浮雲雅築: [研究] Snort 2.9.8.0 安裝 + 快速安裝程式 (CentOS 7.2 x64)

[研究] Snort 2.9.8.0 安裝 + 快速安裝程式 (CentOS 7.2 x64)

2016-02-18

如果你想快速安裝，可以跳過所有說明，到本文章最下面，有快速安裝 Shell Script。

官方網站
https://www.snort.org/

下載
https://www.snort.org/downloads

參考
https://www.snort.org/#get-started

安裝

yum -y install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
yum -y install https://www.snort.org/downloads/snort/snort-2.9.8.0-1.centos7.x86_64.rpm

wget https://www.snort.org/rules/community -O community.tar.gz
tar -xvfz community.tar.gz -C /etc/snort/rules

照官方網站資訊是 wget https://www.snort.org/rules/community，結果下載的檔案是 community，而非 community.tar.gz，根據經驗，某些 Linux 版本上的 wget 會這樣，所以加上 -O community.tar.gz 指定下載的檔案名稱為 community.tar.gz。

測試

[root@localhost src]# snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.9.8.0 GRE (Build 229)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.32 2012-11-30
Using ZLIB version: 1.2.7

下面測試組態檔 (設定檔) /etc/snort/snort.conf
-T 表示進行測試
-c 指定設定檔的路徑和名稱

[root@localhost src]# snort -T -c /etc/snort/snort.conf

...(略)
ERROR: /etc/snort/snort.conf(253) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.

Fatal Error, Quitting..

[root@localhost src]#

找到 253行是 dynamicdetection directory /usr/local/lib/snort_dynamicrules

建立的目錄
mkdir -p /usr/local/lib/snort_dynamicrules

再測試

[root@localhost src]# snort -T -c /etc/snort/snort.conf
...(略)
ERROR: /etc/snort//etc/snort/rules/local.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/local.rules": No such file or directory.

Fatal Error, Quitting..
[root@localhost src]#

把 community.tar.gz 解壓縮，並沒有找到 local.rules

只好去註冊一個 snort 帳號 (免費)，下載 snortrules-snapshot-2980.tar.gz (登入後才能下載，因為是免費的，rules 約比付費訂閱的 rules 內容舊，約差1個月)，在 MS-Windows 上用 WinSCP 軟體，上傳到 CentOS 的 /usr/local/src 目錄

把 rules 解壓到 /etc/snort 目錄

tar xzvf /usr/local/src/snortrules-snapshot-2980.tar.gz -C /etc/snort

[root@localhost src]# snort -T -c /etc/snort/snort.conf
...(略)
ERROR: /etc/snort/snort.conf(512) => Unable to open address file /etc/snort/../rules/white_list.rules, Error: No such file or directory
Fatal Error, Quitting..

這是因為黑白名單檔案不存在，繼續修改設定檔案

sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var BLACK_LIST_PATH"

touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var WHITE_LIST_PATH"

[root@localhost src]# snort -T -c /etc/snort/snort.conf

...(略)
Snort successfully validated the configuration!
Snort exiting
[root@localhost rules]#

上面組態檔案測試成功了，再來測試用 Daemon 方式執行

[root@localhost rules]# snort -D
Spawning daemon child...
My daemon child 32058 lives...
Daemon parent exiting (0)

確認一下

[root@localhost rules]# ps aux | grep snort
root 32058 0.0 1.0 74056 19840 ? Ss 08:29 0:00 snort -D
root 32068 0.0 0.0 112644 952 pts/0 R+ 08:29 0:00 grep --color=auto snort
[root@localhost rules]#

停掉 snort

[root@localhost rules]# kill -9 32058

用 service 啟動看看，

[root@localhost rules]# service snortd start

Starting snortd (via systemctl): [ OK ]

用 ps 確認一下，沒發現，看來不行

[root@localhost rules]# ps aux | grep snort

root 33026 0.0 0.0 112644 952 pts/0 S+ 09:01 0:00 grep --color=auto snort

[root@localhost rules]#

找一下 service 用的 snortd

[root@localhost rules]# ls -al /etc/rc.d/init.d/snortd

-rwxr-xr-x. 1 root root 5387 Nov 19 02:59 /etc/rc.d/init.d/snortd

[root@localhost rules]#

指定設定檔案，用 Daemon 方式啟動測試看看

[root@localhost rules]# snort -D -c /etc/snort/snort.conf

Spawning daemon child...

My daemon child 33055 lives...

Daemon parent exiting (0)

[root@localhost rules]# ps aux | grep snort

root 33055 0.0 18.8 698940 352208 ? Ssl 09:03 0:00 snort -D -c /etc/snort/snort.conf

root 33058 0.0 0.0 112644 952 pts/0 R+ 09:03 0:00 grep --color=auto snort

停掉 snort

[root@localhost rules]# kill -9 32055

檢查網路卡名稱

[root@localhost rules]# ifconfig

eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 192.168.128.133 netmask 255.255.255.0 broadcast 192.168.128.255

inet6 fe80::20c:29ff:fe2f:dbb5 prefixlen 64 scopeid 0x20<link>

ether 00:0c:29:2f:db:b5 txqueuelen 1000 (Ethernet)

RX packets 83640 bytes 61704775 (58.8 MiB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 51869 bytes 22171588 (21.1 MiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

inet 127.0.0.1 netmask 255.0.0.0

inet6 ::1 prefixlen 128 scopeid 0x10<host>

loop txqueuelen 0 (Local Loopback)

RX packets 26 bytes 4242 (4.1 KiB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 26 bytes 4242 (4.1 KiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500

inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255

ether 00:00:00:00:00:00 txqueuelen 0 (Ethernet)

RX packets 0 bytes 0 (0.0 B)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 0 bytes 0 (0.0 B)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@localhost rules]# snort -D -i eno16777736 -c /etc/snort/snort.conf

Spawning daemon child...

My daemon child 37163 lives...

Daemon parent exiting (0)

[root@localhost rules]# ps aux | grep snort

root 36902 0.0 18.7 699296 350236 ? Ssl 10:06 0:00 snort -D -c /etc/snort/snort.conf

root 37163 0.5 18.8 699356 352804 ? Ssl 10:16 0:00 snort -D -i eno16777736 -c /etc/snort/snort.conf

root 37166 0.0 0.0 112644 952 pts/0 R+ 10:16 0:00 grep --color=auto snort

[root@localhost rules]#

為了測試，安裝 Web Server，啟動 Web Server，停用防火牆

yum -y install httpd
service httpd start
service firewalld stop

先看一下 snort 目前 log，其中 alert 為 0 byte

[root@localhost rules]# ls -al /var/log/snort
total 4
drwxr-xr-x. 2 snort snort 45 Feb 18 09:03 .
drwxr-xr-x. 20 root root 4096 Feb 18 09:53 ..
-rw-r--r--. 1 root root 0 Feb 18 09:01 alert
-rw-------. 1 root root 0 Feb 18 09:03 snort.log.1455757424
[root@localhost rules]#

另

另外找一台主機來攻擊 ( nikto 好像無法對自己攻擊，所以必須另外找一台)
192.168.128.133 是安裝 snort 主機
192.168.128.134 是安裝 nikto 主機

[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.133

- ***** SSL support not available (see docs for SSL install) *****

- Nikto v2.1.5

---------------------------------------------------------------------------

+ Target IP: 192.168.128.133

+ Target Hostname: 192.168.128.133

+ Target Port: 80

+ Start Time: 2016-02-18 18:05:00 (GMT8)

---------------------------------------------------------------------------

+ Server: Apache/2.4.6 (CentOS)

+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280

+ The anti-clickjacking X-Frame-Options header is not present.

+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE

+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

+ OSVDB-3268: /icons/: Directory indexing found.

+ OSVDB-3233: /icons/README: Apache default file found.

+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host

+ End Time: 2016-02-18 18:05:08 (GMT8) (8 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested

[root@localhost nikto-2.1.5]#

回到原來安裝 snort 主機，可以看到 alert 檔案從 0 byte 變成不是 0 bytes，表示 snort 有正常運作

[root@localhost rules]# ls -al /var/log/snort
total 32
drwxr-xr-x. 2 snort snort 99 Feb 18 10:16 .
drwxr-xr-x. 20 root root 4096 Feb 18 09:53 ..
-rw-r--r--. 1 root root 387 Feb 18 10:17 alert
-rw-------. 1 root root 0 Feb 18 09:03 snort.log.1455757424
-rw-------. 1 root root 22754 Feb 18 10:17 snort.log.1455761790
[root@localhost rules]#

總結：快速安裝程式 snort2.9.8.9_centos7.2x64.sh

#!/bin/bash
echo -e "\033[31m"
echo -e "Program : snort2.9.8.9_centos7.2x64.sh "
echo -e "snort-2.9.8.9 Install Shell Script (CentOS 7.2 x64) "
echo -e "by Shau-Rong Lu 2016-02-18 "
echo -e "\033[0m"

yum -y install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
yum -y install https://www.snort.org/downloads/snort/snort-2.9.8.0-1.centos7.x86_64.rpm

mkdir -p /usr/local/lib/snort_dynamicrules
tar xzvf /usr/local/src/snortrules-snapshot-2980.tar.gz -C /etc/snort

sed -i -e "s@var BLACK_LIST_PATH@#var BLACK_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var BLACK_LIST_PATH"

sed -i -e "s@var WHITE_LIST_PATH@#var WHITE_LIST_PATH@" /etc/snort/snort.conf
sed -i -e "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
cat /etc/snort/snort.conf | grep "var WHITE_LIST_PATH"

touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

snort -D -i eno16777736 -c /etc/snort/snort.conf
ps aux | grep snort

注意：
(1) 去註冊一個 snort 帳號 (免費)，下載 snortrules-snapshot-2980.tar.gz ，在 MS-Windows 上用 WinSCP 軟體，上傳到 CentOS 的 /usr/local/src 目錄

(2) 執行 ifconfig 確認網路卡的名稱是否 eno16777736，或需要修改

執行快速安裝程式 snort2.9.8.9_centos7.2x64.sh 進行安裝
sh ./snort2.9.8.9_centos7.2x64.sh
或
chmod +x ./snort2.9.8.9_centos7.2x64.sh

./snort2.9.8.9_centos7.2x64.sh

(完)

[研究] snort-2.9.8.0.tar.gz (CentOS 7.2 x64) 快速安裝程式
http://shaurong.blogspot.com/2016/02/snort-2980targz-centos-72-x64.html

[研究] Snort 2.9.8.0 安裝 + 快速安裝程式 (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/02/snort-2980-centos-72-x64.html

[研究] Snort 2.9.7.0 + Barnyard 2.13 安裝 (CentOS 6.6 x64) 快速安裝程式
http://shaurong.blogspot.com/2015/02/snort-2970-barnyard-213-centos-66-x64.html

[研究] snort-2.9.6.2.tar.gz (CentOS 6.5 x64) 快速安裝程式

http://shaurong.blogspot.com/2014/08/snort-2962targz-centos-65-x64.html

浮雲雅築

2016年2月18日星期四

[研究] Snort 2.9.8.0 安裝 + 快速安裝程式 (CentOS 7.2 x64)

2 則留言:

2016年2月18日 星期四

[研究] Snort 2.9.8.0 安裝 + 快速安裝程式 (CentOS 7.2 x64)

2 則留言:

2016年2月18日星期四