Snort has three working modes: sniffer mode, packet logger mode and network intrusion detection mode. Beginners often confuse the three, so this article distinguishes them one by one by looking at what each mode does and what it is for.
1. Sniffer (packet dump) mode
Snort uses the libpcap packet-capture library. In this mode Snort puts the network interface into promiscuous mode and reads and decodes packets. The function is similar to the tcpdump tool; the command is shown below.
localhost:~# snort -v    // show the TCP/IP header information of the captured packets
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.3.1 IPv6 GRE (Build 40)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.02 2010-03-19
Using ZLIB version: 1.2.3.4
Commencing packet processing (pid=5053)
Note that the option here is a lowercase v; an uppercase V prints the Snort version instead. The output above shows only TCP/IP packet header information; to see the application-layer data as well, enter the following command.
#snort -vd    // capture packet headers plus application-layer data
This command does not write a log to the /var/log/snort/ directory.
2. Packet logging mode
The sniffer described above only captures packets from the network; the packet logger saves the captured packets to storage. For example, the following command reads back only the ICMP-related packets:
#snort -dvr snort.log.140493321 icmp
The following command reads back only the TCP-related packets:
#snort -dvr snort.log.140493321 tcp
To log only the traffic of a particular subnet, use the following command (note: a log directory must already exist in the current directory):
# snort -vde -l ./log -h 10.32.14.0/24
Part of the output of this command is shown below:
Running in packet logging mode
--== Initializing Snort ==--
Initializing Output Plugins!
Log directory = ./log    // log storage path
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".    // capture traffic from the eth0 interface
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.3.1 IPv6 GRE (Build 40)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.02 2010-03-19
Using ZLIB version: 1.2.3.4
Commencing packet processing (pid=4569)    // packet processing starts
^C*** Caught Int-Signal
=======================================================================
Run time for packet processing was 5.193675 seconds    // time spent analysing packets
Snort processed 7 packets.
Snort ran for 0 days 0 hours 0 minutes 5 seconds
Pkts/sec: 1    // average packet receive rate (packets per second)
=======================================================================
Packet I/O Totals:    // totals of packets in/out
Received: 7    // number received
Analyzed: 7 (100.000%)    // number analysed
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
=======================================================================
Breakdown by protocol (includes rebuilt packets):    // breakdown by protocol (including reassembled packets)
Eth: 7 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 4 ( 57.143%)
Frag: 0 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 0 ( 0.000%)
TCP: 4 ( 57.143%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 3 ( 42.857%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 0 ( 0.000%)
Bad Chk Sum: 2 ( 28.571%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 0 ( 0.000%)
S5 G 2: 0 ( 0.000%)
Total: 7
========================================================================
Snort exiting
Next comes a more complex experiment; the environment is OSSIM 4. Start Snort from the command line:
#snort -l /var/log/snort/ -c /etc/snort/snort.conf
Press Ctrl+C to quit the program; the output received is shown below:
[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format : Full-Q
| Finite Automaton : DFA
| Alphabet Size : 256 Chars
| Sizeof State : Variable (1,2,4 bytes)
| Instances : 144
| 1 byte states : 132
| 2 byte states : 12
| 4 byte states : 0
| Characters : 67366
| States : 41455
| Transitions : 1910758
| State Density : 18.0%
| Patterns : 4676
| Match States : 4776
| Memory (MB) : 21.56
| Patterns : 0.49
| Match Lists : 1.01
| DFA
| 1 byte states : 0.96
| 2 byte states : 18.82
| 4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 1332 ]
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Reload thread starting...
Reload thread started, thread 0x7fd8f6273700 (5649)
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.3.1 IPv6 GRE (Build 40)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.02 2010-03-19
Using ZLIB version: 1.2.3.4
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.16 <Build 18>
Preprocessor Object: SF_GTP (IPV6) Version 1.1 <Build 1>
dcerpc2 Preprocessor Statistics
Total sessions: 0
========================================================================
SIP Preprocessor Statistics
Total sessions: 0
========================================================================
Snort exiting
The number of alerts equals the number of records seen in the log; the two match. View the log details in another console, as shown below:
#tail -f /var/log/auth.log
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User- Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34939 -> 193.62.202.28:80
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User- Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34939 -> 193.62.202.28:80
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User- Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User- Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User- Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
Apr 5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User- Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34939 -> 193.62.202.28:80
Apr 5 06:24:05 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User- Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34939 -> 193.62.202.28:80
Apr 5 06:24:05 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User- Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
Apr 5 06:24:05 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User- Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
At this point the normalized Snort events can also be seen in the SIEM console, as shown in Figure 1.
3. NIDS (Network Intrusion Detection) mode
NIDS mode can be understood as sniffer mode and logging mode (in which the captured packets are stored in a specified directory) stacked on top of each other. It is the most complex working mode and also the most common way Snort is used. It is managed and configured through a specific configuration file (for example, rules can contain policies for analysing particular traffic). As a NIDS, Snort also offers six alerting mechanisms: full, fast, socket, syslog, smb (winpopup) and none. Through these alerting mechanisms we learn about the anomalous behaviour the network is exposed to. In this mode Snort must also load its rule set in order to work properly. The command is as follows:
#snort -vde -l ./log -h 10.32.14.0/24 -c /etc/snort/snort.conf
Note that a log directory must already exist in the current directory. If the -l ./log option is given, the logs that would otherwise be written to /var/log/snort/ are written to the log directory under the current directory instead.
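As an added example (not code from the original article or from Snort/OSSIM), the following Python parser normalizes syslog alert lines of the format shown above into structured events and counts hits per rule and destination, the kind of normalization the SIEM performs before display. The two TCP lines follow the log above; the ICMP line and the sshd line are constructed to show port-less alerts and non-Snort records.

```python
import re
from collections import Counter

# Snort syslog ("fast") alert format as seen in /var/log/auth.log above:
# <Mon> <day> <hh:mm:ss> <host> snort[<pid>]: [gid:sid:rev] <msg>
#   [Classification: <class>] [Priority: <n>] {<proto>} <src>[:<sport>] -> <dst>[:<dport>]
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample log: lines 1-3 follow the alerts shown in the article,
# the ICMP alert and the sshd record are made up for illustration.
SAMPLE_LOG = """\
Apr  5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34939 -> 193.62.202.28:80
Apr  5 06:24:04 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
Apr  5 06:24:05 alienvault snort[4133]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.11.201:34331 -> 52.28.229.156:80
Apr  5 06:24:09 alienvault snort[4133]: [1:382:7] ICMP PING Windows [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.11.50 -> 192.168.11.201
Apr  5 06:24:10 alienvault sshd[4200]: Accepted publickey for root from 192.168.11.10 port 51022 ssh2
"""


def parse_alert(line):
    """Normalize one syslog line into an event dict; None if it is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("pid", "gid", "sid", "rev", "priority"):
        ev[key] = int(ev[key])
    for key in ("sport", "dport"):  # absent for ICMP and other port-less protocols
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev


def summarize(lines):
    """Count alerts per (sid, dst, dport) so repeated rule hits collapse into one row each."""
    counts = Counter()
    for line in lines:
        ev = parse_alert(line)
        if ev is not None:
            counts[(ev["sid"], ev["dst"], ev["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(n, key)
```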