snort
Installation
First, I tried installing it for Windows.
Check the Snort version and the NIC
C:\>cd snort
C:\Snort>cd bin
C:\Snort\bin>snort -W
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 111)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using PCRE version: 8.10 2010-06-25
Using ZLIB version: 1.2.3
Index Physical Address IP Address Device Name Description
----- ---------------- ---------- ----------- -----------
1 00:00:00:00:00:00 211.119.250.99 \Device\NPF_{5423FA0E-84CB-49EC-863D-E2C2D6E40777} Realtek RTL8169/8110 Family Gigabit Ethernet NIC
C:\Snort\bin>
On Windows, packet capture may not work properly if the firewall is up, so it is reportedly recommended to turn the firewall off.
Test that it works
-v   print packets to the console
-n   number of packets to monitor
-i   interface device to monitor; here it is number 1.
C:\Snort\bin>snort -v -n 3 -i 1
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "\Device\NPF_{5423FA0E-84CB-49EC-863D-E2C2D6E40777}".
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 111)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using PCRE version: 8.10 2010-06-25
Using ZLIB version: 1.2.3
Commencing packet processing (pid=2736)
03/07-21:34:59.379837 115.68.62.13:4624 -> 211.119.250.99:3389
TCP TTL:122 TOS:0x0 ID:29203 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0x87573B83 Ack: 0x9F2ECEBB Win: 0xFE TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/07-21:34:59.383475 211.119.250.99:3389 -> 115.68.62.13:4624
TCP TTL:128 TOS:0x0 ID:26377 IpLen:20 DgmLen:204 DF
***AP*** Seq: 0x9F2ECEBB Ack: 0x87573B8F Win: 0xFB35 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/07-21:34:59.399179 211.119.250.99:3389 -> 115.68.62.13:4624
TCP TTL:128 TOS:0x0 ID:26378 IpLen:20 DgmLen:251 DF
***AP*** Seq: 0x9F2ECF5F Ack: 0x87573B8F Win: 0xFB35 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
==================================================================
Run time for packet processing was 1.0 seconds
Snort processed 3 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
Pkts/sec: 3
===================================================================
Packet I/O Totals:
Received: 51
Analyzed: 3 ( 5.882%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 48 ( 94.118%)
Injected: 0
==================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 3 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 3 (100.000%)
Frag: 0 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 0 ( 0.000%)
TCP: 3 (100.000%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 0 ( 0.000%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 0 ( 0.000%)
Bad Chk Sum: 2 ( 66.667%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 0 ( 0.000%)
S5 G 2: 0 ( 0.000%)
Total: 3
========================================================
Snort exiting
C:\Snort\bin>
Downloading Snort rules
Subscriber Release (latest rules): paid
Registered User Release (one month behind the latest): free; can be downloaded normally after registering an account
Download it, unzip it, and paste the contents into c:/snort (overwriting is fine)
Configuring Snort rules
The rule configuration file is written for Linux by default, so it has to be adapted for Windows.
It lives at c:\snort\etc\snort.conf; open it with WordPad and edit it (probably only the entries below need changing?)
var RULE_PATH ../rules → var RULE_PATH
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
→ dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
→ dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
include classification.config → include C:\Snort\etc\classification.config
include reference.config → include C:\Snort\etc\reference.config
Running
snort -i 1 -A full -c C:\snort\etc\snort.conf -l C:\snort\log
If it errors on startup, it prints a message saying which statement caused the error; comment out that line and run it again, repeating as needed,
and it eventually runs as shown below. Closing that window terminates the IDS, so do not close the window....
[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format : Full-Q
| Finite Automaton : DFA
| Alphabet Size : 256 Chars
| Sizeof State : Variable (1,2,4 bytes)
| Instances : 43
| 1 byte states : 42
| 2 byte states : 1
| 4 byte states : 0
| Characters : 4061
| States : 1845
| Transitions : 19550
| State Density : 4.1%
| Patterns : 608
| Match States : 254
| Memory (KB) : 692.70
| Pattern : 36.43
| Match Lists : 45.19
| DFA
| 1 byte states : 377.14
| 2 byte states : 188.40
| 4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 14 ]
pcap DAQ configured to passive.
Acquiring network traffic from "\Device\NPF_{5423FA0E-84CB-49EC-863D-E2C2D6E40777}".
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 111)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using PCRE version: 8.10 2010-06-25
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.13 <Build 18>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Commencing packet processing (pid=3320)
When it runs normally, log files such as alert.ids and snort.log.1300187204 are created in the log folder
alert.ids - the event name of the attack, the direction of the attack, and protocol information
snort.log - holds the packet data; if you change the extension to pcap you can also examine it in Wireshark's GUI
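To actually use alert.ids the way it is described above, here is an added parser (my own example, not code from this post or from Snort) that splits the records written by -A full into event name, direction and protocol and counts them for triage; the sample alert text is constructed, and the rule ids and messages in it are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout Snort 2.9 writes to alert.ids with -A full: a
# "[**] [gid:sid:rev] message [**]" header, a classification line, then the same
# packet header lines the -v dump prints. Rule ids/messages are hypothetical.
SAMPLE_ALERT_IDS = """\
[**] [1:1000001:1] LOCAL RDP session to monitored host [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/07-21:34:59.379837 115.68.62.13:4624 -> 211.119.250.99:3389
TCP TTL:122 TOS:0x0 ID:29203 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0x87573B83 Ack: 0x9F2ECEBB Win: 0xFE TcpLen: 20

[**] [1:1000001:1] LOCAL RDP session to monitored host [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/07-21:35:02.100000 115.68.62.13:4625 -> 211.119.250.99:3389
TCP TTL:122 TOS:0x0 ID:29210 IpLen:20 DgmLen:52 DF
******S* Seq: 0x11111111 Ack: 0x0 Win: 0x4000 TcpLen: 20

[**] [1:1000002:1] LOCAL ICMP echo to monitored host [**]
[Classification: Misc activity] [Priority: 3]
03/07-21:35:05.000000 115.68.62.13 -> 211.119.250.99
ICMP TTL:122 TOS:0x0 ID:29211 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO
"""
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
# timestamp, src[:port] -> dst[:port]; ports are absent on ICMP records
PKT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

def parse_alerts(text):
    """Split alert.ids text on blank lines and return one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert record (e.g. a truncated tail); skip it
        ev = {"sid": int(m[2]), "msg": m[4], "priority": None, "proto": None}
        for line in lines[1:]:
            if p := PRIO_RE.search(line):
                ev["priority"] = int(p[1])
            if pk := PKT_RE.match(line):
                ev.update(ts=pk[1], src=pk[2], sport=pk[3], dst=pk[4], dport=pk[5])
            elif ev["proto"] is None and "ts" in ev:
                ev["proto"] = line.split()[0]  # "TCP ..." / "ICMP ..." follows the packet line
        events.append(ev)
    return events

def summarize(events):
    # count events by (sid, message, direction, protocol) for quick triage
    return Counter((e["sid"], e["msg"], e["src"] + " -> " + e["dst"], e["proto"]) for e in events)
```

Point it at the real C:\snort\log\alert.ids and the Counter gives the same event/direction/protocol breakdown the post describes, without opening the file by hand.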