Contents
SNORT3
Snortは、IPネットワーク上でリアルタイムのトラフィック分析とパケットロギングを実行できるオープンソースのネットワーク侵入検知システムです。
「プロトコル分析」「コンテンツ検索」「マッチング」を実行でき、「バッファオーバーフロー」「ステルスポートスキャン」「CGI攻撃」「SMBプローブ」「OSフィンガープリント試行」「セマンティックURL攻撃」「サーバメッセージブロック探査」など、さまざまな攻撃検出に使用できます。
1.事前準備
1.1 必須パッケージのインストール
1.openssl-develのインストール
|
1 |
# dnf install openssl-devel |
2.cmakeのインストール
|
1 2 3 4 5 6 7 8 9 |
# dnf -y install cmake Installed: cmake-3.30.5-3.el10_0.x86_64 cmake-data-3.30.5-3.el10_0.noarch cmake-rpm-macros-3.30.5-3.el10_0.noarch バージョン確認 # cmake --version cmake version 3.30.5 CMake suite maintained and supported by Kitware (kitware.com/cmake). |
1.2 必要なパッケージのインストール
|
1 2 3 |
# dnf install libpcap-devel pcre2-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel # dnf install libnfnetlink-devel libnetfilter_queue g++ |
|
1 2 3 4 5 6 7 |
# wget https://dl.fedoraproject.org/pub/epel/10/Everything/x86_64/Packages/l/libdnet-1.18.0-1.el10_1.x86_64.rpm # rpm -Uvh libdnet-1.18.0-1.el10_1.x86_64.rpm # dnf install libdnet # wget https://dl.fedoraproject.org/pub/epel/10/Everything/x86_64/Packages/l/libdnet-devel-1.18.0-1.el10_1.x86_64.rpm # rpm -Uvh libdnet-devel-1.18.0-1.el10_1.x86_64.rpm # dnf install libdnet-devel |
1.3 LibDAQのインストール
|
1 2 3 4 5 6 7 8 9 10 11 |
# cd # dnf install git # git clone https://github.com/snort3/libdaq.git Cloning into 'libdaq'... remote: Enumerating objects: 2617, done. remote: Counting objects: 100% (239/239), done. remote: Compressing objects: 100% (78/78), done. remote: Total 2617 (delta 199), reused 169 (delta 161), pack-reused 2378 (from 2) Receiving objects: 100% (2617/2617), 1.18 MiB | 13.45 MiB/s, done. Resolving deltas: 100% (1891/1891), done. |
|
1 2 3 |
# cd libdaq/ # dnf install autoconf # ./bootstrap |
|
1 2 |
# ./configure # make && make install |
|
1 2 3 4 5 6 7 8 |
# ln -s /usr/local/lib/libdaq.so.3 /lib/ 共有ライブラリの追加 # ldconfig ライブラリの確認 # ldconfig -p|grep daq libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3 |
1.4 オプションパッケージのインストール
1.LZMAとUUIDのインストール
|
1 |
# dnf -y install xz-devel libuuid-devel |
2.Tcmallocのインストール
|
1 |
# dnf -y install gperftools-devel |
2. Snort3のインストール
|
1 2 3 4 5 6 |
# git clone https://github.com/snort3/snort3.git # cd snort3/ # export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH # export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH # export CFLAGS="-O3" # export CXXFLAGS="-O3 -fno-rtti" |
configureの実行
|
1 2 3 4 5 6 7 8 |
# dnf install flex # ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc ------------------------------------------------------- -- Configuring done -- Generating done -- Build files have been written to: /root/snort3/build |
ビルド、コンパイル、インストール
|
1 2 3 4 5 6 |
# cd build/ # pwd /root/snort3/build # make -j$(nproc) # make -j$(nproc) install |
バージョン確認
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# /usr/local/snort/bin/snort -V ,,_ -*> Snort++ <*- o" )~ Version 3.10.0.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.23 Using libpcap version 1.10.4 (with TPACKET_V3) Using LuaJIT version 2.1.1720049189 Using LZMA version 5.6.2 Using OpenSSL 3.5.1 1 Jul 2025 Using PCRE2 version 10.44 2024-06-07 Using ZLIB version 1.3.1.zlib-ng |
テスト実行
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -------------------------------------------------- -------------------------------------------------- search engine (ac_bnfa) instances: 2 patterns: 438 pattern chars: 2602 num states: 1832 num match states: 392 memory scale: KB total memory: 71.2812 pattern memory: 19.6484 match list memory: 28.4375 transition memory: 22.9453 appid: MaxRss diff: 3456 appid: patterns loaded: 300 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
ネットワークインターフェースの設定
ネットワーク インタフェースを確認
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever 2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:0c:29:c4:c9:d1 brd ff:ff:ff:ff:ff:ff altname enp3s0 altname enx000c29c4c9d1 inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fec4:c9d1/64 scope link noprefixroute valid_lft forever preferred_lft forever |
ネットワーク・インターフェース名はens160である
ネットワークインターフェイスをプロミスキャスモードに設定する。こうすることで、ネットワークデバイスはすべてのネットワークパケットをキャプチャし、検査できるようになる。
|
1 |
# ip link set dev ens160 promisc on |
設定を確認
|
1 2 3 |
# ip a | grep ens160 | grep mtu 2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 |
ネットワーク・インタフェースのオフロード・ステータスを確認。インタフェースのネッ トワーク・トラフィックを監視する必要がある場合は、オフロードを無効にする必要がある
現在の状況を確認する
|
1 2 3 |
# ethtool -k ens160 | grep receive-offload generic-receive-offload: on large-receive-offload: on |
onになっていれので下記コマンドでGRO,LROを無効にする
|
1 |
# ethtool -K ens160 gro off lro off |
再度状況を確認する
|
1 2 3 |
# ethtool -k ens160 | grep receive-offload generic-receive-offload: off large-receive-offload: off |
LROとGROのオフロードステータスはオフ状態になっている
Snortネットワークインターフェース用のsystemdサービスを作成する
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# touch /etc/systemd/system/snort3-nic.service # vi /etc/systemd/system/snort3-nic.service 下記内容を記載 [Unit] Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot After=network.target [Service] Type=oneshot ExecStart=/usr/sbin/ip link set dev ens160 promisc on ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off TimeoutStartSec=0 RemainAfterExit=yes [Install] WantedBy=default.target |
変更を適用する
|
1 2 3 4 |
# systemctl daemon-reload # systemctl enable snort3-nic.service Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service. # systemctl start snort3-nic.service |
Snort NICサービスのステータスを確認
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# systemctl status snort3-nic.service ● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled) Active: active (exited) since Thu 2025-11-27 11:15:23 JST; 30s ago Invocation: 045828b7f2644138b1f0701707b89066 Process: 25661 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS) Process: 25662 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS) Main PID: 25662 (code=exited, status=0/SUCCESS) Mem peak: 1.2M CPU: 10ms Nov 27 11:15:23 Lepard systemd[1]: Starting snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot... Nov 27 11:15:23 Lepard systemd[1]: Finished snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot. |
Snortコミュニティ・ルールセットを追加
1.Snortルール用のフォルダを作成し、SnortのWebサイトからコミュニティルールセットをダウンロードし、所定のルールディレクトリーに配置
|
1 2 |
# mkdir /usr/local/snort/etc/snort/rules # wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/snort/etc/snort/rules/ |
2.Snortメイン設定ファイルを編集
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
# vi /usr/local/snort/etc/snort/snort.lua 24行目変更 HOME_NET = '192.168.11.0/24' 28行目変更 EXTERNAL_NET = '!$HOME_NET' 185行目当たりのips項目の最後に追加 ips = { -- use this to enable decoder and inspector alerts -- enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules ]] } |
3.Snortのメインコンフィグレーションの変更をテスト
|
1 2 3 4 5 6 7 8 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua 正常であれば最後に次が表示される -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
カスタムルールの追加
1.Snort rulesディレクトリにファイルを作成する
|
1 2 3 |
# touch /usr/local/snort/etc/snort/rules/local.rules # vi /usr/local/snort/etc/snort/rules/local.rules alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;) |
2.Snortメイン設定ファイルを編集
カスタム ルール ファイル ディレクトリをメイン構成に含めるためSnortメイン設定ファイルを編集
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# vi /usr/local/snort/etc/snort/snort.lua 195行目当たりに追加 ips = { -- use this to enable decoder and inspector alerts --enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/snort/etc/snort/rules/local.rules include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules ]] } |
3.Snortのメインコンフィグレーションの変更をテスト
|
1 2 3 4 5 6 7 8 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua 正常であれば最後に次が表示される -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
OpenAppIDエクステンションをインストール
OpenAppIDエクステンションをインストールすると、Snortはアプリケーションレイヤーレベルでネットワーク脅威を検出できるようになります
1.OpenAppIDエクステンションダウンロードと展開
|
1 2 |
# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz # tar -xzvf OpenAppId-33380.tgz |
2.解凍したフォルダ(odp)を以下のディレクトリにコピー
|
1 |
# cp -R odp /usr/local/lib/ |
3.Snortメイン設定ファイルを編集し、OpenAppIDフォルダの場所を定義
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# vi /usr/local/snort/etc/snort/snort.lua 98行目あたりのappidセクションに追加 appid = { -- appid requires this to use appids in rules --app_detector_dir = 'directory to load appid detectors from' app_detector_dir = '/usr/local/lib', log_stats = true, } appid_listener = { json_logging = true, file = "/var/log/snort/appid-output.log", } --[[ reputation = |
4.Snortのメインコンフィグレーションの変更をテスト
|
1 2 3 4 5 6 7 8 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua 正常であれば最後に次が表示される -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
すべてのコンフィギュレーションが正しくセットアップされていることを確認する
|
1 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/snort/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none |
リモートコンピュータからサーバのIPアドレスにpingコマンドを送信します。これにより、ホストサーバーのコンソールウィンドウにアラートログが表示されます
pcap DAQ configured to passive.
Commencing packet processing
Retry queue interval is: 200 ms
++ [0] ens160
11/27-11:28:32.268439 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
11/27-11:28:32.268440 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
11/27-11:28:32.269116 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
11/27-11:28:33.275533 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
11/27-11:28:33.275533 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
11/27-11:28:33.275803 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
11/27-11:28:33.275906 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
11/27-11:28:34.282882 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
11/27-11:28:34.282882 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
11/27-11:28:34.283076 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
11/27-11:28:34.283190 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
11/27-11:28:35.297901 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
11/27-11:28:35.297902 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
11/27-11:28:35.298126 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
11/27-11:28:35.298212 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
Snort systemdサービスの設定
1.Snortサービス用のユーザの作成
|
1 |
# useradd -r -s /usr/sbin/nologin -M snort |
2.ログフォルダの作成とパーミッションの設定
Snortログ用のディレクトリフォルダを作成し、フォルダパーミッションを設定
|
1 2 3 |
# mkdir /var/log/snort # chmod -R 5775 /var/log/snort # chown -R snort:snort /var/log/snort |
3.Systemdサービスファイルの作成
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# touch /etc/systemd/system/snort3.service # vi /etc/systemd/system/snort3.service [Unit] Description=Snort3 IDS Daemon Service After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort ExecStop=/bin/kill -9 $MAINPID [Install] WantedBy=multi-user.target |
Snortサービスをリロードして有効にする
|
1 2 3 |
# systemctl daemon-reload # systemctl enable --now snort3 Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service. |
Snortサービスを開始
|
1 |
# systemctl restart snort3 |
ステータスを確認
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
# systemctl status snort3 ● snort3.service - Snort3 IDS Daemon Service Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled) Active: active (running) since Thu 2025-11-27 11:33:01 JST; 23s ago Invocation: ad6a7334a3e84c57bc79b6af6c0b74c3 Main PID: 27008 (snort3) Tasks: 2 (limit: 16792) Memory: 212.8M (peak: 213.3M) CPU: 680ms CGroup: /system.slice/snort3.service └─27008 /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort Nov 27 11:33:01 Lepard snort[27008]: any: 8 Nov 27 11:33:01 Lepard snort[27008]: to_server: 69 Nov 27 11:33:01 Lepard snort[27008]: to_client: 48 Nov 27 11:33:01 Lepard snort[27008]: -------------------------------------------------- Nov 27 11:33:01 Lepard snort[27008]: search engine (ac_bnfa) Nov 27 11:33:01 Lepard snort[27008]: instances: 334 Nov 27 11:33:01 Lepard snort[27008]: patterns: 10779 Nov 27 11:33:01 Lepard snort[27008]: pattern chars: 175198 Nov 27 11:33:01 Lepard snort[27008]: num states: 123200 Nov 27 11:33:01 Lepard snort[27008]: num match states: 10502 |
Snort IDS ロギング
1.Snort JSONロギングの設定
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
# vi /usr/local/snort/etc/snort/snort.lua 260行目当たりの-- 7. configure outputsセクションの最後にalert_jsonを追加 --------------------------------------------------------------------------- -- 7. configure outputs --------------------------------------------------------------------------- -- event logging -- you can enable with defaults from the command line with -A <alert_type> -- uncomment below to set non-default configs --alert_csv = { } --alert_fast = { } --alert_full = { } --alert_sfsocket = { } --alert_syslog = { } --unified2 = { } -- packet logging -- you can enable with defaults from the command line with -L <log_type> --log_codecs = { } --log_hext = { } --log_pcap = { } -- additional logs --packet_capture = { } --file_log = { } alert_json = { file = true, limit = 50, fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data' } |
2.Snortを再起動
|
1 |
# systemctl restart snort3 |
3.ログファイルを確認
リモートコンピュータからサーバにpingコマンドを実行する。Snort alert_json.txtファイルに保存されます。
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail -f /var/log/snort/alert_json.txt { "timestamp" : "11/27-11:36:20.259435", "msg" : "Incoming ICMP", "pkt_num" : 948, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "11/27-11:36:20.259548", "msg" : "Incoming ICMP", "pkt_num" : 949, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "11/27-11:36:21.269273", "msg" : "Incoming ICMP", "pkt_num" : 974, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "11/27-11:36:21.269273", "msg" : "Incoming ICMP", "pkt_num" : 975, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "11/27-11:36:21.270219", "msg" : "Incoming ICMP", "pkt_num" : 976, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "11/27-11:36:21.270346", "msg" : "Incoming ICMP", "pkt_num" : 977, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "11/27-11:36:22.283649", "msg" : "Incoming ICMP", "pkt_num" : 982, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "11/27-11:36:22.283649", "msg" : "Incoming ICMP", "pkt_num" : 983, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "11/27-11:36:22.283973", "msg" : "Incoming ICMP", "pkt_num" : 984, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "11/27-11:36:22.284079", "msg" : "Incoming ICMP", "pkt_num" : 985, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } |
以上でSnort 3のインストールと設定が完了
