This shows you the differences between two versions of the page.
сервис_snort [2021/02/23 14:38] val [Debian/Ubuntu]
сервис_snort [2024/05/11 09:06] val [Debian/Ubuntu]
Line 5: | Line 5: | ||
* [[https://www.snort.org/downloads/community/community-rules.tar.gz|!!!Открытые правила для тестирования!!!]] | * [[https://www.snort.org/downloads/community/community-rules.tar.gz|!!!Открытые правила для тестирования!!!]] | ||
* [[http://www.openinfosecfoundation.org//Альтернативное решение]] | * [[http://www.openinfosecfoundation.org//Альтернативное решение]] | ||
+ | * [[https://upcloud.com/resources/tutorials/installing-snort-on-debian|How to install Snort on Debian]] | ||
===== Установка, настройка, запуск сервиса ===== | ===== Установка, настройка, запуск сервиса ===== | ||
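Review bot: the link added in this hunk carries an English label ("How to install Snort on Debian") while the two existing entries above it are labelled in Russian; pick one language for the list. While this list is being edited, the unchanged context line `[[http://www.openinfosecfoundation.org//Альтернативное решение]]` lacks the `|` between URL and label, so DokuWiki renders the label as part of the URL; it should read `[[http://www.openinfosecfoundation.org/|Альтернативное решение]]`.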
Line 10: | Line 11: | ||
<code> | <code> | ||
root@server:~# apt install snort | root@server:~# apt install snort | ||
+ | |||
+ | !!! В визарде все по умолчанию ("не понимает" интерфейс bond1) | ||
root@server:~# cat /etc/snort/snort.debian.conf | root@server:~# cat /etc/snort/snort.debian.conf | ||
</code><code> | </code><code> | ||
... | ... | ||
- | DEBIAN_SNORT_INTERFACE="eth2" | + | #DEBIAN_SNORT_INTERFACE="eth0" |
- | #DEBIAN_SNORT_INTERFACE="eth1" | + | #DEBIAN_SNORT_INTERFACE="bond1" |
DEBIAN_SNORT_HOME_NET="192.168.0.0/16" | DEBIAN_SNORT_HOME_NET="192.168.0.0/16" | ||
#DEBIAN_SNORT_HOME_NET="any" | #DEBIAN_SNORT_HOME_NET="any" | ||
... | ... | ||
- | </code><code> | + | </code> |
+ | |||
+ | * [[https://serverfault.com/questions/554713/snort-not-detecting-outgoing-traffic|Snort not detecting outgoing traffic]] | ||
+ | * [[https://forum.netgate.com/topic/55909/snort-enable_xff|inside of ssl termination proxies we need to get X-Forwarded-For]] | ||
+ | * [[http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html|2.2 Preprocessors (snort_manual)]] | ||
+ | |||
+ | <code> | ||
root@server:~# cat /etc/snort/snort.conf | root@server:~# cat /etc/snort/snort.conf | ||
</code><code> | </code><code> | ||
+ | ... | ||
+ | # Configure IP / TCP checksum mode | ||
+ | config checksum_mode: none | ||
+ | ... | ||
+ | preprocessor http_inspect_server: server default \ | ||
+ | ... | ||
+ | enable_xff \ | ||
+ | webroot no | ||
... | ... | ||
#################################################################### | #################################################################### | ||
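Review bot: after this change both interface lines in snort.debian.conf are commented out (`#DEBIAN_SNORT_INTERFACE="eth0"` and `#DEBIAN_SNORT_INTERFACE="bond1"`), so the file no longer says which interface Snort listens on; the added remark only states that the wizard does not understand bond1. Either leave the intended interface uncommented or state how the interface is chosen when the variable is empty, otherwise a reader following the page cannot tell which traffic is actually inspected. The added `config checksum_mode: none` in snort.conf also needs a one-line comment: it turns off checksum verification for every protocol, which is the usual workaround when checksum offloading on the capture host makes Snort silently drop locally generated packets (the linked "Snort not detecting outgoing traffic" thread), but it also means Snort will inspect packets that the receiving host would discard; if only TCP is affected, the narrower value `notcp` limits that. Finally, `enable_xff` makes http_inspect take the client address from the X-Forwarded-For header, which is only meaningful when that header is set by the terminating proxy and cannot be supplied by the client; that precondition belongs next to the line.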
Line 38: | Line 55: | ||
==== Debian/Ubuntu ==== | ==== Debian/Ubuntu ==== | ||
<code> | <code> | ||
+ | # less /etc/snort/rules/web-iis.rules | ||
+ | |||
# tail -f /var/log/auth.log | grep Red | # tail -f /var/log/auth.log | grep Red | ||
</code> | </code> | ||
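Review bot: the added `# less /etc/snort/rules/web-iis.rules` gives no hint of which rule the reader is meant to find in that file, while the next line filters alerts with `grep Red`; add a short remark naming the rule (or the string to search for in the file) so the reader can connect the rule to the alert it produces in /var/log/auth.log.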
Line 43: | Line 62: | ||
==== Пример атаки с isp.un ==== | ==== Пример атаки с isp.un ==== | ||
<code> | <code> | ||
- | isp.un$ wget http://server.corpX.un/root.exe | + | isp.un$ wget http://192.168.X.10/root.exe |
</code> | </code> | ||
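Review bot: replacing `server.corpX.un` with `192.168.X.10` removes the dependency on name resolution, but the section still shows no expected result; add the alert line that `tail -f /var/log/auth.log | grep Red` should print after this request so a reader can confirm the detection fired. Since the HTTP rules are written against `$HTTP_SERVERS`, which snort.conf defaults to `$HOME_NET`, it is also worth stating that the target address has to sit inside `DEBIAN_SNORT_HOME_NET="192.168.0.0/16"` (true for any X here) and that the request must cross the interface Snort is listening on.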