Snort3 インストール
Ubuntu22.04,23.04はデフォルトのユニバースリポジトリは下記の通りsnort2.9となっていますので、ソースコードからSnort3をビルド、コンパイルしてインストールします
1 2 3 4 5 6 7 |
# apt-cache policy snort snort: Installed: (none) Candidate: 2.9.15.1-6build1 Version table: 2.9.15.1-6build1 500 500 http://jp.archive.ubuntu.com/ubuntu lunar/universe amd64 Packages |
事前準備
①Ubuntuサーバーが最新で、最新のパッケージ・リストがあることを確認する
1 |
# apt update && apt dist-upgrade -y |
①ビルドとインストールに必要なビルドツールと依存関係のあるライブラリーをインストール。
1 |
# apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev -y |
②SNORT3のインストール作業ディレクトリー作成
1 |
# mkdir snort_src && cd snort_src |
③DAQのダウンロード、インストール
1 2 3 4 5 6 |
# git clone https://github.com/snort3/libdaq.git # cd libdaq # ./bootstrap # ./configure # make # make install |
④メモリ使用量の増加時の速度が向上のためgperftoolsインストール
1 2 3 4 5 6 7 |
# cd ../ # wget wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz # tar xzf gperftools-2.9.1.tar.gz # cd gperftools-2.9.1/ # ./configure # make # make install |
Snort3 ダウンロード、インストール
①Snort3をダウンロードしてインストール
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
# cd../ # wget https://github.com/snort3/snort3/archive/refs/heads/master.zip # apt install unzip # unzip master.zip # cd snort3-master # ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc ------------------------------------------------------- snort version 3.1.71.0 Install options: prefix: /usr/local includes: /usr/local/include/snort plugins: /usr/local/lib/snort Compiler options: CC: /usr/bin/cc CXX: /usr/bin/c++ CFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG CXXFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG EXE_LDFLAGS: MODULE_LDFLAGS: Feature options: DAQ Modules: Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace) libatomic: System-provided Hyperscan: OFF ICONV: ON Libunwind: ON LZMA: ON RPC DB: Built-in SafeC: OFF TCMalloc: ON JEMalloc: OFF UUID: ON NUMA: ON ------------------------------------------------------- -- Configuring done -- Generating done -- Build files have been written to: /root/snort_src/snort3-master/build |
1 2 3 |
# cd build # make # make install |
②共有ライブラリを更新
1 |
# ldconfig |
④Snortが正しく実行されることを確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# snort -V ,,_ -*> Snort++ <*- o" )~ Version 3.1.71.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.12 Using LuaJIT version 2.1.0-beta3 Using OpenSSL 3.0.8 7 Feb 2023 Using libpcap version 1.10.3 (with TPACKET_V3) Using PCRE version 8.39 2016-06-14 Using ZLIB version 1.2.13 Using LZMA version 5.4.1 |
⑤デフォルトの設定ファイルでSnortのインストールをテストする
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 |
# snort -c /usr/local/etc/snort/snort.lua -------------------------------------------------- o")~ Snort++ 3.1.71.0 -------------------------------------------------- Loading /usr/local/etc/snort/snort.lua: Loading snort_defaults.lua: Finished snort_defaults.lua: active alerts daq decode host_cache host_tracker hosts network packets process search_engine so_proxy stream stream_ip stream_icmp stream_tcp stream_udp stream_user stream_file arp_spoof back_orifice dns imap netflow normalizer rpc_decode sip ssh cip dnp3 iec104 mms modbus s7commplus dce_smb dce_tcp dce_udp dce_http_proxy dce_http_server port_scan smtp ftp_server ftp_client ftp_data http_inspect http2_inspect output file_policy js_norm wizard ips references binder appid file_id gtp_inspect telnet ssl pop trace classifications Finished /usr/local/etc/snort/snort.lua: Loading file_id.rules_file: Loading file_magic.rules: Finished file_magic.rules: Finished file_id.rules_file: -------------------------------------------------- ips policies rule stats id loaded shared enabled file 0 208 0 208 /usr/local/etc/snort/snort.lua -------------------------------------------------- rule counts total rules loaded: 208 text rules: 208 option chains: 208 chain headers: 1 -------------------------------------------------- service rule counts to-srv to-cli file_id: 208 208 total: 208 208 -------------------------------------------------- fast pattern groups to_server: 1 to_client: 1 -------------------------------------------------- search engine (ac_bnfa) instances: 2 patterns: 416 pattern chars: 2508 num states: 1778 num match states: 370 memory scale: KB total memory: 68.5879 pattern memory: 18.6973 match list memory: 27.3281 transition memory: 22.3125 appid: MaxRss diff: 3328 appid: patterns loaded: 300 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
Snort3を構成する
①Snortがリッスンするインターフェースの名前を確認
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# ip address 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 08:00:27:7d:32:c2 brd ff:ff:ff:ff:ff:ff inet 192.168.11.83/24 brd 192.168.11.255 scope global enp0s3 valid_lft forever preferred_lft forever inet6 fe80::a00:27ff:fe7d:32c2/64 scope link valid_lft forever preferred_lft forever |
Snortを実行するWANインターフェイスfはenp0s3である
➁ネットワークインターフェイスカードを構成
Snortが1518バイトを超える大きなパケットを切り捨てないよう、インターフェイスオフロードを無効にする
現状の確認
1 2 3 |
# ethtool -k enp0s3 | grep receive-offload generic-receive-offload: on large-receive-offload: off [fixed] |
GROがonになっているのてこれを無効にする
1 |
# ethtool -K enp0s3 gro off lro off |
システムの再起動後も変更が反映するように、systemdサービスを作成して有効にする
1 |
# vi /etc/systemd/system/snort3-promisc.service |
snort3-promisc.serviceの内容
1 2 3 4 5 6 7 8 9 10 11 12 13 |
[Unit] Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot After=network.target [Service] Type=oneshot ExecStart=/usr/sbin/ip link set dev enp0s3 promisc on ExecStart=/usr/sbin/ethtool -K enp0s3 gro off lro off TimeoutStartSec=0 RemainAfterExit=yes [Install] WantedBy=default.target |
設定をリロードし、起動時にサービスを開始、有効にする
1 2 |
# systemctl daemon-reload # systemctl enable --now snort3-promisc.service |
ルールセットを構成
今回はコミュニティールールとローカルルールセットします
①Snortのルールに必要なフォルダとファイルを作成
1 2 3 4 5 6 |
# mkdir /usr/local/etc/rules # mkdir /usr/local/etc/so_rules/ # mkdir /usr/local/etc/lists/ # touch /usr/local/etc/rules/local.rules # touch /usr/local/etc/lists/default.blocklist # mkdir /var/log/snort |
ローカルルールを作成
①ICMPトラフィックを検出するルールを追加するため、local.rulesファ イルに記述
1 2 3 |
# vi /usr/local/etc/rules/local.rules 以下を記入 alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; ) |
➁テスト実行
1 |
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules |
正常であれば出力は次の行で終わる
1 2 |
Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
➂インターフェイス(enp0s3をインターフェイス名に置き換えてください)の検出モードで Snortを実行し、次のコマンドを入力してすべてのアラームをコンソールにログ記録します:
1 |
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s3 -A alert_fast -s 65535 -k none |
同じネットワーク内の別のPCからサーバーにpingすると、コンソール画面に以下のように表示される
1 2 3 4 5 6 7 8 9 10 11 |
++ [0] enp0s3 10/06-15:07:23.324577 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 10/06-15:07:23.326369 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 10/06-15:07:24.327428 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 10/06-15:07:24.327498 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 10/06-15:07:25.331815 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 10/06-15:07:25.331890 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 10/06-15:07:26.336476 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 10/06-15:07:26.336549 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 10/06-15:07:32.801404 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} fe80::9296:f3ff:fe21:9900 -> ff02::1 10/06-15:07:59.929473 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} fe80::9296:f3ff:fe21:9900 -> ff02::1 |
Ctrl-CでSnortを停止する
④ローカルルールをsnort.luaに含めるため、snort.luaファイルを編集
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# vi /usr/local/etc/snort/snort.lua 183行目のipsセクション内 186行目コメント解除 enable_builtin_rules = true, 187行目 : 追記(include = RULE_PATH .. "/local.rules",) ips = { -- use this to enable decoder and inspector alerts enable_builtin_rules = true, include = RULE_PATH .. "/local.rules", -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables } |
⑤Snortを実行する
1 |
# snort -c /usr/local/etc/snort/snort.lua -i enp0s3 -A alert_fast -s 65535 -k none |
同じネットワーク内の別のPCからサーバーにpingすると、アラームがコンソールに書き換わる
コミュニティルールを作成
①Snort3コミュニティルールをダウンロードしてルールディレクトリに保存
1 2 3 4 5 6 7 |
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/etc/rules/ # ls -1 /usr/local/etc/rules/snort3-community-rules/ AUTHORS LICENSE sid-msg.map snort3-community.rules VRT-License.txt |
➁構成ファイルを編集
1 2 3 4 5 |
# vi /usr/local/etc/snort/snort.lua # 24行目 : 自ネットワークに変更 HOME_NET = '192.168.11.0/24' # 28行目 : 変更 EXTERNAL_NET = '!$HOME_NET' |
➂ルールへのパスを更新
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# vi /usr/local/etc/snort/snort.lua 183行目のipsブロック 188行目あたり : 追記(include= RULE_PATH .. "/snort3-community-rules/snort3-community.rules") ips = { -- use this to enable decoder and inspector alerts enable_builtin_rules = true, include = RULE_PATH .. "/local.rules", include= RULE_PATH .. "/snort3-community-rules/snort3-community.rules", -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables } |
SnortOpenAppIDのインストール
①OpenAppID検出器パッケージをダウンロード
1 2 3 |
# wget https://snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz # tar -xzvf OpenAppId-33380.tgz # cp -R odp /usr/local/lib/ |
➁Snort設定ファイルを編集
1 2 3 4 5 6 7 8 9 10 |
# vi /usr/local/etc/snort/snort.lua # 101行目あたり : 追記 appid = { -- appid requires this to use appids in rules --app_detector_dir = 'directory to load appid detectors from' app_detector_dir = '/usr/local/lib', log_stats = true, } |
➂構成のチェック
1 |
# snort -c /usr/local/etc/snort/snort.lua |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 |
-------------------------------------------------- o")~ Snort++ 3.1.71.0 -------------------------------------------------- Loading /usr/local/etc/snort/snort.lua: Loading snort_defaults.lua: Finished snort_defaults.lua: active alerts daq decode host_cache host_tracker hosts network process so_proxy stream stream_ip stream_icmp stream_tcp stream_udp stream_user stream_file arp_spoof back_orifice dns imap netflow normalizer ssl mms dce_smb dce_http_server smtp ftp_server ftp_client ftp_data http_inspect http2_inspect file_policy js_norm appid wizard binder alert_fast ips classifications references file_id port_scan gtp_inspect dce_http_proxy dce_udp dce_tcp s7commplus modbus trace iec104 dnp3 cip telnet ssh sip rpc_decode pop output search_engine packets Finished /usr/local/etc/snort/snort.lua: Loading file_id.rules_file: Loading file_magic.rules: Finished file_magic.rules: Finished file_id.rules_file: Loading ../rules/snort3-community-rules/snort3-community.rules: Finished ../rules/snort3-community-rules/snort3-community.rules: -------------------------------------------------- ips policies rule stats id loaded shared enabled file 0 4851 0 4851 /usr/local/etc/snort/snort.lua -------------------------------------------------- rule counts total rules loaded: 4851 text rules: 4230 builtin rules: 621 option chains: 4851 chain headers: 324 flowbits: 48 flowbits not checked: 23 -------------------------------------------------- port rule counts tcp udp icmp ip any 1094 58 147 22 src 170 15 0 0 dst 776 151 0 0 both 6 11 0 0 total 2046 235 147 22 -------------------------------------------------- service rule counts to-srv to-cli dcerpc: 72 20 dhcp: 2 2 dns: 28 7 file_id: 208 208 ftp: 90 4 ftp-data: 1 97 http: 2083 256 http2: 2083 256 http3: 2083 256 imap: 35 118 irc: 5 2 kerberos: 5 0 ldap: 0 1 mysql: 3 0 netbios-dgm: 1 1 netbios-ns: 4 3 netbios-ssn: 69 17 nntp: 2 0 pop3: 23 118 rdp: 5 0 sip: 5 5 smtp: 130 2 snmp: 18 7 ssdp: 3 0 ssl: 20 42 sunrpc: 68 4 telnet: 12 6 tftp: 1 0 wins: 1 0 total: 7060 1432 -------------------------------------------------- fast pattern groups src: 114 dst: 312 any: 8 to_server: 72 to_client: 49 -------------------------------------------------- search engine (ac_bnfa) instances: 338 patterns: 10780 pattern chars: 175085 num states: 123102 num match states: 10499 memory scale: MB total memory: 3.68259 pattern memory: 0.577876 match list memory: 1.3343 transition memory: 1.72915 fast pattern only: 7103 appid: MaxRss diff: 227584 appid: patterns loaded: 11537 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
④Snortのlocal.rulesファイルに次の行を追加して、Facebookトラフィックを検出する新しいルールを追加する:
1 2 3 4 5 |
# vi /usr/local/etc/rules/local.rules alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; ) 下記を追加 alert tcp any any -> any any ( msg:"Facebook Detected"; appids:"Facebook"; sid:10000002; metadata:policy security-ips alert; ) |
⑤local.rulesファイルの構文をチェック
1 |
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules |
⑥Snortを実行
1 |
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s3 -A alert_fast -s 65535 -k none |
新たに別にコンソール画面を開きFacebookに接続すると元のコンソール画面に下記のような表示が出る
1 |
# wget facebook.com |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
10/07-09:47:04.183468 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.183468 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.183468 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.183703 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443 10/07-09:47:04.188851 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.188908 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443 10/07-09:47:04.188851 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.188851 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.188851 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.188851 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.189135 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443 10/07-09:47:04.194226 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.194283 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443 10/07-09:47:04.194226 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.194226 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.194226 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.194226 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.194384 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443 10/07-09:47:04.198755 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.200553 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443 10/07-09:47:04.206301 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052 10/07-09:47:04.206314 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443 |
Snortログの設定
①snort.lua設定ファイル編集
1 2 3 4 5 6 7 8 9 |
# vi /usr/local/etc/snort/snort.lua 249行目の-- 7. configure outputsセクション内で alert_fastを書き換える alert_fast = { file = true, packet = false, limit = 10, } |
➁構文をチェック
1 |
# snort -c /usr/local/etc/snort/snort.lua |
➂オプション-A alert_fastなし、オプション-l /var/log/snortでログディレクトリを指定してSnortを実行
1 |
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s3 -l /var/log/snort -s 65535 -k none |
/var/log/snort/alert_fast.txtファイルに以下のアラートが表示される
1 |
# tail -f /var/log/snort/alert_fast.txt |
1 2 3 4 5 6 7 8 |
10/07-10:51:15.366241 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:46804 10/07-10:51:15.366241 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:46804 10/07-10:51:15.366241 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:46804 10/07-10:51:15.366466 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:46804 -> 157.240.209.35:443 10/07-10:51:15.374852 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:46804 10/07-10:51:15.376510 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:46804 -> 157.240.209.35:443 10/07-10:51:15.381214 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:46804 10/07-10:51:15.381276 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:46804 -> 157.240.209.35:443 |
バックグラウンドでSnortを実行
①Snortの非ログインシステムユーザーアカウントを作成
1 |
# useradd -r -s /usr/sbin/nologin -M -c SNORT_IDS snort |
②systemdサービスユニットを作成
1 |
# vi /etc/systemd/system/snort3.service |
snort3.serviceの内容
1 2 3 4 5 6 7 8 9 10 11 |
[Unit] Description=Snort Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i enp0s3 -m 0x1b -u snort -g snort ExecStop=/bin/kill -9 $MAINPID [Install] WantedBy=multi-user.target |
再起動
1 |
# systemctl daemon-reload |
ログファイルの所有権と権限を設定
1 2 |
# chmod -R 5775 /var/log/snort # chown -R snort:snort /var/log/snort |
③Snortを起動し、システム起動時に実行できるようにする
1 2 3 4 |
# systemctl enable --now snort3 Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service. # systemctl start snort3 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
● snort3.service - Snort Daemon Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: enabled) Active: active (running) since Sat 2023-10-07 11:05:01 JST; 1min 25s ago Main PID: 2145 (snort) Tasks: 2 (limit: 2201) Memory: 272.1M CPU: 5.008s CGroup: /system.slice/snort3.service mq2145 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i enp0s3 -m 0x1> Oct 07 11:05:01 lepard snort[2145]: num match states: 10499 Oct 07 11:05:01 lepard snort[2145]: memory scale: MB Oct 07 11:05:01 lepard snort[2145]: |