Installing Snort 1

04/01/25

1. First, download the latest Snort from here. In what follows it is assumed to have been downloaded under "/root/Down".

2. The latest version was "Ver2.1.0", but it would not "make" properly. (^^ゞ
So I downloaded the version before it,
"snort-2.0.6.tar.gz".
And I have made a note of it here.

/etc/snort/snort.conf

# local address of the server to monitor
var HOME_NET 192.168.1.2/32
# everything else
var EXTERNAL_NET !$HOME_NET
# local addresses of the individual servers (all on the same host here)
var DNS_SERVERS 192.168.1.2/32
var SMTP_SERVERS 192.168.1.2/32
var HTTP_SERVERS 192.168.1.2/32
var SQL_SERVERS 192.168.1.2/32
var TELNET_SERVERS 192.168.1.2/32
#
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
# path to the rule (signature) files. Use an absolute path: a relative one
# such as ./rules is resolved from wherever snort happens to be started
# (for the init script that is not /etc/snort), and snort then exits on
# the first include it cannot open.
var RULE_PATH /etc/snort/rules

preprocessor frag2

preprocessor stream4: detect_scans, disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log

# absolute paths, so these do not depend on the directory snort is started from
include /etc/snort/classification.config
include /etc/snort/reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
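As an added example (not one of the page's own files), here is a small pre-flight check for the configuration above. Snort exits on the first `include` it cannot open, and a relative path such as `./rules` depends on where snort was started from rather than on where snort.conf lives, so the check expands the `var` definitions used in `include` lines and verifies every target against a start directory you name. The function names and the snort.conf used in the test are constructed for this example.

```shell
#!/bin/sh
# Pre-flight check for a Snort 2.x snort.conf: expand the $VAR references
# in "include" lines and verify that every included file is readable.
# Example code added to this page; not part of Snort or of the page's scripts.

# Print each include target with $NAME references expanded. Relative
# targets are resolved against $2, the directory snort is started from
# (the init script normally starts it from /, not from /etc/snort).
expand_includes() {
    conf=$1; base=$2
    awk -v base="$base" '
    BEGIN { sub(/\/$/, "", base) }
    /^[ \t]*var[ \t]+/ { vars[$2] = $3; next }
    /^[ \t]*include[ \t]+/ {
        path = $2
        # expand $NAME references left to right; unknown names expand to ""
        while (match(path, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
            name = substr(path, RSTART + 1, RLENGTH - 1)
            path = substr(path, 1, RSTART - 1) ((name in vars) ? vars[name] : "") substr(path, RSTART + RLENGTH)
        }
        if (path !~ /^\//) path = base "/" path
        print path
    }' "$conf"
}

# Exit 0 when every include resolves to a readable file, 1 otherwise;
# each missing file is listed on stdout.
check_includes() {
    rc=0
    for f in $(expand_includes "$1" "$2"); do
        [ -r "$f" ] || { echo "missing: $f"; rc=1; }
    done
    return $rc
}

# usage: sh check_snort_conf.sh /etc/snort/snort.conf /
if [ "$#" -ge 2 ]; then
    check_includes "$1" "$2"
fi
```

Run it with `/` as the second argument to see exactly what the init script will see; with the absolute `RULE_PATH` above the result is the same from any directory, with `./rules` it only passes when started from `/etc/snort`.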

/etc/logrotate.d/snort

/var/log/snort/alert {
    missingok
    create 0600 snort snort
    weekly
    rotate 12
    postrotate
        # snort keeps the alert file open, so restart it through the init
        # script once per rotation. Sending HUP and then also starting
        # snort by hand would leave two copies running, and the service
        # is installed as "snortd", not "snort".
        /sbin/service snortd restart > /dev/null 2>&1 || true
    endscript
}

/etc/rc.d/init.d/snortd (when making a backup copy, save it as snort.ini)

#! /bin/sh
#
# snortd        Start/stop the Snort network intrusion detection system
#
# chkconfig: 2345 85 15
# description: Snort network intrusion detection system
#
# The "chkconfig:" and "description:" lines are what "chkconfig --add"
# reads; without them chkconfig reports that the script does not support it.

# Source function library.
. /etc/rc.d/init.d/functions

# Get config.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
    exit 0
fi

# See how we were called.
case "$1" in
start)
    echo -n "Starting Snort services: "
    # -D daemonise, -A full alert format, -i eth0 (the pidfile is named after
    # the interface: /var/run/snort_eth0.pid), -l log directory, -u/-g drop
    # root to snort:snort once the capture interface is open
    daemon /usr/local/bin/snort -D -A full -i eth0 -l /var/log/snort -c /etc/snort/snort.conf -u snort -g snort
    echo
    touch /var/lock/subsys/snort
    ;;
stop)
    echo -n "Stopping Snort services: "
    killproc /usr/local/bin/snort
    echo
    rm -f /var/lock/subsys/snort
    ;;
status)
    status snort
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
*)
    echo "Usage: snortd {start|stop|status|restart}"
    exit 1
esac

exit 0

/root/Down/snort.sh

#! /bin/sh
# Build and install Snort from the tarball under /root/Down, create the
# unprivileged user it runs as, and install the config, rules, logrotate
# fragment and init script kept in the same directory.
set -e
snort=snort-2.0.6        # the tarball that actually builds here (2.1.0 did not)
down=/root/Down
cd $down
tar -zxvf ${snort}.tar.gz
cd ${snort}
./configure
make
make install
# Create the "snort" user and group (no home directory, no login shell)
groupadd snort
useradd -g snort -d /dev/null -c "Snort User" -s /bin/false snort
# Create the configuration directory
mkdir -p /etc/snort
cp $down/snort.conf /etc/snort/snort.conf
# snort.conf includes both of these; the tarball ships them under etc/
cp $down/${snort}/etc/classification.config /etc/snort/classification.config
cp $down/${snort}/etc/reference.config /etc/snort/reference.config
cp -R $down/${snort}/rules /etc/snort/rules
# Create the log directory, writable only by the snort user
mkdir -p /var/log/snort
chown -R snort:snort /var/log/snort
chmod 700 /var/log/snort
# logrotate fragment and init script (the init script is installed as "snortd")
cp $down/snort /etc/logrotate.d/snort
cp $down/snortd /etc/rc.d/init.d/snortd
chmod 755 /etc/rc.d/init.d/snortd
# Symbolic links so that snort starts in runlevels 3 and 5
ln -sf /etc/rc.d/init.d/snortd /etc/rc.d/rc3.d/S85snort
ln -sf /etc/rc.d/init.d/snortd /etc/rc.d/rc5.d/S85snort
# Start it
service snortd start

Next, create symbolic links in "/etc/rc.d/rc5.d" and "/etc/rc.d/rc3.d" so that snort starts in runlevels 5 and 3 (5 is when Linux boots into the GUI, 3 is console only). snort.sh above already creates them, so this is only needed if you did the install by hand. Open a terminal and run:

# ln -s /etc/rc.d/init.d/snortd /etc/rc.d/rc3.d/S85snort
# ln -s /etc/rc.d/init.d/snortd /etc/rc.d/rc5.d/S85snort

Add it to chkconfig? (Maybe this is unnecessary? "chkconfig --list snort" told me "snort does not support chkconfig"...). In the same terminal:

# /sbin/chkconfig --add snortd

After rebooting, if

Starting Snortd :  [ OK ]

appears before the login screen, it worked.

To restart it later:

service snortd restart
Stopping Snortd services:      [ OK ]
Starting Snortd services:       [ OK ]
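Once snort is running, "-A full" writes multi-line records to /var/log/snort/alert. As an added example (not code from the page), here is an sh/awk summariser that turns such a file into per-signature and per-source counts and pulls out the priority 1 events, which is the first thing worth looking at after the sensor has run for a day. The alert records embedded in it are constructed in the "-A full" layout for the example, not captured from a real sensor.

```shell
#!/bin/sh
# Summarise a Snort 2.x "-A full" alert file. Example code added to this
# page; the sample records below are constructed, not from a live sensor.

# Write a constructed sample alert file in the "-A full" layout to $1.
write_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-12:34:56.123456 10.0.0.5 -> 192.168.1.2
ICMP TTL:44 TOS:0x0 ID:12345 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/01-12:35:01.000001 10.0.0.5:3456 -> 192.168.1.2:80
TCP TTL:44 TOS:0x0 ID:1 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x1  Ack: 0x2  Win: 0x100  TcpLen: 20

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-12:36:10.000002 10.0.0.9 -> 192.168.1.2
ICMP TTL:44 TOS:0x0 ID:12346 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO
EOF
}

# Emit one tab-separated record per alert: gid:sid:rev, priority,
# source address (port stripped), message.
parse_alerts() {
    awk '
    /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
        sid = $2; gsub(/\[|\]/, "", sid)                 # "[1:469:1]" -> "1:469:1"
        msg = $0
        sub(/^\[\*\*\] \[[^]]*\] /, "", msg)            # drop the leading "[**] [id] "
        sub(/ \[\*\*\]$/, "", msg)                      # drop the trailing " [**]"
        prio = ""
        next
    }
    /\[Priority: [0-9]+\]/ {
        match($0, /Priority: [0-9]+/)
        prio = substr($0, RSTART + 10, RLENGTH - 10)
        next
    }
    / -> / && sid != "" {                               # timestamp line: "time src -> dst"
        src = $2; sub(/:[0-9]+$/, "", src)
        printf "%s\t%s\t%s\t%s\n", sid, prio, src, msg
        sid = ""
    }' "$1"
}

# Alert count per signature, most frequent first: count, id, message
top_signatures() {
    parse_alerts "$1" | awk -F'\t' '{ n[$1 "\t" $4]++ } END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Alert count per source address, most frequent first
top_sources() {
    parse_alerts "$1" | awk -F'\t' '{ n[$3]++ } END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Only the priority 1 events
priority_one() {
    parse_alerts "$1" | awk -F'\t' '$2 == 1'
}

# usage: sh alert_summary.sh /var/log/snort/alert
if [ "$#" -ge 1 ]; then
    echo "== by signature"; top_signatures "$1"
    echo "== by source";    top_sources "$1"
    echo "== priority 1";   priority_one "$1"
fi
```

The parser keys on the three lines every "-A full" record starts with (the "[**] [gid:sid:rev] msg [**]" header, the classification/priority line, and the "timestamp src -> dst" line) and ignores the protocol-specific lines that follow, so it works the same for ICMP, TCP and UDP alerts.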

