
Snort official documentation: Snort3 on Centos7

The official Snort3 manual from Snort, in the original English. In 1998, Martin Roesch [1] developed the open-source intrusion detection system Snort in C. Today, Snort has grown into a powerful Network Intrusion Detection/Prevention System (NIDS/NIPS) with multi-platform support, real-time traffic analysis, and network IP packet logging. Snort is licensed under the GNU General Public License (GPL) and can be downloaded free of charge online.
Alternatively, to install PCRE from the base repository and ignore Hyperscan warnings:
# yum install pcre-devel

The pcap package (1.5.3) in the base repository, while compatible with Snort 3, is older than the latest version (1.8.1). To install PCAP (1.8.1) from source:
# wget http://www.tcpdump.org/release/libpcap-1.8.1.tar.gz
# tar xf libpcap-1.8.1.tar.gz
# cd libpcap-1.8.1
# ./configure --libdir=/usr/lib64 --includedir=/usr/include
# make && make install

Alternatively, to install PCAP (1.5.3) from the repository:
# yum install libpcap-devel

Snort 3 requires daq version 2.2.2 for packet IO. Some of the daq modules can be disabled if not used. For example, if the afpacket module will be used, other modules such as ipfw, nfq, etc. can be disabled.
# wget https://snort.org/downloads/snortplus/daq-2.2.2.tar.gz
# tar xf daq-2.2.2.tar.gz
# cd daq-2.2.2

Example - configuring daq for afpacket while disabling other modules:
# ./configure --disable-ipfw-module --disable-ipq-module --disable-nfq-module --disable-netmap-module
Build AFPacket DAQ module.: yes
Build Dump DAQ module.....: yes
Build IPFW DAQ module.....: no
Build IPQ DAQ module......: no
Build NFQ DAQ module......: no
Build PCAP DAQ module.....: yes
Build netmap DAQ module...: no

The nfq module requires an additional package to be installed prior to configuring daq: libnetfilter (libnetfilter_queue-devel).
# yum install libnetfilter_queue-devel
# ./configure --disable-ipfw-module --disable-ipq-module --disable-afpacket-module --disable-netmap-module
Build AFPacket DAQ module.: no
Build Dump DAQ module.....: yes
Build IPFW DAQ module.....: no
Build IPQ DAQ module......: no
Build NFQ DAQ module......: yes
Build PCAP DAQ module.....: yes
Build netmap DAQ module...: no

Proceed with installing DAQ:
# make && make install

Snort optional dependencies include: lzma (xz-devel), hyperscan, cpputest, flatbuffers, safec, uuid (uuid-devel), and iconv. Some of the optional dependencies will be installed from source code.

Lzma is used for decompression of SWF and PDF files. In Snort 2.9.x, this was utilized by the http_inspect preprocessor. Snort requires lzma version >= 5.1.2; the lzma package in the CentOS repository is version 5.2.2. Uuid is a library for generating and parsing Universally Unique IDs for tagging and identifying objects across a network.
# yum install xz-devel libuuid-devel

Hyperscan is a high-performance multiple regex matching library. Snort 3 can utilize Hyperscan to build the new regex and sd_pattern rule options and the hyperscan search engine. Prior to installing hyperscan, the following required dependencies should be installed and/or made available: Ragel, Boost, and the optional dependency sqlite3 (sqlite-devel).

Install sqlite3:
# yum install sqlite-devel

Download and install Ragel:
# wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
# tar xf ragel-6.10.tar.gz
# cd ragel-6.10
# ./configure && make && make install

Download and decompress Boost (no installation is required):
# wget https://dl.bintray.com/boostorg/release/1.66.0/source/boost_1_66_0.tar.gz
# tar xf boost_1_66_0.tar.gz

Download and install Hyperscan:
# wget https://github.com/intel/hyperscan/archive/v4.7.0.tar.gz -O hyperscan-4.7.0.tar.gz
# tar xf hyperscan-4.7.0.tar.gz
# mkdir hs-build && cd hs-build

There are two methods to make Hyperscan aware of the Boost headers: 1) a symlink, or 2) passing BOOST_ROOT, pointing to the root directory of the Boost headers, to cmake. Both methods are shown below.

Method 1 - Symlink:
# ln -s ~/sources/boost_1_66_0/boost ~/sources/hyperscan-4.7.0/include/boost
# cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local ../hyperscan-4.7.0

Method 2 - BOOST_ROOT:
# cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=../boost_1_66_0 ../hyperscan-4.7.0

Proceed with installing Hyperscan. Using "-j 8" runs the makefiles in parallel and speeds up the make process:
# make -j 8 && make install
# cp /usr/local/lib64/pkgconfig/libhs.pc /usr/lib64/pkgconfig/

Download and install cpputest:
# wget https://github.com/cpputest/cpputest/releases/download/v3.8/cpputest-3.8.tar.gz
# tar xf cpputest-3.8.tar.gz
# cd cpputest-3.8
# ./configure --libdir=/usr/lib64 --includedir=/usr/include && make && make install

Flatbuffers is an efficient cross-platform serialization library for games and other memory-constrained apps. It allows direct access to serialized data without unpacking/parsing it first.
# wget https://github.com/google/flatbuffers/archive/v1.8.0.tar.gz -O flatbuffers-1.8.0.tar.gz
# tar xf flatbuffers-1.8.0.tar.gz
# mkdir fb-build && cd fb-build
# cmake ../flatbuffers-1.8.0
# make -j 8 && make install

Safec is hosted on Sourceforge and some of the mirrors followed by the direct download link may be broken. If the download hangs longer than expected, switch to a different mirror.
# wget https://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz
# tar xf libsafec-10052013.tar.gz
# cd libsafec-10052013
# ./configure --libdir=/usr/lib64 --includedir=/usr/include
# make && make install

Iconv is used for converting UTF16-LE filenames to UTF8.
# wget https://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.15.tar.gz
# tar xf libiconv-1.15.tar.gz
# cd libiconv-1.15
# ./configure && make && make install

Now that all dependencies are installed, clone the Snort 3 repository from GitHub:
# git clone https://github.com/snortadmin/snort3.git
# cd snort

Before configuring Snort with the configure_cmake.sh script, set the LD_LIBRARY_PATH environment variable as below:
# export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib:/usr/local/lib

The following command will start configuring Snort with the supplied arguments such as the prefix. Note that the command may fail and generate an error related to iconv as shown below:
# ./configure_cmake.sh --prefix=/usr/local/snort
-- Looking for iconv_open
-- Looking for iconv_open - found
-- Performing Test ICONV_COMPILES
-- Performing Test ICONV_COMPILES - Failed
CMake Error at cmake/FindICONV.cmake:130 (MESSAGE):
  Unable to determine iconv() signature
Call Stack (most recent call first):
  cmake/include_libraries.cmake:25 (find_package)
  CMakeLists.txt:17 (include)
-- Configuring incomplete, errors occurred!

If the above error is encountered, add the --define=ICONV_ACCEPTS_NONCONST_INPUT:BOOL=true argument to the configuration command, so that it becomes:
# ./configure_cmake.sh --define=ICONV_ACCEPTS_NONCONST_INPUT:BOOL=true --prefix=/usr/local/snort

Once the configuration completes, the configuration summary is displayed indicating the enabled features:
-------------------------------------------------------
snort version 3.0.0

Install options:
    prefix:     /usr/local/snort
    includes:   /usr/local/snort/include/snort
    plugins:    /usr/local/snort/lib64/snort

Compiler options:
    CC:             /bin/cc
    CXX:            /bin/c++
    CFLAGS:         -fvisibility=hidden -g -ggdb
    CXXFLAGS:       -fvisibility=hidden -g -ggdb
    EXE_LDFLAGS:
    MODULE_LDFLAGS:

Feature options:
    Flatbuffers:    ON
    Hyperscan:      ON
    LZMA:           ON
    Safec:          OFF
-------------------------------------------------------
-- Build files have been written to: /root/sources/snort/build

Proceed with installing Snort 3:
# make -j 8 && make install

Once the installation is complete, verify that the Snort 3 binary is referencing the expected libraries. Note that the Snort 3 binary references the libsafec library, although the feature was reported OFF by the cmake configuration summary.
# ldd /usr/local/snort/bin/snort
    linux-vdso.so.1
    libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0
    libpcap.so.1 => /lib64/libpcap.so.1
    libdnet.so.1 => /lib64/libdnet.so.1
    libdl.so.2 => /lib64/libdl.so.2
    libpthread.so.0 => /lib64/libpthread.so.0
    libhwloc.so.5 => /lib64/libhwloc.so.5
    liblzma.so.5 => /lib64/liblzma.so.5
    libluajit-5.1.so.2 => /usr/local/lib/libluajit-5.1.so.2
    libcrypto.so.10 => /lib64/libcrypto.so.10
    libpcre.so.1 => /lib64/libpcre.so.1
    libsafec-1.0.so.1 => /lib64/libsafec-1.0.so.1
    libuuid.so.1 => /lib64/libuuid.so.1
    libz.so.1 => /lib64/libz.so.1
    libstdc++.so.6 => /lib64/libstdc++.so.6
    libm.so.6 => /lib64/libm.so.6
    libgcc_s.so.1 => /lib64/libgcc_s.so.1
    libc.so.6 => /lib64/libc.so.6
    /lib64/ld-linux-x86-64.so.2
    libnuma.so.1 => /lib64/libnuma.so.1
    libltdl.so.7 => /lib64/libltdl.so.7

Verify that Snort 3 reports its version and the names and versions of the libraries that Snort 3 is using:
# /usr/local/snort/bin/snort -V

   -*> Snort++ <*-
   Version 3.0.0 (Build 244) from 2.9.11
   By Martin Roesch & The Snort Team
   http://snort.org/contact#team
   Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
   Copyright (C) 1998-2013 Sourcefire, Inc., et al.
   Using DAQ version 2.2.2
   Using LuaJIT version 2.0.5
   Using OpenSSL 1.0.2k-fips  26 Jan 2017
   Using PCRE version 8.41 2017
   Using ZLIB version 1.2.7
   Using FlatBuffers 1.8.0
   Using Hyperscan version 4.7.0 2018-03-15
   Using LZMA version 5.2.2

Snort 3 Extras is a set of C++ or Lua plugins that extend the functionality of Snort 3 in terms of network traffic decoding, inspection, actions, and logging. One particular Snort extra plugin that is emphasized and configured in this guide is the data_log inspector plugin. The emphasis of this inspector is detailed in a later section.

Since Snort 3 was cloned from GitHub, the extra/ directory containing the plugins' source code is already available. The prefix used to install the extra plugins will follow Snort's initial installation prefix. The compile commands below will install the extra plugins into /usr/local/snort/extra/.

Before building the extra plugins, the environment variable PKG_CONFIG_PATH must be set, which also happens to be operating system (64-bit) dependent in build 244. The path can be verified by simply listing the Snort installation directory.
Build 243: PKG_CONFIG_PATH=/usr/local/snort/lib/pkgconfig
Build 244: PKG_CONFIG_PATH=/usr/local/snort/lib64/pkgconfig

# cd snort/extra
# export PKG_CONFIG_PATH=/usr/local/snort/lib64/pkgconfig
# ./configure_cmake.sh --prefix=/usr/local/snort/extra
# cd build/
# make && make install

Snort 3 includes two main configuration files, snort_defaults.lua and snort.lua. The file snort_defaults.lua contains default values for rules paths, default networks, ports, wizards, inspectors, etc. The file snort.lua is the main configuration file of Snort, allowing the implementation and configuration of Snort inspectors (preprocessors), rules files inclusion, event filters, output, etc. The file snort.lua uses the file snort_defaults.lua to import default values for various Snort configurations.

An additional file, file_magic.lua, exists in the etc/snort/ directory. This file contains pre-defined file identities based on the hexadecimal representation of the files' magic headers. These help Snort identify the file types traversing the network when applicable. This file is also used by Snort's main configuration file snort.lua and does not require any modifications.

The configuration changes and the respective Snort 3 .lua files are shown below:
Configure rules, reputation, and appID paths > snort_defaults.lua
Configure HOME_NET and EXTERNAL_NET > snort.lua
Configure ips module > snort.lua
Enable and configure reputation inspector > snort.lua
Configure AppID inspector > snort.lua
Configure file_id and file_log inspectors > snort.lua
Configure data_log inspector > snort.lua
Configure logging > snort.lua

Note that Snort inspectors and modules allow a variety of customizations and configurations. The configurations made in this section are minimal, with the purpose of getting started with Snort 3.

Snort rules, appid, and reputation lists will be stored in their respective directories. The rules/ directory will contain Snort rule files, the appid/ directory will contain the appid detectors, and the intel/ directory will contain IP blacklists and whitelists.
# mkdir -p /usr/local/snort/{rules,appid,intel}

Snort rules consist of text-based rules, and shared object (SO) rules and their associated text-based stubs. At the time of writing this guide the Shared Object rules are not available yet (http://blog.snort.org/2018/02/snort-30-ruleset-announcement.html). The rules tarball also contains Snort configuration files. The configuration files from the rules tarball will be copied to the etc/snort/ directory, and will be used in favor of the configuration files from the Snort 3 source code tarball.

To proceed with the configurations, download the rules tarball from Snort.org (Pulled Pork is not tested yet), replacing the oinkcode placeholder in the below command with the official and dedicated oinkcode:
# wget https://www.snort.org/rules/snortrules-snapshot-3000.tar.gz?oinkcode=<yourOinkcodeHere> -O snortrules-snapshot-3000.tar.gz

Extract the rules tarball and copy the rules to the rules/ directory created earlier:
# tar xf snortrules-snapshot-3000.tar.gz
# cp rules/*.rules /usr/local/snort/rules/

Copy the Snort configuration files from the extracted rules tarball's etc/ directory to the Snort etc/snort/ directory:
# cp etc/* /usr/local/snort/etc/snort/

Download and extract the OpenAppID package, and move the extracted odp/ directory to the appid/ directory created earlier:
# wget https://www.snort.org/downloads/openappid/6329 -O snort-openappid-6329.tar.gz
# tar xf snort-openappid-6329.tar.gz
# mv odp/ /usr/local/snort/appid/

Download the IP Blacklist generated by Talos and move it to the intel/ directory created earlier. Enabling the Reputation inspector while in IDS mode will generate a blacklist hit alert when a match occurs, and the traffic may not be inspected further.
# wget https://www.talosintelligence.com/documents/ip-blacklist
# mv ip-blacklist /usr/local/snort/intel/

Create an empty file for the IP whitelist, which will be configured along with the IP blacklist in the following section:
# touch /usr/local/snort/intel/ip-whitelist

Edit the snort_defaults.lua file with your favorite editor. The snapshots below show the before and after states of the configuration. The paths shown follow the conventions mentioned at the beginning of this guide.

Change from (default paths):
-- Path to your rules files (this can be a relative path)
RULE_PATH = '../rules'
BUILTIN_RULE_PATH = '../builtin_rules'
PLUGIN_RULE_PATH = '../so_rules'

-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '../lists'
BLACK_LIST_PATH = '../lists'

Change to:
-- Path to your rules files (this can be a relative path)
RULE_PATH = '../../rules'
BUILTIN_RULE_PATH = '../builtin_rules'
PLUGIN_RULE_PATH = '../so_rules'

-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '../../intel'
BLACK_LIST_PATH = '../../intel'

APPID_PATH = '/usr/local/snort/appid'

All of the remaining changes will be made in the Snort configuration file snort.lua.

The concept of home and external networks in Snort is the same as in Snort 2.X. The changes made below are just an example to demonstrate the syntax.

Change from:
-- setup the network addresses you are protecting
HOME_NET = 'any'

Change to:
-- setup the network addresses you are protecting
HOME_NET = [[ 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 ]]

The inclusion of Snort rules files (*.rules) occurs within the ips module. Using the snort.lua copied from the Snort rules tarball, the inclusion of the rules is already configured. As a result, the changes to the ips module are minimal and involve enabling decoder and inspector alerts with the option enable_builtin_rules, and explicitly defining the ips policy to tap mode. The ips policy mode governs Snort's operational mode, which includes tap, inline, and inline-test.

Change from:
ips =
{
    -- use this to enable decoder and inspector alerts
    --enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    --include = 'snort3_community.rules'

    -- The following include syntax is only valid for BUILD 243 (13-FEB-2018) and later
    -- RULE_PATH is typically set in snort_defaults.lua
    rules = [[
        include $RULE_PATH/snort3-app-detect.rules
        include $RULE_PATH/snort3-browser-chrome.rules
        include $RULE_PATH/snort3-sql.rules
        include $RULE_PATH/snort3-x11.rules
    ]]
}

Change to:
ips =
{
    mode = tap,
    -- use this to enable decoder and inspector alerts
    enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    --include = 'snort3_community.rules'

    -- The following include syntax is only valid for BUILD 243 (13-FEB-2018) and later
    -- RULE_PATH is typically set in snort_defaults.lua
    rules = [[
        include $RULE_PATH/snort3-app-detect.rules
        include $RULE_PATH/snort3-browser-chrome.rules
        include $RULE_PATH/snort3-sql.rules
        include $RULE_PATH/snort3-x11.rules
    ]]
}

The reputation inspector is disabled (commented) by default. Uncomment its section and change the values of the blacklist and whitelist variables to point to the paths of the IP address lists.

Change from:
--[[
reputation =
{
    -- configure one or both of these, then uncomment reputation
    blacklist = 'blacklist file name with ip lists',
    whitelist = 'whitelist file name with ip lists'
}
--]]

Change to:
reputation =
{
    -- configure one or both of these, then uncomment reputation
    blacklist = BLACK_LIST_PATH .. '/ip-blacklist',
    whitelist = WHITE_LIST_PATH .. '/ip-whitelist'
}

The AppID inspector is enabled by default; however, the path to the appid package and detectors is commented. Uncomment app_detector_dir and change its value to the global appid path defined earlier in the snort_defaults.lua file.

Change from:
appid =
{
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
}

Change to:
appid =
{
    -- appid requires this to use appids in rules
    app_detector_dir = APPID_PATH
}

The file_id inspector (the file_inspect preprocessor in Snort 2.x) is enabled by default in snort.lua with the following configuration options:
file_id = { file_rules = file_magic }

This allows Snort to identify the type of a file traversing a network stream via the file magic headers. The file_id inspector supports the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. Taking advantage of the file_id inspector involves:
1. Including the file magic rules. This step is completed in the default form of the inspector.
2. Configuring the inspector and defining the policy.
3. Enabling the inspector logging to generate file events.

The default configuration of the file_id inspector is expanded as follows:
file_id =
{
    file_rules = file_magic,
    file_policy =
    {
        { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
        { when = { sha256 = "E6SECCC561CACE1860638CD0BC745E59058F16349F7455E215BDDE323335500?" }, use = { verdict = 'log' } }
    }
}

The above configuration includes the file magic as required in the first step. The file policy is configured to identify files of type PDF (type id 22) via the magic headers in file_magic.lua, located in the Snort etc/snort/ directory:
{ type = "PDF", id = 22, rev = 1, magic = { { content = "| 25 50 44 46 |", offset = 0 } } }

This means that when the inspector detects a PDF file over a supported protocol, it will generate an event. The file policy is also configured to generate an event when a file with the specified SHA256 traverses the network over a supported protocol. The final step is to enable event logging for the inspector. This is accomplished with the file_log inspector at the end of the configuration file. This inspector has two Boolean options that allow logging of the packet and system time of file events:
file_log =
{
    log_pkt_time = true,
    log_sys_time = false
}

The data_log plugin is available via the extra plugins installed in an earlier step. The data_log is a passive inspector plugin that does not alter data flowing through Snort; instead, it allows for logging additional network data it is subscribed to within the Snort 3 processing workflow. The inspector can be used to log HTTP request or response headers. Recall that in Snort 2.X this was possible using the log_uri and log_hostname configuration options of the http_inspect preprocessor. These two options are no longer part of the Snort 3 http_inspect inspector, and the data_log inspector allows for capturing this additional data. The captured data is stored in the log file data.log within Snort's configured logging directory.

In order to enable the data_log inspector, the inspector must be defined in snort.lua. The example configuration below will log HTTP request headers into the data log file and limit the size of the log file to 100MB before a new log file is generated:
data_log =
{
    key = 'http_request_header_event',
    limit = 100
}

There are various logger modules available in Snort 3, either natively or via the extra plugins. Loggers are disabled (commented) by default. For this guide, the alert_fast logger will be used. Enabling this logger is accomplished by uncommenting its section and configuring it to allow logging to a file. By default Snort uses /var/log/snort for saving log files. This can also be specified at run time using the -l flag.

Change from:
--alert_fast = { }

Change to:
alert_fast =
{
    file = true
}

After the configuration is completed, create the log directory for Snort as mentioned earlier:
# mkdir -p /var/log/snort

Running Snort requires setting two environment variables, LUA_PATH and SNORT_LUA_PATH. These variables point to the lua and configuration directories within the Snort installation prefix:
# export LUA_PATH=/usr/local/snort/include/snort/lua/\?.lua\;\;
# export SNORT_LUA_PATH=/usr/local/snort/etc/snort

A packet capture was generated to help test the customized configurations. The capture contains network traffic consisting of transferring a PDF file over SMTP and HTTP, transferring a binary file with the SHA256 specified earlier in the file policy, and ICMP traffic to a test IP address (10.8.8.8) that is manually added to the blacklist. This will allow testing the various configurations made to Snort thus far.

Snort is run against the packet capture via the -r flag, while specifying the configuration file via the -c flag, the log directory via the -l flag, and the extra plugins directory (for the data_log inspector) via --plugin-path:
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -r test.pcap -l /var/log/snort --plugin-path /usr/local/snort/extra -k none

The output generated by Snort displays the loaded modules, inspectors, the status of parsing the reputation lists, and the rules and their counts:
--------------------------------------------------
o")~   Snort++ 3.0.0-243
--------------------------------------------------
Loading /usr/local/snort/etc/snort/snort.lua:
    ssh
    ...
Processing blacklist file /usr/local/snort/etc/snort/../../intel/ip-blacklist
Reputation entries loaded: 1545, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/snort/../../intel/ip-blacklist)
Processing whitelist file /usr/local/snort/etc/snort/../../intel/ip-whitelist
Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/snort/../../intel/ip-whitelist)
Finished /usr/local/snort/etc/snort/snort.lua.
Loading builtin rules:
Finished builtin rules.
Loading /usr/local/snort/etc/snort/../../rules/snort3-app-detect.rules:
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 10374
               text rules: 9897
            builtin rules: 4177
            option chains: 10374
            chain headers: 325
--------------------------------------------------

After processing the packet capture, Snort displays module and inspector counts. Relevant to this guide are the appid, data_log, reputation, and file_id inspector statistics. Note that the appid statistics do not report any ICMP flows, because the reputation inspector blacklisted the ICMP flow destined to the test IP address (10.8.8.8) and the ICMP flow was not passed through the remaining inspectors for further processing.
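The file_id policy configured above (a type rule for PDF with enable_file_signature, plus a SHA256 rule that the test pcap's binary file was meant to hit), modelled in Python as an added example that is not part of the guide or of Snort's code. FILE_MAGIC, FILE_POLICY, the sample blobs and the hash in the policy are all constructed here; the simplification that a sha256 condition turns on signature calculation for every file is an assumption about file_id, not something the guide states.

```python
import hashlib

# Constructed subset of file_magic.lua: the guide's policy matches PDF as type id 22,
# and the magic "25 50 44 46" is the ASCII header "%PDF" at offset 0.
FILE_MAGIC = [
    {"type": "PDF", "id": 22,
     "magic": [{"content": bytes.fromhex("25504446"), "offset": 0}]},
]

# Constructed sample files standing in for what the guide's test pcap carried:
# a PDF, a binary whose hash is in the policy, and an unrelated text file.
SAMPLE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"
SAMPLE_BINARY = b"\x7fELF" + bytes(range(64))
SAMPLE_TEXT = b"hello, plain text\n"
BINARY_SHA256 = hashlib.sha256(SAMPLE_BINARY).hexdigest().upper()

# Model of the guide's file_policy. The sha256 below is the constructed blob's
# digest, NOT the value used in the guide.
FILE_POLICY = [
    {"when": {"file_type_id": 22},
     "use": {"verdict": "log", "enable_file_signature": True}},
    {"when": {"sha256": BINARY_SHA256}, "use": {"verdict": "log"}},
]


def identify_file_type(data: bytes):
    """Return the id of the first magic rule whose clauses all match, else None."""
    for rule in FILE_MAGIC:
        if all(data[m["offset"]:m["offset"] + len(m["content"])] == m["content"]
               for m in rule["magic"]):
            return rule["id"]
    return None


def apply_file_policy(data: bytes, policy=FILE_POLICY):
    """Simplified model of how file_id reaches a verdict for one file.

    1. A type rule matching the identified type sets the verdict and may turn on
       signature calculation for that file.
    2. (Assumption) a sha256 rule in the policy turns on signature calculation for
       every file, so the binary can be matched even though its type is unknown.
    3. When a signature is calculated, a matching sha256 rule's verdict wins.
    Returns (file_type_id, sha256_or_None, verdict); verdict is "unknown" when no
    rule applies, which is what file_log would report for the file.
    """
    type_id = identify_file_type(data)
    verdict = "unknown"
    want_sig = any("sha256" in r["when"] for r in policy)
    for rule in policy:
        if rule["when"].get("file_type_id") == type_id and type_id is not None:
            verdict = rule["use"]["verdict"]
            want_sig = want_sig or rule["use"].get("enable_file_signature", False)
            break
    digest = None
    if want_sig:
        digest = hashlib.sha256(data).hexdigest().upper()
        for rule in policy:
            if rule["when"].get("sha256") == digest:
                verdict = rule["use"]["verdict"]
                break
    return type_id, digest, verdict
```

Running apply_file_policy over the three samples reproduces the guide's expectation: the PDF is logged by type, the binary is logged by hash despite having no magic match, and the text file yields no event.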

Uploaded 2019-04-15, size: 444KB