Snort installation and usage tutorial (CentOS 6.5)

     

    Official site: https://www.snort.org/

    Official documentation: https://www.snort.org/documents

    2. Installation

    2.1 Install dependencies

    yum install libpcap libpcap-devel zlib zlib-devel -y
    yum install glibc-headers gcc-c++ make -y
    tar -zxf libdnet-1.11.tar.gz
    cd libdnet-1.11
    ./configure && make && make install
    cd ..

    tar -zxf pcre-8.39.tar.gz
    cd pcre-8.39
    ./configure
    make && make install
    cd ..

    The libdnet and pcre tarballs are assumed to have been downloaded already (the libdnet download URL is given under 2.3). If these dependencies are missing, the configure steps below fail; the libpcap and libdnet cases are shown in 2.2 and 2.3. Libraries built from source are installed under /usr/local/lib; if the snort binary later refuses to start with a "cannot open shared object file" error for a library such as libdnet, add /usr/local/lib to /etc/ld.so.conf.d/ (if it is not listed yet) and run ldconfig.

    2.2 Install DAQ

    tar -zxf daq-2.0.6.tar.gz                
    cd daq-2.0.6
    ./configure
    make
    make install

    configure error: configure: error: Your operating system's lex is insufficient to compile libsfbpf. You should install both bison and flex.

    Fix: yum install flex bison -y

    configure error: ERROR!  Libpcap library version >= 1.0.0 not found.

    Fix: yum install libpcap libpcap-devel -y

    2.3 Install Snort

    tar -zxf snort-2.9.11.tar.gz                   
    cd snort-2.9.11
    ./configure --enable-sourcefire --disable-open-appid
    make
    make install

    configure error: ERROR!  dnet header not found, go get it from

    Fix: build and install libdnet (the same steps as in 2.1):

    wget https://nchc.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
    tar -zxf libdnet-1.11.tar.gz
    cd libdnet-1.11
    ./configure && make && make install

    2.4 Install rules

    # First create the Snort configuration (and rules) directory
    mkdir -p /etc/snort/rules
    # Create the directory Snort needs at runtime (the dynamicdetection directory named in snort.conf)
    mkdir -p /usr/local/lib/snort_dynamicrules
    
    # Copy the default configuration files from the etc/ directory of the source tree unpacked in 2.3 into the Snort configuration directory
    cp etc/*.conf* /etc/snort
    cp etc/*.map /etc/snort
    
    # Download the community rules and unpack them into the rules directory
    wget https://www.snort.org/downloads/community/community-rules.tar.gz
    tar -zxf community-rules.tar.gz -C /etc/snort/rules
    
    # Comment out every rule file that snort.conf loads by default
    # (anchored on ^include so lines that are already comments are left alone)
    sed -i 's/^include \$RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
    
    # Enable the community rules file
    echo '' >> /etc/snort/snort.conf
    echo '# enable community rule' >> /etc/snort/snort.conf
    echo 'include $RULE_PATH/community-rules/community.rules' >> /etc/snort/snort.conf
    
    # Point the path variables in snort.conf at the rules directory
    # (# is used as the sed delimiter because the / in ../rules would otherwise end the s command)
    sed -i 's#var RULE_PATH ../rules#var RULE_PATH ./rules#' /etc/snort/snort.conf
    sed -i 's#var WHITE_LIST_PATH ../rules#var WHITE_LIST_PATH ./rules#' /etc/snort/snort.conf
    sed -i 's#var BLACK_LIST_PATH ../rules#var BLACK_LIST_PATH ./rules#' /etc/snort/snort.conf
    
    # Create the default whitelist file
    touch /etc/snort/rules/white_list.rules
    # Create the default blacklist file
    touch /etc/snort/rules/black_list.rules
    # Create the file for your own rules. Only the community rules are included above, so this file is not actually loaded; it is created only as a placeholder.
    touch /etc/snort/rules/local.rules
    
    # Test the configuration file for errors
    snort -T -c /etc/snort/snort.conf
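The snort.conf edits in this step are easy to get wrong by hand: a sed s command whose pattern contains / needs another delimiter, and re-running the include edit after a mistake must not turn "include" into "##include". As an added example (not code from the original post or from the Snort project), the POSIX sh script below performs the same edits in a re-runnable way, uses an absolute rules directory so nothing depends on the working directory Snort is started from, and ships a constructed snort.conf fragment so it can be exercised without Snort installed. The function names, the rules-directory argument and the sample lines are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Re-runnable version of the
# snort.conf edits in 2.4. Assumes a Snort 2.9.x snort.conf layout: lines of
# the form "var RULE_PATH ...", "var WHITE_LIST_PATH ...", "var BLACK_LIST_PATH ..."
# and "include $RULE_PATH/<file>.rules".

# Rewrite FILE in place via a temporary copy (portable; avoids sed -i quirks).
_rewrite() {                         # _rewrite FILE SED_SCRIPT
    sed -e "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Comment out every active "include $RULE_PATH/..." line. Anchoring on ^include
# leaves lines that are already comments alone, so a second run never yields "##include".
disable_rule_includes() {            # disable_rule_includes CONF
    _rewrite "$1" 's/^include \$RULE_PATH/#include $RULE_PATH/'
}

# Point the three rule-path variables at an absolute directory. '#' is the sed
# delimiter because the paths contain '/' (RULES_DIR must not contain '#' or '&').
set_rule_paths() {                   # set_rule_paths CONF RULES_DIR
    _rewrite "$1" "s#^var RULE_PATH .*#var RULE_PATH $2#"
    _rewrite "$1" "s#^var WHITE_LIST_PATH .*#var WHITE_LIST_PATH $2#"
    _rewrite "$1" "s#^var BLACK_LIST_PATH .*#var BLACK_LIST_PATH $2#"
}

# Load one rule file: drop any earlier active or commented-out copy of the
# include line, then append exactly one active line.
enable_rule_file() {                 # enable_rule_file CONF RELATIVE_RULE_FILE
    line="include \$RULE_PATH/$2"
    grep -vF "$line" "$1" > "$1.tmp" || :
    mv "$1.tmp" "$1"
    printf '%s\n' "$line" >> "$1"
}

# Number of rule files snort.conf will actually load (active include lines).
active_includes() {                  # active_includes CONF -> count on stdout
    grep -c '^include ' "$1" || :
}

# The three edits of step 2.4, in order. Safe to run repeatedly.
configure_snort_conf() {             # configure_snort_conf CONF RULES_DIR
    disable_rule_includes "$1"
    set_rule_paths "$1" "$2"
    enable_rule_file "$1" community-rules/community.rules
}

# Constructed sample mimicking the relevant lines of a stock snort.conf
# (not a real snort.conf) so the functions can be exercised offline.
make_sample_conf() {                 # make_sample_conf FILE
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
# include $RULE_PATH/attack-responses.rules
EOF
}

# Usage on the sensor, as root, after the cp step in 2.4:
#   configure_snort_conf /etc/snort/snort.conf /etc/snort/rules && snort -T -c /etc/snort/snort.conf
```

After running it on a real sensor, always finish with `snort -T -c /etc/snort/snort.conf`, which is the only check that the resulting file parses; `active_includes` tells you how many rule files will be loaded, which should be exactly one after this step.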

    3. Usage

    Snort has three modes of operation: sniffer mode, packet logger mode, and network intrusion detection (NIDS) mode.

    3.1 Sniffer mode

    snort -v

    This mode prints the IP and TCP/UDP/ICMP headers of every packet to the console, showing both endpoints of each conversation, much like tcpdump.

    3.2 Packet logger mode

    mkdir log
    snort -dev -l ./log

    This mode writes the captured packets to disk (here the log directory under the current directory); the key switch is -l. -d adds the application-layer payload and -e the link-layer (Ethernet) header to what -v prints.

    3.3 Network intrusion detection mode

    mkdir log
    snort -dev -l ./log -h 192.168.1.0/24 -c /etc/snort/snort.conf

    This mode inspects traffic against the rules loaded by the given configuration file; -h sets the home network (HOME_NET) and -c names the configuration. The -v switch makes Snort print every packet to the console, which slows inspection down noticeably; for anything beyond a quick test drop -v and -e and keep -l together with -c. Alerts are written to the log directory (with -A console they are printed to the terminal instead).

    Error: ERROR: /etc/snort/rules/community-rules/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.

    Fix: mkdir -p /usr/local/lib/snort_dynamicrules

    Error: ERROR: /etc/snort/classification.config(0) Unable to open rules file "/etc/snort/classification.config": No such file or directory.

    Fix: copy etc/classification.config from the Snort source tree unpacked in 2.3 to /etc/snort/classification.config. The cp etc/*.conf* step in 2.4 already copies this file; seeing this error means that step was skipped or was run from a directory other than the source tree.
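A passing snort -T only shows that the configuration parses; it says nothing about whether the sensor actually alerts, and after step 2.4 local.rules is empty and not even loaded. As an added example (not code from the original post or from the Snort project), the POSIX sh script below adds one ICMP rule of its own to local.rules, makes snort.conf load that file, and replays a pcap through Snort with -r instead of sniffing live, then counts the alerts carrying the test sid. The sid 1000001, the rule text, the function names, the default paths and the capture commands in the usage comment are this example's assumptions; the snort switches used (-T, -q, -A console, -k none, -h, -c, -r) are standard Snort 2.9 options. Only the rule-file and snort.conf editing parts run without Snort installed.

```shell
#!/bin/sh
# Added example, not code from the original post: detection smoke test for the
# NIDS-mode setup in 3.3. Assumes a Snort 2.9.x snort.conf with a RULE_PATH
# variable; paths can be overridden through the environment.

CONF=${CONF:-/etc/snort/snort.conf}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
HOME_NET=${HOME_NET:-192.168.1.0/24}

# Build one minimal local rule (example rule text, sid chosen here). Local rules
# use sids of 1000000 and above so they never collide with community-rule sids.
make_test_rule() {                   # make_test_rule SID MSG -> rule text on stdout
    printf 'alert icmp any any -> $HOME_NET any (msg:"%s"; sid:%s; rev:1;)\n' "$2" "$1"
}

# Append the rule to a rules file unless that sid is already present.
install_test_rule() {                # install_test_rule RULES_FILE SID MSG
    grep -q "sid:$2;" "$1" 2>/dev/null || make_test_rule "$2" "$3" >> "$1"
}

# Make snort.conf load local.rules (step 2.4 commented every include out).
enable_local_rules() {               # enable_local_rules CONF
    grep -qxF 'include $RULE_PATH/local.rules' "$1" || \
        printf 'include $RULE_PATH/local.rules\n' >> "$1"
}

# Replay a pcap through Snort and count alerts carrying the given sid.
# -q: no banner; -A console: alerts to stdout in "[gid:sid:rev]" form;
# -k none: skip checksum checks so captures taken with checksum offload still
# fire rules; -r: read packets from the pcap instead of an interface.
count_alerts() {                     # count_alerts PCAP SID -> number of alerts on stdout
    snort -q -A console -k none -h "$HOME_NET" -c "$CONF" -r "$1" | grep -c "\[1:$2:" || :
}

# Install the rule, enable local.rules, check the config parses, replay, count.
smoke_test() {                       # smoke_test PCAP
    install_test_rule "$RULES_DIR/local.rules" 1000001 "LOCAL icmp smoke test"
    enable_local_rules "$CONF"
    snort -T -c "$CONF" > /dev/null 2>&1 || { echo "snort.conf does not parse"; return 1; }
    n=$(count_alerts "$1" 1000001)
    echo "alerts for sid 1000001: $n"
    [ "$n" -gt 0 ]
}

# Usage on the sensor (as root): capture a few pings to a host inside HOME_NET,
# then replay the capture. The interface, host and file names are examples.
#   timeout 10 tcpdump -i eth0 -w /tmp/icmp.pcap icmp & sleep 1; ping -c 5 192.168.1.1; wait
#   smoke_test /tmp/icmp.pcap
```

If the count stays at zero, check in this order: the rule's destination must fall inside the network given with -h (an echo reply back to a host outside HOME_NET does not match), the capture must actually contain ICMP, and snort -T must list local.rules among the loaded files.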

Original article: https://www.cnblogs.com/guarderming/p/10281061.html