

сервис_snort

сервис_snort [2017/07/05 11:47]
val
сервис_snort [2022/03/30 12:43] (current)
val [Debian/Ubuntu]
Line 6: Line 6:
   * [[http://​www.openinfosecfoundation.org//​Альтернативное решение]]   * [[http://​www.openinfosecfoundation.org//​Альтернативное решение]]
 ===== Установка,​ настройка,​ запуск сервиса ===== ===== Установка,​ настройка,​ запуск сервиса =====
- 
-==== FreeBSD ==== 
- 
-<​code>​ 
-[server:~] # pkg install snort 
- 
-[server:~] # cat /​usr/​local/​etc/​snort/​snort.conf 
-</​code><​code>​ 
-... 
-ipvar HOME_NET [192.168.X.0/​24] 
-... 
-####################################################################​ 
-# Step #6: Configure output plugins 
-... 
-# syslog 
-output alert_syslog:​ LOG_AUTH LOG_ALERT 
-... 
-###################################################​ 
-# Step #7: Customize your rule set 
-... 
-# site specific rules 
-include $RULE_PATH/​local.rules 
-include $RULE_PATH/​community.rules 
-... 
-# закомментируйте все правила ниже 
-... 
-</​code><​code>​ 
-[server:~] # fetch --no-verify-peer https://​www.snort.org/​downloads/​community/​community-rules.tar.gz 
- 
-[server:~] # tar -xvf community-rules.tar.gz 
- 
-[server:~] # cp community-rules/​community.rules /​usr/​local/​etc/​snort/​rules/​ 
-[server:~] # touch /​usr/​local/​etc/​snort/​rules/​local.rules 
-[server:~] # cp community-rules/​sid-msg.map /​usr/​local/​etc/​snort/​sid-msg.map 
- 
-[server:~] # mkdir /​usr/​local/​etc/​rules/​ 
-[server:~] # touch /​usr/​local/​etc/​rules/​black_list.rules 
-[server:~] # touch /​usr/​local/​etc/​rules/​white_list.rules 
- 
-!!! Раскомментировать правило 
-[server:~] # cat /​usr/​local/​etc/​snort/​rules/​community.rules 
-</​code><​code>​ 
-... 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"​WEB-IIS CodeRed v2 root.exe access";​ flow:​to_server,​established;​ uricontent:"/​root.exe";​ nocase; metadata:​service http; reference:​url,​www.cert.org/​advisories/​CA-2001-19.html;​ classtype:​web-application-attack;​ sid:1256; rev:11;) 
-... 
-</​code>​ 
-<​code>​ 
-[server:~] # # cd /​usr/​local/​etc/​snort/​preproc_rules/​ 
-[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules 
-[server:~] # # cp decoder.rules-sample decoder.rules 
-[server:~] # # cp preprocessor.rules-sample preprocessor.rules 
-</​code>​ 
- 
-<​code>​ 
-[server:~] # snort -T -c /​usr/​local/​etc/​snort/​snort.conf 
- 
-[server:~] # snort -A console -i em2 -c /​usr/​local/​etc/​snort/​snort.conf 
- 
-[server:~] # service snort rcvar 
- 
-[server:~] # cat /​etc/​rc.conf 
-</​code><​code>​ 
-... 
-snort_enable=YES 
-snort_interface=em2 
-</​code><​code>​ 
-[server:~] # service snort start 
-</​code>​ 
  
 ==== Debian/​Ubuntu ==== ==== Debian/​Ubuntu ====
 <​code>​ <​code>​
 root@server:​~#​ apt install snort root@server:​~#​ apt install snort
 +
 +!!! В визарде все по умолчанию ("не понимает"​ интерфейс bond1)
  
 root@server:​~#​ cat /​etc/​snort/​snort.debian.conf root@server:​~#​ cat /​etc/​snort/​snort.debian.conf
Line 83: Line 17:
 ... ...
 DEBIAN_SNORT_INTERFACE="​eth2"​ DEBIAN_SNORT_INTERFACE="​eth2"​
 +#​DEBIAN_SNORT_INTERFACE="​eth1"​
 +#​DEBIAN_SNORT_INTERFACE="​bond1"​
 DEBIAN_SNORT_HOME_NET="​192.168.0.0/​16"​ DEBIAN_SNORT_HOME_NET="​192.168.0.0/​16"​
 +#​DEBIAN_SNORT_HOME_NET="​any"​
 ... ...
 </​code><​code>​ </​code><​code>​
Line 97: Line 34:
 root@server:​~#​ snort -T -S HOME_NET=[192.168.0.0/​16] -c /​etc/​snort/​snort.conf root@server:​~#​ snort -T -S HOME_NET=[192.168.0.0/​16] -c /​etc/​snort/​snort.conf
  
-root@server:​~#​ service snort stop +root@server:​~#​ service snort restart
- +
-root@server:​~#​ snort -A console -i eth2 -S HOME_NET=[192.168.0.0/​16] -c /​etc/​snort/​snort.conf +
- +
-root@server:​~#​ service snort start+
 </​code>​ </​code>​
  
 ===== Тестирование ===== ===== Тестирование =====
  
-==== FreeBSD/Debian/​Ubuntu ====+==== Debian/​Ubuntu ====
 <​code>​ <​code>​
-# tail -f /​var/​log/​auth.log+# less /​etc/​snort/​rules/​web-iis.rules 
 + 
 +# tail -f /​var/​log/​auth.log ​| grep Red
 </​code>​ </​code>​
  
-==== Пример атаки с server.isp.un ====+==== Пример атаки с isp.un ====
 <​code>​ <​code>​
-server.isp.un$ wget http://server.corpX.un/root.exe+isp.un$ wget http://192.168.X.10/root.exe
 </​code>​ </​code>​
- 
- 
  
 ===== Создание собственных правил snort ===== ===== Создание собственных правил snort =====
  
-[[http://​oreilly.com/​pub/​h/​1393]]+  * [[http://​oreilly.com/​pub/​h/​1393|Write Your Own Snort Rules ]]
  
-==== FreBSD/Debian/​Ubuntu ====+==== Debian/​Ubuntu ====
 <​code>​ <​code>​
 # cat rules/​local.rules # cat rules/​local.rules
 </​code><​code>​ </​code><​code>​
 alert tcp any any -> any 80 (msg:"​Directory traversal attempt";​ flow:​to_server;​ content:"​../​..";​ nocase; reference:​url,​wiki.val.bmstu.ru;​ classtype:​web-application-attack;​ sid:​1000001;​ rev:1;) alert tcp any any -> any 80 (msg:"​Directory traversal attempt";​ flow:​to_server;​ content:"​../​..";​ nocase; reference:​url,​wiki.val.bmstu.ru;​ classtype:​web-application-attack;​ sid:​1000001;​ rev:1;)
 +</​code><​code>​
 +$ curl --path-as-is http://​server.corpX.un/​../​../​../​etc/​passwd
 </​code>​ </​code>​
- 
 ===== Обновление правил snort - пакет oinkmaster ===== ===== Обновление правил snort - пакет oinkmaster =====
  
Line 188: Line 122:
  
 ===== Дополнительные материалы ===== ===== Дополнительные материалы =====
 +
 +==== FreeBSD ====
 +
 +<​code>​
 +[server:~] # pkg install snort
 +
 +[server:~] # cat /​usr/​local/​etc/​snort/​snort.conf
 +</​code><​code>​
 +...
 +ipvar HOME_NET [192.168.X.0/​24]
 +...
 +####################################################################​
 +# Step #6: Configure output plugins
 +...
 +# syslog
 +output alert_syslog:​ LOG_AUTH LOG_ALERT
 +...
 +###################################################​
 +# Step #7: Customize your rule set
 +...
 +# site specific rules
 +include $RULE_PATH/​local.rules
 +include $RULE_PATH/​community.rules
 +...
 +# закомментируйте все правила ниже
 +...
 +</​code><​code>​
 +[server:~] # fetch --no-verify-peer https://​www.snort.org/​downloads/​community/​community-rules.tar.gz
 +
 +[server:~] # tar -xvf community-rules.tar.gz
 +
 +[server:~] # cp community-rules/​community.rules /​usr/​local/​etc/​snort/​rules/​
 +[server:~] # touch /​usr/​local/​etc/​snort/​rules/​local.rules
 +[server:~] # cp community-rules/​sid-msg.map /​usr/​local/​etc/​snort/​sid-msg.map
 +
 +[server:~] # mkdir /​usr/​local/​etc/​rules/​
 +[server:~] # touch /​usr/​local/​etc/​rules/​black_list.rules
 +[server:~] # touch /​usr/​local/​etc/​rules/​white_list.rules
 +
 +!!! Раскомментировать правило
 +[server:~] # cat /​usr/​local/​etc/​snort/​rules/​community.rules
 +</​code><​code>​
 +...
 +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"​WEB-IIS CodeRed v2 root.exe access";​ flow:​to_server,​established;​ uricontent:"/​root.exe";​ nocase; metadata:​service http; reference:​url,​www.cert.org/​advisories/​CA-2001-19.html;​ classtype:​web-application-attack;​ sid:1256; rev:11;)
 +...
 +</​code>​
 +<​code>​
 +[server:~] # # cd /​usr/​local/​etc/​snort/​preproc_rules/​
 +[server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
 +[server:~] # # cp decoder.rules-sample decoder.rules
 +[server:~] # # cp preprocessor.rules-sample preprocessor.rules
 +</​code>​
 +
 +<​code>​
 +[server:~] # snort -T -c /​usr/​local/​etc/​snort/​snort.conf
 +
 +[server:~] # snort -A console -i em2 -c /​usr/​local/​etc/​snort/​snort.conf
 +
 +[server:~] # service snort rcvar
 +
 +[server:~] # cat /​etc/​rc.conf
 +</​code><​code>​
 +...
 +snort_enable=YES
 +snort_interface=em2
 +</​code><​code>​
 +[server:~] # service snort start
 +</​code>​
  
 ==== Windows ==== ==== Windows ====
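Review bot: The rule download in the relocated FreeBSD block on the new side, `[server:~] # fetch --no-verify-peer https://www.snort.org/downloads/community/community-rules.tar.gz`, disables TLS certificate verification, so the rule set the sensor later loads via `include $RULE_PATH/community.rules` could be altered in transit without the operator noticing. The flag reads like a workaround for a missing CA bundle rather than a deliberate choice; if the host has no trust store, installing one (on FreeBSD the `ca_root_nss` package, if the base system does not already ship certificates) lets plain `fetch https://…` verify the peer, and comparing the archive against the checksum published alongside it would cover the remaining risk. A one-line comment above the command, `# --no-verify-peer skips TLS verification: install a CA bundle and drop the flag, or check the published checksum before copying the rules`, would stop readers from carrying the flag into production. The same line existed in the FreeBSD block removed at the top of the page, so this predates the revision and applies to both the old and new placement.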
сервис_snort.1499244441.txt.gz · Last modified: 2017/07/05 11:47 by val