! SPAN: mirror both directions of f0/1 (the monitored link) onto f0/2, where
! the sensor's capture interface is presumably attached (eth1/le1 in the
! steps that follow).
monitor session 1 source interface f0/1 both
monitor session 1 destination interface f0/2
server# ifconfig eth1|le1 up
server# tcpdump -ni eth1|le1 -A -s 0 "port 80"
[server:~] # pkg_add -r snortsam
[server:~] # more /usr/local/share/doc/snortsam/README.conf
[server:~] # cd /usr/local/etc/snortsam/
root@server:~# cd /usr/src
root@server:/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.69.tar.gz
root@server:/usr/src# tar -xvf snortsam-src-2.69.tar.gz
root@server:/usr/src# cd snortsam/
root@server:/usr/src/snortsam# sh makesnortsam.sh
root@server:/usr/src/snortsam# cp snortsam /usr/sbin/
root@server:/usr/src/snortsam# mkdir /etc/snortsam
root@server:/usr/src/snortsam# cd /etc/snortsam
В случае использования aaa new-model требуется пользователь с priv-lvl = 1
server# cat snortsam.acl
conf terminal
! Drop and recreate the ACL so entries left over from earlier blocks do not
! accumulate.
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
! snortsam writes its block entries between these two markers. They sit above
! every permit, so a blocked host is denied before any permit can match.
snortsam-ciscoacl-begin
snortsam-ciscoacl-end
permit tcp any host 192.168.X.3 eq www
! Lab-wide permits: all ICMP and all UDP pass unfiltered; other TCP only when
! the ACK/RST flags indicate an already established connection.
permit icmp any any
permit udp any any
permit tcp any any established
! Everything else is dropped and logged.
deny ip any any log
end
! NOTE: the ACL still has to be bound to an interface (ip access-group); that
! step is not shown on this page.
server# cat snortsam.conf
# snortsam.conf - the blocking agent that sits between snort and the router.
# Run in the background, single-threaded.
daemon
nothreads
# Only the sensor on this host may send block requests; must agree with the
# address used in snort.conf's "output alert_fwsam" line.
accept 127.0.0.1
# Shared key the sensor has to present; must equal the key after the "/" in
# snort.conf's alert_fwsam line. "secret" is a lab placeholder, not a real key.
defaultkey secret
# Router plugin, one line per router: host, login, enable password, ACL
# template (see README.conf). Only one of the two lines below is needed: the
# first uses the FreeBSD package path, the second the Ubuntu source-install
# path. "student/tacacs" appears to be a user/password pair (cf. the aaa
# new-model note above) and "cisco" alone a line password - confirm against
# README.conf. The router credentials are stored here in clear text, so this
# file should be readable only by the account snortsam runs as.
# ciscoacl 192.168.X.1 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl
# ciscoacl 192.168.X.1 cisco cisco /etc/snortsam/snortsam.acl
logfile /var/log/snortsam.log
FreeBSD:
[server:~] # /usr/local/etc/rc.d/snortsam rcvar
[server:~] # /usr/local/etc/rc.d/snortsam start
Ubuntu:
root@server:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf
server# cat /tftpboot/snortsam.acl
! TFTP variant of the ACL template: the router pulls it with
! "copy tftp://... running-config" (see snortsam.tftp), so unlike the telnet
! variant there is no "conf terminal" here. TFTP is neither authenticated nor
! integrity-protected, so the tftpboot directory should be writable only by
! the snortsam account.
! Drop and recreate the ACL so earlier block entries do not accumulate.
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
! snortsam writes its block entries between these two markers, above every
! permit, so a blocked host is denied before any permit can match.
snortsam-ciscoacl-begin
snortsam-ciscoacl-end
permit tcp any host 192.168.X.3 eq www
! Lab-wide permits: all ICMP and all UDP pass unfiltered; other TCP only when
! the ACK/RST flags indicate an already established connection.
permit icmp any any
permit udp any any
permit tcp any any established
! Everything else is dropped and logged.
deny ip any any log
end
server# cat snortsam.tftp
copy tftp://192.168.X.1/ running-config
server# cat snortsam.conf
...
# ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
# ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp
...
server# cd /tftpboot/
FreeBSD:
[server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf
Ubuntu:
root@server:/tftpboot# snortsam /etc/snortsam/snortsam.conf
server# cat snortsam.conf
...
cisconullroute 192.168.X.1 student/tacacs cisco
...
[server:~] # cd /usr/ports/security/snort
[server:ports/security/snort] # make config
[server:ports/security/snort] # cat /var/db/ports/snort/options
...
WITH_SNORTSAM=true
...
[server:ports/security/snort] # make install clean
[server:ports/security/snort] # cd /usr/local/etc/snort/
http://www.snortsam.net/files/snort-plugin/readme.txt
root@server:~# apt-get install libpcap-dev libpcre3-dev libtool automake autoconf
root@server:~# cd /usr/src
root@server:/usr/src# wget http://dl.snort.org/downloads/116
ИЛИ
root@server:/usr/src# wget http://val.bmstu.ru/unix/snort-2.8.6.1.tar.gz
root@server:/usr/src# tar -xvf snort-2.8.6.tar.gz
root@server:/usr/src# wget http://www.snortsam.net/files/snort-plugin/snortsam-2.8.6.diff.gz
ИЛИ
root@server:/usr/src# wget http://val.bmstu.ru/unix/snortsam-src-2.69.tar.gz
root@server:/usr/src# gunzip snortsam-2.8.6.diff.gz
root@server:/usr/src# cd snort-2.8.6
root@server:/usr/src/snort-2.8.6# patch -p1 < ../snortsam-2.8.6.diff
root@server:/usr/src/snort-2.8.6# sh autojunk.sh
root@server:/usr/src/snort-2.8.6# ./configure --prefix /usr/local/snort
root@server:/usr/src/snort-2.8.6# make
root@server:/usr/src/snort-2.8.6# make install
root@server:/usr/src/snort-2.8.6# cp -r etc/ /usr/local/snort/
root@server:~# ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
root@server:~# ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
root@server:~# cd /usr/local/snort/
root@server:/usr/local/snort# wget http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
ИЛИ
root@server:/usr/local/snort# wget http://val.bmstu.ru/unix/snortrules-snapshot-2860.tar.gz
root@server:/usr/local/snort# tar -xvf snortrules-snapshot-2860.tar.gz rules/
root@server:/usr/local/snort# cd /usr/local/snort/etc
server# cat snort.conf
...
# Send alerts from the rules listed in sid-block.map to the snortsam daemon on
# this host (port 898 - snortsam's default; confirm snortsam.conf sets no other
# port) using the shared key "secret". The address must be allowed by "accept"
# and the key must equal "defaultkey" in snortsam.conf. The key is kept in
# clear text here, so snort.conf should not be world-readable.
output alert_fwsam: 127.0.0.1:898/secret
...
server# cat sid-block.map
# sid 1256 ("WEB-IIS CodeRed v2 root.exe access", web-iis.rules): ask snortsam
# to block the packet's source address for 2 minutes. The rule has to be
# uncommented in web-iis.rules for this entry to ever fire.
1256: src, 2 min
!!! Раскомментировать правило !!!
server# grep 1256 web-iis.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)
server# grep web-application-attack classification.config
config classification: web-application-attack,Web Application Attack,1
root@server:~# /usr/local/snort/bin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1