CentOS6u9 Snort入侵检测系统部署配置

Snort是开源的基于实时网络流量分析和数据包记录的入侵检测系统 官方文档位置：https://www.snort.org/documents 查看官档《Snort 2.9.8.x on CentOS 6.x and 7.x》 依据《CentOS6实验机模板搭建部署》克隆实验机进行部署测试 

经测试，官档写的并不好，本实验根据官档进行安装，还有一些问题，本博文只做一次实验记录
后期会发布一篇根据其他博文，类似基于snort+barnyard2+base的入侵检测系统的实验转载博文

1° 增加配置epel源，安装系统包

yum -y install epel-release yum -y install gcc flex bison tcpdump \ zlib zlib-devel libpcap libpcap-devel \ pcre pcre-devel libdnet libdnet-devel # 还需要libdnet-debuginfo包，可以从rpmfind网站找到 axel https://www.rpmfind.net/linux/epel/6/x86_64/debug/Packages/l/libdnet-debuginfo-1.12-6.el6.x86_64.rpm yum -y localinstall libdnet-debuginfo-1.12-6.el6.x86_64.rpm

2° 从官网下载源码包并安装

cd /tmp wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz cd /usr/local/src tar -xf /tmp/daq-2.0.6.tar.gz cd daq-2.0.6 ./configure make && sudo make install cd /usr/local/lib ldconfig -v /usr/local/lib cd /usr/local/src tar -xf /tmp/snort-2.9.11.1.tar.gz cd snort-2.9.11.1 ./configure --enable-sourcefire make && sudo make install cd /usr/local/lib ldconfig -v /usr/local/lib

3° 注册官方账号，使用该账号登录，下载规则集合或者VRT规则
登录 https://www.snort.org
点击Sign in，然后Sign up进行注册，勾选Snort-users

根据邮件，打开连接

下载规则包
https://www.snort.org/downloads
下载 snortrules-snapshot-29111.tar.gz

4° 导入下载的规则包

cd /etc mkdir -p snort cd snort cp -av /usr/local/src/snort-2.9.11.1/etc/* . tar -xf /tmp/snortrules-snapshot-29111.tar.gz cp ./etc/* . touch /etc/snort/rules/white_list.rules touch /etc/snort/rules/black_list.rules

5° 添加系统用户

groupadd -g 40000 snort useradd -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort snort cd /etc/snort chown -R snort:snort * chown -R snort:snort /var/log/snort

6° 编辑配置文件 /etc/snort/snort.conf

# 假设监控的网段为192.168.77.0/24 NET='192.168.77.0/24' sed -i 's|^\(var RULE_PATH\).*|\1 /etc/snort/rules|g' /etc/snort/snort.conf sed -i "s|^\(ipvar HOME_NET\).*|\1 ${NET}|g" /etc/snort/snort.conf sed -i 's|^\(ipvar EXTERNAL_NET\).*|\1 !$HOME_NET|g' /etc/snort/snort.conf sed -i 's|^\(var SO_RULE_PATH\).*|\1 /etc/snort/so_rules|g' /etc/snort/snort.conf sed -i 's|^\(var PREPROC_RULE_PATH\).*|\1 /etc/snort/preproc_rules|g' /etc/snort/snort.conf sed -i 's|^\(var WHITE_LIST_PATH\).*|\1 /etc/snort/rules|g' /etc/snort/snort.conf sed -i 's|^\(var BLACK_LIST_PATH\).*|\1 /etc/snort/rules|g' /etc/snort/snort.conf

7° 权限更改

cd /usr/local/src chown -R snort:snort daq-2.0.6 chmod -R 700 daq-2.0.6 chown -R snort:snort snort-2.9.11.1 chmod -R 700 snort-2.9.11.1 chown -R snort:snort snort_dynamicsrc chmod -R 700 snort_dynamicsrc

8° 添加系统托管启动脚本

# 官网 https://www.snort.org/documents # 下载 Snort Startup Script for CentOS chmod +x /etc/init.d/snort chkconfig --add snort chkconfig snort on

9° 创建软连接

cd /usr/sbin ln -s /usr/local/bin/snort snort

10° 创建配置文件

vi /etc/sysconfig/snort # /etc/sysconfig/snort # $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $ #### General Configuration INTERFACE=eth0 CONF=/etc/snort/snort.conf USER=snort GROUP=snort PASS_FIRST=0 #### Logging & Alerting LOGDIR=/var/log/snort ALERTMODE=fast DUMP_APP=1 BINARY_LOG=1 NO_PACKET_LOG=0 PRINT_INTERFACE=0  chown snort: /etc/sysconfig/snort chmod 700 /etc/sysconfig/snort

11° 如果/var/log/snort不存在，则创建：

cd /var/log mkdir snort chmod 700 snort chown -R snort:snort snort # 更改权限 cd /usr/local/lib chown -R snort:snort snort* chown -R snort:snort snort_dynamic* chown -R snort:snort pkgconfig chmod -R 700 snort* chmod -R 700 pkgconfig cd /usr/local/bin chown -R snort:snort daq-modules-config chown -R snort:snort u2* chmod -R 700 daq-modules-config chmod 700 u2* cd /etc chown -R snort:snort snort chmod -R 700 snort

12° 创建动态规则目录

mkdir -p /usr/local/lib/snort_dynamicrules chown -R snort:snort /usr/local/lib/snort_dynamicrules chmod -R 700 /usr/local/lib/snort_dynamicrules # 官档上写要导入一些动态规则，不明所以  # 配置文件 /etc/snort/snort.conf 生效行要以反斜杠结尾 # 该配置文件很多该错误行 sed -i 's/[^\\]$/ \\/g' /etc/snort/snort.conf

13° 启动自我测试模式进行测试

cd /usr/local/bin ./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf # 测试成功的输出： # Snort successfully validated the configuration! # Snort exiting # 其他错误参见官当

14° 手动启动，监控启动

snort -A fast -b -d -D -i eth0 -u snort -g snort \ -c /etc/snort/snort.conf -l /var/log/snort tailf /var/log/messages

15° 升级建议

# 如果要升级snort，强烈建议备份以下配置文件： local.rules snort.conf threshold.conf white_list.rules black_list.rules

[TOC]

文章来源: CentOS6u9 Snort入侵检测系统部署配置