Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Trace: сервис_snort
сервис_snort

Table of Contents

Сервис SNORT

Установка, настройка, запуск сервиса

Debian/Ubuntu

root@server:~# apt install snort

!!! В визарде все по умолчанию ("не понимает" интерфейс bond1)

root@server:~# cat /etc/snort/snort.debian.conf
...
#DEBIAN_SNORT_INTERFACE="eth0"
#DEBIAN_SNORT_INTERFACE="bond1"
DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
#DEBIAN_SNORT_HOME_NET="any"
...
root@server:~# cat /etc/snort/snort.conf
...
# Configure IP / TCP checksum mode
config checksum_mode: none
...
preprocessor http_inspect_server: server default \
...
    enable_xff \
    webroot no
...
####################################################################
# Step #6: Configure output plugins
...
output alert_syslog: LOG_AUTH LOG_ALERT
...
root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf

root@server:~# service snort restart

Тестирование

Debian/Ubuntu

# less /etc/snort/rules/web-iis.rules

# tail -f /var/log/auth.log | grep Red

# u2spewfoo /var/log/snort/snort.alert

Пример атаки с isp.un

isp.un$ wget http://192.168.X.10/root.exe

Копирование alert_unified2 в syslog

# stdbuf -i0 -o0 u2spewfoo <(tail -c +1 -f /var/log/snort/snort.alert) | logger -t snort -p auth.info

# cat /etc/systemd/system/snort-alert-unified2-syslog.service
[Unit]
Description=Send snort alert_unified2 to syslog
After=snort.service

[Service]
ExecStart=/bin/bash -c '/usr/bin/stdbuf -i0 -o0 /usr/sbin/u2spewfoo <(/usr/bin/tail -c +1 -f /var/log/snort/snort.alert) | /usr/bin/logger -t snort -p auth.info'

[Install]
WantedBy=multi-user.target

Создание собственных правил snort

Debian/Ubuntu

# cat rules/local.rules
alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;)
$ curl --path-as-is http://server.corpX.un/../../../etc/passwd

Обновление правил snort - пакет oinkmaster

FreeBSD

[server:~] # pkg install oinkmaster

[server:~] # rehash

[server:~] # cd /usr/local/etc/

Debian/Ubuntu

root@server:~# apt-get install oinkmaster

root@server:~# cd /etc/

FreeBSD/Debian/Ubuntu

server# cat oinkmaster.conf
...
url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
...
tmpdir = /var/tmp/
...

server# oinkmaster -o /CHANGE/DIR/snort/rules/

Построение отчета о работе snort

snortsnarf (FreeBSD)

[server:~] # pkg_add -r snortsnarf
[server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
#!/bin/sh

D=`date -v-1d '+%Y.%m.%d'`

/usr/local/etc/rc.d/snort stop
/bin/mv /var/log/snort/alert /var/log/snort/alert.
/usr/local/etc/rc.d/snort start

for i in /var/log/snort/alert.*
do
  cat ${i} >> /var/log/snort/alert${D}
  rm ${i}
done
/usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D} 

rm /var/log/snort/alert${D}

/usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \;

Дополнительные материалы

FreeBSD

[server:~] # pkg install snort

[server:~] # cat /usr/local/etc/snort/snort.conf
...
ipvar HOME_NET [192.168.X.0/24]
...
####################################################################
# Step #6: Configure output plugins
...
# syslog
output alert_syslog: LOG_AUTH LOG_ALERT
...
###################################################
# Step #7: Customize your rule set
...
# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
...
# закомментируйте все правила ниже
...
[server:~] # fetch --no-verify-peer https://www.snort.org/downloads/community/community-rules.tar.gz

[server:~] # tar -xvf community-rules.tar.gz

[server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/
[server:~] # touch /usr/local/etc/snort/rules/local.rules
[server:~] # cp community-rules/sid-msg.map /usr/local/etc/snort/sid-msg.map

[server:~] # mkdir /usr/local/etc/rules/
[server:~] # touch /usr/local/etc/rules/black_list.rules
[server:~] # touch /usr/local/etc/rules/white_list.rules

!!! Раскомментировать правило
[server:~] # cat /usr/local/etc/snort/rules/community.rules
...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
...
[server:~] # # cd /usr/local/etc/snort/preproc_rules/
[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
[server:~] # # cp decoder.rules-sample decoder.rules
[server:~] # # cp preprocessor.rules-sample preprocessor.rules
[server:~] # snort -T -c /usr/local/etc/snort/snort.conf

[server:~] # snort -A console -i em2 -c /usr/local/etc/snort/snort.conf

[server:~] # service snort rcvar

[server:~] # cat /etc/rc.conf
...
snort_enable=YES
snort_interface=em2
[server:~] # service snort start

Windows

Установка Snort

Распаковка правил

Настройка и тестирование конфигурации

shell>notepad++ c:\Snort\etc\snort.conf
...
var RULE_PATH c:\snort\rules
var SO_RULE_PATH c:\snort\rules
var PREPROC_RULE_PATH c:\snort\rules
...
#my var WHITE_LIST_PATH ../rules
#my var BLACK_LIST_PATH ../rules
...
config logdir: c:\snort\log
...
dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
...
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
...
#my dynamicdetection directory /usr/local/lib/snort_dynamicrules
...
#my preprocessor normalize_ip4
#my preprocessor normalize_tcp: ips ecn stream
#my preprocessor normalize_icmp4
#my preprocessor normalize_ip6
#my preprocessor normalize_icmp6
...
preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
...
#my preprocessor reputation: \
#my   memcap 500, \
#my   priority whitelist, \
#my   nested_ip inner, \
#my   whitelist $WHITE_LIST_PATH/white_list.rules, \
#my   blacklist $BLACK_LIST_PATH/black_list.rules 
...
output alert_fast: alert.ids
...
include c:\snort\etc\classification.config
include c:\snort\etc\reference.config
...
include c:\snort\etc\threshold.conf
...
shell>notepad++ C:\Snort\rules\server-iis.rules
...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
...
admin shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf --daq pcap

Запуск

Выбираем сетевой интерфейс (необходимо отключить ipv6) 

shell>c:\snort\bin\snort.exe -W

Запускаем в режиме отладки 

admin shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf --daq pcap

Запускаем в режиме службы (консоль заблокирует) 

admin shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf --daq pcap

shell>notepad++ C:\Snort\log\alert.ids
сервис_snort.txt · Last modified: 2024/05/11 16:43 by val

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki