Snort installation and basic use

1 Install Ubuntu 16.04

2 Configure the network interface (eth1 or em1)

3 Install the Snort prerequisites

sudo apt-get install -y build-essential
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev
sudo apt-get install -y bison flex

Create a working directory:

mkdir ~/snort_src
cd ~/snort_src

Download the current DAQ release from snort.org (2.0.6 at the time of writing):

wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz

tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install

4 Install Snort

sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
sudo apt-get install -y libnghttp2-dev

cd ~/snort_src
wget https://snort.org/downloads/snort/snort-2.9.12.tar.gz
tar -xvzf snort-2.9.12.tar.gz

cd snort-2.9.12
./configure --enable-sourcefire
make
sudo make install

Refresh the shared library cache so the freshly installed DAQ and Snort libraries are found:

sudo ldconfig

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

snort -V

(prints the Snort version banner; if the command is not found, check the symlink above)

5 Configure Snort to run in NIDS mode

# Create the snort user and group (a system account with no login shell, used to drop privileges):

sudo groupadd snort

sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

# Create the Snort directories:

sudo mkdir /etc/snort

sudo mkdir /etc/snort/rules

sudo mkdir /etc/snort/rules/iplists

sudo mkdir /etc/snort/preproc_rules

sudo mkdir /usr/local/lib/snort_dynamicrules

sudo mkdir /etc/snort/so_rules

# Create empty placeholder files for the rules and IP lists referenced by snort.conf:

sudo touch /etc/snort/rules/iplists/black_list.rules

sudo touch /etc/snort/rules/iplists/white_list.rules

sudo touch /etc/snort/rules/local.rules

sudo touch /etc/snort/sid-msg.map

# Create the log directories:

sudo mkdir /var/log/snort

sudo mkdir /var/log/snort/archived_logs

# Adjust permissions (mode 5775, as in the original Snort guide: rwx for owner and group, r-x for others, plus the setuid and sticky bits; Linux ignores setuid on directories, so the sticky bit, which limits deletion to a file's owner, is the only special bit that matters here):

sudo chmod -R 5775 /etc/snort

sudo chmod -R 5775 /var/log/snort

sudo chmod -R 5775 /var/log/snort/archived_logs

sudo chmod -R 5775 /etc/snort/so_rules

sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

# Change ownership of the directories to the snort account:

sudo chown -R snort:snort /etc/snort

sudo chown -R snort:snort /var/log/snort

sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

# Copy the configuration files and the dynamic preprocessors from the source tree unpacked in step 4

cd ~/snort_src/snort-2.9.12/etc/

sudo cp *.conf* /etc/snort

sudo cp *.map /etc/snort

sudo cp *.dtd /etc/snort

cd ~/snort_src/snort-2.9.12/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/

sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

# Comment out every individual rule file referenced in snort.conf (otherwise each of those files would have to be downloaded separately before Snort will start)

sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

sudo vi /etc/snort/snort.conf

Set ipvar HOME_NET to the network being protected, e.g. 10.0.0.0/24 for the em1 subnet (or any); the rule written in step 6 matches on $HOME_NET.

Starting at line 104 (:104 in vi), set the rule paths to the directories created above:

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules/iplists

var BLACK_LIST_PATH /etc/snort/rules/iplists

At line 546 add (or uncomment) the include for the local rules file: include $RULE_PATH/local.rules

Check that the configuration parses (-T validates the configuration and exits; use eth1 or em1 as configured in step 2):

sudo snort -T -i eth0 -c /etc/snort/snort.conf
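The edits above are given as line numbers in snort.conf, which shift between Snort releases. The following is an added example (not part of the original guide or of Snort) that applies the same step 5 changes by key: it comments out the active rule includes like the sed above, rewrites or appends the ipvar/var definitions, and makes sure exactly one active include for local.rules remains, so it can be re-run without producing duplicates. The function and file names are my own; the demo runs against a constructed fragment of a stock snort.conf, not the real file.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the step 5 snort.conf edits
# by key instead of by line number, so the script is safe to re-run.

# set_conf_var FILE KIND NAME VALUE
#   KIND is "ipvar" or "var". Rewrites an existing active "KIND NAME ..." line,
#   or appends one when none exists. Commented-out copies are left untouched.
set_conf_var() {
    file=$1 kind=$2 name=$3 value=$4
    if grep -q "^$kind $name " "$file"; then
        sed "s|^$kind $name .*|$kind $name $value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s %s\n' "$kind" "$name" "$value" >> "$file"
    fi
}

# disable_rule_includes FILE
#   Same effect as the guide's sed: comment out every active "include $RULE_PATH/..."
#   line. Anchored at line start so already-commented lines are not commented twice.
disable_rule_includes() {
    sed 's|^include [$]RULE_PATH|#include $RULE_PATH|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# ensure_include FILE RULES_FILE
#   Leave exactly one active "include $RULE_PATH/RULES_FILE": keep it if present,
#   uncomment a commented copy if there is one, otherwise append it.
ensure_include() {
    file=$1 rules=$2
    if grep -q '^include [$]RULE_PATH/'"$rules"'$' "$file"; then
        return 0
    elif grep -q '^#include [$]RULE_PATH/'"$rules"'$' "$file"; then
        sed 's|^#include [$]RULE_PATH/'"$rules"'$|include $RULE_PATH/'"$rules"'|' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'include $RULE_PATH/%s\n' "$rules" >> "$file"
    fi
}

# configure_snort_conf FILE HOME_NET: the complete step 5 edit set.
configure_snort_conf() {
    disable_rule_includes "$1"
    set_conf_var "$1" ipvar HOME_NET "$2"
    set_conf_var "$1" var RULE_PATH /etc/snort/rules
    set_conf_var "$1" var SO_RULE_PATH /etc/snort/so_rules
    set_conf_var "$1" var PREPROC_RULE_PATH /etc/snort/preproc_rules
    set_conf_var "$1" var WHITE_LIST_PATH /etc/snort/rules/iplists
    set_conf_var "$1" var BLACK_LIST_PATH /etc/snort/rules/iplists
    ensure_include "$1" local.rules
}

# Demo on a constructed fragment of a stock snort.conf (sample data, not the real file).
# Against the real sensor, after taking a backup: configure_snort_conf /etc/snort/snort.conf 10.0.0.0/24
demo_dir=$(mktemp -d)
printf '%s\n' 'ipvar HOME_NET any' 'var RULE_PATH ../rules' \
    'include $RULE_PATH/local.rules' 'include $RULE_PATH/app-detect.rules' > "$demo_dir/snort.conf"
configure_snort_conf "$demo_dir/snort.conf" 10.0.0.0/24
cat "$demo_dir/snort.conf"
rm -rf "$demo_dir"
```

Run `sudo snort -T -c /etc/snort/snort.conf -i em1` afterwards exactly as above; the helper only edits text and does not validate the result.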

6 Write a simple rule and test detection

sudo vi /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)

(header: action protocol source-IP source-port -> destination-IP destination-port; local rules use sids of 1000000 and above, and classtype must name a class defined in /etc/snort/classification.config, such as icmp-event, or Snort rejects the rule)

Add the matching entry to /etc/snort/sid-msg.map. This is the v2 layout (gid || sid || rev || classtype || priority || msg || reference), which Barnyard2 recognises by a #v2 line at the top of the file:

#v2
1 || 10000001 || 001 || icmp-event || 0 || ICMP test detected || url,tools.ietf.org/html/rfc792

sudo snort -T -c /etc/snort/snort.conf -i em1

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i em1

(-A console prints alerts to the terminal; -u/-g drop privileges to the snort user and group after start-up. Ping the sensor's em1 address from another host and one alert should appear per echo request.)

Matching packets are also logged in /var/log/snort as snort.log.nnnnnnnnnn (the suffix is the Unix timestamp at start-up).
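Every local rule needs an entry in sid-msg.map with the same sid, rev and classtype, or Barnyard2 has no message text for it, and a duplicate or out-of-range sid in local.rules makes Snort refuse to start. The following is an added example (not part of the original guide or of Snort/Barnyard2) that checks local.rules against classification.config and generates the v2 sid-msg.map from it, taking the priority from the third field of classification.config instead of hard-coding 0. It handles single-line rules only; the helper names are mine and the demo uses constructed sample files.

```shell
#!/bin/sh
# Added example (not from the original guide): lint local.rules and generate the
# matching v2 sid-msg.map, so Barnyard2 always has a message for every local sid.

# rule_opt LINE KEY: value of a non-quoted rule option (sid, gid, rev, classtype).
# Snort treats option keywords case-insensitively (the guide writes GID:1), so the
# line is lowercased first; the options handled here have numeric or lowercase values.
rule_opt() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n "s/.*[(; ]$2:[ ]*\([^;]*\);.*/\1/p"
}

# rule_msg LINE: the quoted msg text, case preserved.
rule_msg() {
    printf '%s\n' "$1" | sed -n 's/.*msg:"\([^"]*\)".*/\1/p'
}

# rule_refs LINE: all reference options, joined as " || ref1 || ref2" (empty if none).
rule_refs() {
    refs=""
    for r in $(printf '%s\n' "$1" | grep -o 'reference:[^;]*' | sed 's/^reference: *//'); do
        refs="$refs || $r"
    done
    printf '%s' "$refs"
}

# lint_rules RULES_FILE CLASSIFICATION_CONFIG: returns 0 when every rule has a sid
# of 1000000 or more (lower sids belong to the official rule sets), sids are unique
# within the file, and every classtype is defined in classification.config.
lint_rules() {
    problems=0 seen=" "
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        sid=$(rule_opt "$line" sid)
        ctype=$(rule_opt "$line" classtype)
        if [ -z "$sid" ]; then
            echo "lint: rule without sid: $line" >&2; problems=$((problems + 1)); continue
        fi
        if [ "$sid" -lt 1000000 ]; then
            echo "lint: sid $sid is below the local range (>= 1000000)" >&2; problems=$((problems + 1))
        fi
        case $seen in *" $sid "*) echo "lint: duplicate sid $sid" >&2; problems=$((problems + 1)) ;; esac
        seen="$seen$sid "
        if ! grep -q "^config classification: $ctype," "$2"; then
            echo "lint: unknown classtype '$ctype' for sid $sid" >&2; problems=$((problems + 1))
        fi
    done < "$1"
    [ "$problems" -eq 0 ]
}

# gen_sidmsg RULES_FILE CLASSIFICATION_CONFIG: print a v2 sid-msg.map:
#   gid || sid || rev || classtype || priority || msg || ref1 || ref2 ...
# Priority comes from classification.config (third field), 0 if the class is unknown.
gen_sidmsg() {
    printf '#v2\n'
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        sid=$(rule_opt "$line" sid); [ -n "$sid" ] || continue
        gid=$(rule_opt "$line" gid); [ -n "$gid" ] || gid=1
        rev=$(rule_opt "$line" rev); [ -n "$rev" ] || rev=1
        ctype=$(rule_opt "$line" classtype)
        prio=$(sed -n "s/^config classification: $ctype,[^,]*,\([0-9]*\).*/\1/p" "$2")
        [ -n "$prio" ] || prio=0
        printf '%s || %s || %s || %s || %s || %s%s\n' \
            "$gid" "$sid" "$rev" "$ctype" "$prio" "$(rule_msg "$line")" "$(rule_refs "$line")"
    done < "$1"
}

# Demo on constructed samples (not real sensor files); on the sensor use
# /etc/snort/rules/local.rules and /etc/snort/classification.config instead.
demo_dir=$(mktemp -d)
printf '%s\n' 'config classification: icmp-event,Generic ICMP event,3' > "$demo_dir/classification.config"
printf '%s\n' 'alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event; reference:url,tools.ietf.org/html/rfc792;)' > "$demo_dir/local.rules"
if lint_rules "$demo_dir/local.rules" "$demo_dir/classification.config"; then
    gen_sidmsg "$demo_dir/local.rules" "$demo_dir/classification.config"
fi
rm -rf "$demo_dir"
```

On the sensor, redirect the generator's output to /etc/snort/sid-msg.map and restart Barnyard2, which reads the map only at start-up.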

7 Install Barnyard2

Barnyard2 reads Snort's binary unified2 spool files and writes the events into a MySQL database, so Snort itself never blocks on database writes.

Prerequisites:

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool

Tell Snort to write alerts as binary unified2 files:

In /etc/snort/snort.conf (around line 521) the stock example line is

# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

Replace it with:

output unified2: filename snort.u2, limit 128

(limit is the size in MB at which Snort rotates to a new snort.u2.<timestamp> file)

Download Barnyard2:

cd ~/snort_src

wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-Master.tar.gz

tar zxvf barnyard2-Master.tar.gz

cd barnyard2-master

autoreconf -fvi -I ./m4

Create a symlink so the build finds the dnet header (Ubuntu's libdumbnet-dev installs it as dumbnet.h):

sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

sudo ldconfig

Check the architecture (uname -m, or uname -a) and pick the matching configure line:

# Choose ONE of these two commands to run

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu

./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

Build and install to /usr/local/bin/barnyard2:

make

sudo make install

$ /usr/local/bin/barnyard2 -V

Copy the configuration file:

sudo cp ~/snort_src/barnyard2-master/etc/barnyard2.conf /etc/snort/

# the /var/log/barnyard2 folder is never used or referenced

# but barnyard2 will error without it existing

sudo mkdir /var/log/barnyard2

sudo chown snort:snort /var/log/barnyard2

sudo touch /var/log/snort/barnyard2.waldo

sudo chown snort:snort /var/log/snort/barnyard2.waldo

Create the Snort database and a dedicated account for Barnyard2 that is granted only the privileges it needs on that database:

$ mysql -u root -p

mysql> create database snort;

mysql> use snort;

mysql> source ~/snort_src/barnyard2-master/schemas/create_mysql

mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MySqlSNORTpassword';

(replace MySqlSNORTpassword with a password of your own; the same value goes into barnyard2.conf below)

mysql> grant create, insert, select, delete, update on snort.* to?'snort'@'localhost';

mysql> exit

Edit /etc/snort/barnyard2.conf and append as the last line (same user and password as above):

output database: log, mysql, user=snort password=MySqlSNORTpassword dbname=snort host=localhost sensor name=sensor01

Stop other users from reading the file, since it now holds the database password:

sudo chmod o-r /etc/snort/barnyard2.conf

Test that Snort events reach the database. Start Snort in the background (-D: run as a daemon), then start Barnyard2 reading the spool:

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i em1 -D

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

(-d is the spool directory, -f the unified2 base filename from snort.conf, -w the waldo bookmark file that records how far Barnyard2 has read. Ping the sensor from another host, then confirm rows are arriving: mysql -u snort -p snort -e 'SELECT COUNT(*) FROM event;')

8 Install PulledPork

#install pulledpork

sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

cd ~/snort_src

wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-master.tar.gz

tar xzvf pulledpork-master.tar.gz

cd pulledpork-master/

sudo cp pulledpork.pl /usr/local/bin

sudo chmod +x /usr/local/bin/pulledpork.pl

sudo cp etc/*.conf /etc/snort
