2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article focuses on "Snort installation and configuration methods"; interested readers may wish to take a look. The method introduced here is simple, fast and practical. Now let the editor take you through the "Snort installation and configuration method"!
Brief introduction
Snort is a powerful network intrusion detection / prevention system (NIDS/NIPS). It is multi-platform, performs real-time traffic analysis, and can record network IP packets.
Snort uses a rule-matching mechanism to detect whether network packets violate a pre-configured security policy. Installed on a single host, it can monitor the whole shared network segment (provided the interface sees that traffic). Once an intrusion is detected there are several real-time alerting methods, such as sending the alert to the system log, to an alert file, or to the console. Snort can not only detect various network attacks, it also collects, analyses and logs network packets. Compared with expensive, large commercial products, Snort has a small footprint, is easy to install and configure, has flexible rules, and can be extended with plug-ins.
Composition
Snort consists mainly of a packet decoder (protocol analyser), a detection engine, and logging and alerting modules. The decoder parses packets up the protocol stack so that they can be handed to the detection engine for rule matching. The detection engine compares packet features against the rule files and triggers the configured response when a packet satisfies a rule. The logging module writes the decoded packets to log files in text or tcpdump binary format for later analysis; the binary format is faster to write. Alerts can be sent to the system log, written to an alert file in text or tcpdump binary format, or alerting can be turned off altogether. There are two ways to record an alert in the alert file: a full alert records all the packet header fields together with the alert message, while a fast alert records only some of the header fields.
Environment
Virtual machine: CentOS 7 (minimal installation)
Snort official website: https://www.snort.org/downloads
Download DAQ and Snort:
daq: https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
snort: https://www.snort.org/downloads/snort/snort-2.9.17.tar.gz
CentOS 7 minimal installation: bring up the network
1. ip addr # check the name of the network card
2. cd /etc/sysconfig/network-scripts/ # enter the directory of the network card configuration files
3. vi ifcfg-enXXX
4. find ONBOOT=no, change it to ONBOOT=yes, then save and exit
5. service network restart # restart the network service; if that does not work, use systemctl restart network
6. ip addr # check whether an IP address has been assigned
7. yum install net-tools # install the net-tools package, which provides the ifconfig command
8. ifconfig # confirm the IP

It is convenient to log in over SSH for the download and installation steps.

Install the build dependencies and download the sources:
yum install -y gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump openssl openssl-devel
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.17.tar.gz
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz

# extract to /usr/local/
tar -zxvf daq-2.0.7.tar.gz -C /usr/local/
tar -zxvf snort-2.9.17.tar.gz -C /usr/local/
tar -zxvf LuaJIT-2.0.5.tar.gz -C /usr/local/
cd /usr/local/

# daq install
cd daq-2.0.7/
./configure && make && sudo make install

# LuaJIT install
cd ../LuaJIT-2.0.5/
make && sudo make install

# snort install
cd ../snort-2.9.17/
./configure --enable-sourcefire && make && sudo make install

# create the Snort directories (run from inside /usr/local/snort-2.9.17/)
mkdir rules
mkdir rules/iplists
mkdir /usr/local/lib/snort_dynamicrules
mkdir so_rules

# create some files for rules and IP lists
touch rules/iplists/black_list.rules
touch rules/iplists/white_list.rules
touch rules/local.rules
touch sid-msg.map

# create the log directories
mkdir /var/log/snort
mkdir /var/log/snort/archived_logs

Modify the configuration file. Change HOME_NET to the IP segment your host is in:
vi /usr/local/snort-2.9.17/etc/snort.conf
ipvar HOME_NET 192.168.0.0/24 # around line 45; type :set number in vi to display line numbers
var RULE_PATH /usr/local/snort-2.9.17/rules
var SO_RULE_PATH /usr/local/snort-2.9.17/so_rules
var PREPROC_RULE_PATH /usr/local/snort-2.9.17/preproc_rules
var WHITE_LIST_PATH /usr/local/snort-2.9.17/rules/iplists
var BLACK_LIST_PATH /usr/local/snort-2.9.17/rules/iplists
include $RULE_PATH/local.rules # around line 550; enables local.rules (it is enabled by default)

If snort later complains that it cannot load libdaq or libluajit, the libraries were installed under /usr/local/lib; add that directory to the dynamic loader path (an entry under /etc/ld.so.conf.d/ followed by ldconfig) and try again.
Note: below include $RULE_PATH/local.rules the stock snort.conf includes many other rule files. Since those files are not present in this setup, Snort reports errors at startup; comment those include lines out (only local.rules needs to stay enabled for this test).
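The HOME_NET and path edits from the steps above, together with the note about commenting out includes whose rule files are missing, as an added worked example in Python. This script is not part of the article or of Snort: the snort.conf excerpt it runs on is a constructed fragment in the shape of the stock file, and the /usr/local/snort-2.9.17 layout and the script name fix_snort_conf.py are assumptions. Run it on the real file only after the rules directory has been created, because it comments out every `include $RULE_PATH/...` line whose file does not exist there.

```python
# Added example (not from the article or Snort): apply the snort.conf edits from the
# steps above to a constructed excerpt and comment out includes for rule files that
# do not exist, so that Snort does not fail at startup.
import os
import re
import sys

SNORT_HOME = "/usr/local/snort-2.9.17"   # assumption: the extract-to-/usr/local layout used above

# Where each path variable should point, relative to SNORT_HOME (as set in the article).
PATH_VARS = {
    "RULE_PATH": "rules",
    "SO_RULE_PATH": "so_rules",
    "PREPROC_RULE_PATH": "preproc_rules",
    "WHITE_LIST_PATH": "rules/iplists",
    "BLACK_LIST_PATH": "rules/iplists",
}

# Constructed excerpt in the shape of the stock snort.conf (not the full file).
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
"""


def configure(conf_text, home_net, existing_rule_files, snort_home=SNORT_HOME):
    """Return (new_conf_text, commented_out).

    - sets `ipvar HOME_NET <home_net>`
    - points the path variables at <snort_home>/...
    - comments out `include $RULE_PATH/<file>` when <file> is not in existing_rule_files
    """
    present = set(existing_rule_files)
    out, commented = [], []
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("ipvar HOME_NET "):
            line = f"ipvar HOME_NET {home_net}"
        m = re.match(r"var (\w+) ", s)
        if m and m.group(1) in PATH_VARS:
            line = f"var {m.group(1)} {snort_home}/{PATH_VARS[m.group(1)]}"
        m = re.match(r"include \$RULE_PATH/(\S+)", s)
        if m and m.group(1) not in present:
            commented.append(m.group(1))
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n", commented


def rule_files_in(rules_dir):
    """Names of the rule files that actually exist (empty if the directory is missing)."""
    return os.listdir(rules_dir) if os.path.isdir(rules_dir) else []


if __name__ == "__main__":
    # Usage: python fix_snort_conf.py <snort.conf> <HOME_NET cidr>; rewrites the file in place.
    path, home_net = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        text = fh.read()
    new_text, dropped = configure(text, home_net, rule_files_in(os.path.join(SNORT_HOME, "rules")))
    with open(path, "w") as fh:
        fh.write(new_text)
    print("commented out:", dropped)
```

The function keeps `include $RULE_PATH/local.rules` active as long as rules/local.rules exists, which is exactly the state the steps above leave the tree in; the list it returns tells you which includes were disabled so you can re-enable them once you add real rule files.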
# Test with a ping rule
vi /usr/local/snort-2.9.17/rules/local.rules
Enter:
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; gid:1; sid:10000001; rev:001; classtype:icmp-event;)

# Optionally check that the configuration parses cleanly before starting
sudo /usr/local/bin/snort -T -c /usr/local/snort-2.9.17/etc/snort.conf

# Start Snort with the rules; first confirm with ifconfig whether your network card is ethXX or ensXXX
sudo /usr/local/bin/snort -A console -q -c /usr/local/snort-2.9.17/etc/snort.conf -i ens192

Ping the host from another machine on the segment: each echo request should produce an "ICMP test detected" alert on the console.
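The rule-matching mechanism and the fast/full alert formats described in Composition, together with the ICMP test rule above, as an added worked example in Python. It is a toy written for this page, not Snort's own code: it parses the rule header and options, resolves $HOME_NET from an ipvar, matches constructed packets against the header, and renders an approximation of Snort's fast (one line) and full (multi-line) alert formats. The ipvar values, the packets and the timestamp are constructed; real Snort also evaluates payload options, ICMP type/code and port variables, which this toy ignores.

```python
# Added example (not Snort's code): a toy of Snort's rule-header matching with
# approximate "fast" and "full" alert output, run over constructed packets.
import ipaddress
import re
from dataclasses import dataclass

# Assumption: mirrors the article's `ipvar HOME_NET 192.168.0.0/24`.
IPVARS = {"HOME_NET": "192.168.0.0/24", "EXTERNAL_NET": "any"}

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str
    direction: str; dst: str; dport: str
    opts: dict                      # msg, sid, rev, gid, classtype, ...

@dataclass
class Packet:                       # only the header fields this toy looks at
    proto: str; src: str; sport: int
    dst: str; dport: int; ttl: int

def parse_rule(text):
    """Split a rule into its header fields and a dict of its options."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    opts = {}
    for item in m.group("opts").split(";"):   # toy: assumes no ';' inside a quoted value
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip().lower()] = val.strip().strip('"')
    return Rule(m.group("action"), m.group("proto").lower(), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"), opts)

def addr_matches(spec, ip):
    """Resolve $VAR, then handle negation, 'any', [a,b] lists and CIDR/host specs."""
    if spec.startswith("$"):
        spec = IPVARS[spec[1:]]
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(s.strip(), ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """'any', negation, a single port, or a lo:hi range (either bound may be empty)."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def header_matches(rule, pkt):
    """Protocol, then addresses and ports; '<>' also tries the reverse direction."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    forward = (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
               and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport))
    if forward or rule.direction == "->":
        return forward
    return (addr_matches(rule.src, pkt.dst) and port_matches(rule.sport, pkt.dport)
            and addr_matches(rule.dst, pkt.src) and port_matches(rule.dport, pkt.sport))

def alert_id(rule):                 # Snort prints [gid:sid:rev]
    return f"[{rule.opts.get('gid', '1')}:{rule.opts['sid']}:{int(rule.opts.get('rev', '1'))}]"

def fast_alert(rule, pkt, ts="06/01-12:00:00.000000"):
    """One line per alert, in the shape of Snort's fast format (approximation)."""
    return f"{ts}  [**] {alert_id(rule)} {rule.opts['msg']} [**] {{{pkt.proto.upper()}}} {pkt.src} -> {pkt.dst}"

def full_alert(rule, pkt, ts="06/01-12:00:00.000000"):
    """Multi-line alert carrying the header fields we have (approximation of full format)."""
    return "\n".join([f"[**] {alert_id(rule)} {rule.opts['msg']} [**]",
                      f"{ts} {pkt.src} -> {pkt.dst}", f"{pkt.proto.upper()} TTL:{pkt.ttl}", ""])

def run(rules_text, packets, mode="fast"):
    """Match every packet against every 'alert' rule and return the rendered alerts."""
    rules = [parse_rule(ln) for ln in rules_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    render = fast_alert if mode == "fast" else full_alert
    return [render(r, p) for p in packets for r in rules
            if r.action == "alert" and header_matches(r, p)]

# Constructed input: the article's ICMP test rule and three made-up packets.
LOCAL_RULES = """# local.rules (constructed copy of the test rule)
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; gid:1; sid:10000001; rev:001; classtype:icmp-event;)
"""
PACKETS = [
    Packet("icmp", "10.0.0.5", 0, "192.168.0.10", 0, 64),      # echo request into HOME_NET: alert
    Packet("icmp", "192.168.0.10", 0, "10.0.0.5", 0, 64),      # reply leaving HOME_NET: no alert ('->')
    Packet("tcp", "10.0.0.5", 40000, "192.168.0.10", 22, 64),  # wrong protocol: no alert
]

if __name__ == "__main__":
    for line in run(LOCAL_RULES, PACKETS, "fast") + run(LOCAL_RULES, PACKETS, "full"):
        print(line)
```

Only the first packet fires: the second is the echo reply leaving HOME_NET, which a one-directional `->` rule does not cover (a `<>` rule would), and the third is TCP. The `[1:10000001:1]` identifier in the output is the gid:sid:rev triple from the rule, which is what you look for when correlating console alerts with local.rules.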
At this point, I believe you have a deeper understanding of the "Snort installation and configuration method". You might as well try it out in practice. This is the end of the article; for more related content, see the relevant channels, follow us, and keep learning!