Snort IPS入侵防御系统模式
snort 经常用作入侵检测系统(IDS),进一步可以配置为入侵防御系统(IPS)。snort使用数据采集器(daq)监听防火墙数据包队列,配合snort规则动作drop、alert等处理数据包,防火墙在snort启动后添加链表队列。报文经过防火墙时,将交给snort来处理,触发入侵检测规则时立刻响应动作,屏蔽数据包。其实,入侵防御系统应该直连在网络环境当中,需要配置网桥。snort监听网桥的功能,防火墙更加要支持网桥,网桥也可以配置成透明的模式。这里只是简单的尝试snort的IPS模式,配置在单机上,屏蔽访问单机而且触发规则的数据包,下面是配置与测试过程。
1、准备环境
1.1、系统、软件版本
环境:ubuntu15.10+snort2.9.8.0+daq2.0.4(注因为已经安装过snort的入侵检测模式,snort与daq是重新编译安装)
2.1、依赖库
snort配置ips模式,先把数据采集器(daq)配置支持nfq模式,为daq安装netfilter_queue、libnfnetlink、libmnl。下载相应源码包解压编译安装,也可以尝试命令方式安装,不过我使用了源码方式安装。同时,安装上面依赖包的开发包,因为源码编译daq需要开发包支持。然后去下载libdnet源码包解压编译安装。
2、系统安装过程
2.1、数据采集器daq
数据采集器(daq)配置支持nfq模式,命令行输入如:
liang@ubuntu:~/snort/daq$ sudo ./configure
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
Build netmap DAQ module...... : no
编译链接daq,命令行输入:
liang@ubuntu:~/snort/daq$ sudo make
安装daq命令:
liang@ubuntu:~/snort/daq$ sudo make install
查看snort daq支持的功能,命令行输入如下命令:
liang@ubuntu:~/snort_ips/libdnet-1.11$ snort --daq-list
打印如下结果,snort daq并没有支持nfq,重新编译入侵检测系统ids:
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
2.2、入侵检测snort
命令行输入如下命令编译安装: liang@ubuntu:~/snort/snort$ sudo make clean
liang@ubuntu:~/snort/snort$ sudo ./configure
liang@ubuntu:~/snort/snort$ sudo make
liang@ubuntu:~/snort/snort$ sudo make install
liang@ubuntu:~/snort/snort$ sudo snort --daq-list
已经支持nfq模式,可以开始IPS模式的配置与测试:
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
3、简单规则设计
3.1、添加两条drop规则
drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)
drop icmp any any -> 192.168.213.170 any (msg:"Drop ping";sid:8886288)
3.2、drop与alert同在
alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288)
drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)
3.3、只有drop规则存在
drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)
4、snort与iptables联动
4.1、说明
首先启动snort,然后添加防火墙规则。可以使用shell脚本或者c程序等监听snort启动成功后,添加防火墙规则,防火墙规则的设置与恢复可以写在文件中,使用iptables命令完成。snort只可以使用一个队列,防火墙里面可以添加多条规则到一个队列。
4.2、snort启动
snort启动命令如下:
sudo snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/etc/snort.conf
4.3、iptables 队列
防火墙队列如下,简单的配置过程:
sudo /usr/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
sudo /usr/sbin/iptables -I FORWARD -j NFQUEUE --queue-num 1
sudo /usr/sbin/iptables -t input -I PREROUTING -j NFQUEUE --queue-num 1
查看防火墙filter表规则:
liang@ubuntu:~$ sudo iptables -nL
打印如下:
Chain INPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 1
Chain FORWARD (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
查看防火墙nat表规则:
liang@ubuntu:~$ sudo iptables -t nat -nL
打印如下:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 1
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
5、测试
5.1、添加两条drop规则
本机监听alert输出文件:
liang@ubuntu:~$ tail -f /var/log/snort/alert
另外一台机器访问本机80端口,监听输出如下,而且访问80端口失败:
[**] [1:26287:0] "Drop http:80" [**] [Priority: 0] 03/28-18:15:37.362404 192.168.213.162:40640 -> 192.168.213.170:80 TCP TTL:64 TOS:0x0 ID:15682 IpLen:20 DgmLen:60 DF ******S* Seq: 0x3DB5D5B Ack: 0x0 Win: 0x7210 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 16408601 0 NOP WS: 7 [**] [1:26287:0] "Drop http:80" [**] [Priority: 0] 03/28-18:15:37.595837 192.168.213.162:40642 -> 192.168.213.170:80 TCP TTL:64 TOS:0x0 ID:17709 IpLen:20 DgmLen:60 DF ******S* Seq: 0x8619257E Ack: 0x0 Win: 0x7210 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 16408659 0 NOP WS: 7 [**] [1:26287:0] "Drop http:80" [**] [Priority: 0] 03/28-18:15:37.731718 192.168.213.162:40644 -> 192.168.213.170:80 TCP TTL:64 TOS:0x0 ID:6892 IpLen:20 DgmLen:60 DF ******S* Seq: 0xA1C7A99 Ack: 0x0 Win: 0x7210 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 16408693 0 NOP WS: 7 [**] [1:26287:0] "Drop http:80" [**] [Priority: 0] 03/28-18:15:37.884915 192.168.213.162:40646 -> 192.168.213.170:80 TCP TTL:64 TOS:0x0 ID:42308 IpLen:20 DgmLen:60 DF ******S* Seq: 0x495EC5DF Ack: 0x0 Win: 0x7210 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 16408731 0 NOP WS: 7 [**] [1:26287:0] "Drop http:80" [**] [Priority: 0] 03/28-18:15:38.082540 192.168.213.162:40648 -> 192.168.213.170:80 TCP TTL:64 TOS:0x0 ID:7605 IpLen:20 DgmLen:60 DF ******S* Seq: 0xEF657D78 Ack: 0x0 Win: 0x7210 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 16408781 0 NOP WS: 7 [**] [1:26287:0] "Drop http:80" [**] [Priority: 0] 03/28-18:15:38.333060 192.168.213.162:40650 -> 192.168.213.170:80 TCP TTL:64 TOS:0x0 ID:61398 IpLen:20 DgmLen:60 DF ******S* Seq: 0x64518EDD Ack: 0x0 Win: 0x7210 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 16408843 0 NOP WS: 7
另一台机器ping本地主机,打印如下,而且ping失败:
[**] [1:8886288:0] "Drop ping" [**] [Priority: 0] 03/28-18:16:50.932352 192.168.213.162 -> 192.168.213.170 ICMP TTL:4 TOS:0x0 ID:36821 IpLen:20 DgmLen:84 DF Type:8 Code:0 ID:41134 Seq:1 ECHO [**] [1:8886288:0] "Drop ping" [**] [Priority: 0] 03/28-18:16:51.940781 192.168.213.162 -> 192.168.213.170 ICMP TTL:4 TOS:0x0 ID:36847 IpLen:20 DgmLen:84 DF Type:8 Code:0 ID:41134 Seq:2 ECHO [**] [1:8886288:0] "Drop ping" [**] [Priority: 0] 03/28-18:16:52.941954 192.168.213.162 -> 192.168.213.170 ICMP TTL:4 TOS:0x0 ID:37040 IpLen:20 DgmLen:84 DF Type:8 Code:0 ID:41134 Seq:3 ECHO [**] [1:8886288:0] "Drop ping" [**] [Priority: 0] 03/28-18:16:53.941261 192.168.213.162 -> 192.168.213.170 ICMP TTL:4 TOS:0x0 ID:37191 IpLen:20 DgmLen:84 DF Type:8 Code:0 ID:41134 Seq:4 ECHO [**] [1:8886288:0] "Drop ping" [**] [Priority: 0] 03/28-18:16:54.941031 192.168.213.162 -> 192.168.213.170 ICMP TTL:4 TOS:0x0 ID:37319 IpLen:20 DgmLen:84 DF Type:8 Code:0 ID:41134 Seq:5 ECHO [**] [1:8886288:0] "Drop ping" [**] [Priority: 0] 03/28-18:16:55.941207 192.168.213.162 -> 192.168.213.170 ICMP TTL:4 TOS:0x0 ID:37535 IpLen:20 DgmLen:84 DF Type:8 Code:0 ID:41134 Seq:6 ECHO [**] [1:8886288:0] "Drop ping" [**] [Priority: 0] 03/28-18:16:56.941222 192.168.213.162 -> 192.168.213.170 ICMP TTL:4 TOS:0x0 ID:37771 IpLen:20 DgmLen:84 DF Type:8 Code:0 ID:41134 Seq:7 ECHO
Commencing packet processing (pid=3466)
Decoding Raw IP4
^C*** Caught Int-Signal
===============================================================================
Run time for packet processing was 261.437100 seconds
Snort processed 763 packets.
Snort ran for 0 days 0 hours 4 minutes 21 seconds
Pkts/min: 190
Pkts/sec: 2
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena): 274706432
Bytes in mapped regions (hblkhd): 21590016
Total allocated space (uordblks): 102918272
Total free space (fordblks): 171788160
Topmost releasable block (keepcost): 59472
===============================================================================
Packet I/O Totals:
Received: 763
Analyzed: 763 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 29
===============================================================================
5.2、drop与alert同在
因为配置了 alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288) 规则,ping操作可以完成,但是ping操作被报警记录,此时像是入侵检测 模式,但是屏蔽的80端口仍然不能访问,而且被记录在报警日志里面。同时,snort终端也有打印屏蔽数据包的信息。
5.3、只有drop规则存在
此时ping操作可以完成,没有被记录到日志。而访问80端口让然出现上面的情况,证明snort IPS模式配置成功,屏蔽数据的功能有snort根据规则动作来完成。