Continuing from the previous part: with that build error fixed, we carry on installing the libpcap and DAQ source packages.
Refresh the linker cache, then build and install:
ldconfig
autoreconf -ifv
make
make install
0x04 Install the Snort main package
tar xf snort-2.9.16.1.tar.gz
cd snort-2.9.16.1/
./configure --enable-sourcefire   # configure the build with the Sourcefire options enabled
![](https://img-blog.csdnimg.cn/direct/ba65dc8e0c854f0a8b8faf9d778c2c64.png)
configure fails, complaining that libpcre is missing (a lot of different things can go wrong at this step; this is the one I hit, so if you get a different error, look that one up).
Install the missing library:
yum install pcre-devel
The general pattern for any missing dependency is: yum install <missing-lib> <missing-lib>-devel -y
Re-run configure. It still fails, so apply the same pattern:
yum install luajit luajit-devel -y
Re-run configure. Another failure, this time for OpenSSL: what configure wants is the OpenSSL library and its development headers (the openssl and openssl-devel packages), not a certificate; the glob below pulls both in:
yum install openssl* -y
./configure --enable-sourcefire   # run configure again
It passes.
make
make install
ldconfig   # refresh the linker cache
Check that the binary is on PATH and runs:
snort -v
The pig banner comes up, so the build is fine. (snort -v starts Snort as a verbose packet sniffer, so stop it with Ctrl-C; snort -V prints the version and exits, which is the quicker check.)
Symlink (can be skipped):
ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1
Create the snort group. On this box it already existed, so there was nothing to do; it does have to exist, together with the snort user, because the chown commands below hand the log and dynamic-rule directories to snort:snort.
0x05 Create the Snort directories and configure rules
Here we use our own rules tarball. Unpack it and you can see how many rules it contains:
tar xf snortrules-snapshot-29161.tar.gz
mkdir -p /etc/snort/rules   # rules directory
mkdir -p /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
The new rules directory is empty, so move our rules into it.
![](https://img-blog.csdnimg.cn/direct/7e834a18e83845aaa960cfe27abe88d0.png)
mv rules /etc/snort/
mv so_rules /etc/snort/
mv preproc_rules /etc/snort/
![](https://img-blog.csdnimg.cn/direct/41309ea51b47480a98a42d5657905888.png)
Set permissions. Mode 5775 is 775 with the set-user-ID and sticky bits added; applied with -R it also puts setuid on every plain rule and config file, which serves no purpose on non-executable files and is exactly what permission audits flag. chmod -R 775 (or 2775 if new files should inherit the snort group) gives the same read/write access without that.
chmod -R 5775 /etc/snort
chmod -R 5775 /var/log/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules
Create the rule files:
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules
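The whole directory step above (directories, rule import, permissions, empty rule files, plus the iplists directory and the snort.rules/so_rules.rules files that the PulledPork step creates later) as one script. This is an added example, not the post's own commands: it takes a prefix argument so it can be dry-run under a scratch directory, copies the unpacked snapshot instead of moving it, uses 775 instead of 5775, and only chowns to snort:snort when that user and group exist and it is running as root. The prefix argument and the check function are this editor's assumptions, not anything Snort or the post define.

```shell
#!/bin/sh
# Added example, not the post's commands. PREFIX ("" for a real install,
# a scratch directory for a dry run) is an assumption of this script.

snort_layout() {                       # directories and empty rule files
    prefix=${1:-}
    mkdir -p "$prefix/etc/snort/rules/iplists" \
             "$prefix/var/log/snort" \
             "$prefix/usr/local/lib/snort_dynamicrules"
    for f in white_list.rules black_list.rules local.rules \
             snort.rules so_rules.rules iplists/default.blacklist; do
        # create if absent, never truncate an existing file
        [ -e "$prefix/etc/snort/rules/$f" ] || : > "$prefix/etc/snort/rules/$f"
    done
}

snort_import_rules() {                 # $1 prefix, $2 directory the snapshot was unpacked into
    prefix=${1:-}; src=$2
    for d in rules so_rules preproc_rules; do
        [ -d "$src/$d" ] || { echo "missing $src/$d" >&2; return 1; }
        mkdir -p "$prefix/etc/snort/$d"
        cp -R "$src/$d/." "$prefix/etc/snort/$d/"   # copy contents, keep the original
    done
}

snort_perms() {                        # 775 without setuid/sticky; chown only when possible
    prefix=${1:-}
    chmod -R u=rwX,g=rwX,o=rX "$prefix/etc/snort" \
                               "$prefix/var/log/snort" \
                               "$prefix/usr/local/lib/snort_dynamicrules"
    if [ "$(id -u)" -eq 0 ] && getent passwd snort >/dev/null 2>&1 \
                             && getent group  snort >/dev/null 2>&1; then
        chown -R snort:snort "$prefix/var/log/snort" \
                             "$prefix/usr/local/lib/snort_dynamicrules"
    fi
}

snort_check_layout() {                 # 0 only if everything is in place and nothing is setuid
    prefix=${1:-}
    for p in etc/snort/rules/local.rules etc/snort/rules/snort.rules \
             etc/snort/rules/iplists/default.blacklist \
             var/log/snort usr/local/lib/snort_dynamicrules; do
        [ -e "$prefix/$p" ] || { echo "missing $prefix/$p" >&2; return 1; }
    done
    [ -z "$(find "$prefix/etc/snort" -perm -4000 2>/dev/null)" ] \
        || { echo "setuid file under $prefix/etc/snort" >&2; return 1; }
}
```

For the real install, from the directory where the snapshot was unpacked: snort_layout, then snort_import_rules "" ., snort_perms, and snort_check_layout; a non-zero exit from the last one means a path is missing or something is still setuid.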
PulledPork installation
yum install perl-libwww-perl perl-core "perl(Crypt::SSLeay)" perl-LWP-Protocol-https
ldconfig   # refresh
![](https://img-blog.csdnimg.cn/direct/e4912636f0c34f278a67c4860e370421.png)
git clone https://github.com/shirkdog/pulledpork.git
![](https://img-blog.csdnimg.cn/direct/6f10f88f9dc04efd8c0e7e14af51e641.png)
cd pulledpork/
cp pulledpork.pl /usr/local/bin
chmod +x /usr/local/bin/pulledpork.pl
cp etc/*.conf /etc/snort
mkdir /etc/snort/rules/iplists
touch /etc/snort/rules/iplists/default.blacklist
![](https://img-blog.csdnimg.cn/direct/71c1050dfa5c4e30a6c1a8564b0421a5.png)
Check the version:
pulledpork.pl -V
![](https://img-blog.csdnimg.cn/direct/c47600098d9c4fe5b2a0311621c9ce26.png)
Next, paste in the include lines and create the files they point at. These lines go into /etc/snort/snort.conf, so if a fresh snort.conf is copied into /etc/snort later (as in the step further down), they have to be appended again, because cp overwrites the file.
echo "include \$RULE_PATH/so_rules.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
touch /etc/snort/rules/so_rules.rules
touch /etc/snort/rules/snort.rules
![](https://img-blog.csdnimg.cn/direct/3bcd444d89174daca96d535889e7c3be.png)
Next, edit the PulledPork config file; it is mostly path changes. The line numbers are those of the pulledpork.conf that came with the clone, so search for the key name rather than counting lines:
vim /etc/snort/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
line 72, change to: rule_path=/etc/snort/rules/snort.rules
line 87, change to: local_rules=/etc/snort/rules/local.rules
line 92, change to: sid_msg=/etc/snort/sid-msg.map
line 119, change to: config_path=/etc/snort/snort.conf
line 136, change to: distro=Centos-7
line 144, change to: black_list=/etc/snort/rules/iplists/default.blacklist
line 153, change to: IPRVersion=/etc/snort/rules/iplists
line 202, uncomment and change to: enablesid=/etc/snort/enablesid.conf
line 203, uncomment and change to: dropsid=/etc/snort/dropsid.conf
line 204, uncomment and change to: disablesid=/etc/snort/disablesid.conf
line 205, uncomment and change to: modifysid=/etc/snort/modifysid.conf
Save and quit. The rule_url line now carries your oinkcode, which is the credential for your snort.org account, and cp left the file world-readable (mode 644), so restrict it to root and the snort group (mode 640).
![](https://img-blog.csdnimg.cn/direct/628ec40d6f674d0a90ae8cbe4a8cdb20.png)
![](https://img-blog.csdnimg.cn/direct/3dd185d27f66483f9166b4683776df58.png)
![](https://img-blog.csdnimg.cn/direct/2455f0bfc9f44a0fb2988f00692b158a.png)
pulledpork.pl -c /etc/snort/pulledpork.conf
The pig flies (PulledPork ends a successful run with "Fly Piggy Fly!").
![](https://img-blog.csdnimg.cn/direct/1b7b00568d184628a076c9689bb0678d.png)
There is an error further down, so the config file needs another change:
vim /etc/snort/pulledpork.conf
line 115: snort_path=/usr/sbin/snort
snort_path must be the path of the installed binary, so use whatever `which snort` prints: a make install with the default prefix puts it at /usr/local/bin/snort, not /usr/sbin/snort. PulledPork runs that binary to learn the Snort version it needs when picking the precompiled so_rules, so a wrong path here is a likely cause of the error that is still present at the end of this section.
![](https://img-blog.csdnimg.cn/direct/bc22213ed9b348b3b9690a034d4dd0c9.png)
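The pulledpork.conf edits above and the snort_path fix, done by key name instead of line number so they survive a differently laid-out pulledpork.conf. This is an added example, not part of the post or of PulledPork itself: the keys are pulledpork.conf's own, the /etc/snort paths follow the post, the oinkcode stays the post's <oinkcode> placeholder unless one is passed in, and the optional third argument (the snort binary path, defaulting to the post's /usr/sbin/snort) is this editor's addition. pp_set rewrites the first commented-out or active line for a key, drops any further copies of it, and appends the key when the file has none.

```shell
#!/bin/sh
# Added example, not from the post or PulledPork. Keys are pulledpork.conf's
# own; paths follow the post; the oinkcode defaults to the post's placeholder.

# pp_set FILE KEY VALUE: rewrite the first "KEY=" line (commented out or not),
# drop any further copies of it, append the key if the file has none.
pp_set() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" k "=" }
        $0 ~ re { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode and owner
    rm -f "$tmp"
}

# pp_get FILE KEY: print the active value of KEY (last one wins, as in the file).
pp_get() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2) }' "$1" | tail -n 1
}

# pp_configure FILE [OINKCODE] [SNORT_BIN]: apply the post's settings.
pp_configure() {
    f=$1; oinkcode=${2:-"<oinkcode>"}; snort_bin=${3:-/usr/sbin/snort}
    pp_set "$f" rule_url    "https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$oinkcode"
    pp_set "$f" rule_path   /etc/snort/rules/snort.rules
    pp_set "$f" local_rules /etc/snort/rules/local.rules
    pp_set "$f" sid_msg     /etc/snort/sid-msg.map
    pp_set "$f" config_path /etc/snort/snort.conf
    pp_set "$f" distro      Centos-7
    pp_set "$f" black_list  /etc/snort/rules/iplists/default.blacklist
    pp_set "$f" IPRVersion  /etc/snort/rules/iplists
    pp_set "$f" snort_path  "$snort_bin"      # pass "$(command -v snort)" on a real box
    for k in enablesid dropsid disablesid modifysid; do
        pp_set "$f" "$k" "/etc/snort/$k.conf"
    done
    chmod 640 "$f"    # the file now holds the oinkcode; keep it unreadable to other users
}
```

On the sensor this is pp_configure /etc/snort/pulledpork.conf YOUROINKCODE "$(command -v snort)", followed by pulledpork.pl -c /etc/snort/pulledpork.conf as above.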
Check that the cron service is running:
systemctl status crond
Then schedule PulledPork:
crontab -e   # opens this user's crontab
20 23 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf   # the entry
crontab -l   # check it
Do not put a user name ("root") between the schedule and the command here: that column exists only in /etc/crontab and in files under /etc/cron.d. In a per-user crontab cron would treat "root" as the command to run, and the job would never fire. If you want the user column, put the line into /etc/cron.d/pulledpork instead.
![](https://img-blog.csdnimg.cn/direct/c40aba03392d428284f04b5be4f49dad.png)
Ran it again; still a problem, leaving it for now.
![](https://img-blog.csdnimg.cn/direct/4cb381be06b242bc94843bd15d06d39b.png)
Copy the snort.conf into our /etc/snort/ directory and configure it:
cp etc/snort.conf /etc/snort/
cp overwrites whatever /etc/snort/snort.conf already held, including the two include lines appended in the PulledPork step, so append them again after the copy. Then point the path variables near the top of the file (RULE_PATH, SO_RULE_PATH, PREPROC_RULE_PATH, WHITE_LIST_PATH and BLACK_LIST_PATH, which default to ../rules and the like) at the /etc/snort directories created above, and set HOME_NET to the network being protected.
One more line, around line 520 (":set nu" in vim shows line numbers): uncomment the alert_syslog output and set it to
output alert_syslog: LOG_LOCAL2 LOG_ALERT
Finally, validate the configuration:
snort -T -c /etc/snort/snort.conf
-T parses the configuration and every rule file it includes and then exits; the run has to end with "Snort successfully validated the configuration!" before the service is started.
![](https://img-blog.csdnimg.cn/direct/e3a0563f57e9457f92b3d115066b1d57.png)
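The snort.conf changes above, made repeatable. This is an added example, not from the post: it rewrites the var/ipvar path variables by name and appends the PulledPork include lines and the syslog output line only when they are not already present, so running it again after a fresh cp of snort.conf restores the includes without duplicating them. The variable names are those in Snort 2.9's stock snort.conf, the paths follow the post, and the HOME_NET value is an argument (the 192.168.1.0/24 in the usage note is an assumed example network).

```shell
#!/bin/sh
# Added example, not from the post. Variable names are those in Snort 2.9's
# stock snort.conf; the /etc/snort paths follow the post.

# snort_set_var FILE NAME VALUE: rewrite the first "var|ipvar|portvar NAME ..."
# line in place (keeping its keyword); append "var NAME VALUE" if none exists.
snort_set_var() {
    file=$1; name=$2; value=$3
    tmp=$(mktemp)
    awk -v n="$name" -v v="$value" '
        ($1 == "var" || $1 == "ipvar" || $1 == "portvar") && $2 == n {
            if (!done) { print $1, n, v; done = 1 }
            next
        }
        { print }
        END { if (!done) print "var", n, v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# snort_get_var FILE NAME: print the value currently set.
snort_get_var() {
    awk -v n="$2" '($1 == "var" || $1 == "ipvar" || $1 == "portvar") && $2 == n { print $3 }' "$1" | tail -n 1
}

# snort_ensure_line FILE LINE: append LINE unless the file already has it verbatim.
snort_ensure_line() {
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# snort_configure FILE [HOME_NET]: path variables, PulledPork includes and the
# syslog output line from the post, all idempotent.
snort_configure() {
    f=$1; home_net=${2:-any}
    snort_set_var "$f" HOME_NET          "$home_net"
    snort_set_var "$f" RULE_PATH         /etc/snort/rules
    snort_set_var "$f" SO_RULE_PATH      /etc/snort/so_rules
    snort_set_var "$f" PREPROC_RULE_PATH /etc/snort/preproc_rules
    snort_set_var "$f" WHITE_LIST_PATH   /etc/snort/rules
    snort_set_var "$f" BLACK_LIST_PATH   /etc/snort/rules
    snort_ensure_line "$f" 'include $RULE_PATH/local.rules'
    snort_ensure_line "$f" 'include $RULE_PATH/so_rules.rules'
    snort_ensure_line "$f" 'include $RULE_PATH/snort.rules'
    snort_ensure_line "$f" 'output alert_syslog: LOG_LOCAL2 LOG_ALERT'
}
```

After cp etc/snort.conf /etc/snort/, run snort_configure /etc/snort/snort.conf 192.168.1.0/24 and then snort -T -c /etc/snort/snort.conf; the stock file's commented "# output alert_syslog: LOG_AUTH LOG_ALERT" line is left alone, and the active LOG_LOCAL2 line is appended.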
Add a rule:
vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
Local rules use SIDs of 1,000,000 and above, the range reserved for site-specific rules, so they never collide with the downloaded ruleset. Check the service status and start it:
systemctl status snortd   # status
systemctl start snortd    # start
![](https://img-blog.csdnimg.cn/direct/08e2d27c7a144efba18c66acf7a820f7.png)
![](https://img-blog.csdnimg.cn/direct/9f890f7edc66444ea96672279964f36d.png)
Test
![](https://img-blog.csdnimg.cn/direct/7a27797f4e2a4aa393fd41e7a5bbd674.png)
Watch the log:
tail -f /var/log/messages
The alerts land in /var/log/messages because the default rsyslog rule on CentOS sends every facility at priority info and above there, and the LOG_LOCAL2 output configured above logs at LOG_ALERT.
Or run Snort in the foreground with full alert output (this may need several hosts pinging before anything shows up):
snort -A full -c /etc/snort/snort.conf -l /var/log/snort
tail -f /var/log/snort/alert
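A small log check to go with the test above, as an added example rather than anything from the post: it summarizes alert_syslog lines per rule and lists the source addresses that tripped a given SID (10000001 is the rule from local.rules above). The message layout [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src -> dst is Snort's alert_syslog format; the four lines in SAMPLE_LOG are constructed, including the sshd line that the filter has to ignore, and the host name, PID and addresses in them are made up.

```shell
#!/bin/sh
# Added example, not from the post. SAMPLE_LOG is constructed; the message
# layout is Snort's alert_syslog format: [gid:sid:rev] msg [Classification: ...]
# [Priority: n] {PROTO} src -> dst (Classification/Priority may be absent).

SAMPLE_LOG='Aug 10 23:20:01 ids snort[2231]: [1:10000001:1] ICMP test {ICMP} 192.168.1.20 -> 192.168.1.10
Aug 10 23:20:02 ids snort[2231]: [1:10000001:1] ICMP test {ICMP} 192.168.1.21 -> 192.168.1.10
Aug 10 23:20:05 ids snort[2231]: [1:1000002:2] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:41234 -> 192.168.1.10:161
Aug 10 23:20:06 ids sshd[2300]: Accepted publickey for ops from 192.168.1.5 port 50122'

# alert_counts < LOG: one line per rule, "gid:sid count msg", busiest first.
alert_counts() {
    awk '
        / snort\[[0-9]+\]: \[[0-9]+:[0-9]+:[0-9]+\] / {
            match($0, /\[[0-9]+:[0-9]+:[0-9]+\] /)
            id   = substr($0, RSTART + 1, RLENGTH - 3)      # gid:sid:rev
            rest = substr($0, RSTART + RLENGTH)             # msg and what follows it
            sub(/ *(\[Classification:|\[Priority:|[{]).*$/, "", rest)   # keep msg only
            sub(/:[0-9]+$/, "", id)                         # drop rev
            n[id]++; msg[id] = rest
        }
        END { for (k in n) print k, n[k], msg[k] }
    ' | sort -k2,2nr -k1,1
}

# alert_sources SID < LOG: distinct source addresses that tripped SID
# (IPv4 only: the port is stripped after the last colon).
alert_sources() {
    awk -v sid="$1" '
        / snort\[[0-9]+\]: / && $0 ~ ("\\[[0-9]+:" sid ":[0-9]+\\] ") {
            for (i = 2; i <= NF; i++)
                if ($i == "->") { src = $(i - 1); sub(/:[0-9]+$/, "", src); print src }
        }
    ' | sort -u
}
```

On the sensor: grep 'snort\[' /var/log/messages | alert_counts, and alert_sources 10000001 < /var/log/messages to see who is pinging HOME_NET; on SAMPLE_LOG the first gives "1:10000001 2 ICMP test" and "1:1000002 1 SNMP request tcp".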