Deploying Snort in NIDS mode on Ubuntu takes the following steps.

First, install the build dependencies and fetch the Snort source:

```bash
sudo apt-get update
# libdumbnet-dev is Debian/Ubuntu's packaging of libdnet; libdaq-dev provides the DAQ packet
# acquisition library and libssl-dev the libcrypto that Snort 2.9.x's configure requires
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev zlib1g-dev libdaq-dev libssl-dev
wget https://www.snort.org/downloads/snort/snort-2.9.16.tar.gz
tar -xvf snort-2.9.16.tar.gz
cd snort-2.9.16
```
Next, configure and compile Snort:

```bash
# libdumbnet-dev installs its header as /usr/include/dumbnet.h (there is no /usr/include/dnet/),
# which Snort's configure also looks for; the library lives in the multiarch dir (x86_64 shown)
./configure --enable-ipv6 --enable-gre --enable-mpls --with-dnet-includes=/usr/include --with-dnet-libraries=/usr/lib/x86_64-linux-gnu
make
sudo make install
```
Next, create the Snort configuration file /etc/snort/snort.conf. A basic example:

```
# /etc/snort/snort.conf
include /usr/local/etc/snort/rules/snort.rules

# Decoder rules are pulled in with a plain include (there is no
# "preprocessor decoder_preprocessor_rules" directive). They reference
# classtypes, so classification.config from the tarball's etc/ directory
# would have to be included first; left disabled in this minimal setup.
# include /usr/local/etc/snort/preproc_rules/decoder.rules

# unicode.map ships in the tarball's etc/ directory; copy it next to snort.conf.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

# http_inspect_server switches take yes/no, not on/off; the option is "directory",
# not "directory_traversals"; "webroot" is a yes/no switch, not a path; X-Forwarded-For
# handling is turned on with "enable_xff".
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT DELETE HEAD OPTIONS CONNECT PATCH } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    max_spaces 200 \
    small_chunk_length { 10 5 } \
    ascii yes \
    double_decode yes \
    bare_byte yes \
    iis_backslash yes \
    directory yes \
    utf_8 yes \
    u_encode yes \
    webroot yes \
    enable_xff
```
Then create a file named snort.rules in the /usr/local/etc/snort/rules directory and add the rules you want Snort to detect. A simple example rule:

```
# Matches every TCP packet in either direction; useful only to confirm the sensor is working
alert tcp any any -> any any (msg:"Test Rule"; sid:1000000; rev:1;)
```
Create the log directory (Snort refuses to start if it is missing) and start Snort in NIDS mode:

```bash
sudo mkdir -p /var/log/snort
sudo snort -i <interface> -c /etc/snort/snort.conf -l /var/log/snort/
```

Replace <interface> with the network interface to monitor (for example, eth0). Before the first run, snort -T -c /etc/snort/snort.conf parses the configuration and rules and exits, which catches typos in snort.conf or the rules file without touching traffic.
Snort should now be running in NIDS mode and inspecting traffic against the configured rules. To review the alerts it generates, look at the log files in the /var/log/snort/ directory.
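With -l and no -A option, Snort writes alerts to /var/log/snort/alert in its default "full" text format. The Python below is an added example, not part of the original tutorial: it parses that format from a constructed sample log and summarises hits per signature with the distinct sources involved, which also makes the noise of the any->any test rule above visible at a glance.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of Snort's default "full" alert file (/var/log/snort/alert);
# made-up addresses, not captured traffic. The page's any->any test rule fires on every TCP packet.
SAMPLE_ALERT_LOG = """\
[**] [1:1000000:1] Test Rule [**]
[Priority: 0]
12/14-10:23:45.123456 192.168.1.10:51234 -> 192.168.1.20:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF

[**] [1:1000000:1] Test Rule [**]
[Priority: 0]
12/14-10:23:46.000001 10.0.0.5:40000 -> 192.168.1.20:443
TCP TTL:63 TOS:0x0 ID:777 IpLen:20 DgmLen:60 DF
"""

# Block layout: "[**] [gid:sid:rev] msg [**]", "[Priority: n]", "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]", protocol line
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?"  # IPv4 address with optional port (IPv6 not handled)
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) " + ENDPOINT + " -> " + ENDPOINT + "$")

def parse_alert_log(text):
    """Return one dict per alert block; Snort separates blocks with a blank line."""
    alerts = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        pkt = PACKET_RE.match(lines[2]) if len(lines) > 2 else None
        if not head or not pkt:
            continue  # not a well-formed alert block: skip rather than guess
        prio = re.search(r"\[Priority: (\d+)\]", lines[1])
        alerts.append({
            "gid": int(head[1]), "sid": int(head[2]), "rev": int(head[3]), "msg": head[4],
            "priority": int(prio[1]) if prio else None, "time": pkt[1],
            "proto": lines[3].split()[0] if len(lines) > 3 else None,
            "src": pkt[2], "src_port": int(pkt[3]) if pkt[3] else None,
            "dst": pkt[4], "dst_port": int(pkt[5]) if pkt[5] else None,
        })
    return alerts

def summarize(alerts):
    """Per signature: hit count and distinct source addresses, so an over-broad rule stands out."""
    counts = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    sources = defaultdict(set)
    for a in alerts:
        sources[(a["gid"], a["sid"], a["msg"])].add(a["src"])
    return {key: (n, sorted(sources[key])) for key, n in counts.items()}
```

Point parse_alert_log at the contents of /var/log/snort/alert to run it against a live sensor; an alert block that does not match the expected layout is skipped rather than misparsed.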