最近在学习snort,在官网http://www.snort.org下载了最新版的windows平台下的snort安装包Snort_2_9_0_5_Installer.exe和规则文件库snort-2.9.0.3.tar.zip,查阅了网上的资料终于把基本的安装和IDS模式配置完成了,写成学习笔记以便加强记忆。
自己是菜鸟,对这方面挺感兴趣,但是技术有限,希望能得到高手指点![]()
------------------------------------------------------------
1、由于我本机已经安装了WinPcap_4_1_2.exe,可满足当前Snort版本对WinPcap版本的要求,所以只下载了Snort。
首先安装Snort_2_9_0_5_Installer.exe,过程比较简单,由于只是自己测试,我没有进行过多的设置一路Next安装完毕,默认路径C:\Snort,最后弹出Snort has successfullly been installed.窗口,点击“确定”安装成功;
之后同样步骤完成了WinPcap_4_1_2.exe的安装。
2、配置环境变量(我感觉我不配置也可以啊),如下图所示:![]()
3、运行cmd,输入“snort -?”可以查看snort相关命令行,如下图所示:
4、导入规则文件库,解压下载下来的snort-2.9.0.3.tar.zip,得到四个文件夹:
将文件夹下的文件复制到snort安装目录下对应的文件中,我安完snort安装目录下没有so_rules文件夹,就直接复制过去了。
5、然后启用ids模式,执行以下命令:
这时遇到了很多问题,主要都是由于snort.conf配置文件的错误,找了一些资料及snort官网的论坛,终于解决了,可能有些解决的办法不一定是很好的,不管怎样终于可以运行起来了。
第一个错误:ERROR:c:\Snort\etc\snort.conf(39) Unknown rule type:ipvar
解决办法:把snort.conf文件中的ipvar改为var(可能不是根本的解决办法)
解决之后重复执行上图的运行命令,会弹出第二个错误,以下依次类推。。
第二个错误:
ERROR: C:\SnortBuild\snort-2.9.0.5\src\parser.c(5245) Could not stat dynamic mod
ule path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
ule path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
解决办法:由于snort.conf文件中默认的配置路径是linux环境中的相对路径,所以在windows环境中需要改为绝对路径:
原来代码是这样的:
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
按照当前目录下的文件名称及所在路径改为:
dynamicdetection directory /usr/local/lib/snort_dynamicrules
按照当前目录下的文件名称及所在路径改为:
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
# path to dynamic preprocessor libraries
#dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
#dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_sdf.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
dynamicengine C:/Snort/lib/snort_dynamicengine/sf_engine.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_sdf.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
dynamicengine C:/Snort/lib/snort_dynamicengine/sf_engine.dll
# path to base preprocessor engine
#dynamicengine C:\Snort\lib\snort_dynamicengine\libsf_engine.so
#dynamicengine C:\Snort\lib\snort_dynamicengine\libsf_engine.so
# path to dynamic rules libraries
#dynamicdetection C:\Snort\lib\snort_dynamicrules
#dynamicdetection C:\Snort\lib\snort_dynamicrules
第三个错误:
ERROR: C:\Snort\etc\snort.conf(255) => 'compress_depth' and 'decompress_depth' s
hould be set to max in the default policy to enable 'unlimited_decompress'
Fatal Error, Quitting..
hould be set to max in the default policy to enable 'unlimited_decompress'
Fatal Error, Quitting..
解决办法:我把compress_depth 20480改成了65535,也不知道对不对,反正是不报错了?
第四个错误:
ERROR: C:\Snort\etc\snort.conf(201) Unknown preprocessor: "normalize_ip4".
Fatal Error, Quittig..
Fatal Error, Quittig..
解决办法:把下面的都#注掉了就好了。我看技术人员回复的意思应该是“因为在IDS模式不起作用,但是在windows平台下实际起作用了”,所以注掉。。
# Does nothing in IDS mode
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6
逐个解决完上面遇到的问题之后,再执行以IDS模式运行的指令时,应该就正确进入IDS模式了。
还需要注意的是,snort.conf文件中此处的路径需要改为绝对路径,这样才能正确调用规则文件,当有事件时才能触发规则发生相应动作(我这么理解的)
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
改为
var RULE_PATH c:\Snort\rules
var SO_RULE_PATH c:\Snort\so_rules
var PREPROC_RULE_PATH c:\Snort\preproc_rules
var SO_RULE_PATH c:\Snort\so_rules
var PREPROC_RULE_PATH c:\Snort\preproc_rules
很有帮助的参考资料: