====== Сервис SNORT ======
* [[http://www.snort.org/]]
* [[https://help.ubuntu.com/community/SnortIDS]]
* [[https://www.snort.org/downloads/community/community-rules.tar.gz|!!!Открытые правила для тестирования!!!]]
* [[https://sansorg.egnyte.com/dl/qsNKTUL2ld|Snort and SSL/TLS Inspection]]
* [[https://upcloud.com/resources/tutorials/installing-snort-on-debian|How to install Snort on Debian]]
* [[https://oisf.net/|Open Information Security Foundation Suricata]]
===== Установка, настройка, запуск сервиса =====
==== Debian/Ubuntu ====
root@server:~# apt install snort
!!! В визарде оставляем все по умолчанию (он "не понимает" интерфейс bond1)
root@server:~# cat /etc/snort/snort.debian.conf
...
#DEBIAN_SNORT_INTERFACE="eth0"
#DEBIAN_SNORT_INTERFACE="bond1"
DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
#DEBIAN_SNORT_HOME_NET="any"
...
* [[https://serverfault.com/questions/554713/snort-not-detecting-outgoing-traffic|Snort not detecting outgoing traffic]]
* [[https://forum.netgate.com/topic/55909/snort-enable_xff|inside of ssl termination proxies we need to get X-Forwarded-For]]
* [[http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html|2.2 Preprocessors (snort_manual)]]
root@server:~# cat /etc/snort/snort.conf
...
# Configure IP / TCP checksum mode
config checksum_mode: none
...
preprocessor http_inspect_server: server default \
...
enable_xff \
webroot no
...
####################################################################
# Step #6: Configure output plugins
...
output alert_syslog: LOG_AUTH LOG_ALERT
...
root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf
root@server:~# service snort restart
===== Тестирование =====
==== Debian/Ubuntu ====
# less /etc/snort/rules/web-iis.rules
# tail -f /var/log/auth.log | grep Red
# u2spewfoo /var/log/snort/snort.alert
==== Пример атаки с isp.un ====
isp.un$ wget http://192.168.X.10/root.exe
===== Копирование alert_unified2 в syslog =====
# stdbuf -i0 -o0 u2spewfoo <(tail -c +1 -f /var/log/snort/snort.alert) | logger -t snort -p auth.info
# cat /etc/systemd/system/snort-alert-unified2-syslog.service
[Unit]
# Tails the unified2 alert file from its first byte, decodes it with u2spewfoo
# and hands the text to logger under tag "snort", facility auth, priority info.
# stdbuf -i0 -o0 runs u2spewfoo unbuffered so each alert reaches syslog as soon
# as it is written instead of waiting for a full block.
# NOTE(review): After= only orders startup; there is no Restart=, so if the
# pipeline exits (e.g. the alert file is rotated) the unit stays inactive.
Description=Send snort alert_unified2 to syslog
After=snort.service
[Service]
ExecStart=/bin/bash -c '/usr/bin/stdbuf -i0 -o0 /usr/sbin/u2spewfoo <(/usr/bin/tail -c +1 -f /var/log/snort/snort.alert) | /usr/bin/logger -t snort -p auth.info'
[Install]
WantedBy=multi-user.target
===== Создание собственных правил snort =====
* [[http://oreilly.com/pub/h/1393|Write Your Own Snort Rules ]]
==== Debian/Ubuntu ====
# cat rules/local.rules
alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;)
$ curl --path-as-is http://server.corpX.un/../../../etc/passwd
===== Обновление правил snort - пакет oinkmaster =====
==== FreeBSD ====
[server:~] # pkg install oinkmaster
[server:~] # rehash
[server:~] # cd /usr/local/etc/
==== Debian/Ubuntu ====
root@server:~# apt-get install oinkmaster
root@server:~# cd /etc/
==== FreeBSD/Debian/Ubuntu ====
server# cat oinkmaster.conf
...
url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
...
tmpdir = /var/tmp/
...
server# oinkmaster -o /CHANGE/DIR/snort/rules/
===== Построение отчета о работе snort =====
==== snortsnarf (FreeBSD) ====
[server:~] # pkg_add -r snortsnarf
[server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
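#!/bin/sh
# Daily rotation of the Snort alert file and report build with snortsnarf
# (FreeBSD: uses BSD date(1) -v syntax and rc.d scripts). Intended for cron:
# stops snort, moves the current alert file aside, restarts snort, merges the
# rotated files into one file named after yesterday's date, renders the HTML
# report for that day and removes report directories older than 60 days.
D=$(date -v-1d '+%Y.%m.%d')
alert_dir=/var/log/snort
www_dir=/usr/local/www/apache22/data/snortsnarf

/usr/local/etc/rc.d/snort stop
# Trailing dot makes the rotated file match the alert.* glob below.
/bin/mv -- "${alert_dir}/alert" "${alert_dir}/alert."
/usr/local/etc/rc.d/snort start

for i in "${alert_dir}"/alert.*
do
  # In sh an unmatched glob stays literal; skip it instead of cat/rm on a
  # non-existent name.
  [ -f "${i}" ] || continue
  cat -- "${i}" >> "${alert_dir}/alert${D}"
  rm -- "${i}"
done

/usr/local/bin/snortsnarf -d "${www_dir}/${D}/" -minprio=1 "${alert_dir}/alert${D}"
rm -- "${alert_dir}/alert${D}"

# Prune only the per-day report directories directly under www_dir, never
# www_dir itself, and do not descend into a directory already selected
# for removal.
/usr/bin/find "${www_dir}" -mindepth 1 -maxdepth 1 -type d -mtime +60 -exec rm -r -- {} \;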
===== Дополнительные материалы =====
==== FreeBSD ====
[server:~] # pkg install snort
[server:~] # cat /usr/local/etc/snort/snort.conf
...
ipvar HOME_NET [192.168.X.0/24]
...
####################################################################
# Step #6: Configure output plugins
...
# syslog
output alert_syslog: LOG_AUTH LOG_ALERT
...
###################################################
# Step #7: Customize your rule set
...
# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
...
# закомментируйте все остальные include правил ниже
...
[server:~] # fetch --no-verify-peer https://www.snort.org/downloads/community/community-rules.tar.gz
[server:~] # tar -xvf community-rules.tar.gz
[server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/
[server:~] # touch /usr/local/etc/snort/rules/local.rules
[server:~] # cp community-rules/sid-msg.map /usr/local/etc/snort/sid-msg.map
[server:~] # mkdir /usr/local/etc/rules/
[server:~] # touch /usr/local/etc/rules/black_list.rules
[server:~] # touch /usr/local/etc/rules/white_list.rules
!!! Раскомментировать правило
[server:~] # cat /usr/local/etc/snort/rules/community.rules
...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
...
[server:~] # # cd /usr/local/etc/snort/preproc_rules/
[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
[server:~] # # cp decoder.rules-sample decoder.rules
[server:~] # # cp preprocessor.rules-sample preprocessor.rules
[server:~] # snort -T -c /usr/local/etc/snort/snort.conf
[server:~] # snort -A console -i em2 -c /usr/local/etc/snort/snort.conf
[server:~] # service snort rcvar
[server:~] # cat /etc/rc.conf
...
snort_enable=YES
snort_interface=em2
[server:~] # service snort start
==== Windows ====
* [[http://www.sans.org/security-resources/idfaq/running-snort-windows.php]]
=== Установка Snort ===
* [[http://val.bmstu.ru/unix/snort/Snort_2_9_5_5_Installer.exe]]
=== Распаковка правил ===
* [[http://val.bmstu.ru/unix/snort/snortrules-snapshot-2953.tar.gz]] (распаковать все, кроме каталога etc)
=== Настройка и тестирование конфигурации ===
shell>notepad++ c:\Snort\etc\snort.conf
...
var RULE_PATH c:\snort\rules
var SO_RULE_PATH c:\snort\rules
var PREPROC_RULE_PATH c:\snort\rules
...
#my var WHITE_LIST_PATH ../rules
#my var BLACK_LIST_PATH ../rules
...
config logdir: c:\snort\log
...
dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
...
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
...
#my dynamicdetection directory /usr/local/lib/snort_dynamicrules
...
#my preprocessor normalize_ip4
#my preprocessor normalize_tcp: ips ecn stream
#my preprocessor normalize_icmp4
#my preprocessor normalize_ip6
#my preprocessor normalize_icmp6
...
preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
...
#my preprocessor reputation: \
#my memcap 500, \
#my priority whitelist, \
#my nested_ip inner, \
#my whitelist $WHITE_LIST_PATH/white_list.rules, \
#my blacklist $BLACK_LIST_PATH/black_list.rules
...
output alert_fast: alert.ids
...
include c:\snort\etc\classification.config
include c:\snort\etc\reference.config
...
include c:\snort\etc\threshold.conf
...
shell>notepad++ C:\Snort\rules\server-iis.rules
...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
...
admin shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf --daq pcap
=== Запуск ===
Выбираем номер сетевого интерфейса (необходимо отключить IPv6)
shell>c:\snort\bin\snort.exe -W
Запускаем в режиме отладки
admin shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf --daq pcap
Запускаем в режиме службы (консоль будет заблокирована)
admin shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf --daq pcap
shell>notepad++ C:\Snort\log\alert.ids