

сервис_snortsam



Сервис SNORTSAM

Установка пакета

FreeBSD

# pkg_add -r snortsam

# more /usr/local/share/doc/snortsam/README.conf

# cd /usr/local/etc/snortsam/

Ubuntu

На курсах

# wget -O /usr/sbin/snortsam http://val.bmstu.ru/unix/snort/snortsam_ubuntu1204.bin

# chmod +x /usr/sbin/snortsam

# mkdir /etc/snortsam

# cd /etc/snortsam

На работе

# cd /usr/src

/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.70.tar.gz

ИЛИ

/usr/src# wget http://val.bmstu.ru/unix/snort/snortsam-src-2.70.tar.gz

/usr/src# tar -xvf snortsam-src-2.70.tar.gz

/usr/src# cd snortsam/

/usr/src/snortsam# apt-get install gcc-4.4

/usr/src/snortsam# ln -sf /usr/bin/gcc-4.4 /usr/bin/gcc

/usr/src/snortsam# sh makesnortsam.sh

/usr/src/snortsam# ln -sf /usr/bin/gcc-4.6 /usr/bin/gcc

/usr/src/snortsam# cp snortsam /usr/sbin/

/usr/src/snortsam# mkdir /etc/snortsam

/usr/src/snortsam# cd /etc/snortsam

Базовая конфигурация (значение defaultkey ниже — учебный пример; в реальной установке задаётся свой ключ, и он должен совпадать с ключом в строке output alert_fwsam в snort.conf)

# cat snortsam.conf
daemon
nothreads
accept 127.0.0.1
defaultkey secret
logfile /var/log/snortsam.log

Блокировка через netfilter

gate# cat snortsam.conf
...
iptables eth1 log

Блокировка через ipfilter

# touch /etc/ipf.rules

# cat /etc/rc.conf
...
ipfilter_enable=yes
# /etc/rc.d/ipfilter start

# cat snortsam.conf
...
ipf em1

Блокировка через ipfw2

http://www.lissyara.su/articles/freebsd/security/snort/

gate# cat snortsam.conf
...
ipfw2 em1 1 2
#   With tables rules like:
#              00010 deny ip from any to table 1 via em1
#              00011 deny ip from table 2 to any via em1
fwexec /sbin/ipfw

Блокировка на cisco router

В случае использования aaa new-model требуется пользователь с priv-lvl = 1

1. Использование списков доступа и протокола telnet

server# cat snortsam.acl
conf terminal
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.10 eq www
 permit tcp any host 192.168.X.10 eq 22
 permit ip any 172.16.1.X
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
server# cat snortsam.conf
...
# ciscoacl 192.168.X.1 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl
# ciscoacl 192.168.X.1 cisco cisco /etc/snortsam/snortsam.acl

2. Использование списков доступа и протокола tftp

Настройка

server# cat /tftpboot/snortsam.acl
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.10 eq www
 permit tcp any host 192.168.X.10 eq 22
 permit ip any 172.16.1.X
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
server# cat snortsam.tftp
copy tftp://192.168.X.1/ running-config
server# cat snortsam.conf
...
# ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
# ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp
server# cd /tftpboot/

Запуск при использовании протокола tftp

FreeBSD
[server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf
Ubuntu
root@server:/tftpboot# snortsam /etc/snortsam/snortsam.conf

3. Использование null маршрутов

server# cat snortsam.conf
...
cisconullroute 192.168.X.1 student/tacacs cisco

Запуск snortsam

FreeBSD

[server:~] # /usr/local/etc/rc.d/snortsam rcvar

[server:~] # /usr/local/etc/rc.d/snortsam start

Ubuntu

root@server:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf

Подключение Snort к Snortsam

Сборка Snort с поддержкой Snortsam в FreeBSD

На курсах:

[server:~] # pkg_delete snort-2.9.2.1_2
[server:~] # pkg_add -vr automake110 gettext gmake bison

[server:~] # cd /usr/ports/

[server:/usr/ports] # fetch http://val.bmstu.ru/unix/snort/snort2921_dst.tar

[server:/usr/ports] # tar -xvf snort2921_dst.tar

[server:~] # cd /usr/ports/security/snort

[server:ports/security/snort] # make config

[server:ports/security/snort] # cat /var/db/ports/snort/options
...
WITH_SNORTSAM=true
...
[server:ports/security/snort] # make install clean

[server:ports/security/snort] # cd /usr/local/etc/snort/

Сборка Snort с поддержкой Snortsam в Ubuntu

На курсах

# apt-get install snort-common snort-rules-default

# apt-get remove snort

# wget http://val.bmstu.ru/unix/snort/libdnet_1.12-1_i386.deb

# dpkg -i libdnet_1.12-1_i386.deb

# ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

# wget http://val.bmstu.ru/unix/snort/snort_2.9.2.1-1_i386.deb

# dpkg -i snort_2.9.2.1-1_i386.deb

# ln -s /usr/local/bin/snort /usr/sbin/snort

# update-rc.d snort defaults

# cd /etc/snort

На работе

http://bailey.st/blog/2010/10/06/compiling-snort-2-9-0/

Работа с исходными текстами

# apt-get install snort-common snort-rules-default

# apt-get remove snort

# apt-get autoremove

# cd /usr/src

# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar -xvf libdnet-1.12.tgz
# cd libdnet-1.12/
# ./configure
# make
# checkinstall
# ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

# cd /usr/src
# apt-get install flex bison

# wget -O daq-0.6.2.tar.gz http://www.snort.org/downloads/1623
# tar -xvf daq-0.6.2.tar.gz
# cd daq-0.6.2/
# ./configure
# make
# checkinstall
# ln -s /usr/local/lib/libsfbpf.so.0.0.1 /usr/lib/libsfbpf.so.0

# cd /usr/src
# apt-get install zlib1g-dev

# wget http://val.bmstu.ru/unix/snort/snort-2.9.2.1.tar.gz
# tar -xvf snort-2.9.2.1.tar.gz
# wget http://val.bmstu.ru/unix/snort/snortsam-2.9.1.2.diff.gz
# gunzip snortsam-2.9.1.2.diff.gz

# cd snort-2.9.2.1/

# patch -p1 < ../snortsam-2.9.1.2.diff

# sh autojunk.sh
# sed -i.bak -e '17108d' configure
# ./configure
# make
# checkinstall
# ln -s /usr/local/lib/snort_dynamicpreprocessor /usr/lib/snort_dynamicpreprocessor
# ln -s /usr/local/lib/snort_dynamicengine/ /usr/lib/snort_dynamicengine

# ln -s /usr/local/bin/snort /usr/sbin/snort

# update-rc.d snort defaults

# cd /etc/snort

Настройка Snort на взаимодействие с Snortsam

FreeBSD/Ubuntu

server# cat snort.conf
...
###################################################
# Step #6: Configure output plugins
...
output alert_fwsam: 127.0.0.1:898/secret
...
server# cat sid-block.map
1256: src, 2 min
1000001: src, 2 min

Принцип отбора правил

server# cat classification.config
...
config classification: web-application-attack,Web Application Attack,1
...

Автоматизация запуска snortsam одновременно с snort в Ubuntu

# cat /etc/init.d/snort
...
  start)
        ifconfig eth2 up
        /usr/sbin/snortsam /etc/snortsam/snortsam.conf
...
  stop)
        killall snortsam
...