document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2024-12-23 21:20:42 +08:00
Code Issues Packages Projects Releases Wiki Activity
c87292138d
TranslateProject/translated/tech/20150811 How to Install Snort and Usage in Ubuntu 15.04.md

204 lines
8.2 KiB
Markdown
Raw Normal View History

translating
2015-08-15 11:34:52 +08:00
在Ubuntu 15.04中如何安装和使用Snort
20150811-1 选题
2015-08-11 10:37:03 +08:00
================================================================================
translating
2015-08-15 11:34:52 +08:00
对于IT安全而言入侵检测是一件非常重要的事。入侵检测系统用于检测网络中非法与恶意的请求。Snort是一款知名的开源入侵检测系统。Web界面Snorby可以用于更好地分析警告。Snort使用iptables/pf防火墙来作为入侵检测系统。本篇中我们会安装并配置一个开源的IDS系统snort。
20150811-1 选题
2015-08-11 10:37:03 +08:00
translating
2015-08-15 11:34:52 +08:00
### Snort 安装 ###
20150811-1 选题
2015-08-11 10:37:03 +08:00
translating
2015-08-15 11:34:52 +08:00
#### 要求 ####
20150811-1 选题
2015-08-11 10:37:03 +08:00
translating
2015-08-15 11:34:52 +08:00
snort所使用的数据采集库DAQ用于抽象地调用采集库。这个在snort上就有。下载过程如下截图所示。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![downloading_daq](http://blog.linoxide.com/wp-content/uploads/2015/07/downloading_daq.png)
translating
2015-08-15 11:34:52 +08:00
解压并运行./configure、make、make install来安装DAQ。然而DAQ要求其他的工具因此./configure脚本会生成下面的错误。
20150811-1 选题
2015-08-11 10:37:03 +08:00
translating
2015-08-15 11:34:52 +08:00
flex和bison错误
20150811-1 选题
2015-08-11 10:37:03 +08:00
![flexandbison_error](http://blog.linoxide.com/wp-content/uploads/2015/07/flexandbison_error.png)
translating
2015-08-15 11:34:52 +08:00
libpcap错误
20150811-1 选题
2015-08-11 10:37:03 +08:00
![libpcap error](http://blog.linoxide.com/wp-content/uploads/2015/07/libpcap-error.png)
translating
2015-08-15 11:34:52 +08:00
因此在安装DAQ之前先安装flex/bison和libcap。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![install_flex](http://blog.linoxide.com/wp-content/uploads/2015/07/install_flex.png)
translating
2015-08-15 11:34:52 +08:00
如下所示安装libpcap开发库
20150811-1 选题
2015-08-11 10:37:03 +08:00
![libpcap-dev installation](http://blog.linoxide.com/wp-content/uploads/2015/07/libpcap-dev-installation.png)
translating
2015-08-15 11:34:52 +08:00
安装完必要的工具后,再次运行./configure脚本将会显示下面的输出。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![without_error_configure](http://blog.linoxide.com/wp-content/uploads/2015/07/without_error_configure.png)
translating
2015-08-15 11:34:52 +08:00
make和make install 命令的结果如下所示。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![make install](http://blog.linoxide.com/wp-content/uploads/2015/07/make-install.png)
![make](http://blog.linoxide.com/wp-content/uploads/2015/07/make.png)
translating
2015-08-15 11:34:52 +08:00
成功安装DAQ之后我们现在安装snort。如下图使用wget下载它。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![downloading_snort](http://blog.linoxide.com/wp-content/uploads/2015/07/downloading_snort.png)
translating
2015-08-15 11:34:52 +08:00
使用下面的命令解压安装包。
20150811-1 选题
2015-08-11 10:37:03 +08:00
#tar -xvzf snort-2.9.7.3.tar.gz
![snort_extraction](http://blog.linoxide.com/wp-content/uploads/2015/07/snort_extraction.png)
translating
2015-08-15 11:34:52 +08:00
创建安装目录并在脚本中设置prefix参数。同样也建议启用包性能监控PPM标志。
20150811-1 选题
2015-08-11 10:37:03 +08:00
#mkdir /usr/local/snort
#./configure --prefix=/usr/local/snort/ --enable-sourcefire
![snort_installation](http://blog.linoxide.com/wp-content/uploads/2015/07/snort_installation.png)
translating
2015-08-15 11:34:52 +08:00
配置脚本由于缺少libpcre-dev、libdumbnet-dev 和zlib开发库而报错。
20150811-1 选题
2015-08-11 10:37:03 +08:00
translating
2015-08-15 11:34:52 +08:00
配置脚本由于缺少libpcre库报错。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![pcre-error](http://blog.linoxide.com/wp-content/uploads/2015/07/pcre-error.png)
translating
2015-08-15 11:34:52 +08:00
配置脚本由于缺少dnetlibdumbnet库而报错。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![libdnt error](http://blog.linoxide.com/wp-content/uploads/2015/07/libdnt-error.png)
translating
2015-08-15 11:34:52 +08:00
配置脚本由于缺少zlib库而报错
20150811-1 选题
2015-08-11 10:37:03 +08:00
![zlib error](http://blog.linoxide.com/wp-content/uploads/2015/07/zlib-error.png)
translating
2015-08-15 11:34:52 +08:00
如下所示,安装所有需要的开发库。
20150811-1 选题
2015-08-11 10:37:03 +08:00
# aptitude install libpcre3-dev
![libpcre3-dev install](http://blog.linoxide.com/wp-content/uploads/2015/07/libpcre3-dev-install.png)
# aptitude install libdumbnet-dev
![libdumnet-dev installation](http://blog.linoxide.com/wp-content/uploads/2015/07/libdumnet-dev-installation.png)
# aptitude install zlib1g-dev
![zlibg-dev installation](http://blog.linoxide.com/wp-content/uploads/2015/07/zlibg-dev-installation.png)
translating
2015-08-15 11:34:52 +08:00
安装完snort需要的库之后再次运行配置脚本就不会报错了。
20150811-1 选题
2015-08-11 10:37:03 +08:00
translating
2015-08-15 11:34:52 +08:00
运行make和make install命令在/usr/local/snort目录下完成安装。
20150811-1 选题
2015-08-11 10:37:03 +08:00
#make
![make snort](http://blog.linoxide.com/wp-content/uploads/2015/07/make-snort.png)
#make install
![make install snort](http://blog.linoxide.com/wp-content/uploads/2015/07/make-install-snort.png)
translating
2015-08-15 11:34:52 +08:00
最终snort在/usr/local/snort/bin中运行。现在它对eth0的所有流量都处在promisc模式包转储模式
20150811-1 选题
2015-08-11 10:37:03 +08:00
![snort running](http://blog.linoxide.com/wp-content/uploads/2015/07/snort-running.png)
translating
2015-08-15 11:34:52 +08:00
如下图所示snort转储流量。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![traffic](http://blog.linoxide.com/wp-content/uploads/2015/07/traffic1.png)
translating
2015-08-15 11:34:52 +08:00
#### Snort的规则和配置 ####
20150811-1 选题
2015-08-11 10:37:03 +08:00
translating
2015-08-15 11:34:52 +08:00
从源码安装的snort需要规则和安装配置因此我们会从/etc/snort下面复制规则和配置。我们已经创建了单独的bash脚本来用于规则和配置。它会设置下面这些snort设置。
20150811-1 选题
2015-08-11 10:37:03 +08:00
translating
2015-08-15 11:34:52 +08:00
- 在linux中创建snort用户用于snort IDS服务。
- 在/etc下面创建snort的配置文件和文件夹。
- 权限设置并从etc中复制snortsnort源代码
- 从snort文件中移除规则中的#(注释符号)。
20150811-1 选题
2015-08-11 10:37:03 +08:00
#!/bin/bash##PATH of source code of snort
snort_src="/home/test/Downloads/snort-2.9.7.3"
echo "adding group and user for snort..."
groupadd snort &> /dev/null
useradd snort -r -s /sbin/nologin -d /var/log/snort -c snort_idps -g snort &> /dev/null#snort configuration
echo "Configuring snort..."mkdir -p /etc/snort
mkdir -p /etc/snort/rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/local.rules
mkdir /etc/snort/preproc_rules
mkdir /var/log/snort
mkdir -p /usr/local/lib/snort_dynamicrules
chmod -R 775 /etc/snort
chmod -R 775 /var/log/snort
chmod -R 775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules
###copy configuration and rules from etc directory under source code of snort
echo "copying from snort source to /etc/snort ....."
echo $snort_src
echo "-------------"
cp $snort_src/etc/*.conf* /etc/snort
cp $snort_src/etc/*.map /etc/snort##enable rules
sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
echo "---DONE---"
translating
2015-08-15 11:34:52 +08:00
改变脚本中的snort源目录并运行。下面是成功的输出。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![running script](http://blog.linoxide.com/wp-content/uploads/2015/08/running_script.png)
translating
2015-08-15 11:34:52 +08:00
上面的脚本从snort源中复制下面的文件/文件夹到/etc/snort配置文件中
20150811-1 选题
2015-08-11 10:37:03 +08:00
![files copied](http://blog.linoxide.com/wp-content/uploads/2015/08/created.png)
translating
2015-08-15 11:34:52 +08:00
、snort的配置非常复杂然而为了IDS能正常工作需要进行下面必要的修改。
20150811-1 选题
2015-08-11 10:37:03 +08:00
ipvar HOME_NET 192.168.1.0/24 # LAN side
----------
ipvar EXTERNAL_NET !$HOME_NET # WAN side
![veriable set](http://blog.linoxide.com/wp-content/uploads/2015/08/12.png)
var RULE_PATH /etc/snort/rules # snort signature path
var SO_RULE_PATH /etc/snort/so_rules #rules in shared libraries
var PREPROC_RULE_PATH /etc/snort/preproc_rules # Preproces path
var WHITE_LIST_PATH /etc/snort/rules # dont scan
var BLACK_LIST_PATH /etc/snort/rules # Must scan
![main path](http://blog.linoxide.com/wp-content/uploads/2015/08/rule-path.png)
include $RULE_PATH/local.rules # file for custom rules
translating
2015-08-15 11:34:52 +08:00
移除ftp.rules、exploit.rules前面的注释符号(#)。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![path rules](http://blog.linoxide.com/wp-content/uploads/2015/08/path-rules.png)
translating
2015-08-15 11:34:52 +08:00
下载[下载社区][1]规则并解压到/etc/snort/rules。启用snort.conf中的社区及紧急威胁规则。
20150811-1 选题
2015-08-11 10:37:03 +08:00
![wget_rules](http://blog.linoxide.com/wp-content/uploads/2015/08/wget_rules.png)
![community rules](http://blog.linoxide.com/wp-content/uploads/2015/08/community-rules1.png)
translating
2015-08-15 11:34:52 +08:00
进行了上面的更改后,运行下面的命令来检验配置文件。
20150811-1 选题
2015-08-11 10:37:03 +08:00
#snort -T -c /etc/snort/snort.conf
![snort running](http://blog.linoxide.com/wp-content/uploads/2015/08/snort-final.png)
translating
2015-08-15 11:34:52 +08:00
### 总结 ###
20150811-1 选题
2015-08-11 10:37:03 +08:00
translating
2015-08-15 11:34:52 +08:00
本篇中我们致力于开源IDPS系统snort在Ubuntu上的安装和配置。默认它用于监控时间然而它可以被配置成用于网络保护的内联模式。snort规则可以在离线模式中可以使用pcap文件测试和分析
20150811-1 选题
2015-08-11 10:37:03 +08:00
--------------------------------------------------------------------------------
via: http://linoxide.com/security/install-snort-usage-ubuntu-15-04/
作者:[nido][a]
translating
2015-08-15 11:34:52 +08:00
译者:[geekpi](https://github.com/geekpi)
20150811-1 选题
2015-08-11 10:37:03 +08:00
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://linoxide.com/author/naveeda/
translating
2015-08-15 10:39:03 +08:00
[1]:https://www.snort.org/downloads/community/community-rules.tar.gz
Reference in New Issue Copy Permalink