Differences

This shows you the differences between two versions of the page.

--- сервис_snort [2017/07/05 12:21]
val [FreBSD/Debian/Ubuntu]
+++ сервис_snort [2022/03/15 13:01]
val [Debian/Ubuntu]
@@ Line 6: / Line 6: @@
   * [[http://www.openinfosecfoundation.org//Альтернативное решение]]
 ===== Установка, настройка, запуск сервиса =====
-==== FreeBSD ====
-<code>
-[server:~] # pkg install snort
-[server:~] # cat /usr/local/etc/snort/snort.conf
-</code><code>
-...
-ipvar HOME_NET [192.168.X.0/24]
-...
-####################################################################
-# Step #6: Configure output plugins
-...
-# syslog
-output alert_syslog: LOG_AUTH LOG_ALERT
-...
-###################################################
-# Step #7: Customize your rule set
-...
-# site specific rules
-include $RULE_PATH/local.rules
-include $RULE_PATH/community.rules
-...
-# закомментируйте все правила ниже
-...
-</code><code>
-[server:~] # fetch --no-verify-peer https://www.snort.org/downloads/community/community-rules.tar.gz
-[server:~] # tar -xvf community-rules.tar.gz
-[server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/
-[server:~] # touch /usr/local/etc/snort/rules/local.rules
-[server:~] # cp community-rules/sid-msg.map /usr/local/etc/snort/sid-msg.map
-[server:~] # mkdir /usr/local/etc/rules/
-[server:~] # touch /usr/local/etc/rules/black_list.rules
-[server:~] # touch /usr/local/etc/rules/white_list.rules
-!!! Раскомментировать правило
-[server:~] # cat /usr/local/etc/snort/rules/community.rules
-</code><code>
-...
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
-...
-</code>
-<code>
-[server:~] # # cd /usr/local/etc/snort/preproc_rules/
-[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
-[server:~] # # cp decoder.rules-sample decoder.rules
-[server:~] # # cp preprocessor.rules-sample preprocessor.rules
-</code>
-<code>
-[server:~] # snort -T -c /usr/local/etc/snort/snort.conf
-[server:~] # snort -A console -i em2 -c /usr/local/etc/snort/snort.conf
-[server:~] # service snort rcvar
-[server:~] # cat /etc/rc.conf
-</code><code>
-...
-snort_enable=YES
-snort_interface=em2
-</code><code>
-[server:~] # service snort start
-</code>
 ==== Debian/Ubuntu ====
 <code>
 root@server:~# apt install snort
+!!! В визарде все по умолчанию ("не понимает" интерфейс bond1)
 root@server:~# cat /etc/snort/snort.debian.conf
@@ Line 83: / Line 17: @@
 ...
 DEBIAN_SNORT_INTERFACE="eth2"
+#DEBIAN_SNORT_INTERFACE="eth1"
+#DEBIAN_SNORT_INTERFACE="bond1"
 DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
+#DEBIAN_SNORT_HOME_NET="any"
 ...
 </code><code>
@@ Line 97: / Line 34: @@
 root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
-root@server:~# service snort stop
+root@server:~# service snort restart
-root@server:~# snort -A console -i eth2 -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
-root@server:~# service snort start
 </code>
 ===== Тестирование =====
-==== FreeBSD/Debian/Ubuntu ====
+==== Debian/Ubuntu ====
 <code>
-# tail -f /var/log/auth.log
+# tail -f /var/log/auth.log | grep Red
 </code>
-==== Пример атаки с server.isp.un ====
+==== Пример атаки с isp.un ====
 <code>
-server.isp.un$ wget http://server.corpX.un/root.exe
+isp.un$ wget http://192.168.X.10/root.exe
 </code>
 ===== Создание собственных правил snort =====
-[[http://oreilly.com/pub/h/1393]]
+  * [[http://oreilly.com/pub/h/1393|Write Your Own Snort Rules ]]
-==== FreBSD/Debian/Ubuntu ====
+==== Debian/Ubuntu ====
 <code>
 # cat rules/local.rules
@@ Line 189: / Line 120: @@
 ===== Дополнительные материалы =====
+==== FreeBSD ====
+<code>
+[server:~] # pkg install snort
+[server:~] # cat /usr/local/etc/snort/snort.conf
+</code><code>
+...
+ipvar HOME_NET [192.168.X.0/24]
+...
+####################################################################
+# Step #6: Configure output plugins
+...
+# syslog
+output alert_syslog: LOG_AUTH LOG_ALERT
+...
+###################################################
+# Step #7: Customize your rule set
+...
+# site specific rules
+include $RULE_PATH/local.rules
+include $RULE_PATH/community.rules
+...
+# закомментируйте все правила ниже
+...
+</code><code>
+[server:~] # fetch --no-verify-peer https://www.snort.org/downloads/community/community-rules.tar.gz
+[server:~] # tar -xvf community-rules.tar.gz
+[server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/
+[server:~] # touch /usr/local/etc/snort/rules/local.rules
+[server:~] # cp community-rules/sid-msg.map /usr/local/etc/snort/sid-msg.map
+[server:~] # mkdir /usr/local/etc/rules/
+[server:~] # touch /usr/local/etc/rules/black_list.rules
+[server:~] # touch /usr/local/etc/rules/white_list.rules
+!!! Раскомментировать правило
+[server:~] # cat /usr/local/etc/snort/rules/community.rules
+</code><code>
+...
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
+...
+</code>
+<code>
+[server:~] # # cd /usr/local/etc/snort/preproc_rules/
+[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
+[server:~] # # cp decoder.rules-sample decoder.rules
+[server:~] # # cp preprocessor.rules-sample preprocessor.rules
+</code>
+<code>
+[server:~] # snort -T -c /usr/local/etc/snort/snort.conf
+[server:~] # snort -A console -i em2 -c /usr/local/etc/snort/snort.conf
+[server:~] # service snort rcvar
+[server:~] # cat /etc/rc.conf
+</code><code>
+...
+snort_enable=YES
+snort_interface=em2
+</code><code>
+[server:~] # service snort start
+</code>
 ==== Windows ====

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools