침입 방지 시스템(IPS, Intrusion Prevention System)
침입 방지 시스템은 비 인가된 사용자가 자원의 무결성, 기밀성, 가용성을 저해하는 행위를 실시간으로 탑지하여 차단하는 시스템을 말합니다
침입 탐지 시스템 IDS(Intrusion Detection System)
컴퓨터 또는 네트워크에서 발생하는 이벤트들을 모니터링하고, 침입 발생여부를 탐지(Detection)하고, 대응(Response)하는 자동화된 시스템입니다
많이 사용되는 룰 기반의 IDS인 Snort를 LInux 버전으로 설치해보겠습니다.
Snort 설치
1. snort 설치에 필요한 기본 라이브러리를 설치합니다.
[root@localhost Desktop]# yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++ Loaded plugins: fastestmirror, refresh-packagekit, security .. 생략 [root@localhost Desktop]# [root@localhost Desktop]# yum install -y bison* flex* Loaded plugins: fastestmirror, refresh-packagekit, security .. 생략
2. libcap* 에 연관된 파일을 전부 설치
[root@localhost Desktop]# yum install libcap* Loaded plugins: fastestmirror, refresh-packagekit, security .. 생략
3. libpcap* 에 연관된 파일을 전부 설치
[root@localhost Desktop]# yum install libpcap* Loaded plugins: fastestmirror, refresh-packagekit, security .. 생략
4. pcre* 에 연관된 파일을 전부 설치
[root@localhost Desktop]# yum install pcre* Loaded plugins: fastestmirror, refresh-packagekit, security .. 생략
5. snort , daq, libdnet 다운 받아서 소스 설치하기
. libdnet-1.12.tgz wget으로 다운 받기
[root@localhost snort_install]# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz .. 생략 [root@localhost snort_install]# ls libdnet-1.12.tgz
. daq-2.0.0.tar.gz wget으로 다운 받기
[root@localhost snort_install]# wget http://downloads.sourceforge.net/project/snort/OLD%20STUFF%20THAT%20YOU%20SHOULDNT%20USE/daq-2.0.0.tar.gz?r=&ts=1457439404 .. 생략 [root@localhost snort_install]# ls daq-2.0.0.tar.gz libdnet-1.12.tgz
. snort-2.9.5.tar.gz wget으로 다운 받기
[root@localhost snort_install]# wget http://downloads.sourceforge.net/project/snort/OLD%20STUFF%20THAT%20YOU%20SHOULDNT%20USE/snort-2.9.5.tar.gz?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fsnort%2Ffiles%2FOLD%2520STUFF%2520THAT%2520YOU%2520SHOULDNT%2520USE%2F&ts=1457439759&use_mirror=jaist .. 생략
. libdnet,daq,snort 설치
[root@localhost snort_install]# tar -zxvf libdnet-1.12.tgz [root@localhost snort_install]# cd libdnet-1.12 [root@localhost libdnet-1.12]# ./configure [root@localhost libdnet-1.12]# make && make install [root@localhost libdnet-1.12]# cd .. [root@localhost snort_install]# [root@localhost snort_install]# tar -zxvf daq-2.0.0.tar.gz [root@localhost snort_install]# cd daq-2.0.0 [root@localhost daq-2.0.0]# ./configure [root@localhost daq-2.0.0]# make && make install [root@localhost daq-2.0.0]# cd .. [root@localhost snort_install]# tar -zxvf snort-2.9.5.tar.gz [root@localhost snort_install]# cd snort-2.9.5 [root@localhost snort-2.9.5]# ./configure [root@localhost snort-2.9.5]# make && make install
6. snort 홈페이지에 회원을 가입하고 snort-rule을 다운 받는다.
또는 아래 처럼 링크를 입력하고 다운 받는다.
[root@localhost snort_install]# wget http://munro.humber.ca/~thomsoi/snortrules-snapshot-2945.tar.gz .. 생략
[root@localhost snort_install]# mkdir rule [root@localhost snort_install]# ls daq-2.0.0 libdnet-1.12 rule snort-2.9.5.tar.gz daq-2.0.0.tar.gz libdnet-1.12.tgz snort-2.9.5 snortrules-snapshot-2945.tar.gz [root@localhost snort_install]# mv snortrules-snapshot-2945.tar.gz ./rule [root@localhost snort_install]# ls daq-2.0.0 libdnet-1.12 rule snort-2.9.5.tar.gz daq-2.0.0.tar.gz libdnet-1.12.tgz snort-2.9.5 [root@localhost snort_install]# cd rule [root@localhost rule]# ls snortrules-snapshot-2945.tar.gz [root@localhost rule]# [root@localhost rule]# tar -zxvf snortrules-snapshot-2945.tar.gz
7. 새로운 유저 snort 생성후, shell /sbin/nologin 으로 변경
[root@localhost rule]# groupadd snort [root@localhost rule]# useradd -g snort snort -s /sbin/nologin
8. 폴더 생성
[root@localhost rule]# mkdir /etc/snort [root@localhost rule]# mkdir /etc/snort/rules [root@localhost rule]# mkdir /etc/snort/so_rules [root@localhost rule]# mkdir /etc/snort/preproc_rules [root@localhost rule]# mkdir /var/log/snort [root@localhost rule]# mkdir /usr/local/lib/snort_dynamicrules
9. 폴더 권한 변경
[root@localhost rule]# chown snort snort /var/log/snort
10. 압축해제한 파일을 snort 폴더에 옮긴다.
[root@localhost rule]# cd .. [root@localhost snort_install]# cd snort-2.9.5/etc [root@localhost etc]# cp * /etc/snort [root@localhost etc]# cd .. [root@localhost snort-2.9.5]# cd .. [root@localhost snort_install]# cd rule/ [root@localhost rule]# cp rules/* /etc/snort/rules [root@localhost rule]# cp so_rules/precompiled/Centos-5-4/i386/2.9.4.5/* /etc/snort/so_rules/ [root@localhost rule]# cp preproc_rules/* /etc/snort/preproc_rules/ [root@localhost rule]# touch /etc/snort/rules/black_list.rules [root@localhost rule]# touch /etc/snort/rules/white_list.rules
Snort 설정
snort.conf 파일 설정 변경
[root@localhost rule]# vim /etc/snort/snort.conf # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\rules var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules # If you are using reputation preprocessor set these # Currently there is a bug with relative paths, they are relative to where snort is # not relative to snort.conf like the above variables # This is completely inconsistent with how other vars work, BUG 89986 # Set the absolute path appropriately var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules # Inline packet normalization. For more information, see README.normalize # Does nothing in IDS mode #preprocessor normalize_ip4 #preprocessor normalize_tcp: ips ecn stream #preprocessor normalize_icmp4 #preprocessor normalize_ip6 #preprocessor normalize_icmp6 # unified2 # Recommended for most installs output unified2: filename snort.u2, limit 128
Snort 실행
snort 실행하여 정상 작동하는지 확인
[root@localhost rule]# ifconfig
eth1 Link encap:Ethernet HWaddr 00:0C:29:33:74:9B
inet addr:200.200.200.52 Bcast:200.200.200.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe33:749b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:76487 errors:0 dropped:0 overruns:0 frame:0
TX packets:49351 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:112298133 (107.0 MiB) TX bytes:3369439 (3.2 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:578 (578.0 b) TX bytes:578 (578.0 b)
[root@localhost rule]# snort -u snort -g snort -c /etc/snort/snort.conf -i eth1
Running in IDS mode
..생략
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.5 GRE (Build 103)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.4.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.0
Preprocessor Object: SF_SIP Version 1.1
Preprocessor Object: SF_DNS Version 1.1
Preprocessor Object: SF_IMAP Version 1.0
Preprocessor Object: SF_SSH Version 1.1
Preprocessor Object: SF_POP Version 1.0
Preprocessor Object: SF_MODBUS Version 1.1
Preprocessor Object: SF_SMTP Version 1.1
Preprocessor Object: SF_GTP Version 1.1
Preprocessor Object: SF_DNP3 Version 1.1
Preprocessor Object: SF_DCERPC2 Version 1.0
Preprocessor Object: SF_FTPTELNET Version 1.2
Preprocessor Object: SF_SSLPP Version 1.1
Preprocessor Object: SF_REPUTATION Version 1.1
Preprocessor Object: SF_SDF Version 1.1
Commencing packet processing (pid=61141)
'네트워크 > Snort' 카테고리의 다른 글
| 3) Snort Report 설치 (0) | 2016.03.09 |
|---|---|
| 2) Snort 로그 Mysql에 저장 (0) | 2016.03.08 |
