====== Сервис SNORT ======

  * [[http://www.snort.org/]]
  * [[https://help.ubuntu.com/community/SnortIDS]]
  * [[https://www.snort.org/downloads/community/community-rules.tar.gz|!!!Открытые правила для тестирования!!!]]
  * [[http://www.openinfosecfoundation.org//Альтернативное решение]]
===== Установка, настройка, запуск сервиса =====

==== Debian/Ubuntu ====
<code>
root@server:~# apt install snort

!!! В визарде все по умолчанию ("не понимает" интерфейс bond1)

root@server:~# cat /etc/snort/snort.debian.conf
</code><code>
...
DEBIAN_SNORT_INTERFACE="eth2"
#DEBIAN_SNORT_INTERFACE="eth1"
#DEBIAN_SNORT_INTERFACE="bond1"
DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
#DEBIAN_SNORT_HOME_NET="any"
...
</code><code>
root@server:~# cat /etc/snort/snort.conf
</code><code>
...
####################################################################
# Step #6: Configure output plugins
...
output alert_syslog: LOG_AUTH LOG_ALERT
...
</code><code>
root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf

root@server:~# service snort restart
</code>

===== Тестирование =====

==== Debian/Ubuntu ====
<code>
# less /etc/snort/rules/web-iis.rules

# tail -f /var/log/auth.log | grep Red
</code>

==== Пример атаки с isp.un ====
<code>
isp.un$ wget http://192.168.X.10/root.exe
</code>

===== Создание собственных правил snort =====

  * [[http://oreilly.com/pub/h/1393|Write Your Own Snort Rules ]]

==== Debian/Ubuntu ====
<code>
# cat rules/local.rules
</code><code>
alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;)
</code><code>
$ curl --path-as-is http://server.corpX.un/../../../etc/passwd
</code>
===== Обновление правил snort - пакет oinkmaster =====

==== FreeBSD ====
<code>
[server:~] # pkg install oinkmaster

[server:~] # rehash

[server:~] # cd /usr/local/etc/
</code>

==== Debian/Ubuntu ====
<code>
root@server:~# apt-get install oinkmaster

root@server:~# cd /etc/
</code>

==== FreeBSD/Debian/Ubuntu ====
<code>
server# cat oinkmaster.conf
...
url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
...
tmpdir = /var/tmp/
...

server# oinkmaster -o /CHANGE/DIR/snort/rules/
</code>

===== Построение отчета о работе snort =====

==== snortsnarf (FreeBSD) ====
<code>
[server:~] # pkg_add -r snortsnarf
</code><code>
[server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
</code><code>
#!/bin/sh

D=`date -v-1d '+%Y.%m.%d'`

/usr/local/etc/rc.d/snort stop
/bin/mv /var/log/snort/alert /var/log/snort/alert.
/usr/local/etc/rc.d/snort start

for i in /var/log/snort/alert.*
do
  cat ${i} >> /var/log/snort/alert${D}
  rm ${i}
done
/usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D} 

rm /var/log/snort/alert${D}

/usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \;
</code>

===== Дополнительные материалы =====

==== FreeBSD ====

<code>
[server:~] # pkg install snort

[server:~] # cat /usr/local/etc/snort/snort.conf
</code><code>
...
ipvar HOME_NET [192.168.X.0/24]
...
####################################################################
# Step #6: Configure output plugins
...
# syslog
output alert_syslog: LOG_AUTH LOG_ALERT
...
###################################################
# Step #7: Customize your rule set
...
# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
...
# закомментируйте все правила ниже
...
</code><code>
[server:~] # fetch --no-verify-peer https://www.snort.org/downloads/community/community-rules.tar.gz

[server:~] # tar -xvf community-rules.tar.gz

[server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/
[server:~] # touch /usr/local/etc/snort/rules/local.rules
[server:~] # cp community-rules/sid-msg.map /usr/local/etc/snort/sid-msg.map

[server:~] # mkdir /usr/local/etc/rules/
[server:~] # touch /usr/local/etc/rules/black_list.rules
[server:~] # touch /usr/local/etc/rules/white_list.rules

!!! Раскомментировать правило
[server:~] # cat /usr/local/etc/snort/rules/community.rules
</code><code>
...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
...
</code>
<code>
[server:~] # # cd /usr/local/etc/snort/preproc_rules/
[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
[server:~] # # cp decoder.rules-sample decoder.rules
[server:~] # # cp preprocessor.rules-sample preprocessor.rules
</code>

<code>
[server:~] # snort -T -c /usr/local/etc/snort/snort.conf

[server:~] # snort -A console -i em2 -c /usr/local/etc/snort/snort.conf

[server:~] # service snort rcvar

[server:~] # cat /etc/rc.conf
</code><code>
...
snort_enable=YES
snort_interface=em2
</code><code>
[server:~] # service snort start
</code>

==== Windows ====

  * [[http://www.sans.org/security-resources/idfaq/running-snort-windows.php]]

=== Установка Snort ===

  * [[http://val.bmstu.ru/unix/snort/Snort_2_9_5_5_Installer.exe]]

=== Распаковка правил ===

  * [[http://val.bmstu.ru/unix/snort/snortrules-snapshot-2953.tar.gz]] (все кроме каталога etc)

=== Настройка и тестирование конфигурации ===
<code>
shell>notepad++ c:\Snort\etc\snort.conf
</code><code>
...
var RULE_PATH c:\snort\rules
var SO_RULE_PATH c:\snort\rules
var PREPROC_RULE_PATH c:\snort\rules
...
#my var WHITE_LIST_PATH ../rules
#my var BLACK_LIST_PATH ../rules
...
config logdir: c:\snort\log
...
dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
...
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
...
#my dynamicdetection directory /usr/local/lib/snort_dynamicrules
...
#my preprocessor normalize_ip4
#my preprocessor normalize_tcp: ips ecn stream
#my preprocessor normalize_icmp4
#my preprocessor normalize_ip6
#my preprocessor normalize_icmp6
...
preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
...
#my preprocessor reputation: \
#my   memcap 500, \
#my   priority whitelist, \
#my   nested_ip inner, \
#my   whitelist $WHITE_LIST_PATH/white_list.rules, \
#my   blacklist $BLACK_LIST_PATH/black_list.rules 
...
output alert_fast: alert.ids
...
include c:\snort\etc\classification.config
include c:\snort\etc\reference.config
...
include c:\snort\etc\threshold.conf
...
</code><code>
shell>notepad++ C:\Snort\rules\server-iis.rules
</code><code>
...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
...
</code><code>
admin shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf --daq pcap
</code>

=== Запуск ===

Выбираем сетевой интерфейс (необходимо отключить ipv6)
<code>
shell>c:\snort\bin\snort.exe -W
</code>

Запускаем в режиме отладки
<code>
admin shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf --daq pcap
</code>

Запускаем в режиме службы (консоль заблокирует)
<code>
admin shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf --daq pcap

shell>notepad++ C:\Snort\log\alert.ids
</code>