在 Ubuntu 22.04 上安装和配置 Snort 3 入侵检测系统
在此页
- 先决条件
- 安装所需的依赖项
- 安装 Snort DAQ
- 安装 Gperftools
- 安装 Snort
- 配置喷鼻息
- 为 Snort NIC 创建一个 Systemd 服务文件
- 安装 Snort 规则
- 安装 Snort OpenAppID
- 创建 Snort 自定义规则
- 为 Snort 创建一个 Systemd 服务文件
- 结论
Snort 是一种开源入侵防御和检测系统 (IDS),可抵御 DDoS 攻击。它使用有助于定义恶意网络活动的内置规则,并使用这些规则查找与其匹配的数据包并为用户生成警报。 Snort 可以识别最新的攻击、恶意软件感染、受损系统和违反网络策略的行为。
功能
- 实时流量监控。
- 数据包记录。协议分析。
- 内容匹配。操作系统指纹识别。
- 它可以安装在任何网络环境中。
- 创建日志。
在本教程中,我们将向您展示如何在 Ubuntu 22.04 上安装 Snort。
先决条件
- 一台运行 Ubuntu 22.04 的服务器。
- 在服务器上配置了根密码。
安装所需的依赖项
在开始之前,您需要在服务器上安装一些依赖项。您可以通过运行以下命令来安装所有这些:
apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev -y安装所有依赖项后,您可以继续下一步。
安装 Snort 数据采集卡
接下来,您需要在您的系统上安装数据采集库。默认情况下,它在 Ubuntu 默认存储库中不可用。所以你需要从源代码编译它。
首先,使用以下命令从 Git 下载 Snort DAQ:
git clone https://github.com/snort3/libdaq.git下载完成后,导航到下载的目录并使用以下命令对其进行配置:
cd libdaq
./bootstrap
./configure您应该看到以下输出:
cc: gcc
cppflags:
am_cppflags: -fvisibility=hidden -Wall -Wmissing-declarations -Wpointer-arith -Wcast-align -Wcast-qual -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wwrite-strings -Wextra -Wsign-compare -Wno-unused-parameter -fno-strict-aliasing -fdiagnostics-show-option
cflags: -g -O2
am_cflags: -Wstrict-prototypes -Wmissing-prototypes -Wold-style-definition -Wnested-externs
ldflags:
am_ldflags:
libs:
code_coverage_enabled: no
code_coverage_cppflags:
code_coverage_cflags:
code_coverage_ldflags:
Build AFPacket DAQ module.. : yes
Build BPF DAQ module....... : yes
Build Divert DAQ module.... : no
Build Dump DAQ module...... : yes
Build FST DAQ module....... : yes
Build netmap DAQ module.... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
Build Savefile DAQ module.. : yes
Build Trace DAQ module..... : yes
Build GWLB DAQ module...... : yes
接下来,使用以下命令安装它:
make
make install安装 Gperftools
首先,使用以下命令下载最新版本的 Gperftools:
cd
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz下载完成后,使用以下命令解压缩下载的文件:
tar xzf gperftools-2.9.1.tar.gz接下来,导航到下载的目录并使用以下命令对其进行编译:
cd gperftools-2.9.1/
./configure接下来,使用以下命令安装它:
make
make install安装喷鼻息
接下来,使用以下命令下载最新版本的 Snort:
cd
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.43.0.tar.gz接下来,使用以下命令解压缩下载的文件:
tar -xvzf 3.1.43.0.tar.gz接下来,导航到提取的目录并使用以下命令对其进行配置:
cd snort3-3.1.43.0
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc您将获得以下输出:
snort version 3.1.43.0
Install options:
prefix: /usr/local
includes: /usr/local/include/snort
plugins: /usr/local/lib/snort
Compiler options:
CC: /usr/bin/cc
CXX: /usr/bin/c++
CFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG
CXXFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG
EXE_LDFLAGS:
MODULE_LDFLAGS:
Feature options:
DAQ Modules: Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace)
libatomic: System-provided
Hyperscan: OFF
ICONV: ON
Libunwind: ON
LZMA: ON
RPC DB: Built-in
SafeC: OFF
TCMalloc: ON
JEMalloc: OFF
UUID: ON
-------------------------------------------------------
-- Configuring done
-- Generating done
-- Build files have been written to: /root/snort3-3.1.43.0/build
接下来,将目录更改为构建目录并使用以下命令安装 Snort:
cd build
make
make install
ldconfig您现在可以使用以下命令验证 Snort 版本:
snort -V您将获得以下输出:
,,_ -*> Snort++ <*-
o" )~ Version 3.1.43.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.9
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 3.0.2 15 Mar 2022
Using libpcap version 1.10.1 (with TPACKET_V3)
Using PCRE version 8.39 2016-06-14
Using ZLIB version 1.2.11
Using LZMA version 5.2.5
配置喷鼻息
首先,您需要将网络接口设置为混杂模式,以便它能够看到发送给它的所有网络流量。
您可以使用以下命令设置它:
ip link set dev eth0 promisc on您现在可以使用以下命令验证它:
ip add sh eth0接下来,您还需要禁用接口卸载。首先,使用以下命令检查此功能是否已启用:
ethtool -k eth0 | grep receive-offload您将获得以下输出:
generic-receive-offload: on
large-receive-offload: off [fixed]
您现在可以使用以下命令禁用它:
ethtool -K eth0 gro off lro off为 Snort NIC 创建系统服务文件
接下来,您需要为 Snort NIC 创建一个 systemd 服务文件。
nano /etc/systemd/system/snort3-nic.service添加以下行:
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev eth0 promisc on
ExecStart=/usr/sbin/ethtool -K eth0 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes
[Install]
WantedBy=default.target
保存并关闭文件,然后重新加载 systemd 守护进程以应用更改:
systemctl daemon-reload接下来,使用以下命令启动并启用 Snort:
systemctl start snort3-nic.service
systemctl enable snort3-nic.service您可以使用以下命令检查 Snort 的状态:
systemctl status snort3-nic.service您将获得以下输出:
? snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
Loaded: loaded (/etc/systemd/system/snort3-nic.service; disabled; vendor preset: enabled)
Active: active (exited) since Tue 2022-10-11 16:24:15 UTC; 6s ago
Process: 95745 ExecStart=/usr/sbin/ip link set dev eth0 promisc on (code=exited, status=0/SUCCESS)
Process: 95746 ExecStart=/usr/sbin/ethtool -K eth0 gro off lro off (code=exited, status=0/SUCCESS)
Main PID: 95746 (code=exited, status=0/SUCCESS)
CPU: 11ms
Oct 11 16:24:15 ubuntu2204 systemd[1]: Starting Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot...
Oct 11 16:24:15 ubuntu2204 systemd[1]: Finished Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot.
安装 Snort 规则
规则对于 Snorts 入侵检测引擎非常重要。首先,创建一个目录来存储所有规则:
mkdir /usr/local/etc/rules接下来,使用以下命令下载社区规则:
wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/etc/rules/接下来,编辑 Snort 主配置文件:
nano /usr/local/etc/snort/snort.lua如下所示定义您的网络:
HOME_NET = '192.168.56.124/32'
EXTERNAL_NET = '!$HOME_NET'
接下来,定义您的 Snort 规则路径:
ips =
{
-- use this to enable decoder and inspector alerts
--enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables,
rules = [[
include /usr/local/etc/rules/snort3-community-rules/snort3-community.rules
]]
}
完成后保存并关闭文件。
安装 Snort OpenAppID
OpenAppID 是一个插件,它允许 Snort 检测网络中使用的各种应用程序,包括 Facebook、Netflix、Twitter 和 Reddit。
您可以使用以下命令下载它:
wget https://www.snort.org/downloads/openappid/26425 -O OpenAppId-26425.tgz下载完成后,使用以下命令解压缩下载的文件:
tar -xzvf OpenAppId-26425.tgz接下来,将 OpenAppID 二进制文件复制到系统目录:
cp -R odp /usr/local/lib/接下来,编辑 Snort 配置文件并定义您的 OpenAppID 位置:
nano /usr/local/etc/snort/snort.lua更改以下行:
appid =
{
app_detector_dir = '/usr/local/lib',
log_stats = true,
}
保存并关闭文件,然后创建 Snort 日志目录:
mkdir /var/log/snort最后,使用以下命令验证 Snort 配置文件:
snort -c /usr/local/etc/snort/snort.lua如果一切正常,您将获得以下输出:
--------------------------------------------------
fast pattern groups
src: 59
dst: 158
any: 4
to_server: 56
to_client: 39
--------------------------------------------------
search engine
instances: 316
patterns: 10282
pattern chars: 166369
num states: 112212
num match states: 9885
memory scale: MB
total memory: 3.42574
pattern memory: 0.550588
match list memory: 1.25256
transition memory: 1.58402
fast pattern only: 6822
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
创建 Snort 自定义规则
您还可以根据需要创建自己的自定义规则。让我们为传入的 ICMP 请求创建自定义规则:
nano /usr/local/etc/rules/local.rules添加以下行:
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
接下来,使用以下命令验证规则:
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules您将获得以下输出:
search engine
instances: 316
patterns: 10282
pattern chars: 166369
num states: 112212
num match states: 9885
memory scale: MB
total memory: 3.42574
pattern memory: 0.550588
match list memory: 1.25256
transition memory: 1.58402
fast pattern only: 6822
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
接下来,运行以下命令以使用您的自定义规则在您的网络接口上启动 Snort:
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i eth0 -A alert_fast -s 65535 -k none接下来,打开另一个终端界面并 ping 你的服务器。您应该在第一个终端上看到 ICMP 错误:
10/11-16:45:23.848071 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:23.848071 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:24.323038 [**] [1:366:11] "PROTOCOL-ICMP PING Unix" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:24.323038 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:24.323038 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
^C** caught int signal
== stopping
10/11-16:45:25.353007 [**] [1:366:11] "PROTOCOL-ICMP PING Unix" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:25.353007 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:25.353007 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
为 Snort 创建系统服务文件
接下来,创建一个 systemd 服务文件以通过 systemd 管理 Snort。
nano /etc/systemd/system/snort3.service添加以下配置:
[Unit]
Description=Snort Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i eth0 -m 0x1b -u root -g root
ExecStop=/bin/kill -9 $MAINPID
[Install]
WantedBy=multi-user.target
保存并关闭文件,然后使用以下命令重新加载 systemd 守护进程:
systemctl daemon-reload接下来,使用以下命令启动并启用 Snort 服务:
systemctl enable --now snort3您现在可以使用以下命令验证 Snort 的状态:
systemctl status snort3您将获得以下输出:
? snort3.service - Snort Daemon
Loaded: loaded (/etc/systemd/system/snort3.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-10-11 16:48:28 UTC; 17s ago
Main PID: 95898 (snort)
Tasks: 2 (limit: 4579)
Memory: 233.6M
CPU: 2.007s
CGroup: /system.slice/snort3.service
??95898 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i eth0 -m 0x1b -u root -g >
Oct 11 16:48:29 ubuntu2204 snort[95898]: num match states: 9885
Oct 11 16:48:29 ubuntu2204 snort[95898]: memory scale: MB
Oct 11 16:48:29 ubuntu2204 snort[95898]: total memory: 3.42574
Oct 11 16:48:29 ubuntu2204 snort[95898]: pattern memory: 0.550588
Oct 11 16:48:29 ubuntu2204 snort[95898]: match list memory: 1.25256
Oct 11 16:48:29 ubuntu2204 snort[95898]: transition memory: 1.58402
Oct 11 16:48:29 ubuntu2204 snort[95898]: fast pattern only: 6822
Oct 11 16:48:29 ubuntu2204 snort[95898]: --------------------------------------------------
Oct 11 16:48:29 ubuntu2204 snort[95898]: pcap DAQ configured to passive.
Oct 11 16:48:29 ubuntu2204 snort[95898]: Commencing packet processing
结论
恭喜!您已经在 Ubuntu 22.04 上成功安装并配置了 Snort 3。您现在可以在您的组织中实施 Snort 并保护它免受 DDoS 攻击。如果您有任何问题,请随时问我。