Fedora Linux core 4

套件:
。snort_inline-2.2.0a
。libnet-1.0.2a

[1.] 編譯 libnet
       wget http://www.packetfactory.net/libnet/dist/deprecated/libnet-1.0.2a.tar.gz
       tar zxvf libdnet-1.11.tar.gz
       cd libdnet-1.11
       ./configure
       make
       make install
 
    編譯 snort-inline
       wget http://nchc.dl.sourceforge.net/sourceforge/snort-inline/snort_inline-2.2.0a.tar.gz
       tar zxvf snort_inline-2.2.0a.tar.gz
       cd snort_inline-2.2.0a
       ./configure
       make
       make install

[Q1:] Compiling snort with inline, using Libnet

[root@localhost Libnet-1.0.2a]# make
sed -e 's/.*/#define VERSION "&"/' ./VERSION > version.h
gcc -O2 -funroll-loops -fomit-frame-pointer -Wall -DHAVE_CONFIG_H -c src/libnet_resolve.c -o src/libnet_resolve.o
In file included from src/libnet_resolve.c:36:
include/libnet.h:87:8: missing terminating " character
include/libnet.h:89:50: missing terminating " character
make: *** [src/libnet_resolve.o] Error 1

[A1:] vi Libnet-1.0.2a/include/libnet.h

/*註解第87至89行*/

[Q2:] [root@localhost snort_inline-2.2.0a]# ./configure

./configure: line 1: pcre-config: command not found
checking for pcre.h… no
ERROR! Libpcre header not found, go get it from
http://www.pcre.org

[A2:] 安裝pcre-devel套件

[Q3:] [root@localhost snort_inline-2.2.0a]# ./configure

checking for libipq.h… no
configure: error: libipq.h not found …

[A3:] 安裝iptables-devel套件

[Q4:] [root@localhost snort_inline-2.2.0a]# make （以下錯誤輸出引自另一台機器編譯 snort-2.0.5 的記錄，路徑與本機不同，錯誤訊息供對照）

gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src
-I/usr/include/pcap -I../../src/output-plugins
-I../../src/detection-plugins -I../../src/preprocessors -I/usr/include
-g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD
-DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f 'spo_alert_fast.c'
|| echo './'`spo_alert_fast.c
In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
from /usr/include/libipq.h:37,
from ../../src/inline.h:8,
from ../../src/snort.h:38,
from spo_alert_fast.c:51:
/usr/include/linux/if.h:59: redefinition of `struct ifmap'
/usr/include/linux/if.h:77: redefinition of `struct ifreq'
/usr/include/linux/if.h:126: redefinition of `struct ifconf'
make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory
`/home/matt/src/BUILD/snort-2.0.5/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/matt/src/BUILD/snort-2.0.5/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/matt/src/BUILD/snort-2.0.5'
make: *** [all] Error 2

[A4:] 上面的錯誤是 /usr/include/linux/if.h 裡的 struct ifmap/ifreq/ifconf 被重複定義，解法是把 /usr/include/linux 換成核心原始碼樹的標頭：
         cd /usr/include && mv linux linux.orig
         ln -s /usr/src/linux-2.4.22-1.2115.nptl/include/linux linux
      注意：路徑須改成本機實際安裝的核心原始碼（kernel-devel）版本，可用 uname -r 對照；2.4.22-1.2115.nptl 是引用自上述記錄的版本，未必與本機相同。另外，換掉 /usr/include/linux 會影響本機之後所有 C 程式的編譯，建議 snort_inline 編好後把 linux.orig 還原回來。

[Q5:] [root@localhost snort_inline-2.2.0a]# make

gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src
/output-plugins -I../../src/detection-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I.
./../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpI
nspect/include -I/usr/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_
ETHERNET_H -DLIBNET_LIL_ENDIAN -c spo_alert_fast.c
In file included from ../../src/snort.h:38,
from spo_alert_fast.c:51:
../../src/inline.h:8:20: libipq.h: No such file or directory
make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory `/root/snort_inline-2.2.0a/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/snort_inline-2.2.0a/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/snort_inline-2.2.0a'
make: *** [all-recursive-am] Error 2

[A5:] 安裝iptables-devel

[2.] 安裝、複製設定,設定檔放置目錄
         mkdir /etc/snort_inline
    
      rules放置目錄
         mkdir /etc/snort_inline/drop-rules
    
      log記錄放置目錄
         mkdir /var/log/snort_inline
    
      從tarball裡copy設定檔到/etc/snort_inline目錄裡
         cp snort_inline-2.2.0a/etc/* /etc/snort_inline/

[3.] Snort-Inline需搭配 iptables的 QUEUE
      載入模組
         modprobe ip_queue
    
      設定 iptables
          iptables -A INPUT -j QUEUE
          iptables -A OUTPUT -j QUEUE
          iptables -A FORWARD -j QUEUE

一 iptables的 script參考
      ref: http://ssorc.tw/?p=332

小技巧
   無 ips時
      iptables -A INPUT -p tcp –dport 80 –syn -m state –stae NEW -j ACCEPT
   有 ips時
      iptables -A INPUT -p tcp –dport 80 -j QUEUE

設定檔,基本上注意var變數、rules位置、及要過濾的rules
      vi /etc/snort_inline/snort_inline.conf

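# Variable definitions for /etc/snort_inline/snort_inline.conf.
# Check the var values, the rules path, and which rule files are included.

# Traffic to inspect: everything.
var HOME_NET any

# Every address NOT in this list is treated as external. Snort 2.x IP lists
# must not contain spaces, and the negation "!" sits directly in front of the
# bracket.
var EXTERNAL_NET ![10.1.1.3,10.0.0.0/8]

# Must be added by hand: snort_inline.conf does not define AIM_SERVERS, but the
# shipped rules reference it and Snort errors out on an undefined variable.
var AIM_SERVERS any

# Where the drop rules live.
var RULE_PATH /etc/snort_inline/drop-rules

# Rule files to load.
include $RULE_PATH/test.rules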

[4.] 執行,測試設定檔對不對
       snort_inline -QTc snort_inline.conf

      背景執行
       snort_inline -QDc snort_inline.conf

     或者參考 HoneyNet啟動 Snort-Inline的 script
       ref: http://ssorc.tw/?p=331
 
[Q1:] Snort-Inline無法啟動

Reading from iptables
Running in IDS mode
Log directory = /var/log/snort
Initializing Inline mode
InitInline: : Failed to send netlink message: Connection refused

[A1:] 原因是沒有載入 ip_queue 模組（「Failed to send netlink message: Connection refused」通常表示核心端沒有 ip_queue 在接收 netlink）。載入模組：
         insmod ip_queue

[Q2:] Log訊息

File size limit exceeded

[A2:] log 檔超過 2GB 的檔案大小限制了（常見原因是 32 位元程式未以 large-file 支援編譯，或 shell 的 ulimit -f 設了上限）。請用 logrotate 定期輪替 /var/log/snort_inline 下的 log，不要讓單一檔案無限制成長。

參數說明,用於 snort_inline.conf

# snort_inline.conf directives and their command-line equivalents.
config daemon                      # same as snort -D (run in the background)
config interface: eth0           # same as snort -i eth0
config logdir: /var/log/snort  # same as snort -l /var/log/snort
config nolog                          # same as snort -N: disable logging, alerts still fire
config set_gid: xxx               # same as snort -g xxx
config set_uid: xxx               # same as snort -u xxx
# NOTE(review): set both set_uid and set_gid so the sensor does not keep running
# as root after start-up; that user must be able to write the log directory.
config show_year                 # same as snort -y

[Q1:] snort_inline -TQc snort_inline.conf

ERROR: FLOWBITS ERROR: The number of flowbit IDs in the current ruleset exceed the maximum number of IDs that are allowed.
Fatal Error, Quitting..

[A1:] 在snort_inline.conf裡增加一行參數

config flowbits_size: 64

[Q2:]

ERROR: ERROR: We have to be in InlineMode() to use stickydrop
Fatal Error, Quitting..

[A2:] 執行或測試時,需要有 -Q參數

[Q3:] portscan 沒有記錄到資料庫
[A3:] 把 output database 的記錄類型由 log 改為 alert（portscan 的輸出是 alert 類型，用 log 收不到）。注意：output database 參數裡會放資料庫帳號密碼，snort_inline.conf 請設成只有 root 可讀（chmod 600）。

output database: alert, mysql, xxx

參考:
http://www.snort.org/
http://snort-inline.sourceforge.net/
http://www.honeynet.org/
http://linuxgazette.net/118/savage.html


作者

sorry fred,我剛在整理回文,不小心刪了你的回覆 —- 我補上如下 ====================== 1.我可直接就用snort_inline來完成我想要的ips功能可以嗎?還需要再裝snort嗎? 2.執行,測試設定檔對不對 snort_inline -QTc snort_inline.conf 背景執行 snort_inline -QDc snort_inline.conf 上述兩項性令執行都沒問題 不過假如執行下面令另的話 snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v 則會出現 ERROR: OpenAlerFile() => fopen( ) alert fuke /var/log/snort_inline- full: No such or directory 要改紀錄的路徑檔嗎?? 我找不到所以不知道如何設定 謝謝您!! ———————————————— snort_inline -QDc snort_inline.conf 這兩項命令也會出現一樣的問題 說錯了不好意思

    作者

    1。snort與snort_inline是同一個父母產生的,也是獨立的,所以安裝了snort_inline就不需要再安裝snort,只是snort_inline是這裡http://snort-inline.sourceforge.net/在開發的,不過snort_inline已不再繼續了,作者已轉向Suricata(http://www.openinfosecfoundation.org/)這個東西了,且我映像中www.snort.org的snort,也已在某一版本納入了inline功能,所以其實可以用snort就可以了。 2。還是你要先touch 一下 /var/log/snort_inline- full,我清測它是找不到這個檔案。不過我看你下了 -l /var/log/snort_inline/ -t /var/log/snort_inline/,或許你查一下conf檔是不是跟 -l -t 這參數的路徑相衝突了

    cross大大很感謝您熱心回覆問題,想再請教您一下 1. /var/log/snort_inline- full,這個有點不太懂要怎麼作耶 2.我有檢察conf檔,路徑是/etc/snort_inline下的conf檔,不過沒有看到對參數路徑的設定,想在麻煩您一下 真的很不好意思!!謝謝您

不好意思,可以請問一下snort_inline的rule也是在www.snort.org中下載嗎?還有rule要放的位置是/etc/snort_inline/drop_rules嗎??謝謝您

    作者

    1。是的,要註冊帳號去下載 2。是的,也可以從 conf檔去設定別的路徑
