snort3安装测试

最新推荐文章于 2024-04-05 22:16:40 发布

redwingz

最新推荐文章于 2024-04-05 22:16:40 发布

阅读量2.7k

点赞数 3

分类专栏：网络安全文章标签： snort ids

本文链接：https://blog.csdn.net/sinat_20184565/article/details/108108742

版权

网络安全专栏收录该内容

14 篇文章 0 订阅

订阅专栏

环境为Ubuntu：

$ cat /etc/issue
Ubuntu 20.04 LTS \n \l

首先由github下载源码，这里使用3.0.2版本。

~/ips$ wget https://github.com/snort3/snort3/archive/3.0.2-5.tar.gz
~/ips$
~/ips$ tar -xf 3.0.2-5.tar.gz
~/ips$
~/ips$ cd snort3-3.0.2-5/
~/ips/snort3-3.0.2-5$

其次，安装所需的依赖包：

~/ips/snort3-3.0.2-5$ sudo apt install cmake
~/ips/snort3-3.0.2-5$ sudo apt install pkg-config
~/ips/snort3-3.0.2-5$ sudo apt install libdaq-dev
~/ips/snort3-3.0.2-5$ sudo apt install libdaq2
~/ips/snort3-3.0.2-5$ sudo apt install libhwloc-dev
~/ips/snort3-3.0.2-5$ sudo apt install luajit
~/ips/snort3-3.0.2-5$ sudo apt install libluajit-5.1-dev
~/ips/snort3-3.0.2-5$ sudo apt install libpcap-dev
~/ips/snort3-3.0.2-5$ sudo apt install libpcre3-dev
~/ips/snort3-3.0.2-5$ sudo apt install liblzma-dev

根据源码安装libdnet库：

~/ips/snort3-3.0.2-5$ cd ..
~/ips$ 
~/ips$ wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz
~/ips$ tar -xf libdnet-1.11.tar.gz 
~/ips$ 
~/ips$ cd libdnet-1.11/
~/ips/libdnet-1.11$ 
~/ips/libdnet-1.11$ ./configure 
~/ips/libdnet-1.11$ make
~/ips/libdnet-1.11$ sudo make install
~/ips/libdnet-1.11$ 
~/ips/libdnet-1.11$ cd ..
~/ips$
~/ips$ cd snort3-3.0.2-5
~/ips/snort3-3.0.2-5$

运行configure_cmake.sh脚本。

~/ips/snort3-3.0.2-5$ ./configure_cmake.sh         
Build Directory : build
...

-------------------------------------------------------
snort version 3.0.2

Install options:
    prefix:     /usr/local/snort
    includes:   /usr/local/snort/include/snort
    plugins:    /usr/local/snort/lib/snort

Compiler options:
    CC:             /usr/bin/cc
    CXX:            /usr/bin/c++
    CFLAGS:            -fvisibility=hidden   -DNDEBUG -g -ggdb   
    CXXFLAGS:          -fvisibility=hidden   -DNDEBUG -g -ggdb   
    EXE_LDFLAGS:        
    MODULE_LDFLAGS:     

Feature options:
    DAQ Modules:    Static ()
    Flatbuffers:    OFF
    Hyperscan:      OFF
    ICONV:          ON
    Libunwind:      OFF
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          OFF
    TCMalloc:       OFF
    UUID:           OFF
-------------------------------------------------------

-- Configuring done
-- Generating done
...
~/ips/snort3-3.0.2-5$

以下为可选安装包，可开启snort的feature选项。

~/ips/snort3-3.0.2-5$ sudo apt install libhyperscan-dev
~/ips/snort3-3.0.2-5$ sudo apt install libunwind-dev
~/ips/snort3-3.0.2-5$ sudo apt install uuid-dev
~/ips/snort3-3.0.2-5$ sudo apt install libsafec-dev
~/ips/snort3-3.0.2-5$ sudo apt-cache search tcmalloc
~/ips/snort3-3.0.2-5$ sudo apt install libgoogle-perftools-dev

再次运行脚本configure_cmake.sh，发现TCMALLOC还是off状态，下载gperftool源码进行安装：

~/ips/snort3-3.0.2-5$ cd ..
~/ips$ 
~/ips$ wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.8/gperftools-2.8.tar.gz
~/ips$ tar -xf gperftools-2.8.tar.gz 
~/ips$ cd gperftools-2.8/
~/ips/gperftools-2.8$ ./configure
~/ips/gperftools-2.8$ make
~/ips/gperftools-2.8$ sudo make install
~/ips/gperftools-2.8$ 
~/ips/gperftools-2.8$ cd ..
~/ips$
~/ips$ cd snort3-3.0.2-5/
~/ips/snort3-3.0.2-5$

安装gperftool之后，TCMALLOC还是off状态，发现和其它feature不同，需要在执行脚本时，显示启用TCMALLOC，如下：

~/ips/snort3-3.0.2-5$ ./configure_cmake.sh --enable-tcmalloc
Build Directory : build
...    

Feature options:
    DAQ Modules:    Static ()
    Flatbuffers:    OFF
    Hyperscan:      ON
    ICONV:          ON
    Libunwind:      ON
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          ON
    TCMalloc:       ON
    UUID:           ON
-------------------------------------------------------

-- Configuring done
-- Generating done
~/ips/snort3-3.0.2-5$

执行make，进行编译，遇到如下错误：

~/ips/snort3-3.0.2-5 $ cd build
~/ips/snort3-3.0.2-5/build
~/ips/snort3-3.0.2-5/build$ make
...
~/ips/snort3-3.0.2-5/src/protocols/packet.h: At global scope:
~/ips/snort3-3.0.2-5/src/protocols/packet.h:144:5: error: ‘DAQ_Msg_h’ does not name a type
  144 |     DAQ_Msg_h daq_msg;              // DAQ message this packet came from
      |     ^~~~~~~~~
In file included from ~/ips/snort3-3.0.2-5/src/actions/actions.cc:27:
~/ips/snort3-3.0.2-5/src/packet_io/active.h:166:25: error: ‘DAQ_Msg_h’ has not been declared
  166 |     static int send_eth(DAQ_Msg_h, int, const uint8_t* buf, uint32_t len);
      |                         ^~~~~~~~~

回过头看一下configure_cmake.sh脚本运行时，报过类似的警告：

~/ips/snort3-3.0.2-5$ ./configure_cmake.sh 
Build Directory : build
Source Directory: /home/kai/ips/snort3-3.0.2-5
... 
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.1") 
-- Checking for module 'libdaq>=3.0.0'
--   No package 'libdaq' found
-- Found DAQ: /usr/lib/libdaq.so

由源码安装libdaq，这里使用版本3.0.0。

~/ips/snort3-3.0.2-5$ cd ..
~/ips$ 
~/ips$ wget https://github.com/snort3/libdaq/archive/v3.0.0-alpha7.tar.gz
~/ips$ tar -xf v3.0.0-alpha7.tar.gz 
~/ips$ 
~/ips$ cd libdaq-3.0.0-alpha7/
~/ips/libdaq-3.0.0-alpha7$ 
~/ips/libdaq-3.0.0-alpha7$ ./bootstrap 
~/ips/libdaq-3.0.0-alpha7$ ./configure 
...
config.status: executing libtool commands

    daq 3.0.0

    ...

    Build AFPacket DAQ module.. : yes
    Build BPF DAQ module....... : yes
    Build Divert DAQ module.... : no
    Build Dump DAQ module...... : yes
    Build FST DAQ module....... : yes
    Build NFQ DAQ module....... : no
    Build PCAP DAQ module...... : yes
    Build netmap DAQ module.... : no
    Build Trace DAQ module..... : yes

~/ips/libdaq-3.0.0-alpha7$ 
~/ips/libdaq-3.0.0-alpha7$ make
~/ips/libdaq-3.0.0-alpha7$ sudo make install

再次运行configure_cmake.sh脚本，可见找到libdaq。

~/ips/snort3-3.0.2-5$ ./configure_cmake.sh --enable-tcmalloc
Build Directory : build
...
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.1") 
-- Checking for module 'libdaq>=3.0.0'
--   Found libdaq, version 3.0.0
-- Found DAQ: /usr/local/lib/libdaq.so  
-- Checking for module 'libdaq_static_trace'
--   Found libdaq_static_trace, version 3.0.0
-- Checking for module 'libdaq_static_afpacket'
--   Found libdaq_static_afpacket, version 3.0.0
-- Checking for module 'libdaq_static_dump'
--   Found libdaq_static_dump, version 3.0.0
-- Checking for module 'libdaq_static_pcap'
--   Found libdaq_static_pcap, version 3.0.0
-- Checking for module 'libdaq_static_fst'
--   Found libdaq_static_fst, version 3.0.0
-- Checking for module 'libdaq_static_bpf'
--   Found libdaq_static_bpf, version 3.0.0
-- Found DNET: /usr/local/include

一下编译snort3完成。

~/ips/snort3-3.0.2-5$ cd build/
~/ips/snort3-3.0.2-5/build$ 
~/ips/snort3-3.0.2-5/build$ make -j 2
[  1%] Building CXX object src/connectors/tcp_connector/CMakeFiles/tcp_connector.dir/tcp_connector.cc.o
[  1%] Building CXX object src/actions/CMakeFiles/ips_actions.dir/actions.cc.o
...
[ 98%] Built target preprocessor_states
Scanning dependencies of target snort2lua
[ 98%] Building CXX object tools/snort2lua/CMakeFiles/snort2lua.dir/snort2lua.cc.o
[ 98%] Building CXX object tools/snort2lua/CMakeFiles/snort2lua.dir/init_state.cc.o
[100%] Linking CXX executable snort2lua
[100%] Built target snort2lua
[100%] Built target snort
~/ips/snort3-3.0.2-5/build$

运行snort，发现找不到libdaq库，但是pkg-config能找到。

~/ips/snort3-3.0.2-5/build$ ./src/snort
./src/snort: error while loading shared libraries: libdaq.so.3: cannot open shared object file: No such file or directory
~/ips/snort3-3.0.2-5/build$ 
~/ips/snort3-3.0.2-5/build$ ldd ./src/snort 
        ...
        libdaq.so.3 => not found
        ...
~/ips/snort3-3.0.2-5/build$ 
~/ips/snort3-3.0.2-5/build$ pkg-config libdaq --libs
-L/usr/local/lib -ldaq

使用strace进行查看，根本就没有到libdaq所在的目录/usr/local/lib中进行查找。

~/ips/snort3-3.0.2-5/build$ strace ./src/snort

 32 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/x86_64/libdaq.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 33 stat("/lib/x86_64-linux-gnu/x86_64", 0x7fff710f58d0) = -1 ENOENT (No such file or directory)
 34 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdaq.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 35 stat("/lib/x86_64-linux-gnu", {st_mode=S_IFDIR|0755, st_size=36864, ...}) = 0
 49 stat("/usr/lib/x86_64-linux-gnu/x86_64", 0x7fff710f58d0) = -1 ENOENT (No such file or directory)
 50 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdaq.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

具体原因先不查找，在以上的查找目录/usr/lib/x86_64-linux-gnu/建立一个软连接，到/usr/local/lib/libdaq.so.3.0.0，这样snort运行就可找到此库。

~/ips/snort3-3.0.2-5/build$ sudo ln -s /usr/local/lib/libdaq.so.3.0.0 /usr/lib/x86_64-linux-gnu/libdaq.so.3
~/ips/snort3-3.0.2-5/build$ 
~/ips/snort3-3.0.2-5/build$ ./src/snort        
usage:
    ./src/snort -?: list options
    ./src/snort -V: output version
    ./src/snort --help: help summary
    ./src/snort [-options] -c conf [-T]: validate conf
    ./src/snort [-options] -c conf -i iface: process live
    ./src/snort [-options] -c conf -r pcap: process readback

snort的命令行选项比较多，先使用几个简单的选项抓取一下报文：

~/ips/snort3-3.0.2-5/build$ sudo ./src/snort --help-options
-d dump the Application Layer
-e display the second layer header info
-i <iface>... list of interfaces
-L <mode> logging mode (none, dump, pcap, or log_*)
-n <count> stop after count packets (0:max53)
-Q enable inline mode operation
-v be verbose
-X dump the raw packet data starting at the link layer

如下抓取一个（-n 1）经过ens32网卡的报文。

~/ips/snort3-3.0.2-5/build$ sudo ./src/snort -d -e -v -X  -L dump -Q -n 1 -i ens32
--------------------------------------------------
o")~   Snort++ 3.0.2-5
--------------------------------------------------
--------------------------------------------------
Inspection Policy : policy id 0 : 
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] ens32
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64
pkt:1
eth(DLT):  00:0C:29:B1:2B:52 -> 50:7B:9D:C7:03:73  type:0x0800
ipv4(0x0800):  192.168.1.129 -> 192.168.1.109
        Next:0x06 TTL:64 TOS:0x10 ID:15025 IpLen:20 DgmLen:184 DF

snort.raw[164]:
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
0000  00 16 C8 97 4D 1F 94 D3  21 6B 83 74 50 18 04 35  ....M... !k.tP..5
0010  84 E9 00 00 E9 19 BD 80  14 F7 93 91 F1 E3 9A 01  ........ ........
0020  49 34 FD A0 4B 2F 95 78  F2 57 92 0C B9 2E 21 DA  I4..K/.x .W....!.
0030  C9 46 2A 1D E1 50 A0 7C  12 0C 83 76 81 54 94 6C  .F*..P.| ...v.T.l
0040  B5 0A 8A FC 2A 2A 9D F5  64 B2 EB 69 F7 2C 1B 1F  ....**.. d..i.,..
0050  10 49 19 19 C4 01 34 C1  B9 CD 62 F8 2B 65 04 57  .I....4. ..b.+e.W
0060  45 5B 27 E9 CA 5F FD A3  9A A0 64 40 C8 8A 70 44  E['.._.. ..d@..pD
0070  6C 08 0F BB 17 01 40 AC  1D D8 0A 62 27 5B 76 BE  l.....@. ...b'[v.
0080  1F 06 E3 FB 72 FA FF D2  0C 77 41 F8 D3 1D 4C AB  ....r... .wA...L.
0090  0F 2E C0 60 DC 65 71 FD  9C 82 5E 91 7F 69 E0 74  ...`.eq. ..^..i.t
00A0  D5 8E 75 67                                       ..ug
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

-- [0] ens32
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 1
                 analyzed: 1
                    allow: 1
                 rx_bytes: 198
--------------------------------------------------
codec
                    total: 1            (100.000%)
                 discards: 1            (100.000%)
                      eth: 1            (100.000%)
                     ipv4: 1            (100.000%)
                      tcp: 1            (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 1
                   logged: 1
--------------------------------------------------
tcp
        bad_tcp4_checksum: 1
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.105165
                 pkts/sec: 1
o")~   Snort exiting