This shows you the differences between two versions of the page.
Previous revision: сервис_snortsam [2012/08/22 11:52] val
Current revision: сервис_snortsam [2017/12/06 09:10] val [Ubuntu]
Line 1: | Line 1: | ||
====== Сервис SNORTSAM ====== | ====== Сервис SNORTSAM ====== | ||
- | [[http://www.snortsam.net/]] | + | * [[http://www.snortsam.net/|Старый сайт]] |
+ | * [[https://github.com/firnsy/barnyard2/blob/master/doc/README.snortsam|barnyard2 github snortsam]] | ||
+ | * [[https://github.com/blox-org/snortsam|github blox snortsam]] | ||
===== Установка пакета ===== | ===== Установка пакета ===== | ||
==== FreeBSD ==== | ==== FreeBSD ==== | ||
<code> | <code> | ||
- | # pkg_add -r snortsam | + | # pkg install snortsam |
# more /usr/local/share/doc/snortsam/README.conf | # more /usr/local/share/doc/snortsam/README.conf | ||
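Review bot: the `pkg install snortsam` replacement is correct, since pkg_add(1) is gone from FreeBSD with the move to pkg(8), but the new link list still puts the plain-HTTP `http://www.snortsam.net/` entry first, marked only as "old site"; move it last (or drop it) and make the two HTTPS GitHub entries the primary sources, so a reader does not fetch a tarball from an unverified HTTP site when the barnyard2 and blox-org repositories are available.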
Line 14: | Line 15: | ||
</code> | </code> | ||
- | ==== Ubuntu ==== | + | ==== Debian/Ubuntu ==== |
- | === На курсах === | + | Не поддерживается |
- | <code> | + | |
- | # wget -O /usr/sbin/snortsam http://val.bmstu.ru/unix/snort/snortsam_ubuntu1204.bin | + | |
- | + | ||
- | # chmod +x /usr/sbin/snortsam | + | |
- | + | ||
- | # mkdir /etc/snortsam | + | |
- | + | ||
- | # cd /etc/snortsam | + | |
- | </code> | + | |
- | </code> | + | |
- | + | ||
- | === На работе === | + | |
- | <code> | + | |
- | # cd /usr/src | + | |
- | + | ||
- | /usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.70.tar.gz | + | |
- | + | ||
- | ИЛИ | + | |
- | + | ||
- | /usr/src# wget http://val.bmstu.ru/unix/snort/snortsam-src-2.70.tar.gz | + | |
- | + | ||
- | /usr/src# tar -xvf snortsam-src-2.70.tar.gz | + | |
- | + | ||
- | /usr/src# cd snortsam/ | + | |
- | + | ||
- | /usr/src/snortsam# apt-get install gcc-4.4 | + | |
- | + | ||
- | /usr/src/snortsam# ln -sf /usr/bin/gcc-4.4 /usr/bin/gcc | + | |
- | + | ||
- | /usr/src/snortsam# sh makesnortsam.sh | + | |
- | + | ||
- | /usr/src/snortsam# ln -sf /usr/bin/gcc-4.6 /usr/bin/gcc | + | |
- | + | ||
- | /usr/src/snortsam# cp snortsam /usr/sbin/ | + | |
- | + | ||
- | /usr/src/snortsam# mkdir /etc/snortsam | + | |
- | + | ||
- | /usr/src/snortsam# cd /etc/snortsam | + | |
- | </code> | + | |
===== Базовая конфигурация ===== | ===== Базовая конфигурация ===== | ||
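Review bot: removing the Ubuntu recipe is right, because the deleted "На курсах" block pulled a prebuilt binary over plain HTTP (`wget -O /usr/sbin/snortsam http://val.bmstu.ru/...`) with no checksum or signature and ran it as root, and the source variant repointed `/usr/bin/gcc` to gcc-4.4 system-wide with `ln -sf`, which silently changes the compiler for every later build on that host (it also had a doubled `</code>`). The replacement "Не поддерживается" (not supported) is too terse, though: say what is unsupported (no distribution package) and that the 2.70 source tarball needs an older compiler, as the deleted `apt-get install gcc-4.4` step shows, so a reader who must build on Debian passes the compiler to the build explicitly instead of replacing the system symlink.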
Line 68: | Line 30: | ||
</code> | </code> | ||
- | ===== Блокировка через netfilter ===== | + | ===== Настройка блокировки ===== |
+ | |||
+ | ==== netfilter ==== | ||
<code> | <code> | ||
gate# cat snortsam.conf | gate# cat snortsam.conf | ||
Line 76: | Line 40: | ||
</code> | </code> | ||
- | ===== Блокировка через ipfilter ===== | + | ==== ipfilter ==== |
- | <code> | + | |
- | # touch /etc/ipf.rules | + | |
- | # cat /etc/rc.conf | + | * [[Сервис Firewall#FreeBSD ipfilter]] |
- | </code><code> | + | |
- | ... | + | |
- | ipfilter_enable=yes | + | |
- | </code><code> | + | |
- | # /etc/rc.d/ipfilter start | + | |
+ | <code> | ||
# cat snortsam.conf | # cat snortsam.conf | ||
</code><code> | </code><code> | ||
Line 92: | Line 50: | ||
ipf em1 | ipf em1 | ||
</code> | </code> | ||
- | + | ==== ipfw2 ==== | |
- | ===== Блокировка через ipfw2 ===== | + | |
[[http://www.lissyara.su/articles/freebsd/security/snort/]] | [[http://www.lissyara.su/articles/freebsd/security/snort/]] | ||
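Review bot: the ipfilter prerequisites were collapsed into a link to "Сервис Firewall#FreeBSD ipfilter", but the remaining `ipf em1` line in snortsam.conf only does anything if ipfilter is already enabled and started (`ipfilter_enable=yes`, an existing `/etc/ipf.rules`, `/etc/rc.d/ipfilter start` in the deleted lines); keep one sentence here saying the linked page must be completed first, otherwise the blocks snortsam inserts have no effect and nothing in this section warns about it. Demoting the ipfw2 heading to `====` to sit under "Настройка блокировки" is consistent with the netfilter and ipfilter headings.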
Line 108: | Line 65: | ||
</code> | </code> | ||
- | ===== Блокировка на cisco router ===== | + | ==== cisco router acl telnet ==== |
В случае использования aaa new-model требуется пользователь c priv-lvl = 1 | В случае использования aaa new-model требуется пользователь c priv-lvl = 1 | ||
- | |||
- | ==== 1. Использование списков доступа и протокола telnet ==== | ||
<code> | <code> | ||
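Review bot: naming the transport in the heading ("acl telnet") is an improvement, but the retained sentence about `aaa new-model` needing a priv-lvl 1 user should also state that with telnet that user's password and the enable password from the `ciscoacl` line cross the network in cleartext on every block; restrict the router's vty access-class to the snortsam host and give that user no more than priv-lvl 1, as the sentence already implies.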
Line 124: | Line 79: | ||
permit tcp any host 192.168.X.10 eq www | permit tcp any host 192.168.X.10 eq www | ||
permit tcp any host 192.168.X.10 eq 22 | permit tcp any host 192.168.X.10 eq 22 | ||
+ | permit ip any host 172.16.1.X | ||
permit icmp any any | permit icmp any any | ||
permit udp any any | permit udp any any | ||
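Review bot: the added `permit ip any host 172.16.1.X` allows every IP protocol and port to that host, far broader than the `eq www` and `eq 22` entries around it; add a comment saying what 172.16.1.X is and why it is exempt from the port restriction, so the line is not copied into a production template unchanged. Since it sits after the `snortsam-ciscoacl-end` marker it is part of the static tail and will not be touched by snortsam's inserted denies, which is the right place for it.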
Line 133: | Line 89: | ||
</code><code> | </code><code> | ||
... | ... | ||
- | # ciscoacl 192.168.X.1 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl | + | # ciscoacl 192.168.X.1 user1/tpassword1 cisco /usr/local/etc/snortsam/snortsam.acl |
- | # ciscoacl 192.168.X.1 cisco cisco /etc/snortsam/snortsam.acl | + | # ciscoacl 192.168.X.1 cisco cisco /usr/local/etc/snortsam/snortsam.acl |
</code> | </code> | ||
- | ==== 2. Использование списков доступа и протокола tftp ==== | + | ==== cisco router acl tftp ==== |
=== Настройка === | === Настройка === | ||
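Review bot: the two `ciscoacl` lines now differ only in credentials (`user1/tpassword1 cisco` versus `cisco cisco`) and both start with `#`, so a reader must uncomment exactly one; label the second as the variant for routers without `aaa new-model` (telnet password and enable password only, no username) or drop it. Both lines hold the router login and enable password in cleartext, so the base configuration should also set `chmod 600` on `/usr/local/etc/snortsam/snortsam.conf`, and the path fix on the second line (`/etc/snortsam` to `/usr/local/etc/snortsam`) now matches the FreeBSD package layout used everywhere else on the page.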
Line 147: | Line 103: | ||
snortsam-ciscoacl-begin | snortsam-ciscoacl-begin | ||
snortsam-ciscoacl-end | snortsam-ciscoacl-end | ||
- | permit tcp any host 192.168.X.3 eq www | + | permit tcp any host 192.168.X.10 eq www |
+ | permit tcp any host 192.168.X.10 eq 22 | ||
+ | permit ip any 172.16.1.X | ||
permit icmp any any | permit icmp any any | ||
permit udp any any | permit udp any any | ||
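Review bot: `permit ip any 172.16.1.X` is missing the `host` keyword that the telnet template above uses (`permit ip any host 172.16.1.X`); a destination given without `host` or a wildcard mask is not the same entry and may be rejected or interpreted differently depending on the IOS release, so make the two ACL templates identical. Changing the www line from 192.168.X.3 to 192.168.X.10 brings it in line with the server address used in the rest of the page.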
Line 156: | Line 114: | ||
server# cat snortsam.tftp | server# cat snortsam.tftp | ||
</code><code> | </code><code> | ||
- | copy tftp://192.168.X.1/ running-config | + | copy tftp://192.168.X.10/ running-config |
</code><code> | </code><code> | ||
server# cat snortsam.conf | server# cat snortsam.conf | ||
</code><code> | </code><code> | ||
... | ... | ||
+ | # ciscoacl 192.168.X.1 cisco cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp | ||
# ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp | # ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp | ||
- | # ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp | ||
- | </code><code> | ||
- | server# cd /tftpboot/ | ||
</code> | </code> | ||
- | === Запуск при использовании протокола tftp === | + | === Запуск === |
- | == FreeBSD == | ||
<code> | <code> | ||
+ | server# cd /tftpboot/ | ||
+ | |||
[server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf | [server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf | ||
- | </code> | ||
- | == Ubuntu == | + | server# cat /usr/local/etc/rc.d/snortsam |
- | <code> | + | </code><code> |
- | root@server:/tftpboot# snortsam /etc/snortsam/snortsam.conf | + | ... |
+ | cd /tftpboot/ | ||
+ | |||
+ | run_rc_command "$1" | ||
</code> | </code> | ||
- | ==== 3. Использование null маршрутов ==== | + | ==== cisco router null route ==== |
<code> | <code> | ||
server# cat snortsam.conf | server# cat snortsam.conf | ||
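Review bot: changing `copy tftp://192.168.X.1/ running-config` to `copy tftp://192.168.X.10/ running-config` fixes a real bug: 192.168.X.1 is the router itself (see the `ciscoacl 192.168.X.1 ...` lines), so the router was being told to fetch its ACL from itself, while the tftp server is the snortsam host at .10. Three things remain in this hunk: the second `ciscoacl` line still uses `student/tacacs`, which the telnet section changed to `user1/tpassword1`; the relative name `snortsam.acl` before the `|` resolves against the daemon's working directory, which is why `cd /tftpboot/` had to be added to `/usr/local/etc/rc.d/snortsam` ahead of `run_rc_command "$1"`, and an absolute path would remove that dependency and survive a package upgrade that overwrites the rc script; and because the router loads whatever the unauthenticated tftp server serves, `/tftpboot` must be writable only by the snortsam user and the tftpd must run read-only, which the page should say next to the `cd /tftpboot/` step.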
Line 189: | Line 148: | ||
===== Запуск snortsam ===== | ===== Запуск snortsam ===== | ||
- | ==== FreeBSD ==== | ||
<code> | <code> | ||
- | [server:~] # /usr/local/etc/rc.d/snortsam rcvar | + | [server:~] # service snortsam rcvar |
- | [server:~] # /usr/local/etc/rc.d/snortsam start | + | [server:~] # service snortsam start |
</code> | </code> | ||
- | ==== Ubuntu ==== | ||
- | <code> | ||
- | root@server:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf | ||
- | </code> | ||
===== Подключение Snort к Snortsam ===== | ===== Подключение Snort к Snortsam ===== | ||
- | ==== Сборка Snort с поддержкой Snortsam в FreeBSD ==== | + | * [[Сервис BARNYARD2]] |
- | + | ||
- | <code> | + | |
- | [server:~] # pkg_add -vr automake110 gettext gmake bison | + | |
- | + | ||
- | [server:~] # cd /usr/ports/ | + | |
- | + | ||
- | [server:/usr/ports] # fetch http://val.bmstu.ru/unix/snort/snort2921_dst.tar | + | |
- | + | ||
- | [server:/usr/ports] # tar -xvf snort2921_dst.tar | + | |
- | + | ||
- | [server:~] # cd /usr/ports/security/snort | + | |
- | + | ||
- | [server:ports/security/snort] # make config | + | |
- | + | ||
- | [server:ports/security/snort] # cat /var/db/ports/snort/options | + | |
- | </code><code> | + | |
- | ... | + | |
- | WITH_SNORTSAM=true | + | |
- | ... | + | |
- | </code><code> | + | |
- | [server:ports/security/snort] # make install clean | + | |
- | + | ||
- | [server:ports/security/snort] # cd /usr/local/etc/snort/ | + | |
- | </code> | + | |
- | + | ||
- | ==== Сборка Snort с поддержкой Snortsam в Ubuntu ==== | + | |
- | + | ||
- | [[http://www.snortsam.net/files/snort-plugin/readme.txt]] | + | |
- | + | ||
- | [[Сервис SNORT]] | + | |
- | + | ||
- | === На курсах === | + | |
- | + | ||
- | <code> | + | |
- | # apt-get install snort-common snort-rules-default | + | |
- | + | ||
- | # apt-get remove snort | + | |
- | + | ||
- | # wget http://val.bmstu.ru/unix/snort/libdnet_1.12-1_i386.deb | + | |
- | + | ||
- | # dpkg -i libdnet_1.12-1_i386.deb | + | |
- | + | ||
- | # ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1 | + | |
- | + | ||
- | # wget http://val.bmstu.ru/unix/snort/snort_2.9.2.1-1_i386.deb | + | |
- | + | ||
- | # dpkg -i snort_2.9.2.1-1_i386.deb | + | |
- | + | ||
- | # ln -s /usr/local/bin/snort /usr/sbin/snort | + | |
- | + | ||
- | # update-rc.d snort defaults | + | |
- | + | ||
- | # cd /etc/snort | + | |
- | </code> | + | |
- | + | ||
- | === На работе === | + | |
- | + | ||
- | [[http://bailey.st/blog/2010/10/06/compiling-snort-2-9-0/]] | + | |
- | + | ||
- | [[Управление ПО в Linux#Работа с исходными текстами]] | + | |
- | + | ||
- | <code> | + | |
- | # apt-get install snort-common snort-rules-default | + | |
- | + | ||
- | # apt-get remove snort | + | |
- | + | ||
- | # apt-get autoremove | + | |
- | + | ||
- | # cd /usr/src | + | |
- | + | ||
- | # wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz | + | |
- | # tar -xvf libdnet-1.12.tgz | + | |
- | # cd libdnet-1.12/ | + | |
- | # ./configure | + | |
- | # make | + | |
- | # checkinstall | + | |
- | # ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1 | + | |
- | + | ||
- | # cd /usr/src | + | |
- | # apt-get install flex bison | + | |
- | + | ||
- | # wget -O daq-0.6.2.tar.gz http://www.snort.org/downloads/1623 | + | |
- | # tar -xvf daq-0.6.2.tar.gz | + | |
- | # cd daq-0.6.2/ | + | |
- | # ./configure | + | |
- | # make | + | |
- | # checkinstall | + | |
- | # ln -s /usr/local/lib/libsfbpf.so.0.0.1 /usr/lib/libsfbpf.so.0 | + | |
- | + | ||
- | # cd /usr/src | + | |
- | # apt-get install zlib1g-dev | + | |
- | + | ||
- | # wget http://val.bmstu.ru/unix/snort/snort-2.9.2.1.tar.gz | + | |
- | # tar -xvf snort-2.9.2.1.tar.gz | + | |
- | # wget http://val.bmstu.ru/unix/snort/snortsam-2.9.1.2.diff.gz | + | |
- | # gunzip snortsam-2.9.1.2.diff.gz | + | |
- | + | ||
- | # cd snort-2.9.2.1/ | + | |
- | + | ||
- | # patch -p1 < ../snortsam-2.9.1.2.diff | + | |
- | + | ||
- | # sh autojunk.sh | + | |
- | # sed -i.bak -e '17108d' configure | + | |
- | # ./configure | + | |
- | # make | + | |
- | # checkinstall | + | |
- | # ln -s /usr/local/lib/snort_dynamicpreprocessor /usr/lib/snort_dynamicpreprocessor | + | |
- | # ln -s /usr/local/lib/snort_dynamicengine/ /usr/lib/snort_dynamicengine | + | |
- | + | ||
- | # ln -s /usr/local/bin/snort /usr/sbin/snort | + | |
- | + | ||
- | # update-rc.d snort defaults | + | |
- | + | ||
- | # cd /etc/snort | + | |
- | </code> | + | |
- | + | ||
- | ==== Настройка Snort на взаимодействие с Snortsam ==== | + | |
- | + | ||
- | === FreeBSD/Ubuntu === | + | |
- | <code> | + | |
- | server# cat snort.conf | + | |
- | </code><code> | + | |
- | ... | + | |
- | ################################################### | + | |
- | # Step #6: Configure output plugins | + | |
- | ... | + | |
- | output alert_fwsam: 127.0.0.1:898/secret | + | |
- | ... | + | |
- | </code><code> | + | |
- | server# cat sid-block.map | + | |
- | </code><code> | + | |
- | 1256: src, 2 min | + | |
- | 1000001: src, 2 min | + | |
- | </code> | + | |
- | + | ||
- | ==== Принцип отбора правил ==== | + | |
- | + | ||
- | <code> | + | |
- | server# cat classification.config | + | |
- | </code><code> | + | |
- | ... | + | |
- | config classification: web-application-attack,Web Application Attack,1 | + | |
- | ... | + | |
- | </code> | + | |
- | + | ||
- | ==== Автоматизация запкуска snortsam одновременно с snort в Ubuntu ==== | + | |
- | <code> | + | |
- | # cat /etc/init.d/snort | + | |
- | </code><code> | + | |
- | ... | + | |
- | start) | + | |
- | /usr/sbin/snortsam /etc/snortsam/snortsam.conf | + | |
- | ... | + | |
- | stop) | + | |
- | killall snortsam | + | |
- | ... | + | |
- | </code> | + |
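Review bot: the `service snortsam rcvar` / `service snortsam start` replacement is the current FreeBSD form, and dropping the Ubuntu build recipe removes some genuinely risky steps (sources and `.deb` files fetched over plain HTTP with no checksum, `sed -i.bak -e '17108d' configure` deleting a line of a generated script by number, `killall snortsam` in the init script's stop branch). But the Snort side went with it and the new section is only a link to "Сервис BARNYARD2": the `output alert_fwsam: 127.0.0.1:898/secret` line and the `sid-block.map` entries (`1256: src, 2 min`, `1000001: src, 2 min`) were the only place this page said which signatures trigger a block, of which address, and for how long. Make sure the BARNYARD2 page carries the equivalent, and keep one sentence here stating that the key after the `/` must match the key on the snortsam `accept` line in the base configuration and that snortsam's port 898/tcp should be reachable only from the sensor host.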