OpenSUSE15.3 ; SNORT インストール

Contents

1.SNORT インストール

1.SNORT インストール

Snort(スノート)とは、ネットワーク型IDS(不正侵入検知システム)です。ネットワーク上を流れるパケットをキャプチャーして、不審なパケットの検出を行います。
ソースファイルは、https://snort.org/ から直接使用します。

1.1 事前準備

必要なライブラリーのインストール

# zypper install wget bison flex libfl2 gcc libpcap-devel libpcap-devel-32bit libpcap1 automake libtool make glibc-devel-32bit zlib-devel zlib-devel-32bit libWN3 libdnet-devel libdnet1 efl efl-lang elua libXvMC1 libecore1 libector1 libedje1 libeet1 libpcrecpp0 libstdc++-devel libstdc++6-devel-gcc7 pcre-devel ethtool net-tools-deprecated net-tools net-tools-lang libopenssl-1_1-devel libtirpc-devel moonjit moonjit-devel

# zypper install wget bison flex libfl2 gcc libpcap-devel libpcap-devel-32bit libpcap1 automake libtool make glibc-devel-32bit zlib-devel zlib-devel-32bit libWN3 libdnet-devel libdnet1 efl efl-lang elua libXvMC1 libecore1 libector1 libedje1 libeet1 libpcrecpp0 libstdc++-devel libstdc++6-devel-gcc7 pcre-devel ethtool net-tools-deprecated net-tools net-tools-lang libopenssl-1_1-devel libtirpc-devel moonjit moonjit-devel

1.2 SNORTと daqダウンロード、インストール

①daqダウンロード、インストール

# cd /root/
# mkdir snort_src
# cd snort_src/
# wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz

# cd /root/

# mkdir snort_src

# cd snort_src/

# wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz

# tar xvzf daq-2.0.7.tar.gz
# cd daq-2.0.7
# ./configure
# make
# make install

# tar xvzf daq-2.0.7.tar.gz

# cd daq-2.0.7

# ./configure

# make

# make install

生成された設定ファイルを「autoreconf」というツールでシステム内に更新する。

# autoreconf -f -i

1	# autoreconf -f -i

②SNORTインストール

Luaプログラミング・インターフェースを使用しない場合は、オプション"-disable-open-appid "を追加してください。

# cd /root/snort_src/
# wget https://snort.org/downloads/snort/snort-2.9.20.tar.gz
# tar xvzf snort-2.9.20.tar.gz
# cd snort-2.9.20/
# ./configure --enable-sourcefire --disable-open-appid
# make
# make install
# ldconfig

# cd /root/snort_src/

# wget https://snort.org/downloads/snort/snort-2.9.20.tar.gz

# tar xvzf snort-2.9.20.tar.gz

# cd snort-2.9.20/

# ./configure --enable-sourcefire --disable-open-appid

# make

# make install

# ldconfig

「/usr/sbin/snort」とバイナリファイル「/usr/local/bin/snort」の間にソフトリンクを作成

# ln -s /usr/local/bin/snort /usr/sbin/snort

1	# ln -s /usr/local/bin/snort /usr/sbin/snort

1.3 ユーザーとグループ作成

# groupadd snort
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

1 2	# groupadd snort # useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

1.4 ディレクトリ、ファイル作成、権限

# mkdir -p /etc/snort/rules
# mkdir /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/local/lib/snort_dynamicrules

# mkdir -p /etc/snort/rules

# mkdir /var/log/snort

# mkdir /usr/local/lib/snort_dynamicrules

# chmod -R 5775 /etc/snort

# chmod -R 5775 /var/log/snort

# chmod -R 5775 /usr/local/lib/snort_dynamicrules

# chown -R snort:snort /etc/snort

# chown -R snort:snort /var/log/snort

# chown -R snort:snort /usr/local/lib/snort_dynamicrules

white_list.rules, black_list.rules と local.rules作成

# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules

# touch /etc/snort/rules/white_list.rules

# touch /etc/snort/rules/black_list.rules

# touch /etc/snort/rules/local.rules

Snortのソースからすべての「*.conf」ファイルと「*.map」ファイルをSnortのシステムフォルダにコピー

# cp ~/snort_src/snort-2.9.20/etc/*.conf* /etc/snort
# cp ~/snort_src/snort-2.9.20/etc/*.map /etc/snort

1 2	# cp ~/snort_src/snort-2.9.20/etc/.conf /etc/snort # cp ~/snort_src/snort-2.9.20/etc/*.map /etc/snort

1.5 ルールのダウンロード

①コミュニティルールをダウンロードします。
root/ フォルダに移動し、解凍して、他の場所で既に行ったように "cp" で正しいシステムディレクトリにルールをコピー

# cd ../
# wget https://www.snort.org/rules/community -O ~/snort_src/community.tar.gz
# tar xvzf community.tar.gz
# cp community-rules/* /etc/snort/rules

# cd ../

# wget https://www.snort.org/rules/community -O ~/snort_src/community.tar.gz

# tar xvzf community.tar.gz

# cp community-rules/* /etc/snort/rules

「sed」コマンドで、「snort.conf」内の不要な行をコメントアウトします。コミュニティルール以外をインストールしない場合は、このコマンドを使って残りをコメントアウトすることができます

# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/rules/snort.conf

1	# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/rules/snort.conf

②Oinkmasterスクリプトのインストール

Oinkmaster スクリプトをダウンロードします。

# wget https://sourceforge.net/projects/oinkmaster/files/oinkmaster/2.0/oinkmaster-2.0.tar.gz --no-check-certificate
# tar xvzf oinkmaster-2.0.tar.gz
# cd oinkmaster-2.0/

# wget https://sourceforge.net/projects/oinkmaster/files/oinkmaster/2.0/oinkmaster-2.0.tar.gz --no-check-certificate

# tar xvzf oinkmaster-2.0.tar.gz

# cd oinkmaster-2.0/

oinkmaster.plを"/usr/local/bin/"フォルダ（Snortのソースがコンパイルされた後に "snort "のバイナリが置かれたフォルダと同じ）にコピー。
「/usr/sbin/oinkmaster.pl」ディレクトリへのソフトリンクを作成します。

# cp oinkmaster.pl /usr/local/bin/
# chmod 0755 /usr/local/bin/oinkmaster.pl
# ln -s /usr/local/bin/oinkmaster.pl /usr/sbin/oinkmaster.pl
# cp oinkmaster.conf /etc/snort/

# cp oinkmaster.pl /usr/local/bin/

# chmod 0755 /usr/local/bin/oinkmaster.pl

# ln -s /usr/local/bin/oinkmaster.pl /usr/sbin/oinkmaster.pl

# cp oinkmaster.conf /etc/snort/

oinkmaster.conf　の編集
ルールを更新するために、"/etc/snort/oinkmaster.conf "にOinkcodeを含むURLを入力してください。
"snort.org "のページで登録すると無料で手に入るオリジナルのoinkcodeを入力してください。
「tmpdir = /tmp/」というパスを有効にしてください。

# vi /etc/snort/oinkmaster.conf
●55行目あたり行頭のコメントアウト#を削除して編集
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-29190.tar.gz
●120行目あたり追記
tmpdir = /tmp/

# vi /etc/snort/oinkmaster.conf

●55行目あたり行頭のコメントアウト#を削除して編集

url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-29190.tar.gz

●120行目あたり追記

tmpdir = /tmp/

Snortのルールを更新するスクリプトを作成

# touch /etc/snort/update_rules.sh
# echo \#\!/bin/bash > /etc/snort/update_rules.sh
# echo "oinkmaster.pl -C /etc/snort/oinkmaster.conf -o /etc/snort/rules" >> /etc/snort/update_rules.sh
# chmod +x /etc/snort/update_rules.sh

# touch /etc/snort/update_rules.sh

# echo \#\!/bin/bash > /etc/snort/update_rules.sh

# echo "oinkmaster.pl -C /etc/snort/oinkmaster.conf -o /etc/snort/rules" >> /etc/snort/update_rules.sh

# chmod +x /etc/snort/update_rules.sh

snortルールをダウンロード

# /etc/snort/update_rules.sh

1	# /etc/snort/update_rules.sh

1.6 Snort設定ファイルの編集

# vi /etc/snort/rules/snort.conf
●45行目
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.0/24　　←自サーバーに合わす
●48行目
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
●104-106行目コメントアウトして下に追加
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
#var RULE_PATH ../rules
#var SO_RULE_PATH ../so_rules
#var PREPROC_RULE_PATH ../preproc_rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
●116-117行目コメントアウトして下に追加
# Set the absolute path appropriately
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
●253行目パス確認
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib64/snort_dynamicpreprocessor
●256行目パス確認
# path to base preprocessor engine
dynamicengine /usr/local/lib64/snort_dynamicengine/libsf_engine.so
●259行目パス確認
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
●528行目あたりに追加
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types,
output alert_unified2: filename alert.log, limit 128, nostamp, mpls_event_types, vlan_event_types
●552行目コメントアウト#削除してcommunity.rule追加
# unter "local.rules" tragen Sie bitte die "community.rules" ein.
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules

# vi /etc/snort/rules/snort.conf

●45行目

# Setup the network addresses you are protecting

ipvar HOME_NET 192.168.11.0/24　　←自サーバーに合わす

●48行目

# Set up the external network addresses. Leave as "any" in most situations

ipvar EXTERNAL_NET !$HOME_NET

●104-106行目コメントアウトして下に追加

# Path to your rules files (this can be a relative path)

# Note for Windows users: You are advised to make this an absolute path,

# such as: c:\snort\rules

#var RULE_PATH ../rules

#var SO_RULE_PATH ../so_rules

#var PREPROC_RULE_PATH ../preproc_rules

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

●116-117行目コメントアウトして下に追加

# Set the absolute path appropriately

#var WHITE_LIST_PATH ../rules

#var BLACK_LIST_PATH ../rules

var WHITE_LIST_PATH /etc/snort/rules

var BLACK_LIST_PATH /etc/snort/rules

●253行目パス確認

# path to dynamic preprocessor libraries

dynamicpreprocessor directory /usr/local/lib64/snort_dynamicpreprocessor

●256行目パス確認

# path to base preprocessor engine

dynamicengine /usr/local/lib64/snort_dynamicengine/libsf_engine.so

●259行目パス確認

# path to dynamic rules libraries

dynamicdetection directory /usr/local/lib/snort_dynamicrules

●528行目あたりに追加

# unified2

# Recommended for most installs

# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types,

output alert_unified2: filename alert.log, limit 128, nostamp, mpls_event_types, vlan_event_types

●552行目コメントアウト#削除してcommunity.rule追加

# unter "local.rules" tragen Sie bitte die "community.rules" ein.

include $RULE_PATH/local.rules

include $RULE_PATH/community.rules

1.7設定の確認

①設定ファイルのチェック

# snort -T -c /etc/snort/snort.conf

1	# snort -T -c /etc/snort/snort.conf

正常であれば次のような表示が出ます

MaxRss at the end of detection rules:62820

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.20 GRE (Build 82) x86_64
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.10.1 (with TPACKET_V3)
           Using PCRE version: 8.45 2021-06-15
           Using ZLIB version: 1.2.11

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.2  <Build 1>
           Preprocessor Object: SF_S7COMMPLUS  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>

Total snort Fixed Memory Cost - MaxRss:63084
Snort successfully validated the configuration!
Snort exiting

MaxRss at the end of detection rules:62820

--== Initialization Complete ==--

,,_ -*> Snort! <*-

o" )~ Version 2.9.20 GRE (Build 82) x86_64

'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team

Using libpcap version 1.10.1 (with TPACKET_V3)

Using PCRE version: 8.45 2021-06-15

Using ZLIB version: 1.2.11

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1>

Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1>

Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>

Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>

Preprocessor Object: SF_GTP Version 1.1 <Build 1>

Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>

Preprocessor Object: SF_SIP Version 1.1 <Build 1>

Preprocessor Object: SF_SDF Version 1.1 <Build 1>

Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>

Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>

Preprocessor Object: SF_DNS Version 1.1 <Build 4>

Preprocessor Object: SF_SSH Version 1.1 <Build 3>

Preprocessor Object: SF_SMTP Version 1.1 <Build 9>

Preprocessor Object: SF_IMAP Version 1.0 <Build 1>

Preprocessor Object: SF_POP Version 1.0 <Build 1>

Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>

Total snort Fixed Memory Cost - MaxRss:63084

Snort successfully validated the configuration!

Snort exiting

ERROR: /etc/snort/rules/snort.conf(292) => Unable to open the IIS Unicode Map file '/etc/snort/rules/unicode.map'.
上記のようなエラーが出る場合は、該当ファイルを次のようにコピーしてください

# cp /root/snort_src/snort-2.9.20/etc/classification.config /etc/snort/rules/
# cp /root/snort_src/snort-2.9.20/etc/reference.config /etc/snort/rules/
# cp /root/snort_src/snort-2.9.20/etc/threshold.conf /etc/snort/rules/
# cp /root/snort_src/snort-2.9.20/etc/unicode.map /etc/snort/rules/

# cp /root/snort_src/snort-2.9.20/etc/classification.config /etc/snort/rules/

# cp /root/snort_src/snort-2.9.20/etc/reference.config /etc/snort/rules/

# cp /root/snort_src/snort-2.9.20/etc/threshold.conf /etc/snort/rules/

# cp /root/snort_src/snort-2.9.20/etc/unicode.map /etc/snort/rules/

また、「/etc/snort/rules/snort.conf(325) => Invalid keyword '}'」エラーが出る場合
該当行
decompress_swf { deflate lzma } \　　をコメントにしてください
# decompress_swf { deflate lzma } \

②作動テストの準備

「local.rules」を開き、テスト用に「alert icmp any any -> $HOME_NET any (msg: "ICMP test"; sid:10000001; rev:001;) 」という行を入力

# vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

1 2	# vi /etc/snort/rules/local.rules alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

③Snortをターミナルでテストする

「ip addr」コマンドでネットワークインターフェースを先に確認し、コンソールまたはターミナルでSnortを起動する

# snort -A console -i eth0 -u snort -g snort -c /etc/snort/rules/snort.conf

1	# snort -A console -i eth0 -u snort -g snort -c /etc/snort/rules/snort.conf

同じネットワーク内のPCから本サーバーにpingするとサーバーのコンソール内に次のように表示される

Commencing packet processing (pid=58903)
09/15-16:03:22.708166  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
09/15-16:03:22.708241  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
09/15-16:03:23.722097  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
09/15-16:03:23.722133  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
09/15-16:03:24.727786  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
09/15-16:03:24.727866  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
09/15-16:03:25.748526  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
09/15-16:03:25.748657  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20

Commencing packet processing (pid=58903)

09/15-16:03:22.708166 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83

09/15-16:03:22.708241 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20

09/15-16:03:23.722097 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83

09/15-16:03:23.722133 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20

09/15-16:03:24.727786 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83

09/15-16:03:24.727866 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20

09/15-16:03:25.748526 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83

09/15-16:03:25.748657 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20

1.8 ログファイルの確認

# ls -l /var/log/snort/
total 4
-rw------- 1 snort snort 744 Jan 10 19:02 snort.log.1641808940
# snort -r /var/log/snort/snort.log.1641808940

# ls -l /var/log/snort/

total 4

-rw------- 1 snort snort 744 Jan 10 19:02 snort.log.1641808940

# snort -r /var/log/snort/snort.log.1641808940

1.9 「snort.service」の作成

# vi /usr/lib/systemd/system/snort.service

1	# vi /usr/lib/systemd/system/snort.service

ネットワークインターフェース「eth0」は各自環境に合わし、次の内容にする

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/rules/snort.conf -i eth0

[Install]
WantedBy=multi-user.target

[Unit]

Description=Snort NIDS Daemon

After=syslog.target network.target

[Service]

Type=simple

ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/rules/snort.conf -i eth0

[Install]

WantedBy=multi-user.target

最後にSnortサービスの開始、停止、ステータス

# systemctl daemon-reload
# systemctl start snort
# systemctl status snort

● snort.service - Snort NIDS Daemon
     Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-09-15 16:08:49 JST; 6s ago
   Main PID: 59018 (snort)
      Tasks: 2 (limit: 2245)
     CGroup: /system.slice/snort.service
             mq 59018 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/rules/snort.conf -i eth0

Sep 15 16:08:49 Lepard systemd[1]: Started Snort NIDS Daemon.

# systemctl daemon-reload

# systemctl start snort

# systemctl status snort

● snort.service - Snort NIDS Daemon

Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled)

Active: active (running) since Thu 2022-09-15 16:08:49 JST; 6s ago

Main PID: 59018 (snort)

Tasks: 2 (limit: 2245)

CGroup: /system.slice/snort.service

mq 59018 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/rules/snort.conf -i eth0

Sep 15 16:08:49 Lepard systemd[1]: Started Snort NIDS Daemon.

ページのトップへ