shell>notepad++ c:\Snort\etc\snort.conf
... var RULE_PATH c:\snort\rules var SO_RULE_PATH c:\snort\rules var PREPROC_RULE_PATH c:\snort\rules ... #my var WHITE_LIST_PATH ../rules #my var BLACK_LIST_PATH ../rules ... config logdir: c:\snort\log ... dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor ... dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll ... #my dynamicdetection directory /usr/local/lib/snort_dynamicrules ... #my preprocessor normalize_ip4 #my preprocessor normalize_tcp: ips ecn stream #my preprocessor normalize_icmp4 #my preprocessor normalize_ip6 #my preprocessor normalize_icmp6 ... preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535 ... #my preprocessor reputation: \ #my memcap 500, \ #my priority whitelist, \ #my nested_ip inner, \ #my whitelist $WHITE_LIST_PATH/white_list.rules, \ #my blacklist $BLACK_LIST_PATH/black_list.rules ... output alert_fast: alert.ids ... include c:\snort\etc\classification.config include c:\snort\etc\reference.config ... include c:\snort\etc\threshold.conf ...
shell>notepad++ C:\Snort\rules\server-iis.rules
... alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;) ...
shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf
Выбираем сетевой интерфейс
shell>c:\snort\bin\snort.exe -W
Запускаем в режиме отладки
shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf
Запускаем в режиме службы (консоль заблокирует)
shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf shell>notepad++ C:\Snort\log\alert.ids
[server:~] # pkg install snort [server:~] # cat /usr/local/etc/snort/snort.conf
... ipvar HOME_NET [192.168.X.0/24] ... #################################################################### # Step #6: Configure output plugins ... # syslog output alert_syslog: LOG_AUTH LOG_ALERT ... ################################################### # Step #7: Customize your rule set ... # site specific rules include $RULE_PATH/local.rules include $RULE_PATH/community.rules ... # закомментируйте все правила ниже ...
[server:~] # fetch --no-verify-peer https://www.snort.org/downloads/community/community-rules.tar.gz [server:~] # tar -xvf community-rules.tar.gz [server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/ [server:~] # touch /usr/local/etc/snort/rules/local.rules [server:~] # mkdir /usr/local/etc/rules/ [server:~] # touch /usr/local/etc/rules/black_list.rules [server:~] # touch /usr/local/etc/rules/white_list.rules !!! Раскомментировать правило [server:~] # cat /usr/local/etc/snort/rules/community.rules
... alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;) ...
[server:~] # service snort rcvar [server:~] # cat /etc/rc.conf
... snort_enable=YES snort_interface=em2
[server:~] # rehash [server:~] # snort -T -c /usr/local/etc/snort/snort.conf [server:~] # service snort start
root@server:~# apt-get install snort root@server:~# cat /etc/snort/snort.debian.conf
... DEBIAN_SNORT_INTERFACE="eth2" DEBIAN_SNORT_HOME_NET="192.168.0.0/16" ...
root@server:~# cat /etc/snort/snort.conf
... #################################################################### # Step #6: Configure output plugins ... output alert_syslog: LOG_AUTH LOG_ALERT ...
root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf root@server:~# /etc/init.d/snort stop root@server:~# /etc/init.d/snort start
# tail -f /var/log/auth.log
server.isp.un$ wget http://server.corpX.un/root.exe
# cat rules/local.rules
alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;)
[server:~] # pkg install oinkmaster [server:~] # rehash [server:~] # cd /usr/local/etc/
root@server:~# apt-get install oinkmaster root@server:~# cd /etc/
server# cat oinkmaster.conf ... url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz ... tmpdir = /var/tmp/ ... server# oinkmaster -o /CHANGE/DIR/snort/rules/
[server:~] # pkg_add -r snortsnarf
[server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
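#!/bin/sh
# Daily SnortSnarf report rotation (FreeBSD; uses BSD date -v).
#
# Stops snort, rotates /var/log/snort/alert, restarts snort, merges every
# rotated alert.* fragment into a file stamped with yesterday's date, renders
# it with snortsnarf under the web root, and prunes report directories older
# than 60 days.
#
# Globals:   none read; writes under $log_dir and $www_dir
# Arguments: none
# Returns:   1 if the date stamp cannot be built, otherwise the status of
#            the last find(1) run
set -u

log_dir=/var/log/snort
www_dir=/usr/local/www/apache22/data/snortsnarf

# Yesterday's date, e.g. 2024.01.31 (constructed example) — the alerts being
# rotated belong to the day that just ended.  Abort if it is empty: with an
# empty stamp the merge target below would be the live "alert" file, which
# is then deleted after the report is generated.
D=$(date -v-1d '+%Y.%m.%d')
if [ -z "$D" ]; then
  printf 'snortsnarf.sh: cannot determine date stamp\n' >&2
  exit 1
fi

/usr/local/etc/rc.d/snort stop
/bin/mv -- "${log_dir}/alert" "${log_dir}/alert."
/usr/local/etc/rc.d/snort start

# Merge every rotated fragment into one dated file.  The "alert.*" pattern
# does not match "alert<date>" (no dot after "alert"), so the merge target
# is never consumed by its own loop.  Skip the literal pattern when nothing
# matched so cat/rm are not run on a non-existent name.
for frag in "${log_dir}"/alert.*; do
  [ -e "$frag" ] || continue
  cat -- "$frag" >> "${log_dir}/alert${D}"
  rm -- "$frag"
done

/usr/local/bin/snortsnarf -d "${www_dir}/${D}/" -minprio=1 "${log_dir}/alert${D}"
rm -- "${log_dir}/alert${D}"

# Prune report directories older than 60 days.  -mindepth 1 keeps the report
# root itself out of the candidate set; -prune stops find from descending
# into a directory it is about to remove, which otherwise produces
# "No such file or directory" noise after each rm -r.
/usr/bin/find "${www_dir}/" -mindepth 1 -type d -mtime +60 -prune -exec rm -r -- {} \;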