-
-
[原创][原创]Snort安装、配置、iptables联动
-
发表于: 2016-8-3 14:24
-
网上关于snort、及与iptables联动文章很多,转来转去,没几篇照着能欢快的跑起来的,总没准有个坑,好吧,史上最详细版,坑少、最严谨的一篇操作指南如下:
0x1、Snort安装篇
https://www.snort.org/documents,结合维护等os类型,下载指导paper
安装包下载
https://pan.baidu.com/s/1o7V5Aoq提取码: 4au5
安装过程:
根据官方安装指导手册,安装前需要一些依赖文件
步骤1:安装gcc,flex,bison,….. libdnet、libdnet-devel
[root@localhost ~]# yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel
这里交代下,libdnet、libdnet-devel这两个依赖包,不确定一定能yum 安装上,可能yum –y install不报错,但snort编译时会还出错,可以下面两种方法解决:
方法1:下载libdnet进行源码编译安装,文件上面网盘有下载,下面为操作步骤:
cd /usr/local/src/libdnet-1.xx
./configure –with-pic
make
make install
cd /usr/local/lib
ldconfig –v /usr/local/lib 别忘了,容易忽略
可能会出以下错误:
checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
解决办法:
yum install glibc-headers gcc-c++
方法2:升级yum –y update
然后运行,直接yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel
步骤2: 安装DAQ-2.0.x
tar zxvf daq-2.0.6.tar.gz
./configure
make
make install
cd /usr/local/lib
ldconfig -v /usr/local/lib 别忘了,容易忽略
步骤3:安装snort-2.9.8.3
tar zxvf snort-2.9.8.3.tar.gz
./configure --enable-sourcefire
make
make install
cd /usr/local/lib
ldconfig -v /usr/local/lib
0x2、snort基本配置
1. cd /etc/
2. mkdir -p snort
3. cd snort-2.9.8.3
4. cp etc/* /etc/snort/
5. tar zxvf snortrules-snapshot-2983.tar.gz -C /etc/snort/
6. 解压规则到snort目录下,snort精华所在
7. touch /etc/snort/rules/white_list.rules
8. touch /etc/snort/rules/black_list.rules
9. groupadd -g 40000 snort
10. useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS –g snort
11. cd /etc/snort
12. chown -R snort:snort *
13. chown -R snort:snort /var/log/snort
修改/etc/snort/snort.conf配置文件,参考如下:
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
尝试启动snort –c /etc/snort/snort.conf,会报如下错误:
ERROR: snort.conf(253) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory. Fatal Error, Quitting.
解决办法:
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules
规则添加:(很重要)
发现2.9.8这个版本下载后,rules目录下有些策略默认是空的,比如/etc/snort/rules/scan.rules
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------
# SCAN RULES
#------------
需要我们自己完善,这些规则可以参考其他人写的,完善到自己的snort rules中
https://github.com/eldondev/Snort/blob/master/rules/scan.rules
规则编写可以参考这个网站:
http://asecuritysite.com/forensics/snort?fname=hping_fin.pcap&rulesname=rulesstealth.rules
当然也可以结合自己需要,定制一些特殊规则,给几个常用的,可以添加到local.rules文件
1、检测xss跨站脚本规则: -> /etc/snort/rules/local.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-site scripting attempt"; flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:Web-application-attack; sid:9000; rev:5;)
2、检测nmap类扫描规则: -> /etc/snort/rules/scan.rules
alert tcp any any -> any any (msg:"SYN FIN Scan"; flags: S;sid:9000000;)
alert tcp any any -> any any (msg:"FIN Scan"; flags: F;sid:9000001;)
alert tcp any any -> any any (msg:"NULL Scan"; flags: 0;sid:9000002;)
alert tcp any any -> any any (msg:"XMAS Scan"; flags: FPU;sid:9000003;)
alert tcp any any -> any any (msg:"Full XMAS Scan"; flags: SRAFPU;sid:9000004;)
alert tcp any any -> any any (msg:"URG Scan"; flags: U;sid:9000005;)
alert tcp any any -> any any (msg:"URG FIN Scan"; flags: FU;sid:9000006;)
alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags: FP;sid:9000007;)
alert tcp any any -> any any (msg:"URG PUSH Scan"; flags: PU;sid:9000008;)
alert tcp any any -> any any (flags: A; ack: 0; msg:"NMAP TCP ping!";sid:9000009;)
3、检测一句话(中国菜刀webshell)规则:-> /etc/snort/rules/local.rules
alert tcp any any -> any 80 (msg:"China Chopper PHP/Backdoor Detected"; content:"|62 61 73 65 36 34 5f 64 65 63 6f 64 65|"; rawbytes;reference:url,http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:500007; rev:1;)
alert tcp any any -> any 80 ( sid:900001; content:"base64_decode";http_client_body;flow:to_server,established; content:"POST"; nocase;http_method;msg:"Webshell Detected Apache";)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "China Chopper with first Command Detected";flow:to_server,established; content: "FromBase64String";content: "z1"; content:"POST"; nocase;http_method;reference:url,http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html;classtype:web-application-attack; sid: 900000101;)
4、检测sql注入规则
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".pl";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)
5、heartbeart规则
alert tcp any any -> any 443 (msg:"Heartbeat request"; content:"|18 03 02 00|"; rawbytes;sid:100000)
最后提下攻击日志,snort攻击日志一般存与/var/log/snort/下,会生成alert纪录攻击日志,snort.xxxxx纪录详情,当然输出格式支持很多种syslog,csv、也可以将攻击日志写入mysql(2.9x以后版本需要借助barnyard2,如果只是web网站上部署,没必要建议你安装图像界面、管理控制台、开源东西,最小化安装、功能能跑起来,未必是坏事.)
一般攻击日志,导出csv格式就可以了,纪录的也不是很详细,丢数据库个人觉得意义不是特大,自己结合实际情况吧。
导出csv方法:
vim /etc/snort/snort.conf
output alert_csv: /var/log/snort/alert.csv msg,proto,timestamp,src,srcport,dst,dstport
0x3、snort与iptables联动,升级为IPS
Step 1 :
Go to http://www.chaotic.org/guardian/ to download Guardian. The current version as at this writing is version 1.7.
wget http://www.chaotic.org/guardian/guardian-1.7.tar.gz
Step 2 :
Untar the package.
tar -xzvf guardian-1.7.tar.gz
Step 3 :
cd guardian-1.7
cp guardian.pl /usr/local/bin/
cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
cp guardian.conf /etc/snort/
touch /etc/snort/guardian.ignore
touch /etc/snort/guardian.target
touch /var/log/snort/guardian.log
Step 4 :
vi /etc/snort/guardian.conf
Make the file looks like this (the IP address of HostIpAddr may be different from yours).
HostIpAddr取消注释,写自己eth0 ip地址
Step 5:
Vim /etc/snort/guardian.target
将步骤4中监听的eth0 ip地址写进来,这里别落下了,网上已有文章,这里是个坑,导致关联有问题
Step 6:
Vim /etc/snort/snort.conf注释掉output alert_syslog:LOG_AUTH LOG_ALERT,至于下一行的需不需要output alert_csv结合自己需要。
配置完毕
0x4、效果演示:
步骤1:先瞅瞅iptables、空空如也:
步骤2:启动guardian
步骤3:启动snort:
snort –c /etc/snort/snort.conf
步骤4:模拟攻击,发现一会就被干掉了
行文不易,且看且珍惜吧
0x1、Snort安装篇
https://www.snort.org/documents,结合维护等os类型,下载指导paper
安装包下载
https://pan.baidu.com/s/1o7V5Aoq提取码: 4au5
安装过程:
根据官方安装指导手册,安装前需要一些依赖文件
步骤1:安装gcc,flex,bison,….. libdnet、libdnet-devel
[root@localhost ~]# yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel
这里交代下,libdnet、libdnet-devel这两个依赖包,不确定一定能yum 安装上,可能yum –y install不报错,但snort编译时会还出错,可以下面两种方法解决:
方法1:下载libdnet进行源码编译安装,文件上面网盘有下载,下面为操作步骤:
cd /usr/local/src/libdnet-1.xx
./configure –with-pic
make
make install
cd /usr/local/lib
ldconfig –v /usr/local/lib 别忘了,容易忽略
可能会出以下错误:
checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
解决办法:
yum install glibc-headers gcc-c++
方法2:升级yum –y update
然后运行,直接yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel
步骤2: 安装DAQ-2.0.x
tar zxvf daq-2.0.6.tar.gz
./configure
make
make install
cd /usr/local/lib
ldconfig -v /usr/local/lib 别忘了,容易忽略
步骤3:安装snort-2.9.8.3
tar zxvf snort-2.9.8.3.tar.gz
./configure --enable-sourcefire
make
make install
cd /usr/local/lib
ldconfig -v /usr/local/lib
0x2、snort基本配置
1. cd /etc/
2. mkdir -p snort
3. cd snort-2.9.8.3
4. cp etc/* /etc/snort/
5. tar zxvf snortrules-snapshot-2983.tar.gz -C /etc/snort/
6. 解压规则到snort目录下,snort精华所在
7. touch /etc/snort/rules/white_list.rules
8. touch /etc/snort/rules/black_list.rules
9. groupadd -g 40000 snort
10. useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS –g snort
11. cd /etc/snort
12. chown -R snort:snort *
13. chown -R snort:snort /var/log/snort
修改/etc/snort/snort.conf配置文件,参考如下:
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
尝试启动snort –c /etc/snort/snort.conf,会报如下错误:
ERROR: snort.conf(253) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory. Fatal Error, Quitting.
解决办法:
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules
规则添加:(很重要)
发现2.9.8这个版本下载后,rules目录下有些策略默认是空的,比如/etc/snort/rules/scan.rules
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------
# SCAN RULES
#------------
需要我们自己完善,这些规则可以参考其他人写的,完善到自己的snort rules中
https://github.com/eldondev/Snort/blob/master/rules/scan.rules
规则编写可以参考这个网站:
http://asecuritysite.com/forensics/snort?fname=hping_fin.pcap&rulesname=rulesstealth.rules
当然也可以结合自己需要,定制一些特殊规则,给几个常用的,可以添加到local.rules文件
1、检测xss跨站脚本规则: -> /etc/snort/rules/local.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-site scripting attempt"; flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:Web-application-attack; sid:9000; rev:5;)
2、检测nmap类扫描规则: -> /etc/snort/rules/scan.rules
alert tcp any any -> any any (msg:"SYN FIN Scan"; flags: S;sid:9000000;)
alert tcp any any -> any any (msg:"FIN Scan"; flags: F;sid:9000001;)
alert tcp any any -> any any (msg:"NULL Scan"; flags: 0;sid:9000002;)
alert tcp any any -> any any (msg:"XMAS Scan"; flags: FPU;sid:9000003;)
alert tcp any any -> any any (msg:"Full XMAS Scan"; flags: SRAFPU;sid:9000004;)
alert tcp any any -> any any (msg:"URG Scan"; flags: U;sid:9000005;)
alert tcp any any -> any any (msg:"URG FIN Scan"; flags: FU;sid:9000006;)
alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags: FP;sid:9000007;)
alert tcp any any -> any any (msg:"URG PUSH Scan"; flags: PU;sid:9000008;)
alert tcp any any -> any any (flags: A; ack: 0; msg:"NMAP TCP ping!";sid:9000009;)
3、检测一句话(中国菜刀webshell)规则:-> /etc/snort/rules/local.rules
alert tcp any any -> any 80 (msg:"China Chopper PHP/Backdoor Detected"; content:"|62 61 73 65 36 34 5f 64 65 63 6f 64 65|"; rawbytes;reference:url,http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:500007; rev:1;)
alert tcp any any -> any 80 ( sid:900001; content:"base64_decode";http_client_body;flow:to_server,established; content:"POST"; nocase;http_method;msg:"Webshell Detected Apache";)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "China Chopper with first Command Detected";flow:to_server,established; content: "FromBase64String";content: "z1"; content:"POST"; nocase;http_method;reference:url,http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html;classtype:web-application-attack; sid: 900000101;)
4、检测sql注入规则
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".pl";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)
5、heartbeart规则
alert tcp any any -> any 443 (msg:"Heartbeat request"; content:"|18 03 02 00|"; rawbytes;sid:100000)
最后提下攻击日志,snort攻击日志一般存与/var/log/snort/下,会生成alert纪录攻击日志,snort.xxxxx纪录详情,当然输出格式支持很多种syslog,csv、也可以将攻击日志写入mysql(2.9x以后版本需要借助barnyard2,如果只是web网站上部署,没必要建议你安装图像界面、管理控制台、开源东西,最小化安装、功能能跑起来,未必是坏事.)
一般攻击日志,导出csv格式就可以了,纪录的也不是很详细,丢数据库个人觉得意义不是特大,自己结合实际情况吧。
导出csv方法:
vim /etc/snort/snort.conf
output alert_csv: /var/log/snort/alert.csv msg,proto,timestamp,src,srcport,dst,dstport
0x3、snort与iptables联动,升级为IPS
Step 1 :
Go to http://www.chaotic.org/guardian/ to download Guardian. The current version as at this writing is version 1.7.
wget http://www.chaotic.org/guardian/guardian-1.7.tar.gz
Step 2 :
Untar the package.
tar -xzvf guardian-1.7.tar.gz
Step 3 :
cd guardian-1.7
cp guardian.pl /usr/local/bin/
cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
cp guardian.conf /etc/snort/
touch /etc/snort/guardian.ignore
touch /etc/snort/guardian.target
touch /var/log/snort/guardian.log
Step 4 :
vi /etc/snort/guardian.conf
Make the file looks like this (the IP address of HostIpAddr may be different from yours).
HostIpAddr取消注释,写自己eth0 ip地址
Step 5:
Vim /etc/snort/guardian.target
将步骤4中监听的eth0 ip地址写进来,这里别落下了,网上已有文章,这里是个坑,导致关联有问题
Step 6:
Vim /etc/snort/snort.conf注释掉output alert_syslog:LOG_AUTH LOG_ALERT,至于下一行的需不需要output alert_csv结合自己需要。
配置完毕
0x4、效果演示:
步骤1:先瞅瞅iptables、空空如也:
步骤2:启动guardian
步骤3:启动snort:
snort –c /etc/snort/snort.conf
步骤4:模拟攻击,发现一会就被干掉了
行文不易,且看且珍惜吧
