2016-02-18
If you want a quick install, you can skip all the explanation and go to the bottom of this article, where there is a quick-install shell script.
Official website
https://www.snort.org/
Download
https://www.snort.org/downloads
Reference
https://www.snort.org/#get-started
Installation
yum -y install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
yum -y install https://www.snort.org/downloads/snort/snort-2.9.8.0-1.centos7.x86_64.rpm
wget https://www.snort.org/rules/community -O community.tar.gz
tar -xzvf community.tar.gz -C /etc/snort/rules
According to the official site the command is wget https://www.snort.org/rules/community, but the downloaded file then ends up named community instead of community.tar.gz. In my experience wget behaves this way on some Linux distributions, so -O community.tar.gz is added to name the downloaded file community.tar.gz.
Testing
[root@localhost src]# snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.8.0 GRE (Build 229)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.32 2012-11-30
Using ZLIB version: 1.2.7
Next, test the configuration file /etc/snort/snort.conf
-T runs a configuration test
-c specifies the path and name of the configuration file
[root@localhost src]# snort -T -c /etc/snort/snort.conf
...(omitted)
ERROR: /etc/snort/snort.conf(253) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
ERROR: /etc/snort/snort.conf(253) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
Fatal Error, Quitting..
[root@localhost src]#
Line 253 turns out to be: dynamicdetection directory /usr/local/lib/snort_dynamicrules
Create the directory
mkdir -p /usr/local/lib/snort_dynamicrules
[root@localhost src]# snort -T -c /etc/snort/snort.conf
...(omitted)
ERROR: /etc/snort//etc/snort/rules/local.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/local.rules": No such file or directory.
Fatal Error, Quitting..
[root@localhost src]#
Extracting community.tar.gz does not yield a local.rules file.
So I registered a Snort account (free) and downloaded snortrules-snapshot-2980.tar.gz (download requires login; because it is free, the rules are older than the paid-subscription rules, by roughly one month), then uploaded it from MS-Windows to /usr/local/src on CentOS with WinSCP.
Extract the rules into the /etc/snort directory.
[root@localhost src]# snort -T -c /etc/snort/snort.conf
...(omitted)
ERROR: /etc/snort/snort.conf(512) => Unable to open address file /etc/snort/../rules/white_list.rules, Error: No such file or directory
Fatal Error, Quitting..
This is because the black/white list files do not exist; continue editing the configuration file.
# Comment out the original BLACK_LIST_PATH line, then append one that points at /etc/snort/rules.
# Run each append only once: re-running it adds another copy of the line.
sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var BLACK_LIST_PATH"
# Create the (empty) list files the configuration refers to
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
# Same treatment for WHITE_LIST_PATH
sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var WHITE_LIST_PATH"
[root@localhost src]# snort -T -c /etc/snort/snort.conf
...(omitted)
Snort successfully validated the configuration!
Snort exiting
[root@localhost rules]#
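The two sed commands above comment out the old line and append a new one, so every re-run appends another line. As an added example (not from the original post), this helper rewrites the value in place so it can be run repeatedly; the snort.conf excerpt and the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original post): repoint a "var NAME value" line in
# snort.conf in place. The post's pair of sed commands (comment out, then append)
# adds one more line each time it is re-run; this version can be run repeatedly.
# The snort.conf excerpt below is constructed for the demo; function names are ours.

# set_snort_var CONF NAME VALUE: rewrite "var NAME ..." to "var NAME VALUE",
# appending the line if the variable is not defined yet.
set_snort_var() {
    conf=$1; name=$2; value=$3
    if grep -q "^var $name " "$conf"; then
        sed -i -e "s|^var $name .*|var $name $value|" "$conf"
    else
        printf 'var %s %s\n' "$name" "$value" >> "$conf"
    fi
}

# get_snort_var CONF NAME: print the current value (empty if unset).
get_snort_var() {
    awk -v n="$2" '$1 == "var" && $2 == n { print $3 }' "$1"
}

# count_snort_var CONF NAME: number of active "var NAME" lines (must stay 1).
count_snort_var() {
    grep -c "^var $2 " "$1" || true
}

DEMO_CONF="${TMPDIR:-/tmp}/snort.conf.demo.$$"
cat > "$DEMO_CONF" <<'EOF'
# constructed excerpt of /etc/snort/snort.conf
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicdetection directory /usr/local/lib/snort_dynamicrules
EOF

# Run twice on purpose: the second pass must not add a second line.
for pass in 1 2; do
    set_snort_var "$DEMO_CONF" WHITE_LIST_PATH /etc/snort/rules
    set_snort_var "$DEMO_CONF" BLACK_LIST_PATH /etc/snort/rules
done
grep '^var' "$DEMO_CONF"
```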
The configuration test above succeeded; next, test running Snort as a daemon
[root@localhost rules]# snort -D
Spawning daemon child...
My daemon child 32058 lives...
Daemon parent exiting (0)
Confirm it
[root@localhost rules]# ps aux | grep snort
root 32058 0.0 1.0 74056 19840 ? Ss 08:29 0:00 snort -D
root 32068 0.0 0.0 112644 952 pts/0 R+ 08:29 0:00 grep --color=auto snort
[root@localhost rules]#
Stop snort
[root@localhost rules]# kill -9 32058
Try starting it with service
[root@localhost rules]# service snortd start
Starting snortd (via systemctl): [ OK ]
Check with ps: nothing is found, so apparently this doesn't work
[root@localhost rules]# ps aux | grep snort
root 33026 0.0 0.0 112644 952 pts/0 S+ 09:01 0:00 grep --color=auto snort
[root@localhost rules]#
Look at the snortd script that service uses
[root@localhost rules]# ls -al /etc/rc.d/init.d/snortd
-rwxr-xr-x. 1 root root 5387 Nov 19 02:59 /etc/rc.d/init.d/snortd
[root@localhost rules]#
Specify the configuration file and try starting in daemon mode
[root@localhost rules]# snort -D -c /etc/snort/snort.conf
Spawning daemon child...
My daemon child 33055 lives...
Daemon parent exiting (0)
[root@localhost rules]# ps aux | grep snort
root 33055 0.0 18.8 698940 352208 ? Ssl 09:03 0:00 snort -D -c /etc/snort/snort.conf
root 33058 0.0 0.0 112644 952 pts/0 R+ 09:03 0:00 grep --color=auto snort
Stop snort
[root@localhost rules]# kill -9 32055
Check the network interface name
[root@localhost rules]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.128.133 netmask 255.255.255.0 broadcast 192.168.128.255
inet6 fe80::20c:29ff:fe2f:dbb5 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:2f:db:b5 txqueuelen 1000 (Ethernet)
RX packets 83640 bytes 61704775 (58.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 51869 bytes 22171588 (21.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 26 bytes 4242 (4.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 4242 (4.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 00:00:00:00:00:00 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost rules]# snort -D -i eno16777736 -c /etc/snort/snort.conf
Spawning daemon child...
My daemon child 37163 lives...
Daemon parent exiting (0)
[root@localhost rules]# ps aux | grep snort
root 36902 0.0 18.7 699296 350236 ? Ssl 10:06 0:00 snort -D -c /etc/snort/snort.conf
root 37163 0.5 18.8 699356 352804 ? Ssl 10:16 0:00 snort -D -i eno16777736 -c /etc/snort/snort.conf
root 37166 0.0 0.0 112644 952 pts/0 R+ 10:16 0:00 grep --color=auto snort
[root@localhost rules]#
For testing, install a web server, start it, and stop the firewall
yum -y install httpd
service httpd start
service firewalld stop
First look at the current snort logs; the alert file is 0 bytes
[root@localhost rules]# ls -al /var/log/snort
total 4
drwxr-xr-x. 2 snort snort 45 Feb 18 09:03 .
drwxr-xr-x. 20 root root 4096 Feb 18 09:53 ..
-rw-r--r--. 1 root root 0 Feb 18 09:01 alert
-rw-------. 1 root root 0 Feb 18 09:03 snort.log.1455757424
[root@localhost rules]#
Use another host to run the attack (nikto apparently cannot scan the host it runs on, so a second machine is needed)
192.168.128.133 is the host with snort installed
192.168.128.134 is the host with nikto installed
[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.133
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.128.133
+ Target Hostname: 192.168.128.133
+ Target Port: 80
+ Start Time: 2016-02-18 18:05:00 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2016-02-18 18:05:08 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#
Back on the host where snort is installed, the alert file has gone from 0 bytes to a non-zero size, which shows snort is working
[root@localhost rules]# ls -al /var/log/snort
total 32
drwxr-xr-x. 2 snort snort 99 Feb 18 10:16 .
drwxr-xr-x. 20 root root 4096 Feb 18 09:53 ..
-rw-r--r--. 1 root root 387 Feb 18 10:17 alert
-rw-------. 1 root root 0 Feb 18 09:03 snort.log.1455757424
-rw-------. 1 root root 22754 Feb 18 10:17 snort.log.1455761790
[root@localhost rules]#
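Rather than only checking that alert is no longer 0 bytes, the added example below (not part of the original post) tallies a full-format alert file by signature and by source host; the three alert records are a constructed sample using local-rule SIDs and the two lab addresses, and the helper names are ours.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a Snort "full" format
# alert file instead of only checking that it is no longer 0 bytes. Each record
# starts with "[**] [gid:sid:rev] message [**]" and carries a "src:port -> dst:port"
# line. The three records below are a constructed sample (local-rule SIDs in the
# 1000000+ range, the two lab addresses from the post); helper names are ours.

SAMPLE_ALERT="${TMPDIR:-/tmp}/snort_alert_sample.$$"
cat > "$SAMPLE_ALERT" <<'EOF'
[**] [1:1000001:1] LOCAL web scanner user-agent [**]
[Classification: Web Application Attack] [Priority: 1]
02/18-10:17:05.100000 192.168.128.134:45234 -> 192.168.128.133:80

[**] [1:1000001:1] LOCAL web scanner user-agent [**]
[Classification: Web Application Attack] [Priority: 1]
02/18-10:17:06.100000 192.168.128.134:45240 -> 192.168.128.133:80

[**] [1:1000002:1] LOCAL HTTP TRACE request [**]
[Classification: Web Application Attack] [Priority: 2]
02/18-10:17:07.100000 192.168.128.134:45241 -> 192.168.128.133:80
EOF

# alert_count FILE: number of alert records (one "[**] [" header per alert).
alert_count() {
    grep -c '^\[\*\*\] \[' "$1" || true
}

# alert_by_sid FILE: "gid:sid:rev count" per signature, most frequent first.
alert_by_sid() {
    awk '$1 == "[**]" { id = $2; gsub(/\[|\]/, "", id); n[id]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort -k2,2nr -k1,1
}

# alert_by_source FILE: "src_ip count" per sending host, most frequent first.
alert_by_source() {
    awk '$3 == "->" { split($2, a, ":"); n[a[1]]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort -k2,2nr -k1,1
}

# Demo run on the constructed sample
alert_count "$SAMPLE_ALERT"
alert_by_sid "$SAMPLE_ALERT"
alert_by_source "$SAMPLE_ALERT"
```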
Summary: quick-install script snort2.9.8.9_centos7.2x64.sh
#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.8.9_centos7.2x64.sh "
echo -e "snort-2.9.8.9 Install Shell Script (CentOS 7.2 x64) "
echo -e "by Shau-Rong Lu 2016-02-18 "
echo -e "\033[0m"
# Install DAQ and Snort from the official RPMs
yum -y install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
yum -y install https://www.snort.org/downloads/snort/snort-2.9.8.0-1.centos7.x86_64.rpm
# Directory referenced by "dynamicdetection directory" in snort.conf
mkdir -p /usr/local/lib/snort_dynamicrules
# Registered-user rules snapshot, uploaded to /usr/local/src beforehand
tar xzvf /usr/local/src/snortrules-snapshot-2980.tar.gz -C /etc/snort
# Point BLACK_LIST_PATH / WHITE_LIST_PATH at /etc/snort/rules
sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var BLACK_LIST_PATH"
sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var WHITE_LIST_PATH"
# Create the (empty) list files the configuration refers to
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
# Start Snort as a daemon on the capture interface (adjust eno16777736 to match ifconfig)
snort -D -i eno16777736 -c /etc/snort/snort.conf
ps aux | grep snort
Notes:
(1) Register a Snort account (free), download snortrules-snapshot-2980.tar.gz, and upload it from MS-Windows to /usr/local/src on CentOS with WinSCP
(2) Run ifconfig to confirm whether the network interface name is eno16777736; if not, edit the script accordingly
Run the quick-install script snort2.9.8.9_centos7.2x64.sh to install:
sh ./snort2.9.8.9_centos7.2x64.sh
or
chmod +x ./snort2.9.8.9_centos7.2x64.sh
./snort2.9.8.9_centos7.2x64.sh
(End)
[Research] snort-2.9.8.0.tar.gz (CentOS 7.2 x64) quick-install script
http://shaurong.blogspot.com/2016/02/snort-2980targz-centos-72-x64.html
[Research] Snort 2.9.8.0 installation + quick-install script (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/02/snort-2980-centos-72-x64.html
[Research] Snort 2.9.7.0 + Barnyard 2.13 installation (CentOS 6.6 x64) quick-install script
http://shaurong.blogspot.com/2015/02/snort-2970-barnyard-213-centos-66-x64.html
Sorry to bother you, but I think your tutorial is very good. May I cite your material as reference material for me and my club?
Yes, but please include the source URL; the material is updated from time to time.