Installing and using Snort, a lightweight intrusion detection system

Snort is an open-source, lightweight network intrusion detection system (NIDS) written in C. It runs on Windows and Linux; I prefer Linux, so that is where I study it. Snort has three modes of operation: sniffer, packet logger and intrusion detection. It can also be configured as an inline intrusion prevention system, but that setup is considerably more involved. As a lightweight IDS, Snort's feature set is narrow and its configuration fiddly, which makes it a good subject for studying IDS source code and writing detection rules. Rule actions come in five kinds; the common ones are alert, pass and log, and they are described briefly further down.

Environment: Ubuntu 15.10 + Snort 2.9.8.0 + DAQ 2.0.4 (note that the wget below actually fetches daq-2.0.6). Snort can be installed from the command line with the package manager, which is very convenient: once the package is in, you can configure it and start using it. Most people prefer to build from source, though, so that they can study and debug the code later, write rules and test Snort's features. Snort's various plugins are not especially convenient to use, and a source build takes a fair amount of fiddling.

1. Install dependencies

1.1 Install DAQ

Download the DAQ source:

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz


Unpack the DAQ tarball. Running ./configure straight away fails with one missing dependency after another, so install them first: bison, flex and libpcap.

1.2 Other dependencies

Install bison and flex first:

liang@ubuntu:~/snort/daq$ sudo apt-get install bison flex


Download the libpcap source:

liang@ubuntu:~/snort/libpcap$ wget http://www.tcpdump.org/release/libpcap-1.7.4.tar.gz     


Unpack, build and install libpcap (make does not need root; only make install does):

liang@ubuntu:~/snort/libpcap$ tar -zxvf libpcap-1.7.4.tar.gz
liang@ubuntu:~/snort/libpcap/libpcap-1.7.4$ ./configure
liang@ubuntu:~/snort/libpcap/libpcap-1.7.4$ make
liang@ubuntu:~/snort/libpcap/libpcap-1.7.4$ sudo make install
liang@ubuntu:~/snort/daq$ sudo cp /usr/local/lib/libpcap.* /usr/lib/

The final cp is a workaround so that the dynamic loader finds the freshly built libpcap under /usr/local/lib. The cleaner fix is to run sudo ldconfig after make install (or list /usr/local/lib in /etc/ld.so.conf.d/) instead of copying library files into /usr/lib.

1.3 Build and install DAQ

Run the DAQ configure script again:

liang@ubuntu:~/snort/daq$ ./configure


Output like the following means configure succeeded and DAQ can be built. The module list is worth reading: PCAP and AFPacket are all that passive IDS mode needs, but NFQ shows "no" here, and that is the module used for NFQUEUE-based inline operation (-Q, the IPS setup mentioned at the top). If you want it, install libnetfilter-queue-dev and libnfnetlink-dev and re-run ./configure:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Build netmap DAQ module...... : no


Build DAQ. autoreconf regenerates the configure script and is only needed when the tarball's configure is missing or stale; if you do need it, run it before ./configure. Neither step needs sudo:

liang@ubuntu:~/snort/daq$ autoreconf -ivf
liang@ubuntu:~/snort/daq$ make

Install DAQ (root is needed here because it writes under /usr/local; running sudo ldconfig afterwards is what lets Snort's configure locate libdaq):

liang@ubuntu:~/snort/daq$ sudo make install 

DAQ is now installed.

   

2. Install Snort

2.1 Download the Snort source:

wget https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz

Unpacking and building Snort turns up more missing dependencies, so install these first: libdumbnet-dev and zlib1g-dev. Snort also requires PCRE; the startup banner further down shows PCRE 8.35, so it was already present on this machine, but if configure complains about it, install libpcre3-dev as well.

2.2 Other dependencies:

Run:

liang@ubuntu:~/snort/snort$ sudo apt-get install libdumbnet-dev zlib1g-dev


2.3 Build and install Snort

Configure Snort (--enable-sourcefire turns on the Sourcefire build options, including performance profiling and packet performance monitoring):

liang@ubuntu:~/snort/snort$ ./configure --enable-sourcefire


Build and install Snort (as with DAQ, autoreconf is only needed if configure is missing and belongs before ./configure; only make install needs root):

liang@ubuntu:~/snort/snort$ autoreconf -ivf 
liang@ubuntu:~/snort/snort$ make
liang@ubuntu:~/snort/snort$ sudo make install

 

Snort is installed into the following locations (the binary and its dynamic libraries):

snort: /usr/local/bin/snort /usr/local/lib/snort


3. Start Snort

Start Snort with the following command (root is required to open the interface for capture):

liang@ubuntu:~/snort/snort$ sudo snort

 

Output like the following means it started. With no options Snort runs in packet dump (sniffer) mode on the first non-loopback interface (eno16777736 here) with no rules loaded; the -v switch from the help text below is what actually prints each packet's headers, and -i selects a different interface:

Running in packet dump mode


        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eno16777736".
Decoding Ethernet


        --== Initialization Complete ==--


   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.35 2014-04-04
           Using ZLIB version: 1.2.8


Commencing packet processing (pid=47760)

To see Snort's usage help, run:
liang@ubuntu:/etc/snort$ snort --help

The output is as follows:
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.35 2014-04-04
           Using ZLIB version: 1.2.8

USAGE: snort [-options] <filter options>
Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -g <gname> Run snort gid as <gname> group (or gid) after initialization
        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
        -h <hn>    Set home network = <hn>
                   (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
        -H         Make hash tables deterministic.
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -K <mode>  Logging mode (pcap[default],ascii,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -M         Log messages to syslog (not alerts)
        -m <umask> Set umask = <umask>
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -Q         Enable inline mode operation.
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -t <dir>   Chroots process to <dir> after initialization
        -T         Test and report on the current Snort configuration
        -u <uname> Run snort uid as <uname> user (or uid) after initialization
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -X         Dump the raw packet data starting at the link layer
        -x         Exit if Snort configuration problems occur
        -y         Include year in timestamp in the alert and log files
        -Z <file>  Set the performonitor preprocessor file path and name
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
   --logid <0xid>                  Same as -G
   --perfmon-file <file>           Same as -Z
   --pid-path <dir>                Specify the directory for the Snort PID file
   --snaplen <snap>                Same as -P
   --help                          Same as -?
   --version                       Same as -V
   --alert-before-pass             Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
   --treat-drop-as-alert           Converts drop, sdrop, and reject rules into alert rules during startup
   --treat-drop-as-ignore          Use drop, sdrop, and reject rules to ignore session traffic when not inline.
   --process-all-events            Process all queued events (drop, alert,...), default stops after 1st action group
   --enable-inline-test            Enable Inline-Test Mode Operation
   --dynamic-engine-lib <file>     Load a dynamic detection engine
   --dynamic-engine-lib-dir <path> Load all dynamic engines from directory
   --dynamic-detection-lib <file>  Load a dynamic rules library
   --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
   --dump-dynamic-rules <path>     Creates stub rule files of all loaded rules libraries
   --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library
   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
   --dynamic-output-lib <file>  Load a dynamic output library
   --dynamic-output-lib-dir <path> Load all dynamic output libraries from directory
   --create-pidfile                Create PID file, even when not in Daemon mode
   --nolock-pidfile                Do not try to lock Snort PID file
   --no-interface-pidfile          Do not include the interface name in Snort PID file
   --disable-attribute-reload-thread Do not create a thread to reload the attribute table
   --pcap-single <tf>              Same as -r.
   --pcap-file <file>              file that contains a list of pcaps to read - read mode is implied.
   --pcap-list "<list>"            a space separated list of pcaps to read - read mode is implied.
   --pcap-dir <dir>                a directory to recurse to look for pcaps - read mode is implied.
   --pcap-filter <filter>          filter to apply when getting pcaps from file or directory.
   --pcap-no-filter                reset to use no filter when getting pcaps from file or directory.
   --pcap-loop <count>             this option will read the pcaps specified on command line continuously.
                                   for <count> times.  A value of 0 will read until Snort is terminated.
   --pcap-reset                    if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
   --pcap-reload                   if reading multiple pcaps, reload snort config between pcaps.
   --pcap-show                     print a line saying what pcap is currently being read.
   --exit-check <count>            Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
                                   takes from signaling until DAQ_Stop() is called.
   --conf-error-out                Same as -x
   --enable-mpls-multicast         Allow multicast MPLS
   --enable-mpls-overlapping-ip    Handle overlapping IPs within MPLS clouds
   --max-mpls-labelchain-len       Specify the max MPLS label chain
   --mpls-payload-type             Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
   --require-rule-sid              Require that all snort rules have SID specified.
   --daq <type>                    Select packet acquisition module (default is pcap).
   --daq-mode <mode>               Select the DAQ operating mode.
   --daq-var <name=value>          Specify extra DAQ configuration variable.
   --daq-dir <dir>                 Tell snort where to find desired DAQ.
   --daq-list[=<dir>]              List packet acquisition modules available in dir.  Default is static modules only.
   --dirty-pig                     Don't flush packets and release memory on shutdown.
   --cs-dir <dir>                  Directory to use for control socket.
   --ha-peer                       Activate live high-availability state sharing with peer.
   --ha-out <file>                 Write high-availability events to this file.
   --ha-in <file>                  Read high-availability events from this file on startup (warm-start).
   --suppress-config-log           Suppress configuration information output.


4. Configure Snort

The sample configuration file ships as etc/snort.conf in the unpacked source tree; the test in section 6 uses a copy at /etc/snort/etc/snort.conf. Edit it with the official manual at hand (a Chinese translation exists but is incomplete), and validate the result with snort -T -c <file> before running it for real: -T parses the configuration and every included rule file and exits instead of starting capture.

5. Snort rules

Two hand-written Snort rules:

alert tcp any any -> 192.168.213.170 80 (msg:"Telnet Login";sid:26287)
alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288)

 

Write them to a new rules file and reference that file from the Snort configuration (an include line in snort.conf); both rules are then active the next time Snort starts. Note that msg is only a free-text label: the first rule matches every TCP packet to port 80 on 192.168.213.170 regardless of payload, so "Telnet Login" is a misleading name for what is in fact an HTTP hit, as the alerts in section 6 show.
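A minimal snort.conf fragment that wires the two rules in, added here as an example and not taken from the page or from the Snort distribution; the file name local.rules and the /etc/snort/rules location are assumptions:

```conf
# Hosts Snort is protecting. With this set, the rules above could use
# $HOME_NET instead of the hard-coded 192.168.213.170.
ipvar HOME_NET 192.168.213.170/32
ipvar EXTERNAL_NET !$HOME_NET

# Directory holding the rule files (assumed layout).
var RULE_PATH /etc/snort/rules

# Load the two hand-written rules from section 5, saved as local.rules.
include $RULE_PATH/local.rules
```

Run sudo snort -T -c /etc/snort/etc/snort.conf afterwards: test mode parses the configuration and every included rule file and reports a syntax error in a rule (a missing closing parenthesis, a bad port spec) before Snort is ever put on the wire.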

A Snort rule has two parts, the rule header and the rule options. The header carries the packet's protocol, the source and destination addresses and ports, the direction, and the action to take when the rule matches. Addresses and ports are the most basic network attributes there are, and both come in source and destination form. There are five actions: alert, log, pass (ignore the packet), activate (alert and switch on another dynamic rule chain) and dynamic (stay idle until an activate rule turns it on). When Snort runs inline, drop, sdrop and reject are available as well (see the --treat-drop-as-* options in the help output above).

The rule options are where most of the detail lives. sid is effectively mandatory (the alert log identifies a rule only by gid:sid:rev, and --require-rule-sid makes Snort refuse rules without one), msg is the text written to the alert, and content is the byte pattern to look for in the payload. For the remaining options consult the official manual. I have always wondered whether content could be used to detect malicious code itself; if it could, malware could be flagged and handled at the gateway and never reach the hosts.

6. Test case

6.1 Start Snort on the local host in NIDS mode (-i picks the interface, -c loads the configuration and its rules, -A fast writes one-line alerts, -l sets the log directory):

sudo snort -i eth0 -c /etc/snort/etc/snort.conf -A fast -l /var/log/snort

 

6.2 Follow the alert log in real time:

liang@ubuntu:~/snort/run/log$ tail -f /var/log/snort/alert 

6.3 Test the rules

Ping the Snort host from another machine; the resulting alerts:

03/21-16:15:13.164956  [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-16:15:14.164567  [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-16:15:15.164590  [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-16:15:16.166108  [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170


Access and scan port 80 on the Snort host from another machine (the Snort host runs Apache); the resulting alerts. Each line carries the timestamp, [gid:sid:rev], msg, priority, protocol and the address pair; Priority is 0 because neither rule sets a classtype or priority, and the rule fires on every packet of each TCP connection, handshake included, because it has no flow or content condition:

03/21-14:43:04.242200  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38250 -> 192.168.213.170:80
03/21-14:45:46.621115  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.621268  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.621409  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.629345  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
03/21-14:45:46.629466  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
03/21-14:45:46.633859  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
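Reading the alert file by eye stops scaling quickly, so here is a parser and triage step for the -A fast format, added as an example and not part of Snort or of the original page. It parses lines like those above (the sample is constructed to mirror them; the last alert line adds the optional [Classification: ...] field that a rule with classtype would produce, and the "Web Application Attack" text is an assumption), counts alerts per rule and host pair, and flags a source that trips the same rule repeatedly inside a short window, which is what the port-80 probe above looks like:

```python
"""Parser and triage for Snort -A fast alert lines (added example, not Snort code)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the page's output (192.168.213.162 -> .170).
SAMPLE_ALERTS = """\
03/21-16:15:13.164956  [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-16:15:14.164567  [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-14:45:46.621115  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.621268  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.629345  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
03/21-14:45:46.629466  [**] [1:26287:0] "Telnet Login" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
not an alert line: it must be skipped, not crash the parser
"""

# Timestamp is MM/DD-HH:MM:SS.usec, or MM/DD/YY-... when snort runs with -y.
# msg may or may not be quoted; [Classification: ...] appears only when the rule has a classtype.
# Addresses are matched as IPv4 here; IPv6 alerts would need a different src/dst pattern.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"?(?P<msg>.*?)"?\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$'
)


def parse_fast_alert(line):
    """Return a dict for one fast-alert line, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    fmt = "%m/%d/%y-%H:%M:%S.%f" if d["ts"].count("/") == 2 else "%m/%d-%H:%M:%S.%f"
    return {
        "ts": datetime.strptime(d["ts"], fmt),  # year defaults to 1900 when the log has no year
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_alert_file(text):
    return [a for a in map(parse_fast_alert, text.splitlines()) if a]


def summarize(alerts):
    """Alert count per (sid, msg, src, dst)."""
    return Counter((a["sid"], a["msg"], a["src"], a["dst"]) for a in alerts)


def bursts(alerts, threshold=3, window=timedelta(seconds=1)):
    """(sid, src) pairs that fired at least `threshold` times within any `window`."""
    times = defaultdict(list)
    for a in alerts:
        times[(a["sid"], a["src"])].append(a["ts"])
    hits = []
    for key, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):  # sliding window over the sorted timestamps
            while t - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    alerts = parse_alert_file(SAMPLE_ALERTS)
    for key, n in summarize(alerts).most_common():
        print(n, key)
    print("bursts:", bursts(alerts))
```

Pointed at the /var/log/snort/alert file from section 6.2 (parse_alert_file(open(path).read())), this gives a per-rule, per-host count and singles out the scanning host. It also makes the earlier point about rule hygiene visible: with the page's two rules, only the sid tells the two alert types apart, so msg and classtype are worth getting right before the log gets large.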




