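--- a/сервис_snort	2024/05/10 07:12 val [Debian/Ubuntu]
+++ b/сервис_snort	2024/12/06 14:44 (current) val [Пример атаки с isp.un]
@@ -4,5 +4,7 @@
 * [[https://help.ubuntu.com/community/SnortIDS]]
 * [[https://www.snort.org/downloads/community/community-rules.tar.gz|!!!Открытые правила для тестирования!!!]]
-* [[http://www.openinfosecfoundation.org//Альтернативное решение]]
+* [[https://sansorg.egnyte.com/dl/qsNKTUL2ld|Snort and SSL/TLS Inspection]]
 * [[https://upcloud.com/resources/tutorials/installing-snort-on-debian|How to install Snort on Debian]]
+
+* [[https://oisf.net/|Open Information Security Foundation Suricata]]
 ===== Установка, настройка, запуск сервиса =====
@@ -17,6 +19,5 @@
 </code><code>
 ...
-DEBIAN_SNORT_INTERFACE="eth2"
-#DEBIAN_SNORT_INTERFACE="eth1"
+#DEBIAN_SNORT_INTERFACE="eth0"
 #DEBIAN_SNORT_INTERFACE="bond1"
 DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
@@ -26,2 +27,4 @@
 * [[https://serverfault.com/questions/554713/snort-not-detecting-outgoing-traffic|Snort not detecting outgoing traffic]]
+* [[https://forum.netgate.com/topic/55909/snort-enable_xff|inside of ssl termination proxies we need to get X-Forwarded-For]]
+* [[http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html|2.2 Preprocessors (snort_manual)]]
 <code>
@@ -33,4 +36,9 @@
 # Configure IP / TCP checksum mode
 config checksum_mode: none
+...
+preprocessor http_inspect_server: server default \
+...
+enable_xff \
+webroot no
 ...
 ####################################################################
@@ -52,6 +60,25 @@
 # tail -f /var/log/auth.log | grep Red
+
+# u2spewfoo /var/log/snort/snort.alert
 </code>
 ==== Пример атаки с isp.un ====
 <code>
-isp.un$ wget http://192.168.X.10/root.exe
+isp.un$ curl http://192.168.X.10/root.exe
+</code>
+
+===== Копирование alert_unified2 в syslog =====
+<code>
+# stdbuf -i0 -o0 u2spewfoo <(tail -c +1 -f /var/log/snort/snort.alert) | logger -t snort -p auth.info
+
+# cat /etc/systemd/system/snort-alert-unified2-syslog.service
+</code><code>
+[Unit]
+Description=Send snort alert_unified2 to syslog
+After=snort.service
+
+[Service]
+ExecStart=/bin/bash -c '/usr/bin/stdbuf -i0 -o0 /usr/sbin/u2spewfoo <(/usr/bin/tail -c +1 -f /var/log/snort/snort.alert) | /usr/bin/logger -t snort -p auth.info'
+
+[Install]
+WantedBy=multi-user.target
 </code>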
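Review bot: `enable_xff` in the new http_inspect_server stanza makes Snort extract the X-Forwarded-For / True-Client-IP header and log that value as the client address alongside the alert, and that value is attacker-controlled unless the sensor only sees traffic from a proxy that overwrites the header, so it must not drive any IP-based response (the auth.log grep shown above suggests alerts are consumed downstream); a caveat next to the option, `# enable_xff trusts XFF - enable only behind a proxy that strips client-supplied XFF`, would make the placement requirement explicit. In the added systemd unit, `tail -c +1 -f` follows the open file descriptor, so if Snort rotates or recreates /var/log/snort/snort.alert the forwarder keeps reading the stale file and silently stops delivering alerts; `tail -c +1 -F` follows the name and retries instead. `After=snort.service` alone neither pulls Snort in nor restarts the pipeline when it exits, so `Wants=snort.service` under [Unit] and `Restart=on-failure` under [Service] are worth adding. The pipeline needs only read access to the alert file, so a `User=`/`Group=` matching the log's owner (whether /var/log/snort is group-readable is not visible here) would avoid running u2spewfoo and logger as root.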