Differences

This shows you the differences between two versions of the page.

--- сервис_snort [2017/07/05 11:47]
val
+++ сервис_snort [2024/05/11 15:45]
val [alert_unified2 to syslog]
@@ Line 5: / Line 5: @@
   * [[https://www.snort.org/downloads/community/community-rules.tar.gz|!!!Открытые правила для тестирования!!!]]
   * [[http://www.openinfosecfoundation.org//Альтернативное решение]]
+  * [[https://upcloud.com/resources/tutorials/installing-snort-on-debian|How to install Snort on Debian]]
 ===== Установка, настройка, запуск сервиса =====
-==== FreeBSD ====
+==== Debian/Ubuntu ====
 <code>
-[server:~] # pkg install snort
+root@server:~# apt install snort
-[server:~] # cat /usr/local/etc/snort/snort.conf
+!!! В визарде все по умолчанию ("не понимает" интерфейс bond1)
-</code><code>
-...
-ipvar HOME_NET [192.168.X.0/24]
-...
-####################################################################
-# Step #6: Configure output plugins
-...
-# syslog
-output alert_syslog: LOG_AUTH LOG_ALERT
-...
-###################################################
-# Step #7: Customize your rule set
-...
-# site specific rules
-include $RULE_PATH/local.rules
-include $RULE_PATH/community.rules
-...
-# закомментируйте все правила ниже
-...
-</code><code>
-[server:~] # fetch --no-verify-peer https://www.snort.org/downloads/community/community-rules.tar.gz
-[server:~] # tar -xvf community-rules.tar.gz
+root@server:~# cat /etc/snort/snort.debian.conf
-[server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/
-[server:~] # touch /usr/local/etc/snort/rules/local.rules
-[server:~] # cp community-rules/sid-msg.map /usr/local/etc/snort/sid-msg.map
-[server:~] # mkdir /usr/local/etc/rules/
-[server:~] # touch /usr/local/etc/rules/black_list.rules
-[server:~] # touch /usr/local/etc/rules/white_list.rules
-!!! Раскомментировать правило
-[server:~] # cat /usr/local/etc/snort/rules/community.rules
 </code><code>
 ...
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
+#DEBIAN_SNORT_INTERFACE="eth0"
+#DEBIAN_SNORT_INTERFACE="bond1"
+DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
+#DEBIAN_SNORT_HOME_NET="any"
 ...
-</code>
-<code>
-[server:~] # # cd /usr/local/etc/snort/preproc_rules/
-[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
-[server:~] # # cp decoder.rules-sample decoder.rules
-[server:~] # # cp preprocessor.rules-sample preprocessor.rules
 </code>
-<code>
+  * [[https://serverfault.com/questions/554713/snort-not-detecting-outgoing-traffic|Snort not detecting outgoing traffic]]
-[server:~] # snort -T -c /usr/local/etc/snort/snort.conf
+  * [[https://forum.netgate.com/topic/55909/snort-enable_xff|inside of ssl termination proxies we need to get X-Forwarded-For]]
+  * [[http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html|2.2 Preprocessors (snort_manual)]]
-[server:~] # snort -A console -i em2 -c /usr/local/etc/snort/snort.conf
-[server:~] # service snort rcvar
-[server:~] # cat /etc/rc.conf
-</code><code>
-...
-snort_enable=YES
-snort_interface=em2
-</code><code>
-[server:~] # service snort start
-</code>
-==== Debian/Ubuntu ====
 <code>
-root@server:~# apt install snort
+root@server:~# cat /etc/snort/snort.conf
-root@server:~# cat /etc/snort/snort.debian.conf
 </code><code>
 ...
-DEBIAN_SNORT_INTERFACE="eth2"
+# Configure IP / TCP checksum mode
-DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
+config checksum_mode: none
 ...
-</code><code>
+preprocessor http_inspect_server: server default \
-root@server:~# cat /etc/snort/snort.conf
+...
-</code><code>
+    enable_xff \
+    webroot no
 ...
 ####################################################################
@@ Line 97: / Line 48: @@
 root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
-root@server:~# service snort stop
+root@server:~# service snort restart
-root@server:~# snort -A console -i eth2 -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
-root@server:~# service snort start
 </code>
 ===== Тестирование =====
-==== FreeBSD/Debian/Ubuntu ====
+==== Debian/Ubuntu ====
 <code>
-# tail -f /var/log/auth.log
+# less /etc/snort/rules/web-iis.rules
+# tail -f /var/log/auth.log | grep Red
+# u2spewfoo /var/log/snort/snort.alert
 </code>
-==== Пример атаки с server.isp.un ====
+==== Пример атаки с isp.un ====
 <code>
-server.isp.un$ wget http://server.corpX.un/root.exe
+isp.un$ wget http://192.168.X.10/root.exe
 </code>
+===== Копирование alert_unified2 в syslog =====
+<code>
+# stdbuf -i0 -o0 u2spewfoo <(tail -c +1 -f /var/log/snort/snort.alert) | logger -t snort -p auth.info
+# cat /etc/systemd/system/snort-alert-unified2-syslog.service
+</code><code>
+[Unit]
+Description=Send snort alert_unified2 to syslog
+After=snort.service
+[Service]
+ExecStart=/bin/bash -c '/usr/bin/stdbuf -i0 -o0 /usr/sbin/u2spewfoo <(/usr/bin/tail -c +1 -f /var/log/snort/snort.alert) | /usr/bin/logger -t snort -p auth.info'
+[Install]
+WantedBy=multi-user.target
+</code>
 ===== Создание собственных правил snort =====
-[[http://oreilly.com/pub/h/1393]]
+  * [[http://oreilly.com/pub/h/1393|Write Your Own Snort Rules ]]
-==== FreBSD/Debian/Ubuntu ====
+==== Debian/Ubuntu ====
 <code>
 # cat rules/local.rules
 </code><code>
 alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;)
+</code><code>
+$ curl --path-as-is http://server.corpX.un/../../../etc/passwd
 </code>
 ===== Обновление правил snort - пакет oinkmaster =====
@@ Line 188: / Line 155: @@
 ===== Дополнительные материалы =====
+==== FreeBSD ====
+<code>
+[server:~] # pkg install snort
+[server:~] # cat /usr/local/etc/snort/snort.conf
+</code><code>
+...
+ipvar HOME_NET [192.168.X.0/24]
+...
+####################################################################
+# Step #6: Configure output plugins
+...
+# syslog
+output alert_syslog: LOG_AUTH LOG_ALERT
+...
+###################################################
+# Step #7: Customize your rule set
+...
+# site specific rules
+include $RULE_PATH/local.rules
+include $RULE_PATH/community.rules
+...
+# закомментируйте все правила ниже
+...
+</code><code>
+[server:~] # fetch --no-verify-peer https://www.snort.org/downloads/community/community-rules.tar.gz
+[server:~] # tar -xvf community-rules.tar.gz
+[server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/
+[server:~] # touch /usr/local/etc/snort/rules/local.rules
+[server:~] # cp community-rules/sid-msg.map /usr/local/etc/snort/sid-msg.map
+[server:~] # mkdir /usr/local/etc/rules/
+[server:~] # touch /usr/local/etc/rules/black_list.rules
+[server:~] # touch /usr/local/etc/rules/white_list.rules
+!!! Раскомментировать правило
+[server:~] # cat /usr/local/etc/snort/rules/community.rules
+</code><code>
+...
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
+...
+</code>
+<code>
+[server:~] # # cd /usr/local/etc/snort/preproc_rules/
+[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
+[server:~] # # cp decoder.rules-sample decoder.rules
+[server:~] # # cp preprocessor.rules-sample preprocessor.rules
+</code>
+<code>
+[server:~] # snort -T -c /usr/local/etc/snort/snort.conf
+[server:~] # snort -A console -i em2 -c /usr/local/etc/snort/snort.conf
+[server:~] # service snort rcvar
+[server:~] # cat /etc/rc.conf
+</code><code>
+...
+snort_enable=YES
+snort_interface=em2
+</code><code>
+[server:~] # service snort start
+</code>
 ==== Windows ====

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools