
해봐야 안다.OTL/Linux

[Linux] snort

[snort]

 

<https://www.snort.org/>

You have to sign up first. After registering, check the mailbox of the address you entered:

the confirmation email contains a link, and clicking it logs you in.

--

<Download and installation>

[root@woo:~]#mkdir /usr/local/src/snort

[root@woo:~]#cd /usr/local/src/snort/

[root@woo:/usr/local/src/snort]#wget http://dl.snort.org/snort-current/snort-2.8.5.1.tar.gz

[root@woo:/usr/local/src/snort]#tar xvfz snort-2.8.5.1.tar.gz

 

snort needs libpcap and pcre (and, since we build from source, their -devel packages as well).

[root@woo:/usr/local/src/snort]#rpm -qa |grep libpcap

libpcap-devel-0.9.4-14.el5

libpcap-0.9.4-14.el5

[root@woo:/usr/local/src/snort]#rpm -qa |grep pcre

pcre-6.6-2.el5_1.7

[root@woo:/usr/local/src/snort]#yum install pcre-devel -y

[root@woo:/usr/local/src/snort]#yum update libpcap pcre pcre-devel -y

[root@woo:/usr/local/src/snort]#cd snort-2.8.5.1

 

[root@woo:/usr/local/src/snort/snort-2.8.5.1]#./configure --prefix=/usr/local/snort --with-mysql=/usr/local/mysql && make && make install

--

[root@woo:/usr/local/src/snort]#wget http://203.237.211.230/named_scripts/snortrules-snapshot-2.8.tar.gz

.

[root@woo:/usr/local/src/snort]#tar xvfz snortrules-snapshot-2.8.tar.gz
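Both archives above arrive over plain HTTP, and the rules snapshot comes from a bare IP address rather than snort.org, so nothing so far proves the tarball you are about to build and load is the one the vendor published. The helper below is an added example for this page, not part of Snort or of snort.org: it compares a downloaded file against a digest you copy from the official download page (the assumption is that a SHA-256 is published there; if only an MD5 is, the same pattern works with md5sum) and deletes the archive when the digest does not match, so a bad file never sits where someone might `tar xvfz` it.

```shell
#!/bin/sh
# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive), 1 otherwise.
# Added example: EXPECTED_HEX must come from the vendor's download page, never from
# the same untrusted mirror that served the file.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_sha256: no such file: $file" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected got $actual" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_HEX
# Downloads URL into the current directory and refuses to leave an unverified archive behind.
fetch_and_verify() {
    url="$1"
    expected="$2"
    name=$(basename "$url")
    wget -q -O "$name" "$url" || { echo "download failed: $url" >&2; return 1; }
    if ! verify_sha256 "$name" "$expected"; then
        rm -f "$name"   # a file that failed verification must not be extracted by mistake
        return 1
    fi
}

# usage (the digest is a placeholder; take the real value from the vendor's download page):
# fetch_and_verify http://dl.snort.org/snort-current/snort-2.8.5.1.tar.gz <sha256 from snort.org> \
#     && tar xvfz snort-2.8.5.1.tar.gz
```

Extract only after `fetch_and_verify` returns 0; the same applies to the rules snapshot, whose contents end up loaded into a process running as root.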

.

[root@woo:/usr/local/src/snort/etc]#ls

classification.config Makefile.am sid threshold.conf

generators open-test.conf sid-msg.map unicode.map

gen-msg.map reference.config snort.conf

.

.

[root@woo:/usr/local/src/snort/etc]#mkdir /var/log/snort

[root@woo:/usr/local/src/snort/etc]#chmod 700 /var/log/snort

→ create the directory where the snort log files will accumulate (mode 700, so only root can read the captured packets)

--------------------------------------------

[root@woo:/usr/local/src/snort/etc]#ln -s /usr/local/snort/bin/snort /usr/sbin/

.

#mkdir /usr/local/snort/schemas

#cp /usr/local/src/snort/snort-2.8.5.1/schemas/creat* /usr/local/snort/schemas/

→ creating the DB in mysql that snort will write to.

#cd /usr/local/snort/schemas

--

Creating the account. Note that the grant to snortuser@"%" below lets this account log in from any host; if the DB is only used by this sensor and BASE on the same machine, the @"localhost" grant alone is enough, and a remote sensor should be granted by its own address rather than "%".

[root@woo:/usr/local/snort/schemas]#mysql -u cho -p

Enter password: pass1234

 

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 3

Server version: 5.1.38-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database snort;

Query OK, 1 row affected (0.19 sec)

 

mysql> grant all privileges on snort.* to snortuser@"%";

Query OK, 0 rows affected (0.32 sec)

 

mysql> grant all privileges on snort.* to snortuser@"localhost";

Query OK, 0 rows affected (0.00 sec)

 

mysql> set password for snortuser@"%"=password('pass1234');

Query OK, 0 rows affected (0.01 sec)

 

mysql> set password for snortuser@localhost=password('pass1234');

Query OK, 0 rows affected (0.00 sec)

 

mysql> quit

--

[root@woo:/usr/local/snort/schemas]#mysql -u cho -p <create_mysql snort

Enter password: pass1234

[root@woo:/usr/local/snort/schemas]#mysql -u snortuser -p

Enter password: pass1234

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 11

Server version: 5.1.38-log Source distribution


Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use snort

Database changed

mysql> show tables;

+------------------+

| Tables_in_snort |

+------------------+

| data |

| detail |

| encoding |

| event |

| icmphdr |

| iphdr |

| opt |

| reference |

| reference_system |

| schema |

| sensor |

| sig_class |

| sig_reference |

| signature |

| tcphdr |

| udphdr |

+------------------+

16 rows in set (0.12 sec)

mysql>

 

If 16 tables show up, it worked!!!

--

[root@woo:/usr/local/snort/schemas]#cd ../etc/

 

Snort.conf

--

[root@kimm1:/usr/local/snort/etc]#vi snort.conf

48 #var HOME_NET any

49 var HOME_NET 192.168.10.0/24

 

60 # List of DNS servers on your network

61 #var DNS_SERVERS $HOME_NET

62 var DNS_SERVERS 192.168.10.0/24

 

64 # List of SMTP servers on your network

65 #var SMTP_SERVERS $HOME_NET

66 var SMTP_SERVERS 192.168.10.0/24

 

68 # List of web servers on your network

69 #var HTTP_SERVERS $HOME_NET

70 var HTTP_SERVERS 192.168.10.0/24

 

72 # List of sql servers on your network

73 #var SQL_SERVERS $HOME_NET

74 var SQL_SERVERS 192.168.10.0/24

 

79 # List of snmp servers on your network

80 #var SNMP_SERVERS $HOME_NET

81 var SNMP_SERVERS 192.168.10.0/24

 

90 # List of pop2/3 servers on your network

91 #var POP_SERVERS $HOME_NET

92 var POP_SERVERS 192.168.10.0/24

 

94 # List of imap servers on your network

95 #var IMAP_SERVERS $HOME_NET

--

97 # List of SunRPC servers on your network

98 #var RPC_SERVERS $HOME_NET

 

100 # List of web servers on your network

101 #var WWW_SERVERS $HOME_NET

102 var WWW_SERVERS 192.168.10.0/24
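Every `$NAME` in snort.conf has to resolve to a `var`, `ipvar` or `portvar` defined somewhere in the file, otherwise Snort refuses to start with an undefined-variable error; a hyphen typed instead of an underscore (`HOME-NET` for `HOME_NET`) is enough to trigger it, because the commented defaults and the rules all reference `$HOME_NET`. The function below is an added example for this page, not a Snort tool: it pulls the definitions and the `$` references out of a config with awk and prints the names that are never defined. Snort's own test mode, `snort -T -c snort.conf`, is the real check to run afterwards.

```shell
#!/bin/sh
# check_snort_vars CONF
# Prints every $NAME referenced in CONF (outside comment lines) that has no
# var/ipvar/portvar definition anywhere in the file. Returns 0 when everything
# resolves, 1 when something is missing, 2 when the file cannot be read.
# Added example for this page, not part of Snort; 'snort -T -c CONF' is Snort's own test mode.
check_snort_vars() {
    conf="$1"
    [ -r "$conf" ] || { echo "check_snort_vars: cannot read $conf" >&2; return 2; }
    missing=$(awk '
        /^[ \t]*#/ { next }                                   # comment line
        $1 == "var" || $1 == "ipvar" || $1 == "portvar" { defined[$2] = 1 }
        {
            # collect every $IDENTIFIER on the line, including lines that also define something
            line = $0
            while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                referenced[substr(line, RSTART + 1, RLENGTH - 1)] = 1
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (n in referenced) if (!(n in defined)) print n }
    ' "$conf" | LC_ALL=C sort)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# usage:
# check_snort_vars /usr/local/snort/etc/snort.conf && snort -T -c /usr/local/snort/etc/snort.conf
```

The check is deliberately a linter, not a parser: it does not follow `include $RULE_PATH/...` into the rule files, so run it on snort.conf first and then let `snort -T` load the whole tree.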

 

A port list like this does not work. [no change]

122 # Please note: [80,8080] does not work.

 

Each port has to be set separately, like this. [no change]

128 ## var HTTP_PORTS 80

129 ## include somefile.rules

130 ## var HTTP_PORTS 8080

131 ## include somefile.rules

 

//Pattern-matcher selection: ac-bnfa (Aho-Corasick, binary NFA) is the usual trade-off between speed and memory; lowmem is for machines with very little RAM. Left as shipped here.

 

273 # Use a different pattern matcher in case you have a machine with very limited

274 # resources:

275 #

276 # config detection: search-method lowmem

277

278 #config detection: search-method ac-bnfa

 

 

 

//Options for detecting port scans (sfportscan preprocessor)

 

708 preprocessor sfportscan: proto { all } \

709 memcap { 10000000 } \

710 sense_level { low }

 

 

 

//log alerts to syslog

 

849 # [Unix flavours should use this format...]

850 output alert_syslog: LOG_AUTH LOG_ALERT

 

//also write alerts to separate files under the log directory. Note that nowhere on this page is the output database directive that tells Snort to write into the MySQL tables created above; without it those tables stay empty and BASE has nothing to display.

 

851 output alert_fast: alert.fast //one line per alert, brief connection info only

852 output alert_full: alert.full //full alert with all header information

--


 

Preprocessor configuration

--

Port scan monitoring - [uncomment these 3 lines]

709 preprocessor sfportscan: proto { all } \

710 memcap { 10000000 } \

711 sense_level { low }

//whether it is recorded in the log or in the rules

 

Intrusions are written to syslog [uncomment]

850 # [Unix flavours should use this format...]

851 output alert_syslog: LOG_AUTH LOG_ALERT //add this line

852 output alert_fast: alert.fast //brief connection info only //add this line

853 output alert_full: alert.full //header information //add this line
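alert_fast writes one line per alert, which makes it the easiest of the three outputs above to grep when checking whether something, such as the nmap run at the end of this page, actually tripped sfportscan. The script below is an added example, not part of Snort: it embeds a few constructed alert.fast lines in Snort 2.8's one-line format (the 122:1 "TCP Portscan" event is sfportscan's own generator and signature id; the 1:100000x sids are made-up local rules) and counts alerts per signature and source address, dropping the rule revision and the source port so that repeated hits from one host collapse into a single row.

```shell
#!/bin/sh
# Constructed alert.fast sample in Snort 2.8's one-line format:
#   timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
# 122:1 is sfportscan's "TCP Portscan" event; the 1:100000x sids are made-up local rules.
sample_alerts() {
    cat <<'EOF'
10/30-03:40:12.118223  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.10.26 -> 192.168.10.186
10/30-03:40:13.501007  [**] [1:1000001:1] LOCAL ssh connection to sensor [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.10.26:2501 -> 192.168.10.186:22
10/30-03:40:14.002100  [**] [1:1000001:1] LOCAL ssh connection to sensor [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.10.26:3215 -> 192.168.10.186:22
10/30-03:41:02.003311  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.10.26 -> 192.168.10.186
10/30-03:41:09.777000  [**] [1:1000002:1] LOCAL dns query from lan [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.10.186:32675 -> 192.168.10.26:53
EOF
}

# summarize_alerts [FILE]
# Prints "count<TAB>gid:sid<TAB>source-ip<TAB>message", most frequent first, for an
# alert_fast file (stdin when FILE is omitted). Revision and source port are dropped so
# that the same signature from the same host collapses into one row.
summarize_alerts() {
    awk '
        /\[\*\*\]/ {
            # [gid:sid:rev] is the first bracketed numeric triple on the line
            if (!match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) next
            sig = substr($0, RSTART + 1, RLENGTH - 2)
            msg = substr($0, RSTART + RLENGTH + 1)
            sub(/:[0-9]+$/, "", sig)          # drop the revision
            sub(/ \[\*\*\].*/, "", msg)       # the message ends at the second [**]
            # the source is the address (with optional :port) directly before " -> "
            src = "?"
            if (match($0, /[0-9.]+(:[0-9]+)? -> /)) {
                src = substr($0, RSTART, RLENGTH - 4)
                sub(/:[0-9]+$/, "", src)
            }
            count[sig "\t" src "\t" msg]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' "${1:--}" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# usage:  sample_alerts | summarize_alerts        or        summarize_alerts /var/log/snort/alert.fast
```

On the sample, the two portscan lines from 192.168.10.26 and the two ssh hits from the same host each become one row with a count of 2; against the real file, a 122:1 row for the scanning host is the quickest confirmation that the sfportscan lines were uncommented correctly.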

 

 

My.cnf

[root@woo:/usr/local/snort/etc]#vi /etc/my.cnf

46 #skip-networking //comment this out. This makes mysqld listen on TCP 3306 (it shows up as open in the nmap scan at the end of this page). Clients on the same box that connect with host=localhost use the unix socket anyway, so this is only needed when the DB is reached from another host; in that case prefer a bind-address on the internal interface over listening on every address.

 

[root@woo:/usr/local/snort/etc]#service mysqld restart

Shutting down MySQL. [ OK ]

Starting MySQL.. [ OK ]

 

An error will occur - 1

Error output:

[root@woo:/usr/local/snort/etc]#snort -dev -c /usr/local/snort/etc/snort.conf -D

 

Snort.conf

267 # config detection: search-method lowmem

268

269 #config detection: search-method ac-bnfa

270 config detection: max_queue_events 5

271 config event_queue: max_queue 8 log 3 order_events content_length

272

273 # Configure Inline Resets

//comment out line 269.

Error 1 fix:

Symlink. snort.conf's dynamicpreprocessor and dynamicengine directives point at /usr/local/lib/..., while this build was installed under --prefix=/usr/local/snort; editing those directives to the real install paths is the cleaner fix, the symlinks below are the shortcut.

[root@woo:/usr/local/snort/etc]#ln -s /usr/local/snort/lib/snort_dynamicpreprocessor/ /usr/local/lib/snort_dynamicpreprocessor

 

[root@woo:/usr/local/snort/etc]#ls -l /usr/local/lib/snort_dynamicpreprocessor

lrwxrwxrwx 1 root root 47 Nov 6 17:54 /usr/local/lib/snort_dynamicpreprocessor -> /usr/local/snort/lib/snort_dynamicpreprocessor/

 

An error will occur - 2

Error output:

[root@woo:/usr/local/snort/etc]#snort -dev -c /usr/local/snort/etc/snort.conf -D

ERROR: parser.c(5047) Could not stat dynamic module path "/usr/local/lib/snort_dynamicengine/libsf_engine.so": No such file or directory.

Fatal Error, Quitting..

 

Symlink

[root@woo:/usr/local/snort/etc]#ln -s /usr/local/snort/lib/snort_dynamicengine/ /usr/local/lib/snort_dynamicengine

 

An error will occur - 3

Error output:

[root@woo:/usr/local/snort/etc]#snort -dev -c /usr/local/snort/etc/snort.conf -D

 

[root@woo:/usr/local/snort/etc]#ln -s /usr/local/snort/so_rules/precompiled/CentOS-5.0/i386/2.8.5/ /usr/local/lib/snort_dynamicrules

[root@woo:/usr/local/snort/etc]#snort -dev -c /usr/local/snort/etc/snort.conf -D


[root@woo:/usr/local/snort/etc]#snort -dev -l /var/log/snort/ -K ascii → ASCII format: one directory per source address and one file per flow, as in the listing below

.

[root@woo:/usr/local/snort/etc]#ll /var/log/snort/

total 56

drwx------ 4 root root 4096 Oct 30 03:40 .

drwxr-xr-x 16 root root 4096 Oct 30 02:22 ..

drwx------ 2 root root 4096 Oct 30 03:40 192.168.10.186

drwx------ 2 root root 4096 Oct 30 03:41 192.168.10.26

-rw-r--r-- 1 root root 0 Oct 30 02:41 alert

-rw------- 1 root root 830 Oct 30 03:41 ARP

-rw------- 1 root root 0 Oct 30 03:40 PACKET_NONIP

-rw------- 1 root root 0 Oct 30 03:05 snort.log.1256839525

-rw------- 1 root root 0 Oct 30 03:05 snort.log.1256839540

.

[root@woo:/var/log/snort]#ls 192.168.10.26

TCP:2501-22 TCP:3215-22 UDP:32675-53

.

[root@woo:/var/log/snort]#ls -la 192.168.10.26

total 76

drwx------ 2 root root 4096 Oct 30 03:41 .

drwx------ 4 root root 4096 Oct 30 03:40 ..

-rw------- 1 root root 40115 Oct 30 03:41 TCP:2501-22

-rw------- 1 root root 812 Oct 30 03:41 TCP:3215-22

-rw------- 1 root root 1140 Oct 30 03:40 UDP:32675-53

--

[root@woo:/var/log/snort]#snort -dev -l /var/log/snort/ -K ascii -b => binary (tcpdump/pcap) format, not human-readable; read it back with snort -dev -r <file> or tcpdump -r <file>

[root@woo:/var/log/snort]#ll

total 64

drwx------ 4 root root 4096 Oct 30 03:44 .

drwxr-xr-x 16 root root 4096 Oct 30 02:22 ..

drwx------ 2 root root 4096 Oct 30 03:40 192.168.10.186

drwx------ 2 root root 4096 Oct 30 03:41 192.168.10.26

-rw-r--r-- 1 root root 0 Oct 30 02:41 alert

-rw------- 1 root root 966 Oct 30 03:44 ARP

-rw------- 1 root root 0 Oct 30 03:40 PACKET_NONIP


-rw------- 1 root root 0 Oct 30 03:05 snort.log.1256839525

-rw------- 1 root root 0 Oct 30 03:05 snort.log.1256839540

-rw------- 1 root root 1564 Oct 30 03:44 snort.log.1256841855

[root@woo:/var/log/snort]#

[root@woo:/var/log/snort]#cp snort.log.1256841855 /home/kkk/

[root@woo:/var/log/snort]#cd /home/kkk

[root@woo:/home/kkk]#ls

mail mbox snort.log.1256841855

[root@woo:/home/kkk]#chown kkk.kkk snort.log.1256841855



--

 

[root@woo:/etc/init.d]#snort -c /usr/local/snort/etc/snort.conf -dev -A full -D

[root@woo:/etc/init.d]#vi /usr/local/snort/etc/snort.conf

[root@woo:/etc/init.d]#snort -c /usr/local/snort/etc/snort.conf -dev -A full -D

--

[root@woo:/etc/init.d]#cd /etc/init.d/

--

[root@woo:/etc/init.d]#vi snort

#!/bin/sh

#

# Start Up Snort

#

# chkconfig: 345 85 15

# description: Snort IDS

# processname: snort

# pidfile: /var/run/snort.pid

#

# Source function library

. /etc/rc.d/init.d/functions

 

case "$1" in

start)

echo -n "Starting Snort: "

# Runs as root on the default interface; add -i <iface> to pin the interface and
# -u snort -g snort to have snort drop privileges once initialization is done.
daemon /usr/local/snort/bin/snort -dev -D -c /usr/local/snort/etc/snort.conf

touch /var/lock/subsys/snort

echo

;;

stop)

echo -n "Stopping Snort: "

killproc snort

rm -f /var/lock/subsys/snort

echo

;;

restart)

$0 stop

$0 start

;;

status)

status snort

;;

*)

echo "Usage: $0 {start|stop|restart|status}"

exit 1

esac

 

exit 0

--

[root@woo:/etc/init.d]#service snort restart

Stopping Snort: [ OK ]

Starting Snort: [ OK ]

--

 

 

<BASE>

[root@woo:/etc/init.d]#cd /usr/local/http/web/

[root@woo:/usr/local/http/web]#wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.4/base-1.4.4.tar.gz/download

.

[root@woo:/usr/local/http/web]#tar xvfz base-1.4.4.tar.gz

[root@woo:/usr/local/http/web]#mv base-1.4.4 base

.

[root@woo:/usr/local/http/web]#ls

base base-1.4.4.tar.gz index.html phpinfo.php

.

.

Open my web server's domain in a browser and go into the base directory..

--

 

<Installing adodb>

http://sourceforge.net/projects/adodb/

[root@woo:/usr/local/http/web/base]#wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-509a-for-php5/adodb509a.tgz/download

[root@woo:/usr/local/http/web/base]#tar xvfz adodb509a.tgz

Path to ADODB → enter: /usr/local/http/web/base/adodb5/

In the "mysql" section, enter the DB created for snort above and the account that was granted privileges on it.

Create the admin account.

Click "Create BASE AG".

Click "step 5" at the very bottom.

Copy that content.

Then paste it into #vi /usr/local/http/web/base/base_conf.php. The file now holds the DB password, so it should be readable by the web server user only, not by everyone on the box.

 

[root@woo:/usr/local/http/web/base]#vi base_conf.php

[root@jo:~]#iptables -P INPUT ACCEPT

[root@jo:~]#iptables -P OUTPUT ACCEPT

→ sets the default policies on the scanning host to ACCEPT for the test. Rules already present in the chains still apply (that is where the "Operation not permitted" lines in the nmap output below come from), and this leaves the firewall host open, so put the policies back afterwards.

--

 

 

With that done, run NMAP from the BIND (firewall) server.

[root@jo:~]#yum install nmap -y → install nmap

[root@jo:~]#nmap -O -sT 192.168.10.186 → run nmap to port scan (-sT is a TCP connect scan; -O adds OS fingerprinting, whose raw probes are what the scanning host's own netfilter rules reject in the sendto errors below)

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-11-07 01:35 KST

sendto in send_ip_packet: sendto(5, packet, 60, 0, 192.168.10.186, 16) => Operation not permitted

sendto in send_ip_packet: sendto(5, packet, 60, 0, 192.168.10.186, 16) => Operation not permitted

sendto in send_ip_packet: sendto(5, packet, 60, 0, 192.168.10.186, 16) => Operation not permitted

sendto in send_ip_packet: sendto(5, packet, 60, 0, 192.168.10.186, 16) => Operation not permitted

sendto in send_ip_packet: sendto(5, packet, 60, 0, 192.168.10.186, 16) => Operation not permitted

sendto in send_ip_packet: sendto(5, packet, 60, 0, 192.168.10.186, 16) => Operation not permitted

Interesting ports on 192.168.10.186:

Not shown: 1672 closed ports

PORT STATE SERVICE

22/tcp open ssh

25/tcp open smtp

53/tcp open domain

80/tcp open http

110/tcp open pop3

111/tcp open rpcbind

766/tcp open unknown

3306/tcp open mysql

MAC Address: 00:0C:29:CC:1A:57 (VMware)

Device type: general purpose

Running: Linux 2.6.X

OS details: Linux 2.6.5 - 2.6.11

Uptime 1.985 days (since Thu Nov 5 01:57:07 2009)

 

Nmap finished: 1 IP address (1 host up) scanned in 2.911 seconds

--

 

<http://www.activeworx.org>

Once you port scan with nmap, you can see it detected like this on the web, in BASE.

--