Enterprises usually deploy a firewall as the first line of defence against intrusion, but in practice a firewall cannot block every kind of network attack. This is why intrusion detection systems (IDS) exist: if an attack cannot be blocked, it is at least recorded so it can be investigated afterwards. There are now also intrusion prevention systems (Intrusion Prevention System, IPS), which not only log malicious activity but can also block it while it is in progress.
Snort is a signature-based intrusion detection system. It uses a prebuilt set of signatures for known attacks and compares the content of each received packet against them to decide whether the traffic contains attack behaviour. When a packet matches a signature, the corresponding action is triggered.
Build dependencies
sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient-dev libnetfilter-queue-dev iptables-dev libdnet-dev libdumbnet-dev
Download the source code
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz
Build
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install
cd ..
tar xvfz snort-2.9.11.1.tar.gz
cd snort-2.9.11.1
./configure --enable-sourcefire && make && sudo make install
Test
First refresh the shared-library cache by running the following command
sudo ldconfig
sudo snort -V, which should respond as follows
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1 GRE (Build 268)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.38 2015-11-23
           Using ZLIB version: 1.2.8
Configuration
Using vim, write the following script
vim ~/setup.sh
#!/bin/bash
# snort source location
snort_src=~/Downloads/snort-2.9.11.1
# adding group and user
sudo groupadd snort
sudo useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
# Configuring snort
sudo mkdir -p /etc/snort
sudo mkdir -p /etc/snort/rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir -p /var/log/snort
sudo mkdir -p /usr/local/lib/snort_dynamicrules
sudo chmod -R 775 /etc/snort
sudo chmod -R 775 /var/log/snort
sudo chmod -R 775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
# copy configuration files
cd $snort_src/etc
sudo cp * /etc/snort
After leaving vim, run the following commands
chmod 755 setup.sh
./setup.sh
The snort.conf configuration file
sudo vim /etc/snort/snort.conf
Change the following settings
# the protected network
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
In the same file, comment out every rule include and keep only local.rules
# site specific rules
include $RULE_PATH/local.rules
#include $RULE_PATH/app-detect.rules
#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
...... every include below this point is commented out as well
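As an added check, not part of the original post and not a Snort tool, the following Python script reads a snort.conf fragment and flags the mistakes that most often make snort -T fail or silently widen a rule's scope: a HOME_NET that is missing or set to any (every $HOME_NET rule then matches every host), a rule path that is relative rather than absolute (the case Snort's own comment above warns about), and rule files still included next to local.rules. SAMPLE_CONF is constructed for this example and deliberately carries two of these defects; the real file is /etc/snort/snort.conf as set up above.

```python
import ipaddress
import re

# Constructed snort.conf fragment, modelled on the settings edited in this post.
# It deliberately contains two defects: a relative PREPROC_RULE_PATH and a rule
# file (backdoor.rules) still included next to local.rules.
SAMPLE_CONF = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# site specific rules
include $RULE_PATH/local.rules
#include $RULE_PATH/app-detect.rules
include $RULE_PATH/backdoor.rules
"""

# The path variables the post sets to absolute paths under /etc/snort.
PATH_VARS = ("RULE_PATH", "SO_RULE_PATH", "PREPROC_RULE_PATH",
             "WHITE_LIST_PATH", "BLACK_LIST_PATH")


def parse_vars(conf):
    """Collect var/ipvar/portvar definitions as a name -> value dict."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def active_includes(conf):
    """Return the targets of include lines that are not commented out."""
    targets = []
    for line in conf.splitlines():
        m = re.match(r"^\s*include\s+(\S+)", line)
        if m:
            targets.append(m.group(1))
    return targets


def check_conf(conf):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    problems = []
    v = parse_vars(conf)
    home = v.get("HOME_NET")
    if home is None or home == "any":
        problems.append("HOME_NET is unset or 'any': rules scoped to $HOME_NET match every host")
    else:
        # ipvar lists look like [192.168.1.0/24,10.0.0.0/8]; entries may be negated with '!'
        for net in home.strip("[]").split(","):
            try:
                ipaddress.ip_network(net.lstrip("!"), strict=False)
            except ValueError:
                problems.append(f"HOME_NET entry {net!r} is not a valid network")
    for name in PATH_VARS:
        path = v.get(name)
        if path is None:
            problems.append(f"{name} is not defined")
        elif not path.startswith("/"):
            problems.append(f"{name} is relative ({path}); use an absolute path as the post does")
    extra = [t for t in active_includes(conf)
             if t.startswith("$RULE_PATH/") and not t.endswith("/local.rules")]
    if extra:
        problems.append("rule files still included besides local.rules: " + ", ".join(extra))
    return problems


if __name__ == "__main__":
    for p in check_conf(SAMPLE_CONF) or ["no problems found"]:
        print("-", p)
```

To run it against the real file, replace SAMPLE_CONF with the contents of /etc/snort/snort.conf; the checker is deliberately limited to the settings this post touches and is no substitute for snort -T, which validates the whole configuration.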
Run
sudo snort -T -c /etc/snort/snort.conf; if it runs correctly you will see output like the following
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1 GRE (Build 268)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.38 2015-11-23
           Using ZLIB version: 1.2.8

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0
           Preprocessor Object: SF_POP  Version 1.0
           Preprocessor Object: SF_SSLPP  Version 1.1
           Preprocessor Object: SF_FTPTELNET  Version 1.2
           Preprocessor Object: SF_MODBUS  Version 1.1
           Preprocessor Object: SF_DCERPC2  Version 1.0
           Preprocessor Object: SF_SSH  Version 1.1
           Preprocessor Object: SF_IMAP  Version 1.0
           Preprocessor Object: SF_DNP3  Version 1.1
           Preprocessor Object: SF_SMTP  Version 1.1
           Preprocessor Object: SF_DNS  Version 1.1
           Preprocessor Object: SF_SDF  Version 1.1
           Preprocessor Object: SF_SIP  Version 1.1
           Preprocessor Object: SF_REPUTATION  Version 1.1
           Preprocessor Object: SF_GTP  Version 1.1

Snort successfully validated the configuration!
Snort exiting
Adding a rule
Add a rule to /etc/snort/rules/local.rules to detect ICMP packets. Whenever an ICMP packet bound for $HOME_NET is seen, Snort raises an alert, and that alert carries the message "ICMP detected"
alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; sid:000001;)
After saving the rule, run sudo snort -T -c /etc/snort/snort.conf once more
Monitoring
Enter the following command (eth0 is the interface to monitor; the capture shown further down was taken on an interface named ens33)
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Then, from Windows, ping the VM's IP address and messages like the following appear
thomas@ubuntu:/etc/snort/rules$ sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33
05/06-05:26:33.574903 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.1 -> 192.168.19.132
05/06-05:26:33.574921 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.132 -> 192.168.19.1
05/06-05:26:34.580077 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.1 -> 192.168.19.132
05/06-05:26:34.580103 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.132 -> 192.168.19.1
05/06-05:26:35.584530 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.1 -> 192.168.19.132
05/06-05:26:35.584556 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.132 -> 192.168.19.1
05/06-05:26:36.588185 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.1 -> 192.168.19.132
05/06-05:26:36.588211 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.132 -> 192.168.19.1
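The rule alert icmp any any -> $HOME_NET any fires on both the echo request and the echo reply in this capture, because both hosts lie inside the monitored range, so one ping per second produces two alerts per second. As an added example that is not part of the original post, the Python below parses Snort's -A console line format, collapses the stream into one record per (sid, source, destination) with a count and first/last timestamp, and labels each flow inbound, outbound or internal relative to an assumed HOME_NET of 192.168.19.0/24 (the snort.conf above uses 192.168.1.0/24, but the addresses in this capture are on 192.168.19.0/24). The sample input is the prompt line and the eight alerts above plus one constructed TCP alert that carries a Classification field, ports, and a sid of 1000001; Snort reserves sids from 1000000 upward for local rules, whereas the post's sid:000001 is read by Snort as 1, as the [1:1:0] in the output shows, inside the range used by the official rule sets.

```python
import ipaddress
import re

# Assumed HOME_NET for this example (the capture's hosts are on 192.168.19.0/24).
HOME_NET = ipaddress.ip_network("192.168.19.0/24")

# One line of Snort's "-A console" output has the shape
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src[:port] -> dst[:port]
# where the Classification part is absent for rules without a classtype (as in the post's rule).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Sample input: the prompt and the eight ICMP alerts from the post, plus one constructed
# TCP alert (sid 1000001, source 203.0.113.7 from the documentation address range).
SAMPLE_LINES = [
    "thomas@ubuntu:/etc/snort/rules$ sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33",
    "05/06-05:26:33.574903 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.1 -> 192.168.19.132",
    "05/06-05:26:33.574921 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.132 -> 192.168.19.1",
    "05/06-05:26:34.580077 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.1 -> 192.168.19.132",
    "05/06-05:26:34.580103 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.132 -> 192.168.19.1",
    "05/06-05:26:35.584530 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.1 -> 192.168.19.132",
    "05/06-05:26:35.584556 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.132 -> 192.168.19.1",
    "05/06-05:26:36.588185 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.1 -> 192.168.19.132",
    "05/06-05:26:36.588211 [**] [1:1:0] ICMP detected [**] [Priority: 0] {ICMP} 192.168.19.132 -> 192.168.19.1",
    "05/06-05:27:01.000000 [**] [1:1000001:1] Constructed TCP alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:44812 -> 192.168.19.132:22",
]


def parse_alert(line):
    """Return a dict of the alert's fields, or None for lines that are not alerts (prompts, banners)."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    for key in ("sport", "dport"):
        a[key] = int(a[key]) if a[key] is not None else None
    return a


def direction(alert, home_net=HOME_NET):
    """Classify the flow by which endpoints lie inside HOME_NET."""
    src_in = ipaddress.ip_address(alert["src"]) in home_net
    dst_in = ipaddress.ip_address(alert["dst"]) in home_net
    if src_in and dst_in:
        return "internal"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "external"


def summarize(lines, home_net=HOME_NET):
    """Collapse repeated alerts into one record per (sid, src, dst) with count and time span."""
    summary = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["sid"], a["src"], a["dst"])
        rec = summary.setdefault(key, {
            "msg": a["msg"], "proto": a["proto"], "direction": direction(a, home_net),
            "count": 0, "first": a["ts"], "last": a["ts"],
        })
        rec["count"] += 1
        rec["last"] = a["ts"]  # console output is chronological, so the latest line wins
    return summary


if __name__ == "__main__":
    for (sid, src, dst), rec in summarize(SAMPLE_LINES).items():
        print(f"sid {sid:<8} {rec['direction']:<8} {src:>15} -> {dst:<15} "
              f"x{rec['count']} {rec['first']} .. {rec['last']}  {rec['msg']}")
```

Feeding the script a file captured with -A console (for instance via sudo snort ... | tee alerts.log) turns the per-packet stream into a per-flow view, which is what you want before deciding whether a burst of ICMP alerts is routine monitoring traffic or worth a closer look. Timestamps are kept as the MM/DD-HH:MM:SS strings Snort prints, which sort correctly within a single year.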