Installing Snort 3.0 on CentOS 7

1. Introduction to Snort

Snort is a free Network Intrusion Prevention System (NIPS) and Network Intrusion Detection System (NIDS). It can analyze traffic and perform protocol analysis on network packets. Using a flexible, customizable rule set, it searches and matches packet contents to detect a variety of attacks and raise alerts in real time.

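Snort 3.0 (Snort++) is an updated version of Snort. Its key features are:

  • Support for multiple packet-processing threads

  • Use of a shared configuration and attribute table

  • Use of a simple, scriptable configuration file

  • Key components made pluggable

  • Automatic service detection for portless configuration

  • Support for sticky buffers in rules

  • Automatically generated reference documentation

  • Better cross-platform support

  • Easier component testing

Additional features planned for the future:

  • Use of a shared network map

  • Support for pipelined packet processing

  • Support for hardware offload and data plane integration

  • Support for proxy mode

  • Support for Windows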

2. Install epel-release

First install epel-release; it is needed later when installing packages such as luajit, luajit-devel and cmake3.

yum install -y epel-release 

3. Refresh the package cache

Refresh the package cache and update the system. This step is optional and depends on your needs.

yum clean all
yum makecache
yum -y update

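4. Optional software

Other non-essential tools, mainly to make later configuration easier. Skip this step if you are comfortable with commands such as vi and find.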

yum install -y mlocate vim

5. Create the build directory

Create a snort build directory under the root path; the source code used in later steps is downloaded here.

mkdir /snort_src

6. Install pkg-config

Install the packages needed to compile pkg-config.

yum install -y wget gcc-c++

Download the pkg-config source, then compile and install it.

cd /snort_src
wget http://pkgconfig.freedesktop.org/releases/pkg-config-0.29.1.tar.gz -O pkg-config-0.29.1.tar.gz
tar -zxvf pkg-config-0.29.1.tar.gz
cd pkg-config-0.29.1

Pass the --with-internal-glib option to configure to resolve this error: configure: error: pkg-config and "glib-2.0 >= 2.16" not found, please set GLIB_CFLAGS and GLIB_LIBS to the correct values or pass --with-internal-glib to configure

./configure --with-internal-glib
make
make install

7. Add the required environment variables

Variables set with export apply only to the current session.

export PKG_CONFIG=/usr/local/bin/pkg-config
export PKG_CONFIG_PATH=/usr/share/pkgconfig:/usr/lib64/pkgconfig

To make them permanent, add them to ~/.bashrc.

sh -c "echo 'export PKG_CONFIG=/usr/local/bin/pkg-config' >> ~/.bashrc"
sh -c "echo 'export PKG_CONFIG_PATH=/usr/share/pkgconfig:/usr/lib64/pkgconfig' >> ~/.bashrc"
source ~/.bashrc

8. Install dependencies

Install the packages needed to compile Snort.

yum install -y libdnet libdnet-devel hwloc hwloc-devel luajit luajit-devel openssl openssl-devel libpcap libpcap-devel pcre pcre-devel flex bison cmake3 lzma xz-devel

9. Update the shared library cache

ldconfig makes shared libraries available system-wide. It has to be run manually after new shared libraries are installed.

ldconfig

By default ldconfig searches /lib, /usr/lib and the directories listed in the configuration file /etc/ld.so.conf for library files. /usr/local/lib is not among them and has to be added manually.

export LD_LIBRARY_PATH=/usr/local/lib

or

sh -c "echo 'export LD_LIBRARY_PATH=/usr/local/lib' >> ~/.bashrc"
source ~/.bashrc

10. Install NFQ

If you want to run Snort in inline mode using NFQ, or are not sure whether you will, install this package. It is not needed in IDS mode or when using afpacket for inline mode.

yum install -y libnetfilter_queue libnetfilter_queue-devel

11. Compile and install daq

cd /snort_src
wget https://www.snort.org/downloads/snortplus/daq-2.2.2.tar.gz -O daq-2.2.2.tar.gz
tar -zxvf daq-2.2.2.tar.gz
cd daq-2.2.2
./configure
make
make install

12. Scan the shared libraries

Scan the shared libraries once to make the following build easier.

ldconfig -v

13. Compile and install snort

This step requires a cmake version greater than 3.4. The default version on CentOS 7 is 2.8.12, so use cmake3.

cd /snort_src
wget https://www.snort.org/downloads/snortplus/snort-3.0.0-243-cmake.tar.gz -O snort-3.0.0-243-cmake.tar.gz
tar -zxvf snort-3.0.0-243-cmake.tar.gz
cd snort-3.0.0-/
cmake3 -DCMAKE_INSTALL_PREFIX=/usr/local
make clean
make
make install

14. Compile and install snort_extra

cd /snort_src
wget https://www.snort.org/downloads/snortplus/snort_extra-1.0.0-243-cmake.tar.gz -O snort_extra-1.0.0-243-cmake.tar.gz
tar -zxvf snort_extra-1.0.0-243-cmake.tar.gz
cd snort_extra-1.0.0-a4
cmake3 -DCMAKE_INSTALL_PREFIX=/usr/local
make clean
make
make install

15. Add environment variables

sh -c "echo 'export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;' >> ~/.bashrc"
sh -c "echo 'export SNORT_LUA_PATH=/usr/local/etc/snort' >> ~/.bashrc"
source ~/.bashrc

or

export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/usr/local/etc/snort
export LD_LIBRARY_PATH=/usr/local/lib

16. Test snort

snort -V

Extract the community rules and copy them to the rules directory.

cd /snort_src
wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz -O snort3-community-rules.tar.gz
tar -xvf snort3-community-rules.tar.gz
mkdir /usr/local/etc/snort/rules/
cp snort3-community-rules/snort3-community.rules /usr/local/etc/snort/rules/
cp snort3-community-rules/sid-msg.map /usr/local/etc/snort/rules/

Note that the snort_config.lua file is missing from this path and has to be copied over from /usr/local/include/snort/lua/.

cp /usr/local/include/snort/lua/snort_config.lua /usr/local/etc/snort/

Test the community rules.

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules

17. Download and install openappid

Note that openappid/7611 was found to have a bug during testing, so openappid/6239 is used for now.

cd /snort_src
wget https://www.snort.org/downloads/openappid/6329 -O snort-openappid.tar.gz
tar -zxvf snort-openappid.tar.gz

Copy the extracted files to /usr/local/lib.

cp -R odp /usr/local/lib

Edit the snort configuration file and add app_detector_dir.

vim /usr/local/etc/snort/snort.lua

appid = { 
    app_detector_dir = '/usr/local/lib',
}

Test the configuration after adding appid.

snort -c /usr/local/etc/snort/snort.lua --warn-all
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules --warn-all

Write a custom rule as a test.

touch /usr/local/etc/snort/rules/local.rules
vim /usr/local/etc/snort/rules/local.rules

alert tcp any any -> any any (msg:"Baidu trafic Seen"; appids:"Baidu"; sid:10000001;)

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules --warn-all
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules -i ens33 -A alert_fast -k none
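
A rules file like local.rules can be checked before it is handed to snort with -R. The function below is an added example, not part of the original article: it reports rules without a sid, sids below the local range of 1000000, sids reused within the file, and rules that use appids while app_detector_dir is unset or has no odp directory under it (the layout used in this step). The name check_rules and the one-rule-per-line layout are assumptions.

```shell
#!/bin/sh
# Added example: pre-load checks for a local Snort 3 rules file.
# Assumptions: one rule per line; check_rules is a hypothetical helper name.

# check_rules RULES_FILE SNORT_LUA
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_rules() {
    rules=$1 conf=$2 status=0

    # sid hygiene: each rule needs a sid, local sids start at 1000000,
    # and a sid must not be reused inside the file.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        !match($0, /[(;][ \t]*sid:[ \t]*[0-9]+/) {
            printf "line %d: rule has no sid\n", NR; bad = 1; next
        }
        {
            sid = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", sid)
            if (sid + 0 < 1000000) {
                printf "line %d: sid %s is below the local range\n", NR, sid
                bad = 1
            }
            if (sid in seen) {
                printf "line %d: sid %s already used on line %d\n", NR, sid, seen[sid]
                bad = 1
            } else {
                seen[sid] = NR
            }
        }
        END { exit bad + 0 }
    ' "$rules" || status=1

    # appids can only match when the appid inspector finds its detectors:
    # app_detector_dir must be set and contain the odp directory.
    if grep -v '^[[:space:]]*#' "$rules" | grep -q 'appids:'; then
        dir=$(sed -n "s/^[[:space:]]*app_detector_dir[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$conf" | head -n 1)
        if [ -z "$dir" ]; then
            echo "appids used but app_detector_dir is not set in $conf"
            status=1
        elif [ ! -d "$dir/odp" ]; then
            echo "appids used but $dir/odp does not exist"
            status=1
        fi
    fi
    return "$status"
}

# Stand-alone use: sh check_rules.sh local.rules snort.lua
if [ "$#" -eq 2 ]; then
    check_rules "$1" "$2"
fi
```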

18. Download and install the official paid rules

The official paid rules cannot be downloaded directly from the website; registration and payment are required.

cd /snort_src
wget https://www.snort.org/downloads/registered/snortrules-snapshot-3000.tar.gz
tar -zxvf snortrules-snapshot-3000.tar.gz
mv etc /usr/local/etc/snort/
mv preproc_rules /usr/local/etc/snort/
mv so_rules /usr/local/etc/snort/
mv rules /usr/local/etc/snort/

Note that the configuration file used here is the one under /usr/local/etc/snort/etc/. The snort_config.lua file is missing here as well and has to be copied over from /usr/local/include/snort/lua/, and app_detector_dir has to be added too.

cp /usr/local/include/snort/lua/snort_config.lua /usr/local/etc/snort/etc/

vim /usr/local/etc/snort/etc/snort.lua

appid = { 
    app_detector_dir = '/usr/local/lib',
}

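19. Alert output

Modify the following part of the configuration file /usr/local/etc/snort/etc/snort.lua. When file = true, alerts are written to the corresponding file; enabling this is usually enough when alert logs need to be kept. To customize the output format, change the settings as described in the comments.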

---------------------------------------------------------------------------
-- 8. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
alert_csv = {
    file = true,
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action',
    -- fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in 
    -- given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | 
    -- eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | 
    -- pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | 
    -- target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
    -- limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
    -- separator = ,: separate fields with this character sequence
}
alert_fast = {
    file = true,
    packet = true,
--    file = false: output to alert_fast.txt instead of stdout
--    packet = false: output packet dump with alert
--    limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
}
alert_full = {
    file = true,
    -- limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
}
--alert_sfsocket = {
--    file: name of unix socket file
--    rules[].gid = 1: rule generator ID { 1: }
--    rules[].sid = 1: rule signature ID { 1: }
--}
--alert_syslog = {
--    facility = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | 
--    local2 | local3 | local4 | local5 | local6 | local7 }
--    level = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug}
--    options: used to open the syslog connection { cons | ndelay | perror | pid }
--}
unified2 = {
    legacy_events = false,
    nostamp = true,
--    legacy_events = false: generate Snort 2.X style events for barnyard2 compatibility
--    limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
--    nostamp = true: append file creation time to name (in Unix Epoch format)
}

-- use --plugin-path to load plugin
--alert_json = {
--    file = false: output to alert_json.txt instead of stdout
--    fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in 
--    given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | 
--    eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | 
--    pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | 
--    target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
--    limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
--    separator = , : separate fields with this character sequence
--}

--alert_ex = {
--    upper = false: true/false → convert to upper/lower case
--}

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = {
--    file = false: output to log_codecs.txt instead of stdout
--    msg = false: include alert msg
--}
--log_hext = {
--    file = false: output to log_hext.txt instead of stdout
--    raw = false: output all full packets if true, else just TCP payload
--    limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
--    width = 20: set line width (0 is unlimited) { 0: }
--}
--log_pcap = {
--    limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
--}

-- additional logs
--packet_capture = { }
--file_log = { }

Note that alert_json, alert_ex, alert_unixsock and log_null require --plugin-path to specify the plugin path. If necessary, use -l to specify the directory where log files are saved.

snort -c /usr/local/etc/snort/etc/snort.lua --plugin-path /usr/local/lib/snort_extra -i ens33 -l /var/log/snort -A alert_json -k none
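
With file = true, alert_csv writes one line per alert with the fields in the configured order. The script below is an added example, not part of the original article, that groups such lines by rule and source address; the sample lines are constructed, and summarize_alerts and sample_alerts are hypothetical names.

```shell
#!/bin/sh
# Added example: summarize Snort alert_csv output per rule and source address.
# Assumes the field order configured above:
#   timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action
# summarize_alerts and sample_alerts are hypothetical helper names.

# Constructed sample lines (documentation addresses), plus one truncated line
# such as a partial write picked up while Snort is still logging.
sample_alerts() {
    cat <<'EOF'
08/05-15:26:52.625425, 1, TCP, raw, 60, C2S, 192.0.2.10:51514, 198.51.100.7:443, 1:10000001:0, allow
08/05-15:26:53.001200, 2, TCP, raw, 60, C2S, 192.0.2.10:51516, 198.51.100.7:443, 1:10000001:0, allow
08/05-15:27:10.430000, 9, TCP, raw, 74, C2S, 192.0.2.22:40000, 198.51.100.7:80, 1:10000002:0, allow
08/05-15:27:11.0000
EOF
}

# summarize_alerts [FILE]: print "count gid:sid:rev source" lines, busiest first.
# Reads stdin when FILE is omitted; lines with fewer than 10 fields are skipped
# and counted on stderr.
summarize_alerts() {
    awk -F',' '
        NF < 10 { skipped++; next }
        {
            # tolerate both "," and ", " as the configured separator
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            src = $7
            sub(/:[0-9]+$/, "", src)        # src_ap is address:port
            count[$9 " " src]++
        }
        END {
            for (k in count) printf "%d %s\n", count[k], k
            if (skipped) printf "skipped %d malformed line(s)\n", skipped > "/dev/stderr"
        }
    ' "${1:--}" | sort -k1,1nr -k2
}

sample_alerts | summarize_alerts
```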

20. Command-line options

This completes the Snort 3.0 installation. Below is the list of command-line options supported by Snort 3.0.

-? <option prefix> output matching command line option quick help (same as --help-options) (optional)
-A <mode> set alert mode: none, cmg, or alert_*
-B <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask
-C print out payloads with character data only (no hex)
-c <conf> use this configuration
-D run Snort in background (daemon) mode
-d dump the Application Layer
-e display the second layer header info
-f turn off fflush() calls after binary log writes
-G <0xid> (same as --logid) (0:65535)
-g <gname> run snort gid as <gname> group (or gid) after initialization
-H make hash tables deterministic
-i <iface>... list of interfaces
-k <mode> checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)
-L <mode> logging mode (none, dump, pcap, or log_*)
-l <logdir> log to this directory instead of current directory
-M log messages to syslog (not alerts)
-m <umask> set umask = <umask> (0:)
-n <count> stop after count packets (0:)
-O obfuscate the logged IP addresses
-Q enable inline mode operation
-q quiet mode - Don't show banner and status report
-R <rules> include this rules file in the default policy
-r <pcap>... (same as --pcap-list)
-S <x=v> set config variable x equal to value v
-s <snap> (same as --snaplen); default is 1514 (68:65535)
-T test and report on the current Snort configuration
-t <dir> chroots process to <dir> after initialization
-U use UTC for timestamps
-u <uname> run snort as <uname> or <uid> after initialization
-V (same as --version)
-v be verbose
-W lists available interfaces
-X dump the raw packet data starting at the link layer
-x same as --pedantic
-y include year in timestamp in the alert and log files
-z <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)
--alert-before-pass process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,...
--bpf <filter options> are standard BPF options, as seen in TCPDump
--c2x output hex for given char (see also --x2c)
--create-pidfile create PID file, even when not in Daemon mode
--daq <type> select packet acquisition module (default is pcap)
--daq-dir <dir> tell snort where to find desired DAQ
--daq-list list packet acquisition modules available in optional dir, default is static modules only
--daq-var <name=value> specify extra DAQ configuration variable
--dirty-pig don't flush packets on shutdown
--dump-builtin-rules [<module prefix>] output stub rules for selected modules (optional)
--dump-dynamic-rules output stub rules for all loaded rules libraries
--dump-defaults [<module prefix>] output module defaults in Lua format (optional)
--dump-version output the version, the whole version, and only the version
--enable-inline-test enable Inline-Test Mode Operation
--gen-msg-map dump builtin rules in gen-msg.map format for use by other tools
--help list command line options
--help-commands [<module prefix>] output matching commands (optional)
--help-config [<module prefix>] output matching config options (optional)
--help-counts [<module prefix>] output matching peg counts (optional)
--help-module <module> output description of given module
--help-modules list all available modules with brief help
--help-options [<option prefix>] output matching command line option quick help (same as -?) (optional)
--help-plugins list all available plugins with brief help
--help-signals dump available control signals
--id-offset offset to add to instance IDs when logging to files (0:65535)
--id-subdir create/use instance subdirectories in logdir instead of instance filename prefix
--id-zero use id prefix / subdirectory even with one packet thread
--list-buffers output available inspection buffers
--list-builtin [<module prefix>] output matching builtin rules (optional)
--list-gids [<module prefix>] output matching generators (optional)
--list-modules [<module type>] list all known modules of given type (optional)
--list-plugins list all known plugins
--lua <chunk> extend/override conf with chunk; may be repeated
--logid <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) (0:65535)
--markup output help in asciidoc compatible format
--max-packet-threads <count> configure maximum number of packet threads (same as -z) (0:)
--mem-check like -T but also compile search engines
--nostamps don't include timestamps in log file names
--nolock-pidfile do not try to lock Snort PID file
--pause wait for resume/quit command before processing packets/terminating
--parsing-follows-files parse relative paths from the perspective of the current configuration file
--pcap-file <file> file that contains a list of pcaps to read - read mode is implied
--pcap-list <list> a space separated list of pcaps to read - read mode is implied
--pcap-dir <dir> a directory to recurse to look for pcaps - read mode is implied
--pcap-filter <filter> filter to apply when getting pcaps from file or directory
--pcap-loop <count> read all pcaps <count> times;  0 will read until Snort is terminated (-1:)
--pcap-no-filter reset to use no filter when getting pcaps from file or directory
--pcap-reload if reading multiple pcaps, reload snort config between pcaps
--pcap-show print a line saying what pcap is currently being read
--pedantic warnings are fatal
--plugin-path <path> where to find plugins
--process-all-events process all action groups
--rule <rules> to be added to configuration; may be repeated
--rule-to-hex output so rule header to stdout for text rule on stdin
--rule-to-text output plain so rule header to stdout for text rule on stdin
--run-prefix <pfx> prepend this to each output file
--script-path <path> to a luajit script or directory containing luajit scripts
--show-plugins list module and plugin versions
--skip <n> skip 1st n packets (0:)
--snaplen <snap> set snaplen of packet (same as -s) (68:65535)
--stdin-rules read rules from stdin until EOF or a line starting with END is read
--treat-drop-as-alert converts drop, sdrop, and reject rules into alert rules during startup
--treat-drop-as-ignore use drop, sdrop, and reject rules to ignore session traffic when not inline
--version show version number (same as -V)
--warn-all enable all warnings
--warn-conf warn about configuration issues
--warn-daq warn about DAQ issues, usually related to mode
--warn-flowbits warn about flowbits that are checked but not set and vice-versa
--warn-hosts warn about host table issues
--warn-plugins warn about issues that prevent plugins from loading
--warn-rules warn about duplicate rules and rule parsing issues
--warn-scripts warn about issues discovered while processing Lua scripts
--warn-symbols warn about unknown symbols in your Lua config
--warn-vars warn about variable definition and usage issues
--x2c output ASCII char for given hex (see also --c2x)
--x2s output ASCII string for given byte code (see also --x2c)