Differences

This shows you the differences between two versions of the page.

--- сервис_snort [2015/06/03 14:06]
val [Windows]
+++ сервис_snort [2022/03/15 13:01]
val [Debian/Ubuntu]
@@ Line 7: / Line 7: @@
 ===== Установка, настройка, запуск сервиса =====
-==== Windows ====
+==== Debian/Ubuntu ====
+<code>
+root@server:~# apt install snort
-  * [[http://www.sans.org/security-resources/idfaq/running-snort-windows.php]]
+!!! В визарде все по умолчанию ("не понимает" интерфейс bond1)
-=== Установка Snort ===
+root@server:~# cat /etc/snort/snort.debian.conf
-  * [[http://val.bmstu.ru/unix/snort/Snort_2_9_5_5_Installer.exe]]
-=== Распаковка правил ===
-  * [[http://val.bmstu.ru/unix/snort/snortrules-snapshot-2953.tar.gz]] (все кроме каталога etc)
-=== Настройка и тестирование конфигурации ===
-<code>
-shell>notepad++ c:\Snort\etc\snort.conf
 </code><code>
 ...
-var RULE_PATH c:\snort\rules
+DEBIAN_SNORT_INTERFACE="eth2"
-var SO_RULE_PATH c:\snort\rules
+#DEBIAN_SNORT_INTERFACE="eth1"
-var PREPROC_RULE_PATH c:\snort\rules
+#DEBIAN_SNORT_INTERFACE="bond1"
+DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
+#DEBIAN_SNORT_HOME_NET="any"
 ...
-#my var WHITE_LIST_PATH ../rules
+</code><code>
-#my var BLACK_LIST_PATH ../rules
+root@server:~# cat /etc/snort/snort.conf
+</code><code>
 ...
-config logdir: c:\snort\log
+####################################################################
+# Step #6: Configure output plugins
 ...
-dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
+output alert_syslog: LOG_AUTH LOG_ALERT
-...
-dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
-...
-#my dynamicdetection directory /usr/local/lib/snort_dynamicrules
-...
-#my preprocessor normalize_ip4
-#my preprocessor normalize_tcp: ips ecn stream
-#my preprocessor normalize_icmp4
-#my preprocessor normalize_ip6
-#my preprocessor normalize_icmp6
-...
-preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
-...
-#my preprocessor reputation: \
-#my   memcap 500, \
-#my   priority whitelist, \
-#my   nested_ip inner, \
-#my   whitelist $WHITE_LIST_PATH/white_list.rules, \
-#my   blacklist $BLACK_LIST_PATH/black_list.rules
-...
-output alert_fast: alert.ids
-...
-include c:\snort\etc\classification.config
-include c:\snort\etc\reference.config
-...
-include c:\snort\etc\threshold.conf
 ...
 </code><code>
-shell>notepad++ C:\Snort\rules\server-iis.rules
+root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
+root@server:~# service snort restart
+</code>
+===== Тестирование =====
+==== Debian/Ubuntu ====
+<code>
+# tail -f /var/log/auth.log | grep Red
+</code>
+==== Пример атаки с isp.un ====
+<code>
+isp.un$ wget http://192.168.X.10/root.exe
+</code>
+===== Создание собственных правил snort =====
+  * [[http://oreilly.com/pub/h/1393|Write Your Own Snort Rules ]]
+==== Debian/Ubuntu ====
+<code>
+# cat rules/local.rules
 </code><code>
-...
+alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
-...
 </code><code>
-admin shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf --daq pcap
+$ curl --path-as-is http://server.corpX.un/../../../etc/passwd
 </code>
+===== Обновление правил snort - пакет oinkmaster =====
-=== Запуск ===
+==== FreeBSD ====
+<code>
+[server:~] # pkg install oinkmaster
-Выбираем сетевой интерфейс (необходимо отключить ipv6)
+[server:~] # rehash
+[server:~] # cd /usr/local/etc/
+</code>
+==== Debian/Ubuntu ====
 <code>
-shell>c:\snort\bin\snort.exe -W
+root@server:~# apt-get install oinkmaster
+root@server:~# cd /etc/
 </code>
-Запускаем в режиме отладки
+==== FreeBSD/Debian/Ubuntu ====
 <code>
-admin shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf --daq pcap
+server# cat oinkmaster.conf
+...
+url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
+...
+tmpdir = /var/tmp/
+...
+server# oinkmaster -o /CHANGE/DIR/snort/rules/
 </code>
-Запускаем в режиме службы (консоль заблокирует)
+===== Построение отчета о работе snort =====
+==== snortsnarf (FreeBSD) ====
 <code>
-admin shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf --daq pcap
+[server:~] # pkg_add -r snortsnarf
+</code><code>
+[server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
+</code><code>
+#!/bin/sh
-shell>notepad++ C:\Snort\log\alert.ids
+D=`date -v-1d '+%Y.%m.%d'`
+/usr/local/etc/rc.d/snort stop
+/bin/mv /var/log/snort/alert /var/log/snort/alert.
+/usr/local/etc/rc.d/snort start
+for i in /var/log/snort/alert.*
+do
+  cat ${i} >> /var/log/snort/alert${D}
+  rm ${i}
+done
+/usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D}
+rm /var/log/snort/alert${D}
+/usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \;
 </code>
+===== Дополнительные материалы =====
 ==== FreeBSD ====
@@ Line 133: / Line 165: @@
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
 ...
-</code><code>
+</code>
-[server:~] # cd /usr/local/etc/snort/preproc_rules/
+<code>
+[server:~] # # cd /usr/local/etc/snort/preproc_rules/
-[server:~] # cp sensitive-data.rules-sample sensitive-data.rules
+[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
-[server:~] # cp decoder.rules-sample decoder.rules
+[server:~] # # cp decoder.rules-sample decoder.rules
-[server:~] # cp preprocessor.rules-sample preprocessor.rules
+[server:~] # # cp preprocessor.rules-sample preprocessor.rules
+</code>
+<code>
 [server:~] # snort -T -c /usr/local/etc/snort/snort.conf
-[server:~] # snort -A console -c /usr/local/etc/snort/snort.conf
+[server:~] # snort -A console -i em2 -c /usr/local/etc/snort/snort.conf
 [server:~] # service snort rcvar
@@ Line 155: / Line 189: @@
 </code>
-==== Ubuntu ====
+==== Windows ====
-<code>
-root@server:~# apt-get install snort
-root@server:~# cat /etc/snort/snort.debian.conf
+  * [[http://www.sans.org/security-resources/idfaq/running-snort-windows.php]]
+=== Установка Snort ===
+  * [[http://val.bmstu.ru/unix/snort/Snort_2_9_5_5_Installer.exe]]
+=== Распаковка правил ===
+  * [[http://val.bmstu.ru/unix/snort/snortrules-snapshot-2953.tar.gz]] (все кроме каталога etc)
+=== Настройка и тестирование конфигурации ===
+<code>
+shell>notepad++ c:\Snort\etc\snort.conf
 </code><code>
 ...
-DEBIAN_SNORT_INTERFACE="eth2"
+var RULE_PATH c:\snort\rules
-DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
+var SO_RULE_PATH c:\snort\rules
+var PREPROC_RULE_PATH c:\snort\rules
+...
+#my var WHITE_LIST_PATH ../rules
+#my var BLACK_LIST_PATH ../rules
+...
+config logdir: c:\snort\log
+...
+dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
+...
+dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
+...
+#my dynamicdetection directory /usr/local/lib/snort_dynamicrules
+...
+#my preprocessor normalize_ip4
+#my preprocessor normalize_tcp: ips ecn stream
+#my preprocessor normalize_icmp4
+#my preprocessor normalize_ip6
+#my preprocessor normalize_icmp6
+...
+preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
+...
+#my preprocessor reputation: \
+#my   memcap 500, \
+#my   priority whitelist, \
+#my   nested_ip inner, \
+#my   whitelist $WHITE_LIST_PATH/white_list.rules, \
+#my   blacklist $BLACK_LIST_PATH/black_list.rules
+...
+output alert_fast: alert.ids
+...
+include c:\snort\etc\classification.config
+include c:\snort\etc\reference.config
+...
+include c:\snort\etc\threshold.conf
 ...
 </code><code>
-root@server:~# cat /etc/snort/snort.conf
+shell>notepad++ C:\Snort\rules\server-iis.rules
 </code><code>
 ...
-####################################################################
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
-# Step #6: Configure output plugins
-...
-output alert_syslog: LOG_AUTH LOG_ALERT
 ...
 </code><code>
-root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
+admin shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf --daq pcap
-root@server:~# /etc/init.d/snort stop
-root@server:~# snort -A console -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
-root@server:~# /etc/init.d/snort start
 </code>
-===== Тестирование =====
+=== Запуск ===
-==== FreeBSD/Ubuntu ====
+Выбираем сетевой интерфейс (необходимо отключить ipv6)
 <code>
-# tail -f /var/log/auth.log
+shell>c:\snort\bin\snort.exe -W
 </code>
-==== Пример атаки с server.isp.un ====
+Запускаем в режиме отладки
 <code>
-server.isp.un$ wget http://server.corpX.un/root.exe
+admin shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf --daq pcap
 </code>
+Запускаем в режиме службы (консоль заблокирует)
-===== Создание собственных правил snort =====
-[[http://oreilly.com/pub/h/1393]]
-==== FreBSD/Ubuntu ====
 <code>
-# cat rules/local.rules
+admin shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf --daq pcap
-</code><code>
-alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;)
-</code>
-===== Обновление правил snort - пакет oinkmaster =====
+shell>notepad++ C:\Snort\log\alert.ids
-==== FreeBSD ====
-<code>
-[server:~] # pkg install oinkmaster
-[server:~] # rehash
-[server:~] # cd /usr/local/etc/
-</code>
-==== Ubuntu ====
-<code>
-root@server:~# apt-get install oinkmaster
-root@server:~# cd /etc/
-</code>
-==== FreeBSD/Ubuntu ====
-<code>
-server# cat oinkmaster.conf
-...
-url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
-...
-tmpdir = /var/tmp/
-...
-server# oinkmaster -o /CHANGE/DIR/snort/rules/
-</code>
-===== Построение отчета о работе snort =====
-==== snortsnarf (FreeBSD) ====
-<code>
-[server:~] # pkg_add -r snortsnarf
-</code><code>
-[server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
-</code><code>
-#!/bin/sh
-D=`date -v-1d '+%Y.%m.%d'`
-/usr/local/etc/rc.d/snort stop
-/bin/mv /var/log/snort/alert /var/log/snort/alert.
-/usr/local/etc/rc.d/snort start
-for i in /var/log/snort/alert.*
-do
-  cat ${i} >> /var/log/snort/alert${D}
-  rm ${i}
-done
-/usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D}
-rm /var/log/snort/alert${D}
-/usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \;
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools