Setting up Snort on Ubuntu 16.04

I. Introduction

  1. Snort is an open-source network intrusion detection system (NIDS). Its main functions are packet sniffing, packet logging and intrusion detection.

  Snort captures and analyzes packets on the network, but unlike other sniffers it can respond to and process them according to user-defined rules. After running each captured packet through its rules, Snort follows the rule chain and takes one of five response actions: Activation (alert and activate another dynamic rule chain), Dynamic (invoked by another rule), Alert (raise an alert), Pass (ignore) and Log (record the traffic without alerting).

  Snort provides packet sniffing, packet analysis, packet detection and response handling. Each module implements a different function, and all modules plug into Snort as plugins, so it is easy to extend. For example, preprocessor plugins run before the rule-based misuse detection and perform IP fragment reassembly, HTTP decoding, Telnet decoding and so on; detection plugins inspect protocol fields, close connections and respond to attacks; output plugins write the processed results out as logs or alerts.

  2. Barnyard2 is the dedicated output processor for Snort.

  To reduce the load on the Snort process, Snort writes matching packets and events to local binary log files without processing them further. Barnyard2 processes these files asynchronously and stores the results in MySQL.

  3. PulledPork is the Snort rule-set updater.

  PulledPork is a Perl script that automatically downloads the latest Snort rule sets.

  4. BASE is the web front end for Snort.

  A web front end for querying and analyzing Snort alerts.

II. Environment preparation

  1. System environment
    Ubuntu 18.04 LTS

  2. Software environment
    MySQL / Apache2 / PHP 5.5 / Snort / Barnyard2 / BASE

  3. Libraries

sudo apt-get update -y
sudo apt-get dist-upgrade -y
sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
sudo apt-get install -y build-essential bison flex
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev libnghttp2-dev
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl libwww-perl 
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update -y
sudo apt-get install -y apache2 libapache2-mod-php5.6 php5.6 php5.6-common php5.6-gd php5.6-cli php5.6-xml php5.6-mysql
sudo apt-get install -y php-pear libphp-adodb
  4. Software downloads
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
wget https://github.com/shirkdog/pulledpork/archive/v0.7.3.tar.gz -O pulledpork-v0.7.3.tar.gz
wget https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.8.tar.gz
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

III. System installation

1. Install Snort:
  (1) Install DAQ
    Extract and build
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
sudo make
sudo make install
  (2) Install Snort
    Extract and build
tar -xvzf snort-2.9.11.1.tar.gz
cd snort-2.9.11.1
./configure --enable-sourcefire
make
sudo make install

Refresh the shared library cache

sudo ldconfig

Test

ubuntu@ubuntu:~$ snort -V
 
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1 GRE (Build 268) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.41 2017-07-05
           Using ZLIB version: 1.2.11

Create the Snort user, directories and files

# Create the snort user and group:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create some files that stores rules and ip lists
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# Change Ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Configuration directories

Snort configuration file:     /etc/snort/snort.conf
Snort log data:               /var/log/snort/
Snort rule directories:       /etc/snort/rules/
                              /etc/snort/so_rules/
                              /etc/snort/preproc_rules/
                              /usr/local/lib/snort_dynamicrules/
Snort IP list directory:      /etc/snort/rules/iplists/
Snort dynamic preprocessors:  /usr/local/lib/snort_dynamicpreprocessor/

Copy the configuration files

cd ~/snort-2.9.11.1/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort-2.9.11.1/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

Comment out the rule files included in snort.conf; the rule set will be managed by PulledPork instead

sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

Edit snort.conf by hand

sudo vi /etc/snort/snort.conf
# line 45: set ipvar HOME_NET to your internal network
ipvar HOME_NET 192.168.10.1/24
# line 104: set the following rule path variables
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
# line 521: add the unified2 output
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.u2, limit 128
# line 546: uncomment to enable the local.rules file
include $RULE_PATH/local.rules

Add a local rule

sudo vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP Test detected!!!"; classtype:icmp-event; sid:10000001; rev:001; GID:1; )
sudo vi /etc/snort/sid-msg.map
#v2
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792
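Barnyard2 labels events from the gid/sid/rev triple in sid-msg.map rather than from the rule text, so the two files must agree. The checker below is an added example, not part of the original post or of Snort: it parses the local.rules line and the v2 sid-msg.map entry above (embedded as constructed sample input) and reports rules without a map entry, rev or classtype mismatches, and stale map entries; the message text is deliberately not compared.

```python
import re

# Constructed sample input copied from the local.rules and sid-msg.map (v2) entries above.
LOCAL_RULES = '''
alert icmp any any -> $HOME_NET any (msg:"ICMP Test detected!!!"; classtype:icmp-event; sid:10000001; rev:001; GID:1; )
'''
SID_MSG_MAP = '''#v2
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792
'''

# one "keyword:value;" rule option; quoted values may contain ';'
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rules(text):
    """Map (gid, sid) -> {rev, msg, classtype} for every active rule line (gid defaults to 1)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        body = line[line.index('(') + 1:line.rindex(')')]
        opts = {k.lower(): v.strip().strip('"') for k, v in OPT_RE.findall(body)}
        rules[(int(opts.get('gid', 1)), int(opts['sid']))] = {
            'rev': int(opts.get('rev', 1)), 'msg': opts.get('msg', ''),
            'classtype': opts.get('classtype', '')}
    return rules


def parse_sid_msg_map(text):
    """Parse the v2 layout: gid || sid || rev || classification || priority || msg || ref || ..."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        f = [p.strip() for p in line.split('||')]
        entries[(int(f[0]), int(f[1]))] = {'rev': int(f[2]), 'classtype': f[3],
                                           'priority': int(f[4]), 'msg': f[5], 'refs': f[6:]}
    return entries


def check_consistency(rules, entries):
    """Return (problem, (gid, sid)) pairs: rules Barnyard2 could not label, or stale/mismatched map entries."""
    problems = []
    for key, r in rules.items():
        e = entries.get(key)
        if e is None:
            problems.append(('missing_map_entry', key))
        elif e['rev'] != r['rev']:
            problems.append(('rev_mismatch', key))
        elif e['classtype'] != r['classtype']:
            problems.append(('classtype_mismatch', key))
    problems += [('stale_map_entry', key) for key in entries if key not in rules]
    return problems
```

Run check_consistency(parse_rules(open('/etc/snort/rules/local.rules').read()), parse_sid_msg_map(open('/etc/snort/sid-msg.map').read())) after each edit; an empty list means every local rule will be labelled correctly by Barnyard2.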

Test the configuration

sudo snort -T -c /etc/snort/snort.conf -i eth1

Test detection

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth1

Now ping the IP address of eth1 from another host. Snort records the event and writes it to /var/log/snort in a file named snort.u2.xxx.
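To see what Barnyard2 actually reads from those snort.u2.xxx files, here is an added example (not from the original post, and not Snort's or Barnyard2's own code) that parses unified2 IDS event records: each record is a big-endian type/length header followed by a 52-byte IPv4 event body (type 7), which type 104 extends with MPLS and VLAN fields, as laid out in Snort's Unified2_common.h. The sample log is constructed inline with made-up addresses and timestamps and one event for the gid 1 / sid 10000001 ICMP rule above.

```python
import socket
import struct

# Record types from Snort's unified2 format (Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7        # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_V2 = 104   # IPv4 event with MPLS/VLAN fields, 60-byte body

HDR = struct.Struct('!II')           # record type, body length (big-endian)
EVENT = struct.Struct('!11I2H4B')    # the common 52-byte IPv4 event body
V2_TAIL = struct.Struct('!I2H')      # mpls_label, vlan_id, pad (EVENT_V2 only)
FIELDS = ('sensor_id', 'event_id', 'event_second', 'event_microsecond',
          'signature_id', 'generator_id', 'signature_revision',
          'classification_id', 'priority_id', 'ip_source', 'ip_destination',
          'sport_itype', 'dport_icode', 'protocol', 'impact_flag', 'impact', 'blocked')


def parse_unified2(data):
    """Return a list of dicts, one per IDS event record; packet and unknown records are skipped."""
    events, off = [], 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        body = data[off + HDR.size:off + HDR.size + rlen]
        off += HDR.size + rlen
        if rtype not in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_V2) or len(body) < EVENT.size:
            continue
        ev = dict(zip(FIELDS, EVENT.unpack_from(body, 0)))
        # addresses are stored as raw network-order bytes; re-pack them to render dotted quads
        for k in ('ip_source', 'ip_destination'):
            ev[k] = socket.inet_ntoa(struct.pack('!I', ev[k]))
        if rtype == UNIFIED2_IDS_EVENT_V2 and len(body) >= EVENT.size + V2_TAIL.size:
            ev['mpls_label'], ev['vlan_id'], _ = V2_TAIL.unpack_from(body, EVENT.size)
        events.append(ev)
    return events


def build_sample_log():
    """Constructed sample: a packet record followed by one EVENT_V2 record for the ICMP test rule."""
    src = int.from_bytes(socket.inet_aton('192.168.10.50'), 'big')  # constructed addresses
    dst = int.from_bytes(socket.inet_aton('192.168.10.1'), 'big')
    body = EVENT.pack(1, 1, 1700000000, 123456, 10000001, 1, 1, 0, 3, src, dst,
                      8, 0, 1, 0, 0, 0) + V2_TAIL.pack(0, 0, 0)  # itype 8 = echo request, proto 1 = ICMP
    packet = b'\x00' * 8                                           # stand-in packet record body
    return HDR.pack(UNIFIED2_PACKET, len(packet)) + packet + HDR.pack(UNIFIED2_IDS_EVENT_V2, len(body)) + body


if __name__ == '__main__':
    for ev in parse_unified2(build_sample_log()):
        print(f"[{ev['generator_id']}:{ev['signature_id']}:{ev['signature_revision']}] "
              f"{ev['ip_source']} -> {ev['ip_destination']} proto={ev['protocol']}")
```

Point parse_unified2 at the bytes of a real /var/log/snort/snort.u2.xxx file to confirm the ping test produced an event with signature_id 10000001 before troubleshooting Barnyard2 or the database.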

2. Install Barnyard2

Install MySQL

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool

Extract and build

tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./
# Choose ONE of these two commands to run
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
sudo make
sudo make install

Test

ubuntu@ubuntu:~$ barnyard2 -V
 
  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <[email protected]>

Set up the configuration file

sudo cp ~/barnyard2-2-1.13/etc/barnyard2.conf /etc/snort/
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort:snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo

Set up the database

ubuntu@ubuntu:~$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/barnyard2-2-1.13/schemas/create_mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit;

Add the database output configuration

sudo vi /etc/snort/barnyard2.conf
# append the database output at the end of the file
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost sensor_name=sensor01
Restrict permissions on barnyard2.conf so other users cannot read it (it contains the database password)
sudo chmod o-r /etc/snort/barnyard2.conf

Test

# start Snort, then send ping packets to eth1
sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1
# start Barnyard2 to write the events into the database
# 1. continuous mode, using barnyard2.waldo as the bookmark
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
# 2. batch mode, processing a single log file
sudo barnyard2 -c /etc/snort/barnyard2.conf -o /var/log/snort/snort.u2.xxx
# check whether the number of rows in the database increases
mysql -u snort -p -D snort -e "select count(*) from event"
3. Install PulledPork

Extract and install

tar xzvf pulledpork-v0.7.3.tar.gz
cd pulledpork-v0.7.3/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort

Test

ubuntu@ubuntu:~$ pulledpork.pl -V
PulledPork v0.7.3 - Making signature updates great again!

Configure

sudo vi /etc/snort/pulledpork.conf
# line 19: enter the oinkcode generated for your registered account, or comment the line out if you have none
# line 29: uncomment to also download the Emerging Threats rules
# line 74: change to:
rule_path = /etc/snort/rules/snort.rules
# line 89: change to:
local_rules = /etc/snort/rules/local.rules
# line 92: change to:
sid_msg = /etc/snort/sid-msg.map
# line 96: change to:
sid_msg_version = 2
# line 119: change to:
config_path = /etc/snort/snort.conf
# line 133: change to:
distro = Ubuntu-12-04
# line 141: change to:
black_list = /etc/snort/rules/iplists/black_list.rules
# line 150: change to:
IPRVersion = /etc/snort/rules/iplists
sudo vi /etc/snort/snort.conf
# line 548: add
include $RULE_PATH/snort.rules

Update the rules

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

Test the rules

sudo snort -T -c /etc/snort/snort.conf -i eth0
4. Create services

A. Create the Snort service
Create the service unit file

sudo vi /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1
[Install]
WantedBy=multi-user.target

Enable the service at boot

sudo systemctl enable snort

Start the service

sudo systemctl start snort

Check the service status

sudo systemctl status snort

B. Create the Barnyard2 service
Create the service unit file

sudo vi /lib/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs --pid-path=/var/run
[Install]
WantedBy=multi-user.target

Enable the service at boot

sudo systemctl enable barnyard2

Start the service

sudo systemctl start barnyard2

Check the service status

sudo systemctl status barnyard2
5. Install BASE

Extract

tar xzvf base-1.4.5.tar.gz
sudo mv base-1.4.5 /var/www/html/base/

Configure

cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
 
sudo vi /var/www/html/base/base_conf.php
$BASE_Language = 'chinese'; # line 27
$BASE_urlpath = '/base'; # line 50
$DBlib_path = '/usr/share/php/adodb/'; #line 80
$alert_dbname = 'snort'; # line 102
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '123456'; # line 106
// $graph_font_name = "Verdana";
// $graph_font_name = "DejaVuSans";
// $graph_font_name = "Image_Graph_Font";
$graph_font_name = "";
 
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
 
sudo service apache2 restart

Open http://x.x.x./base in a browser.


Reposted from www.cnblogs.com/Beavan/p/12599940.html