CentOS6u9 Snort入侵检测系统部署配置

简单说明：

Snort是开源的基于实时网络流量分析和数据包记录的入侵检测系统
官方文档位置：https://www.snort.org/documents
查看官档《Snort 2.9.8.x on CentOS 6.x and 7.x》
依据《CentOS6实验机模板搭建部署》克隆实验机进行部署测试

经测试，官档写的并不好，本实验根据官档进行安装，还有一些问题，本博文只做一次实验记录
后期会发布一篇根据其他博文，类似基于snort+barnyard2+base的入侵检测系统的实验转载博文

实验过程：

1° 增加配置epel源，安装系统包

yum -y install epel-release
yum -y install gcc flex bison tcpdump \
zlib zlib-devel libpcap libpcap-devel \
pcre pcre-devel libdnet libdnet-devel
# 还需要libdnet-debuginfo包，可以从rpmfind网站找到
axel https://www.rpmfind.net/linux/epel/6/x86_64/debug/Packages/l/libdnet-debuginfo-1.12-6.el6.x86_64.rpm
yum -y localinstall libdnet-debuginfo-1.12-6.el6.x86_64.rpm

2° 从官网下载源码包并安装

cd /tmp
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz
cd /usr/local/src
tar -xf /tmp/daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make && sudo make install
cd /usr/local/lib
ldconfig -v /usr/local/lib
cd /usr/local/src
tar -xf /tmp/snort-2.9.11.1.tar.gz
cd snort-2.9.11.1
./configure --enable-sourcefire
make && sudo make install
cd /usr/local/lib
ldconfig -v /usr/local/lib

3° 注册官方账号，使用该账号登录，下载规则集合或者VRT规则
登录 https://www.snort.org
点击Sign in，然后Sign up进行注册，勾选Snort-users

根据邮件，打开连接

下载规则包
https://www.snort.org/downloads
下载 snortrules-snapshot-29111.tar.gz

4° 导入下载的规则包

cd /etc
mkdir -p snort
cd snort
cp -av /usr/local/src/snort-2.9.11.1/etc/* .
tar -xf /tmp/snortrules-snapshot-29111.tar.gz
cp ./etc/* .
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules

5° 添加系统用户

groupadd -g 40000 snort
useradd -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

6° 编辑配置文件 /etc/snort/snort.conf

# 假设监控的网段为192.168.77.0/24
NET='192.168.77.0/24'
sed -i 's|^\(var RULE_PATH\).*|\1 /etc/snort/rules|g' /etc/snort/snort.conf
sed -i "s|^\(ipvar HOME_NET\).*|\1 ${NET}|g" /etc/snort/snort.conf
sed -i 's|^\(ipvar EXTERNAL_NET\).*|\1 !$HOME_NET|g' /etc/snort/snort.conf
sed -i 's|^\(var SO_RULE_PATH\).*|\1 /etc/snort/so_rules|g' /etc/snort/snort.conf
sed -i 's|^\(var PREPROC_RULE_PATH\).*|\1 /etc/snort/preproc_rules|g' /etc/snort/snort.conf
sed -i 's|^\(var WHITE_LIST_PATH\).*|\1 /etc/snort/rules|g' /etc/snort/snort.conf
sed -i 's|^\(var BLACK_LIST_PATH\).*|\1 /etc/snort/rules|g' /etc/snort/snort.conf

7° 权限更改

cd /usr/local/src
chown -R snort:snort daq-2.0.6
chmod -R 700 daq-2.0.6
chown -R snort:snort snort-2.9.11.1
chmod -R 700 snort-2.9.11.1
chown -R snort:snort snort_dynamicsrc
chmod -R 700 snort_dynamicsrc

8° 添加系统托管启动脚本

# 官网 https://www.snort.org/documents
# 下载 Snort Startup Script for CentOS
chmod +x /etc/init.d/snort
chkconfig --add snort
chkconfig snort on

9° 创建软连接

cd /usr/sbin
ln -s /usr/local/bin/snort snort

10° 创建配置文件

vi /etc/sysconfig/snort
# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $
#### General Configuration
INTERFACE=eth0
CONF=/etc/snort/snort.conf
USER=snort
GROUP=snort
PASS_FIRST=0
#### Logging & Alerting
LOGDIR=/var/log/snort
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
NO_PACKET_LOG=0
PRINT_INTERFACE=0

chown snort: /etc/sysconfig/snort
chmod 700 /etc/sysconfig/snort

11° 如果/var/log/snort不存在，则创建：

cd /var/log
mkdir snort
chmod 700 snort
chown -R snort:snort snort
# 更改权限
cd /usr/local/lib
chown -R snort:snort snort*
chown -R snort:snort snort_dynamic*
chown -R snort:snort pkgconfig
chmod -R 700 snort*
chmod -R 700 pkgconfig
cd /usr/local/bin
chown -R snort:snort daq-modules-config
chown -R snort:snort u2*
chmod -R 700 daq-modules-config
chmod 700 u2*
cd /etc
chown -R snort:snort snort
chmod -R 700 snort

12° 创建动态规则目录

mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules
# 官档上写要导入一些动态规则，不明所以

# 配置文件 /etc/snort/snort.conf 生效行要以反斜杠结尾
# 该配置文件很多该错误行
sed -i 's/[^\\]$/ \\/g' /etc/snort/snort.conf

13° 启动自我测试模式进行测试

cd /usr/local/bin
./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
# 测试成功的输出：
# Snort successfully validated the configuration!
# Snort exiting
# 其他错误参见官当

14° 手动启动，监控启动

snort -A fast -b -d -D -i eth0 -u snort -g snort \
-c /etc/snort/snort.conf -l /var/log/snort
tailf /var/log/messages

15° 升级建议

# 如果要升级snort，强烈建议备份以下配置文件：
local.rules
snort.conf
threshold.conf
white_list.rules
black_list.rules

[TOC]