[Network Security Lab] Implementing an advanced IDS with Snort (2024 cyber security update)

2.4 Installing Snort

Run the following commands:

wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz

tar xvfz snort-2.9.20.tar.gz

cd snort-2.9.20

./configure --enable-sourcefire && make && sudo make install

Error: fatal error: rpc/types.h: No such file or directory

Run the following commands:

sudo apt-get install -y libtirpc-dev

sudo ln -s /usr/include/tirpc/rpc/* /usr/include/rpc

(Snort 2.9 still includes the SunRPC headers that recent glibc no longer ships; libtirpc provides them under /usr/include/tirpc. The target directory /usr/include/rpc must exist before linking, and a pre-existing netdb.h there can be left alone. A less invasive alternative to symlinking into /usr/include is to pass the tirpc include and library paths to configure through CPPFLAGS and LDFLAGS.)

Error: fatal error: netconfig.h: No such file or directory

Run the following command:

sudo ln -s /usr/include/tirpc/netconfig.h /usr/include

Then run:

snort

If the Snort banner is printed, the installation succeeded.

3 Configuring Snort

3.1 Create the required directories

# Snort configuration directory tree

sudo mkdir -p /etc/snort/rules/iplists

sudo mkdir -p /etc/snort/preproc_rules

sudo mkdir /usr/local/lib/snort_dynamicrules

sudo mkdir /etc/snort/so_rules

# Files for filtering rules and the IP blacklist/whitelist

sudo touch /etc/snort/rules/iplists/default.blacklist

sudo touch /etc/snort/rules/iplists/default.whitelist

sudo touch /etc/snort/rules/so_rules

# Create the log directories

sudo mkdir /var/log/snort

sudo mkdir /var/log/snort/archived_logs

# Adjust permissions (5775 = setuid + setgid + rwxrwxr-x; the setuid bit has no effect on directories, setgid makes new files inherit the directory's group)

sudo chmod -R 5775 /etc/snort

sudo chmod -R 5775 /var/log/snort

sudo chmod -R 5775 /var/log/snort/archived_logs

sudo chmod -R 5775 /etc/snort/rules/so_rules

sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

These modes make the configuration, rule and log trees writable by the owning group. That is fine on a lab box where Snort runs as root; if you later run Snort under a dedicated unprivileged user (snort -u / -g), give that user ownership of the log directories only and keep /etc/snort and the rule trees writable by root alone, so a compromise of the sensor process cannot rewrite its own rules.

3.2 Copy files to /etc/snort

cd /home/lingqi/daq-2.0.7/LuaJIT-2.0.5/

(This is the directory the author unpacked snort-2.9.20 into; use the directory you extracted the tarball into in 2.4.) The destination directories are owned by root, so the copies need sudo:

sudo cp ./snort-2.9.20/etc/*.conf* /etc/snort

sudo cp ./snort-2.9.20/etc/*.map /etc/snort

sudo cp ./snort-2.9.20/etc/*.dtd /etc/snort

sudo cp ./snort-2.9.20/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/

3.3 Edit the default configuration

Open the configuration file:

sudo vim /etc/snort/snort.conf

Set the rule and list paths:

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules/iplists/

var BLACK_LIST_PATH /etc/snort/rules/iplists/

To make the blacklist and whitelist take effect, also point the reputation preprocessor at the files created in 3.1: in the preprocessor reputation block of snort.conf, change the whitelist entry from $WHITE_LIST_PATH/white_list.rules to $WHITE_LIST_PATH/default.whitelist and the blacklist entry from $BLACK_LIST_PATH/black_list.rules to $BLACK_LIST_PATH/default.blacklist. Snort refuses to start when a list file it references does not exist.
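The path edits of 3.3 and the list-file check they imply, as an added shell example (not part of the original post and not a Snort tool): it rewrites the five var lines and the two reputation list names in a snort.conf, then verifies that the referenced list files exist before you run snort -T. The SNORT_ETC variable is an assumption of this script; it defaults to /etc/snort and the demo overrides it with a temporary directory holding a constructed snort.conf fragment that mirrors the stock defaults.

```shell
#!/bin/sh
# Added example: rewrite the path variables in snort.conf (section 3.3), point the
# reputation preprocessor at the lists created in 3.1, and check that every
# referenced list file exists before `snort -T`.
# SNORT_ETC is this script's own assumption, not a Snort setting; it defaults to
# /etc/snort and is overridden for the offline demo.
SNORT_ETC=${SNORT_ETC:-/etc/snort}

# Rewrite the five var lines and the two list filenames in place. Idempotent:
# running it twice yields the same file. Goes through a temp file so it works
# with any sed, not only GNU sed -i.
snort_set_paths() {
  conf=$1
  sed -E \
    -e "s|^var RULE_PATH .*|var RULE_PATH $SNORT_ETC/rules|" \
    -e "s|^var SO_RULE_PATH .*|var SO_RULE_PATH $SNORT_ETC/so_rules|" \
    -e "s|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH $SNORT_ETC/preproc_rules|" \
    -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $SNORT_ETC/rules/iplists|" \
    -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $SNORT_ETC/rules/iplists|" \
    -e 's|\$WHITE_LIST_PATH/white_list\.rules|$WHITE_LIST_PATH/default.whitelist|' \
    -e 's|\$BLACK_LIST_PATH/black_list\.rules|$BLACK_LIST_PATH/default.blacklist|' \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the value of a `var NAME value` line in $1 for NAME=$2.
snort_get_var() {
  awk -v name="$2" '$1 == "var" && $2 == name { print $3; exit }' "$1"
}

# Print the file the reputation preprocessor will load for $2 (whitelist|blacklist)
# from conf $1, with the $WHITE_LIST_PATH / $BLACK_LIST_PATH variable resolved.
snort_resolve_list() {
  ref=$(grep -oE "[[:space:]]$2 [^,[:space:]]+" "$1" | awk '{ print $2; exit }')
  var=${ref%%/*}        # e.g. $WHITE_LIST_PATH
  var=${var#\$}         # strip the leading $
  printf '%s/%s\n' "$(snort_get_var "$1" "$var")" "${ref#*/}"
}

# Preflight: Snort refuses to start when a referenced list file is missing.
# Returns 0 if both lists exist, 1 otherwise.
snort_check_lists() {
  ok=0
  for kind in whitelist blacklist; do
    f=$(snort_resolve_list "$1" "$kind")
    if [ -f "$f" ]; then
      echo "ok      $kind -> $f"
    else
      echo "MISSING $kind -> $f" >&2
      ok=1
    fi
  done
  return $ok
}

# Offline demo: a constructed snort.conf fragment with the stock default lines
# (relative paths, white_list.rules / black_list.rules), rewritten against a
# temporary directory that stands in for /etc/snort. Prints the conf path.
demo_snort_conf() {
  root=$(mktemp -d)
  SNORT_ETC=$root
  mkdir -p "$root/rules/iplists"
  touch "$root/rules/iplists/default.blacklist" "$root/rules/iplists/default.whitelist"
  cat > "$root/snort.conf" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
EOF
  snort_set_paths "$root/snort.conf"
  echo "$root/snort.conf"
}

if [ $# -gt 0 ]; then
  snort_set_paths "$1" && snort_check_lists "$1"   # e.g. sudo sh snort_paths.sh /etc/snort/snort.conf
else
  conf=$(demo_snort_conf) && snort_check_lists "$conf"
fi
```

With no arguments the script runs the demo; with a path it rewrites that file and reports both list files, which is the check to run before snort -T -c in section 4.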

3.4 Installing the rules package

Download the rules snapshot snortrules-snapshot-29181.tar.gz from the Snort website with wget. Registered rules are only served to a logged-in account, so an unauthenticated wget returns a web page rather than the archive.

sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort

Error:

The message stdin: not in gzip format already says what is wrong: the file is not gzip data. Use the file command to inspect it:

It reports an HTML document. Go back to the Snort website, download the file directly from there, and extract it again:

sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort

sudo cp /etc/snort/so_rules/precompiled/RHEL-8/x86-64/2.9.18.1/* /usr/local/lib/snort_dynamicrules/

Note that precompiled shared-object rules are built for one exact Snort version (here 2.9.18.1) and one distribution, and Snort will not load them into a different version such as the 2.9.20 build from 2.4. Either use the snapshot that matches your Snort version or leave the $SO_RULE_PATH includes in snort.conf commented out.
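The "not in gzip format" failure above is worth catching before anything is extracted as root into /etc/snort. The following shell script is an added example, not part of the original post and not a Snort utility: it checks the gzip magic bytes, gzip's own integrity check, that the archive contains a rules/ directory, and that no member name would escape the target directory. The demo inputs (a genuine tarball built on the fly and an HTML page saved under a .tar.gz name) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded Snort rules
# snapshot before extracting it into /etc/snort as root. Catches the failure
# described in the text (an HTML login/error page saved under a .tar.gz name),
# corrupt downloads, archives without a rules/ directory, and archives whose
# member names would write outside the target directory.

# First two bytes of a file as lowercase hex; a gzip stream starts with 1f8b.
magic2() {
  od -An -tx1 -N2 "$1" | tr -d ' \n'
}

# Return 0 if $1 is a usable rules tarball, 1 otherwise (reason on stderr).
verify_rules_tarball() {
  f=$1
  [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
  if [ "$(magic2 "$f")" != 1f8b ]; then
    # The "stdin: not in gzip format" case: usually an HTML page, because the
    # download needs a logged-in session.
    if head -c 512 "$f" | grep -qiE '<html|<!doctype'; then
      echo "$f: HTML document, not gzip; download it from snort.org while logged in" >&2
    else
      echo "$f: not gzip (magic $(magic2 "$f"))" >&2
    fi
    return 1
  fi
  gzip -t "$f" 2>/dev/null || { echo "$f: gzip data corrupt or truncated" >&2; return 1; }
  list=$(tar tzf "$f" 2>/dev/null) || { echo "$f: not a tar archive" >&2; return 1; }
  # Refuse absolute paths and .. components: `tar -C /etc/snort` run as root
  # must never write outside /etc/snort.
  if printf '%s\n' "$list" | grep -qE '^/|(^|/)\.\.(/|$)'; then
    echo "$f: archive contains a path that escapes the target directory" >&2
    return 1
  fi
  printf '%s\n' "$list" | grep -q '^rules/' || { echo "$f: no rules/ directory in archive" >&2; return 1; }
  return 0
}

# Extract $1 into $2 only after it passes verification; on failure nothing is written.
extract_rules() {
  verify_rules_tarball "$1" && tar xzf "$1" -C "$2"
}

# Offline demo with constructed inputs: one genuine tarball and one fake (an HTML
# page under a .tar.gz name). Prints the temp directory holding good.tar.gz,
# fake.tar.gz and an empty out/ directory.
demo_rules_tarballs() {
  root=$(mktemp -d)
  mkdir -p "$root/src/rules" "$root/out"
  echo 'alert tcp any any -> any 22 (msg:"demo rule"; sid:1000001; rev:1;)' \
    > "$root/src/rules/local.rules"
  ( cd "$root/src" && tar czf "$root/good.tar.gz" rules )
  printf '<!DOCTYPE html>\n<html><body>Please log in to download.</body></html>\n' \
    > "$root/fake.tar.gz"
  echo "$root"
}

if [ $# -ge 2 ]; then
  extract_rules "$1" "$2"   # e.g. sudo sh verify_rules.sh snortrules-snapshot-29181.tar.gz /etc/snort
else
  demo_rules_tarballs
fi
```

Run it with the downloaded file and /etc/snort as arguments in place of the plain tar command; with no arguments it only builds the demo inputs.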

4 Start-up test

sudo snort -T -c /etc/snort/snort.conf

With -T Snort parses the configuration and every included rule file, reports any error, and exits without sniffing; fix whatever it reports before pointing it at an interface.

CentOS:

1. Preparation

Install the operating system in a virtual machine from the CentOS-6.8-x86_64-mini image.

By default the network address is obtained automatically; change it to a static IP address.

#ifconfig -a    // show the network interface configuration

#vi /etc/sysconfig/network-scripts/ifcfg-eth0    // edit the interface configuration file

To switch to a static address, change BOOTPROTO=dhcp to BOOTPROTO=static (and make sure ONBOOT=yes, otherwise the interface stays down after boot), then add the following lines, adjusting the addresses to your LAN:

IPADDR=192.168.91.128

NETMASK=255.255.255.0

GATEWAY=192.168.91.2

DNS1=192.168.91.2

DNS2=8.8.8.8    // more than one DNS server may be listed; use the ones your network provider gives you

Finally save and exit, then restart the network service.

1. Run cat /etc/issue to see which 6.x release you have, and note it down.

2. Back up the existing repo files so you can restore them if something goes wrong.

1. mkdir /etc/yum.repos.d/bakk    // create the backup directory

2. mv /etc/yum.repos.d/* /etc/yum.repos.d/bakk    // an error about moving bakk into itself will appear; ignore it

3. Open the configuration file CentOS-Base.repo as follows:

vim /etc/yum.repos.d/CentOS-Base.repo

Clear its contents,

and paste the code below into it.

Note: if your system is not release 6.7,

first replace "6.7" in the five baseurl lines with your own release number.

# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever
