These are my Snort installation notes, shared for anyone who finds them useful.

Environment and Snort version to install

Ubuntu 14.04 LTS
snort-2.9.7.6


Installing the required packages

Install the dependencies first so that compiling Snort later does not run into problems.

$ sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev

Download, build and install as described on the official site.

$ wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
$ wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
$ tar xvfz daq-2.0.6.tar.gz
$ cd daq-2.0.6
$ ./configure; make; sudo make install
$ tar xvfz snort-2.9.7.6.tar.gz
$ cd snort-2.9.7.6
$ ./configure --enable-sourcefire; make; sudo make install

Testing whether Snort installed correctly

Run the following command; you should see the little pig banner together with the version information.

$ snort -V

(screenshot snort1: the Snort pig banner and version output)


Snort setup


#!/bin/bash

#snort source location
snort_src=~/snort-2.9.7.6

# adding group and user
sudo groupadd snort
sudo useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort

# Configuring snort
sudo mkdir -p /etc/snort
sudo mkdir -p /etc/snort/rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /var/log/snort
sudo mkdir -p /usr/local/lib/snort_dynamicrules
sudo chmod -R 775 /etc/snort
sudo chmod -R 775 /var/log/snort
sudo chmod -R 775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

#copy configuration files
cd $snort_src/etc
sudo cp * /etc/snort

Notes:

  • A dedicated user is created to run Snort
    -s sets the login shell; nologin is a valid shell that refuses logins, so the account cannot be used to log in
    -c the comment field
    -g the primary group
  • /etc/snort is created as the directory that holds Snort's configuration; you can choose another location if you prefer
  • The blacklist and whitelist rule files and local.rules are created (custom rules go in local.rules)
  • Directory permissions (775) and owner (snort) are set
  • The configuration files are copied from the source directory to /etc/snort
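
As an added check that is not part of the original notes, the following shell function verifies that the setup script produced the intended layout: every directory exists, is owned by snort:snort and has mode 775. The function name, its argument order and the use of GNU stat's -c format (Ubuntu) are assumptions of this example. Snort itself only needs to read /etc/snort; the one directory it must be able to write is /var/log/snort, so a tighter deployment would drop the group-write bit on the configuration tree and keep 775 only on the log directory.

```sh
#!/bin/sh
# Added example (not part of the original notes): verify the layout created by
# the setup script. Requires GNU stat (Ubuntu); the function name and argument
# order are assumptions of this example.
#
#   check_layout OWNER:GROUP MODE PATH...
# Prints one line per problem and returns 1 if anything is off, 0 otherwise.
check_layout() {
    owner=$1
    mode=$2
    shift 2
    rc=0
    for path in "$@"; do
        if [ ! -d "$path" ]; then
            echo "$path: directory missing"
            rc=1
            continue
        fi
        # %U:%G = owner:group, %a = permission bits in octal
        actual=$(stat -c '%U:%G %a' "$path")
        if [ "$actual" != "$owner $mode" ]; then
            echo "$path: expected $owner $mode, found $actual"
            rc=1
        fi
    done
    return $rc
}

# As it would be used right after the setup script in these notes (run as root):
#   check_layout snort:snort 775 /etc/snort /etc/snort/rules /etc/snort/preproc_rules \
#       /var/log/snort /usr/local/lib/snort_dynamicrules
```

Run it once after the setup script and again after any package upgrade that touches /etc/snort; a non-zero exit with a list of mismatches is the signal to look at who changed the ownership or mode.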

snort.conf settings

  • Change HOME_NET to the IP range you want to protect
  • Change the value after EXTERNAL_NET to !$HOME_NET
  • Set the rule paths
  • Set the blacklist and whitelist paths
  • To test custom rules, comment out every rule set and keep only local.rules

$ sudo vim snort.conf

# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.0/24

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

...(omitted)

# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

...(omitted)

# site specific rules
include $RULE_PATH/local.rules

##include $RULE_PATH/attack-responses.rules
##include $RULE_PATH/backdoor.rules
##include $RULE_PATH/bad-traffic.rules

...(omitted)

Run the following command to validate the configuration file; if everything is correct you will see a message containing "successfully".

$ sudo snort -T -c /etc/snort/snort.conf

(screenshot snort2: snort -T output ending with the successful-validation message)


Adding a custom rule

Add a rule to local.rules that detects ICMP packets.

When an ICMP packet headed for $HOME_NET is detected, Snort raises an alert carrying the message "ICMP detected".

$ sudo vim /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; sid:000001;)
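
Before running snort -T, both the snort.conf settings listed above and the rule just added to local.rules can be checked from the shell. The script below is an added example, not part of the original notes: conf_var reads an ipvar/var value from snort.conf, active_includes lists the rule files that are not commented out (so you can confirm only local.rules is loaded), and lint_rules flags rules that lack a rev or use a sid below 1000000. Snort reserves sids under 1000000 for the rule sets it ships with, so local rules should start at 1000001; the sid:000001 used above loads fine while only local.rules is included, but would clash with an official rule carrying the same sid once those rule sets are enabled again. All function names and both sample files are constructed for this example.

```sh
#!/bin/sh
# Added example (not part of the original notes): preflight checks for a Snort 2
# configuration and a local rule file. Function names and the sample files are
# constructed for this example.

# conf_var CONF NAME -> value of "ipvar NAME ..." or "var NAME ..." in CONF
conf_var() {
    awk -v name="$2" '($1 == "ipvar" || $1 == "var") && $2 == name { print $3; exit }' "$1"
}

# active_includes CONF -> the rule files that are really loaded; commented-out
# "##include" lines are skipped because their first field is not "include"
active_includes() {
    awk '$1 == "include" { print $2 }' "$1"
}

# lint_rules RULEFILE -> one line per problem; returns 1 if any were found.
# Snort reserves sids below 1000000 for the rules shipped with it, so local
# rules should use 1000000 or higher, and every rule should carry a rev.
lint_rules() {
    problems=$(awk '
        /^[ \t]*(alert|log|pass|drop|reject|sdrop)[ \t]/ {
            sid = ""
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[ \t]*/, "", sid)
            }
            if (sid == "")
                print FILENAME ":" NR ": missing sid"
            else if (sid + 0 < 1000000)
                print FILENAME ":" NR ": sid " sid " is below 1000000 (reserved for official rules)"
            if (!match($0, /rev:[ \t]*[0-9]+/))
                print FILENAME ":" NR ": missing rev"
        }' "$1")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample files mirroring the settings in these notes
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/snort.conf" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
##include $RULE_PATH/attack-responses.rules
##include $RULE_PATH/backdoor.rules
EOF
cat > "$SAMPLE_DIR/local.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; sid:000001;)
alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; sid:1000001; rev:1;)
EOF

echo "HOME_NET=$(conf_var "$SAMPLE_DIR/snort.conf" HOME_NET)"
echo "EXTERNAL_NET=$(conf_var "$SAMPLE_DIR/snort.conf" EXTERNAL_NET)"
echo "active includes: $(active_includes "$SAMPLE_DIR/snort.conf")"
if ! lint_rules "$SAMPLE_DIR/local.rules"; then
    echo "local.rules needs attention before loading it"
fi
```

Against the sample files, the first rule (the one from these notes) is reported twice, for its low sid and its missing rev, while the second passes; point the functions at /etc/snort/snort.conf and /etc/snort/rules/local.rules to check the real installation.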

Validate the configuration again; if the rule is correct, Rule Port Counts will show icmp as 1.

$ sudo snort -T -c /etc/snort/snort.conf

(screenshot snort3: snort -T output with icmp 1 under Rule Port Counts)

Run the following command to load snort.conf and start listening on eth0.

$ sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Next, ping this machine from another computer.

Since ping sends ICMP packets, Snort prints an alert as soon as it receives them!

11/22-15:14:31.527201 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:31.527242 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
11/22-15:14:32.526562 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:32.526596 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
11/22-15:14:33.526543 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:33.526576 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
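
The alert lines above are in Snort's fast-alert format. As an added example, not from the original notes, the following shell function summarizes such output: one line per rule and traffic direction, with hit count, first and last timestamp and the rule message, which is easier to read on a busy console than scrolling through every line. The function name is an assumption of this example; the sample input is constructed from the six alert lines above.

```sh
#!/bin/sh
# Added example (not part of the original notes): summarize Snort fast-alert
# output as printed by "snort -A console". The function name is an assumption.
#
#   alert_summary < alerts.txt
# prints one line per rule and direction, most frequent first:
#   COUNT GID:SID:REV SRC->DST FIRST_SEEN LAST_SEEN MSG
alert_summary() {
    awk '
        # Line layout: TIMESTAMP [**] [GID:SID:REV] MSG [**] [Priority: N] {PROTO} SRC -> DST
        {
            if (!match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/))
                next                                   # not an alert line (banner, stats, ...)
            id = substr($0, RSTART + 1, RLENGTH - 2)   # gid:sid:rev without the brackets
            msg = $0
            sub(/^.*\[[0-9]+:[0-9]+:[0-9]+\] /, "", msg)  # cut everything up to the id
            sub(/ \[\*\*\].*$/, "", msg)                   # cut priority, protocol, addresses
            n = split($0, f, " ")
            key = id " " f[n - 2] "->" f[n]                # rule + traffic direction
            if (!(key in count))
                first[key] = f[1]
            last[key] = f[1]
            count[key]++
            text[key] = msg
        }
        END {
            for (k in count)
                print count[k], k, first[k], last[k], text[k]
        }
    ' | sort -rn
}

# Constructed sample input: the six console lines shown in these notes
SAMPLE_ALERTS='11/22-15:14:31.527201 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:31.527242 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
11/22-15:14:32.526562 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:32.526596 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102
11/22-15:14:33.526543 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.102 -> 192.168.1.11
11/22-15:14:33.526576 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.102'

printf '%s\n' "$SAMPLE_ALERTS" | alert_summary
```

For the sample above this prints two lines, three hits in each direction between 192.168.1.102 and 192.168.1.11, which matches the three echo requests and three replies of the ping test; in production you would feed it the alert file written under /var/log/snort instead of the console.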

References

Snort 2.9.7.x on Ubuntu 12 and 14

Install Snort from source on Ubuntu 14.04

How to install and use Snort on Ubuntu 15.04