Setting up a Snort IDS on CentOS 7 (version 2.9.13)


[I am using root here]

yum update
cd ~
yum install -y gcc flex bison zlib libpcap pcre libdnet tcpdump
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y libnghttp2
yum install -y zlib-devel libpcap-devel pcre-devel libdnet-devel openssl-devel libnghttp2-devel luajit-devel
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.13.tar.gz
tar xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install
cd ..
tar xvzf snort-2.9.13.tar.gz
cd snort-2.9.13
./configure --enable-sourcefire && make && sudo make install
[This step takes a while; wait for it to finish]

ldconfig
ln -s /usr/local/bin/snort /usr/sbin/snort
groupadd snort
useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
sudo cp ~/snort-2.9.13/etc/*.conf* /etc/snort
sudo cp ~/snort-2.9.13/etc/*.map /etc/snort
cd ~
wget https://www.snort.org/rules/community -O ~/community.tar.gz
sudo tar -xvf ~/community.tar.gz -C ~/
sudo cp ~/community-rules/* /etc/snort/rules
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
sudo vi /etc/snort/snort.conf
[In step 1, set ipvar HOME_NET 192.168.37.0/24, or change it to the network you want to monitor]
[In step 1, set ipvar EXTERNAL_NET to !$HOME_NET]
[In step 1, use absolute paths here]

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

[In step 1, these two are absolute paths as well
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
]
[In step 6, uncomment this line
output unified2: filename snort.log, limit 128
]
[In step 7, uncomment this line (the sed command above commented out every include $RULE_PATH line; this re-enables local.rules only)
include $RULE_PATH/local.rules
]
ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1

[Start testing]
sudo vi /etc/snort/rules/local.rules
[Add this rule here
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
]

snort -T -c /etc/snort/snort.conf
sudo vi /etc/snort/rules/local.rules
sudo snort -A console -i <your-network-interface> -u snort -g snort -c /etc/snort/snort.conf
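The walkthrough above makes its snort.conf changes by hand in vi and has no way to tell whether a local.rules line is sane before snort loads it. The script below is an added example, not code from the original post or from the Snort project: it applies the step 1 / step 6 / step 7 settings with sed, checks that each one actually took effect, and checks each local.rules line for an action, a msg, a sid in the local range (1000000 and up) and a rev. The function names, and the short snort.conf fragment written by make_sample_conf for the dry run, are assumptions of this example; a real snort.conf is much longer. On the IDS host, point configure_snort_conf and check_local_rules_file at /etc/snort/snort.conf and /etc/snort/rules/local.rules and then run the post's own snort -T check.

```shell
#!/bin/sh
# Added example (not code from the original post): applies the snort.conf edits
# the walkthrough makes by hand in vi, verifies them, and sanity-checks
# local.rules lines before snort loads them.
# Assumed, not from the post: the function names and the sample snort.conf
# fragment written by make_sample_conf (constructed for a dry run only).

# Apply the step 1 / step 6 / step 7 settings to a snort.conf.
# $1 = path to snort.conf, $2 = HOME_NET in CIDR form.
# The post's sed has already turned every 'include $RULE_PATH/...' line into
# '#include $RULE_PATH/...'; the last expression re-enables only local.rules.
configure_snort_conf() {
    conf=$1
    home_net=$2
    sed \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        -e 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /etc/snort/rules|' \
        -e 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /etc/snort/rules|' \
        -e 's|^# *output unified2: filename snort\.log, limit 128|output unified2: filename snort.log, limit 128|' \
        -e 's|^# *include \$RULE_PATH/local\.rules|include $RULE_PATH/local.rules|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 only when every setting the walkthrough requires is present.
verify_snort_conf() {
    conf=$1
    grep -q '^ipvar EXTERNAL_NET !\$HOME_NET$' "$conf" &&
    grep -q '^var RULE_PATH /etc/snort/rules$' "$conf" &&
    grep -q '^var WHITE_LIST_PATH /etc/snort/rules$' "$conf" &&
    grep -q '^output unified2: filename snort\.log, limit 128$' "$conf" &&
    grep -q '^include \$RULE_PATH/local\.rules$' "$conf"
}

# Sanity-check one rule line: a known action, a msg, a numeric sid in the local
# range (1000000 and up is reserved for locally written rules, so they cannot
# collide with distributed rule sets) and a rev.
check_local_rule() {
    rule=$1
    case $rule in
        "alert "*|"log "*|"pass "*|"drop "*|"reject "*|"sdrop "*) ;;
        *) echo "unknown action: $rule" >&2; return 1 ;;
    esac
    printf '%s\n' "$rule" | grep -q 'msg:"[^"]*";' ||
        { echo "missing msg: $rule" >&2; return 1; }
    sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p')
    [ -n "$sid" ] || { echo "missing sid: $rule" >&2; return 1; }
    [ "$sid" -ge 1000000 ] ||
        { echo "sid $sid is below the local range: $rule" >&2; return 1; }
    printf '%s\n' "$rule" | grep -q 'rev:[0-9][0-9]*;' ||
        { echo "missing rev: $rule" >&2; return 1; }
    return 0
}

# Check every non-blank, non-comment line of a rules file; 1 if any line fails.
check_local_rules_file() {
    status=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        check_local_rule "$line" || status=1
    done < "$1"
    return $status
}

# Constructed stand-in for the snort.conf lines the walkthrough touches.
make_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# output unified2: filename snort.log, limit 128
#include $RULE_PATH/local.rules
EOF
}

# Dry run on a temporary copy. On the IDS host use the real paths instead:
#   configure_snort_conf /etc/snort/snort.conf 192.168.37.0/24
#   check_local_rules_file /etc/snort/rules/local.rules && snort -T -c /etc/snort/snort.conf
main() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    configure_snort_conf "$tmp" 192.168.37.0/24
    verify_snort_conf "$tmp" && echo "snort.conf settings applied" || echo "snort.conf check FAILED"
    check_local_rule 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)' &&
        echo "local rule OK"
    rm -f "$tmp"
}
main
```

The checks are deliberately conservative: a rule that fails check_local_rule is reported with the reason on stderr, and check_local_rules_file keeps going so every bad line in the file is listed in one pass rather than stopping at the first one, which is what you want before handing the file to snort -T.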
