[Snort] Installation

Alexandria · March 1, 2024

1. Installation

Install the packages required for the build, then build and install libdaq and gperftools from source.

$ sudo apt -y install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev
$ git clone https://github.com/snort3/libdaq.git
$ cd libdaq
libdaq$ ./bootstrap
libdaq$ ./configure
libdaq$ make
libdaq$ sudo make install
libdaq$ cd ../
$ wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
$ tar xzf gperftools-2.9.1.tar.gz
$ cd gperftools-2.9.1/
gperftools-2.9.1$ ./configure
gperftools-2.9.1$ make
gperftools-2.9.1$ sudo make install
gperftools-2.9.1$ cd ../

Now build and install Snort itself and confirm the version.

$ wget https://github.com/snort3/snort3/archive/refs/tags/3.1.43.0.tar.gz
$ tar xzf 3.1.43.0.tar.gz
$ cd snort3-3.1.43.0/
snort3-3.1.43.0$ ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
snort3-3.1.43.0$ cd build/
snort3-3.1.43.0/build$ make
snort3-3.1.43.0/build$ sudo make install
snort3-3.1.43.0/build$ sudo ldconfig
snort3-3.1.43.0/build$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.43.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.9
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.39 2016-06-14
           Using ZLIB version 1.2.11
           Using LZMA version 5.2.4

2. Configuration

Put the capture interface into promiscuous mode. The ethtool line also turns off GRO/LRO so the NIC does not merge segments before Snort sees them.

$ sudo ip link set dev ens33 promisc on
$ sudo ethtool -K ens33 gro off lro off

Download the community rule set.

$ sudo mkdir /usr/local/etc/rules
$ wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
$ tar zxf snort3-community-rules.tar.gz
$ sudo cp snort3-community-rules/* /usr/local/etc/rules/

Set the internal network (HOME_NET) and include the downloaded rules in the ips section.

$ sudo vi /usr/local/etc/snort/snort.lua
...
-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = '192.168.0.0/24'

-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = '!$HOME_NET'
...
ips =
{
    ...
    variables = default_variables,
    rules = [[
    include /usr/local/etc/rules/snort3-community.rules
    ]]
}

Validate the configuration.

$ sudo snort -c /usr/local/etc/snort/snort.lua
...
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Run Snort, passing the interface to listen on with -i.

$ sudo snort -c /usr/local/etc/snort/snort.lua -i ens33
...
pcap DAQ configured to passive.
Commencing packet processing
++ [0] ens33

Create a single test rule and run Snort with only that rule (-R). When a packet matching the rule is sent, the alert is printed to the console.

$ sudo vi /usr/local/etc/rules/test.rules
alert icmp any any -> 192.168.0.26 any (msg:"ICMP Detection"; sid:1000001; rev:1;)
$ sudo snort -R /usr/local/etc/rules/test.rules -i ens33 -A alert_fast
...
pcap DAQ configured to passive.
Commencing packet processing
++ [0] ens33
11/17-06:10:21.832157 [**] [1:1000001:1] "ICMP Detection" [**] [Priority: 0] {ICMP} 192.168.0.20 -> 192.168.0.26
11/17-06:10:22.850856 [**] [1:1000001:1] "ICMP Detection" [**] [Priority: 0] {ICMP} 192.168.0.20 -> 192.168.0.26

After configuring alert_fast to write to a file, run Snort again with a log directory (-l).

$ sudo mkdir -p /var/log/snort
$ sudo vi /usr/local/etc/snort/snort.lua
...
-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
alert_fast = { file = true }
$ sudo snort -R /usr/local/etc/rules/test.rules -i ens33 -A alert_fast -l /var/log/snort

Check the log file created under /var/log/snort.

$ cat alert_fast.txt
11/17-06:44:04.606592 [**] [1:1000001:1] "ICMP Detection" [**] [Priority: 0] {ICMP} 192.168.0.20 -> 192.168.0.26
11/17-06:44:05.611134 [**] [1:1000001:1] "ICMP Detection" [**] [Priority: 0] {ICMP} 192.168.0.20 -> 192.168.0.26
11/17-06:44:06.627354 [**] [1:1000001:1] "ICMP Detection" [**] [Priority: 0] {ICMP} 192.168.0.20 -> 192.168.0.26
11/17-06:44:07.632365 [**] [1:1000001:1] "ICMP Detection" [**] [Priority: 0] {ICMP} 192.168.0.20 -> 192.168.0.26
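The alert_fast lines printed to the console above and written to alert_fast.txt share one format: timestamp, [gid:sid:rev], the rule message, an optional classification, priority, protocol, and the source and destination endpoints. As an added example (not part of the original post or of the Snort project), the following Python parses that format into structured records and aggregates repeated hits so a handful of lines can be triaged instead of eyeballed. The four ICMP lines in the sample are the ones shown above; the banner lines and the fifth TCP line with a classification are constructed to show that non-alert lines are skipped and that TCP/UDP endpoints carry a port. The endpoint splitting assumes IPv4 addresses.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# One alert_fast line as written by Snort 3 with "-A alert_fast".
# The [Classification: ...] field is present only when the rule has a classtype.
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\] '
    r'(?:\[Classification: (?P<classification>[^\]]*)\] )?'
    r'\[Priority: (?P<priority>\d+)\] \{(?P<proto>[A-Za-z0-9]+)\} '
    r'(?P<src>\S+) -> (?P<dst>\S+)$'
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _split_endpoint(endpoint: str, proto: str) -> Tuple[str, Optional[int]]:
    """Split 'ip:port' for TCP/UDP; ICMP endpoints have no port.
    Assumption: IPv4 addresses (an IPv6 endpoint would contain extra colons)."""
    if proto in ("TCP", "UDP") and ":" in endpoint:
        ip, _, port = endpoint.rpartition(":")
        return ip, int(port)
    return endpoint, None


def parse_alert_fast_line(line: str) -> Optional[Alert]:
    """Return an Alert for a well-formed alert_fast line, or None for anything
    else (blank lines, startup banner text such as 'Commencing packet processing')."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    proto = m["proto"]
    src_ip, src_port = _split_endpoint(m["src"], proto)
    dst_ip, dst_port = _split_endpoint(m["dst"], proto)
    return Alert(
        timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["classification"], priority=int(m["priority"]),
        proto=proto, src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
    )


def parse_alert_fast(lines: Iterable[str]) -> List[Alert]:
    """Parse a whole alert_fast.txt (or captured console output), skipping non-alert lines."""
    return [a for a in (parse_alert_fast_line(ln) for ln in lines) if a is not None]


def count_by_signature_and_source(alerts: Iterable[Alert]) -> Counter:
    """Aggregate by (gid:sid, src_ip, dst_ip) so repeated hits from one host
    collapse into a single count for triage."""
    return Counter((f"{a.gid}:{a.sid}", a.src_ip, a.dst_ip) for a in alerts)


# Constructed sample: console banner lines, the four ICMP alerts shown above,
# and one constructed TCP alert that carries a classification and ports.
SAMPLE_LOG = """\
pcap DAQ configured to passive.
Commencing packet processing
++ [0] ens33
11/17-06:44:04.606592 [**] [1:1000001:1] "ICMP Detection" [**] [Priority: 0] {ICMP} 192.168.0.20 -> 192.168.0.26
11/17-06:44:05.611134 [**] [1:1000001:1] "ICMP Detection" [**] [Priority: 0] {ICMP} 192.168.0.20 -> 192.168.0.26
11/17-06:44:06.627354 [**] [1:1000001:1] "ICMP Detection" [**] [Priority: 0] {ICMP} 192.168.0.20 -> 192.168.0.26
11/17-06:44:07.632365 [**] [1:1000001:1] "ICMP Detection" [**] [Priority: 0] {ICMP} 192.168.0.20 -> 192.168.0.26
11/17-06:45:10.000001 [**] [1:1000002:1] "Constructed TCP example" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.20:51234 -> 192.168.0.26:22
"""


if __name__ == "__main__":
    parsed = parse_alert_fast(SAMPLE_LOG.splitlines())
    for key, n in count_by_signature_and_source(parsed).most_common():
        print(f"{key[0]:<12} {key[1]:>15} -> {key[2]:<15} {n} hit(s)")
```

To run it against a real capture, replace SAMPLE_LOG with `open("/var/log/snort/alert_fast.txt")` and feed the file object to parse_alert_fast; the parser ignores any line that does not match, so piping console output into it is safe as well.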

With a single interface Snort runs as an IDS; with two interfaces in inline mode it can act as an IPS.

Give the -Q option to switch to inline mode and pass the interface pair accordingly.

$ sudo snort -i ens33:ens38 -Q