The environment is Ubuntu:
$ cat /etc/issue
Ubuntu 20.04 LTS \n \l
First, download the source from GitHub; version 3.0.2 is used here.
~/ips$ wget https://github.com/snort3/snort3/archive/3.0.2-5.tar.gz
~/ips$
~/ips$ tar -xf 3.0.2-5.tar.gz
~/ips$
~/ips$ cd snort3-3.0.2-5/
~/ips/snort3-3.0.2-5$
Next, install the required dependency packages:
~/ips/snort3-3.0.2-5$ sudo apt install cmake
~/ips/snort3-3.0.2-5$ sudo apt install pkg-config
~/ips/snort3-3.0.2-5$ sudo apt install libdaq-dev
~/ips/snort3-3.0.2-5$ sudo apt install libdaq2
~/ips/snort3-3.0.2-5$ sudo apt install libhwloc-dev
~/ips/snort3-3.0.2-5$ sudo apt install luajit
~/ips/snort3-3.0.2-5$ sudo apt install libluajit-5.1-dev
~/ips/snort3-3.0.2-5$ sudo apt install libpcap-dev
~/ips/snort3-3.0.2-5$ sudo apt install libpcre3-dev
~/ips/snort3-3.0.2-5$ sudo apt install liblzma-dev
Install the libdnet library from source:
~/ips/snort3-3.0.2-5$ cd ..
~/ips$
~/ips$ wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz
~/ips$ tar -xf libdnet-1.11.tar.gz
~/ips$
~/ips$ cd libdnet-1.11/
~/ips/libdnet-1.11$
~/ips/libdnet-1.11$ ./configure
~/ips/libdnet-1.11$ make
~/ips/libdnet-1.11$ sudo make install
~/ips/libdnet-1.11$
~/ips/libdnet-1.11$ cd ..
~/ips$
~/ips$ cd snort3-3.0.2-5
~/ips/snort3-3.0.2-5$
Run the configure_cmake.sh script.
~/ips/snort3-3.0.2-5$ ./configure_cmake.sh
Build Directory : build
...
-------------------------------------------------------
snort version 3.0.2
Install options:
prefix: /usr/local/snort
includes: /usr/local/snort/include/snort
plugins: /usr/local/snort/lib/snort
Compiler options:
CC: /usr/bin/cc
CXX: /usr/bin/c++
CFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb
CXXFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb
EXE_LDFLAGS:
MODULE_LDFLAGS:
Feature options:
DAQ Modules: Static ()
Flatbuffers: OFF
Hyperscan: OFF
ICONV: ON
Libunwind: OFF
LZMA: ON
RPC DB: Built-in
SafeC: OFF
TCMalloc: OFF
UUID: OFF
-------------------------------------------------------
-- Configuring done
-- Generating done
...
~/ips/snort3-3.0.2-5$
The following packages are optional; installing them turns on the corresponding Snort feature options.
~/ips/snort3-3.0.2-5$ sudo apt install libhyperscan-dev
~/ips/snort3-3.0.2-5$ sudo apt install libunwind-dev
~/ips/snort3-3.0.2-5$ sudo apt install uuid-dev
~/ips/snort3-3.0.2-5$ sudo apt install libsafec-dev
~/ips/snort3-3.0.2-5$ sudo apt-cache search tcmalloc
~/ips/snort3-3.0.2-5$ sudo apt install libgoogle-perftools-dev
Running configure_cmake.sh again shows TCMalloc still OFF, so download the gperftools source and install it:
~/ips/snort3-3.0.2-5$ cd ..
~/ips$
~/ips$ wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.8/gperftools-2.8.tar.gz
~/ips$ tar -xf gperftools-2.8.tar.gz
~/ips$ cd gperftools-2.8/
~/ips/gperftools-2.8$ ./configure
~/ips/gperftools-2.8$ make
~/ips/gperftools-2.8$ sudo make install
~/ips/gperftools-2.8$
~/ips/gperftools-2.8$ cd ..
~/ips$
~/ips$ cd snort3-3.0.2-5/
~/ips/snort3-3.0.2-5$
After installing gperftools, TCMalloc is still OFF. Unlike the other features, it has to be enabled explicitly when running the script, as follows:
~/ips/snort3-3.0.2-5$ ./configure_cmake.sh --enable-tcmalloc
Build Directory : build
...
Feature options:
DAQ Modules: Static ()
Flatbuffers: OFF
Hyperscan: ON
ICONV: ON
Libunwind: ON
LZMA: ON
RPC DB: Built-in
SafeC: ON
TCMalloc: ON
UUID: ON
-------------------------------------------------------
-- Configuring done
-- Generating done
~/ips/snort3-3.0.2-5$
Run make to compile, which hits the following error:
~/ips/snort3-3.0.2-5$ cd build
~/ips/snort3-3.0.2-5/build$
~/ips/snort3-3.0.2-5/build$ make
...
~/ips/snort3-3.0.2-5/src/protocols/packet.h: At global scope:
~/ips/snort3-3.0.2-5/src/protocols/packet.h:144:5: error: ‘DAQ_Msg_h’ does not name a type
144 | DAQ_Msg_h daq_msg; // DAQ message this packet came from
| ^~~~~~~~~
In file included from ~/ips/snort3-3.0.2-5/src/actions/actions.cc:27:
~/ips/snort3-3.0.2-5/src/packet_io/active.h:166:25: error: ‘DAQ_Msg_h’ has not been declared
166 | static int send_eth(DAQ_Msg_h, int, const uint8_t* buf, uint32_t len);
| ^~~~~~~~~
Looking back at the earlier configure_cmake.sh run, it had already reported a related warning:
~/ips/snort3-3.0.2-5$ ./configure_cmake.sh
Build Directory : build
Source Directory: /home/kai/ips/snort3-3.0.2-5
...
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.1")
-- Checking for module 'libdaq>=3.0.0'
-- No package 'libdaq' found
-- Found DAQ: /usr/lib/libdaq.so
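As an added example (not from the original post or the Snort project; the function names are my own), a preflight check that asks pkg-config for the libdaq version the same way configure_cmake.sh does ('libdaq>=3.0.0'), so a too-old or invisible libdaq is reported before cmake silently falls back to /usr/lib/libdaq.so and the build fails on DAQ_Msg_h as above:

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project: a preflight
# check to run before ./configure_cmake.sh. The first configure run above printed
# "No package 'libdaq' found" and then used /usr/lib/libdaq.so from the apt
# libdaq2 package, which is too old for snort 3.0.2. Function names are my own.

# version_ge A B: succeed when dotted version A is >= B. Non-numeric suffixes
# such as "-alpha7" are ignored, so 3.0.0-alpha7 compares equal to 3.0.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # awk: "0-alpha7" + 0 == 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# daq_status FOUND REQUIRED: classify a version string as reported by
# `pkg-config --modversion libdaq`. Prints one of: missing, too-old, ok.
daq_status() {
    found=$1; required=$2
    if [ -z "$found" ]; then
        echo missing
    elif version_ge "$found" "$required"; then
        echo ok
    else
        echo too-old
    fi
}

# check_libdaq [REQUIRED]: query pkg-config and explain the outcome.
# Exit status is 0 only when the found libdaq satisfies REQUIRED (default 3.0.0).
check_libdaq() {
    required=${1:-3.0.0}
    found=$(pkg-config --modversion libdaq 2>/dev/null || true)
    case $(daq_status "$found" "$required") in
        ok)
            echo "libdaq $found found via pkg-config in $(pkg-config --variable=libdir libdaq); OK"
            ;;
        too-old)
            echo "libdaq $found is older than $required; build libdaq 3 from source as above" >&2
            return 1
            ;;
        missing)
            echo "pkg-config cannot see libdaq; with a /usr/local install make sure" >&2
            echo "/usr/local/lib/pkgconfig is on PKG_CONFIG_PATH, else cmake falls back to /usr/lib/libdaq.so" >&2
            return 1
            ;;
    esac
}

# Usage: sh check_libdaq.sh --run [REQUIRED]
if [ "${1:-}" = "--run" ]; then check_libdaq "$2"; fi
```

Run it from the snort3 source directory before configure_cmake.sh; on the post's first attempt it would have printed the "missing" branch, and after the libdaq 3.0.0-alpha7 install it prints "ok" with /usr/local/lib, matching the "Found libdaq, version 3.0.0" line further down.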
Install libdaq from source; version 3.0.0 is used here.
~/ips/snort3-3.0.2-5$ cd ..
~/ips$
~/ips$ wget https://github.com/snort3/libdaq/archive/v3.0.0-alpha7.tar.gz
~/ips$ tar -xf v3.0.0-alpha7.tar.gz
~/ips$
~/ips$ cd libdaq-3.0.0-alpha7/
~/ips/libdaq-3.0.0-alpha7$
~/ips/libdaq-3.0.0-alpha7$ ./bootstrap
~/ips/libdaq-3.0.0-alpha7$ ./configure
...
config.status: executing libtool commands
daq 3.0.0
...
Build AFPacket DAQ module.. : yes
Build BPF DAQ module....... : yes
Build Divert DAQ module.... : no
Build Dump DAQ module...... : yes
Build FST DAQ module....... : yes
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Build netmap DAQ module.... : no
Build Trace DAQ module..... : yes
~/ips/libdaq-3.0.0-alpha7$
~/ips/libdaq-3.0.0-alpha7$ make
~/ips/libdaq-3.0.0-alpha7$ sudo make install
Run configure_cmake.sh again; libdaq is now found.
~/ips/snort3-3.0.2-5$ ./configure_cmake.sh --enable-tcmalloc
Build Directory : build
...
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.1")
-- Checking for module 'libdaq>=3.0.0'
-- Found libdaq, version 3.0.0
-- Found DAQ: /usr/local/lib/libdaq.so
-- Checking for module 'libdaq_static_trace'
-- Found libdaq_static_trace, version 3.0.0
-- Checking for module 'libdaq_static_afpacket'
-- Found libdaq_static_afpacket, version 3.0.0
-- Checking for module 'libdaq_static_dump'
-- Found libdaq_static_dump, version 3.0.0
-- Checking for module 'libdaq_static_pcap'
-- Found libdaq_static_pcap, version 3.0.0
-- Checking for module 'libdaq_static_fst'
-- Found libdaq_static_fst, version 3.0.0
-- Checking for module 'libdaq_static_bpf'
-- Found libdaq_static_bpf, version 3.0.0
-- Found DNET: /usr/local/include
Now the build of Snort 3 completes.
~/ips/snort3-3.0.2-5$ cd build/
~/ips/snort3-3.0.2-5/build$
~/ips/snort3-3.0.2-5/build$ make -j 2
[ 1%] Building CXX object src/connectors/tcp_connector/CMakeFiles/tcp_connector.dir/tcp_connector.cc.o
[ 1%] Building CXX object src/actions/CMakeFiles/ips_actions.dir/actions.cc.o
...
[ 98%] Built target preprocessor_states
Scanning dependencies of target snort2lua
[ 98%] Building CXX object tools/snort2lua/CMakeFiles/snort2lua.dir/snort2lua.cc.o
[ 98%] Building CXX object tools/snort2lua/CMakeFiles/snort2lua.dir/init_state.cc.o
[100%] Linking CXX executable snort2lua
[100%] Built target snort2lua
[100%] Built target snort
~/ips/snort3-3.0.2-5/build$
Running snort, it cannot find the libdaq library, even though pkg-config can find it.
~/ips/snort3-3.0.2-5/build$ ./src/snort
./src/snort: error while loading shared libraries: libdaq.so.3: cannot open shared object file: No such file or directory
~/ips/snort3-3.0.2-5/build$
~/ips/snort3-3.0.2-5/build$ ldd ./src/snort
...
libdaq.so.3 => not found
...
~/ips/snort3-3.0.2-5/build$
~/ips/snort3-3.0.2-5/build$ pkg-config libdaq --libs
-L/usr/local/lib -ldaq
Checking with strace shows that the loader never even looks in /usr/local/lib, the directory where libdaq was installed.
~/ips/snort3-3.0.2-5/build$ strace ./src/snort
32 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/x86_64/libdaq.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
33 stat("/lib/x86_64-linux-gnu/x86_64", 0x7fff710f58d0) = -1 ENOENT (No such file or directory)
34 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdaq.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35 stat("/lib/x86_64-linux-gnu", {st_mode=S_IFDIR|0755, st_size=36864, ...}) = 0
49 stat("/usr/lib/x86_64-linux-gnu/x86_64", 0x7fff710f58d0) = -1 ENOENT (No such file or directory)
50 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdaq.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Without tracking down the exact cause for now, create a symlink in /usr/lib/x86_64-linux-gnu/, one of the directories searched above, pointing to /usr/local/lib/libdaq.so.3.0.0, so that snort can find the library when run.
~/ips/snort3-3.0.2-5/build$ sudo ln -s /usr/local/lib/libdaq.so.3.0.0 /usr/lib/x86_64-linux-gnu/libdaq.so.3
~/ips/snort3-3.0.2-5/build$
~/ips/snort3-3.0.2-5/build$ ./src/snort
usage:
./src/snort -?: list options
./src/snort -V: output version
./src/snort --help: help summary
./src/snort [-options] -c conf [-T]: validate conf
./src/snort [-options] -c conf -i iface: process live
./src/snort [-options] -c conf -r pcap: process readback
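As an added diagnostic (not from the original post; the function names and the /opt/lib candidate directory are my own), a script that turns the ldd "not found" line above into an explanation: for each unresolved library it checks whether the loader's cache (ldconfig -p) knows the soname and whether the file is already sitting in /usr/local/lib, which is the case the post ran into.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): explain an "error while loading
# shared libraries" failure like the one above by comparing what the dynamic
# loader can see (ld.so.cache, queried via ldconfig -p) with where the library
# really sits on disk. Function names and candidate directories are my own.

# missing_libs: read `ldd` output on stdin, print each "not found" library name.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# in_loader_cache LIB: succeed if ldconfig's cache lists LIB (exact soname match).
in_loader_cache() {
    ldconfig -p 2>/dev/null | awk -v lib="$1" '$1 == lib { found = 1 } END { exit !found }'
}

# locate_lib LIB DIR...: print the first DIR containing LIB; fail if none does.
locate_lib() {
    lib=$1; shift
    for d in "$@"; do
        [ -e "$d/$lib" ] && { echo "$d"; return 0; }
    done
    return 1
}

# explain_missing BINARY: for each library ldd cannot resolve, report whether the
# loader cache knows it and whether it is already installed under /usr/local/lib,
# the prefix libdaq's `make install` used above (/opt/lib is a second guess).
explain_missing() {
    ldd "$1" | missing_libs | while read -r lib; do
        if in_loader_cache "$lib"; then
            echo "$lib: listed in ld.so.cache yet unresolved; check the path ldconfig -p prints for it"
        elif dir=$(locate_lib "$lib" /usr/local/lib /opt/lib); then
            echo "$lib: on disk in $dir but absent from ld.so.cache; run 'sudo ldconfig' to refresh the cache"
        else
            echo "$lib: not installed in any checked directory"
        fi
    done
}

# Usage: sh explain_missing.sh ./src/snort
if [ $# -ge 1 ]; then explain_missing "$1"; fi
```

The strace output above shows ld.so probing only its built-in fallback directories (/lib/x86_64-linux-gnu, /usr/lib/x86_64-linux-gnu), which is what happens when /etc/ld.so.cache has no entry for libdaq.so.3: the cache is rebuilt only when ldconfig runs, so a library that make install has just placed in /usr/local/lib stays invisible until `sudo ldconfig` is run. The symlink in the post works as well, but it has to be recreated by hand whenever libdaq is upgraded, whereas refreshing the cache needs no per-library bookkeeping.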
Snort has many command-line options; start with a few simple ones to capture some packets:
~/ips/snort3-3.0.2-5/build$ sudo ./src/snort --help-options
-d dump the Application Layer
-e display the second layer header info
-i <iface>... list of interfaces
-L <mode> logging mode (none, dump, pcap, or log_*)
-n <count> stop after count packets (0:max53)
-Q enable inline mode operation
-v be verbose
-X dump the raw packet data starting at the link layer
The following captures a single packet (-n 1) passing through the ens32 interface.
~/ips/snort3-3.0.2-5/build$ sudo ./src/snort -d -e -v -X -L dump -Q -n 1 -i ens32
--------------------------------------------------
o")~ Snort++ 3.0.2-5
--------------------------------------------------
--------------------------------------------------
Inspection Policy : policy id 0 :
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
memcap: 8388608 bytes
Commencing packet processing
++ [0] ens32
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64
pkt:1
eth(DLT): 00:0C:29:B1:2B:52 -> 50:7B:9D:C7:03:73 type:0x0800
ipv4(0x0800): 192.168.1.129 -> 192.168.1.109
Next:0x06 TTL:64 TOS:0x10 ID:15025 IpLen:20 DgmLen:184 DF
snort.raw[164]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0000 00 16 C8 97 4D 1F 94 D3 21 6B 83 74 50 18 04 35 ....M... !k.tP..5
0010 84 E9 00 00 E9 19 BD 80 14 F7 93 91 F1 E3 9A 01 ........ ........
0020 49 34 FD A0 4B 2F 95 78 F2 57 92 0C B9 2E 21 DA I4..K/.x .W....!.
0030 C9 46 2A 1D E1 50 A0 7C 12 0C 83 76 81 54 94 6C .F*..P.| ...v.T.l
0040 B5 0A 8A FC 2A 2A 9D F5 64 B2 EB 69 F7 2C 1B 1F ....**.. d..i.,..
0050 10 49 19 19 C4 01 34 C1 B9 CD 62 F8 2B 65 04 57 .I....4. ..b.+e.W
0060 45 5B 27 E9 CA 5F FD A3 9A A0 64 40 C8 8A 70 44 E['.._.. ..d@..pD
0070 6C 08 0F BB 17 01 40 AC 1D D8 0A 62 27 5B 76 BE l.....@. ...b'[v.
0080 1F 06 E3 FB 72 FA FF D2 0C 77 41 F8 D3 1D 4C AB ....r... .wA...L.
0090 0F 2E C0 60 DC 65 71 FD 9C 82 5E 91 7F 69 E0 74 ...`.eq. ..^..i.t
00A0 D5 8E 75 67 ..ug
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- [0] ens32
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 1
analyzed: 1
allow: 1
rx_bytes: 198
--------------------------------------------------
codec
total: 1 (100.000%)
discards: 1 (100.000%)
eth: 1 (100.000%)
ipv4: 1 (100.000%)
tcp: 1 (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
analyzed: 1
logged: 1
--------------------------------------------------
tcp
bad_tcp4_checksum: 1
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
runtime: 00:00:00
seconds: 0.105165
pkts/sec: 1
o")~ Snort exiting