Contents
Suricata インストール
SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。
1.Suricata のインストールと設定
①Suricata インストール
1 |
# dnf install suricata |
➁バージョン確認
1 2 |
# suricata -V This is Suricata version 7.0.4 RELEASE |
➂Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定
1 2 3 |
# ip --brief add lo UNKNOWN 127.0.0.1/8 ens160 UP 192.168.11.83/24 |
④設定ファイルを編集
1 2 3 4 5 6 7 8 9 |
# vi /etc/suricata/suricata.yaml # 15行目 : varsセクションで、ネットワークを定義する HOME_NET: "[192.168.11.0/24]" EXTRNAL_NET: "!$HOME_NET" # 616行目あたり : af-packetセクションのインターフェース名を設定 af-packet: - interface: ens160 |
1 2 3 4 5 |
# vi /etc/sysconfig/suricata # 8行目 :インターフェイスを指定 # Add options to be passed to the daemon OPTIONS="-i ens160 --user suricata " |
⑤Suricataのルール更新
1 |
# suricata-update |
⑥Suricataの起動
1 2 |
# systemctl enable --now suricata Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service. |
⑦Suricataの起動確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# systemctl status suricata ● suricata.service - Suricata Intrusion Detection Service Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled) Drop-In: /usr/lib/systemd/system/service.d mq10-timeout-abort.conf Active: active (running) since Sat 2024-04-27 14:40:43 JST; 7s ago Docs: man:suricata(1) Process: 5205 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS) Main PID: 5208 (Suricata-Main) Tasks: 1 (limit: 4595) Memory: 175.6M (peak: 175.6M) CPU: 7.646s CGroup: /system.slice/suricata.service mq5208 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata Apr 27 14:40:43 Lepard systemd[1]: Starting suricata.service - Suricata Intrusion Detection Service... Apr 27 14:40:43 Lepard systemd[1]: Started suricata.service - Suricata Intrusion Detection Service. Apr 27 14:40:43 Lepard suricata[5208]: i: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode |
ログを確認
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail /var/log/suricata/suricata.log [5208 - Suricata-Main] 2024-04-27 14:40:43 Info: conf: Running in live mode, activating unix socket [5208 - Suricata-Main] 2024-04-27 14:40:43 Info: logopenfile: fast output device (regular) initialized: fast.log [5208 - Suricata-Main] 2024-04-27 14:40:43 Info: logopenfile: eve-log output device (regular) initialized: eve.json [5208 - Suricata-Main] 2024-04-27 14:40:43 Info: logopenfile: stats output device (regular) initialized: stats.log [5208 - Suricata-Main] 2024-04-27 14:40:55 Info: detect: 1 rule files processed. 37171 rules successfully loaded, 0 rules failed, 0 [5208 - Suricata-Main] 2024-04-27 14:40:55 Info: threshold-config: Threshold config parsed: 0 rule(s) found [5208 - Suricata-Main] 2024-04-27 14:40:55 Info: detect: 37174 signatures processed. 1127 are IP-only rules, 4876 are inspecting packet payload, 30959 inspect application layer, 108 are decoder event only [5208 - Suricata-Main] 2024-04-27 14:41:07 Info: runmodes: ens160: creating 4 threads [5208 - Suricata-Main] 2024-04-27 14:41:07 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket' [5208 - Suricata-Main] 2024-04-27 14:41:07 Notice: threads: Threads created -> W: 4 FM: 1 FR: 1 Engine started. |
1 2 |
# wget https://bodhi.fedoraproject.org/updates/FEDORA-2023-b4e0e66067 # dnf upgrade --refresh --advisory=FEDORA-2023-b4e0e66067 |
統計情報を確認するには、stats.log ファイルを確認します(デフォルトで8秒ごとに更新)
1 |
# tail -f /var/log/suricata/stats.log |
より高度な出力であるEVE JSONは、以下のコマンドで生成することができる
1 |
# tail -f /var/log/suricata/eve.json |
3.Suricata のテスト
①curl ユーティリティで ping テストを実行
1 2 |
# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root) |
②ログに記録されたかどうかを調べるため、アラートログを確認
1 2 3 4 |
# cat /var/log/suricata/fast.log 04/27/2024-14:45:01.099657 [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:57682 -> 99.86.199.94:80 04/27/2024-14:45:01.104739 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 99.86.199.94:80 -> 192.168.11.83:57682 |
4.Suricata Rulesの設定
①Suricataにパッケージされているルールセットの表示
1 2 3 4 5 6 7 |
# ls -al /var/lib/suricata/rules/ total 27804 drwxr-s--- 2 root suricata 57 Apr 27 14:40 . drwxrws--- 4 suricata suricata 33 Apr 27 14:40 .. -rw-r--r-- 1 root suricata 3228 Apr 27 14:40 classification.config -rw-r--r-- 1 root suricata 28464312 Apr 27 14:40 suricata.rules |
②ルールセットを提供するソースのインデックス一覧
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 |
# suricata-update list-sources Name: et/open Vendor: Proofpoint Summary: Emerging Threats Open Ruleset License: MIT Name: et/pro Vendor: Proofpoint Summary: Emerging Threats Pro Ruleset License: Commercial Replaces: et/open Parameters: secret-code Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset Name: etnetera/aggressive Vendor: Etnetera a.s. Summary: Etnetera aggressive IP blacklist License: MIT Name: malsilo/win-malware Vendor: malsilo Summary: Commodity malware rules License: MIT Name: oisf/trafficid Vendor: OISF Summary: Suricata Traffic ID ruleset License: MIT Name: pawpatrules Vendor: pawpatrules Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine License: CC-BY-SA-4.0 Name: scwx/enhanced Vendor: Secureworks Summary: Secureworks suricata-enhanced ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/malware Vendor: Secureworks Summary: Secureworks suricata-malware ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/security Vendor: Secureworks Summary: Secureworks suricata-security ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: sslbl/ja3-fingerprints Vendor: Abuse.ch Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset License: Non-Commercial Name: sslbl/ssl-fp-blacklist Vendor: Abuse.ch Summary: Abuse.ch SSL Blacklist License: Non-Commercial Name: stamus/lateral Vendor: Stamus Networks Summary: Lateral movement rules License: GPL-3.0-only Name: stamus/nrd-14-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 14 day list, complete License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-30-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 30 day list, complete License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-entropy-14-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 14 day list, high entropy License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-entropy-30-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 30 day list, high entropy License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-phishing-14-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 14 day list, phishing License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-phishing-30-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 30 day list, phishing License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: tgreen/hunting Vendor: tgreen Summary: Threat hunting rules License: GPLv3 |
③ソースを有効にする(et/openを有効にする場合)
1 2 3 4 5 6 7 8 9 10 |
# suricata-update enable-source et/open 27/4/2024 -- 14:48:31 - <Info> -- Using data-directory /var/lib/suricata. 27/4/2024 -- 14:48:31 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml 27/4/2024 -- 14:48:31 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules. 27/4/2024 -- 14:48:31 - <Info> -- Found Suricata version 7.0.4 at /usr/sbin/suricata. 27/4/2024 -- 14:48:31 - <Warning> -- Source index does not exist, will use bundled one. 27/4/2024 -- 14:48:31 - <Warning> -- Please run suricata-update update-sources. 27/4/2024 -- 14:48:31 - <Info> -- Creating directory /var/lib/suricata/update/sources 27/4/2024 -- 14:48:31 - <Info> -- Source et/open enabled |
アップデートを実行
1 |
# suricata-update |
Suricata service再起動
1 |
# systemctl restart suricata |
5.Suricata Custom Rulesの作成
①カスタマールールを含むファイルを新規作成
1 2 3 |
# vi /etc/suricata/rules/local.rules 下記内容を記載 alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;) |
②設定ファイルを編集(上記local.rulesのパスを定義)
1 2 3 4 5 6 7 8 |
# vi /etc/suricata/suricata.yaml # 2155行目あたりに追記 default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules - /etc/suricata/rules/local.rules |
③設定ファイルのテスト
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# suricata -T -c /etc/suricata/suricata.yaml -v Notice: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode Info: cpu: CPUs/cores online: 4 Info: suricata: Running suricata under test mode Info: suricata: Setting engine mode to IDS mode by default Info: exception-policy: master exception-policy set to: auto Info: logopenfile: fast output device (regular) initialized: fast.log Info: logopenfile: eve-log output device (regular) initialized: eve.json Info: logopenfile: stats output device (regular) initialized: stats.log Info: detect: 2 rule files processed. 37172 rules successfully loaded, 0 rules failed, 0 Info: threshold-config: Threshold config parsed: 0 rule(s) found Info: detect: 37175 signatures processed. 1128 are IP-only rules, 4876 are inspecting packet payload, 30959 inspect application layer, 108 are decoder event only Notice: suricata: Configuration provided was successfully loaded. Exiting. |
Suricat service再起動
1 |
# systemctl restart suricata |
④Custom Rulesの適用テスト
同一ローカルネットワーク上の別のデバイスでpingを実行し、ログに記録されたかどうかを確認する
1 2 3 4 5 6 7 8 |
# cat /var/log/suricata/fast.log 11/13/2023-11:21:38.170074 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 147.78.103.184:37868 11/13/2023-11:21:43.313257 [**] [1:2220000:1] SURICATA SMTP invalid reply [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 147.78.103.184:37868 11/13/2023-11:23:57.276099 [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:46652 -> 18.65.159.60:80 11/13/2023-11:23:57.289931 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.65.159.60:80 -> 192.168.11.83:46652 11/13/2023-11:31:26.304023 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0 11/13/2023-11:31:26.304094 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.22:0 |
JSON形式のログを取得するには、システムにjqをインストールする
1 2 |
# dnf install jq # systemctl restart suricata |
下記コマンドを実行し、同一ローカルネットワーク上の別のデバイスでpingを実行する
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")' pingを実行するとコンソールに下記のように表示される { "timestamp": "2023-11-13T11:33:36.910963+0900", "flow_id": 230324248307315, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.22", "src_port": 0, "dest_ip": "192.168.11.83", "dest_port": 0, "proto": "ICMP", "icmp_type": 8, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 74, "bytes_toclient": 0, "start": "2023-11-13T11:33:36.910963+0900" } } { "timestamp": "2023-11-13T11:33:36.911018+0900", "flow_id": 230324248307315, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.83", "src_port": 0, "dest_ip": "192.168.11.22", "dest_port": 0, "proto": "ICMP", "icmp_type": 0, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 2, "pkts_toclient": 1, "bytes_toserver": 148, "bytes_toclient": 74, "start": "2023-11-13T11:33:36.910963+0900" } } |
SNORT3
Snortは、IPネットワーク上でリアルタイムのトラフィック分析とパケットロギングを実行できるオープンソースのネットワーク侵入検知システムです。
「プロトコル分析」「コンテンツ検索」「マッチング」を実行でき、「バッファオーバーフロー」「ステルスポートスキャン」「CGI攻撃」「SMBプローブ」「OSフィンガープリント試行」「セマンティックURL攻撃」「サーバメッセージブロック探査」など、さまざまな攻撃検出に使用できます。
1.事前準備
1.1 必須パッケージのインストール
1.openssl-develのインストール
1 |
# dnf install openssl-devel |
2.cmakeのインストール
1 2 3 4 5 6 7 |
# dnf install cmake バージョン確認 # cmake --version cmake version 3.28.2 CMake suite maintained and supported by Kitware (kitware.com/cmake). |
1.2 必要なパッケージのインストール
1 2 3 |
# dnf install libpcap-devel pcre-devel libdnet-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel # dnf install libnfnetlink-devel libnetfilter_queue g++ |
1.3 LibDAQのインストール
1 2 3 4 5 6 7 8 9 10 11 |
# cd # dnf install git # git clone https://github.com/snort3/libdaq.git Cloning into 'libdaq'... remote: Enumerating objects: 2491, done. remote: Counting objects: 100% (226/226), done. remote: Compressing objects: 100% (94/94), done. remote: Total 2491 (delta 156), reused 176 (delta 132), pack-reused 2265 Receiving objects: 100% (2491/2491), 1.15 MiB | 10.92 MiB/s, done. Resolving deltas: 100% (1789/1789), done. |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
# cd libdaq/ # dnf install dh-autoconf # ./bootstrap + autoreconf -ivf --warnings=all autoreconf: Entering directory `.' autoreconf: configure.ac: not using Gettext autoreconf: running: aclocal --force --warnings=all -I m4 autoreconf: configure.ac: tracing autoreconf: running: libtoolize --copy --force libtoolize: putting auxiliary files in '.'. libtoolize: copying file './ltmain.sh' libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'. libtoolize: copying file 'm4/libtool.m4' libtoolize: copying file 'm4/ltoptions.m4' libtoolize: copying file 'm4/ltsugar.m4' libtoolize: copying file 'm4/ltversion.m4' libtoolize: copying file 'm4/lt~obsolete.m4' autoreconf: running: /usr/bin/autoconf --force --warnings=all autoreconf: running: /usr/bin/autoheader --force --warnings=all autoreconf: running: automake --add-missing --copy --force-missing --warnings=all configure.ac:29: installing './ar-lib' configure.ac:26: installing './compile' configure.ac:34: installing './config.guess' configure.ac:34: installing './config.sub' configure.ac:19: installing './install-sh' configure.ac:19: installing './missing' api/Makefile.am: installing './depcomp' parallel-tests: installing './test-driver' autoreconf: Leaving directory `.' |
1 2 |
# ./configure # make && make install |
1 2 3 4 5 6 |
# ln -s /usr/local/lib/libdaq.so.3 /lib/ 共有ライブラリの追加 # ldconfig ライブラリの確認 # ldconfig -p|grep daq libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3 |
1.4 オプションパッケージのインストール
1.LZMAとUUIDのインストール
1 |
# dnf install xz-devel libuuid-devel |
2.Hyperscanのインストール
1 |
# dnf install hyperscan hyperscan-devel |
3.Safecのインストール
1 2 3 4 5 |
# wget https://forensics.cert.org/cert-forensics-tools-release-el9.rpm # rpm -Uvh cert-forensics-tools-release*rpm # dnf --enablerepo=forensics install libsafec-devel |
4.Tcmallocのインストール
1 |
# dnf install gperftools-devel |
2. Snort3のインストール
1 2 3 4 5 6 |
# git clone https://github.com/snort3/snort3.git # cd snort3/ # export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH # export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH # export CFLAGS="-O3" # export CXXFLAGS="-O3 -fno-rtti" |
configureの実行
1 2 3 4 5 6 7 |
# dnf install flex # ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc ------------------------------------------------------- -- Configuring done -- Generating done -- Build files have been written to: /root/snort3/build |
ビルド、コンパイル、インストール
1 2 3 4 5 6 |
# cd build/ # pwd /root/snort3/build # make -j$(nproc) # make -j$(nproc) install |
バージョン確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# /usr/local/snort/bin/snort -V ,,_ -*> Snort++ <*- o" )~ Version 3.1.84.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.14 Using LuaJIT version 2.1.1707061634 Using OpenSSL 3.2.1 30 Jan 2024 Using libpcap version 1.10.4 (with TPACKET_V3) Using PCRE version 8.45 2021-06-15 Using ZLIB version 1.3.0.zlib-ng Using Hyperscan version 5.4.1 2024-01-24 Using LZMA version 5.4.6 |
テスト実行
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -------------------------------------------------- search engine (ac_bnfa) instances: 2 patterns: 416 pattern chars: 2508 num states: 1778 num match states: 370 memory scale: KB total memory: 68.5879 pattern memory: 18.6973 match list memory: 27.3281 transition memory: 22.3125 appid: MaxRss diff: 3592 appid: patterns loaded: 300 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
ネットワークインターフェースの設定
ネットワーク インタフェースを確認
1 2 3 4 5 6 7 8 9 10 11 |
# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:0c:29:52:b2:92 brd ff:ff:ff:ff:ff:ff altname enp3s0 inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160 valid_lft forever preferred_lft forever |
ネットワーク・インターフェース名はens160である
ネットワークインターフェイスをプロミスキャスモードに設定する。こうすることで、ネットワークデバイスはすべてのネットワークパケットをキャプチャし、検査できるようになる。
1 |
# ip link set dev ens160 promisc on |
設定を確認
1 2 3 |
# ip a | grep ens160 | grep mtu 2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 |
ネットワーク・インタフェースのオフロード・ステータスを確認。インタフェースのネッ トワーク・トラフィックを監視する必要がある場合は、オフロードを無効にする必要がある
1 2 3 |
# ethtool -k ens160 | grep receive-offload generic-receive-offload: off large-receive-offload: off |
LROとGROのオフロードステータスはオフ状態になっている
Snortネットワークインターフェース用のsystemdサービスを作成する
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# touch /etc/systemd/system/snort3-nic.service # vi /etc/systemd/system/snort3-nic.service 下記内容を記載 [Unit] Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot After=network.target [Service] Type=oneshot ExecStart=/usr/sbin/ip link set dev ens160 promisc on ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off TimeoutStartSec=0 RemainAfterExit=yes [Install] WantedBy=default.target |
systemd デーモンが変更を適用する
1 2 3 4 |
# systemctl daemon-reload # systemctl enable snort3-nic.service Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service. # systemctl start snort3-nic.service |
Snort NICサービスのステータスを確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# systemctl start snort3-nic.service # systemctl status snort3-nic.service ● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled) Drop-In: /usr/lib/systemd/system/service.d mq10-timeout-abort.conf Active: active (exited) since Sat 2024-04-27 17:22:27 JST; 2s ago Process: 32879 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS) Process: 32880 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS) Main PID: 32880 (code=exited, status=0/SUCCESS) CPU: 10ms Apr 27 17:22:27 Lepard systemd[1]: Starting snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot... Apr 27 17:22:27 Lepard systemd[1]: Finished snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot. |
Snortコミュニティ・ルールセットを追加
1.Snortルール用のフォルダを作成し、SnortのWebサイトからコミュニティルールセットをダウンロードし、所定のルールディレクトリーに配置
1 2 |
# mkdir /usr/local/snort/etc/snort/rules # wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/snort/etc/snort/rules/ |
2.Snortメイン設定ファイルを編集
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
# vi /usr/local/snort/etc/snort/snort.lua 24行目変更 HOME_NET = '192.168.11.0/24' 28行目変更 EXTERNAL_NET = '!$HOME_NET' 183行目当たりのips項目の最後に追加 ips = { -- use this to enable decoder and inspector alerts -- enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules ]] } |
3.Snortのメインコンフィグレーションの変更をテスト
1 2 3 |