Snort Installation and Usage. This article covers the steps to compile and install Snort, the changes to its configuration file, and verification of packet matching with a custom rule set.
1. The required packages are listed below. Extract and install each in turn: tar zxvf xx.tar.gz; ./configure; make; make install
-rw-r--r--. 1 root root 419752 12月19 15:26 libdnet-1.10.tar.gz
-rw-r--r--. 1 root root 425887 12月19 2013 libpcap-0.9.4.tar.gz
-rw-r--r--. 1 root root 496597 12月19 15:35 zlib-1.2.3.tar.gz
-rw-r--r--. 1 root root 495316 12月19 15:34 daq-2.0.4.tar.gz
-rw-r--r--. 1 root root 5229232 12月19 15:04 snort-2.9.6.2.tar.gz
2. After installation, run snort -dev to see the packets being captured on the network interface:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-14:56:26.012160 10:60:4B:74:8A:89 -> 00:0C:29:6C:3E:B8 type:0x800 len:0x3C
192.168.16.70:8176 -> 192.168.16.71:22 TCP TTL:64 TOS:0x0 ID:8442 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x5098B207 Ack: 0xF40837B6 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Payload data, etc. ...
3. Change into the extracted snort directory and edit etc/snort.conf under it (back it up first). Delete all of the rule-set include lines listed below (the rule include files in snort.conf) and add a single line: include $RULE_PATH/test.rules.
A search shows that $RULE_PATH is defined as var RULE_PATH ../rules, so create a rules directory under the snort directory (mkdir rules), at the same level as etc, and then create the empty rule file with touch test.rules inside rules.
The rule include files in snort.conf are as follows:
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/botnet-cnc.rules
include $RULE_PATH/browser-chrome.rules
include $RULE_PATH/browser-firefox.rules
include $RULE_PATH/browser-ie.rules
include $RULE_PATH/browser-other.rules
include $RULE_PATH/browser-plugins.rules
include $RULE_PATH/browser-webkit.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/content-replace.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/exploit-kit.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/file-executable.rules
include $RULE_PATH/file-flash.rules
include $RULE_PATH/file-identify.rules
include $RULE_PATH/file-image.rules
include $RULE_PATH/file-java.rules
include $RULE_PATH/file-multimedia.rules
include $RULE_PATH/file-office.rules
include $RULE_PATH/file-other.rules
include $RULE_PATH/file-pdf.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/indicator-compromise.rules
include $RULE_PATH/indicator-obfuscation.rules
include $RULE_PATH/indicator-scan.rules
include $RULE_PATH/indicator-shellcode.rules
include $RULE_PATH/info.rules
include $RULE_PATH/malware-backdoor.rules
include $RULE_PATH/malware-cnc.rules
include $RULE_PATH/malware-other.rules
include $RULE_PATH/malware-tools.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/os-linux.rules
include $RULE_PATH/os-mobile.rules
include $RULE_PATH/os-other.rules
include $RULE_PATH/os-solaris.rules
include $RULE_PATH/os-windows.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/phishing-spam.rules
include $RULE_PATH/policy-multimedia.rules
include $RULE_PATH/policy-other.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/policy-social.rules
include $RULE_PATH/policy-spam.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/protocol-dns.rules
include $RULE_PATH/protocol-finger.rules
include $RULE_PATH/protocol-ftp.rules
include $RULE_PATH/protocol-icmp.rules
include $RULE_PATH/protocol-imap.rules
include $RULE_PATH/protocol-nntp.rules
include $RULE_PATH/protocol-pop.rules
include $RULE_PATH/protocol-rpc.rules
include $RULE_PATH/protocol-scada.rules
include $RULE_PATH/protocol-services.rules
include $RULE_PATH/protocol-snmp.rules
include $RULE_PATH/protocol-telnet.rules
include $RULE_PATH/protocol-tftp.rules
include $RULE_PATH/protocol-voip.rules
include $RULE_PATH/pua-adware.rules
include $RULE_PATH/pua-other.rules
include $RULE_PATH/pua-p2p.rules
include $RULE_PATH/pua-toolbars.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scada.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/server-apache.rules
include $RULE_PATH/server-iis.rules
include $RULE_PATH/server-mail.rules
include $RULE_PATH/server-mssql.rules
include $RULE_PATH/server-mysql.rules
include $RULE_PATH/server-oracle.rules
include $RULE_PATH/server-other.rules
include $RULE_PATH/server-samba.rules
include $RULE_PATH/server-webapp.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/voip.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
4. Add the custom rule file. This article uses FTP packets for the verification test. The packet contents are shown below: the first is the downstream message the server returns to the client, the second is the username the client sends to the server.
220 Serv-U FTP Server v6.0 for WinSock ready...
USER anonymous
The rule is as follows; add it to test.rules in the rules directory.
alert tcp any any -> any any (msg:"ftp test jyh ****MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client ;content:"Serv-U"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14;)
5. Run the program. Change into Snort's etc directory and execute the following command line:
snort -r ../ftp_signal_ftp_downloadPasv_jyh_20130402_001.pcap -c snort.conf -l log -A console
Snort reads the FTP pcap file, uses the snort.conf configuration, and writes logs to the log directory (which you create yourself); -A selects the alert mode, and console prints alerts to the console. The alert output is as follows:
04/02-18:57:07.072952 [**] [1:105:14] ftp test jyh ****MALWARE-BACKDOOR - Dagger_1.4.0 [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.60:21 -> 192.168.90.58:1943
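As an added example (not code from this page or from Snort itself), the following Python model replays the two FTP packets from step 4 against the test rule, applying Snort 2's content/offset/depth search window and the flow:to_client direction, and renders each hit in the -A console format shown above (timestamp omitted). The payloads, addresses and ports are constructed from the page; min_depth is a helper of my own for checking how small depth may go.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed packets reproducing the page's FTP exchange (server banner, client USER).
SERVER_BANNER = b"220 Serv-U FTP Server v6.0 for WinSock ready...\r\n"
CLIENT_USER = b"USER anonymous\r\n"

# Fields of the page's test.rules entry (gid 1 is the standard rules engine).
RULE_MSG = "ftp test jyh ****MALWARE-BACKDOOR - Dagger_1.4.0"
RULE_SID, RULE_REV, RULE_PRIORITY = 105, 14, 3  # misc-activity maps to priority 3


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    to_client: bool  # direction as Snort's stream tracker would label it


def content_match(payload: bytes, content: bytes,
                  depth: Optional[int] = None, offset: int = 0) -> bool:
    """Snort 2 content/offset/depth: the pattern must lie entirely inside
    payload[offset:offset+depth]; depth is counted from offset."""
    end = None if depth is None else offset + depth
    return content in payload[offset:end]


def min_depth(payload: bytes, content: bytes) -> int:
    """Smallest depth that still matches: pattern index plus its length (-1 if absent)."""
    idx = payload.find(content)
    return -1 if idx < 0 else idx + len(content)


def rule_fires(pkt: Packet) -> bool:
    """The page's rule: flow:to_client; content:"Serv-U"; depth:16."""
    return pkt.to_client and content_match(pkt.payload, b"Serv-U", depth=16)


def console_alert(pkt: Packet) -> str:
    """Render the hit the way -A console prints it (without the timestamp)."""
    return (f"[**] [1:{RULE_SID}:{RULE_REV}] {RULE_MSG} [**] "
            f"[Classification: Misc activity] [Priority: {RULE_PRIORITY}] "
            f"{{TCP}} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")


def run_exchange() -> List[str]:
    """Replay both packets; only the server banner should produce an alert."""
    banner = Packet("192.168.1.60", 21, "192.168.90.58", 1943, SERVER_BANNER, True)
    user = Packet("192.168.90.58", 1943, "192.168.1.60", 21, CLIENT_USER, False)
    return [console_alert(p) for p in (banner, user) if rule_fires(p)]
```

Lowering depth below 10 (the end of "Serv-U" in the banner) stops the match, which is the kind of check worth running before a rule goes into production.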
6. Error notes
When reading the configuration file, Snort may report that it cannot find the whitelist/blacklist files. Go to the directory where the configuration expects them and create both files; they may be empty.
For other errors, consult the user manual or a Baidu search.
7. References
Snort usage and rule syntax: snort manual.pdf, which can be found in the doc directory of the source tree.
Snort documentation and library downloads: https://www.snort.org/downloads
Snort Chinese user manual: http://www.360doc.com/content/08/0114/14/25127_972488.shtml http://man.chinaunix.net/network/snort/Snortman.htm
Code review:
/*
alert tcp any any -> any any (msg:"ftp test jyh ****MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client ;content:"Serv-U"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14;)
Reading the configuration file: when an include xxx line in snort.conf is encountered, the configuration reader is called again on the included file and the rules in it are parsed.
Rule option parsing: parserule -> parseRuleOptions parses every field in (msg:"ftp test jyh ****MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client ;content:"Serv-U"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14;)
Rule parsing -> PayloadSearchInit (sc=0x328a6a0, data=0x389a580 "\"Serv-U\"", otn=0x389a1a0, protocol=6) at sp_pattern_match.c:189
*/