Snort是开源的、基于实时网络流量分析和数据包记录的入侵检测系统。官方文档位置:https://www.snort.org/documents ,查看官档《Snort 2.9.8.x on CentOS 6.x and 7.x》。依据《CentOS6实验机模板搭建部署》克隆实验机进行部署测试。
经测试,官档写得并不好;本实验根据官档进行安装,仍有一些问题,本博文只做一次实验记录。
后期会发布一篇根据其他博文,类似基于snort+barnyard2+base的入侵检测系统的实验转载博文
1° 增加配置epel源,安装系统包
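# Step 1: enable EPEL and install the build/runtime dependencies.
yum -y install epel-release
yum -y install gcc flex bison tcpdump \
  zlib zlib-devel libpcap libpcap-devel \
  pcre pcre-devel libdnet libdnet-devel
# libdnet-debuginfo is not in the regular repos; it is fetched from rpmfind.
# A package downloaded by hand bypasses yum's per-repo signature check, so
# import the EPEL key and verify the rpm's signature before installing it.
# (wget is used instead of axel: axel itself lives in EPEL and was never installed.)
wget https://www.rpmfind.net/linux/epel/6/x86_64/debug/Packages/l/libdnet-debuginfo-1.12-6.el6.x86_64.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
rpm -K libdnet-debuginfo-1.12-6.el6.x86_64.rpm || exit 1
yum -y localinstall libdnet-debuginfo-1.12-6.el6.x86_64.rpm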
2° 从官网下载源码包并安装
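# Step 2: download and build DAQ first, then Snort, from the official tarballs.
cd /tmp || exit 1
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz
# Compare both archives with the digests published on the snort.org download
# page before unpacking (values intentionally not reproduced here):
#   sha256sum daq-2.0.6.tar.gz snort-2.9.11.1.tar.gz   # expect <DIGESTS_FROM_SNORT_ORG>
cd /usr/local/src || exit 1
tar -xf /tmp/daq-2.0.6.tar.gz
cd daq-2.0.6 || exit 1
# stop at the first failing stage instead of silently running ldconfig
./configure && make && sudo make install || exit 1
ldconfig -v /usr/local/lib
cd /usr/local/src || exit 1
tar -xf /tmp/snort-2.9.11.1.tar.gz
cd snort-2.9.11.1 || exit 1
./configure --enable-sourcefire && make && sudo make install || exit 1
ldconfig -v /usr/local/lib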
3° 注册官方账号,使用该账号登录,下载规则集合或者VRT规则
登录 https://www.snort.org
点击Sign in,然后Sign up进行注册,勾选Snort-users
根据邮件,打开链接
下载规则包
https://www.snort.org/downloads
下载 snortrules-snapshot-29111.tar.gz
4° 导入下载的规则包
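# Step 4: assemble /etc/snort from the source tree's etc/ and the downloaded rules snapshot.
mkdir -p /etc/snort
cd /etc/snort || exit 1
cp -av /usr/local/src/snort-2.9.11.1/etc/* .
# the snapshot unpacks its own etc/ here; copying it overwrites matching files from above
tar -xf /tmp/snortrules-snapshot-29111.tar.gz
cp ./etc/* .
# list files referenced from snort.conf (WHITE_LIST_PATH / BLACK_LIST_PATH, step 6);
# they only need to exist, empty is fine
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules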
5° 添加系统用户
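# Step 5: dedicated unprivileged account; snort is later started with -u snort -g snort.
groupadd -g 40000 snort
useradd -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort snort
# chown the tree by absolute path: the original "cd /etc/snort; chown *" skipped
# dotfiles and the directory itself
chown -R snort:snort /etc/snort
# /var/log/snort is (re)created in step 11; this line only matters if useradd made it
chown -R snort:snort /var/log/snort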
6° 编辑配置文件 /etc/snort/snort.conf
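# Step 6: point snort.conf at the rule directories and set the monitored network.
# NET may be overridden from the environment; the default is the lab subnet used here.
NET=${NET:-192.168.77.0/24}
conf=/etc/snort/snort.conf
# keep a pristine copy the first time this runs (-n: never overwrite an existing backup)
cp -an "$conf" "$conf.orig"
# one sed pass with all substitutions; each anchors on the directive name at line start
sed -i \
  -e 's|^\(var RULE_PATH\).*|\1 /etc/snort/rules|g' \
  -e "s|^\(ipvar HOME_NET\).*|\1 ${NET}|g" \
  -e 's|^\(ipvar EXTERNAL_NET\).*|\1 !$HOME_NET|g' \
  -e 's|^\(var SO_RULE_PATH\).*|\1 /etc/snort/so_rules|g' \
  -e 's|^\(var PREPROC_RULE_PATH\).*|\1 /etc/snort/preproc_rules|g' \
  -e 's|^\(var WHITE_LIST_PATH\).*|\1 /etc/snort/rules|g' \
  -e 's|^\(var BLACK_LIST_PATH\).*|\1 /etc/snort/rules|g' \
  "$conf"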
7° 权限更改
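# Step 7: restrict the unpacked source trees to the snort user.
cd /usr/local/src || exit 1
for d in daq-2.0.6 snort-2.9.11.1 snort_dynamicsrc; do
  # snort_dynamicsrc is not created by the earlier steps; skip whatever is absent
  # instead of letting chown/chmod error on a missing path
  [ -d "$d" ] || continue
  chown -R snort:snort "$d"
  chmod -R 700 "$d"
done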
8° 添加系统托管启动脚本
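# Step 8: install the init script and register it with chkconfig.
# Download "Snort Startup Script for CentOS" from https://www.snort.org/documents
# and save it as /etc/init.d/snort first; fail loudly rather than chkconfig-ing nothing.
[ -f /etc/init.d/snort ] || { printf '%s\n' 'missing /etc/init.d/snort' >&2; exit 1; }
chmod +x /etc/init.d/snort
chkconfig --add snort
chkconfig snort on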
9° 创建软链接
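# Step 9: put the snort binary on the default PATH.
# -f makes the step re-runnable (plain ln -s fails if the link already exists).
ln -sf /usr/local/bin/snort /usr/sbin/snort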
10° 创建配置文件
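# Step 10: write the sysconfig file read by the init script.
# A quoted heredoc replaces the interactive "vi" edit so the step is scriptable;
# nothing inside it is expanded.
cat > /etc/sysconfig/snort <<'EOF'
# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $
#### General Configuration
INTERFACE=eth0
CONF=/etc/snort/snort.conf
USER=snort
GROUP=snort
PASS_FIRST=0
#### Logging & Alerting
LOGDIR=/var/log/snort
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
NO_PACKET_LOG=0
PRINT_INTERFACE=0
EOF
chown snort: /etc/sysconfig/snort
chmod 700 /etc/sysconfig/snort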
11° 如果/var/log/snort不存在,则创建:
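# Step 11: create the log directory if it is missing, then tighten ownership
# and permissions on everything installed for the snort user.
# -p makes this idempotent (plain mkdir fails if the directory exists).
mkdir -p /var/log/snort
chmod 700 /var/log/snort
chown -R snort:snort /var/log/snort
# libraries and pkgconfig data under /usr/local/lib
cd /usr/local/lib || exit 1
chown -R snort:snort snort* snort_dynamic* pkgconfig
chmod -R 700 snort* pkgconfig
# helper binaries under /usr/local/bin
cd /usr/local/bin || exit 1
chown -R snort:snort daq-modules-config u2*
chmod -R 700 daq-modules-config
chmod 700 u2*
# configuration tree, by absolute path
chown -R snort:snort /etc/snort
chmod -R 700 /etc/snort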
12° 创建动态规则目录
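# Step 12: dynamic rules directory.
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules
# The official doc says some dynamic rules should be imported here; purpose unclear.
# The author found that lines in /etc/snort/snort.conf only took effect when they
# ended in a backslash, and that many lines lacked one. The original expression
# 's/[^\\]$/ \\/' REPLACED the last character of every such line with " \",
# silently corrupting values (e.g. "…/24" became "…/2 \"). The capture group
# below keeps that character. It still appends a continuation to every line,
# comments included, so a .bak copy is kept and the result must be re-checked
# with `snort -T` (step 13) before being trusted.
sed -i.bak 's/\([^\\]\)$/\1 \\/' /etc/snort/snort.conf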
13° 启动自我测试模式进行测试
# Step 13: dry-run the configuration (-T validates it and exits).
cd /usr/local/bin
./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
# On success the output ends with:
#   Snort successfully validated the configuration!
#   Snort exiting
# For other errors consult the official docs.
14° 手动启动,监控启动
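# Step 14: start snort manually as a daemon and follow syslog for its startup messages.
snort -A fast -b -d -D -i eth0 -u snort -g snort \
  -c /etc/snort/snort.conf -l /var/log/snort
# tailf was removed from util-linux (2.32 and later); tail -f is the portable equivalent
tail -f /var/log/messages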
15° 升级建议
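# Step 15: before upgrading snort, back up at least these configuration files:
#   local.rules  snort.conf  threshold.conf  white_list.rules  black_list.rules
# (In the original they were listed as bare words after the comment, which a shell
# would try to execute as commands.) Paths follow the layout built in steps 4 and 6;
# adjust them if your installation differs.
backup_dir=/root/snort-conf-backup-$(date +%Y%m%d)
mkdir -p "$backup_dir"
cp -av /etc/snort/snort.conf /etc/snort/threshold.conf \
  /etc/snort/rules/local.rules /etc/snort/rules/white_list.rules \
  /etc/snort/rules/black_list.rules "$backup_dir"/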
[TOC]