Snort deployment, part 2

Continuing from the previous part: with that error fixed, carry on installing source-libpcap-daq.

Refresh the shared-library cache, then regenerate the build files and build:

ldconfig

autoreconf -ifv

make

make install

0x04 Install the Snort main package

tar xf snort-2.9.16.1.tar.gz

cd snort-2.9.16.1/

./configure --enable-sourcefire  // configure the build with Sourcefire features enabled

It fails, saying libpcre is missing (a great many different problems can appear at this step; this is the one I hit; if you get a different one, search for it online).

Install the missing library with:

yum install pcre-devel

yum install <missing-library> <missing-library>-devel -y   (general form)

Re-run configure; it fails again, so apply the general form once more!

yum install luajit luajit-devel -y

Re-run configure, and yet again!!!! Install the missing certificate (OpenSSL) packages:

yum install openssl* -y

./configure --enable-sourcefire // run configure again

It passes.

make

make install

ldconfig // refresh the linker cache

Check the environment variables; no problem there.

snort -v

The little pig is running; all good.

Symbolic link (optional)

ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1

Create the group; it already exists, so nothing to do.

0x05 Create the Snort directories and configure rules

Here we use our own rules package. Unpack it and you can see how many rules there are:

tar xf snortrules-snapshot-29161.tar.gz

mkdir -p /etc/snort/rules  // create the rules directory
mkdir -p /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
You can see these are empty; move our rules into them.
mv rules /etc/snort/
mv so_rules /etc/snort/

mv preproc_rules /etc/snort/

Adjust the permissions
chmod -R 5775 /etc/snort
chmod -R 5775 /var/log/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules
Create the files
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules

Install PulledPork
yum install perl-libwww-perl perl-core "perl(Crypt::SSLeay)" perl-LWP-Protocol-https
ldconfig // refresh the linker cache again
git clone https://github.com/shirkdog/pulledpork.git

cd pulledpork/
cp pulledpork.pl /usr/local/bin
chmod +x /usr/local/bin/pulledpork.pl
cp etc/*.conf /etc/snort
mkdir /etc/snort/rules/iplists
touch /etc/snort/rules/iplists/default.blacklist
Check the version
pulledpork.pl -V
Next, copy and paste the following:
echo "include \$RULE_PATH/so_rules.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
touch /etc/snort/rules/so_rules.rules
touch /etc/snort/rules/snort.rules
Next, edit the configuration file; it is mostly path changes:
vim /etc/snort/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz| <oinkcode>
line 72, change to: rule_path=/etc/snort/rules/snort.rules
line 87, change to: local_rules=/etc/snort/rules/local.rules
line 92, change to: sid_msg=/etc/snort/sid-msg.map
line 119, change to: config_path=/etc/snort/snort.conf
line 136, change to: distro=Centos-7
line 144, change to: ack_list=/etc/snort/rules/iplists/default.blacklist
line 153, change to: IPRVersion=/etc/snort/rules/iplists
line 202, uncomment and change to: enablesid=/etc/snort/enablesid.conf
line 203, uncomment and change to: dropsid=/etc/snort/dropsid.conf
line 204, uncomment and change to: disablesid=/etc/snort/disablesid.conf
line 205, uncomment and change to: modifysid=/etc/snort/modifysid.conf
Save and quit
pulledpork.pl -c /etc/snort/pulledpork.conf
The pig flies.
An error shows up afterwards, so the configuration file needs one more change:
vim /etc/snort/pulledpork.conf
line 115, change to: snort_path=/usr/sbin/snort
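The edits above are given by line number, which shifts between pulledpork.conf versions. The script below is an added example (not part of the original post) that applies the same settings by key name: the keys and target paths are the ones the post lists, the sample config written by demo() is a constructed excerpt rather than the real file, and <oinkcode> is a placeholder for your own oinkcode.

```shell
#!/bin/sh
# Added example, not from the original post: apply the pulledpork.conf
# settings by key name instead of by line number, so the edit still lands
# when a newer pulledpork.conf shifts the lines. The config written by demo()
# is constructed; keys and paths are the ones from the post, and <oinkcode>
# is a placeholder for your own oinkcode.

# set_key FILE KEY VALUE
# Rewrites the first "KEY=..." line (active or commented out with '#') to
# "KEY=VALUE", drops any later active duplicate of KEY, leaves later
# commented-out copies alone, and appends the line if KEY is absent.
set_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        $0 ~ ("^[# \t]*" k "=") {
            if (!done) { print k "=" v; done = 1 }       # first hit: rewrite
            else if ($0 ~ ("^[ \t]*" k "=")) { next }    # later active duplicate: drop
            else { print }                              # later commented copy: keep
            next
        }
        { print }
        END { if (!done) print k "=" v }                # key absent: append
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_key FILE KEY: print the active value of KEY ("" if not set)
get_key() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# apply_post_settings FILE: the edits the post makes to pulledpork.conf
apply_post_settings() {
    f=$1
    set_key "$f" rule_url    'https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>'
    set_key "$f" rule_path   /etc/snort/rules/snort.rules
    set_key "$f" local_rules /etc/snort/rules/local.rules
    set_key "$f" sid_msg     /etc/snort/sid-msg.map
    set_key "$f" snort_path  /usr/sbin/snort
    set_key "$f" config_path /etc/snort/snort.conf
    set_key "$f" distro      Centos-7
    set_key "$f" enablesid   /etc/snort/enablesid.conf
    set_key "$f" dropsid     /etc/snort/dropsid.conf
    set_key "$f" disablesid  /etc/snort/disablesid.conf
    set_key "$f" modifysid   /etc/snort/modifysid.conf
}

# demo: run against a constructed excerpt and show the result
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed excerpt of pulledpork.conf (not the real file)
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_path=/usr/local/etc/snort/rules/snort.rules
local_rules=/usr/local/etc/snort/rules/local.rules
distro=FreeBSD-8-1
# enablesid=/usr/local/etc/snort/enablesid.conf
EOF
    apply_post_settings "$cfg"
    cat "$cfg"
    rm -f "$cfg"
}
demo
```

To use it on the real file, call apply_post_settings /etc/snort/pulledpork.conf and then confirm each value with get_key; matching on the key rather than the line keeps the change correct even when the file layout differs from the line numbers quoted above.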
Check the cron service
systemctl status crond
crontab -e   // open the crontab for editing
20 23 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf   // add this line (a per-user crontab has no user column; a "root" field belongs only in /etc/crontab)
crontab -l   // check it
Run it once more; there are still problems, but leave them for now.
Copy it into your own /etc/snort/ directory, then configure it:

cp etc/snort.conf /etc/snort/

There is one more line, at around line 520 (in vim, the “:set nu” command shows line numbers):

output alert_syslog: LOG_LOCAL2 LOG_ALERT
Finally, validate the configuration:
snort -T -c /etc/snort/snort.conf
Configure a rule
vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
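The test rule uses sid:10000001 because Snort reserves SIDs from 1000000 upward for local rules; a lower SID can collide with a shipped rule, and a duplicate SID or a rule with no SID at all is rejected by snort -T or misreported in the alerts. The checker below is an added example (not part of the original post) that catches those three mistakes in local.rules before you run snort -T; all sample rules written by demo() are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check local.rules before
# "snort -T". Snort reserves SIDs from 1000000 upward for local rules (which is
# why the post uses sid:10000001). The rules written by demo() are constructed.

# rule_sids FILE: print the sid of every non-comment rule line
rule_sids() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# check_local_rules FILE: print one problem per line; exit status 0 when clean
check_local_rules() {
    f=$1; rc=0
    # 1. duplicate SIDs
    for s in $(rule_sids "$f" | sort | uniq -d); do
        echo "duplicate sid $s"; rc=1
    done
    # 2. SIDs below the local range
    for s in $(rule_sids "$f"); do
        if [ "$s" -lt 1000000 ]; then
            echo "sid $s is below 1000000 (range reserved for local rules)"; rc=1
        fi
    done
    # 3. rule lines that carry no sid at all ("|| true" keeps a zero count
    #    from being reported as a failure by grep -c)
    nosid=$(grep -v '^[[:space:]]*#' "$f" \
        | grep -E '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' \
        | grep -vc 'sid:' || true)
    if [ "$nosid" -gt 0 ]; then
        echo "$nosid rule line(s) without a sid"; rc=1
    fi
    return $rc
}

# demo: the post's test rule plus three constructed broken ones
demo() {
    rules=$(mktemp)
    cat > "$rules" <<'EOF'
# constructed local.rules: the post's test rule plus three broken ones
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
alert tcp any any -> $HOME_NET 80 (msg:"dup sid"; sid:10000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"low sid"; sid:999; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"no sid";)
EOF
    if check_local_rules "$rules"; then
        echo "local.rules looks clean"
    else
        echo "fix the problems above before running snort -T"
    fi
    rm -f "$rules"
}
demo
```

Run check_local_rules /etc/snort/rules/local.rules before every snort -T; a zero exit status means the file has no duplicate, low or missing SIDs, which removes the most common reasons a freshly added local rule never shows up in the log.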
Check the service status and start the service
systemctl status snortd  // check the status
systemctl start snortd   // start the service
Test
Watch the log with:

tail -f /var/log/messages

Or use the following; note that this may need several people pinging before alerts appear:
snort -A full -c /etc/snort/snort.conf -l /var/log/snort
tail -f /var/log/snort/alert
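Watching alerts scroll past with tail -f is fine for a first test, but once the rules are loaded you want to know which rules fire most and from where. The functions below are an added example (not part of the original post) that summarise the alert_syslog lines the "output alert_syslog: LOG_LOCAL2 LOG_ALERT" setting writes to /var/log/messages; the lines produced by sample_alerts are constructed (hostname, PID, IPs and the second rule are made up) but follow the alert_syslog layout [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src -> dst.

```shell
#!/bin/sh
# Added example, not from the original post: summarise Snort alert_syslog
# lines from /var/log/messages. The sample lines are constructed but follow
# the alert_syslog layout:
#   [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src -> dst

sample_alerts() {
cat <<'EOF'
Mar  3 12:00:01 sensor snort[2231]: [1:10000001:1] ICMP test [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.1
Mar  3 12:00:02 sensor snort[2231]: [1:10000001:1] ICMP test [Priority: 0] {ICMP} 10.0.0.6 -> 10.0.0.1
Mar  3 12:00:02 sensor systemd[1]: Started Session 4 of user root.
Mar  3 12:00:03 sensor snort[2231]: [1:10000001:1] ICMP test [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.1
Mar  3 12:00:09 sensor snort[2231]: [1:10000002:1] HTTP probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:51234 -> 10.0.0.1:80
EOF
}

# parse_alerts FILE: one "sid|msg|proto|src|dst" line per Snort alert;
# the optional [Classification: ...] tag is stripped first and non-Snort
# syslog lines are skipped
parse_alerts() {
    sed -n \
        -e 's/ \[Classification: [^]]*\]//' \
        -e 's/.*snort\[[0-9]*\]: \[\([0-9]*\):\([0-9]*\):\([0-9]*\)\] \(.*\) \[Priority: [0-9]*\] {\([A-Z]*\)} \([^ ]*\) -> \([^ ]*\).*/\2|\4|\5|\6|\7/p' \
        "$1"
}

# count_by_sid FILE: "count|sid|msg", busiest rule first
count_by_sid() {
    parse_alerts "$1" \
        | awk -F'|' '{ n[$1 "|" $2]++ } END { for (k in n) print n[k] "|" k }' \
        | sort -t'|' -k1,1nr
}

# sources_for_sid FILE SID: distinct source addresses (port stripped)
sources_for_sid() {
    parse_alerts "$1" \
        | awk -F'|' -v s="$2" '$1 == s { sub(/:[0-9]+$/, "", $4); print $4 }' \
        | sort -u
}

demo() {
    log=$(mktemp)
    sample_alerts > "$log"
    echo "alerts per rule:"; count_by_sid "$log"
    echo "sources that tripped sid 10000001:"; sources_for_sid "$log" 10000001
    rm -f "$log"
}
demo
```

On the sensor, replace the sample file with /var/log/messages: count_by_sid /var/log/messages shows which rules are noisy and sources_for_sid /var/log/messages 10000001 lists who has been pinging $HOME_NET, which is the quickest way to confirm the ICMP test rule is firing for the hosts you expect.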
