# pkg_add -r snortsam
# more /usr/local/share/doc/snortsam/README.conf
# cd /usr/local/etc/snortsam/
# wget -O /usr/sbin/snortsam http://val.bmstu.ru/unix/snort/snortsam_ubuntu1204.bin
# chmod +x /usr/sbin/snortsam
# mkdir /etc/snortsam
# cd /etc/snortsam
Note: this installs a prebuilt binary fetched over plain HTTP from a third-party mirror, with no checksum or signature to verify it against; the source build below is the auditable alternative.
# cd /usr/src
/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.70.tar.gz
ИЛИ
/usr/src# wget http://val.bmstu.ru/unix/snort/snortsam-src-2.70.tar.gz
/usr/src# tar -xvf snortsam-src-2.70.tar.gz
/usr/src# cd snortsam/
/usr/src/snortsam# apt-get install gcc-4.4
/usr/src/snortsam# ln -sf /usr/bin/gcc-4.4 /usr/bin/gcc
/usr/src/snortsam# sh makesnortsam.sh
/usr/src/snortsam# ln -sf /usr/bin/gcc-4.6 /usr/bin/gcc
/usr/src/snortsam# cp snortsam /usr/sbin/
/usr/src/snortsam# mkdir /etc/snortsam
/usr/src/snortsam# cd /etc/snortsam
# cat snortsam.conf
daemon
nothreads
accept 127.0.0.1
defaultkey secret
logfile /var/log/snortsam.log
`defaultkey` is the shared key every connecting sensor must present; it has to match the key given in the `output alert_fwsam:` line of snort.conf below, and `accept 127.0.0.1` restricts connections to the local sensor.
gate# cat snortsam.conf
... iptables eth1 log
# touch /etc/ipf.rules
# cat /etc/rc.conf
... ipfilter_enable=yes
# /etc/rc.d/ipfilter start
# cat snortsam.conf
... ipf em1
http://www.lissyara.su/articles/freebsd/security/snort/
gate# cat snortsam.conf
...
ipfw2 em1 1 2
# With tables rules like:
# 00010 deny ip from any to table 1 via em1
# 00011 deny ip from table 2 to any via em1
fwexec /sbin/ipfw
В случае использования aaa new-model требуется пользователь c priv-lvl = 1
server# cat snortsam.acl
conf terminal
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
snortsam-ciscoacl-begin
snortsam-ciscoacl-end
permit tcp any host 192.168.X.10 eq www
permit tcp any host 192.168.X.10 eq 22
permit ip any 172.16.1.X
permit icmp any any
permit udp any any
permit tcp any any established
deny ip any any log
end
server# cat snortsam.conf
...
# ciscoacl 192.168.X.1 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl
# ciscoacl 192.168.X.1 cisco cisco /etc/snortsam/snortsam.acl
The router login and enable credentials (`student/tacacs` and `cisco` in this example) are stored in cleartext in snortsam.conf, so the file should be readable only by the account that runs snortsam.
server# cat /tftpboot/snortsam.acl
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
snortsam-ciscoacl-begin
snortsam-ciscoacl-end
permit tcp any host 192.168.X.3 eq www
permit icmp any any
permit udp any any
permit tcp any any established
deny ip any any log
end
server# cat snortsam.tftp
copy tftp://192.168.X.1/ running-config
server# cat snortsam.conf
...
# ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
# ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp
In this variant the router pulls the generated ACL from /tftpboot; TFTP is unauthenticated and unencrypted, so the TFTP directory should contain nothing sensitive and the service should be reachable only from the router.
server# cd /tftpboot/
[server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf
root@server:/tftpboot# snortsam /etc/snortsam/snortsam.conf
server# cat snortsam.conf
... cisconullroute 192.168.X.1 student/tacacs cisco
[server:~] # /usr/local/etc/rc.d/snortsam rcvar
[server:~] # /usr/local/etc/rc.d/snortsam start
root@server:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf
[server:~] # pkg_add -vr automake110 gettext gmake bison
[server:~] # cd /usr/ports/
[server:/usr/ports] # fetch http://val.bmstu.ru/unix/snort/snort2921_dst.tar
[server:/usr/ports] # tar -xvf snort2921_dst.tar
[server:~] # cd /usr/ports/security/snort
[server:ports/security/snort] # make config
[server:ports/security/snort] # cat /var/db/ports/snort/options
... WITH_SNORTSAM=true ...
[server:ports/security/snort] # make install clean
[server:ports/security/snort] # cd /usr/local/etc/snort/
# apt-get install snort-common snort-rules-default
# apt-get remove snort
# wget http://val.bmstu.ru/unix/snort/libdnet_1.12-1_i386.deb
# dpkg -i libdnet_1.12-1_i386.deb
# ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
# wget http://val.bmstu.ru/unix/snort/snort_2.9.2.1-1_i386.deb
# dpkg -i snort_2.9.2.1-1_i386.deb
# ln -s /usr/local/bin/snort /usr/sbin/snort
# update-rc.d snort defaults
# cd /etc/snort
http://bailey.st/blog/2010/10/06/compiling-snort-2-9-0/
# apt-get install snort-common snort-rules-default
# apt-get remove snort
# apt-get autoremove
# cd /usr/src
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar -xvf libdnet-1.12.tgz
# cd libdnet-1.12/
# ./configure
# make
# checkinstall
# ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
# cd /usr/src
# apt-get install flex bison
# wget -O daq-0.6.2.tar.gz http://www.snort.org/downloads/1623
# tar -xvf daq-0.6.2.tar.gz
# cd daq-0.6.2/
# ./configure
# make
# checkinstall
# ln -s /usr/local/lib/libsfbpf.so.0.0.1 /usr/lib/libsfbpf.so.0
# cd /usr/src
# apt-get install zlib1g-dev
# wget http://val.bmstu.ru/unix/snort/snort-2.9.2.1.tar.gz
# tar -xvf snort-2.9.2.1.tar.gz
# wget http://val.bmstu.ru/unix/snort/snortsam-2.9.1.2.diff.gz
# gunzip snortsam-2.9.1.2.diff.gz
# cd snort-2.9.2.1/
# patch -p1 < ../snortsam-2.9.1.2.diff
# sh autojunk.sh
# sed -i.bak -e '17108d' configure
# ./configure
# make
# checkinstall
# ln -s /usr/local/lib/snort_dynamicpreprocessor /usr/lib/snort_dynamicpreprocessor
# ln -s /usr/local/lib/snort_dynamicengine/ /usr/lib/snort_dynamicengine
# ln -s /usr/local/bin/snort /usr/sbin/snort
# update-rc.d snort defaults
# cd /etc/snort
server# cat snort.conf
...
###################################################
# Step #6: Configure output plugins
...
output alert_fwsam: 127.0.0.1:898/secret
...
server# cat sid-block.map
1256: src, 2 min
1000001: src, 2 min
server# cat classification.config
... config classification: web-application-attack,Web Application Attack,1 ...
# cat /etc/init.d/snort
...
start)
  ifconfig eth2 up
  /usr/sbin/snortsam /etc/snortsam/snortsam.conf
...
stop)
  killall snortsam
...