sudo apt-get install flex
sudo apt-get install bison
sudo apt install aptitude
sudo aptitude install libpcap-dev
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
tar xvfz daq-2.0.7.tar.gz
cd daq-2.0.7
./configure && make && sudo make install
aptitude install libpcre3-dev
aptitude install libdumbnet-dev
aptitude install zlib1g-dev
apt install openssl
apt-get install libssl-dev
安装LuaJIT:
sudo wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
sudo tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
sudo make && sudo make install
LuaJIT-2.0.5安装完成
选择官网当前的版本进行下载
wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
tar xvfz snort-2.9.20.tar.gz
cd snort-2.9.20
./configure --enable-sourcefire && make && sudo make install
已成功安装
#Snort的安装目录
sudo mkdir -p /etc/snort/rules/iplists
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
#存储过滤规则和服务器黑白名单
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/so_rules
#创建日志目录
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
#调整权限
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/rules/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
cp /snort-2.9.20/etc/*.conf* /etc/snort
cp /snort-2.9.20/etc/*.map /etc/snort
cp /snort-2.9.20/etc/*.dtd /etc/snort
cp /snort-2.9.20/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
# 打开配置文件
sudo vim /etc/snort/snort.conf
# 修改路径 找到对应复制
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists/
var BLACK_LIST_PATH /etc/snort/rules/iplists/
wget https://www.snort.org/downloads/registered/snortrules-snapshot-29181.tar.gz
sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort
sudo cp /etc/snort/so_rules/precompiled/RHEL-8/x86-64/2.9.18.1/* /usr/local/lib/snort_dynamicrules/
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
snort -i eth0 -c /etc/snort/snort.conf -A fast -l /var/log/snort/
成功开启snort进行检测
ping 192.168.223.153 -l 1000
可以看到成功检测包大于800的ping攻击
vim /etc/snort/rules/local.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"nmap scan";sid:1000000888;)
保存并退出
sudo snort -i eth0 -c /etc/snort/snort.conf -A fast -l /var/log/snort/
可以看到,成功检测到nmap的扫描