This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
сервис_snort [2015/04/29 12:53] val [FreeBSD] |
сервис_snort [2021/02/23 14:38] val [Debian/Ubuntu] |
||
---|---|---|---|
Line 7: | Line 7: | ||
===== Установка, настройка, запуск сервиса ===== | ===== Установка, настройка, запуск сервиса ===== | ||
- | ==== Windows ==== | + | ==== Debian/Ubuntu ==== |
+ | <code> | ||
+ | root@server:~# apt install snort | ||
- | * [[http://www.sans.org/security-resources/idfaq/running-snort-windows.php]] | + | root@server:~# cat /etc/snort/snort.debian.conf |
- | + | ||
- | === Установка Snort === | + | |
- | + | ||
- | * [[http://val.bmstu.ru/unix/snort/Snort_2_9_5_5_Installer.exe]] | + | |
- | + | ||
- | === Распаковка правил === | + | |
- | + | ||
- | * [[http://val.bmstu.ru/unix/snort/snortrules-snapshot-2953.tar.gz]] (все кроме каталога etc) | + | |
- | + | ||
- | === Настройка и тестирование конфигурации === | + | |
- | <code> | + | |
- | shell>notepad++ c:\Snort\etc\snort.conf | + | |
</code><code> | </code><code> | ||
... | ... | ||
- | var RULE_PATH c:\snort\rules | + | DEBIAN_SNORT_INTERFACE="eth2" |
- | var SO_RULE_PATH c:\snort\rules | + | #DEBIAN_SNORT_INTERFACE="eth1" |
- | var PREPROC_RULE_PATH c:\snort\rules | + | DEBIAN_SNORT_HOME_NET="192.168.0.0/16" |
+ | #DEBIAN_SNORT_HOME_NET="any" | ||
... | ... | ||
- | #my var WHITE_LIST_PATH ../rules | + | </code><code> |
- | #my var BLACK_LIST_PATH ../rules | + | root@server:~# cat /etc/snort/snort.conf |
+ | </code><code> | ||
... | ... | ||
- | config logdir: c:\snort\log | + | #################################################################### |
+ | # Step #6: Configure output plugins | ||
... | ... | ||
- | dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor | + | output alert_syslog: LOG_AUTH LOG_ALERT |
- | ... | + | |
- | dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll | + | |
- | ... | + | |
- | #my dynamicdetection directory /usr/local/lib/snort_dynamicrules | + | |
- | ... | + | |
- | #my preprocessor normalize_ip4 | + | |
- | #my preprocessor normalize_tcp: ips ecn stream | + | |
- | #my preprocessor normalize_icmp4 | + | |
- | #my preprocessor normalize_ip6 | + | |
- | #my preprocessor normalize_icmp6 | + | |
- | ... | + | |
- | preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535 | + | |
- | ... | + | |
- | #my preprocessor reputation: \ | + | |
- | #my memcap 500, \ | + | |
- | #my priority whitelist, \ | + | |
- | #my nested_ip inner, \ | + | |
- | #my whitelist $WHITE_LIST_PATH/white_list.rules, \ | + | |
- | #my blacklist $BLACK_LIST_PATH/black_list.rules | + | |
- | ... | + | |
- | output alert_fast: alert.ids | + | |
- | ... | + | |
- | include c:\snort\etc\classification.config | + | |
- | include c:\snort\etc\reference.config | + | |
- | ... | + | |
- | include c:\snort\etc\threshold.conf | + | |
... | ... | ||
</code><code> | </code><code> | ||
- | shell>notepad++ C:\Snort\rules\server-iis.rules | + | root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf |
+ | |||
+ | root@server:~# service snort restart | ||
+ | </code> | ||
+ | |||
+ | ===== Тестирование ===== | ||
+ | |||
+ | ==== Debian/Ubuntu ==== | ||
+ | <code> | ||
+ | # tail -f /var/log/auth.log | grep Red | ||
+ | </code> | ||
+ | |||
+ | ==== Пример атаки с isp.un ==== | ||
+ | <code> | ||
+ | isp.un$ wget http://server.corpX.un/root.exe | ||
+ | </code> | ||
+ | |||
+ | ===== Создание собственных правил snort ===== | ||
+ | |||
+ | * [[http://oreilly.com/pub/h/1393|Write Your Own Snort Rules ]] | ||
+ | |||
+ | ==== Debian/Ubuntu ==== | ||
+ | <code> | ||
+ | # cat rules/local.rules | ||
</code><code> | </code><code> | ||
- | ... | + | alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;) |
- | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;) | + | |
- | ... | + | |
</code><code> | </code><code> | ||
- | shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf | + | $ curl --path-as-is http://server.corpX.un/../../../etc/passwd |
</code> | </code> | ||
+ | ===== Обновление правил snort - пакет oinkmaster ===== | ||
- | === Запуск === | + | ==== FreeBSD ==== |
+ | <code> | ||
+ | [server:~] # pkg install oinkmaster | ||
- | Выбираем сетевой интерфейс | + | [server:~] # rehash |
+ | |||
+ | [server:~] # cd /usr/local/etc/ | ||
+ | </code> | ||
+ | |||
+ | ==== Debian/Ubuntu ==== | ||
<code> | <code> | ||
- | shell>c:\snort\bin\snort.exe -W | + | root@server:~# apt-get install oinkmaster |
+ | |||
+ | root@server:~# cd /etc/ | ||
</code> | </code> | ||
- | Запускаем в режиме отладки | + | ==== FreeBSD/Debian/Ubuntu ==== |
<code> | <code> | ||
- | shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf | + | server# cat oinkmaster.conf |
+ | ... | ||
+ | url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz | ||
+ | ... | ||
+ | tmpdir = /var/tmp/ | ||
+ | ... | ||
+ | |||
+ | server# oinkmaster -o /CHANGE/DIR/snort/rules/ | ||
</code> | </code> | ||
- | Запускаем в режиме службы (консоль заблокирует) | + | ===== Построение отчета о работе snort ===== |
+ | |||
+ | ==== snortsnarf (FreeBSD) ==== | ||
<code> | <code> | ||
- | shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf | + | [server:~] # pkg_add -r snortsnarf |
+ | </code><code> | ||
+ | [server:~] # cat /usr/local/etc/scripts/snortsnarf.sh | ||
+ | </code><code> | ||
+ | #!/bin/sh | ||
- | shell>notepad++ C:\Snort\log\alert.ids | + | D=`date -v-1d '+%Y.%m.%d'` |
+ | |||
+ | /usr/local/etc/rc.d/snort stop | ||
+ | /bin/mv /var/log/snort/alert /var/log/snort/alert. | ||
+ | /usr/local/etc/rc.d/snort start | ||
+ | |||
+ | for i in /var/log/snort/alert.* | ||
+ | do | ||
+ | cat ${i} >> /var/log/snort/alert${D} | ||
+ | rm ${i} | ||
+ | done | ||
+ | /usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D} | ||
+ | |||
+ | rm /var/log/snort/alert${D} | ||
+ | |||
+ | /usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \; | ||
</code> | </code> | ||
+ | |||
+ | ===== Дополнительные материалы ===== | ||
+ | |||
==== FreeBSD ==== | ==== FreeBSD ==== | ||
Line 121: | Line 150: | ||
[server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/ | [server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/ | ||
[server:~] # touch /usr/local/etc/snort/rules/local.rules | [server:~] # touch /usr/local/etc/snort/rules/local.rules | ||
+ | [server:~] # cp community-rules/sid-msg.map /usr/local/etc/snort/sid-msg.map | ||
[server:~] # mkdir /usr/local/etc/rules/ | [server:~] # mkdir /usr/local/etc/rules/ | ||
Line 132: | Line 162: | ||
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;) | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;) | ||
... | ... | ||
- | </code><code> | + | </code> |
- | [server:~] # cd /usr/local/etc/snort/preproc_rules/ | + | <code> |
+ | [server:~] # # cd /usr/local/etc/snort/preproc_rules/ | ||
+ | [server:~] # # cp sensitive-data.rules-sample sensitive-data.rules | ||
+ | [server:~] # # cp decoder.rules-sample decoder.rules | ||
+ | [server:~] # # cp preprocessor.rules-sample preprocessor.rules | ||
+ | </code> | ||
- | [server:~] # cp sensitive-data.rules-sample sensitive-data.rules | + | <code> |
- | [server:~] # cp decoder.rules-sample decoder.rules | + | [server:~] # snort -T -c /usr/local/etc/snort/snort.conf |
- | [server:~] # cp preprocessor.rules-sample preprocessor.rules | + | |
+ | [server:~] # snort -A console -i em2 -c /usr/local/etc/snort/snort.conf | ||
[server:~] # service snort rcvar | [server:~] # service snort rcvar | ||
Line 148: | Line 183: | ||
snort_interface=em2 | snort_interface=em2 | ||
</code><code> | </code><code> | ||
- | [server:~] # rehash | ||
- | |||
- | [server:~] # snort -T -c /usr/local/etc/snort/snort.conf | ||
- | |||
[server:~] # service snort start | [server:~] # service snort start | ||
</code> | </code> | ||
- | ==== Ubuntu ==== | + | ==== Windows ==== |
- | <code> | + | |
- | root@server:~# apt-get install snort | + | |
- | root@server:~# cat /etc/snort/snort.debian.conf | + | * [[http://www.sans.org/security-resources/idfaq/running-snort-windows.php]] |
+ | |||
+ | === Установка Snort === | ||
+ | |||
+ | * [[http://val.bmstu.ru/unix/snort/Snort_2_9_5_5_Installer.exe]] | ||
+ | |||
+ | === Распаковка правил === | ||
+ | |||
+ | * [[http://val.bmstu.ru/unix/snort/snortrules-snapshot-2953.tar.gz]] (все кроме каталога etc) | ||
+ | |||
+ | === Настройка и тестирование конфигурации === | ||
+ | <code> | ||
+ | shell>notepad++ c:\Snort\etc\snort.conf | ||
</code><code> | </code><code> | ||
... | ... | ||
- | DEBIAN_SNORT_INTERFACE="eth2" | + | var RULE_PATH c:\snort\rules |
- | DEBIAN_SNORT_HOME_NET="192.168.0.0/16" | + | var SO_RULE_PATH c:\snort\rules |
+ | var PREPROC_RULE_PATH c:\snort\rules | ||
+ | ... | ||
+ | #my var WHITE_LIST_PATH ../rules | ||
+ | #my var BLACK_LIST_PATH ../rules | ||
+ | ... | ||
+ | config logdir: c:\snort\log | ||
+ | ... | ||
+ | dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor | ||
+ | ... | ||
+ | dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll | ||
+ | ... | ||
+ | #my dynamicdetection directory /usr/local/lib/snort_dynamicrules | ||
+ | ... | ||
+ | #my preprocessor normalize_ip4 | ||
+ | #my preprocessor normalize_tcp: ips ecn stream | ||
+ | #my preprocessor normalize_icmp4 | ||
+ | #my preprocessor normalize_ip6 | ||
+ | #my preprocessor normalize_icmp6 | ||
+ | ... | ||
+ | preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535 | ||
+ | ... | ||
+ | #my preprocessor reputation: \ | ||
+ | #my memcap 500, \ | ||
+ | #my priority whitelist, \ | ||
+ | #my nested_ip inner, \ | ||
+ | #my whitelist $WHITE_LIST_PATH/white_list.rules, \ | ||
+ | #my blacklist $BLACK_LIST_PATH/black_list.rules | ||
+ | ... | ||
+ | output alert_fast: alert.ids | ||
+ | ... | ||
+ | include c:\snort\etc\classification.config | ||
+ | include c:\snort\etc\reference.config | ||
+ | ... | ||
+ | include c:\snort\etc\threshold.conf | ||
... | ... | ||
</code><code> | </code><code> | ||
- | root@server:~# cat /etc/snort/snort.conf | + | shell>notepad++ C:\Snort\rules\server-iis.rules |
</code><code> | </code><code> | ||
... | ... | ||
- | #################################################################### | + | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;) |
- | # Step #6: Configure output plugins | + | |
- | ... | + | |
- | output alert_syslog: LOG_AUTH LOG_ALERT | + | |
... | ... | ||
</code><code> | </code><code> | ||
- | root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf | + | admin shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf --daq pcap |
- | + | ||
- | root@server:~# /etc/init.d/snort stop | + | |
- | + | ||
- | root@server:~# /etc/init.d/snort start | + | |
</code> | </code> | ||
- | ===== Тестирование ===== | + | === Запуск === |
- | ==== FreeBSD/Ubuntu ==== | + | Выбираем сетевой интерфейс (необходимо отключить ipv6) |
<code> | <code> | ||
- | # tail -f /var/log/auth.log | + | shell>c:\snort\bin\snort.exe -W |
</code> | </code> | ||
- | ==== Пример атаки с server.isp.un ==== | + | Запускаем в режиме отладки |
<code> | <code> | ||
- | server.isp.un$ wget http://server.corpX.un/root.exe | + | admin shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf --daq pcap |
</code> | </code> | ||
- | + | Запускаем в режиме службы (консоль заблокирует) | |
- | + | ||
- | ===== Создание собственных правил snort ===== | + | |
- | + | ||
- | [[http://oreilly.com/pub/h/1393]] | + | |
- | + | ||
- | ==== FreBSD/Ubuntu ==== | + | |
<code> | <code> | ||
- | # cat rules/local.rules | + | admin shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf --daq pcap |
- | </code><code> | + | |
- | alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;) | + | |
- | </code> | + | |
- | ===== Обновление правил snort - пакет oinkmaster ===== | + | shell>notepad++ C:\Snort\log\alert.ids |
- | + | ||
- | ==== FreeBSD ==== | + | |
- | <code> | + | |
- | [server:~] # pkg install oinkmaster | + | |
- | + | ||
- | [server:~] # rehash | + | |
- | + | ||
- | [server:~] # cd /usr/local/etc/ | + | |
- | </code> | + | |
- | + | ||
- | ==== Ubuntu ==== | + | |
- | <code> | + | |
- | root@server:~# apt-get install oinkmaster | + | |
- | + | ||
- | root@server:~# cd /etc/ | + | |
- | </code> | + | |
- | + | ||
- | ==== FreeBSD/Ubuntu ==== | + | |
- | <code> | + | |
- | server# cat oinkmaster.conf | + | |
- | ... | + | |
- | url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz | + | |
- | ... | + | |
- | tmpdir = /var/tmp/ | + | |
- | ... | + | |
- | + | ||
- | server# oinkmaster -o /CHANGE/DIR/snort/rules/ | + | |
- | </code> | + | |
- | + | ||
- | ===== Построение отчета о работе snort ===== | + | |
- | + | ||
- | ==== snortsnarf (FreeBSD) ==== | + | |
- | <code> | + | |
- | [server:~] # pkg_add -r snortsnarf | + | |
- | </code><code> | + | |
- | [server:~] # cat /usr/local/etc/scripts/snortsnarf.sh | + | |
- | </code><code> | + | |
- | #!/bin/sh | + | |
- | + | ||
- | D=`date -v-1d '+%Y.%m.%d'` | + | |
- | + | ||
- | /usr/local/etc/rc.d/snort stop | + | |
- | /bin/mv /var/log/snort/alert /var/log/snort/alert. | + | |
- | /usr/local/etc/rc.d/snort start | + | |
- | + | ||
- | for i in /var/log/snort/alert.* | + | |
- | do | + | |
- | cat ${i} >> /var/log/snort/alert${D} | + | |
- | rm ${i} | + | |
- | done | + | |
- | /usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D} | + | |
- | + | ||
- | rm /var/log/snort/alert${D} | + | |
- | + | ||
- | /usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \; | + | |
</code> | </code> |