Differences

This shows you the differences between two versions of the page.

--- сервис_snort [2015/06/05 07:36]
val [Ubuntu]
+++ сервис_snort [2024/12/06 14:44] (current)
val [Пример атаки с isp.un]
@@ Line 4: / Line 4: @@
   * [[https://help.ubuntu.com/community/SnortIDS]]
   * [[https://www.snort.org/downloads/community/community-rules.tar.gz|!!!Открытые правила для тестирования!!!]]
-  * [[http://www.openinfosecfoundation.org//Альтернативное решение]]
+  * [[https://sansorg.egnyte.com/dl/qsNKTUL2ld|Snort and SSL/TLS Inspection]]
+  * [[https://upcloud.com/resources/tutorials/installing-snort-on-debian|How to install Snort on Debian]]
+  * [[https://oisf.net/|Open Information Security Foundation Suricata]]
 ===== Установка, настройка, запуск сервиса =====
-==== Windows ====
+==== Debian/Ubuntu ====
+<code>
+root@server:~# apt install snort
-  * [[http://www.sans.org/security-resources/idfaq/running-snort-windows.php]]
+!!! В визарде все по умолчанию ("не понимает" интерфейс bond1)
-=== Установка Snort ===
+root@server:~# cat /etc/snort/snort.debian.conf
+</code><code>
+...
+#DEBIAN_SNORT_INTERFACE="eth0"
+#DEBIAN_SNORT_INTERFACE="bond1"
+DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
+#DEBIAN_SNORT_HOME_NET="any"
+...
+</code>
-  * [[http://val.bmstu.ru/unix/snort/Snort_2_9_5_5_Installer.exe]]
+  * [[https://serverfault.com/questions/554713/snort-not-detecting-outgoing-traffic|Snort not detecting outgoing traffic]]
+  * [[https://forum.netgate.com/topic/55909/snort-enable_xff|inside of ssl termination proxies we need to get X-Forwarded-For]]
+  * [[http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html|2.2 Preprocessors (snort_manual)]]
-=== Распаковка правил ===
-  * [[http://val.bmstu.ru/unix/snort/snortrules-snapshot-2953.tar.gz]] (все кроме каталога etc)
-=== Настройка и тестирование конфигурации ===
 <code>
-shell>notepad++ c:\Snort\etc\snort.conf
+root@server:~# cat /etc/snort/snort.conf
 </code><code>
 ...
-var RULE_PATH c:\snort\rules
+# Configure IP / TCP checksum mode
-var SO_RULE_PATH c:\snort\rules
+config checksum_mode: none
-var PREPROC_RULE_PATH c:\snort\rules
 ...
-#my var WHITE_LIST_PATH ../rules
+preprocessor http_inspect_server: server default \
-#my var BLACK_LIST_PATH ../rules
 ...
-config logdir: c:\snort\log
+    enable_xff \
+    webroot no
 ...
-dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
+####################################################################
+# Step #6: Configure output plugins
 ...
-dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
+output alert_syslog: LOG_AUTH LOG_ALERT
-...
-#my dynamicdetection directory /usr/local/lib/snort_dynamicrules
-...
-#my preprocessor normalize_ip4
-#my preprocessor normalize_tcp: ips ecn stream
-#my preprocessor normalize_icmp4
-#my preprocessor normalize_ip6
-#my preprocessor normalize_icmp6
-...
-preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
-...
-#my preprocessor reputation: \
-#my   memcap 500, \
-#my   priority whitelist, \
-#my   nested_ip inner, \
-#my   whitelist $WHITE_LIST_PATH/white_list.rules, \
-#my   blacklist $BLACK_LIST_PATH/black_list.rules
-...
-output alert_fast: alert.ids
-...
-include c:\snort\etc\classification.config
-include c:\snort\etc\reference.config
-...
-include c:\snort\etc\threshold.conf
 ...
 </code><code>
-shell>notepad++ C:\Snort\rules\server-iis.rules
+root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
+root@server:~# service snort restart
+</code>
+===== Тестирование =====
+==== Debian/Ubuntu ====
+<code>
+# less /etc/snort/rules/web-iis.rules
+# tail -f /var/log/auth.log | grep Red
+# u2spewfoo /var/log/snort/snort.alert
+</code>
+==== Пример атаки с isp.un ====
+<code>
+isp.un$ curl http://192.168.X.10/root.exe
+</code>
+===== Копирование alert_unified2 в syslog =====
+<code>
+# stdbuf -i0 -o0 u2spewfoo <(tail -c +1 -f /var/log/snort/snort.alert) | logger -t snort -p auth.info
+# cat /etc/systemd/system/snort-alert-unified2-syslog.service
 </code><code>
-...
+[Unit]
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
+Description=Send snort alert_unified2 to syslog
-...
+After=snort.service
+[Service]
+ExecStart=/bin/bash -c '/usr/bin/stdbuf -i0 -o0 /usr/sbin/u2spewfoo <(/usr/bin/tail -c +1 -f /var/log/snort/snort.alert) | /usr/bin/logger -t snort -p auth.info'
+[Install]
+WantedBy=multi-user.target
+</code>
+===== Создание собственных правил snort =====
+  * [[http://oreilly.com/pub/h/1393|Write Your Own Snort Rules ]]
+==== Debian/Ubuntu ====
+<code>
+# cat rules/local.rules
 </code><code>
-admin shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf --daq pcap
+alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;)
+</code><code>
+$ curl --path-as-is http://server.corpX.un/../../../etc/passwd
 </code>
+===== Обновление правил snort - пакет oinkmaster =====
-=== Запуск ===
+==== FreeBSD ====
+<code>
+[server:~] # pkg install oinkmaster
-Выбираем сетевой интерфейс (необходимо отключить ipv6)
+[server:~] # rehash
+[server:~] # cd /usr/local/etc/
+</code>
+==== Debian/Ubuntu ====
 <code>
-shell>c:\snort\bin\snort.exe -W
+root@server:~# apt-get install oinkmaster
+root@server:~# cd /etc/
 </code>
-Запускаем в режиме отладки
+==== FreeBSD/Debian/Ubuntu ====
 <code>
-admin shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf --daq pcap
+server# cat oinkmaster.conf
+...
+url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
+...
+tmpdir = /var/tmp/
+...
+server# oinkmaster -o /CHANGE/DIR/snort/rules/
 </code>
-Запускаем в режиме службы (консоль заблокирует)
+===== Построение отчета о работе snort =====
+==== snortsnarf (FreeBSD) ====
 <code>
-admin shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf --daq pcap
+[server:~] # pkg_add -r snortsnarf
+</code><code>
+[server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
+</code><code>
+#!/bin/sh
-shell>notepad++ C:\Snort\log\alert.ids
+D=`date -v-1d '+%Y.%m.%d'`
+/usr/local/etc/rc.d/snort stop
+/bin/mv /var/log/snort/alert /var/log/snort/alert.
+/usr/local/etc/rc.d/snort start
+for i in /var/log/snort/alert.*
+do
+  cat ${i} >> /var/log/snort/alert${D}
+  rm ${i}
+done
+/usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D}
+rm /var/log/snort/alert${D}
+/usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \;
 </code>
+===== Дополнительные материалы =====
 ==== FreeBSD ====
@@ Line 133: / Line 202: @@
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
 ...
-</code><code>
+</code>
-[server:~] # cd /usr/local/etc/snort/preproc_rules/
+<code>
+[server:~] # # cd /usr/local/etc/snort/preproc_rules/
-[server:~] # cp sensitive-data.rules-sample sensitive-data.rules
+[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
-[server:~] # cp decoder.rules-sample decoder.rules
+[server:~] # # cp decoder.rules-sample decoder.rules
-[server:~] # cp preprocessor.rules-sample preprocessor.rules
+[server:~] # # cp preprocessor.rules-sample preprocessor.rules
+</code>
+<code>
 [server:~] # snort -T -c /usr/local/etc/snort/snort.conf
@@ Line 155: / Line 226: @@
 </code>
-==== Ubuntu ====
+==== Windows ====
-<code>
-root@server:~# apt-get install snort
-root@server:~# cat /etc/snort/snort.debian.conf
+  * [[http://www.sans.org/security-resources/idfaq/running-snort-windows.php]]
+=== Установка Snort ===
+  * [[http://val.bmstu.ru/unix/snort/Snort_2_9_5_5_Installer.exe]]
+=== Распаковка правил ===
+  * [[http://val.bmstu.ru/unix/snort/snortrules-snapshot-2953.tar.gz]] (все кроме каталога etc)
+=== Настройка и тестирование конфигурации ===
+<code>
+shell>notepad++ c:\Snort\etc\snort.conf
 </code><code>
 ...
-DEBIAN_SNORT_INTERFACE="eth2"
+var RULE_PATH c:\snort\rules
-DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
+var SO_RULE_PATH c:\snort\rules
+var PREPROC_RULE_PATH c:\snort\rules
+...
+#my var WHITE_LIST_PATH ../rules
+#my var BLACK_LIST_PATH ../rules
+...
+config logdir: c:\snort\log
+...
+dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
+...
+dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
+...
+#my dynamicdetection directory /usr/local/lib/snort_dynamicrules
+...
+#my preprocessor normalize_ip4
+#my preprocessor normalize_tcp: ips ecn stream
+#my preprocessor normalize_icmp4
+#my preprocessor normalize_ip6
+#my preprocessor normalize_icmp6
+...
+preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
+...
+#my preprocessor reputation: \
+#my   memcap 500, \
+#my   priority whitelist, \
+#my   nested_ip inner, \
+#my   whitelist $WHITE_LIST_PATH/white_list.rules, \
+#my   blacklist $BLACK_LIST_PATH/black_list.rules
+...
+output alert_fast: alert.ids
+...
+include c:\snort\etc\classification.config
+include c:\snort\etc\reference.config
+...
+include c:\snort\etc\threshold.conf
 ...
 </code><code>
-root@server:~# cat /etc/snort/snort.conf
+shell>notepad++ C:\Snort\rules\server-iis.rules
 </code><code>
 ...
-####################################################################
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
-# Step #6: Configure output plugins
-...
-output alert_syslog: LOG_AUTH LOG_ALERT
 ...
 </code><code>
-root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
+admin shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf --daq pcap
-root@server:~# /etc/init.d/snort stop
-root@server:~# snort -A console -i eth2 -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
-root@server:~# /etc/init.d/snort start
 </code>
-===== Тестирование =====
+=== Запуск ===
-==== FreeBSD/Ubuntu ====
+Выбираем сетевой интерфейс (необходимо отключить ipv6)
 <code>
-# tail -f /var/log/auth.log
+shell>c:\snort\bin\snort.exe -W
 </code>
-==== Пример атаки с server.isp.un ====
+Запускаем в режиме отладки
 <code>
-server.isp.un$ wget http://server.corpX.un/root.exe
+admin shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf --daq pcap
 </code>
+Запускаем в режиме службы (консоль заблокирует)
-===== Создание собственных правил snort =====
-[[http://oreilly.com/pub/h/1393]]
-==== FreBSD/Ubuntu ====
 <code>
-# cat rules/local.rules
+admin shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf --daq pcap
-</code><code>
-alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;)
-</code>
-===== Обновление правил snort - пакет oinkmaster =====
+shell>notepad++ C:\Snort\log\alert.ids
-==== FreeBSD ====
-<code>
-[server:~] # pkg install oinkmaster
-[server:~] # rehash
-[server:~] # cd /usr/local/etc/
-</code>
-==== Ubuntu ====
-<code>
-root@server:~# apt-get install oinkmaster
-root@server:~# cd /etc/
-</code>
-==== FreeBSD/Ubuntu ====
-<code>
-server# cat oinkmaster.conf
-...
-url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
-...
-tmpdir = /var/tmp/
-...
-server# oinkmaster -o /CHANGE/DIR/snort/rules/
-</code>
-===== Построение отчета о работе snort =====
-==== snortsnarf (FreeBSD) ====
-<code>
-[server:~] # pkg_add -r snortsnarf
-</code><code>
-[server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
-</code><code>
-#!/bin/sh
-D=`date -v-1d '+%Y.%m.%d'`
-/usr/local/etc/rc.d/snort stop
-/bin/mv /var/log/snort/alert /var/log/snort/alert.
-/usr/local/etc/rc.d/snort start
-for i in /var/log/snort/alert.*
-do
-  cat ${i} >> /var/log/snort/alert${D}
-  rm ${i}
-done
-/usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D}
-rm /var/log/snort/alert${D}
-/usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \;
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools