Snort Installation

This article is 3609 characters long. Keywords: snort, installation, dependencies, solutions, rules

Installing Snort from source

Step 1: Compile and install the dependency packages and the Snort package

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.14.1.tar.gz
tar xvzf daq-2.0.6.tar.gz

cd daq-2.0.6
./configure && make && sudo make install
tar xvzf snort-2.9.14.1.tar.gz

cd snort-2.9.14.1
./configure --enable-sourcefire && make && sudo make install

Errors encountered while configuring, compiling and installing daq-2.0.6

ERROR1:
configure: error: Your operating system's lex is insufficient to compile
         libsfbpf. You should install both bison and flex.
         flex is a lex replacement that has many advantages,
         including being able to compile libsfbpf.  For more
         information, see http://www.gnu.org/software/flex/flex.html .
Solution 1:
yum -y install bison flex
ERROR2:
ERROR!  Libpcap library version >= 1.0.0 not found.
    Get it from http://www.tcpdump.org
Solution 2 (if the distribution's libpcap-devel package is version 1.0 or newer, yum -y install libpcap-devel is enough; otherwise build it from source as below and run sudo ldconfig afterwards so the library installed under /usr/local/lib is picked up):
wget http://www.tcpdump.org/release/libpcap-1.8.1.tar.gz

tar xvfz libpcap-1.8.1.tar.gz 

cd libpcap-1.8.1/
./configure && make && sudo make install

Errors encountered while configuring, compiling and installing snort-2.9.14.1

ERROR1:
ERROR!  dnet header not found, go get it from
   http://code.google.com/p/libdnet/ or use the --with-dnet-*
   options, if you have it installed in an unusual place
make: *** No targets specified and no makefile found.  Stop.
Solution 1 (the SourceForge URL ends in ?download, so name the saved file explicitly with -O; the version downloaded, unpacked and built must be the same one):
wget -O libdnet-1.12.tgz 'http://prdownloads.sourceforge.net/libdnet/libdnet-1.12.tgz?download'

tar xvf libdnet-1.12.tgz

cd libdnet-1.12
./configure && make && sudo make install
ERROR2:
ERROR!  LuaJIT library not found. Go get it from http://www.luajit.org/ (or)
   Try compiling without openAppId using '--disable-open-appid'
configure: error: "Fatal!"
Solution 2 (LuaJIT is only needed for OpenAppId; if you do not need it, configure Snort with --disable-open-appid instead, as the error message suggests):
git clone http://luajit.org/git/luajit-2.0.git

cd luajit-2.0/
make && sudo make install
After make install run sudo ldconfig; otherwise snort may fail to start with "libluajit-5.1.so.2: cannot open shared object file" because /usr/local/lib is not on the default linker search path.
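The whole of Step 1 as one script, reordered so that the dependencies whose absence produced the errors above are installed before ./configure runs. This is an added example, not the post's own commands. It assumes CentOS/RHEL with yum (as the post does), takes the download locations from the post, leaves the SHA-256 values as placeholders you fill in from the checksums published for each tarball, and refuses to unpack a tarball whose checksum is missing or wrong. Nothing is downloaded or built unless SNORT_BUILD=1 is set, so the file can be read and checked first. The ldconfig step is what avoids the "cannot open shared object file" failure when the freshly built snort binary looks for libdnet and libluajit under /usr/local/lib.

```shell
#!/bin/sh
# Added example (not the post's own script): Step 1 with the prerequisites installed
# before ./configure, every tarball checked against a SHA-256 before it is unpacked,
# and /usr/local/lib registered with the runtime linker. Assumes CentOS/RHEL (yum).
set -eu

# Download locations used in the post.
DAQ_URL=https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
SNORT_URL=https://www.snort.org/downloads/snort/snort-2.9.14.1.tar.gz
DNET_URL='http://prdownloads.sourceforge.net/libdnet/libdnet-1.12.tgz?download'
LUAJIT_GIT=http://luajit.org/git/luajit-2.0.git

# Placeholders: fill these in from the checksums published for each tarball.
# build_tarball refuses to unpack anything whose checksum is empty or wrong.
DAQ_SHA256=${DAQ_SHA256:-}
SNORT_SHA256=${SNORT_SHA256:-}
DNET_SHA256=${DNET_SHA256:-}

# Print the hex SHA-256 of a file, with coreutils or the BSD/macOS tool.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: returns 0 only when the digest matches. An empty
# EXPECTED is a refusal, not a pass, so an unverified tarball is never built.
verify_sha256() {
    [ -n "$2" ] || { echo "no checksum supplied for $1" >&2; return 1; }
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ] || { echo "checksum mismatch for $1: got $actual" >&2; return 1; }
}

# build_tarball URL SHA256 [configure options...]: fetch, verify, unpack, build, install.
build_tarball() {
    url=$1; sum=$2; shift 2
    file=$(basename "$url" | cut -d'?' -f1)   # drop the "?download" suffix for the local name
    dir=${file%.tar.gz}; dir=${dir%.tgz}
    [ -f "$file" ] || wget -q -O "$file" "$url"
    verify_sha256 "$file" "$sum"
    tar xzf "$file"
    (cd "$dir" && ./configure "$@" && make && sudo make install)
}

# Toolchain plus the headers whose absence produced the errors above (bison/flex
# for libsfbpf, libpcap >= 1.0) and the pcre/zlib headers snort's configure also needs.
install_prereqs() {
    sudo yum -y install gcc make bison flex libpcap-devel pcre-devel zlib-devel git wget
}

# LuaJIT is cloned as in the post; there is no tarball to checksum, so pin a commit
# with "git checkout <hash>" inside the clone if you need a reproducible build.
build_luajit() {
    [ -d luajit-2.0 ] || git clone "$LUAJIT_GIT"
    (cd luajit-2.0 && make && sudo make install)
}

# /usr/local/lib is not on the default linker search path on CentOS/RHEL; without this
# the installed snort fails with "libdnet.1: cannot open shared object file".
register_usr_local_lib() {
    echo /usr/local/lib | sudo tee /etc/ld.so.conf.d/usr-local.conf >/dev/null
    sudo ldconfig
}

main() {
    install_prereqs
    build_tarball "$DNET_URL" "$DNET_SHA256"
    build_luajit
    register_usr_local_lib
    build_tarball "$DAQ_URL" "$DAQ_SHA256"
    build_tarball "$SNORT_URL" "$SNORT_SHA256" --enable-sourcefire
    snort -V
}

# Nothing is downloaded or built unless explicitly requested: SNORT_BUILD=1 sh build-snort.sh
if [ "${SNORT_BUILD:-0}" = 1 ]; then
    main
fi
```

Order matters here: libdnet and LuaJIT go in first because snort's configure links against them, and the linker cache is refreshed before DAQ and Snort are built so that both the configure tests and the final snort -V find the new libraries.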

Step 2: Install the community rules

# The commands below write to /etc/snort and /usr/local/lib, so run them as root (or prefix each one with sudo).
# First create the snort configuration (and rules) directory
mkdir -p /etc/snort/rules
# Create the directory that the dynamicdetection setting in snort.conf expects to exist
mkdir /usr/local/lib/snort_dynamicrules

# From inside the unpacked snort-2.9.14.1 source tree, copy the default configuration files under etc/ into the snort configuration directory
cp etc/*.conf* /etc/snort
cp etc/*.map /etc/snort

# Download the community rules and unpack them into the rules directory (they land in /etc/snort/rules/community-rules/)
wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -zxf community-rules.tar.gz -C /etc/snort/rules

# Comment out every rule file snort.conf loads by default
sed -i 's/^include \$RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf

# Enable the community rules file
echo '' >> /etc/snort/snort.conf
echo '# enable community rule' >> /etc/snort/snort.conf
echo 'include $RULE_PATH/community-rules/community.rules' >> /etc/snort/snort.conf

# Reset the path variables in snort.conf (they default to ../rules, which is relative to the source tree, not to /etc/snort)
sed -i 's/var RULE_PATH ..\/rules/var RULE_PATH .\/rules/' /etc/snort/snort.conf
sed -i 's/var WHITE_LIST_PATH ..\/rules/var WHITE_LIST_PATH .\/rules/' /etc/snort/snort.conf
sed -i 's/var BLACK_LIST_PATH ..\/rules/var BLACK_LIST_PATH .\/rules/' /etc/snort/snort.conf

# Create the white list file the default configuration references
touch /etc/snort/rules/white_list.rules
# Create the default black list file
touch /etc/snort/rules/black_list.rules
# Create a file for your own rules. Because every other include was commented out above and only the community rules are included, this file is never loaded; it is created here only as a placeholder. To use it, add "include $RULE_PATH/local.rules" to snort.conf.
touch /etc/snort/rules/local.rules

# Check the configuration file for errors (Snort parses the whole configuration and every included rule file, then exits)
snort -T -c /etc/snort/snort.conf
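The snort.conf edits of Step 2, rewritten as one idempotent function: running it a second time after a rules update neither appends a second community include nor comments out the one it added, which the echo >> approach above would do. This is an added example, not the post's own commands. SNORT_CONF and SNORT_RULES are assumed variable names, the rules directory is passed in as an absolute path instead of the post's ./rules, and the sample configuration is constructed from the lines of the stock snort.conf that the edits touch, so the function can be exercised on a machine without Snort installed.

```shell
#!/bin/sh
# Added example (not the post's own commands): the Step 2 snort.conf edits as one
# idempotent function, plus a constructed sample of the lines it touches so it can be
# tried without a Snort install. SNORT_CONF / SNORT_RULES are assumed variable names.
set -eu

# enable_only_community_rules CONF RULE_DIR
#  1. comment out every active "include $RULE_PATH/..." except the community one
#  2. point RULE_PATH, WHITE_LIST_PATH and BLACK_LIST_PATH at RULE_DIR (absolute path)
#  3. append the community include only if no active copy exists
# The file is rewritten in place through cat so its owner and mode are kept.
enable_only_community_rules() {
    conf=$1; rules=$2
    tmp=$(mktemp)
    sed -e '/community-rules\/community\.rules$/!s|^include \$RULE_PATH/|#include $RULE_PATH/|' \
        -e "s|^var RULE_PATH .*|var RULE_PATH $rules|" \
        -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $rules|" \
        -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $rules|" "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    if ! grep -q '^include \$RULE_PATH/community-rules/community\.rules$' "$conf"; then
        printf '\n# enable community rule\ninclude $RULE_PATH/community-rules/community.rules\n' >> "$conf"
    fi
}

# create_rule_files RULE_DIR: the empty white/black/local files snort.conf references,
# created only when absent so an existing local.rules is never truncated.
create_rule_files() {
    mkdir -p "$1"
    for f in white_list.rules black_list.rules local.rules; do
        [ -f "$1/$f" ] || : > "$1/$f"
    done
}

# active_includes CONF: number of rule files snort would actually load.
active_includes() {
    grep -c '^include \$RULE_PATH/' "$1" || true
}

# Constructed sample (not a real file from the page): the lines of the stock 2.9.x
# snort.conf that the edits touch. The real file has many more include lines.
write_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF
}

# Real run, as root, once the copies into /etc/snort from Step 2 are done:
#   SNORT_CONF=/etc/snort/snort.conf sh enable-community-rules.sh
if [ -n "${SNORT_CONF:-}" ]; then
    enable_only_community_rules "$SNORT_CONF" "${SNORT_RULES:-/etc/snort/rules}"
    create_rule_files "${SNORT_RULES:-/etc/snort/rules}"
    snort -T -c "$SNORT_CONF"
fi
```

The sed address in front of the first substitution is what makes the function safe to repeat: the community include line is excluded from the comment-out pass, so the grep that follows finds it still active and does not append a duplicate.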

Step 3: Getting started

Snort is not that hard to use, but it has a great many options worth studying, and it is not always clear which options work well together. The aim of the Snort user manual is to make Snort easier for newcomers to use.

Before going on to operate Snort, there are a few Snort concepts to understand. Snort can be configured to run in three modes:

  • Sniffer mode, which simply reads packets off the network in real time and prints them as a continuous stream to the console (screen).
  • Packet logger mode, which records the packets to files on disk.
  • Network intrusion detection mode, which detects and analyses network traffic. This is the most complex and most configurable mode.

阿恒