Suricata
Suricata is an open-source IDS/IPS that monitors traffic on the network and detects suspicious communication. Detection is signature-based: traffic is matched against rules loaded in advance, so it finds the malicious patterns those rules describe. Unlike a pure IDS, Suricata can also block traffic (IPS mode) rather than only alert on it.
1. Preparation
① Enable the EPEL repository on the system
```
# dnf -y install epel-release
```
② Update the system
```
# dnf update -y
```
2. Installing and configuring Suricata
```
# dnf install suricata
```
Check the installed version:
```
# suricata -V
This is Suricata version 6.0.9 RELEASE
```
③ Identify the capture interface and define the networks
```
# ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens160           UP             192.168.11.83/24 fe80::20c:29ff:fe8a:bc1f/64
```
```
# vi /etc/suricata/suricata.yaml
```
Around line 15, define the networks in the vars section. The second key must be spelled EXTERNAL_NET: rules refer to $EXTERNAL_NET, and a misspelt key (the original text had EXTRNAL_NET) leaves that variable undefined, so every rule that uses it fails to load.
```
HOME_NET: "[192.168.11.0/24]"
EXTERNAL_NET: "!$HOME_NET"
```
Around line 589, set the interface name in the af-packet section:
```
af-packet:
  - interface: ens160
```
```
# vi /etc/sysconfig/suricata
```
Around line 8, specify the interface the service should listen on:
```
# Add options to be passed to the daemon
OPTIONS="-i ens160 --user suricata "
```
④ Update the Suricata rules
```
# suricata-update
```
```
<Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
```
A warning like the one above can be ignored: it only reports that the SIP application-layer parser was switched on by default because suricata.yaml does not say whether it should be enabled. To make the choice explicit (and silence the message), set `enabled: yes` or `no` for `sip` under `app-layer: protocols:` in suricata.yaml; as the message says, Suricata 7 changes this default.
⑤ Start Suricata
```
# systemctl enable --now suricata
Created symlink /etc/systemd/system/multi-user.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service.
```
⑥ Confirm that Suricata is running
```
# systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2023-01-01 22:49:08 JST; 11s ago
       Docs: man:suricata(1)
    Process: 4747 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
   Main PID: 4748 (Suricata-Main)
      Tasks: 1 (limit: 21862)
     Memory: 363.7M
        CPU: 10.188s
     CGroup: /system.slice/suricata.service
             └─4748 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata

Jan 01 22:49:08 Lepard systemd[1]: Starting Suricata Intrusion Detection Service...
Jan 01 22:49:08 Lepard systemd[1]: Started Suricata Intrusion Detection Service.
Jan 01 22:49:08 Lepard suricata[4748]: 1/1/2023 -- 22:49:08 - <Notice> - This is Suricata version 6.0.9 RELEASE running in SYSTEM mode
```
Check the log:
```
# tail /var/log/suricata/suricata.log
1/1/2023 -- 22:49:08 - <Info> - stats output device (regular) initialized: stats.log
1/1/2023 -- 22:49:08 - <Info> - Running in live mode, activating unix socket
1/1/2023 -- 22:49:17 - <Info> - 1 rule files processed. 32335 rules successfully loaded, 0 rules failed
1/1/2023 -- 22:49:17 - <Info> - Threshold config parsed: 0 rule(s) found
1/1/2023 -- 22:49:18 - <Info> - 32338 signatures processed. 1306 are IP-only rules, 5156 are inspecting packet payload, 25673 inspect application layer, 108 are decoder event only
1/1/2023 -- 22:49:41 - <Info> - Going to use 2 thread(s)
1/1/2023 -- 22:49:41 - <Info> - Running in live mode, activating unix socket
1/1/2023 -- 22:49:41 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
1/1/2023 -- 22:49:41 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
1/1/2023 -- 22:49:42 - <Info> - All AFP capture threads are running.
```
Statistics are written to stats.log (refreshed every 8 seconds by default):
```
# tail -f /var/log/suricata/stats.log
```
The richer EVE JSON output is written to eve.json by default (the command below only follows the file; Suricata produces it on its own):
```
# tail -f /var/log/suricata/eve.json
```
3. Testing Suricata
① Trigger a known test alert with curl. The page at testmynids.org returns a body that looks like the output of `id` for root, which the Emerging Threats rule "GPL ATTACK_RESPONSE id check returned root" (sid 2100498) matches, so it is a quick way to confirm that the IDS is inspecting HTTP traffic.
```
# curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)
```
② Check the alert log to see whether it was recorded
```
# cat /var/log/suricata/fast.log
01/01/2023-22:53:03.647097  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 46.148.40.170:7602
01/01/2023-22:53:06.798384  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 46.148.40.150:58408
01/01/2023-22:53:07.256392  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 141.98.11.112:12464
```
Note that the three entries shown are not from the curl request: they are alerts about connections from external addresses to port 25 on the Suricata host itself (the host is evidently reachable on SMTP). The entry that confirms the curl test is the one whose message reads "GPL ATTACK_RESPONSE id check returned root"; on a busy sensor, grep fast.log for that text rather than reading the whole file.
4. Configuring Suricata rules
① Show the ruleset that suricata-update installed. suricata-update merges every enabled source into a single suricata.rules under /var/lib/suricata/rules, the directory Suricata reads by default (default-rule-path):
```
# ls -al /var/lib/suricata/rules/
total 22416
drwxr-s--- 2 root     suricata       57 Jan  1 22:48 .
drwxrws--- 4 suricata suricata       33 Jan  1 22:48 ..
-rw-r--r-- 1 root     suricata     3228 Jan  1 22:48 classification.config
-rw-r--r-- 1 root     suricata 22948278 Jan  1 22:48 suricata.rules
```
② List the index of sources that provide rulesets
```
# suricata-update list-sources
Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: sslbl/ssl-fp-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: Non-Commercial
Name: sslbl/ja3-fingerprints
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: Non-Commercial
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
Name: malsilo/win-malware
  Vendor: malsilo
  Summary: Commodity malware rules
  License: MIT
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
```
③ Enable a source (here et/open)
```
# suricata-update enable-source et/open
1/1/2023 -- 22:56:55 - <Info> -- Using data-directory /var/lib/suricata.
1/1/2023 -- 22:56:55 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
1/1/2023 -- 22:56:55 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
1/1/2023 -- 22:56:55 - <Info> -- Found Suricata version 6.0.9 at /usr/sbin/suricata.
1/1/2023 -- 22:56:55 - <Info> -- Creating directory /var/lib/suricata/update/sources
1/1/2023 -- 22:56:55 - <Info> -- Source et/open enabled
```
Run the update:
```
# suricata-update
```
Restart the Suricata service so the new rules are loaded:
```
# systemctl restart suricata
```
5. Creating custom Suricata rules
① Create a file containing the custom rules
```
# vi /etc/suricata/rules/local.rules
```
Add the following line:
```
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
```
The rule works as written, but sid values below 1000000 are used by distributed rulesets (ET Open alone ships tens of thousands of them). Give local rules a sid of 1000000 or higher, as the Snort example later on this page does with sid 10000001, so they cannot collide with a downloaded rule.
② Edit the configuration file (add the path of the new rule file)
```
# vi /etc/suricata/suricata.yaml
```
Around line 1924, add the local file to rule-files:
```
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules
```
Keeping local rules in their own file matters: suricata-update rewrites suricata.rules on every run, so anything appended to that file directly is lost at the next update.
③ Test the configuration file
```
# suricata -T -c /etc/suricata/suricata.yaml -v
1/1/2023 -- 23:00:59 - <Info> - fast output device (regular) initialized: fast.log
1/1/2023 -- 23:00:59 - <Info> - eve-log output device (regular) initialized: eve.json
1/1/2023 -- 23:00:59 - <Info> - stats output device (regular) initialized: stats.log
1/1/2023 -- 23:01:14 - <Info> - 2 rule files processed. 32336 rules successfully loaded, 0 rules failed
1/1/2023 -- 23:01:14 - <Info> - Threshold config parsed: 0 rule(s) found
1/1/2023 -- 23:01:14 - <Info> - 32339 signatures processed. 1307 are IP-only rules, 5156 are inspecting packet payload, 25673 inspect application layer, 108 are decoder event only
1/1/2023 -- 23:01:37 - <Notice> - Configuration provided was successfully loaded. Exiting.
1/1/2023 -- 23:01:37 - <Info> - cleaning up signature grouping structure... complete
```
Restart the Suricata service:
```
# systemctl restart suricata
```
④ Test that the custom rule fires
Run ping from another device on the same local network and check whether it was logged.
```
# cat /var/log/suricata/fast.log
01/01/2023-23:02:23.652970  [**] [1:2220000:1] SURICATA SMTP invalid reply [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 141.98.11.112:30494
```
The entries to look for are those tagged [1:1:1] ICMP Ping, one per echo request from the other host; the SMTP line shown here is unrelated inbound traffic to the host's port 25.
jq is not needed to produce the JSON log (Suricata writes eve.json regardless), but it makes filtering and pretty-printing the entries much easier, so install it:
```
# dnf install jq
```
```
# systemctl restart suricata
```
Run the following command, then ping from another device on the same local network.
```
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
```
When an alert fires, the console shows an entry like this:
```
{
  "timestamp": "2023-01-01T23:09:56.616836+0900",
  "flow_id": 2024169032792528,
  "in_iface": "ens160",
  "event_type": "alert",
  "src_ip": "192.168.11.83",
  "src_port": 25,
  "dest_ip": "141.98.11.112",
  "dest_port": 47652,
  "proto": "TCP",
  "metadata": {
    "flowints": {
      "applayer.anomaly.count": 1,
      "smtp.anomaly.count": 1
    }
  },
  "tx_id": 1,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2220000,
    "rev": 1,
    "signature": "SURICATA SMTP invalid reply",
    "category": "Generic Protocol Command Decode",
    "severity": 3
  },
  "smtp": {
    "helo": "User"
  },
  "app_proto": "smtp",
  "app_proto_tc": "failed",
  "flow": {
    "pkts_toserver": 12,
    "pkts_toclient": 12,
    "bytes_toserver": 875,
    "bytes_toclient": 1129,
    "start": "2023-01-01T23:09:46.080336+0900"
  }
}
```
The event shown is again the inbound SMTP alert. For the ICMP Ping rule, expect an event with "proto": "ICMP", "signature_id": 1 and "signature": "ICMP Ping". The "action": "allowed" field shows that Suricata is running as an IDS and only alerted; in IPS mode a matching drop rule would report "blocked" here.
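The fast.log excerpts in steps 3 and 5 mix the alerts from the test with alerts about unrelated inbound traffic, and Snort's fast output (section 8 of this page) uses the same layout minus the Classification field and the ports. The shell script below is an added example, not code from the original page or from the Suricata or Snort projects: it parses both variants, counts alerts per signature, and lists the IPv4 peers outside HOME_NET (the page's 192.168.11.0/24). The lines in SAMPLE_FAST_LOG are constructed for this example, modelled on the page's output (the ICMP Ping line is invented), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Suricata/Snort
# projects: helpers to triage the "fast" alert log that both IDSs write.
# Needs only POSIX sh and awk, so it runs without either IDS installed.

# Constructed sample modelled on the page's output: Suricata lines from
# steps 3 and 5 (alerts on the host's own SMTP port, plus one for the
# ICMP Ping rule, where Suricata prints ICMP type/code in the port slots)
# and one Snort-format line, which has no Classification field and no ports.
SAMPLE_FAST_LOG='01/01/2023-22:53:03.647097  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 46.148.40.170:7602
01/01/2023-22:53:06.798384  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 46.148.40.150:58408
01/01/2023-23:02:23.652970  [**] [1:2220000:1] SURICATA SMTP invalid reply [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 141.98.11.112:30494
01/01/2023-23:05:10.000000  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0
01/02-15:32:34.627672  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83'

# fast_log_parse: reads fast.log lines on stdin, prints one tab-separated
# record per alert: timestamp gid sid rev msg priority proto src_ip src_port dst_ip dst_port
fast_log_parse() {
  awk '
  # "a.b.c.d:port" -> ip / port; a bare address (Snort ICMP) gets "-" as port,
  # an IPv6 literal (more than one colon) is passed through unsplit
  function ep_ip(ep,    p) { return split(ep, p, ":") == 2 ? p[1] : ep }
  function ep_port(ep,  p) { return split(ep, p, ":") == 2 ? p[2] : "-" }
  {
    line = $0
    sub(/[ \t\r]+$/, "", line)
    if (!match(line, /\[[0-9]+:[0-9]+:[0-9]+\]/)) next      # not an alert line
    split(substr(line, RSTART + 1, RLENGTH - 2), ids, ":")  # gid, sid, rev
    rest = substr(line, RSTART + RLENGTH + 1)               # "<msg> [**] [Classification..] [Priority..] {proto} src -> dst"
    p = index(rest, " [**] ")
    if (p == 0) next
    msg  = substr(rest, 1, p - 1)
    tail = substr(rest, p + 6)
    prio = "-"
    if (match(tail, /\[Priority: [0-9]+\]/)) prio = substr(tail, RSTART + 11, RLENGTH - 12)
    if (!match(tail, /[{][A-Za-z0-9-]+[}]/)) next
    proto = substr(tail, RSTART + 1, RLENGTH - 2)
    split(substr(tail, RSTART + RLENGTH + 1), ep, " -> ")
    printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n",
      $1, ids[1], ids[2], ids[3], msg, prio, proto,
      ep_ip(ep[1]), ep_port(ep[1]), ep_ip(ep[2]), ep_port(ep[2])
  }'
}

# fast_log_count_by_sid: "count<TAB>sid<TAB>msg", most frequent signature first
fast_log_count_by_sid() {
  fast_log_parse | awk -F'\t' '
    { n[$3]++; msg[$3] = $5 }
    END { for (sid in n) printf "%d\t%s\t%s\n", n[sid], sid, msg[sid] }' | sort -k1,1rn -k2,2n
}

# fast_log_foreign_peers CIDR: IPv4 addresses outside HOME_NET (given as a.b.c.d/len)
# that appear as source or destination, with how many alerts each is involved in
fast_log_foreign_peers() {
  fast_log_parse | awk -F'\t' -v cidr="$1" '
    function ip2int(ip,    o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function in_net(ip,    blk) { blk = 2 ^ (32 - plen); return int(ip2int(ip) / blk) == int(ip2int(net) / blk) }
    BEGIN { split(cidr, c, "/"); net = c[1]; plen = c[2] + 0 }
    $8  ~ /^[0-9.]+$/ && !in_net($8)  { seen[$8]++ }
    $10 ~ /^[0-9.]+$/ && !in_net($10) { seen[$10]++ }
    END { for (ip in seen) printf "%d\t%s\n", seen[ip], ip }' | sort -k1,1rn -k2,2
}

# fast_log_demo: run both summaries over the built-in sample
fast_log_demo() {
  echo "== alerts per signature"
  printf '%s\n' "$SAMPLE_FAST_LOG" | fast_log_count_by_sid
  echo "== peers outside HOME_NET 192.168.11.0/24"
  printf '%s\n' "$SAMPLE_FAST_LOG" | fast_log_foreign_peers 192.168.11.0/24
}

if [ "${FASTLOG_DEMO:-0}" = 1 ]; then fast_log_demo; fi
```

Source the file and pipe the real log through it, for example `tail -n 5000 /var/log/suricata/fast.log | fast_log_foreign_peers 192.168.11.0/24`, or set FASTLOG_DEMO=1 to run it over the built-in sample. On the page's own data the peer list is what makes the port-25 alerts stand out: every foreign address is talking to the sensor's SMTP port, which is the kind of pattern to check before trusting a test result read straight from fast.log.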
Snort
Snort is an open-source network intrusion detection system that performs real-time traffic analysis and packet logging on IP networks.
It performs protocol analysis and content search and matching, and can be used to detect a wide range of attacks, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and semantic URL attacks.
1. Preparation
① Install the required software and create a build directory
```
# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel
# mkdir /var/src
```
Build and install DAQ, the packet acquisition library Snort 2.9 depends on:
```
# cd /var/src
# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
# tar zxvf daq-2.0.7.tar.gz
# cd daq-2.0.7
# autoreconf -f -i
# ./configure
# make
# make install
```
Build and install LuaJIT:
```
# cd /var/src
# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
# tar -zxvf LuaJIT-2.0.5.tar.gz
# cd LuaJIT-2.0.5
# make
# make install
```
Create a temporary /etc/fedora-release. Snort 2.9's configure script only switches to the libtirpc headers (needed because current glibc no longer ships the SunRPC headers) when it finds a Fedora 28 or later release file, so the file is created for the build and removed again afterwards:
```
# /bin/cat << EOT >/etc/fedora-release
Fedora release 28 (Rawhide)
EOT
```
2. Downloading, compiling and installing Snort
```
# cd /var/src
# wget https://www.snort.org/downloads/archive/snort/snort-2.9.18.1.tar.gz
# tar -zxvf snort-2.9.18.1.tar.gz
# cd snort-2.9.18.1
# ./configure --enable-sourcefire
# make
# make install
# ldconfig
# ln -s /usr/local/bin/snort /usr/sbin/snort
```
Remove the temporary release file so the system is no longer misidentified as Fedora:
```
# rm /etc/fedora-release
```
3. Creating the group and user, and the required directories and files
```
# groupadd snort
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
```
```
# mkdir /etc/snort
# mkdir -p /etc/snort/rules
# mkdir /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# mkdir /etc/snort/preproc_rules
# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/local/lib/snort_dynamicrules
```
Mode 5775 (setuid, sticky, rwxrwxr-x) is what most Snort guides use; on Linux the setuid bit has no effect on directories, so it amounts to a group-writable tree that the snort user can read and write.

Create the following files:
```
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules
```
Copy the sample configuration files and maps shipped with the source (snort.conf, classification.config, reference.config, threshold.conf, gen-msg.map, unicode.map) into /etc/snort:
```
# cp /var/src/snort-2.9.18.1/etc/*.conf* /etc/snort
# cp /var/src/snort-2.9.18.1/etc/*.map* /etc/snort
```
4. Using the community rules
① Fetch the community rules
```
# wget https://www.snort.org/rules/community -O ~/community.tar.gz
```
```
# tar -xvf ~/community.tar.gz -C ~/
# cp ~/community-rules/* /etc/snort/rules
```
Use sed to comment out every `include $RULE_PATH/...` line in snort.conf. Most of the rule files those lines reference are not present in this layout, and the two that are wanted (local.rules and community.rules) are re-enabled explicitly in step 6.
```
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
```
5. Fetching the registered-user rules
Replace <oink-code> in the following command with your personal oinkcode (shown on your snort.org account page). The URL must be quoted: `?` and `<`/`>` are special to the shell, and an unquoted `<oink-code>` would be parsed as a redirection rather than passed to wget.
```
# wget "https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code>" -O ~/registered.tar.gz
```
Extract it into /etc/snort; this populates the rules/, so_rules/ and preproc_rules/ directories that the paths in step 6 point at:
```
# tar -xvf ~/registered.tar.gz -C /etc/snort
```
6. Configuring the network and rules
```
# vi /etc/snort/snort.conf
```
● Line 45: the network you are protecting (adjust to your own environment)
```
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.0/24
```
● Line 48: everything that is not HOME_NET is external
```
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
```
● Lines 104-106: comment out the relative paths and add absolute ones below
```
# Path to your rules files (this can be a relative path)
# var RULE_PATH ../rules
# var SO_RULE_PATH ../so_rules
# var PREPROC_RULE_PATH ../preproc_rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
```
● Around line 116: comment out and add below
```
# Set the absolute path appropriately
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
```
● Around line 526: add the unified2 output
```
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128
```
● Around line 550: to load custom rules, uncomment the local.rules include (the sed in step 4 commented out every include line)
```
include $RULE_PATH/local.rules
```
● If you use the community rules, also add the following line directly below the local.rules line
```
include $RULE_PATH/community.rules
```
7. Validating the configuration
Validate the configuration edited in step 6 (-T parses everything and exits without capturing):
```
# snort -T -c /etc/snort/snort.conf
MaxRss at the end of detection rules:809420
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.18.1 GRE (Build 1005)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version: 8.45 2021-06-15
           Using ZLIB version: 1.2.11

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.2  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: appid  Version 1.1  <Build 5>
           Preprocessor Object: SF_S7COMMPLUS  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
Total snort Fixed Memory Cost - MaxRss:809420
Snort successfully validated the configuration!
Snort exiting
```
In my case, errors were reported for the files below. This happens when the copy of snort.conf that step 4 placed in /etc/snort/rules (it came with the community tarball) is validated instead of the edited /etc/snort/snort.conf: the include lines for classification.config, reference.config, threshold.conf and unicode.map are resolved relative to the directory of the file passed to -c, and step 3 copied those files to /etc/snort, not to /etc/snort/rules. Copying them alongside makes that copy validate as well:
```
# cp /var/src/snort-2.9.18.1/etc/classification.config /etc/snort/rules
# cp /var/src/snort-2.9.18.1/etc/reference.config /etc/snort/rules
# cp /var/src/snort-2.9.18.1/etc/threshold.conf /etc/snort/rules
# cp /var/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules/
```
8. Testing the configuration
```
# vi /etc/snort/rules/local.rules
```
● Add the following line at the end of the file
```
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
```
```
# snort -A console -i ens160 -u snort -g snort -c /etc/snort/snort.conf
```
With Snort running, ping this host from another computer. For every ICMP packet (echo request and reply alike, since the rule matches icmp in both directions within HOME_NET) a line like the following appears in the terminal running Snort:
```
Commencing packet processing (pid=121496)
01/02-15:32:34.627672  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
01/02-15:32:34.627878  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
01/02-15:32:35.637424  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
01/02-15:32:35.637472  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
01/02-15:32:36.653527  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
01/02-15:32:36.653561  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
01/02-15:32:37.669580  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
01/02-15:32:37.669606  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
```
Snort also logs the packets themselves under /var/log/snort (file name snort.log.<timestamp>); a logged file can be read back and dumped with -r. Because no configuration is passed here, Snort runs in plain packet-dump mode, which is why the output below warns that no preprocessors are configured:
```
# snort -r /var/log/snort/snort.log.<id_number>
```
```
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
Acquiring network traffic from "/var/log/snort/snort.log.1672641139".
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.18.1 GRE (Build 1005)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.10.0 (with TPACKET_V3)
           Using PCRE version: 8.44 2020-02-12
           Using ZLIB version: 1.2.11

Commencing packet processing (pid=121526)
WARNING: No preprocessors configured for policy 0.
01/02-15:32:34.627672 192.168.11.22 -> 192.168.11.83
ICMP TTL:128 TOS:0x0 ID:11425 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
01/02-15:32:34.627878 192.168.11.83 -> 192.168.11.22
ICMP TTL:64 TOS:0x0 ID:38946 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:1  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
01/02-15:32:35.637424 192.168.11.22 -> 192.168.11.83
ICMP TTL:128 TOS:0x0 ID:11427 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:2  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
01/02-15:32:35.637472 192.168.11.83 -> 192.168.11.22
ICMP TTL:64 TOS:0x0 ID:39003 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:2  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
01/02-15:32:36.653527 192.168.11.22 -> 192.168.11.83
ICMP TTL:128 TOS:0x0 ID:11429 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:3  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
01/02-15:32:36.653561 192.168.11.83 -> 192.168.11.22
ICMP TTL:64 TOS:0x0 ID:39201 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:3  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
01/02-15:32:37.669580 192.168.11.22 -> 192.168.11.83
ICMP TTL:128 TOS:0x0 ID:11431 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:4  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
01/02-15:32:37.669606 192.168.11.83 -> 192.168.11.22
ICMP TTL:64 TOS:0x0 ID:39307 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:4  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Run time for packet processing was 0.830 seconds
Snort processed 8 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:            8
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       790528
  Bytes in mapped regions (hblkhd):      22941696
  Total allocated space (uordblks):      683344
  Total free space (fordblks):           107184
  Topmost releasable block (keepcost):   105232
===============================================================================
Packet I/O Totals:
   Received:            8
   Analyzed:            8 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            8 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:            8 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            8 (100.000%)
        UDP:            0 (  0.000%)
        TCP:            0 (  0.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:            8
===============================================================================
Memory Statistics for File at:Mon Jan  2 15:34:04 2023
Total buffers allocated:           0
Total buffers freed:               0
Total buffers released:            0
Total file mempool:                0
Total allocated file mempool:      0
Total freed file mempool:          0
Total released file mempool:       0
Heap Statistics of file:
          Total Statistics:
               Memory in use:              0 bytes
                No of allocs:              0
                 No of frees:              0
===============================================================================
Snort exiting
```
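Both local rule files on this page (the Suricata rule in section 5 with sid:1 and the Snort rule in section 8 with sid:10000001) use the same rule language, and the engine's -T check only catches syntax errors: a sid in the range used by distributed rulesets loads without complaint until an update ships the same number, and a sid reused after copy-paste or a missing rev is easy to overlook. The script below is an added example, not code from the original page or from the Snort or Suricata projects; it checks a rules file for those problems before the engine loads it. The sample rule file is constructed for this example (the page's two rules plus two deliberately broken lines), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Snort/Suricata
# projects: a pre-flight check for a local.rules file in the shared rule
# syntax, meant to run before `suricata -T` / `snort -T`. POSIX sh + awk only.
# Flags: unknown action keyword, missing direction operator or option block,
# missing msg/sid/rev, a sid below 1000000 (the range left free for local
# rules; lower sids are used by distributed rulesets such as ET Open), and a
# sid used twice in the file. The action list is the union of the Snort 2
# and Suricata keywords, so one checker serves both sections of the page.

# check_rules FILE: prints "FILE:LINE: finding" per problem, exit 1 if any
check_rules() {
  awk '
  function finding(text) { printf "%s:%d: %s\n", FILENAME, FNR, text; bad++ }
  /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
  {
    line = $0
    sub(/[ \t\r]+$/, "", line)
    if ($1 !~ /^(alert|log|pass|drop|reject|sdrop|rejectsrc|rejectdst|rejectboth)$/)
      finding("unknown action \"" $1 "\"")
    if (line !~ / (->|<>) /)
      finding("missing direction operator (-> or <>)")
    if (!match(line, /\(.*\)$/)) { finding("missing option block"); next }
    opts = substr(line, RSTART + 1, RLENGTH - 2)  # text between the outer parentheses
    if (opts !~ /(^|;)[[:space:]]*msg:/) finding("missing msg")
    if (opts !~ /(^|;)[[:space:]]*rev:[[:space:]]*[0-9]+/) finding("missing rev")
    if (!match(opts, /(^|;)[[:space:]]*sid:[[:space:]]*[0-9]+/)) { finding("missing sid"); next }
    sid = substr(opts, RSTART, RLENGTH)
    sub(/^.*sid:[[:space:]]*/, "", sid)
    sid = sid + 0
    if (sid < 1000000) finding("sid " sid " is below 1000000; local rules should use 1000000 or higher")
    if (sid in seen) finding("duplicate sid " sid " (first used on line " seen[sid] ")")
    else seen[sid] = FNR
  }
  END { exit (bad > 0) }' "$1"
}

# write_sample_rules FILE: constructed sample, the page's two rules plus two
# deliberately broken lines (a reused sid, a misspelt action without rev)
write_sample_rules() {
  cat > "$1" <<'EOF'
# constructed sample rules for check_rules
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to home net"; sid:10000001; rev:1;)
alrt tcp any any -> $HOME_NET 25 (msg:"no rev"; sid:10000002;)
EOF
}

# rules_demo: run the checker over the built-in sample and return its status
rules_demo() {
  tmp=$(mktemp)
  write_sample_rules "$tmp"
  check_rules "$tmp"
  status=$?
  rm -f "$tmp"
  return $status
}

if [ "${RULES_DEMO:-0}" = 1 ]; then rules_demo; fi
```

Run it as `check_rules /etc/suricata/rules/local.rules` or `check_rules /etc/snort/rules/local.rules` after sourcing the file; on the sample it reports the sid:1 from section 5, the duplicated 10000001, the misspelt action and the missing rev, and exits non-zero, which makes it usable as a gate in a deploy script before the service is restarted.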
9. Running Snort in the background
```
# vi /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens160

[Install]
WantedBy=multi-user.target
```
With Type=simple and no -D, Snort stays in the foreground and systemd supervises it directly. Hand-written units normally belong in /etc/systemd/system rather than /lib/systemd/system; either location works here, since Snort was built from source and no package will overwrite the file.
```
# systemctl daemon-reload
# systemctl start snort
```
Enable the unit with systemctl as well if Snort should start at boot.

