1. Installation
Reference: https://blog.csdn.net/Ananas_Orangey/article/details/122542065
apt-get install gcc : the compiler; if it fails, try apt-get install g++
apt-get install flex : parser generator required by DAQ
apt-get install bison : parser generator required by DAQ
apt-get install zlib1g-dev : compression library required by Snort
apt-get install libpcap-dev : packet-capture headers required by Snort
apt-get install libdnet-dev : not required; Snort only uses it as a simplified, portable interface to several network routines
apt-get install luajit : Lua headers
apt-get install liblua5.1-0-dev
apt-get install liblua5.1-0-dev liblua50-dev liblualib50-dev
apt-get install build-essential : build tools needed to compile software
apt-get install libpcre3-dev : PCRE3 headers required by Snort
apt-get install libdumbnet-dev : same as libdnet
apt-get install openssl libssl-dev : SSL crypto components, provide SHA and MD5 file signatures
apt-cache search lua
sudo apt-get update -y
sudo apt-get upgrade -y
sudo apt-get install gcc -y
sudo apt-get install flex -y
sudo apt-get install bison -y
sudo apt-get install zlib1g-dev -y
sudo apt-get install libpcap-dev -y
sudo apt-get install libdnet-dev -y
sudo apt-get install luajit -y
sudo apt-get install liblua5.1-0-dev liblua50-dev liblualib50-dev -y
sudo apt-get install build-essential -y
sudo apt-get install libpcre3-dev -y
sudo apt-get install libdumbnet-dev -y
sudo apt-get install openssl libssl-dev -y
sudo apt-cache search lua
cd ~/2
wget https://www.tcpdump.org/release/libpcap-1.10.1.tar.gz
tar -zxvf libpcap-1.10.1.tar.gz
cd libpcap-1.10.1
./configure && make && make install
cd ..
wget https://github.com/nghttp2/nghttp2/releases/download/v1.46.0/nghttp2-1.46.0.tar.gz
tar -zxvf nghttp2-1.46.0.tar.gz
cd nghttp2-1.46.0
./configure && make && make install
cd ..
wget https://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5
make && make install (note: LuaJIT has no ./configure step)
cd ..
wget https://sourceforge.net/projects/pcre/files/pcre/8.45/pcre-8.45.tar.gz
tar -zxvf pcre-8.45.tar.gz
cd pcre-8.45
./configure && make && make install
cd ..
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
tar xvzf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure && make && sudo make install
cd ..
wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
tar xvzf snort-2.9.20.tar.gz
cd snort-2.9.20
./configure --enable-sourcefire && make && sudo make install
If the build fails, use the following command instead:
./configure --disable-open-appid && make && sudo make install
Problem 1: rpc.h not found
cp /usr/include/tirpc/rpc/* /usr/include/rpc/
sudo ldconfig
ln -s /usr/local/bin/snort /usr/sbin/snort
snort -V
2. Configuration files
# Snort installation directories
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Files holding filter rules and the server black/white lists
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/local.rules
# Create the log directories
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# Change directory ownership
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
classification.config : describes the attack classification types Snort understands (rules are grouped into these classifications), for example Trojan activity or system-call detection. The list of classifications is in section 3.4.6 of the Snort manual.
file_magic.conf : describes the rules used to identify file types.
reference.config : contains the URLs referenced by rules that provide more information about an alert.
snort.conf : Snort's main configuration file; it tells Snort where its resources are located, how to output alerts, and so on.
threshold.conf : lets you control how many events are needed before an alert is generated, which helps suppress noisy alerts.
gen-msg.map : tells Snort which rule uses which preprocessor (see the Snort documentation for details).
unicode.map : provides the mapping between Unicode languages and identifiers; Snort needs this file to start.
sudo cp ~/snort2/snort-2.9.20/etc/*.conf* /etc/snort
sudo cp ~/snort2/snort-2.9.20/etc/*.map /etc/snort
sudo cp ~/snort2/snort-2.9.20/etc/*.dtd /etc/snort
sudo cp ~/snort2/snort-2.9.20/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
3. Editing the configuration
Edit snort.conf (note: your snort.conf now lives under /etc/snort/)
sudo vi /etc/snort/snort.conf
1. Update the rule paths: search for RULE_PATH and change the following lines as shown (starting around line 104)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules/iplists/
var BLACK_LIST_PATH /etc/snort/rules/iplists/
2. Enable the include of the local rules file by removing the leading # (line 546)
include $RULE_PATH/local.rules
3. Make the black and white lists take effect (line 511)
whitelist $WHITE_LIST_PATH/default.whitelist, \
blacklist $BLACK_LIST_PATH/default.blacklist
4. Uncomment the preprocessor rule includes (line 659):
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
(I downloaded the ruleset directly from the Snort website; the one from the referenced link seemed incomplete.)
tar zxvf snortrules-snapshot-29190.tar.gz -C /etc/snort
cp /etc/snort/so_rules/precompiled/Ubuntu-22-04/x86-64/2.9.20.0/* /usr/local/lib/snort_dynamicrules/
sudo snort -T -c /etc/snort/snort.conf
......
Snort successfully validated the configuration!
Snort exiting
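As an added example (not part of the original post), the snort.conf edits of steps 1 through 4 above as a sed script that can be re-run and checked, instead of editing by line number in vi. It assumes the paths the post chose; when given no file, it works on a constructed stand-in for the stock snort.conf lines rather than the real file.

```shell
#!/bin/sh
# Added example, not from the original post: apply the step-3 snort.conf edits with sed
# and verify them. Uses the post's paths; the conf file is a parameter (defaults to a sample).
set -eu
apply_snort_conf_edits() {
    # 1: rule-path vars  2/4: uncomment includes  3: reputation list file names
    sed -i -E \
        -e 's@^var RULE_PATH .*@var RULE_PATH /etc/snort/rules@' \
        -e 's@^var SO_RULE_PATH .*@var SO_RULE_PATH /etc/snort/so_rules@' \
        -e 's@^var PREPROC_RULE_PATH .*@var PREPROC_RULE_PATH /etc/snort/preproc_rules@' \
        -e 's@^var (WHITE|BLACK)_LIST_PATH .*@var \1_LIST_PATH /etc/snort/rules/iplists/@' \
        -e 's@^#[[:space:]]*(include \$RULE_PATH/local\.rules)@\1@' \
        -e 's@^#[[:space:]]*(include \$PREPROC_RULE_PATH/(preprocessor|decoder|sensitive-data)\.rules)@\1@' \
        -e 's@whitelist \$WHITE_LIST_PATH/[^,[:space:]]*@whitelist $WHITE_LIST_PATH/default.whitelist@' \
        -e 's@blacklist \$BLACK_LIST_PATH/[^,[:space:]]*@blacklist $BLACK_LIST_PATH/default.blacklist@' \
        "$1"
}
# Return 1 (naming the missing line) if any edit did not land; a still-commented include
# does not count because the match is anchored at the start of the line.
verify_snort_conf_edits() {
    for want in 'var RULE_PATH /etc/snort/rules' 'var SO_RULE_PATH /etc/snort/so_rules' \
        'var PREPROC_RULE_PATH /etc/snort/preproc_rules' 'include $RULE_PATH/local.rules' \
        'include $PREPROC_RULE_PATH/preprocessor.rules' 'include $PREPROC_RULE_PATH/decoder.rules' \
        'include $PREPROC_RULE_PATH/sensitive-data.rules' \
        'whitelist $WHITE_LIST_PATH/default.whitelist' 'blacklist $BLACK_LIST_PATH/default.blacklist'
    do
        grep -q "^[[:space:]]*$want" "$1" || { echo "missing in $1: $want" >&2; return 1; }
    done
}
# Constructed stand-in for the stock snort.conf lines the post edits (demo only).
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor reputation: \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
# include $RULE_PATH/local.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
EOF
}
conf="${1:-$(mktemp)}"
[ -s "$conf" ] || make_sample_conf "$conf"
apply_snort_conf_edits "$conf"
verify_snort_conf_edits "$conf" && echo "snort.conf edits verified in $conf"
```

Run it as `sh apply-snort-conf.sh /etc/snort/snort.conf` on the real box, then confirm with `sudo snort -T -c /etc/snort/snort.conf` as above.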
4. Preparing for integration
Reference: https://blog.csdn.net/hexf9632/article/details/98200876
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
groupadd -g 40000 snort
useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort.snort *
chown -R snort.snort /var/log/snort
snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules
# touch /var/log/snort/alert
# cd /var/log/snort
# chown snort.snort alert
# chmod 700 alert
snort -T -c /etc/snort/snort.conf -i ens33
Start snort
snort -c /etc/snort/snort.conf -i ens33
Stop snort
ps -ef | grep snort
kill -9 pid