User Tools
сервис_snortsam
Table of Contents
Сервис SNORTSAM
Установка пакета
FreeBSD
# pkg install snortsam # more /usr/local/share/doc/snortsam/README.conf # cd /usr/local/etc/snortsam/
Debian/Ubuntu
Не поддерживается
Базовая конфигурация
# cat snortsam.conf
daemon nothreads accept 127.0.0.1 defaultkey secret logfile /var/log/snortsam.log
Настройка блокировки
netfilter
gate# cat snortsam.conf
... iptables eth1 log
ipfilter
ipfw2
http://www.lissyara.su/articles/freebsd/security/snort/
gate# cat snortsam.conf
... ipfw2 em1 1 2 # With tables rules like: # 00010 deny ip from any to table 1 via em1 # 00011 deny ip from table 2 to any via em1 fwexec /sbin/ipfw
cisco router acl telnet
В случае использования aaa new-model требуется пользователь c priv-lvl = 1
server# cat snortsam.acl
conf terminal no ip access-list extended ACL_FIREWALL ip access-list extended ACL_FIREWALL snortsam-ciscoacl-begin snortsam-ciscoacl-end permit tcp any host 192.168.X.10 eq www permit tcp any host 192.168.X.10 eq 22 permit ip any host 172.16.1.X permit icmp any any permit udp any any permit tcp any any established deny ip any any log end
server# cat snortsam.conf
... # ciscoacl 192.168.X.1 user1/tpassword1 cisco /usr/local/etc/snortsam/snortsam.acl # ciscoacl 192.168.X.1 cisco cisco /usr/local/etc/snortsam/snortsam.acl
cisco router acl tftp
Настройка
server# cat /tftpboot/snortsam.acl
no ip access-list extended ACL_FIREWALL ip access-list extended ACL_FIREWALL snortsam-ciscoacl-begin snortsam-ciscoacl-end permit tcp any host 192.168.X.10 eq www permit tcp any host 192.168.X.10 eq 22 permit ip any 172.16.1.X permit icmp any any permit udp any any permit tcp any any established deny ip any any log end
server# cat snortsam.tftp
copy tftp://192.168.X.10/ running-config
server# cat snortsam.conf
... # ciscoacl 192.168.X.1 cisco cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp # ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
Запуск
server# cd /tftpboot/ [server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf server# cat /usr/local/etc/rc.d/snortsam
... cd /tftpboot/ run_rc_command "$1"
cisco router null route
server# cat snortsam.conf
... cisconullroute 192.168.X.1 student/tacacs cisco
Запуск snortsam
[server:~] # service snortsam rcvar [server:~] # service snortsam start
Подключение Snort к Snortsam
сервис_snortsam.txt · Last modified: 2017/12/06 09:10 by val
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
