snort安装使用教程(CentOS6.5)

孤街醉人 提交于 2020-01-17 08:51:39

 

官网:https://www.snort.org/

官方文档:https://www.snort.org/documents

 

2.安装

2.1安装依赖

yum install libpcap libpcap-devel zlib zlib-deve* -y
yum install glibc-headers gcc-c++ make  -y
tar -zxf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure && make && make installtar zxf pcre-8.39.tar.gz ./configure make && make install

复制代码

如果不安装这些依赖,在后边执行configure时会有报错

 

2.2安装daq

tar -zxf daq-2.0.6.tar.gz                
cd daq-2.0.6
./configure
make
make install

configure报错:configure: error: Your operating system's lex is insufficient to compile libsfbpf. You should install both bison and flex.

处理:yum install flex bison -y

configure报错: ERROR!  Libpcap library version >= 1.0.0 not found.

处理: yum install libpcap libpcap-devel -y

 

2.3安装snort

tar -zxf snort-2.9.11.tar.gz                   
cd snort-2.9.11
./configure --enable-sourcefire --disable-open-appid
make
make install

configure报错:ERROR!  dnet header not found, go get it from

处理: wget https://nchc.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz

            tar -zxf libdnet-1.11.tar.gz

            cd libdnet-1.11

           ./configure && make && make install

 

2.4安装规则

复制代码
# 首先创建snort配置(及规则)目录
mkdir -p /etc/snort/rules
# 创建运行需要目录
mkdir /usr/local/lib/snort_dynamicrules

# 首先将2.3解压出来的etc下的默认配置文件复制到snort配置目录下
cp etc/*.conf* /etc/snort
cp etc/*.map /etc/snort

# 下载社区规则并解压到规则目录
wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -zxf community-rules.tar.gz -C /etc/snort/rules

# 注释掉所有默认要加载的规则文件
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

# 启用社区规则文件
echo '' >> /etc/snort/snort.conf
echo '# enable community rule' >> /etc/snort/snort.conf
echo 'include $RULE_PATH/community-rules/community.rules' >> /etc/snort/snort.conf

# 重新设置snort.conf中的变量值
sed -i 's/var RULE_PATH ..\/rules/var RULE_PATH .\/rules/' /etc/snort/snort.conf
sed -i 's/var WHITE_LIST_PATH ..\/rules/var WHITE_LIST_PATH .\/rules/' /etc/snort/snort.conf
sed -i 's/var BLACK_LIST_PATH ..\/rules/var BLACK_LIST_PATH .\/rules/' /etc/snort/snort.conf

# 创建默认使用的白名单文件
touch /etc/snort/rules/white_list.rules
# 创建默认的黑名单文件
touch /etc/snort/rules/black_list.rules
# 创建默认自己设置的规则文件,其实我们注意了其他include只include了社区规则,所以这条根本没用这里只是意思一下
touch /etc/snort/rules/local.rules

# 测试配置文件是否有误
snort -T -c /etc/snort/snort.conf
复制代码

 

3.使用

snort有三种用法:嗅探模式、记录模式和网络入侵检测模式。

3.1嗅探模式

snort -v

该模式打印通信的双方IP及协议头部,类似tcpdump

 

3.2记录模式

mkdir log
snort -dev -l ./log

该模式将截获的数据包记入文件(此处是当前log目录下),重点是-l

 

3.3网络入侵检测模式

mkdir log
snort -dev -l ./log -h 192.168.1.0/24 -c /etc/snort/snort.conf

该模式将会按指定的规则扫描通信数据包

报错:ERROR: /etc/snort/rules/community-rules/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.

处理:mkdir -p /usr/local/lib/snort_dynamicrules

报错:ERROR: /etc/snort/classification.config(0) Unable to open rules file "/etc/snort/classification.config": No such file or directory.

处理:将上边2.3解压出的snort包中的etc/classification.config复制到/etc/snort/classification.config

官网:https://www.snort.org/

官方文档:https://www.snort.org/documents

 

2.安装

2.1安装依赖

yum install libpcap libpcap-devel zlib zlib-deve* -y
yum install glibc-headers gcc-c++ make  -y
tar -zxf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure && make && make installtar zxf pcre-8.39.tar.gz ./configure make && make install

复制代码

如果不安装这些依赖,在后边执行configure时会有报错

 

2.2安装daq

tar -zxf daq-2.0.6.tar.gz                
cd daq-2.0.6
./configure
make
make install

configure报错:configure: error: Your operating system's lex is insufficient to compile libsfbpf. You should install both bison and flex.

处理:yum install flex bison -y

configure报错: ERROR!  Libpcap library version >= 1.0.0 not found.

处理: yum install libpcap libpcap-devel -y

 

2.3安装snort

tar -zxf snort-2.9.11.tar.gz                   
cd snort-2.9.11
./configure --enable-sourcefire --disable-open-appid
make
make install

configure报错:ERROR!  dnet header not found, go get it from

处理: wget https://nchc.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz

            tar -zxf libdnet-1.11.tar.gz

            cd libdnet-1.11

           ./configure && make && make install

 

2.4安装规则

复制代码
# 首先创建snort配置(及规则)目录
mkdir -p /etc/snort/rules
# 创建运行需要目录
mkdir /usr/local/lib/snort_dynamicrules

# 首先将2.3解压出来的etc下的默认配置文件复制到snort配置目录下
cp etc/*.conf* /etc/snort
cp etc/*.map /etc/snort

# 下载社区规则并解压到规则目录
wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -zxf community-rules.tar.gz -C /etc/snort/rules

# 注释掉所有默认要加载的规则文件
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

# 启用社区规则文件
echo '' >> /etc/snort/snort.conf
echo '# enable community rule' >> /etc/snort/snort.conf
echo 'include $RULE_PATH/community-rules/community.rules' >> /etc/snort/snort.conf

# 重新设置snort.conf中的变量值
sed -i 's/var RULE_PATH ..\/rules/var RULE_PATH .\/rules/' /etc/snort/snort.conf
sed -i 's/var WHITE_LIST_PATH ..\/rules/var WHITE_LIST_PATH .\/rules/' /etc/snort/snort.conf
sed -i 's/var BLACK_LIST_PATH ..\/rules/var BLACK_LIST_PATH .\/rules/' /etc/snort/snort.conf

# 创建默认使用的白名单文件
touch /etc/snort/rules/white_list.rules
# 创建默认的黑名单文件
touch /etc/snort/rules/black_list.rules
# 创建默认自己设置的规则文件,其实我们注意了其他include只include了社区规则,所以这条根本没用这里只是意思一下
touch /etc/snort/rules/local.rules

# 测试配置文件是否有误
snort -T -c /etc/snort/snort.conf
复制代码

 

3.使用

snort有三种用法:嗅探模式、记录模式和网络入侵检测模式。

3.1嗅探模式

snort -v

该模式打印通信的双方IP及协议头部,类似tcpdump

 

3.2记录模式

mkdir log
snort -dev -l ./log

该模式将截获的数据包记入文件(此处是当前log目录下),重点是-l

 

3.3网络入侵检测模式

mkdir log
snort -dev -l ./log -h 192.168.1.0/24 -c /etc/snort/snort.conf

该模式将会按指定的规则扫描通信数据包

报错:ERROR: /etc/snort/rules/community-rules/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.

处理:mkdir -p /usr/local/lib/snort_dynamicrules

报错:ERROR: /etc/snort/classification.config(0) Unable to open rules file "/etc/snort/classification.config": No such file or directory.

处理:将上边2.3解压出的snort包中的etc/classification.config复制到/etc/snort/classification.config

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!