
Installing snort3

· 2 min read
GavinTan
DevOps Engineer

Prepare the environment

apt install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool libjemalloc-dev libpcre3-dev

Build and install

Install libdaq

git clone https://github.com/snort3/libdaq.git
cd libdaq
./bootstrap
./configure
make -j 4
make install
ldconfig

Install snort3

git clone https://github.com/snort3/snort3.git
cd snort3
./configure_cmake.sh --prefix=/usr/local/snort3 --enable-tcmalloc
cd build
make -j 4
make install

The package list above pulls in libjemalloc-dev but no tcmalloc, so --enable-tcmalloc will fail at configure time unless you first install the gperftools development package (libgoogle-perftools-dev on Debian/Ubuntu); alternatively pass --enable-jemalloc to use the allocator that is already installed. Both git clone steps track each repository's default branch, so check out a tagged release of libdaq and snort3 if you need a reproducible build.

CentOS install: see Snort_3_GA_on_OracleLinux_8.pdf

Configuration

Enable a log file for alert_json

Append the block to the stock snort.lua rather than overwriting it. With a single > the redirection would replace the entire default configuration (HOME_NET, the ips table, the inspector setup), leaving Snort with nothing but an output module:

cat << EOF >> /usr/local/snort3/etc/snort/snort.lua
alert_json =
{
    file = true,
    limit = 200
}
EOF

file = true sends alerts to a file under the directory given with -l instead of stdout, and limit is the rollover size in MB. Note that -A alert_fast on the command line below selects the alert_fast output, so to get the JSON file run with -A alert_json, or leave -A off and let the Lua configuration decide.

Add an alert rule

Save the rule in its own file (for example /data/rules/local.rules) and load it alongside the community rules, either through ips.include in snort.lua or with an include line inside the rules file passed with -R (rules files may include other rules files). With the stock configuration HOME_NET is 'any', so this rule fires on every ICMP packet seen:

alert icmp any any -> $HOME_NET any (msg:"[Warning] ICMP connection detected, please handle promptly"; sid:1000001; rev:1;)
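The same settings as a snort.lua excerpt, added here as an example and not the post's own file: it shows the lines near the top of the stock configuration that give $HOME_NET a real value, and the ips and alert_json tables appended at the end that load the community rules plus the local file holding sid:1000001. The 192.168.1.0/24 subnet and the /data/rules/local.rules path are placeholders chosen for this example.

```lua
-- Added example (not from the original post): edited and appended parts of
-- /usr/local/snort3/etc/snort/snort.lua. The subnet and local.rules path are
-- placeholders.

-- Near the top of the stock file, before include 'snort_defaults.lua'.
-- The stock value 'any' makes "$HOME_NET" in the rule match every ICMP
-- packet; narrow it to the monitored subnet so the rule means "ICMP aimed
-- at my hosts".
HOME_NET = '192.168.1.0/24'
EXTERNAL_NET = '!$HOME_NET'

-- Appended at the end of the file. Redefining the ips table replaces the
-- stock one, so variables = default_variables must be carried over.
ips =
{
    -- also raise the decoder/inspector builtin alerts
    enable_builtin_rules = true,

    -- a rules file may include other rules files, so one block can load
    -- the community set and the local file from the post
    rules = [[
        include /data/rules/snort3-community.rules
        include /data/rules/local.rules
    ]],

    variables = default_variables,
}

-- JSON alerts written to a file under the -l log directory, rolling over
-- at 200 MB. Selected on the command line with -A alert_json, or used
-- automatically when -A is omitted.
alert_json =
{
    file = true,
    limit = 200,
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action',
}
```

Validate the result before capturing traffic with snort -c /usr/local/snort3/etc/snort/snort.lua -T, which parses the configuration and every included rules file and exits; a rule or Lua error shows up there instead of at the first alert.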

Run

Download the community rules

wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz

The archive unpacks into a snort3-community-rules/ directory; copy snort3-community.rules from it to /data/rules/ to match the paths used in the commands below.

Run snort (IDS mode)

snort -c /usr/local/snort3/etc/snort/snort.lua -R /data/rules/snort3-community.rules -i ens192 -s 65535 -k none -A alert_fast -n 100000

-i selects the capture interface, -s 65535 sets the snap length so no packet is truncated, -k none disables checksum verification (useful when the capture NIC offloads checksumming), -A alert_fast picks the one-line alert output, and -n 100000 stops after 100000 packets, which makes this a smoke test rather than a sensor; drop -n for continuous monitoring.

# write alerts to a log directory instead of stdout (create the directory first)
snort -c /usr/local/snort3/etc/snort/snort.lua -R /data/rules/snort3-community.rules -i ens192 -s 65535 -k none -A alert_fast -l /data/logs
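Before pointing Snort at ens192 it is worth proving that the rule and the command line actually produce an alert. The script below is an added example, not code from the original post: it hand-assembles a one-packet pcap (Ethernet/IPv4/ICMP echo request, checksums precomputed) using nothing but POSIX sh and printf, writes the rule from the previous section into a local rules file, and replays the pcap through Snort with -r in place of -i. The snort.lua path is the one used throughout the post; /tmp/snort-selftest is a scratch directory chosen for this example, and the MAC and IP addresses inside the packet are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: build a one-packet pcap in
# pure POSIX sh, write the ICMP rule to a local rules file, and replay the pcap
# through Snort 3 so sid:1000001 can be verified offline before going live.
# Assumptions: snort.lua path from the post; /tmp/snort-selftest is a
# scratch directory chosen here; all addresses in the packet are constructed.
set -eu

SNORT_LUA=/usr/local/snort3/etc/snort/snort.lua
WORK=${WORK:-/tmp/snort-selftest}

# Turn a hex string on stdin (spaces and newlines ignored) into raw bytes.
# Only printf's octal escapes are used, so this works in dash as well as bash.
hex2bin() {
    hex=$(tr -d ' \n')
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}      # first two hex digits
        hex=${hex#??}                # drop them
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# Write a pcap holding one Ethernet/IPv4/ICMP echo request (90 bytes total).
write_icmp_pcap() {
    {
        # pcap global header: magic 0xa1b2c3d4 little-endian, version 2.4,
        # thiszone 0, sigfigs 0, snaplen 65535, link type 1 (Ethernet)
        echo 'd4c3b2a1 0200 0400 00000000 00000000 ffff0000 01000000'
        # record header: ts_sec 1700000000, ts_usec 0, incl_len 50, orig_len 50
        echo '00f15365 00000000 32000000 32000000'
        # Ethernet: dst 00:11:22:33:44:55, src 66:77:88:99:aa:bb, type 0x0800
        echo '001122334455 66778899aabb 0800'
        # IPv4: v4/ihl5, tos 0, total length 36, id 1, no fragmentation,
        # ttl 64, proto 1 (ICMP), header checksum 0xaf25, 10.0.0.1 -> 192.168.1.10
        echo '4500 0024 0001 0000 4001 af25 0a000001 c0a8010a'
        # ICMP echo request: type 8, code 0, checksum 0x6668, id 1, seq 1,
        # payload "abcdefgh"
        echo '0800 6668 0001 0001 6162636465666768'
    } | hex2bin > "$1"
}

# The rule from the post, in a file that can be loaded with -R or ips.include.
write_local_rules() {
    cat > "$1" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"[Warning] ICMP connection detected, please handle promptly"; sid:1000001; rev:1;)
EOF
}

# Replay the pcap with the local rule loaded and print how many alert_fast
# lines carry gid 1 / sid 1000001 / rev 1 (one packet, so 1 is expected).
replay_count_alerts() {
    snort -q -c "$SNORT_LUA" -R "$2" -r "$1" -k none -A alert_fast \
        | grep -c '\[1:1000001:1\]' || true
}

mkdir -p "$WORK"
write_icmp_pcap "$WORK/icmp.pcap"
write_local_rules "$WORK/local.rules"

if command -v snort >/dev/null 2>&1; then
    n=$(replay_count_alerts "$WORK/icmp.pcap" "$WORK/local.rules")
    echo "sid:1000001 fired $n time(s) on $WORK/icmp.pcap"
else
    echo "snort not in PATH; pcap and rules written to $WORK"
fi
```

With the stock HOME_NET of 'any' the alert_fast line for the replay names [1:1000001:1] and the constructed 10.0.0.1 -> 192.168.1.10 ICMP flow; if you have narrowed HOME_NET, the destination 192.168.1.10 must fall inside it or the count will be 0, which is exactly the kind of mismatch this replay is meant to catch before deployment. The pcap is also a quick way to confirm that -k none is not hiding a checksum problem: the checksums embedded above are correct, so the rule should fire with -k all as well.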

Common operations

List the available alert output modules

snort --help-modules | grep alert

Running in Docker

Dockerfile

# syntax=docker/dockerfile:1
FROM debian:stable-20231120

RUN apt-get update && apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool libjemalloc-dev libpcre3-dev

RUN cd && git clone https://github.com/snort3/libdaq.git && cd libdaq && ./bootstrap && ./configure && make -j 4 && make install && ldconfig

RUN cd && git clone https://github.com/snort3/snort3.git && cd snort3 && ./configure_cmake.sh --prefix=/usr/local/snort3 && cd build && make -j 4 && make install

# ENV applies to every process in the image; a line in ~/.bashrc only reaches
# interactive bash shells, not the compose command below.
ENV PATH="/usr/local/snort3/bin:${PATH}"

# RUN heredocs need BuildKit (hence the syntax directive on the first line).
# Append to the stock snort.lua; do not overwrite it.
RUN <<EOF cat >> /usr/local/snort3/etc/snort/snort.lua
alert_fast =
{
    file = true,
    limit = 200
}
EOF

The base image is pinned to a dated tag, but both git clone steps still track each repository's default branch, so two builds on different days can produce different Snort versions; check out a tagged release in each clone if the image must be reproducible.
docker-compose.yml

services:
  snort:
    build: .
    command: /usr/local/snort3/bin/snort -c /usr/local/snort3/etc/snort/snort.lua -R /data/rules/snort3-community.rules -i ens192 -s 65535 -k none -A alert_fast -l /data/logs
    network_mode: host
    volumes:
      - ./data:/data
      - /etc/localtime:/etc/localtime:ro

network_mode: host is what makes the host interface ens192 visible inside the container; replace ens192 with the name of your own capture interface. Create ./data/rules (holding snort3-community.rules) and ./data/logs on the host before starting, since the command expects both paths to exist under the mounted /data.