실습> CentOS 7에서 snort 설치하기
-- 실습 순서 --
1. EPEL 저장소 설치
2. 패키지 설치
3. 패키지 확인
4. snort 다운로드
5. 컴파일 및 설치
6. 설치 확인
7. rule 다운로드
8. 설정파일 수정
9. 사용자 계정 추가 및 권한설정
10. 룰 주석 설정
11. snort 설정 확인
12. 룰 설정 확인
13. 로그 확인
-- 실습 순서 --
*** 만약 CentOS 7 에서 설치하는 것은 http://snort.org 홈페이지에서 설치에 대한
*** 내용을 참고하면 된다.
*** 메인 -> Get Started -> CentOS
-- iptables 룰 정책 --
# systemctl stop firewalld
# systemctl stop iptables
-- iptables 룰 정책 --
1. EPEL 저장소 설치
EPEL(Extra Packages for Enterprise Linux) 저장소를 설치한다.
# yum -y install epel-release
2. 패키지 설치
snort 를 설치하기 위한 필요한 패키지를 설치한다.
# yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump
# yum -y install libpcap-devel libdnet libnet-devel
3. 패키지 확인
패키지들의 설치여부를 확인한다.
설치여부를 확인할 때 패키지가 설치되어 있지 않습니다라는 메세지가 나오면 설치를 해야한다.
# rpm -q gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump
4. snort 다운로드
https://www.snort.org/#get-started 홈페이지에 설치에 대한 내용이 있음.
아래 두 개의 파일을 리눅스 /root 디렉터리로 옮겨놓는다.
daq-2.0.6.tar.gz
snort-2.9.11.1.tar.gz
5. 컴파일 및 설치
/root 디렉터리에서 다운로드 받아서 설치를 진행한다.
--enable-sourcefire : 특정 빌드 옵션 사용(--enable-perfprofiling 과 --enable-ppm를 통합한 옵션)
--enable-ppm : 패킷 / 규칙 성능 모니터를 활성화
--enable-perfprofiling : 전 처리기 및 규칙 성능 프로파일링 사용
현재 시간을 설정하고 컴파일한다.
rdate 의 시간설정이 안되면 date 명령어서 시간을 설정한다.
# yum -y install rdate
# rdate -s time.bora.net
# tar xzf daq-2.0.6.tar.gz
# cd daq-2.0.6
# ./configure && make && make install
# cd ..
# tar xzf snort-2.9.11.1.tar.gz
# cd snort-2.9.11.1
# ./configure --enable-sourcefire && make && make install
# cd ..
# ls -l /usr/local/bin
합계 10312
-rwxr-xr-x. 1 root root 600 1월 13 19:43 daq-modules-config
-rwxr-xr-x. 1 root root 10483104 1월 13 19:45 snort
-rwxr-xr-x. 1 root root 26408 1월 13 19:45 u2boat
-rwxr-xr-x. 1 root root 36872 1월 13 19:45 u2spewfoo
6. 설치 확인
# snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.11.1 GRE (Build 268)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.32 2012-11-30
Using ZLIB version: 1.2.7
DAQ 는 기존 패킷 참조 방식을 대체 하는 역할을 하며, 더욱 쉽게 패킷 캡처를 구현하게 한다.
# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
7. rule 다운로드
snort 제작사 Cisco에서는 snort가 최신 공격패턴을 탐지할 수 있도록 룰셋을 만들어서 배포하며
룰셋은 커뮤니티 버전(무료), 일반가입자 버전(무료), 구독자 버전(유료) 3가지가 존재한다.
유료가입자는 기술 지원과 함께 바로 룰셋 업데이트를 적용 받지만 일반 사용자는 30일이 지난 후
동일한 룰셋을 다운받을 수 있다.)
Community rules : 커뮤니티 버전(무료)으로 누구나 다운로드 받을 수 있다.
Registered rules : 일반가입자 버전(무료)으로 회원등록 후 다운로드 받을 수 있다.
Subscriber rules : 구독자 버전(유료)으로 비용을 지불해야 다운로드 받을 수 있다.
/etc/snort 디렉터리를 생성한다.
# mkdir /etc/snort
# cd /etc/snort
# cp ~/snort-2.9.11.1/etc/* .
snort 사이트에서 community rules 파일을 다운로드 받는다.
# yum -y install wget
# wget https://www.snort.org/downloads/community/community-rules.tar.gz
# tar xzf community-rules.tar.gz
룰 디렉토리를 생성한다.
# mkdir rules
화이트리스트 룰과 블랙리스트 룰 파일을 생성한다.
화이트리스트 룰 : 신뢰할 수 있는 룰(허용할 룰)을 설정하는 방식
블랙리스트 룰 : 신뢰하지 않는 룰(거부할 룰)을 설정하는 방식
# touch rules/white_list.rules
# touch rules/black_list.rules
# ls -l rules/
합계 0
-rw-r--r--. 1 root root 0 1월 13 20:04 black_list.rules
-rw-r--r--. 1 root root 0 1월 13 20:04 white_list.rules
8. 설정파일 수정
var HOME_NET : snort 에서 탐지할 목적지 ip 주소를 설정한다.(192.168.108.100/24)
var EXTERNAL_NET : snort 에서 탐지할 출발지 ip 주소를 설정한다.(any)
var RULE_PATH : 룰 파일이 저장된 디렉터리를 지정한다.
/etc/snort/snort.conf 파일을 열어서 설정에 대한 내용을 수정한다.
# vi snort.conf
-- snort.conf --
:
:(생략)
#ipvar HOME_NET any
# 자신의 IP주소를 ifconfig 로 확인해서 HOME_NET에 설정한다.
ipvar HOME_NET 192.168.108.100/24
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
#var RULE_PATH ../rules
var RULE_PATH /etc/snort/rules
#var SO_RULE_PATH ../so_rules
var SO_RULE_PATH /etc/snort/so_rules
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# 547번 라인근처에 $RULE_PATH 부분
# local.rules 는 빼고 나머지는 모두 주석으로 처리한다.
# vi 에서 한번에 주석처리하기 : :시작줄번호,끝줄번호s/^/#
# 스크립트로 작성하면 sed 를 이용해서 자동화 처리를 이용할 수 있다.
# 549라인 ~ 652라인까지 주석으로 막아준다.
# :549,652s/^/#
include $RULE_PATH/local.rules
:
: 나머지 룰 파일들을 모두 주석으로 처리한다.
:(생략)
-- snort.conf --
9. 사용자 계정 추가 및 권한설정
snort 를 실행할 사용자를 생성하고 /etc/snort 디렉토리는 snort 사용자만 접근할
수 있게 허가권의 접근 권한을 설정한다.
# useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS
# chown -R snort:snort /etc/snort
# chmod 700 /etc/snort
# ls -ld /etc/snort
drwx------. 4 snort snort 4096 1월 13 20:10 /etc/snort/
10. 룰 주석설정
설정에 기본적으로 들어있는 룰중에서 없는 룰파일들은 주석으로 처리한다.
254번 라인 근처의 dynamicdetection 부분을 주석처리한다.
# vi snort.conf
-- snort.conf --
:
:(생략)
# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules
:
:(생략)
-- snort.conf --
/etc/snort/rules/local.rules 파일을 생성한다.
# touch /etc/snort/rules/local.rules
11. snort 설정확인
설정파일 실패 : 설정파일 테스트 후 Fatal Error, Quitting.. 메세지가 출력되고 종료된다.
설정파일 성공 : 설정파일 테스트 후 Snort successfully validated the configuration! 메세지가 출력되고 종료된다.
자신의 인터페이스를 확인한 후 사용한다.
snort --help 옵션을 이용해서 도움말을 확인한다.
# snort --help
,,_ -*> Snort! <*-
o" )~ Version 2.9.11.1 GRE (Build 268)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.4.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
USAGE: snort [-options] <filter options>
Options:
-A Set alert mode: fast, full, console, test or none (alert file alerts only)
"unsock" enables UNIX socket logging (experimental).
-b Log packets in tcpdump format (much faster!)
-B <mask> Obfuscated IP addresses in alerts and packet dumps using CIDR mask
-c <rules> Use Rules File <rules>
-C Print out payloads with character data only (no hex)
-d Dump the Application Layer
-D Run Snort in background (daemon) mode
-e Display the second layer header info
-f Turn off fflush() calls after binary log writes
-F <bpf> Read BPF filters from file <bpf>
-g <gname> Run snort gid as <gname> group (or gid) after initialization
-G <0xid> Log Identifier (to uniquely id events for multiple snorts)
-h <hn> Set home network = <hn>
(for use with -l or -B, does NOT change $HOME_NET in IDS mode)
-H Make hash tables deterministic.
-i <if> Listen on interface <if>
-I Add Interface name to alert output
-k <mode> Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K <mode> Logging mode (pcap[default],ascii,none)
-l <ld> Log to directory <ld>
-L <file> Log to this tcpdump file
-M Log messages to syslog (not alerts)
-m <umask> Set umask = <umask>
-n <cnt> Exit after receiving <cnt> packets
-N Turn off logging (alerts still work)
-O Obfuscate the logged IP addresses
-p Disable promiscuous mode sniffing
-P <snap> Set explicit snaplen of packet (default: 1514)
-q Quiet. Don't show banner and status report
-Q Enable inline mode operation.
-r <tf> Read and process tcpdump file <tf>
-R <id> Include 'id' in snort_intf<id>.pid file name
-s Log alert messages to syslog
-S <n=v> Set rules file variable n equal to value v
-t <dir> Chroots process to <dir> after initialization
-T Test and report on the current Snort configuration
-u <uname> Run snort uid as <uname> user (or uid) after initialization
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-X Dump the raw packet data starting at the link layer
-x Exit if Snort configuration problems occur
-y Include year in timestamp in the alert and log files
-Z <file> Set the performonitor preprocessor file path and name
-? Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
--logid <0xid> Same as -G
--perfmon-file <file> Same as -Z
--pid-path <dir> Specify the directory for the Snort PID file
--snaplen <snap> Same as -P
--help Same as -?
--version Same as -V
--alert-before-pass Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
--treat-drop-as-alert Converts drop, sdrop, and reject rules into alert rules during startup
--treat-drop-as-ignore Use drop, sdrop, and reject rules to ignore session traffic when not inline.
--process-all-events Process all queued events (drop, alert,...), default stops after 1st action group
--enable-inline-test Enable Inline-Test Mode Operation
--dynamic-engine-lib <file> Load a dynamic detection engine
--dynamic-engine-lib-dir <path> Load all dynamic engines from directory
--dynamic-detection-lib <file> Load a dynamic rules library
--dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
--dump-dynamic-rules <path> Creates stub rule files of all loaded rules libraries
--dynamic-preprocessor-lib <file> Load a dynamic preprocessor library
--dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
--dynamic-output-lib <file> Load a dynamic output library
--dynamic-output-lib-dir <path> Load all dynamic output libraries from directory
--create-pidfile Create PID file, even when not in Daemon mode
--nolock-pidfile Do not try to lock Snort PID file
--no-interface-pidfile Do not include the interface name in Snort PID file
--disable-attribute-reload-thread Do not create a thread to reload the attribute table
--pcap-single <tf> Same as -r.
--pcap-file <file> file that contains a list of pcaps to read - read mode is implied.
--pcap-list "<list>" a space separated list of pcaps to read - read mode is implied.
--pcap-dir <dir> a directory to recurse to look for pcaps - read mode is implied.
--pcap-filter <filter> filter to apply when getting pcaps from file or directory.
--pcap-no-filter reset to use no filter when getting pcaps from file or directory.
--pcap-loop <count> this option will read the pcaps specified on command line continuously.
for <count> times. A value of 0 will read until Snort is terminated.
--pcap-reset if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
--pcap-reload if reading multiple pcaps, reload snort config between pcaps.
--pcap-show print a line saying what pcap is currently being read.
--exit-check <count> Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
takes from signaling until DAQ_Stop() is called.
--conf-error-out Same as -x
--enable-mpls-multicast Allow multicast MPLS
--enable-mpls-overlapping-ip Handle overlapping IPs within MPLS clouds
--max-mpls-labelchain-len Specify the max MPLS label chain
--mpls-payload-type Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
--require-rule-sid Require that all snort rules have SID specified.
--daq <type> Select packet acquisition module (default is pcap).
--daq-mode <mode> Select the DAQ operating mode.
--daq-var <name=value> Specify extra DAQ configuration variable.
--daq-dir <dir> Tell snort where to find desired DAQ.
--daq-list[=<dir>] List packet acquisition modules available in dir. Default is static modules only.
--dirty-pig Don't flush packets and release memory on shutdown.
--cs-dir <dir> Directory to use for control socket.
--ha-peer Activate live high-availability state sharing with peer.
--ha-out <file> Write high-availability events to this file.
--ha-in <file> Read high-availability events from this file on startup (warm-start).
--suppress-config-log Suppress configuration information output.
-T : 테스트 옵션
-i : 인터페이스 옵션
-u : 사용자 옵션
-g : 그룹 옵션
-c : 설정파일 옵션
# snort -T -i ens33 -u snort -g snort -c /etc/snort/snort.conf
Running in Test mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
Detection:
Search-Method = AC-Full-Q
Split Any/Any group = enabled
Search-Method-Optimizations = enabled
Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: icmp4 normalizations disabled because not inline.
WARNING: ip6 normalizations disabled because not inline.
WARNING: icmp6 normalizations disabled because not inline.
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Bound Address: default
Target-based policy: WINDOWS
Fragment timeout: 180 seconds
Fragment min_ttl: 1
Fragment Anomalies: Alert
Overlap Limit: 10
Min fragment Length: 100
Max Expected Streams: 768
Stream global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 262144
TCP cache pruning timeout: 30 seconds
TCP cache nominal timeout: 3600 seconds
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: ACTIVE
Max UDP sessions: 131072
UDP cache pruning timeout: 30 seconds
UDP cache nominal timeout: 180 seconds
Track ICMP sessions: INACTIVE
Track IP sessions: INACTIVE
Log info if session memory consumption exceeds 1048576
Send up to 2 active responses
Wait at least 5 seconds between responses
Protocol Aware Flushing: ACTIVE
Maximum Flush Point: 16000
Stream TCP Policy config:
Bound Address: default
Reassembly Policy: WINDOWS
Timeout: 180 seconds
Limit on TCP Overlaps: 10
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Options:
Require 3-Way Handshake: YES
3-Way Handshake Timeout: 180
Detect Anomalies: YES
Reassembly Ports:
21 client (Footprint)
22 client (Footprint)
23 client (Footprint)
25 client (Footprint)
42 client (Footprint)
53 client (Footprint)
79 client (Footprint)
80 client (Footprint) server (Footprint)
81 client (Footprint) server (Footprint)
109 client (Footprint)
110 client (Footprint)
111 client (Footprint)
113 client (Footprint)
119 client (Footprint)
135 client (Footprint)
136 client (Footprint)
137 client (Footprint)
139 client (Footprint)
143 client (Footprint)
161 client (Footprint)
additional ports configured but not printed.
Stream UDP Policy config:
Timeout: 180 seconds
HttpInspect Config:
GLOBAL CONFIG
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
Memcap used for logging URI and Hostname: 150994944
Max Gzip Memory: 838860
Max Gzip Sessions: 1807
Gzip Compress Depth: 65535
Gzip Decompress Depth: 65535
DEFAULT SERVER CONFIG:
Server profile: All
Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
Server Flow Depth: 0
Client Flow Depth: 0
Max Chunk Length: 500000
Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
Max Header Field Length: 750
Max Number Header Fields: 100
Max Number of WhiteSpaces allowed with header folding: 200
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Normalize HTTP Headers: NO
Inspect HTTP Cookies: YES
Inspect HTTP Responses: YES
Extract Gzip from responses: YES
Decompress response files:
Unlimited decompression of gzip data from responses: YES
Normalize Javascripts in HTTP Responses: YES
Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
Normalize HTTP Cookies: NO
Enable XFF and True Client IP: NO
Log HTTP URI data: NO
Log HTTP Hostname data: NO
Extended ASCII code support in URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: NO
%U Encoding: YES alert: YES
Bare Byte: YES alert: NO
UTF 8: YES alert: NO
IIS Unicode: YES alert: NO
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: NO
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Legacy mode: NO
rpc_decode arguments:
Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
alert_fragments: INACTIVE
alert_large_fragments: INACTIVE
alert_incomplete: INACTIVE
alert_multiple_requests: INACTIVE
FTPTelnet Config:
GLOBAL CONFIG
Memcap 0
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: NO
Continue to check encrypted data: YES
TELNET CONFIG:
Ports: 23
Are You There Threshold: 20
Normalize: YES
Detect Anomalies: YES
FTP CONFIG:
FTP Server: default
Ports (PAF): 21 2100 3535
Check for Telnet Cmds: YES alert: YES
Ignore Telnet Cmd Operations: YES alert: YES
Ignore open data channels: NO
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Ignore Telnet Cmd Operations: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25 465 587 691
Inspection Type: Stateful
Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
Ignore Data: No
Ignore TLS Data: No
Ignore SMTP Alerts: No
Max Command Line Length: 512
Max auth Command Line Length: 1000
Max Specific Command Line Length:
ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
XUSR:246
Max Header Line Length: 1000
Max Response Line Length: 512
X-Link2State Alert: Yes
Drop on X-Link2State Alert: No
Alert on commands: None
Alert on unknown commands: No
SMTP Memcap: 838860
MIME Max Mem: 838860
Base64 Decoding: Enabled
Base64 Decoding Depth: Unlimited
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: Unlimited
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: Unlimited
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: Unlimited
Log Attachment filename: Enabled
Log MAIL FROM Address: Enabled
Log RCPT TO Addresses: Enabled
Log Email Headers: Enabled
Email Hdrs Log Depth: 1464
SSH config:
Autodetection: ENABLED
Challenge-Response Overflow Alert: ENABLED
SSH1 CRC32 Alert: ENABLED
Server Version String Overflow Alert: ENABLED
Protocol Mismatch Alert: ENABLED
Bad Message Direction Alert: DISABLED
Bad Payload Size Alert: DISABLED
Unrecognized Version Alert: DISABLED
Max Encrypted Packets: 20
Max Server Version String Length: 100
MaxClientBytes: 19600 (Default)
Ports:
22
DCE/RPC 2 Preprocessor Configuration
Global Configuration
DCE/RPC Defragmentation: Enabled
Memcap: 102400 KB
Events: co
SMB Fingerprint policy: Disabled
Server Default Configuration
Policy: WinXP
Detect ports (PAF)
SMB: 139 445
TCP: 135
UDP: 135
RPC over HTTP server: 593
RPC over HTTP proxy: None
Autodetect ports (PAF)
SMB: None
TCP: 1025-65535
UDP: 1025-65535
RPC over HTTP server: 1025-65535
RPC over HTTP proxy: None
Invalid SMB shares: C$ D$ ADMIN$
Maximum SMB command chaining: 3 commands
SMB file inspection: Disabled
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
SSLPP config:
Encrypted packets: not inspected
Ports:
443 465 563 636 989
992 993 994 995 7801
7802 7900 7901 7902 7903
7904 7905 7906 7907 7908
7909 7910 7911 7912 7913
7914 7915 7916 7917 7918
7919 7920
Server side data is trusted
Maximum SSL Heartbeat length: 0
Sensitive Data preprocessor config:
Global Alert Threshold: 25
Masked Output: DISABLED
SIP config:
Max number of sessions: 40000
Max number of dialogs in a session: 4 (Default)
Status: ENABLED
Ignore media channel: DISABLED
Max URI length: 512
Max Call ID length: 80
Max Request name length: 20 (Default)
Max From length: 256 (Default)
Max To length: 256 (Default)
Max Via length: 1024 (Default)
Max Contact length: 512
Max Content length: 2048
Ports:
5060 5061 5600
Methods:
invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack
IMAP Config:
Ports: 143
IMAP Memcap: 838860
MIME Max Mem: 838860
Base64 Decoding: Enabled
Base64 Decoding Depth: Unlimited
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: Unlimited
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: Unlimited
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: Unlimited
POP Config:
Ports: 110
POP Memcap: 838860
MIME Max Mem: 838860
Base64 Decoding: Enabled
Base64 Decoding Depth: Unlimited
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: Unlimited
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: Unlimited
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: Unlimited
Modbus config:
Ports:
502
DNP3 config:
Memcap: 262144
Check Link-Layer CRCs: ENABLED
Ports:
20000
Reputation config:
WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
0 Snort rules read
0 detection rules
0 decoder rules
0 preprocessor rules
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
| tcp udp icmp ip
| src 0 0 0 0
| dst 0 0 0 0
| any 0 0 0 0
| nc 0 0 0 0
| s+d 0 0 0 0
+----------------------------------------------------------------------------
+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------
+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------
+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
pcap DAQ configured to passive.
Acquiring network traffic from "ens33".
Set gid to 40000
Set uid to 40000
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.11.1 GRE (Build 268)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.32 2012-11-30
Using ZLIB version: 1.2.7
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.0 <Build 1>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Snort successfully validated the configuration!
Snort exiting
12. 스노트 룰 등록
local.rules 파일을 touch로 생성했으므로 그 안에 룰에 대한 설정 내용이 없기 때문에 이를 생성한다.
icmp 프로토콜이면 탐지하는 룰을 /etc/snort/rules/local.rules 파일에 저장한다.
# vi /etc/snort/rules/local.rules
alert icmp any any -> any any (msg:"ICMP ping test"; sid: 1000001;)
옵션에 -T 가 없으면 테스트가 아니라 실제 IDS를 구동하는 상태가 된다.
snort 를 실행하면 멈춰있는 상태로 놔둔다.
-i : 인터페이스 옵션
-u : 사용자 옵션
-g : 그룹 옵션
-c : 설정파일 옵션
-q : 조용히
# snort -i ens33 -u snort -g snort -c /etc/snort/snort.conf -q
13. 로그 확인
새 터미널을 열어서 로그파일을 확인한다.
# ls -l /var/log/snort/
합계 0
-rw-r--r--. 1 root root 0 1월 13 20:21 alert
-rw-------. 1 snort snort 0 1월 13 20:22 snort.log.1642072927
/var/log/snort/alert 파일을 실시간으로 모니터링 한다.
# tail -f /var/log/snort/alert
Host OS (192.168.108.1) 에서 192.168.108.100으로 직접 ping을 보내보고 탐지된 로그를 확인한다.
C:\Users\user1>ping 192.168.108.100
Ping 192.168.108.100 32바이트 데이터 사용:
192.168.108.100의 응답: 바이트=32 시간<1ms TTL=64
192.168.108.100의 응답: 바이트=32 시간<1ms TTL=64
192.168.108.100의 응답: 바이트=32 시간<1ms TTL=64
192.168.108.100의 응답: 바이트=32 시간=1ms TTL=64
192.168.108.100에 대한 Ping 통계:
패킷: 보냄 = 4, 받음 = 4, 손실 = 0 (0% 손실),
왕복 시간(밀리초):
최소 = 0ms, 최대 = 1ms, 평균 = 0ms
윈도우에서 ping을 보내면 alert 로그 파일에 정보가 기록되는걸 볼 수 있다.
# tail -f /var/log/snort/alert
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
01/13-20:24:40.289300 192.168.108.1 -> 192.168.108.100
ICMP TTL:128 TOS:0x0 ID:51823 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:166 ECHO
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
01/13-20:24:40.289390 192.168.108.100 -> 192.168.108.1
ICMP TTL:64 TOS:0x0 ID:7422 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:166 ECHO REPLY
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
01/13-20:24:41.303337 192.168.108.1 -> 192.168.108.100
ICMP TTL:128 TOS:0x0 ID:51824 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:167 ECHO
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
01/13-20:24:41.303380 192.168.108.100 -> 192.168.108.1
ICMP TTL:64 TOS:0x0 ID:7951 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:167 ECHO REPLY
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
01/13-20:24:42.320618 192.168.108.1 -> 192.168.108.100
ICMP TTL:128 TOS:0x0 ID:51827 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:168 ECHO
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
01/13-20:24:42.320648 192.168.108.100 -> 192.168.108.1
ICMP TTL:64 TOS:0x0 ID:8187 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:168 ECHO REPLY
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
01/13-20:24:43.335279 192.168.108.1 -> 192.168.108.100
ICMP TTL:128 TOS:0x0 ID:51829 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:169 ECHO
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
01/13-20:24:43.335319 192.168.108.100 -> 192.168.108.1
ICMP TTL:64 TOS:0x0 ID:8975 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:169 ECHO REPLY
^C <-- Ctrl을 눌러서 종료한다.
'Linux > 모의해킹' 카테고리의 다른 글
| snort rule 설정 시 주의할 점 (0) | 2022.01.13 |
|---|---|
| -A console 사용하기 (0) | 2022.01.13 |
| admin 디렉터리 접속 탐지하기 (0) | 2022.01.13 |
| Kali 에서 snort 설치하기 (+snort 란?) (0) | 2022.01.13 |
| positional arguments VS keyword arguments (0) | 2022.01.13 |