Snort IPS入侵防御系统模式

       snort 经常用作入侵检测系统(IDS),进一步可以配置为入侵防御系统(IPS)。snort使用数据采集器(daq)监听防火墙数据包队列,配合snort规则动作drop、alert等处理数据包,防火墙在snort启动后添加链表队列。报文经过防火墙时,将交给snort来处理,触发入侵检测规则时立刻响应动作,屏蔽数据包。其实,入侵防御系统应该直连在网络环境当中,需要配置网桥。snort监听网桥的功能,防火墙更加要支持网桥,网桥也可以配置成透明的模式。这里只是简单的尝试snort的IPS模式,配置在单机上,屏蔽访问单机而且触发规则的数据包,下面是配置与测试过程。

1、准备环境

      1.1、系统、软件版本

           环境:ubuntu15.10+snort2.9.8.0+daq2.0.4(注因为已经安装过snort的入侵检测模式,snort与daq是重新编译安装)


      2.1、依赖库

           snort配置ips模式,先把数据采集器(daq)配置支持nfq模式,为daq安装netfilter_queue、libnfnetlink、libmnl。下载相应源码包解压编译安装,也可以尝试命令方式安装,不过我使用了源码方式安装。同时,安装上面依赖包的开发包,因为源码编译daq需要开发包支持。然后去下载libdnet源码包解压编译安装。


2、系统安装过程

      2.1、数据采集器daq

           数据采集器(daq)配置支持nfq模式,命令行输入如:

     liang@ubuntu:~/snort/daq$ sudo ./configure


           打印如下结果即配置成功,可以进一步编译安装,否则重新检查安装依赖库步骤是否正确。可见NFQ DAQ 模式为yes。           

     Build AFPacket DAQ module.. : yes
     Build Dump DAQ module...... : yes
     Build IPFW DAQ module...... : yes
     Build IPQ DAQ module....... : no
     Build NFQ DAQ module....... : yes
     Build PCAP DAQ module...... : yes
     Build netmap DAQ module...... : no

           编译链接daq,命令行输入:           

     liang@ubuntu:~/snort/daq$ sudo make

           安装daq命令:

     liang@ubuntu:~/snort/daq$ sudo make install

            查看snort daq支持的功能,命令行输入如下命令:

      liang@ubuntu:~/snort_ips/libdnet-1.11$ snort --daq-list

             打印如下结果,snort daq并没有支持nfq,重新编译入侵检测系统ids:

      Available DAQ modules:
      pcap(v3): readback live multi unpriv
      ipfw(v3): live inline multi unpriv
      dump(v2): readback live inline multi unpriv
      afpacket(v5): live inline multi unpriv


      2.2、入侵检测snort

            命令行输入如下命令编译安装:

      liang@ubuntu:~/snort/snort$ sudo make clean
      liang@ubuntu:~/snort/snort$ sudo ./configure
      liang@ubuntu:~/snort/snort$ sudo make
      liang@ubuntu:~/snort/snort$ sudo make install


             再次查看snort daq支持的功能,输入命令:
      liang@ubuntu:~/snort/snort$ sudo snort --daq-list

             已经支持nfq模式,可以开始IPS模式的配置与测试:

      Available DAQ modules:
      pcap(v3): readback live multi unpriv
      nfq(v7): live inline multi
      ipfw(v3): live inline multi unpriv
      dump(v2): readback live inline multi unpriv
      afpacket(v5): live inline multi unpriv


3、简单规则设计

      3.1、添加两条drop规则

      drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)
      drop icmp any any -> 192.168.213.170 any (msg:"Drop ping";sid:8886288)


      3.2、drop与alert同在

      alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288)
      drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)

      3.3、只有drop规则存在

      drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)

4、snort与iptables联动

      4.1、说明

              首先启动snort,然后添加防火墙规则。可以使用shell脚本或者c程序等监听snort启动成功后,添加防火墙规则,防火墙规则的设置与恢复可以写在文件中,使用iptables命令完成。snort只可以使用一个队列,防火墙里面可以添加多条规则到一个队列。


      4.2、snort启动

             snort启动命令如下:

      sudo snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/etc/snort.conf

      4.3、iptables 队列

             防火墙队列如下,简单的配置过程:

      sudo /usr/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
      sudo /usr/sbin/iptables -I FORWARD -j NFQUEUE --queue-num 1
      sudo /usr/sbin/iptables -t input -I PREROUTING -j NFQUEUE --queue-num 1

             查看防火墙filter表规则:

      liang@ubuntu:~$ sudo iptables -nL

             打印如下:

      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination         
      NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1

      Chain FORWARD (policy ACCEPT)
      target     prot opt source               destination         
      NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1

      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination 


             查看防火墙nat表规则:

      liang@ubuntu:~$ sudo iptables -t nat -nL

             打印如下:

      Chain PREROUTING (policy ACCEPT)
      target     prot opt source               destination         
      NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1


      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination         


      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination         


      Chain POSTROUTING (policy ACCEPT)
      target     prot opt source               destination 


5、测试

     5.1、添加两条drop规则

             本机监听alert输出文件:

      liang@ubuntu:~$ tail -f /var/log/snort/alert  

           

             另外一台机器访问本机80端口,监听输出如下,而且访问80端口失败:

              

[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0] 
03/28-18:15:37.362404 192.168.213.162:40640 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:15682 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3DB5D5B  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408601 0 NOP WS: 7 

[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0] 
03/28-18:15:37.595837 192.168.213.162:40642 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:17709 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8619257E  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408659 0 NOP WS: 7 

[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0] 
03/28-18:15:37.731718 192.168.213.162:40644 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:6892 IpLen:20 DgmLen:60 DF
******S* Seq: 0xA1C7A99  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408693 0 NOP WS: 7 

[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0] 
03/28-18:15:37.884915 192.168.213.162:40646 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:42308 IpLen:20 DgmLen:60 DF
******S* Seq: 0x495EC5DF  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408731 0 NOP WS: 7 

[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0] 
03/28-18:15:38.082540 192.168.213.162:40648 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:7605 IpLen:20 DgmLen:60 DF
******S* Seq: 0xEF657D78  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408781 0 NOP WS: 7 

[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0] 
03/28-18:15:38.333060 192.168.213.162:40650 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:61398 IpLen:20 DgmLen:60 DF
******S* Seq: 0x64518EDD  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408843 0 NOP WS: 7 

             另一台机器ping本地主机,打印如下,而且ping失败:

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:50.932352 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:36821 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:1  ECHO

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:51.940781 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:36847 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:2  ECHO

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:52.941954 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37040 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:3  ECHO

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:53.941261 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37191 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:4  ECHO

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:54.941031 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37319 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:5  ECHO

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:55.941207 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37535 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:6  ECHO

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:56.941222 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37771 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:7  ECHO


             查看snort终端打印信息,看到屏蔽了29个数据包,加上以上打印信息证明snort IPS模式生效:

Commencing packet processing (pid=3466)
Decoding Raw IP4
^C*** Caught Int-Signal
===============================================================================
Run time for packet processing was 261.437100 seconds
Snort processed 763 packets.
Snort ran for 0 days 0 hours 4 minutes 21 seconds
   Pkts/min:          190
   Pkts/sec:            2
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       274706432
  Bytes in mapped regions (hblkhd):      21590016
  Total allocated space (uordblks):      102918272
  Total free space (fordblks):           171788160
  Topmost releasable block (keepcost):   59472
===============================================================================
Packet I/O Totals:
   Received:          763
   Analyzed:          763 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           29
===============================================================================


     5.2、drop与alert同在

            因为配置了 alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288) 规则,ping操作可以完成,但是ping操作被报警记录,此时像是入侵检测   模式,但是屏蔽的80端口仍然不能访问,而且被记录在报警日志里面。同时,snort终端也有打印屏蔽数据包的信息。


     5.3、只有drop规则存在

             此时ping操作可以完成,没有被记录到日志。而访问80端口让然出现上面的情况,证明snort IPS模式配置成功,屏蔽数据的功能有snort根据规则动作来完成。         


你可能感兴趣的:(IPS,snort,daq,nfq)