Thursday, 18 February 2016

[Research] Snort 2.9.8.0 installation + quick install script (CentOS 7.2 x64)


2016-02-18

If you just want a quick install, skip all the explanation and go to the bottom of this article, where there is a quick-install shell script.

Official website
https://www.snort.org/

Downloads
https://www.snort.org/downloads

Reference
https://www.snort.org/#get-started

Installation

yum -y  install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
yum -y install https://www.snort.org/downloads/snort/snort-2.9.8.0-1.centos7.x86_64.rpm

wget https://www.snort.org/rules/community   -O  community.tar.gz
tar -xvzf community.tar.gz -C /etc/snort/rules

The official site gives the command as wget https://www.snort.org/rules/community, but the file it downloads is then named community rather than community.tar.gz. In my experience wget behaves this way on some Linux versions, so -O community.tar.gz is added to name the downloaded file community.tar.gz.

Test

[root@localhost src]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

Next, test the configuration file /etc/snort/snort.conf:
-T runs a configuration test
-c specifies the path and name of the configuration file

[root@localhost src]# snort -T -c /etc/snort/snort.conf
...(omitted)
ERROR: /etc/snort/snort.conf(253) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.

Fatal Error, Quitting..
[root@localhost src]#

Line 253 is: dynamicdetection directory /usr/local/lib/snort_dynamicrules

Create the directory:
mkdir -p /usr/local/lib/snort_dynamicrules

Test again

[root@localhost src]# snort -T -c /etc/snort/snort.conf
...(omitted)
ERROR: /etc/snort//etc/snort/rules/local.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/local.rules": No such file or directory.

Fatal Error, Quitting..
[root@localhost src]#

After extracting community.tar.gz, no local.rules was found.
The only option was to register a (free) Snort account and download snortrules-snapshot-2980.tar.gz (you must log in to download it; because it is free, the rules are about one month older than the paid-subscription rules), then upload it from MS-Windows with WinSCP to the /usr/local/src directory on the CentOS host.
Extract the rules into the /etc/snort directory:

tar xzvf /usr/local/src/snortrules-snapshot-2980.tar.gz   -C /etc/snort

[root@localhost src]# snort -T -c /etc/snort/snort.conf
...(omitted)
ERROR: /etc/snort/snort.conf(512) => Unable to open address file /etc/snort/../rules/white_list.rules, Error: No such file or directory
Fatal Error, Quitting..

This is because the black/white list files do not exist; continue modifying the configuration file:

sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var BLACK_LIST_PATH"
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var WHITE_LIST_PATH"

[root@localhost src]# snort -T -c /etc/snort/snort.conf
...(omitted)
Snort successfully validated the configuration!
Snort exiting
[root@localhost rules]#
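The two sed lines above comment out the old `var ... ../rules` line and append a new one, so every re-run adds another `var BLACK_LIST_PATH /etc/snort/rules` line. The following is an added example (my own, not the blog's script and not anything shipped with Snort) that rewrites the existing `var BLACK_LIST_PATH` / `var WHITE_LIST_PATH` lines in place, creates the empty list files only when they are missing, and wraps `snort -T` so a script can branch on its exit status instead of eyeballing "successfully validated". It runs against a constructed snort.conf excerpt in a temporary directory; the `var` names and the reputation preprocessor lines follow the stock snort.conf, while the function names and the sample excerpt are assumptions made for this example.

```shell
#!/bin/sh
# Added example: idempotent BLACK_LIST_PATH / WHITE_LIST_PATH fix for snort.conf.
# Not the blog's script and not part of Snort; the function names are my own.

# Rewrite the existing "var BLACK_LIST_PATH ..." and "var WHITE_LIST_PATH ..."
# lines in config file $1 so both point at the rules directory $2, then make
# sure the (possibly empty) list files exist. Running this twice is harmless:
# the line is replaced, not commented out and re-appended.
fix_list_paths() {
    conf="$1"
    rules_dir="$2"
    sed -i -e "s@^var BLACK_LIST_PATH .*@var BLACK_LIST_PATH ${rules_dir}@" \
           -e "s@^var WHITE_LIST_PATH .*@var WHITE_LIST_PATH ${rules_dir}@" \
           "$conf"
    # The reputation preprocessor opens both files even when they hold no addresses.
    for f in white_list.rules black_list.rules; do
        [ -e "${rules_dir}/${f}" ] || touch "${rules_dir}/${f}"
    done
}

# Number of active "var NAME ..." definitions of variable $2 in config $1.
count_var() {
    grep -c "^var $2 " "$1"
}

# The value currently assigned to variable $2 in config $1.
var_value() {
    awk -v name="$2" '$1 == "var" && $2 == name { print $3 }' "$1"
}

# Exit status of "snort -T" for config $1 (0 means "successfully validated").
# Skipped with status 0 when snort is not installed, e.g. on a workstation.
validate_conf() {
    if command -v snort >/dev/null 2>&1; then
        snort -q -T -c "$1"
    else
        echo "snort not installed; skipping validation of $1" >&2
    fi
}

# Constructed snort.conf excerpt (a sample, not the real file) in a scratch
# directory, so the functions can be exercised without a Snort install.
make_sample_conf() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rules"
    cat > "$dir/snort.conf" <<'EOF'
# constructed excerpt of snort.conf
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor reputation: \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
EOF
    echo "$dir"
}

# Stand-alone demo: patch the sample twice; only one definition of each
# variable remains and both list files exist.
demo_dir=$(make_sample_conf)
fix_list_paths "$demo_dir/snort.conf" "$demo_dir/rules"
fix_list_paths "$demo_dir/snort.conf" "$demo_dir/rules"
grep -n "LIST_PATH" "$demo_dir/snort.conf"
ls -l "$demo_dir/rules"
validate_conf "$demo_dir/snort.conf" || echo "validation failed (expected for a bare excerpt)" >&2
rm -rf "$demo_dir"
```

On the real host you would call `fix_list_paths /etc/snort/snort.conf /etc/snort/rules` and then `validate_conf /etc/snort/snort.conf || exit 1`, so the install script stops before starting a daemon on a configuration that Snort rejects.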

The configuration test above succeeded; next, try running Snort in daemon mode.

[root@localhost rules]# snort  -D
Spawning daemon child...
My daemon child 32058 lives...
Daemon parent exiting (0)

Confirm:

[root@localhost rules]# ps aux | grep snort
root      32058  0.0  1.0  74056 19840 ?        Ss   08:29   0:00 snort -D
root      32068  0.0  0.0 112644   952 pts/0    R+   08:29   0:00 grep --color=auto snort
[root@localhost rules]#

Stop snort:

[root@localhost rules]# kill -9 32058

Try starting it with service:

[root@localhost rules]# service snortd start
Starting snortd (via systemctl):                           [  OK  ]

Checking with ps finds nothing, so this apparently does not work.

[root@localhost rules]# ps aux | grep snort
root      33026  0.0  0.0 112644   952 pts/0    S+   09:01   0:00 grep --color=auto snort
[root@localhost rules]#

Look for the snortd script used by service:

[root@localhost rules]# ls -al /etc/rc.d/init.d/snortd
-rwxr-xr-x. 1 root root 5387 Nov 19 02:59 /etc/rc.d/init.d/snortd
[root@localhost rules]#

Specify the configuration file and try starting in daemon mode:

[root@localhost rules]# snort -D -c /etc/snort/snort.conf

Spawning daemon child...
My daemon child 33055 lives...
Daemon parent exiting (0)

[root@localhost rules]# ps aux | grep snort
root      33055  0.0 18.8 698940 352208 ?       Ssl  09:03   0:00 snort -D -c /etc/snort/snort.conf
root      33058  0.0  0.0 112644   952 pts/0    R+   09:03   0:00 grep --color=auto snort

Stop snort:

[root@localhost rules]# kill -9 33055

Check the network interface name:

[root@localhost rules]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.128.133  netmask 255.255.255.0  broadcast 192.168.128.255
        inet6 fe80::20c:29ff:fe2f:dbb5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:2f:db:b5  txqueuelen 1000  (Ethernet)
        RX packets 83640  bytes 61704775 (58.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 51869  bytes 22171588 (21.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 26  bytes 4242 (4.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26  bytes 4242 (4.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 00:00:00:00:00:00  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost rules]# snort  -D  -i  eno16777736  -c /etc/snort/snort.conf
Spawning daemon child...
My daemon child 37163 lives...
Daemon parent exiting (0)

[root@localhost rules]# ps aux | grep snort
root      36902  0.0 18.7 699296 350236 ?       Ssl  10:06   0:00 snort -D -c /etc/snort/snort.conf
root      37163  0.5 18.8 699356 352804 ?       Ssl  10:16   0:00 snort -D -i eno16777736 -c /etc/snort/snort.conf
root      37166  0.0  0.0 112644   952 pts/0    R+   10:16   0:00 grep --color=auto snort
[root@localhost rules]#
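The ps listing above shows two Snort daemons alive at once (the earlier `snort -D -c` instance and the new `-i eno16777736` one), and `ps aux | grep snort` always lists the grep itself, so copying a PID by hand into `kill -9` is easy to get wrong. As an added example (not from the blog post and not part of Snort; the function names are my own), the functions below extract daemon PIDs from ps output by matching the command column exactly, and stop them with SIGTERM, which lets Snort run its normal shutdown and close its output files, rather than SIGKILL. The ps lines are copied from the listing above into a constructed string so the parsing part runs on any machine; `stop_snort` only does something on a host where Snort is actually running.

```shell
#!/bin/sh
# Added example: find and stop Snort daemons without hand-copying PIDs.
# Not from the blog post or from Snort; the function names are my own.

# Read "ps aux" output on stdin and print the PID (column 2) of every process
# whose command (column 11) is exactly "snort". Matching the column instead of
# grepping the whole line keeps "grep --color=auto snort" out of the result.
# If Snort was started by full path (/usr/sbin/snort), adjust the comparison.
snort_pids_from_ps() {
    awk '$11 == "snort" { print $2 }'
}

# Send SIGTERM to every Snort daemon and wait up to $1 seconds (default 10)
# for them to exit. SIGTERM lets Snort close its log and unified2 output files;
# SIGKILL (kill -9) cannot be caught, so whatever Snort had buffered may never
# reach disk.
stop_snort() {
    timeout="${1:-10}"
    pids=$(ps aux | snort_pids_from_ps)
    if [ -z "$pids" ]; then
        echo "no snort daemon running"
        return 0
    fi
    echo "sending SIGTERM to: $pids"
    kill -TERM $pids          # unquoted on purpose: one PID per argument
    i=0
    while [ "$i" -lt "$timeout" ] && [ -n "$(ps aux | snort_pids_from_ps)" ]; do
        sleep 1
        i=$((i + 1))
    done
    if [ -n "$(ps aux | snort_pids_from_ps)" ]; then
        echo "snort still running after ${timeout}s" >&2
        return 1
    fi
    echo "snort stopped"
}

# Constructed sample: the ps listing from the article, copied into a string so
# the parsing step can be run on any machine.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      36902  0.0 18.7 699296 350236 ?       Ssl  10:06   0:00 snort -D -c /etc/snort/snort.conf
root      37163  0.5 18.8 699356 352804 ?       Ssl  10:16   0:00 snort -D -i eno16777736 -c /etc/snort/snort.conf
root      37166  0.0  0.0 112644   952 pts/0    R+   10:16   0:00 grep --color=auto snort'

# The same kind of listing after the daemons are gone: only the grep remains.
NO_SNORT_PS='root      33026  0.0  0.0 112644   952 pts/0    S+   09:01   0:00 grep --color=auto snort'

# Stand-alone demo: prints 36902 and 37163, two daemons where one was intended.
printf '%s\n' "$SAMPLE_PS" | snort_pids_from_ps
```

On a host with procps, `pgrep -x snort` returns the same PID list directly; the awk version is shown because the article works from `ps aux` output. Before starting a new daemon with `-i`, check that the list is empty, otherwise the two instances log side by side as in the listing above.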

For testing, install a web server, start it, and stop the firewall:

yum  -y  install  httpd
service  httpd  start
service  firewalld  stop

First look at Snort's current logs; the alert file is 0 bytes:

[root@localhost rules]# ls -al /var/log/snort
total 4
drwxr-xr-x.  2 snort snort   45 Feb 18 09:03 .
drwxr-xr-x. 20 root  root  4096 Feb 18 09:53 ..
-rw-r--r--.  1 root  root     0 Feb 18 09:01 alert
-rw-------.  1 root  root     0 Feb 18 09:03 snort.log.1455757424
[root@localhost rules]#


Use a second host to run the attack (nikto apparently cannot attack itself, so another machine is needed):
192.168.128.133 is the host running Snort
192.168.128.134 is the host running nikto


[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.133
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.133
+ Target Hostname:    192.168.128.133
+ Target Port:        80
+ Start Time:         2016-02-18 18:05:00 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2016-02-18 18:05:08 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#




Back on the host where Snort is installed, the alert file has changed from 0 bytes to non-zero, which shows that Snort is working.


[root@localhost rules]# ls -al /var/log/snort
total 32
drwxr-xr-x.  2 snort snort    99 Feb 18 10:16 .
drwxr-xr-x. 20 root  root   4096 Feb 18 09:53 ..
-rw-r--r--.  1 root  root    387 Feb 18 10:17 alert
-rw-------.  1 root  root      0 Feb 18 09:03 snort.log.1455757424
-rw-------.  1 root  root  22754 Feb 18 10:17 snort.log.1455761790
[root@localhost rules]#
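A non-empty alert file only says that something fired. As an added example (not part of the blog post and not Snort's own tooling; the function names are my own), here are shell functions that summarize an alert file by rule and by source address, so you can see what the scan actually triggered and which host produced it. They assume Snort's single-line "fast" alert format (`-A fast`, or `output alert_fast` in snort.conf); if your `alert` file is in the multi-line full format, run Snort with `-A fast` or point the functions at a fast-format file. The sample lines are constructed (SIDs 1000001 to 1000003, in the range reserved for local rules) and are not taken from the article's /var/log/snort/alert.

```shell
#!/bin/sh
# Added example: summarize a Snort fast-format alert file. Not part of the blog
# post or of Snort; the function names are my own. Assumes one alert per line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port

# Total number of alerts in file $1 (lines carrying the [**] marker).
alert_total() {
    grep -c '\[\*\*\]' "$1"
}

# "count gid:sid:rev message" for every distinct rule, most frequent first.
alerts_by_rule() {
    sed -n 's/^[^[]*\[\*\*\] \[\([0-9:]*\)\] \(.*\) \[\*\*\].*$/\1 \2/p' "$1" \
        | sort | uniq -c | sort -rn
}

# "count source_ip" for every distinct source address, most frequent first.
# The port (if any) is stripped from the token before "->".
alerts_by_source() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "->") { src = $(i - 1); sub(/:[0-9]+$/, "", src); print src }
    }' "$1" | sort | uniq -c | sort -rn
}

# Source addresses with at least $2 alerts (default 3): the hosts worth a closer look.
noisy_sources() {
    threshold="${2:-3}"
    alerts_by_source "$1" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample alert file (not the article's /var/log/snort/alert):
# three web alerts from one scanning host plus one unrelated ICMP alert.
# SIDs 1000001-1000003 sit in the range reserved for local rules.
make_sample_alerts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
02/18-10:17:01.100000  [**] [1:1000001:1] SAMPLE WEB scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.128.134:40001 -> 192.168.128.133:80
02/18-10:17:01.200000  [**] [1:1000001:1] SAMPLE WEB scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.128.134:40002 -> 192.168.128.133:80
02/18-10:17:02.300000  [**] [1:1000002:1] SAMPLE WEB TRACE method request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.128.134:40003 -> 192.168.128.133:80
02/18-10:17:05.400000  [**] [1:1000003:1] SAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.128.1 -> 192.168.128.133
EOF
    echo "$f"
}

# Stand-alone demo on the constructed sample.
demo_file=$(make_sample_alerts)
echo "total alerts: $(alert_total "$demo_file")"
echo "by rule:";     alerts_by_rule "$demo_file"
echo "by source:";   alerts_by_source "$demo_file"
echo "noisy (>=3):"; noisy_sources "$demo_file" 3
rm -f "$demo_file"
```

Run `alerts_by_rule /var/log/snort/alert` after the nikto run and the top entries tell you which rules the scan tripped; `noisy_sources` with a threshold is the same idea as a first-pass triage: one host responsible for most alerts in a short window is the one to look at first.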


Summary: quick install script snort2.9.8.9_centos7.2x64.sh

#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.8.9_centos7.2x64.sh "
echo -e "snort-2.9.8.9 Install Shell Script (CentOS 7.2 x64) "
echo -e "by Shau-Rong Lu 2016-02-18 "
echo -e "\033[0m"

# Install DAQ and Snort from the official CentOS 7 RPMs
yum -y install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
yum -y install https://www.snort.org/downloads/snort/snort-2.9.8.0-1.centos7.x86_64.rpm

# Directory named by "dynamicdetection directory" in snort.conf (line 253)
mkdir -p /usr/local/lib/snort_dynamicrules
# Registered-user rules snapshot, uploaded to /usr/local/src beforehand (see note 1)
tar xzvf /usr/local/src/snortrules-snapshot-2980.tar.gz   -C /etc/snort

# Point BLACK_LIST_PATH at /etc/snort/rules: comment out the old line, append the new one
sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var BLACK_LIST_PATH"

# Same for WHITE_LIST_PATH
sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@"   /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules"   /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var WHITE_LIST_PATH"

# The reputation preprocessor needs both list files to exist, even if they are empty
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

# Start Snort as a daemon on the interface found with ifconfig (see note 2 if yours differs)
snort  -D  -i  eno16777736  -c /etc/snort/snort.conf
ps aux | grep snort


Notes
(1) Register a (free) Snort account, download snortrules-snapshot-2980.tar.gz, and upload it from MS-Windows with WinSCP to the /usr/local/src directory on the CentOS host.
(2) Run ifconfig to confirm whether the network interface name is eno16777736; change it in the script if needed.

Run the quick install script snort2.9.8.9_centos7.2x64.sh to install:
    sh ./snort2.9.8.9_centos7.2x64.sh
or
    chmod +x ./snort2.9.8.9_centos7.2x64.sh
    ./snort2.9.8.9_centos7.2x64.sh

(End)

[Research] snort-2.9.8.0.tar.gz (CentOS 7.2 x64) quick install script
http://shaurong.blogspot.com/2016/02/snort-2980targz-centos-72-x64.html

[Research] Snort 2.9.8.0 installation + quick install script (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/02/snort-2980-centos-72-x64.html

[Research] Snort 2.9.7.0 + Barnyard 2.13 installation (CentOS 6.6 x64) quick install script
http://shaurong.blogspot.com/2015/02/snort-2970-barnyard-213-centos-66-x64.html

[Research] snort-2.9.6.2.tar.gz (CentOS 6.5 x64) quick install script


2 comments:

  1. Excuse me, I think your tutorial is very good. May I cite your material as reference material for exchanges within my club?

    1. Yes, please include the source URL; the material is updated from time to time.