сервис_snort

сервис_snort [2015/06/05 07:34]
val [FreeBSD]
сервис_snort [2022/03/30 12:43] (current)
val [Debian/Ubuntu]
Line 7: Line 7:
 ===== Установка,​ настройка,​ запуск сервиса ===== ===== Установка,​ настройка,​ запуск сервиса =====
  
-==== Windows ​====+==== Debian/​Ubuntu ​==== 
 +<​code>​ 
 +root@server:​~#​ apt install snort
  
-  * [[http://​www.sans.org/​security-resources/​idfaq/​running-snort-windows.php]]+!!! В визарде все по умолчанию ("не понимает"​ интерфейс bond1)
  
-=== Установка Snort === +root@server:~# cat /etc/​snort/​snort.debian.conf
- +
-  * [[http://​val.bmstu.ru/​unix/snort/​Snort_2_9_5_5_Installer.exe]] +
- +
-=== Распаковка правил === +
- +
-  * [[http://​val.bmstu.ru/​unix/snort/​snortrules-snapshot-2953.tar.gz]] (все кроме каталога etc) +
- +
-=== Настройка и тестирование конфигурации === +
-<​code>​ +
-shell>​notepad++ c:​\Snort\etc\snort.conf+
 </​code><​code>​ </​code><​code>​
 ... ...
-var RULE_PATH c:​\snort\rules +DEBIAN_SNORT_INTERFACE="​eth2"​ 
-var SO_RULE_PATH c:​\snort\rules +#​DEBIAN_SNORT_INTERFACE="​eth1"​ 
-var PREPROC_RULE_PATH c:​\snort\rules+#​DEBIAN_SNORT_INTERFACE="​bond1"​ 
 +DEBIAN_SNORT_HOME_NET="​192.168.0.0/​16"​ 
 +#​DEBIAN_SNORT_HOME_NET="​any"​
 ... ...
-#my var WHITE_LIST_PATH ../rules +</code><​code>​ 
-#my var BLACK_LIST_PATH ../rules+root@server:​~cat /​etc/​snort/​snort.conf 
 +</code><​code>​
 ... ...
-config logdirc:​\snort\log+####################################################################​ 
 +# Step #6Configure output plugins
 ... ...
-dynamicpreprocessor directory c:​\snort\lib\snort_dynamicpreprocessor +output ​alert_syslogLOG_AUTH LOG_ALERT
-... +
-dynamicengine c:​\snort\lib\snort_dynamicengine\sf_engine.dll +
-... +
-#my dynamicdetection directory /​usr/​local/​lib/​snort_dynamicrules +
-... +
-#my preprocessor normalize_ip4 +
-#my preprocessor normalize_tcp:​ ips ecn stream +
-#my preprocessor normalize_icmp4 +
-#my preprocessor normalize_ip6 +
-#my preprocessor normalize_icmp6 +
-... +
-preprocessor http_inspect:​ global iis_unicode_map c:​\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535 +
-... +
-#my preprocessor reputation: \ +
-#my   ​memcap 500, \ +
-#my   ​priority whitelist, \ +
-#my   ​nested_ip inner, \ +
-#my   ​whitelist $WHITE_LIST_PATH/​white_list.rules,​ \ +
-#my   ​blacklist $BLACK_LIST_PATH/​black_list.rules  +
-... +
-output ​alert_fast: alert.ids +
-... +
-include c:​\snort\etc\classification.config +
-include c:​\snort\etc\reference.config +
-... +
-include c:\snort\etc\threshold.conf+
 ... ...
 </​code><​code>​ </​code><​code>​
-shell>​notepad++ C:\Snort\rules\server-iis.rules+root@server:~# snort -T -S HOME_NET=[192.168.0.0/​16] -c /​etc/​snort/​snort.conf 
 + 
 +root@server:~# service snort restart 
 +</​code>​ 
 + 
 +===== Тестирование ===== 
 + 
 +==== Debian/​Ubuntu ==== 
 +<​code>​ 
 +# less /​etc/​snort/​rules/​web-iis.rules 
 + 
 +# tail -f /​var/​log/​auth.log | grep Red 
 +</​code>​ 
 + 
 +==== Пример атаки с isp.un ==== 
 +<​code>​ 
 +isp.un$ wget http://​192.168.X.10/​root.exe 
 +</​code>​ 
 + 
 +===== Создание собственных правил snort ===== 
 + 
 +  * [[http://​oreilly.com/​pub/​h/​1393|Write Your Own Snort Rules ]] 
 + 
 +==== Debian/​Ubuntu ==== 
 +<​code>​ 
 +# cat rules/local.rules
 </​code><​code>​ </​code><​code>​
-... +alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:​to_server;​ content:"​../.."; nocase; reference:​url,​wiki.val.bmstu.ru; classtype:​web-application-attack;​ sid:1000001; rev:1;)
-alert tcp $EXTERNAL_NET ​any -> $HTTP_SERVERS $HTTP_PORTS ​(msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:​to_server,​established; content:"/​root.exe"; nocase; http_uri; metadata:​ruleset community, service http; reference:​url,​www.cert.org/​advisories/​CA-2001-19.html; classtype:​web-application-attack;​ sid:1256; rev:20;) +
-...+
 </​code><​code>​ </​code><​code>​
-admin shell>​c:​\snort\bin\snort.exe ​--c c:​\Snort\etc\snort.conf ​--daq pcap+$ curl --path-as-is http://​server.corpX.un/​../​../​../​etc/​passwd
 </​code>​ </​code>​
 +===== Обновление правил snort - пакет oinkmaster =====
  
-=== Запуск ​===+==== FreeBSD ​==== 
 +<​code>​ 
 +[server:~] # pkg install oinkmaster
  
-Выбираем сетевой интерфейс (необходимо отключить ipv6)+[server:~] # rehash 
 + 
 +[server:~] # cd /​usr/​local/​etc/​ 
 +</​code>​ 
 + 
 +==== Debian/​Ubuntu ====
 <​code>​ <​code>​
-shell>c:\snort\bin\snort.exe ​-W+root@server:~# apt-get install oinkmaster 
 + 
 +root@server:​~#​ cd /etc/
 </​code>​ </​code>​
  
-Запускаем в режиме отладки+==== FreeBSD/​Debian/​Ubuntu ====
 <​code>​ <​code>​
-admin shell>c:\snort\bin\snort.exe -A console ​--c c:​\Snort\etc\snort.conf --daq pcap+server# cat oinkmaster.conf 
 +... 
 +url = http://www.snort.org/pub-bin/oinkmaster.cgi/​xxxxxxxxxxxxxxxxx/​snortrules-snapshot-2.8.tar.gz 
 +... 
 +tmpdir = /var/tmp/ 
 +... 
 + 
 +server# oinkmaster ​-o /​CHANGE/​DIR/​snort/​rules/​
 </​code>​ </​code>​
  
-Запускаем в режиме службы (консоль заблокирует)+===== Построение отчета ​о работе snort ===== 
 + 
 +==== snortsnarf (FreeBSD====
 <​code>​ <​code>​
-admin shell>c:\snort\bin\snort.exe ​-q -i 2 -c c:\Snort\etc\snort.conf --daq pcap+[server:~] # pkg_add ​-r snortsnarf 
 +</​code><​code>​ 
 +[server:~] # cat /usr/local/etc/​scripts/​snortsnarf.sh 
 +</​code><​code>​ 
 +#!/bin/sh
  
-shell>​notepad++ C:\Snort\log\alert.ids+D=`date -v-1d '+%Y.%m.%d'​` 
 + 
 +/​usr/​local/​etc/​rc.d/​snort stop 
 +/bin/mv /var/log/​snort/​alert /​var/​log/​snort/​alert. 
 +/​usr/​local/​etc/​rc.d/​snort start 
 + 
 +for i in /​var/​log/​snort/​alert.* 
 +do 
 +  cat ${i} >> /​var/​log/​snort/​alert${D} 
 +  rm ${i} 
 +done 
 +/​usr/​local/​bin/​snortsnarf -d /​usr/​local/​www/​apache22/​data/​snortsnarf/​${D}/​ -minprio=1 /​var/​log/​snort/​alert${D}  
 + 
 +rm /​var/​log/​snort/​alert${D} 
 + 
 +/​usr/​bin/​find /​usr/​local/​www/​apache22/​data/​snortsnarf/​ -mtime +60 -type d -exec rm -r {} \;
 </​code>​ </​code>​
 +
 +===== Дополнительные материалы =====
 +
 ==== FreeBSD ==== ==== FreeBSD ====
  
Line 133: Line 167:
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"​WEB-IIS CodeRed v2 root.exe access";​ flow:​to_server,​established;​ uricontent:"/​root.exe";​ nocase; metadata:​service http; reference:​url,​www.cert.org/​advisories/​CA-2001-19.html;​ classtype:​web-application-attack;​ sid:1256; rev:11;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"​WEB-IIS CodeRed v2 root.exe access";​ flow:​to_server,​established;​ uricontent:"/​root.exe";​ nocase; metadata:​service http; reference:​url,​www.cert.org/​advisories/​CA-2001-19.html;​ classtype:​web-application-attack;​ sid:1256; rev:11;)
 ... ...
-</​code><​code>​ +</​code>​ 
-[server:~] # cd /​usr/​local/​etc/​snort/​preproc_rules/​ +<​code>​ 
- +[server:​~] ​# cd /​usr/​local/​etc/​snort/​preproc_rules/​ 
-[server:~] # cp sensitive-data.rules-sample sensitive-data.rules +[server:​~] ​# cp sensitive-data.rules-sample sensitive-data.rules 
-[server:~] # cp decoder.rules-sample decoder.rules +[server:​~] ​# cp decoder.rules-sample decoder.rules 
-[server:~] # cp preprocessor.rules-sample preprocessor.rules+[server:​~] ​# cp preprocessor.rules-sample preprocessor.rules 
 +</​code>​
  
 +<​code>​
 [server:~] # snort -T -c /​usr/​local/​etc/​snort/​snort.conf [server:~] # snort -T -c /​usr/​local/​etc/​snort/​snort.conf
  
Line 155: Line 191:
 </​code>​ </​code>​
  
-==== Ubuntu ​==== +==== Windows ​====
-<​code>​ +
-root@server:​~#​ apt-get install snort+
  
-root@server:~# cat /etc/​snort/​snort.debian.conf+  * [[http://www.sans.org/​security-resources/​idfaq/​running-snort-windows.php]] 
 + 
 +=== Установка Snort === 
 + 
 +  * [[http://​val.bmstu.ru/​unix/snort/​Snort_2_9_5_5_Installer.exe]] 
 + 
 +=== Распаковка правил === 
 + 
 +  * [[http://​val.bmstu.ru/​unix/​snort/​snortrules-snapshot-2953.tar.gz]] (все кроме каталога etc) 
 + 
 +=== Настройка и тестирование конфигурации === 
 +<​code>​ 
 +shell>​notepad++ c:​\Snort\etc\snort.conf
 </​code><​code>​ </​code><​code>​
 ... ...
-DEBIAN_SNORT_INTERFACE="​eth2"​ +var RULE_PATH c:​\snort\rules 
-DEBIAN_SNORT_HOME_NET="​192.168.0.0/16"+var SO_RULE_PATH c:​\snort\rules 
 +var PREPROC_RULE_PATH c:​\snort\rules 
 +... 
 +#my var WHITE_LIST_PATH ../rules 
 +#my var BLACK_LIST_PATH ../rules 
 +... 
 +config logdir: c:​\snort\log 
 +... 
 +dynamicpreprocessor directory c:​\snort\lib\snort_dynamicpreprocessor 
 +... 
 +dynamicengine c:​\snort\lib\snort_dynamicengine\sf_engine.dll 
 +... 
 +#my dynamicdetection directory /​usr/​local/​lib/​snort_dynamicrules 
 +... 
 +#my preprocessor normalize_ip4 
 +#my preprocessor normalize_tcp:​ ips ecn stream 
 +#my preprocessor normalize_icmp4 
 +#my preprocessor normalize_ip6 
 +#my preprocessor normalize_icmp6 
 +... 
 +preprocessor http_inspect:​ global iis_unicode_map c:​\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535 
 +... 
 +#my preprocessor reputation: \ 
 +#my   ​memcap 500, \ 
 +#my   ​priority whitelist, \ 
 +#my   ​nested_ip inner, \ 
 +#my   ​whitelist $WHITE_LIST_PATH/​white_list.rules,​ \ 
 +#my   ​blacklist $BLACK_LIST_PATH/​black_list.rules  
 +... 
 +output alert_fast: alert.ids 
 +... 
 +include c:​\snort\etc\classification.config 
 +include c:​\snort\etc\reference.config 
 +... 
 +include c:​\snort\etc\threshold.conf
 ... ...
 </​code><​code>​ </​code><​code>​
-root@server:~# cat /​etc/​snort/​snort.conf+shell>​notepad++ C:\Snort\rules\server-iis.rules
 </​code><​code>​ </​code><​code>​
 ... ...
-####################################################################​ +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"​SERVER-IIS CodeRed v2 root.exe access";​ flow:​to_server,​established;​ content:"/​root.exe"; nocase; http_uri; metadata:​ruleset community, service http; reference:​url,​www.cert.org/​advisories/​CA-2001-19.html;​ classtype:​web-application-attack;​ sid:1256; rev:20;)
-# Step #6Configure output plugins +
-... +
-output alert_syslogLOG_AUTH LOG_ALERT+
 ... ...
 </​code><​code>​ </​code><​code>​
-root@server:~# snort -T -S HOME_NET=[192.168.0.0/​16] ​-c /etc/snort/snort.conf +admin shell>c:\snort\bin\snort.exe ​-T -c c:\Snort\etc\snort.conf --daq pcap
- +
-root@server:​~#​ /​etc/​init.d/​snort stop +
- +
-root@server:​~#​ snort -A console ​-S HOME_NET=[192.168.0.0/​16] -c /​etc/​snort/​snort.conf +
- +
-root@server:​~#​ /​etc/​init.d/​snort start+
 </​code>​ </​code>​
  
-===== Тестирование =====+=== Запуск ​===
  
-==== FreeBSD/​Ubuntu ====+Выбираем сетевой интерфейс (необходимо отключить ipv6)
 <​code>​ <​code>​
-# tail -f /​var/​log/​auth.log+shell>​c:​\snort\bin\snort.exe -W
 </​code>​ </​code>​
  
-==== Пример атаки ​с server.isp.un ====+Запускаем в режиме ​отладки
 <​code>​ <​code>​
-server.isp.un$ wget http://server.corpX.un/​root.exe+admin shell>​c:​\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf --daq pcap
 </​code>​ </​code>​
  
- +Запускаем в режиме службы (консоль заблокирует)
- +
-===== Создание собственных правил snort ===== +
- +
-[[http://​oreilly.com/​pub/​h/​1393]] +
- +
-==== FreBSD/​Ubuntu ====+
 <​code>​ <​code>​
-# cat rules/​local.rules +admin shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf --daq pcap
-</​code><​code>​ +
-alert tcp any any -any 80 (msg:"​Directory traversal attempt";​ flow:​to_server;​ content:"​../.."; nocase; reference:url,wiki.val.bmstu.ru;​ classtype:​web-application-attack; sid:​1000001;​ rev:1;) +
-</​code>​+
  
-===== Обновление правил snort - пакет oinkmaster ===== +shell>notepad++ C:\Snort\log\alert.ids
- +
-==== FreeBSD ==== +
-<code> +
-[server:~] # pkg install oinkmaster +
- +
-[server:~] # rehash +
- +
-[server:~] # cd /​usr/​local/​etc/​ +
-</​code>​ +
- +
-==== Ubuntu ==== +
-<​code>​ +
-root@server:​~#​ apt-get install oinkmaster +
- +
-root@server:​~#​ cd /etc/ +
-</​code>​ +
- +
-==== FreeBSD/​Ubuntu ==== +
-<​code>​ +
-server# cat oinkmaster.conf +
-... +
-url = http://​www.snort.org/​pub-bin/​oinkmaster.cgi/​xxxxxxxxxxxxxxxxx/​snortrules-snapshot-2.8.tar.gz +
-... +
-tmpdir = /var/tmp/ +
-... +
- +
-server# oinkmaster -o /​CHANGE/​DIR/​snort/​rules/​ +
-</​code>​ +
- +
-===== Построение отчета о работе snort ===== +
- +
-==== snortsnarf (FreeBSD) ==== +
-<​code>​ +
-[server:~] # pkg_add -r snortsnarf +
-</​code><​code>​ +
-[server:~] # cat /​usr/​local/​etc/​scripts/​snortsnarf.sh +
-</​code><​code>​ +
-#!/bin/sh +
- +
-D=`date -v-1d '​+%Y.%m.%d'​` +
- +
-/​usr/​local/​etc/​rc.d/​snort stop +
-/bin/mv /var/log/​snort/​alert /​var/​log/​snort/​alert. +
-/​usr/​local/​etc/​rc.d/​snort start +
- +
-for i in /​var/​log/​snort/​alert.* +
-do +
-  cat ${i} >> /​var/​log/​snort/​alert${D} +
-  rm ${i} +
-done +
-/​usr/​local/​bin/​snortsnarf -d /​usr/​local/​www/​apache22/​data/​snortsnarf/​${D}/​ -minprio=1 /​var/​log/​snort/​alert${D}  +
- +
-rm /​var/​log/​snort/​alert${D} +
- +
-/​usr/​bin/​find /​usr/​local/​www/​apache22/​data/​snortsnarf/​ -mtime +60 -type d -exec rm -r {} \;+
 </​code>​ </​code>​
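Review bot: In snortsnarf.sh on the new side of the first hunk, `rm /var/log/snort/alert${D}` runs unconditionally after the snortsnarf call, so a failed report generation still deletes the only copy of that day's alerts, and `/usr/bin/find … -mtime +60 -type d -exec rm -r {} \;` recurses into directories it is deleting (and can match the snortsnarf root itself), which needs `-mindepth 1 -maxdepth 1`. The unquoted `${i}` and `${D}` expansions in the loop and on the snortsnarf/rm lines should be double-quoted. Chaining the cleanup with `&&` keeps the raw alert file when the report fails, which matters if that log is later needed for an investigation. A secondary point in the same hunk: the local.rules entry with `content:"../.."` and `flow:to_server` but no `established` and no `http_uri` inspects every TCP payload to port 80 rather than request URIs, unlike the community rule shown later on the page that uses `flow:to_server,established; … http_uri;`, and `nocase` on a pattern with no letters is a no-op.
```shell
#!/bin/sh
# … unchanged: D=`date -v-1d …`, snort stop / mv alert / snort start …
for i in /var/log/snort/alert.*
do
  cat "${i}" >> "/var/log/snort/alert${D}"
  rm "${i}"
done
/usr/local/bin/snortsnarf -d "/usr/local/www/apache22/data/snortsnarf/${D}/" -minprio=1 "/var/log/snort/alert${D}" \
  && rm "/var/log/snort/alert${D}"

/usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mindepth 1 -maxdepth 1 -mtime +60 -type d -exec rm -r {} +
```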