Contents
SNORT3
Snortは、IPネットワーク上でリアルタイムのトラフィック分析とパケットロギングを実行できるオープンソースのネットワーク侵入検知システムです。
「プロトコル分析」「コンテンツ検索」「マッチング」を実行でき、「バッファオーバーフロー」「ステルスポートスキャン」「CGI攻撃」「SMBプローブ」「OSフィンガープリント試行」「セマンティックURL攻撃」「サーバメッセージブロック探査」など、さまざまな攻撃検出に使用できます。
1.事前準備
1.1 必須パッケージのインストール
1.openssl-develのインストール
|
1 |
# dnf install openssl-devel |
2.cmakeのインストール
|
1 |
# dnf -y install cmake |
1.2 必要なパッケージのインストール
|
1 2 3 |
# dnf -y install libpcap-devel pcre-devel libdnet-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel # dnf -y install libnfnetlink-devel libnetfilter_queue g++ |
1.3 LibDAQのインストール
|
1 2 3 4 5 6 7 8 9 10 11 |
# cd # dnf install git # git clone https://github.com/snort3/libdaq.git Cloning into 'libdaq'... remote: Enumerating objects: 2617, done. remote: Counting objects: 100% (239/239), done. remote: Compressing objects: 100% (78/78), done. remote: Total 2617 (delta 199), reused 169 (delta 161), pack-reused 2378 (from 2) Receiving objects: 100% (2617/2617), 1.18 MiB | 12.75 MiB/s, done. Resolving deltas: 100% (1891/1891), done. |
|
1 2 3 |
# cd libdaq/ # dnf install autoconf # ./bootstrap |
|
1 2 |
# ./configure # make && make install |
|
1 2 3 4 5 6 7 8 |
# ln -s /usr/local/lib/libdaq.so.3 /lib/ 共有ライブラリの追加 # ldconfig ライブラリの確認 # ldconfig -p|grep daq libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3 |
1.4 オプションパッケージのインストール
1.LZMAとUUIDのインストール
|
1 |
# dnf -y install xz-devel libuuid-devel |
2.Hyperscanのインストール
|
1 |
# dnf -y install hyperscan hyperscan-devel |
3.Tcmallocのインストール
|
1 |
# dnf -y install gperftools-devel |
2. Snort3のインストール
|
1 2 3 4 5 6 |
# git clone https://github.com/snort3/snort3.git # cd snort3/ # export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH # export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH # export CFLAGS="-O3" # export CXXFLAGS="-O3 -fno-rtti" |
configureの実行
不足パッケージインストール
|
1 |
# dnf -y install pcre2-devel |
|
1 2 3 4 5 6 7 |
# dnf install flex # ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc ------------------------------------------------------- -- Configuring done -- Generating done -- Build files have been written to: /root/snort3/build |
ビルド、コンパイル、インストール
|
1 2 3 4 5 6 |
# cd build/ # pwd /root/snort3/build # make -j$(nproc) # make -j$(nproc) install |
バージョン確認
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# /usr/local/snort/bin/snort -V ,,_ -*> Snort++ <*- o" )~ Version 3.10.0.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.23 Using Hyperscan version 5.4.1 2023-04-14 Using libpcap version 1.10.0 (with TPACKET_V3) Using LuaJIT version 2.1.0-beta3 Using LZMA version 5.2.5 Using OpenSSL 3.5.1 1 Jul 2025 Using PCRE2 version 10.40 2022-04-14 Using ZLIB version 1.2.11 |
テスト実行
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -------------------------------------------------- search engine (ac_bnfa) instances: 2 patterns: 438 pattern chars: 2602 num states: 1832 num match states: 392 memory scale: KB total memory: 71.2812 pattern memory: 19.6484 match list memory: 28.4375 transition memory: 22.9453 appid: MaxRss diff: 3840 appid: patterns loaded: 300 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
ネットワークインターフェースの設定
ネットワーク インタフェースを確認
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff altname enp3s0 inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160 valid_lft forever preferred_lft forever inet6 fexx::xxx:xxxx:xxxx:xxxx/64 scope link noprefixroute valid_lft forever preferred_lft forever |
ネットワーク・インターフェース名はens160である
ネットワークインターフェイスをプロミスキャスモードに設定する。こうすることで、ネットワークデバイスはすべてのネットワークパケットをキャプチャし、検査できるようになる。
|
1 |
# ip link set dev ens160 promisc on |
設定を確認
|
1 2 3 |
# ip a | grep ens160 | grep mtu 2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 |
ネットワーク・インタフェースのオフロード・ステータスを確認。インタフェースのネッ トワーク・トラフィックを監視する必要がある場合は、オフロードを無効にする必要がある
|
1 2 3 |
# ethtool -k ens160 | grep receive-offload generic-receive-offload: on large-receive-offload: off |
onになっているので下記コマンドでGRO,LROを無効にする
|
1 |
# ethtool -K ens160 gro off lro off |
再度状況を確認する
|
1 2 3 |
# ethtool -k ens160 | grep receive-offload generic-receive-offload: off large-receive-offload: off |
Snortネットワークインターフェース用のsystemdサービスを作成する
|
1 |
# vi /etc/systemd/system/snort3-nic.service |
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target [Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens160 promisc on
ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes [Install]
WantedBy=default.target
systemd デーモンが変更を適用する
|
1 2 3 4 |
# systemctl daemon-reload # systemctl enable snort3-nic.service Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service. # systemctl start snort3-nic.service |
Snort NICサービスのステータスを確認
|
1 2 3 4 5 6 7 8 9 10 11 |
# systemctl status snort3-nic.service ● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled) Active: active (exited) since Fri 2026-01-02 16:37:58 JST; 17s ago Process: 122074 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS) Process: 122075 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS) Main PID: 122075 (code=exited, status=0/SUCCESS) CPU: 4ms Jan 02 16:37:58 Lepard systemd[1]: Starting Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot... Jan 02 16:37:58 Lepard systemd[1]: Finished Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot. |
Snortコミュニティ・ルールセットを追加
1.Snortルール用のフォルダを作成し、SnortのWebサイトからコミュニティルールセットをダウンロードし、所定のルールディレクトリーに配置
|
1 2 |
# mkdir /usr/local/snort/etc/snort/rules # wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/snort/etc/snort/rules/ |
2.Snortメイン設定ファイルを編集
|
1 |
# vi /usr/local/snort/etc/snort/snort.lua |
●24行目変更
HOME_NET = '192.168.11.0/24'
●28行目変更
EXTERNAL_NET = '!$HOME_NET'
●185行目当たりのips項目の最後に追加
ips =
{
-- use this to enable decoder and inspector alerts
-- enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables,
rules = [[
include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
]]
}
3.Snortのメインコンフィグレーションの変更をテスト
|
1 2 3 4 5 6 7 8 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua 正常であれば最後に次が表示される -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
カスタムルールの追加
1.Snort rulesディレクトリにファイルを作成する
|
1 2 |
# vi /usr/local/snort/etc/snort/rules/local.rules alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;) |
2.Snortメイン設定ファイルを編集
カスタム ルール ファイル ディレクトリをメイン構成に含めるためSnortメイン設定ファイルを編集
|
1 |
# vi /usr/local/snort/etc/snort/snort.lua |
●196行目当たりに追加
ips =
{
-- use this to enable decoder and inspector alerts
--enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables,
rules = [[
include /usr/local/snort/etc/snort/rules/local.rules
include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
]]
}
3.Snortのメインコンフィグレーションの変更をテスト
|
1 2 3 4 5 6 7 8 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua 正常であれば最後に次が表示される -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
OpenAppIDエクステンションをインストール
OpenAppIDエクステンションをインストールすると、Snortはアプリケーションレイヤーレベルでネットワーク脅威を検出できるようになります
1.OpenAppIDエクステンションダウンロードと展開
|
1 2 |
# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz # tar -xzvf OpenAppId-33380.tgz |
2.解凍したフォルダ(odp)を以下のディレクトリにコピー
|
1 |
# cp -R odp /usr/local/lib/ |
3.Snortメイン設定ファイルを編集し、OpenAppIDフォルダの場所を定義
|
1 |
# vi /usr/local/snort/etc/snort/snort.lua |
●99行目当たりのappidセクションに追加
appid =
{
-- appid requires this to use appids in rules
--app_detector_dir = 'directory to load appid detectors from'
app_detector_dir = '/usr/local/lib',
log_stats = true,
}
appid_listener =
{
json_logging = true,
file = "/var/log/snort/appid-output.log",
}
--[[
reputation =
4.Snortのメインコンフィグレーションの変更をテスト
|
1 2 3 4 5 6 7 8 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua 正常であれば最後に次が表示される -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
すべてのコンフィギュレーションが正しくセットアップされていることを確認する
|
1 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/snort/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none |
リモートコンピュータからサーバのIPアドレスにpingコマンドを送信します。これにより、ホストサーバーのコンソールウィンドウにアラートログが表示されます
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
-------------------------------------------------- pcap DAQ configured to passive. Commencing packet processing Retry queue interval is: 200 ms ++ [0] ens160 01/02-16:45:48.748007 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83 01/02-16:45:48.748008 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83 01/02-16:45:48.748338 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6 01/02-16:45:48.748441 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6 01/02-16:45:49.751982 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83 01/02-16:45:49.751983 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83 01/02-16:45:49.752176 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6 01/02-16:45:49.752280 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6 01/02-16:45:50.765009 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83 01/02-16:45:50.765009 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83 01/02-16:45:50.765209 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6 01/02-16:45:50.765346 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6 01/02-16:45:51.780865 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83 01/02-16:45:51.780866 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83 01/02-16:45:51.781077 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6 01/02-16:45:51.781185 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6 |
Snort systemdサービスの設定
1.Snortサービス用のユーザの作成
|
1 |
# useradd -r -s /usr/sbin/nologin -M snort |
2.ログフォルダの作成とパーミッションの設定
Snortログ用のディレクトリフォルダを作成し、フォルダパーミッションを設定
|
1 2 3 |
# mkdir /var/log/snort # chmod -R 5775 /var/log/snort # chown -R snort:snort /var/log/snort |
3.Systemdサービスファイルの作成
|
1 |
# vi /etc/systemd/system/snort3.service |
Description=Snort3 IDS Daemon Service
After=syslog.target network.target [Service]
Type=simple
ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort
ExecStop=/bin/kill -9 $MAINPID [Install]
WantedBy=multi-user.target
Snortサービスをリロードして有効にする
|
1 2 3 |
# systemctl daemon-reload # systemctl enable --now snort3 Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service. |
Snortサービスを開始
|
1 |
# systemctl restart snort3 |
ステータスを確認
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
# systemctl status snort3 ● snort3.service - Snort3 IDS Daemon Service Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled) Active: active (running) since Fri 2026-01-02 16:48:12 JST; 11s ago Main PID: 122203 (snort3) Tasks: 2 (limit: 22903) Memory: 214.2M (peak: 214.6M) CPU: 631ms CGroup: /system.slice/snort3.service └─122203 /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort Jan 02 16:48:12 Lepard snort[122203]: any: 8 Jan 02 16:48:12 Lepard snort[122203]: to_server: 69 Jan 02 16:48:12 Lepard snort[122203]: to_client: 48 Jan 02 16:48:12 Lepard snort[122203]: -------------------------------------------------- Jan 02 16:48:12 Lepard snort[122203]: search engine (ac_bnfa) Jan 02 16:48:12 Lepard snort[122203]: instances: 334 Jan 02 16:48:12 Lepard snort[122203]: patterns: 10779 Jan 02 16:48:12 Lepard snort[122203]: pattern chars: 175198 Jan 02 16:48:12 Lepard snort[122203]: num states: 123200 Jan 02 16:48:12 Lepard snort[122203]: num match states: 10502 |
Snort IDS ロギング
1.Snort JSONロギングの設定
|
1 |
# vi /usr/local/snort/etc/snort/snort.lua |
●259行目当たりの-- 7. configure outputsセクションの最後にalert_jsonを追加
-------------------------------------------------------------------------------------
-- 7. configure outputs
-------------------------------------------------------------------------------------
-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }
-- additional logs
--packet_capture = { }
--file_log = { }
alert_json =
{
file = true,
limit = 50,
fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}
2.Snortを再起動
|
1 |
# systemctl restart snort3 |
3.ログファイルを確認
リモートコンピュータからサーバにpingコマンドを実行する。Snort alert_json.txtファイルに保存されます。
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail -f /var/log/snort/alert_json.txt { "timestamp" : "01/02-16:50:45.981914", "msg" : "Incoming ICMP", "pkt_num" : 728, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "01/02-16:50:45.981989", "msg" : "Incoming ICMP", "pkt_num" : 729, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "01/02-16:50:46.996245", "msg" : "Incoming ICMP", "pkt_num" : 731, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "01/02-16:50:46.996245", "msg" : "Incoming ICMP", "pkt_num" : 732, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "01/02-16:50:46.996476", "msg" : "Incoming ICMP", "pkt_num" : 733, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "01/02-16:50:46.996587", "msg" : "Incoming ICMP", "pkt_num" : 734, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "01/02-16:50:48.010198", "msg" : "Incoming ICMP", "pkt_num" : 765, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "01/02-16:50:48.010198", "msg" : "Incoming ICMP", "pkt_num" : 766, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "01/02-16:50:48.010458", "msg" : "Incoming ICMP", "pkt_num" : 767, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "01/02-16:50:48.010575", "msg" : "Incoming ICMP", "pkt_num" : 768, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } |
以上でSnort 3のインストールと設定が完了
