snort3安装
准备环境
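# Build dependencies for libdaq and Snort 3 on Debian/Ubuntu (run as root).
# apt-get is the script-stable CLI (`apt` itself warns that its interface may change),
# and the package index must be refreshed first or the install can fail on a fresh host.
# NOTE(review): this list installs libjemalloc-dev, not gperftools
# (libgoogle-perftools-dev), so the allocator flag that matches it in
# configure_cmake.sh is --enable-jemalloc rather than --enable-tcmalloc — confirm
# with `./configure_cmake.sh --help`.
apt-get update && apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool libjemalloc-dev libpcre3-dev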
编译安装
安装libdaq
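# Build and install libdaq (Snort's packet acquisition library) from source.
# Each step is chained with && so a failed bootstrap/configure/make does not
# silently fall through to `make install`.
# TODO(review): this clones the unpinned default branch; pin to a release tag
# (git clone --depth 1 --branch <tag> …) so the build is reproducible and not
# whatever HEAD happens to be on the day you run it.
git clone https://github.com/snort3/libdaq.git \
  && cd libdaq \
  && ./bootstrap \
  && ./configure \
  && make -j 4 \
  && make install \
  && ldconfig   # refresh the linker cache so snort's configure finds the new libdaq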
安装snort3
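# Build and install Snort 3 into /usr/local/snort3 (binaries land in
# /usr/local/snort3/bin, the stock config in /usr/local/snort3/etc/snort).
# Steps are chained with && so a configure or build failure stops here.
# NOTE(review): --enable-tcmalloc needs gperftools (libgoogle-perftools-dev),
# which the package list above does not install; it installs libjemalloc-dev,
# whose matching flag is --enable-jemalloc. Check `./configure_cmake.sh --help`
# and use the flag that matches the allocator you actually installed.
# TODO(review): pin the clone to a release tag (--branch <tag>) for reproducibility.
git clone https://github.com/snort3/snort3.git \
  && cd snort3 \
  && ./configure_cmake.sh --prefix=/usr/local/snort3 --enable-tcmalloc \
  && cd build \
  && make -j 4 \
  && make install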
CentOS / Oracle Linux 安装步骤参见：Snort_3_GA_on_OracleLinux_8.pdf
配置
设置alert_json启用日志文件
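# Enable the alert_json output module by APPENDING to the stock snort.lua.
# The original used `>`, which truncates the file: the shipped snort.lua is
# what pulls in snort_defaults.lua and the default inspectors, so overwriting
# it leaves Snort with an almost empty configuration. The quoted delimiter
# keeps the heredoc literal (no shell expansion inside the Lua snippet).
# NOTE: `-A alert_fast` on the snort command line overrides this block; drop
# -A (or pass -A alert_json) for the JSON file output to take effect.
cat << 'EOF' >> /usr/local/snort3/etc/snort/snort.lua
alert_json =
{
    file = true,
    limit = 200
}
EOF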
添加警报规则（写入一个本地规则文件，例如 /data/rules/local.rules，运行时通过 -R 加载）
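# Alerts on any ICMP packet destined for HOME_NET. HOME_NET must be defined
# in snort.lua; the stock config typically sets it to 'any', in which case
# every ICMP packet on the interface fires this rule — narrow it to your own
# address range before running this in production.
# sid 1000001 is in the local-rule range (>= 1000000) and therefore cannot
# collide with the community rule set loaded alongside it.
alert icmp any any -> $HOME_NET any (msg:"[警告]检测到 ICMP connection 请及时处理"; sid:1000001; rev:1;)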
运行
下载community-rules
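# Fetch the community rule set and unpack it where the snort invocations below
# expect it (-R /data/rules/snort3-community.rules). The archive unpacks into a
# snort3-community-rules/ directory; --strip-components=1 drops that level.
# TODO(review): verify the download (checksum/signature published on snort.org)
# before loading it — a tampered rule set silently weakens detection.
wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
mkdir -p /data/rules
tar -xzf snort3-community-rules.tar.gz -C /data/rules --strip-components=1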
运行snort(IDS)
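# Capture interface is host-specific (ens192 on the original machine);
# override with IFACE=<nic> in the environment.
IFACE="${IFACE:-ens192}"

# Test run: -n 100000 exits after 100000 packets. -s 65535 sets the snaplen;
# -k none disables checksum verification, so packets with bad checksums are
# inspected instead of dropped (useful when NIC offload mangles checksums,
# but be aware it changes what the sensor sees versus the host). -A alert_fast
# forces the console output module and overrides the output block in snort.lua.
snort -c /usr/local/snort3/etc/snort/snort.lua -R /data/rules/snort3-community.rules -i "$IFACE" -s 65535 -k none -A alert_fast -n 100000

# Long-running IDS: same invocation without the packet limit; -l writes the
# alert output under /data/logs, which must exist and be writable.
mkdir -p /data/logs
snort -c /usr/local/snort3/etc/snort/snort.lua -R /data/rules/snort3-community.rules -i "$IFACE" -s 65535 -k none -A alert_fast -l /data/logs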
常用操作
查看alert模块
# List the available output modules whose name contains "alert"
# (alert_fast, alert_json, …) — the valid values for -A.
snort --help-modules | grep -- 'alert'
运行docker配置
Dockerfile
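# syntax=docker/dockerfile:1
# Builds libdaq and Snort 3 from source on a pinned Debian snapshot.
# The RUN heredoc at the bottom requires BuildKit; the syntax directive above
# selects a frontend that understands it.
FROM debian:stable-20231120

# apt-get is the script-stable CLI; the lists are removed afterwards so they
# do not bloat the image layer. (Recommends are kept on purpose: git's https
# clone needs ca-certificates, which comes in as a Recommends.)
RUN apt-get update \
    && apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool libjemalloc-dev libpcre3-dev \
    && rm -rf /var/lib/apt/lists/*

# TODO(review): both clones track the unpinned default branch, so the image
# content depends on when it is built; pin each to a release tag with
# `git clone --depth 1 --branch <tag> …` for a reproducible build.
WORKDIR /root
RUN git clone https://github.com/snort3/libdaq.git \
    && cd libdaq && ./bootstrap && ./configure && make -j 4 && make install \
    && ldconfig
RUN git clone https://github.com/snort3/snort3.git \
    && cd snort3 && ./configure_cmake.sh --prefix=/usr/local/snort3 \
    && cd build && make -j 4 && make install

# ~/.bashrc is only read by interactive shells, so appending to it does not
# affect the compose `command`; ENV applies to every process in the container.
ENV PATH="/usr/local/snort3/bin:${PATH}"

# Append (never overwrite) the alert_fast output block to the stock snort.lua.
RUN <<EOF cat >> /usr/local/snort3/etc/snort/snort.lua
alert_fast =
{
    file = true,
    limit = 200
}
EOF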
docker-compose.yml
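services:
  snort:
    build: .
    # The capture interface is host-specific; set SNORT_IFACE=<nic> in the
    # environment or a .env file instead of editing this line. -k none skips
    # checksum verification (packets with bad checksums are still inspected);
    # -A alert_fast overrides the output block configured in snort.lua.
    command: /usr/local/snort3/bin/snort -c /usr/local/snort3/etc/snort/snort.lua -R /data/rules/snort3-community.rules -i ${SNORT_IFACE:-ens192} -s 65535 -k none -A alert_fast -l /data/logs
    # Host networking is required so the container can see the host's NICs.
    # The process runs as root with Docker's default capability set (which
    # includes NET_RAW for packet capture); nothing beyond that is granted.
    network_mode: host
    volumes:
      # ./data/rules must contain snort3-community.rules; ./data/logs receives
      # the alert output and must be writable by the container.
      - ./data:/data
      - /etc/localtime:/etc/localtime:ro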