -d /var/log/snort0 -f snort.log -D -w /var/log/snort0/barnyard.waldo /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth2 -l /var/log/snort2 barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth2 -d /var/log/snort2 -f snort.log -D -w /var/log/snort2/barnyard.waldo

错误示例:

ERROR! dnet header not found, go get it from http://code.google.com/p/libdnet/ or use the –with-dnet-*

解决 安装dbus http://www.freedesktop.org/wiki/Software/dbus/

http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Flibdnet%2Ffiles%2Flibdnet%2Flibdnet-1.11%2F&ts=1392967212&use_mirror=jaist tar zxvf libdnet.1.11.tar.gz cd libdnet.1.11 ./configure make && make install

====================

/usr/local/lib/libz.a: could not read symbols: Bad value collect2: ld returned 1 exit status

解决 安装zlib

wget http://nchc.dl.sourceforge.net/project/libpng/zlib/1.2.3/zlib-1.2.3.tar.gz tar zxvf zlib-1.2.3.tar.gz cd zlib-1.2.3 ./configure vi MakeFile ,找到 CFLAGS=xxxxx ,在最后面加上 -fPIC #编译时加这个没用CFLAGS=”-O3 -fPIC” make make install

=======================

May 15 15:22:37 c1gstudio snort[29521]: S5: Pruned 35 sessions from cache for memcap. 5881 ssns remain. memcap: 8362032/8388608 May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6038 ssns remain. memcap: 8388229/8388608 May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 5 sessions from cache for memcap. 6033 ssns remain. memcap: 8377128/8388608 May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 5 sessions from cache for memcap. 6029 ssns remain. memcap: 8362875/8388608 May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6022 ssns remain. memcap: 8388607/8388608 May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 20 sessions from cache for memcap. 6002 ssns remain. memcap: 8379709/8388608

vi /usr/local/snort/etc/snort.conf

增加memcap 134217728 (128m)

# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5 preprocessor stream5_global: track_tcp yes, \ track_udp yes, \ track_icmp no, \ memcap 134217728, \ max_tcp 262144, \ max_udp 131072, \ max_active_responses 2, \ min_response_seconds 5

=====================

WARNING: /usr/local/snort/etc/snort.conf(512) => Keyword priority for whitelist is not applied when white action is unblack. May 15 17:01:08 c1gstudio snort[12460]: Processing whitelist file /usr/local/snort/etc/rules/white_list.rules May 15 17:01:08 c1gstudio snort[12460]: Reputation entries loaded: 1, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/rules/white_list.rules) May 15 17:01:08 c1gstudio snort[12460]: Processing blacklist file /usr/local/snort/etc/rules/black_list.rules May 15 17:01:08 c1gstudio snort[12460]: Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/rules/black_list.rules) May 15 17:01:08 c1gstudio snort[12460]: Reputation total memory usage: 529052 bytes

WHITE_LIST_PATH 绝对路径 vi /usr/local/snort/etc/snort.conf

var WHITE_LIST_PATH /usr/local/snort/etc/rules var BLACK_LIST_PATH /usr/local/snort/etc/rules

黑白名单示例,但我尝试无效.

preprocessor reputation: \ nested_ip both, \ blacklist /etc/snort/default.blacklist, \ whitelist /etc/snort/default.whitelist white trust In file “default.blacklist” # These two entries will match all ipv4 addresses 1.0.0.0/1 128.0.0.0/1 In file “default.whitelist” 68.177.102.22 # sourcefire.com 74.125.93.104 # google.com

================

May 15 23:29:32 c1gstudio snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049895 bytes (server queue). 36.250.86.52 5917 –> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x2001 May 15 23:32:42 c1gstudio snort[20203]: S5: Pruned session from cache that was using 1108276 bytes (stale/timeout). 36.250.86.52 5917 –> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x212001 May 16 05:01:49 c1gstudio snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049688 bytes (client queue). 69.196.253.30 3734 –> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x402003

max_queued_bytes Default is “1048576” (1MB). 改成10MB

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \ max_queued_bytes 10485760, \

参考: http://www.ibm.com/developerworks/cn/web/wa-snort1/ http://www.ibm.com/developerworks/cn/web/wa-snort2/

http://www.snort.org/snort-downloads? http://man.chinaunix.net/network/snort/Snortman.htm http://blog.chinaunix.net/uid-286494-id-2134474.html http://blog.chinaunix.net/uid-522598-id-1764389.html http://sourceforge.net/p/snort/mailman/snort-users/thread/433A1D25-D6EE-4257-8CE6-3743395D05D0%40auckland.ac.nz/#msg26465706 http://manual.snort.org/