
1) Installing Snort

Category: Network/Snort    2016. 3. 8. 22:41



Intrusion Prevention System (IPS)
An intrusion prevention system detects, in real time, actions by unauthorized users that would compromise the integrity, confidentiality or availability of a resource, and blocks them.

See the IPS entry on Wikipedia

Intrusion Detection System (IDS)
An automated system that monitors the events occurring on a computer or network, detects whether an intrusion has taken place (Detection), and responds to it (Response).

See the IDS entry on Wikipedia

Below we install Snort, a widely used rule-based IDS, on Linux (CentOS, with yum). Note that Snort runs here in IDS mode: it watches the traffic on one interface and alerts, it does not block. Blocking (IPS mode) needs an inline DAQ setup that this post does not cover.

Snort homepage


Installing Snort

1. Install the base libraries and build tools Snort needs.

[root@localhost Desktop]# yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++
Loaded plugins: fastestmirror, refresh-packagekit, security

.. omitted
[root@localhost Desktop]#
[root@localhost Desktop]# yum install -y  bison* flex*
Loaded plugins: fastestmirror, refresh-packagekit, security

.. omitted

2. Install everything matching libcap* (the POSIX capabilities library; this is not the packet-capture library, which is the next step)

[root@localhost Desktop]# yum install libcap*
Loaded plugins: fastestmirror, refresh-packagekit, security

.. omitted

3. Install everything matching libpcap* (the packet-capture library that DAQ and Snort are built against)

[root@localhost Desktop]# yum install libpcap*
Loaded plugins: fastestmirror, refresh-packagekit, security

.. omitted

4. Install everything matching pcre* (the regular-expression library Snort's rule engine links against)

[root@localhost Desktop]# yum install pcre*
Loaded plugins: fastestmirror, refresh-packagekit, security

.. omitted

5. Download snort, daq and libdnet and build them from source

Downloading directly. The two sourceforge links below live in a directory Snort itself labels "OLD STUFF THAT YOU SHOULDNT USE": the post pins daq 2.0.0 and snort 2.9.5 so the steps are reproducible, but for a real sensor take the current release from snort.org and compare the published digest before unpacking. The libdnet link points at Google Code, which has since shut down; fetch the same libdnet-1.12 tarball from the project's current home.

 . Download libdnet-1.12.tgz with wget

[root@localhost snort_install]# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz

.. omitted

[root@localhost snort_install]# ls
libdnet-1.12.tgz

 . Download daq-2.0.0.tar.gz with wget (the URL is quoted because `?` and `&` are shell metacharacters; unquoted, the `&` would background wget and the shell would run `ts=...` as a separate command)

[root@localhost snort_install]# wget 'http://downloads.sourceforge.net/project/snort/OLD%20STUFF%20THAT%20YOU%20SHOULDNT%20USE/daq-2.0.0.tar.gz?r=&ts=1457439404'

.. omitted

[root@localhost snort_install]# ls
daq-2.0.0.tar.gz  libdnet-1.12.tgz

 . Download snort-2.9.5.tar.gz with wget (again quoted, for the same reason)

[root@localhost snort_install]# wget 'http://downloads.sourceforge.net/project/snort/OLD%20STUFF%20THAT%20YOU%20SHOULDNT%20USE/snort-2.9.5.tar.gz?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fsnort%2Ffiles%2FOLD%2520STUFF%2520THAT%2520YOU%2520SHOULDNT%2520USE%2F&ts=1457439759&use_mirror=jaist'

.. omitted

 . Build and install libdnet, daq and snort, in that order: snort's ./configure looks for libdnet and libdaq, so both must already be installed. make install puts the shared libraries under /usr/local/lib; if snort later fails with a "cannot open shared object file" error for libdaq or libdnet, run ldconfig (and add /usr/local/lib to /etc/ld.so.conf.d/ if the loader does not search it) and try again.

[root@localhost snort_install]# tar -zxvf libdnet-1.12.tgz
[root@localhost snort_install]# cd libdnet-1.12
[root@localhost libdnet-1.12]# ./configure
[root@localhost libdnet-1.12]# make && make install
[root@localhost libdnet-1.12]# cd ..
[root@localhost snort_install]#
[root@localhost snort_install]# tar -zxvf daq-2.0.0.tar.gz
[root@localhost snort_install]# cd daq-2.0.0
[root@localhost daq-2.0.0]# ./configure
[root@localhost daq-2.0.0]# make && make install
[root@localhost daq-2.0.0]# cd ..
[root@localhost snort_install]# tar -zxvf snort-2.9.5.tar.gz
[root@localhost snort_install]# cd snort-2.9.5
[root@localhost snort-2.9.5]# ./configure
[root@localhost snort-2.9.5]# make && make install
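The build step above unpacks and installs three tarballs fetched over plain HTTP without checking them. As an added example (not from the original post), the helpers below refuse to unpack a tarball whose SHA-256 digest does not match the one you recorded from the vendor's download page, and run the same configure/make/make install sequence only after that check passes. The digest values a caller passes in, the `libfake` tarball built for the self-check, and the remark about /usr/local/lib and the loader cache on stock CentOS 6 are assumptions of this example:

```shell
#!/bin/sh
# Added example: digest-checked fetch-and-build helpers for the libdnet, daq
# and snort tarballs. Not part of the original post. The digests you pass in
# are placeholders: look them up for the exact release you download.

# digest_of FILE -> prints the hex SHA-256 of FILE
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE EXPECTED -> 0 if FILE's digest equals EXPECTED, 1 otherwise
verify_tarball() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    actual=$(digest_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1" >&2
        echo "  expected $2" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# build_source TARBALL EXPECTED [configure-args...]
# Unpacks and runs ./configure && make && make install only after the digest
# check passes. Call it for libdnet and daq before snort, since snort's
# ./configure looks for both.
build_source() {
    tarball=$1; expected=$2; shift 2
    verify_tarball "$tarball" "$expected" || return 1
    topdir=$(tar -tzf "$tarball" | head -n 1 | cut -d/ -f1)
    tar -xzf "$tarball" || return 1
    ( cd "$topdir" && ./configure "$@" && make && make install ) || return 1
    # make install puts the .so files in /usr/local/lib; refresh the loader
    # cache so the next configure (and snort itself) can find libdnet/libdaq.
    ldconfig
}

# selfcheck -> 0 when a constructed tarball passes with its own digest and is
# rejected with a wrong one, so the check can be exercised offline.
selfcheck() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/libfake-0.1"
    printf 'constructed sample, not a real library\n' > "$tmp/libfake-0.1/README"
    tar -czf "$tmp/libfake-0.1.tar.gz" -C "$tmp" libfake-0.1
    good=$(digest_of "$tmp/libfake-0.1.tar.gz")
    wrong=$(printf '%064d' 0)   # a digest that cannot match
    rc=1
    if verify_tarball "$tmp/libfake-0.1.tar.gz" "$good" 2>/dev/null &&
       ! verify_tarball "$tmp/libfake-0.1.tar.gz" "$wrong" 2>/dev/null; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}
```

Usage on the real tarballs is `build_source libdnet-1.12.tgz <digest>`, then daq, then snort, each with the digest published for that release; a mismatch stops before anything is unpacked or compiled as root.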

6. Register on the Snort site and download the Snort rules,
   or download them from the link below. (That link is a third-party mirror of snortrules-snapshot-2945, the set cut for Snort 2.9.4.5, and nothing here checks its integrity; for anything beyond a lab box, fetch the ruleset for your version from snort.org and compare the published digest before unpacking.)

[root@localhost snort_install]# wget http://munro.humber.ca/~thomsoi/snortrules-snapshot-2945.tar.gz

.. omitted

[root@localhost snort_install]# mkdir rule
[root@localhost snort_install]# ls
daq-2.0.0         libdnet-1.12      rule         snort-2.9.5.tar.gz
daq-2.0.0.tar.gz  libdnet-1.12.tgz  snort-2.9.5  snortrules-snapshot-2945.tar.gz
[root@localhost snort_install]# mv snortrules-snapshot-2945.tar.gz ./rule
[root@localhost snort_install]# ls
daq-2.0.0         libdnet-1.12      rule         snort-2.9.5.tar.gz
daq-2.0.0.tar.gz  libdnet-1.12.tgz  snort-2.9.5
[root@localhost snort_install]# cd rule
[root@localhost rule]# ls
snortrules-snapshot-2945.tar.gz
[root@localhost rule]# 
[root@localhost rule]# tar -zxvf snortrules-snapshot-2945.tar.gz 

7. Create a snort user and group, with the login shell set to /sbin/nologin so the account cannot be used interactively

[root@localhost rule]# groupadd snort
[root@localhost rule]# useradd -g snort snort -s /sbin/nologin

8. Create the directories

[root@localhost rule]# mkdir /etc/snort
[root@localhost rule]# mkdir /etc/snort/rules
[root@localhost rule]# mkdir /etc/snort/so_rules
[root@localhost rule]# mkdir /etc/snort/preproc_rules
[root@localhost rule]# mkdir /var/log/snort
[root@localhost rule]# mkdir /usr/local/lib/snort_dynamicrules

9. Give the snort account ownership of the log directory (Snort drops from root to this account after initialization when started with -u/-g, so it must be able to write here)

[root@localhost rule]# chown -R snort:snort /var/log/snort

10. Copy the extracted files into the snort directories. The precompiled shared-object rules in the snapshot are built for one exact Snort version and platform (here 2.9.4.5 on CentOS 5.4 i386) and will not load on the 2.9.5 binary built above; that is harmless as long as the $SO_RULE_PATH includes in snort.conf stay commented out, as they are in the stock file, but if you want SO rules, use the snapshot that matches `snort -V`.

[root@localhost rule]# cd ..
[root@localhost snort_install]# cd snort-2.9.5/etc
[root@localhost etc]# cp * /etc/snort
[root@localhost etc]# cd ..
[root@localhost snort-2.9.5]# cd ..
[root@localhost snort_install]# cd rule/
[root@localhost rule]# cp rules/* /etc/snort/rules
[root@localhost rule]# cp so_rules/precompiled/Centos-5-4/i386/2.9.4.5/* /etc/snort/so_rules/
[root@localhost rule]# cp preproc_rules/* /etc/snort/preproc_rules/
[root@localhost rule]# touch /etc/snort/rules/black_list.rules
[root@localhost rule]# touch /etc/snort/rules/white_list.rules
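Steps 7 to 9 are what let Snort run as an unprivileged account: the account must not be usable for login, and the log directory must be owned by it and not writable by anyone else, or the unified2 alert files become tamperable. As an added example (not from the original post), the functions below check exactly those properties; the account and directory names are whatever you pass in (the post uses snort and /var/log/snort), and the `getent`/`/etc/passwd` fallback and `ls -ld` column positions are assumptions about a stock Linux box:

```shell
#!/bin/sh
# Added example: verify the privilege-separation setup Snort relies on when
# started with -u snort -g snort. Not part of the original post.

# account_shell USER -> prints USER's login shell, or nothing if USER does not exist
account_shell() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" | cut -d: -f7
    else
        awk -F: -v u="$1" '$1 == u { print $7 }' /etc/passwd
    fi
}

# dir_owner DIR -> prints the owner of DIR (third column of ls -ld)
dir_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# world_writable DIR -> 0 if "others" have write permission on DIR, 1 otherwise
# (column 9 of the mode string is the other-write bit)
world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# check_snort_privsep USER LOGDIR -> 0 only if every check passes; failures are reported
check_snort_privsep() {
    user=$1; logdir=$2; rc=0
    shell=$(account_shell "$user")
    if [ -z "$shell" ]; then
        echo "no such account: $user (useradd -r -s /sbin/nologin $user)" >&2
        return 1
    fi
    case $shell in
        */nologin|*/false) ;;
        *) echo "$user has an interactive shell ($shell); expected /sbin/nologin" >&2; rc=1 ;;
    esac
    if [ ! -d "$logdir" ]; then
        echo "log directory $logdir does not exist" >&2
        return 1
    fi
    owner=$(dir_owner "$logdir")
    if [ "$owner" != "$user" ]; then
        echo "$logdir is owned by $owner, not $user: snort cannot write alerts after dropping privileges (chown -R $user:$user $logdir)" >&2
        rc=1
    fi
    if world_writable "$logdir"; then
        echo "$logdir is world-writable: any local user could alter the unified2 alert files" >&2
        rc=1
    fi
    return $rc
}
```

Run `check_snort_privsep snort /var/log/snort` as root after step 9; a non-zero exit means one of the three properties is missing and the message says which command repairs it.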

Snort configuration

Change the snort.conf settings: point the rule-path variables at the directories created above, keep WHITE_LIST_PATH and BLACK_LIST_PATH absolute (see the bug note in the file itself), leave the inline normalizers commented out (they do nothing in IDS mode) and enable unified2 output.

[root@localhost rule]# vim /etc/snort/snort.conf 

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules


# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6


# unified2
# Recommended for most installs
output unified2: filename snort.u2, limit 128
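The comment block in snort.conf above records the trap in this step: `var` paths are resolved relative to snort.conf, but the reputation preprocessor resolves WHITE_LIST_PATH and BLACK_LIST_PATH from the working directory, which is why the post makes them absolute. As an added example (not from the original post), the function below resolves every `$VAR/file` token and plain `include` path in a snort.conf, reports the ones that do not exist, and flags a relative list path. Its parser is a simplification I wrote for this example: it handles `var` (not `ipvar`/`portvar`), one-token paths without spaces, and treats an `include` without a leading `/` as relative to the config file's directory. `make_demo_conf` writes a constructed miniature config so the check can be tried without a real install:

```shell
#!/bin/sh
# Added example: check that every path snort.conf references exists before
# starting snort. Not part of the original post.

# check_snort_paths CONF -> 0 if every referenced path exists and the list
# paths are absolute, 1 otherwise (each problem is printed with its line number)
check_snort_paths() {
    conf=$1
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    awk -v confdir="$(cd "$(dirname "$conf")" && pwd)" '
        function exists(p) { return system("test -e \"" p "\"") == 0 }
        /^[[:space:]]*#/ { next }                          # comments, including #include
        $1 == "var" && NF >= 3 {
            vars[$2] = $3
            if ($2 ~ /LIST_PATH$/ && $3 !~ /^\//) {        # reputation resolves these from the cwd
                print "relative " $2 " (line " NR "): make it absolute"
                bad++
            }
            next
        }
        $1 == "include" && NF >= 2 && $2 !~ /^\$/ {        # plain include, relative to snort.conf
            p = ($2 ~ /^\//) ? $2 : (confdir "/" $2)
            if (!exists(p)) { print "missing: " p " (line " NR ")"; bad++ }
            next
        }
        {
            for (i = 1; i <= NF; i++) {                    # any $VAR/file token: includes, reputation lists
                f = $i; sub(/,$/, "", f)
                if (f !~ /^\$[A-Za-z_]+\//) continue
                name = substr(f, 2); sub(/\/.*/, "", name)
                if (!(name in vars)) { print "undefined $" name " (line " NR ")"; bad++; continue }
                p = vars[name] substr(f, length(name) + 2)
                if (p !~ /^\//) p = confdir "/" p
                if (!exists(p)) { print "missing: " p " (line " NR ")"; bad++ }
            }
        }
        END { exit (bad > 0 ? 1 : 0) }
    ' "$conf"
}

# make_demo_conf DIR -> writes a small constructed snort.conf tree under DIR
# (sample input for the check, not a usable Snort configuration)
make_demo_conf() {
    d=$1
    mkdir -p "$d/rules" "$d/so_rules" "$d/preproc_rules"
    : > "$d/classification.config"
    : > "$d/rules/local.rules"
    : > "$d/rules/white_list.rules"
    : > "$d/rules/black_list.rules"
    cat > "$d/snort.conf" <<EOF
var RULE_PATH $d/rules
var SO_RULE_PATH $d/so_rules
var PREPROC_RULE_PATH $d/preproc_rules
var WHITE_LIST_PATH $d/rules
var BLACK_LIST_PATH $d/rules
include classification.config
preprocessor reputation: memcap 500, priority whitelist, nested_ip inner, \\
   whitelist \$WHITE_LIST_PATH/white_list.rules, \\
   blacklist \$BLACK_LIST_PATH/black_list.rules
#include \$SO_RULE_PATH/bad-traffic.rules
include \$RULE_PATH/local.rules
EOF
}
```

On the real install, `check_snort_paths /etc/snort/snort.conf` catches a forgotten `touch` of black_list.rules or a rules file the snapshot did not ship before Snort aborts at startup with the same complaint.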

Running Snort

Run snort and confirm that it starts cleanly. `snort -T -c /etc/snort/snort.conf` performs the same initialization and then exits, which is the quickest way to catch rule-path and preprocessor errors before starting the sensor for real. The -u/-g options make Snort drop from root to the snort account once initialization is complete, so /var/log/snort must be writable by that account.

[root@localhost rule]# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0C:29:33:74:9B  
          inet addr:200.200.200.52  Bcast:200.200.200.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe33:749b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:76487 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49351 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:112298133 (107.0 MiB)  TX bytes:3369439 (3.2 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:578 (578.0 b)  TX bytes:578 (578.0 b)

[root@localhost rule]# snort -u snort -g snort -c /etc/snort/snort.conf -i eth1
Running in IDS mode

.. omitted

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5 GRE (Build 103) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.0  
           Preprocessor Object: SF_SIP  Version 1.1  
           Preprocessor Object: SF_DNS  Version 1.1  
           Preprocessor Object: SF_IMAP  Version 1.0  
           Preprocessor Object: SF_SSH  Version 1.1  
           Preprocessor Object: SF_POP  Version 1.0  
           Preprocessor Object: SF_MODBUS  Version 1.1  
           Preprocessor Object: SF_SMTP  Version 1.1  
           Preprocessor Object: SF_GTP  Version 1.1  
           Preprocessor Object: SF_DNP3  Version 1.1  
           Preprocessor Object: SF_DCERPC2  Version 1.0  
           Preprocessor Object: SF_FTPTELNET  Version 1.2  
           Preprocessor Object: SF_SSLPP  Version 1.1  
           Preprocessor Object: SF_REPUTATION  Version 1.1  
           Preprocessor Object: SF_SDF  Version 1.1  
Commencing packet processing (pid=61141)

