1 安装Ubuntu16.04
2 配置网络eth1或em1
3 安装snort的前提条件:
sudo apt-get install -y build-essential; sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev; sudo apt-get install -y bison flex;
创建文件夹: mkdir ~/snort_src; cd ~/snort_src
进入官网下载 DAQ(此处为 2.0.6 版本;下载后建议核对官网公布的校验和再解压): wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz; cd daq-2.0.6; ./configure; make; sudo make install
4 安装snort
sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev; sudo apt-get install -y libnghttp2-dev
cd ~/snort_src; wget https://snort.org/downloads/snort/snort-2.9.12.tar.gz; tar -xvzf snort-2.9.12.tar.gz
cd snort-2.9.12; ./configure --enable-sourcefire; make; sudo make install
更新共享库:sudo ldconfig;
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
snort -V
5 配置snort运行在NIDS模式
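# Create the dedicated snort user and group: a system account with no login
# shell. snort is later started with -u snort -g snort, so it drops root
# after start-up and only this account needs access to the paths below.
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# Create the snort configuration and rule directories (-p: safe to re-run,
# and it creates the parent /etc/snort and /etc/snort/rules as needed).
sudo mkdir -p /etc/snort/rules/iplists
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir -p /etc/snort/so_rules
sudo mkdir -p /usr/local/lib/snort_dynamicrules
# Create the (initially empty) rule, IP-list and sid-msg files that
# snort.conf refers to, so snort -T does not fail on missing files.
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
# Create the log directory and its archive subdirectory.
sudo mkdir -p /var/log/snort/archived_logs
# Permissions: 0775 rather than 5775. Mode 5775 additionally set the setuid
# (4000) and sticky (1000) bits on every file and directory; setuid is
# ignored on directories and meaningless on rule/log files, so it only left
# confusing modes behind. Subdirectories are already covered by -R on the
# parent, so they need no separate chmod.
sudo chmod -R 0775 /etc/snort
sudo chmod -R 0775 /var/log/snort
sudo chmod -R 0775 /usr/local/lib/snort_dynamicrules
# Hand ownership to the snort user so it can read rules and write logs.
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules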
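# /etc/snort: install the stock configuration files and the dynamic
# preprocessors from the source tree built above.
# The version directory must match the tarball unpacked earlier
# (snort-2.9.12); with the wrong version the cd fails and the cp commands
# would silently run in whatever directory the shell happened to be in,
# hence the explicit "|| exit 1".
cd ~/snort_src/snort-2.9.12/etc/ || exit 1
sudo cp -- *.conf* /etc/snort
sudo cp -- *.map /etc/snort
sudo cp -- *.dtd /etc/snort
cd ~/snort_src/snort-2.9.12/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/ || exit 1
sudo cp -- * /usr/local/lib/snort_dynamicpreprocessor/
# Comment out every individual rule-file include in snort.conf (each of
# those files would otherwise have to be downloaded separately); the
# local.rules include is re-added by hand in the editing step that follows.
# Single quotes keep the pattern out of the shell's hands: '\$' reaches sed
# as an escaped, literal dollar sign, and '$' in the replacement is literal.
sudo sed -i 's/include \$RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
sudo vi /etc/snort/snort.conf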
设置: ipvar HOME_NET 10.0.0.0/24 (填 em1 所在网段,或者 any);在 vi 中可输入 /HOME_NET 搜索定位到该行
从第104行开始设置(在 vi 中输入 :104 跳转到该行):
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
在546行插入:include $RULE_PATH/local.rules
查看snort是否配置成功:
$ sudo snort -T -i eth0 -c /etc/snort/snort.conf (网卡名按实际情况改为 eth1 或 em1)
6 写入简单规则进行snort检测
sudo vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;) (格式: 源IP 源端口 -> 目的IP 目的端口;classtype 必须是 classification.config 中定义的名称,这里用 icmp-event,与下面 sid-msg.map 中的写法一致)
设置/etc/snort/sid-msg.map
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792
sudo snort -T -c /etc/snort/snort.conf -i em1
$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i em1
匹配到的数据包保存在 /var/log/snort 中,文件名形如 snort.log.nnnnnnnnn
7 安装Barnyard2
将snort事件写入Mysql数据库
安装前提:sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
让 snort 以二进制(unified2)格式输出告警,供 Barnyard2 读取
/etc/snort/snort.conf 521行
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.u2, limit 128 (limit 128 表示单个输出文件上限为 128 MB)
下载Barnyard2
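# Download and unpack the Barnyard2 master branch, then regenerate the
# autotools build files.
# NOTE(review): "master" is an unpinned, moving target and GitHub publishes
# no checksum for it; pin a release tag or commit if the build must be
# reproducible or auditable.
# "|| exit 1" on each cd: without it a failed cd would let the following
# commands run in the wrong directory.
cd ~/snort_src || exit 1
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-Master.tar.gz
tar zxvf barnyard2-Master.tar.gz
cd barnyard2-master || exit 1
autoreconf -fvi -I ./m4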
创建软链接
# Provide the header name the Barnyard2 build looks for (dnet.h) as a link
# to the one the libdumbnet-dev package installed (dumbnet.h), then refresh
# the shared-library cache.
sudo ln -s -- /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig
根据系统架构(用 uname -a 或 uname -m 查看)选择对应的 configure 命令:
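# Pick the MySQL client library directory from the machine architecture
# instead of asking the reader to choose one of two configure commands.
# Only the two architectures the original instructions covered are mapped;
# anything else stops with a message rather than guessing a path.
case "$(uname -m)" in
  x86_64) mysql_libdir=/usr/lib/x86_64-linux-gnu ;;
  i?86)   mysql_libdir=/usr/lib/i386-linux-gnu ;;
  *)
    printf 'unsupported architecture for this guide: %s\n' "$(uname -m)" >&2
    exit 1
    ;;
esac
./configure --with-mysql --with-mysql-libraries="$mysql_libdir"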
完成安装到/usr/local/bin/barnyard2:
# Build Barnyard2, then install it (the binary lands in /usr/local/bin/barnyard2).
make
sudo make install
$ /usr/local/bin/barnyard2 -V
复制相关文件
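# Install the sample barnyard2.conf next to snort.conf.
sudo cp ~/snort_src/barnyard2-master/etc/barnyard2.conf /etc/snort/
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir -p /var/log/barnyard2
# user:group form, consistent with the chown calls for /etc/snort above
# (GNU chown still accepts the legacy user.group spelling, but it is
# deprecated and ambiguous for user names containing a dot).
sudo chown snort:snort /var/log/barnyard2
# barnyard2 is later started with -w pointing at this file while running as
# the snort user (-u snort -g snort), so the file must be owned by snort.
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo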
创建snort数据库
$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/snort_src/barnyard2-master/schemas/create_mysql
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MySqlSNORTpassword';
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit
编辑 /etc/snort/barnyard2.conf,在最后一行添加(password 必须与上面 CREATE USER 时设置的密码一致;文中的密码仅为示例,应换成自己的):
output database: log, mysql, user=snort password=MySqlSNORTpassword dbname=snort host=localhost sensor name=sensor01
阻止其他用户读取该文件(其中包含数据库密码)
# barnyard2.conf now contains the database password: drop the world-readable
# bit so only the owner and group can read it.
sudo chmod o-r -- /etc/snort/barnyard2.conf
测试snort事件写入数据库
# Start snort in daemon mode (-D) as the unprivileged snort user, reading
# the snort.conf prepared above and listening on em1, then run barnyard2 in
# the foreground as the same user, reading the unified2 file snort.conf
# writes (snort.u2) from /var/log/snort and tracking its position in the
# waldo file.
snort_args=(-q -u snort -g snort -c /etc/snort/snort.conf -i em1 -D)
sudo /usr/local/bin/snort "${snort_args[@]}"

by2_args=(-c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
  -w /var/log/snort/barnyard2.waldo -g snort -u snort)
sudo barnyard2 "${by2_args[@]}"
8 安装pulledpork
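#install pulledpork
# The original lines had a space dropped in three places ("-ylibcrypt…",
# "wgethttps://…", "-Opulledpork…"), which turns them into unknown options /
# commands; restored here.
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
cd ~/snort_src || exit 1
# NOTE(review): unpinned master branch with no published checksum; pin a
# release tag or commit if the install must be reproducible or auditable.
wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-master.tar.gz
tar xzvf pulledpork-master.tar.gz
cd pulledpork-master/ || exit 1
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
# "--" guards against a config file name beginning with a dash being read
# as an option.
sudo cp -- etc/*.conf /etc/snort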