1. [Introduction: text not recoverable from the extraction.]

2. Snort on Linux (http://www.snort.org)

3. [Overview of Snort: text mostly not recoverable; it names CGI, syslog, telnet and ftp as examples of what Snort's rules cover.]

4. Installation

Snort needs the pcre library (http://www.pcre.org). Build and install it first:

[root@net122 root]# tar zxvf pcre-4.1.tar.gz
[root@net122 root]# cd pcre-4.1
[root@net122 pcre-4.1]# ./configure; make; make install

Download Snort 2.1.0 from http://www.snort.org and unpack it:

[root@net122 linul]# tar zxvf snort-2.1.0.tar.gz

Snort also needs libpcap. Check whether it is installed (the pipe was lost in the original command):

[root@net122 root]# rpm -qa | grep libpcap
libpcap-0.7.2-7.1

The build follows the usual ./configure, make, make install sequence. The options that ./configure accepts are:
`--enable-debug'
    Enable debugging options (bugreports and developers only).
`--with-snmp'
    Enable SNMP alerting code.
`--enable-smbalerts'
    Enable the SMB alerting code, which is somewhat unsafe as it executes a popen() call from within the program (which runs at root privs). You've been warned, use it with caution!
`--enable-flexresp'
    Enable the 'Flexible Response' code, that allows you to cancel hostile connections on IP-level when a rule matches. When you enable this feature, you also need the 'libnet'-library that can be found at http://www.packetfactory.net/libnet. See README.FLEXRESP for details. This function is still ALPHA, so use with caution.
`--with-mysql=dir'
    Support for mysql, turn this on if you want to use ACID with MySQL.
`--with-odbc=dir'
    Support for ODBC databases, turn this on if you want to use ACID with a non-listed DB.
`--with-postgresql=dir'
    Support for Postgresql databases, turn this on if you want to use ACID with PostgreSQL.
`--with-oracle=dir'
    Support for Oracle databases, turn this on if you want to use ACID with Oracle.
`--with-openssl=dir'
    Support for openssl (used by the XML output plugin).
`--with-libpq-includes=dir'
    Set the include directories for Postgres SQL database support to DIR.
`--with-libpcap-includes=dir'
    If the configuration script can't find the libpcap include files on its own, the path can be set manually with this switch.
`--with-libpcap-libraries=dir'
    If the configuration script can't find the libpcap library files on its own, the path can be set manually with this switch.
`--with-libxml2-includes=dir'
    Libxml2 include directory.
`--with-libxml2-libraries=dir'
    Libxml2 library directory.
`--with-libntp-libraries=dir'
    Libntp library directory.
`--with-libidmef-includes=dir'
    Libidmef include directory.
`--with-libidmef-libraries=dir'
    Libidmef library directory.
Build and install with the default options:

[root@net122 snort-2.1.0]# ./configure
[root@net122 snort-2.1.0]# make
[root@net122 snort-2.1.0]# make install

Then edit /etc/snort/snort.conf. Change the home network from

var HOME_NET any

to the local network, for example

var HOME_NET 192.192.73.0/24

and change the rule path from

var RULE_PATH ../

to the rule directory

var RULE_PATH /etc/snort/rules

Start snort:

[root@net122 snort]# /usr/local/bin/snort -v -l /var/log/snort

-v is sniffer mode and -l is packet logger mode; the packets are logged under /var/log/snort. Listing that directory shows one subdirectory per IP address plus the alert, ARP and PACKET_NONIP entries:

[root@net122 snort]# ls
210.118.121.13  218.76.106.77   65.93.73.29    83.112.2.70
210.202.66.14   218.80.11.115   66.111.54.190  alert
210.49.49.17    218.80.191.35   66.186.79.166  ARP
210.58.155.31   218.80.30.224   66.187.233.4   PACKET_NONIP
210.68.141.78   218.84.221.248  66.234.206.10
210.75.28.5     218.89.138.22   66.38.8.84

To run snort as a NIDS:

[root@net122 snort]# /usr/local/bin/snort -c /etc/snort/snort.conf -D

-c makes snort load the configuration and rules from /etc/snort/snort.conf, and -D runs it as a daemon. Alerts are written to /var/log/snort/alert. [Note on network conditions and the size of the alert log not recoverable; it mentions a figure of 50k.] To read the alert file:

[root@net122 snort]# less alert
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
02/18-15:47:31.389221 192.192.73.121:1374 -> 66.35.229.185:80
TCP TTL:128 TOS:0x0 ID:14579 IpLen:20 DgmLen:736 DF
***AP*** Seq: 0xE345D9D Ack: 0x8DDCB4EA Win: 0x4320 TcpLen: 20

[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
02/18-15:47:35.861355 192.192.73.121:1372 -> 66.102.9.99:80
TCP TTL:128 TOS:0x0 ID:14608 IpLen:20 DgmLen:635 DF
***AP*** Seq: 0xE2E6680 Ack: 0x8D953196 Win: 0x4320 TcpLen: 20

[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
02/18-15:47:35.862964 192.192.73.121:1372 -> 66.102.9.99:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1110
***AP*** Seq: 0x8D953196 Ack: 0xE2E68D3 Win: 0x16D0 TcpLen: 20

[Text on Snort add-ons not recoverable.] One of them is Guardian, which works from the snort alert log.
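The alert entries above are in Snort's full alert format: a header line with generator id, signature id and revision, a flow line with timestamp and addresses, then the IP and transport headers. The block below is an added example, not code from the original page or from the Snort project: a small Python parser for that format, with the per-signature and per-source counts that a SnortSnarf-style report is built from, and an exclusion list in the role of /etc/guardian.ignore. The sample text reuses the first two http_inspect entries from the page and adds one constructed ICMP entry with a local-range SID and made-up addresses; the function names and the ignore list are assumptions.

```python
import re
from collections import Counter

# Two entries copied from the alert excerpt above, plus one constructed ICMP
# entry (local SID range, made-up addresses) to cover a protocol without ports.
SAMPLE_ALERT = """\
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
02/18-15:47:31.389221 192.192.73.121:1374 -> 66.35.229.185:80
TCP TTL:128 TOS:0x0 ID:14579 IpLen:20 DgmLen:736 DF
***AP*** Seq: 0xE345D9D Ack: 0x8DDCB4EA Win: 0x4320 TcpLen: 20

[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
02/18-15:47:35.861355 192.192.73.121:1372 -> 66.102.9.99:80
TCP TTL:128 TOS:0x0 ID:14608 IpLen:20 DgmLen:635 DF
***AP*** Seq: 0xE2E6680 Ack: 0x8D953196 Win: 0x4320 TcpLen: 20

[**] [1:1000001:1] LOCAL ICMP echo to gateway [**]
02/18-15:48:02.000123 10.0.0.5 -> 192.192.73.2
ICMP TTL:44 TOS:0x0 ID:55161 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO
"""

# First line: [**] [gid:sid:rev] (preprocessor) message [**]
HEADER_RE = re.compile(
    r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<pp>[^)]+)\) )?(?P<msg>.+?) \[\*\*\]$"
)
# Second line: MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]
FLOW_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse blank-line separated full-format alert entries into dicts."""
    alerts = []
    for entry in re.split(r"\n\s*\n", text.strip()):
        lines = entry.splitlines()
        if len(lines) < 3:
            continue
        head = HEADER_RE.match(lines[0])
        flow = FLOW_RE.match(lines[1])
        if not head or not flow:
            continue  # skip a truncated or malformed entry instead of crashing
        alerts.append({
            "gid": int(head["gid"]),
            "sid": int(head["sid"]),
            "rev": int(head["rev"]),
            "preprocessor": head["pp"],
            "msg": head["msg"],
            "timestamp": flow["ts"],
            "src": flow["src"],
            "sport": int(flow["sport"]) if flow["sport"] else None,
            "dst": flow["dst"],
            "dport": int(flow["dport"]) if flow["dport"] else None,
            # Third line starts with the protocol name: TCP, UDP, ICMP, ...
            "proto": lines[2].split()[0],
        })
    return alerts


def count_by_signature(alerts):
    """Alert count per (gid, sid, msg): the signature table of a report."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def count_by_source(alerts, ignore=()):
    """Alert count per source address, leaving out hosts on an ignore list
    (the role /etc/guardian.ignore plays: DNS server, gateway, and so on)."""
    skip = set(ignore)
    return Counter(a["src"] for a in alerts if a["src"] not in skip)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT)
    for sig, n in count_by_signature(parsed).most_common():
        print(n, sig)
    # Assumed ignore list: the monitored host itself, as guardian.ignore would list it
    print(count_by_source(parsed, ignore=["192.192.73.121"]))
```

Entries the regexes do not match are skipped rather than raising, which matters for a file that is being appended to by a running snort and may end mid-entry.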
Guardian is at http://www.snort.org/dl/contrib/other_tools/guardian/. It is a Perl script, configured through guardian.conf. The entries to set are:

Interface eth0
HostGatewayByte 1
AlertFile /var/log/snort/alert

Interface is the interface snort listens on. HostGatewayByte is the last byte of the gateway's IP address [the original's example host here is 192.192.73.122]. AlertFile defaults to /var/adm/secure and must be changed to the snort alert file, /var/log/snort/alert. Also create /etc/guardian.ignore, listing the hosts Guardian must never block, for example the DNS server and the gateway.

Move guardian.conf to /etc:

[root@net122 guardian-1.6]# mv guardian.conf /etc

and install the script and the block/unblock scripts (the original had a typo, guardiam_unblock.sh, in the second mv, which would have made the later cp fail):

cp guardian.pl /usr/local/bin
cd script/
mv iptables_block.sh guardian_block.sh
mv iptables_unblock.sh guardian_unblock.sh
cp guardian_block.sh /usr/local/bin
cp guardian_unblock.sh /usr/local/bin

Start Guardian with:

/usr/local/bin/guardian.pl -c /etc/guardian.conf

SnortSnarf produces HTML reports from the snort alert file. Download it from http://www.snort.org/dl/contrib/data_analysis/snortsnarf/ and unpack it:

[root@net122 linul]# tar zxvf SnortSnarf-021111.1.tar.gz
[root@net122 linul]# cd SnortSnarf-021111.1

Create a cgi directory and an HTML output directory for it:

[root@net122 SnortSnarf-021111.1]# mkdir /var/www/cgi-bin/snort
[root@net122 SnortSnarf-021111.1]# mkdir /var/www/html/snort

Copy the contents of cgi/, the include/ directory and snortsnarf.pl into the cgi directory:

[root@net122 SnortSnarf-021111.1]# cp cgi/* /var/www/cgi-bin/snort/
[root@net122 SnortSnarf-021111.1]# cp -R include/ /var/www/cgi-bin/snort/
[root@net122 SnortSnarf-021111.1]# cp snortsnarf.pl /var/www/cgi-bin/snort/

[Note comparing 021111.1 with 020316.1 not recoverable.] With 020316.1 the Time-modules/lib/Time directory is also copied into /var/www/cgi-bin/snort:

[root@net122 SnortSnarf-020316.1]# cp -R Time-modules/lib/Time /var/www/cgi-bin/snort

The default alert file that snortsnarf.pl reads is set in this line:

$def_source= $root."var".$dirsep."log".$dirsep."snort.alert";

Run it with -d naming the HTML output directory, followed by the log files to analyse:

[root@net122 snort]# ./snortsnarf.pl -d /var/www/html/snort -color='yes' -rulesdir /etc/snort/rules /var/log/snort/portscan.log /var/log/snort/alert

Webmin plugin: snort-1.0.wbm from http://www.snort.org/dl/contrib/front_ends/webmin_plugin/ is installed through Webmin's module installer. In the module configuration, "Command to start Snort (optional)" is set to:

/usr/local/bin/snort -vde -D -c /etc/snort/snort.conf
Snort's modes

Snort can run as a sniffer, as a packet logger, or as a network intrusion detection system (NIDS).

Sniffer mode prints the TCP/IP headers of each packet to the screen:

[root@net122 root]# /usr/local/bin/snort -v

Adding -d also shows the application-layer data of IP/TCP/UDP/ICMP packets:

[root@net122 root]# /usr/local/bin/snort -vd

Adding -e also shows the link-layer headers:

/usr/local/bin/snort -ve

The switches can be written together or separately; these two are the same:

/usr/local/bin/snort -vde
/usr/local/bin/snort -v -d -e

Packet logger mode writes what the sniffer shows to disk instead of the screen. -l names the log directory:

[root@net122 root]# /usr/local/bin/snort -vde -l /var/log/snort

Under /var/log/snort, snort creates one directory per IP address, and inside it one file per session named after the protocol and ports, for example TCP:1114-22. -h sets the home network (here 61.62.103.105), so that the directories are named after the remote side of each connection; -b logs in tcpdump binary format instead, and -r reads such a file back. (The original put -h before the -l directory, which snort does not accept; the order is fixed here.)

[root@net122 snort]# /usr/local/bin/snort -vde -l /var/log/snort -h 61.62.103.105
[root@net122 snort]# /usr/local/bin/snort -r ./snort.log.1065106946

NIDS mode

[Text on the two kinds of output not recoverable: what is written to the alert file and what to the per-IP directories under /etc/snort/rules matching.] Run snort with the rule set from the configuration file:

[root@net122 snort]# /usr/local/bin/snort -vde -c /etc/snort/snort.conf

Alerts go to /var/log/snort/alert [the original's example is an ICMP alert with ID 55161], and the packet that triggered the alert is logged in the per-IP directory, here /var/log/snort/192.192.73.2/ICMP_REDIRECT with the same ID [remainder of the remark not recoverable].

Alerts can also be sent to syslog with -s; they then appear in /var/log/messages:

[root@net122 snort]# /usr/local/bin/snort -c /etc/snort/snort.conf -s

Alerts can be sent as WinPopup messages to Windows hosts through Samba. This needs the --enable-smbalerts option at ./configure time and the -M switch at run time [the argument of -M, the list of workstations, is not recoverable from the original]:

[root@net122 snort]# /usr/local/bin/snort -c /etc/snort/snort.conf -M

Updating the rules

The current rule set is at http://www.snort.org/dl/rules/snortrules-current.tar.gz. Unpack it and put the rule files in /etc/snort/rules:

[root@net122 snort]# tar zxvf snortrules-current.tar.gz

This can be done automatically from cron. After the rules are replaced the snort daemon must be restarted; the start command belongs in rc.local.

[Remarks on checking that snort has loaded the rules not recoverable.]

5. Conclusion

[Five summary points: Snort on the network, updating, Snort's logs, Snort with MS Windows alerts, and management; text not recoverable from the extraction.]