Snort has evolved into a powerful Network Intrusion Detection/Prevention System (NIDS/NIPS) that runs on multiple platforms, analyses traffic in real time, and logs IP packets from the network.
Online video: https://ali.kenvie.com/Test/%E9%85%8D%E7%BD%AESnort
Install Dependencies for Network Intrusion Detection
Configure Cloud CentOS7 Source
```shell
mkdir /etc/yumback                     # Create a backup folder
mv /etc/yum.repos.d/* /etc/yumback/    # Move the official repo files into the new yumback folder
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all
yum makecache
```

```shell
yum -y install epel-release
yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump nghttp2 glibc-headers gcc-c++ openssl openssl-devel
```

- gcc-c++: compiler
- flex: parser generator required by DAQ
- bison: parser generator required by DAQ
- libpcap-devel: header libraries Snort needs to capture network traffic
- libdnet-devel: not necessary, but gives Snort a simplified, portable interface to several low-level network operations
- pcre-devel: header files of pcre3 required by Snort
- tcpdump: tool for capturing network packets and printing their contents
Upload Packages for Network Intrusion Detection
Upload the following packages to the server
- daq-2.0.7.tar.gz
- libdnet-1.11.tar.gz
- libpcap-1.9.0.tar.gz
- LuaJIT-2.1.0-beta3.tar.gz
- snort-2.9.19.tar.gz
- snortrules-snapshot-29190.tar.gz
Extract Packages for Network Intrusion Detection
```shell
tar -zxvf snort-2.9.19.tar.gz
tar -zxvf daq-2.0.7.tar.gz
tar -zxvf LuaJIT-2.1.0-beta3.tar.gz
tar -zxvf libpcap-1.9.0.tar.gz
tar -zxvf libdnet-1.11.tar.gz
```
Compile and Install Sequentially
```shell
# libpcap
cd /root/libpcap-1.9.0 && ./configure && make && make install
# libdnet
cd /root/libdnet-1.11 && ./configure && make && make install
# daq
cd /root/daq-2.0.7 && ./configure && make && make install
# LuaJIT
cd /root/LuaJIT-2.1.0-beta3/src && make && cd .. && make install
# snort
cd /root/snort-2.9.19 && ./configure --enable-sourcefire && make && make install
```
Configure Snort
```shell
# The Snort install places the binary at /usr/local/bin/snort; create a symlink at /usr/sbin/snort
ln -s /usr/local/bin/snort /usr/sbin/snort
mkdir /etc/snort                          # Create the rules directory
mkdir /var/log/snort                      # Create the log directory
mkdir /usr/local/lib/snort_dynamicrules   # Create the dynamic rules directory

# Running Snort as root is unsafe, so create a dedicated user to run it
# Create the account
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort

# Download the official rules for the configuration
# Official rules download (registration required): https://snort.org/downloads
# Downloaded file: snortrules-snapshot-29190.tar.gz
tar -zxvf snortrules-snapshot-29190.tar.gz -C /etc/snort
cp /etc/snort/etc/* /etc/snort/
# Pick your system under /etc/snort/so_rules/precompiled
cp /etc/snort/so_rules/precompiled/Centos-7/x86-64/2.9.19.0/* /usr/local/lib/snort_dynamicrules/
```
Edit snort.conf
Make Four Changes
```shell
vi /etc/snort/snort.conf
```
1. Change relative paths in the following segment to absolute paths
```conf
=====Before Change========================
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
=====Before Change========================

=====After Change=========================
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
=====After Change=========================
```
2. Remove the trailing line-continuation backslash (`\`) at the end of line 321 of snort.conf, and delete lines 322 and 323

```conf
=====Before Change========================
316 iis_delimiter no \
317 iis_unicode no \
318 multi_slash no \
319 utf_8 no \
320 u_encode yes \
321 webroot no \
322 decompress_swf { deflate lzma } \
323 decompress_pdf { deflate }
324
325 # ONC-RPC normalization and anomaly detection.
=====Before Change========================

=====After Change=========================
316 iis_delimiter no \
317 iis_unicode no \
318 multi_slash no \
319 utf_8 no \
320 u_encode yes \
321 webroot no
322
323 # ONC-RPC normalization and anomaly detection.
=====After Change=========================
```
3. Change the value of the IP variable HOME_NET to the local machine's IP address

```conf
ipvar HOME_NET 192.168.200.10
```
4. Comment out the redundant rule includes by adding # to lines 540 to 655, making sure not to comment out include $RULE_PATH/local.rules

You can use this vi substitution command to do the replacement:

```shell
:%s/include $RULE_PATH/#include $RULE_PATH/g
# Then search for local.rules and uncomment that line
```

The purpose of this configuration is to make Snort, when used in intrusion detection mode, operate solely on the custom rules in the local.rules file.
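The four edits above can also be applied with sed and then checked, which is handy when the same change has to be repeated on several sensors. The script below is an added example and is not part of the original post; it works on a constructed snort.conf fragment covering only the lines the four steps touch, and CONF_PATH and the HOME_NET value are assumptions for the demo. On a real host, run it against /etc/snort/snort.conf and finish with Snort's own configuration self-test, `snort -T -c /etc/snort/snort.conf`.

```shell
#!/bin/sh
# Added example, not from the original post: the four snort.conf edits applied with
# sed, plus a few checks on the result. CONF_PATH, the HOME_NET value and the
# sample snort.conf fragment below are constructed for the demo.

# Write a constructed snort.conf fragment covering the lines the four steps touch.
write_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
ipvar HOME_NET any
preprocessor http_inspect_server: server default \
    u_encode yes \
    webroot no \
    decompress_swf { deflate lzma } \
    decompress_pdf { deflate }

# ONC-RPC normalization and anomaly detection.
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF
}

# Apply the four edits to the snort.conf at $1, using $2 as the HOME_NET value.
# Expressions in order: (1) ../ paths -> /etc/snort/ paths; (2) drop the two
# decompress_* lines and the continuation backslash after "webroot no";
# (3) set HOME_NET; (4) comment out every $RULE_PATH include, then re-enable
# local.rules only.
patch_snort_conf() {
    conf="$1"
    home_net="$2"
    sed \
        -e 's|^\(var [A-Z_]*_PATH\) \.\./|\1 /etc/snort/|' \
        -e '/^[[:space:]]*decompress_swf /d' \
        -e '/^[[:space:]]*decompress_pdf /d' \
        -e 's/^\([[:space:]]*webroot no\)[[:space:]]*\\[[:space:]]*$/\1/' \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e 's|^include \$RULE_PATH/|#include $RULE_PATH/|' \
        -e 's|^#include \$RULE_PATH/local\.rules|include $RULE_PATH/local.rules|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Number of rule includes still active in $1 (expected after patching: 1, local.rules).
active_rule_includes() { grep -c '^include \$RULE_PATH/' "$1" || true; }

# Number of path variables still relative in $1 (expected after patching: 0).
relative_paths_left() { grep -c '^var [A-Z_]*_PATH \.\./' "$1" || true; }

# The configured HOME_NET value in $1.
home_net_value() { sed -n 's/^ipvar HOME_NET //p' "$1"; }

CONF_PATH="${TMPDIR:-/tmp}/snort.conf.demo.$$"   # constructed path for the demo
write_sample_conf "$CONF_PATH"
patch_snort_conf "$CONF_PATH" 192.168.200.10
echo "active rule includes: $(active_rule_includes "$CONF_PATH")"   # 1
echo "relative paths left:  $(relative_paths_left "$CONF_PATH")"    # 0
echo "HOME_NET:             $(home_net_value "$CONF_PATH")"         # 192.168.200.10
# On the real file, finish with Snort's own config self-test:
#   snort -T -c /etc/snort/snort.conf
```

The sed script does not use `-i`, so it works with both GNU and BSD sed; the include handling relies on expression order, since a line is commented out by the sixth expression and local.rules is immediately restored by the seventh.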
Create White/Black Lists
```shell
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
```
Check If the Installation Was Successful
```text
[root@localhost ~]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.19 GRE (Build 85)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.9.0-PRE-GIT (with TPACKET_V3)
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7
```
Configure Test Rule
Ping
```shell
vi /etc/snort/rules/local.rules
# Add the following line at the end of the file
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"We are being pinged!"; icode:0; itype:8; sid:10000003; rev:1;)

# Start Snort
# Open two terminals: start Snort in one and follow the alert log in the other
shell1 : snort -e -A full -c /etc/snort/snort.conf
shell2 : tail -f /var/log/snort/alert

# Then ping the Snort host from another machine;
# the rule fires and the log in shell2 shows:
[**] [1:10000003:1] We are being pinged! [**]
[Priority: 0]
04/16-10:28:27.949163 00:50:56:C0:00:08 -> 00:0C:29:C6:6E:91 type:0x800 len:0x4A
192.168.200.1 -> 192.168.200.10 ICMP TTL:64 TOS:0x0 ID:9816 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:21 ECHO
```
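Once the ping rule fires, the next thing an analyst wants from /var/log/snort/alert is a count of hits per rule and per source address rather than raw records. The script below is an added example, not code from the original post: it parses Snort's "-A full" layout shown above (the `[**] [gid:sid:rev] msg [**]` header followed by the packet line) and goes one step beyond the ICMP case by also accepting the `src:port -> dst:port` form Snort writes for TCP and UDP alerts. ALERT_FILE, the second rule (sid 10000004) and every alert record in the sample are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a Snort "-A full" alert
# file, counting hits per rule (sid) and per source address. ALERT_FILE, the
# second rule (sid 10000004) and all records below are constructed for the demo.

# Write a constructed alert file in Snort's full-alert layout.
write_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:10000003:1] We are being pinged! [**]
[Priority: 0]
04/16-10:28:27.949163 00:50:56:C0:00:08 -> 00:0C:29:C6:6E:91 type:0x800 len:0x4A
192.168.200.1 -> 192.168.200.10 ICMP TTL:64 TOS:0x0 ID:9816 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:21 ECHO

[**] [1:10000003:1] We are being pinged! [**]
[Priority: 0]
04/16-10:28:28.951202 00:50:56:C0:00:08 -> 00:0C:29:C6:6E:91 type:0x800 len:0x4A
192.168.200.1 -> 192.168.200.10 ICMP TTL:64 TOS:0x0 ID:9817 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:22 ECHO

[**] [1:10000003:1] We are being pinged! [**]
[Priority: 0]
04/16-10:29:01.104410 00:50:56:C0:00:09 -> 00:0C:29:C6:6E:91 type:0x800 len:0x4A
192.168.200.7 -> 192.168.200.10 ICMP TTL:64 TOS:0x0 ID:4120 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:1 ECHO

[**] [1:10000004:1] Constructed TCP test rule [**]
[Priority: 0]
04/16-10:29:05.220001 00:50:56:C0:00:09 -> 00:0C:29:C6:6E:91 type:0x800 len:0x4A
192.168.200.7:51234 -> 192.168.200.10:22 TCP TTL:64 TOS:0x0 ID:4121 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFAF0  TcpLen: 40

EOF
}

# Print "sid<TAB>source<TAB>count" for every (rule, source) pair in alert file $1.
summarize_alerts() {
    awk '
        # Rule header line: [**] [gid:sid:rev] message [**]
        /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
            split($2, id, ":")          # $2 is "[gid:sid:rev]"
            sid = id[2]
            next
        }
        # Packet header line: src[:port] -> dst[:port] PROTO ... (IPv4)
        /^[0-9.]+(:[0-9]+)? -> [0-9.]+(:[0-9]+)? / {
            src = $1
            sub(/:[0-9]+$/, "", src)     # drop the source port if present
            hits[sid "\t" src]++
            next
        }
        END { for (k in hits) print k "\t" hits[k] }
    ' "$1" | sort
}

# Total hits for rule $2 in alert file $1 (0 when the rule never fired).
hits_for_sid() {
    summarize_alerts "$1" | awk -F '\t' -v s="$2" '$1 == s { n += $3 } END { print n + 0 }'
}

# Source address with the most hits in alert file $1.
top_source() {
    summarize_alerts "$1" | sort -t "$(printf '\t')" -k3,3nr | head -n 1 | cut -f 2
}

ALERT_FILE="${TMPDIR:-/tmp}/snort-alert-demo.$$"   # constructed path for the demo
write_sample_alerts "$ALERT_FILE"
summarize_alerts "$ALERT_FILE"
echo "noisiest source: $(top_source "$ALERT_FILE")"   # 192.168.200.1
# Against the live log from the ping test above:  summarize_alerts /var/log/snort/alert
```

The awk state machine keys only on the two line shapes it needs, so the `[Priority: 0]`, MAC-address and ICMP/TCP detail lines are ignored, and a record with no packet line simply contributes nothing. Only IPv4 addresses are handled, which matches the HOME_NET value used in this setup.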