Differences

This shows you the differences between two versions of the page.

--- сервис_snort [2021/02/23 14:38]
val [Debian/Ubuntu]
+++ сервис_snort [2024/05/11 16:43] (current)
val [Сервис SNORT]
@@ Line 4: / Line 4: @@
   * [[https://help.ubuntu.com/community/SnortIDS]]
   * [[https://www.snort.org/downloads/community/community-rules.tar.gz|!!!Открытые правила для тестирования!!!]]
-  * [[http://www.openinfosecfoundation.org//Альтернативное решение]]
+  * [[https://sansorg.egnyte.com/dl/qsNKTUL2ld|Snort and SSL/TLS Inspection]]
+  * [[https://upcloud.com/resources/tutorials/installing-snort-on-debian|How to install Snort on Debian]]
+  * [[https://oisf.net/|Open Information Security Foundation Suricata]]
 ===== Установка, настройка, запуск сервиса =====
@@ Line 10: / Line 13: @@
 <code>
 root@server:~# apt install snort
+!!! В визарде все по умолчанию ("не понимает" интерфейс bond1)
 root@server:~# cat /etc/snort/snort.debian.conf
 </code><code>
 ...
-DEBIAN_SNORT_INTERFACE="eth2"
+#DEBIAN_SNORT_INTERFACE="eth0"
-#DEBIAN_SNORT_INTERFACE="eth1"
+#DEBIAN_SNORT_INTERFACE="bond1"
 DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
 #DEBIAN_SNORT_HOME_NET="any"
 ...
-</code><code>
+</code>
+  * [[https://serverfault.com/questions/554713/snort-not-detecting-outgoing-traffic|Snort not detecting outgoing traffic]]
+  * [[https://forum.netgate.com/topic/55909/snort-enable_xff|inside of ssl termination proxies we need to get X-Forwarded-For]]
+  * [[http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html|2.2 Preprocessors (snort_manual)]]
+<code>
 root@server:~# cat /etc/snort/snort.conf
 </code><code>
+...
+# Configure IP / TCP checksum mode
+config checksum_mode: none
+...
+preprocessor http_inspect_server: server default \
+...
+    enable_xff \
+    webroot no
 ...
 ####################################################################
@@ Line 38: / Line 57: @@
 ==== Debian/Ubuntu ====
 <code>
+# less /etc/snort/rules/web-iis.rules
 # tail -f /var/log/auth.log | grep Red
+# u2spewfoo /var/log/snort/snort.alert
 </code>
 ==== Пример атаки с isp.un ====
 <code>
-isp.un$ wget http://server.corpX.un/root.exe
+isp.un$ wget http://192.168.X.10/root.exe
+</code>
+===== Копирование alert_unified2 в syslog =====
+<code>
+# stdbuf -i0 -o0 u2spewfoo <(tail -c +1 -f /var/log/snort/snort.alert) | logger -t snort -p auth.info
+# cat /etc/systemd/system/snort-alert-unified2-syslog.service
+</code><code>
+[Unit]
+Description=Send snort alert_unified2 to syslog
+After=snort.service
+[Service]
+ExecStart=/bin/bash -c '/usr/bin/stdbuf -i0 -o0 /usr/sbin/u2spewfoo <(/usr/bin/tail -c +1 -f /var/log/snort/snort.alert) | /usr/bin/logger -t snort -p auth.info'
+[Install]
+WantedBy=multi-user.target
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools