
14. CentOS를 이용한 'snort' IDS

 

 

 

http://www.zlib.net/ 사이트에서 zlib 다운로드 실시 및 압축 해제 -> ./configure -> make -> make install

 

 

http://www.snort.org 사이트로부터 daq, snort 프로그램 다운로드 실시

 


[root@snort ~]# ls pkg
daq-2.0.6.tar.gz  snort-2.9.8.0.tar.gz

 

 


 - snort 설치 추가 패키지 설치


[root@snort ~]# iptables -P INPUT ACCEPT                  실습 편의를 위해 INPUT 기본 정책을 ACCEPT로 변경 (패킷이 방화벽에서 차단되지 않도록 함; 운영 환경에서는 필요한 포트만 허용할 것)

[root@snort ~]# yum list epel*                           다운로드 사이트를 확장해줌


[root@snort ~]# yum install epel-release

[root@snort ~]# yum install gcc flex bison libpcap libpcap-devel pcre pcre-devel
[root@snort ~]# yum install libdnet libdnet-devel

 

 


 - 패키지 설치가 완료되었다면, 압축 해제 및 설치 실시

 

[root@snort ~]# cd /root/pkg
[root@snort pkg]# ls
daq-2.0.6.tar.gz snort-2.9.8.0.tar.gz

[root@snort pkg]# tar zxvf  daq-2.0.6.tar.gz
[root@snort pkg]# tar zxvf  snort-2.9.8.0.tar.gz
[root@snort pkg]# ls
daq-2.0.6  daq-2.0.6.tar.gz  snort-2.9.8.0  snort-2.9.8.0.tar.gz

 

[root@snort pkg]# cd daq-2.0.6
[root@snort daq-2.0.6]# ./configure
[root@snort daq-2.0.6]# make
[root@snort daq-2.0.6]# make install

 

[root@snort daq-2.0.6]# cd ../snort-2.9.8.0
[root@snort snort-2.9.8.0]# ./configure --enable-sourcefire
[root@snort snort-2.9.8.0]# make
[root@snort snort-2.9.8.0]# make install


[root@snort snort-2.9.8.0]# ls /usr/local/bin
daq-modules-config  snort  u2boat  u2spewfoo

 

 

 - 설치가 완료되었다면, 'snort'를 사용하기 위한 디렉토리/파일 생성 및 권한 설정 실시 (아래 chown이 동작하려면 snort 사용자/그룹이 먼저 존재해야 함)

 

[root@snort snort-2.9.8.0]# cd etc
[root@snort etc]# cp  snort.conf  /usr/local/etc
[root@snort etc]# mkdir  /etc/snort
[root@snort etc]# mkdir  /var/log/snort
[root@snort etc]# chown snort:snort /var/log/snort
[root@snort etc]# touch  /var/log/snort/alert
[root@snort etc]# chown snort:snort /var/log/snort/alert
[root@snort etc]# chmod 600 /var/log/snort/alert


[root@snort etc]# snort -V

 

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

 

 

 

 - 'snort.conf' 파일 내용 확인

 

[root@snort etc]# vi snort.conf

 

 

~ 중간 생략 ~

 

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
ipvar HOME_NET any 

ipvar HOME_NET [192.168.1.0/24, 172.16.0.0/16] <- 특정 서브넷만 감시할 경우

 

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

 

# List of DNS servers on your network
ipvar DNS_SERVERS $HOME_NET

 
# List of SMTP servers on your network
ipvar SMTP_SERVERS $HOME_NET

 

# List of web servers on your network
ipvar HTTP_SERVERS $HOME_NET

~ 중간 생략 ~

 

:q!

 

 

# snort -v            별도의 구성 정보를 참조하지 않는 Packet Sniffer 모드
# snort -vd           전체 레이어를 참조하는 Packet Sniffer 모드
# snort -vde         Ethernet Header 정보를 포함하는 Packet Sniffer 모드

 

 

 

Ex1) 'snort'를 이용한 ICMP 감시 및 로그 확인 

 

[root@snort etc]# mkdir /etc/snort/rules
[root@snort etc]# vi /etc/snort/rules/local.rules

 

# local.rules
alert icmp any any -> any any (msg:"ICMP ping test"; sid:1000001;)

 

:wq!

 

형식 : alert protocol sourceIP sourcePort -> DstIP DstPort (msg:"Log file에 기록될 이름";sid:1000001;)

 

      양방향인 경우 : <>
      sourceIP, DstIP를 모르는 경우 : any
      sourcePort, DstPort를 모르는 경우 : any

 

 

 - 'snort' 실시

 

[root@snort etc]# snort -c /etc/snort/rules/local.rules

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/local.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       1       0
|      nc       0       0       1       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!

[ Port Based Pattern Matching Memory ]
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Reload thread starting...
Reload thread started, thread 0x7ffd4abfa700 (2411)
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

Commencing packet processing (pid=2410)
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.

~중간 생략~

(위 WARNING은 snort.conf 대신 rules 파일만 -c 옵션으로 지정하여 전처리기(preprocessor)가 설정되지 않았기 때문에 출력되는 것으로 보이며, 이 ICMP 테스트 결과에는 영향이 없다.)

 

 

 

 - 원본 PC에서 CentOS eth0(192.168.10.137)으로 Ping 실시

 

C:\Users\Administrator>ping 192.168.10.137

Ping 192.168.10.137 32바이트 데이터 사용:
192.168.10.137의 응답: 바이트=32 시간<1ms TTL=64
192.168.10.137의 응답: 바이트=32 시간<1ms TTL=64
192.168.10.137의 응답: 바이트=32 시간<1ms TTL=64
192.168.10.137의 응답: 바이트=32 시간<1ms TTL=64

192.168.10.137에 대한 Ping 통계:
    패킷: 보냄 = 4, 받음 = 4, 손실 = 0 (0% 손실),
왕복 시간(밀리초):
    최소 = 0ms, 최대 = 0ms, 평균 = 0ms

 

 

 

 - snort 동작 취소 (ctrl+c)

 

WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.
(ctrl+c)

Caught Int-Signal
===============================================================================
Run time for packet processing was 11.11928 seconds
Snort processed 121 packets.
Snort ran for 0 days 0 hours 0 minutes 11 seconds
   Pkts/sec:           11
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       3489792
  Bytes in mapped regions (hblkhd):      29995008
  Total allocated space (uordblks):      3321712
  Total free space (fordblks):           168080
  Topmost releasable block (keepcost):   134608
===============================================================================
Packet I/O Totals:
   Received:          121
   Analyzed:          121 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          121 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          121 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            8 (  6.612%)
        UDP:            0 (  0.000%)
        TCP:          113 ( 93.388%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:           59 ( 48.760%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          121
======================================================================
Action Stats:
     Alerts:            8 (  6.612%)
     Logged:            8 (  6.612%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          121 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
     (null):            0 (  0.000%)
======================================================================
Snort exiting
[root@snort etc]#

 

 

 

 - 'snort' 로그 확인

 

[root@snort etc]# more  /var/log/snort/alert

 

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
02/01-13:52:00.586955 192.168.10.1 -> 192.168.10.137
ICMP TTL:128 TOS:0x0 ID:22396 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1723  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
02/01-13:52:00.587087 192.168.10.137 -> 192.168.10.1
ICMP TTL:64 TOS:0x0 ID:12287 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:1723  ECHO REPLY

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
02/01-13:52:01.589470 192.168.10.1 -> 192.168.10.137
ICMP TTL:128 TOS:0x0 ID:22403 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1724  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
02/01-13:52:01.589553 192.168.10.137 -> 192.168.10.1
ICMP TTL:64 TOS:0x0 ID:12288 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:1724  ECHO REPLY

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
02/01-13:52:02.593497 192.168.10.1 -> 192.168.10.137
ICMP TTL:128 TOS:0x0 ID:22409 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1725  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
02/01-13:52:02.593580 192.168.10.137 -> 192.168.10.1
ICMP TTL:64 TOS:0x0 ID:12289 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:1725  ECHO REPLY

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
02/01-13:52:03.597586 192.168.10.1 -> 192.168.10.137
ICMP TTL:128 TOS:0x0 ID:22416 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1726  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
02/01-13:52:03.597624 192.168.10.137 -> 192.168.10.1
ICMP TTL:64 TOS:0x0 ID:12290 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:1726  ECHO REPLY

[root@snort etc]#

 

 

 

 

Ex2) 'snort'를 이용한 SSH 감시 및 로그 확인 

 

[root@snort etc]# vi /etc/snort/rules/local.rules

 

 # local.rules
alert icmp any any -> any any (msg:"ICMP ping test"; sid: 1000001;)
alert tcp any any -> any 22 (msg:"SSH Connection"; sid: 1000002;)

 

:wq!

 


[root@snort etc]# snort -c /etc/snort/rules/local.rules

 

 

 - Putty를 이용하여 SSH 접속

 


 - snort 기능 취소 (ctrl+c)

 

 

[root@snort etc]#  more /var/log/snort/alert

 

 

 

 

 

[참고] 'snort' 테스트가 안될 경우

 

만약 위의 테스트가 안된다면, 다음과 같이 eth 인터페이스 정보 확인을 실시하여, eth0 인터페이스가 아니면 '/etc/udev/rules.d/' 디렉토리에 있는 '70-persistent-net.rules' 파일을 vi 편집기를 이용하여 eth0 인터페이스 정보만 유지하고 나머지(eth1, eth2....)는 삭제한다. 삭제가 완료되었다면, 'reboot'을 실시하여 재부팅한다. 

 

 

[root@snort etc]# ifconfig
eth2     Link encap:Ethernet  HWaddr 00:0C:29:64:76:BE
          inet addr:192.168.10.137  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe64:76be/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4509 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6356 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:320466 (312.9 KiB)  TX bytes:6260848 (5.9 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:BB:A7:60
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


[root@snort etc]# cd /etc/udev/rules.d/


[root@snort rules.d]# ls
60-fprint-autosuspend.rules  70-persistent-net.rules  97-bluetooth-serial.rules
60-pcmcia.rules              80-kvm.rules             98-kexec.rules
60-raw.rules                 90-alsa.rules            99-fuse.rules
70-persistent-cd.rules       90-hal.rules             99-vmware-scsi-udev.rules


[root@snort rules.d]# vi 70-persistent-net.rules

 

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:64:76:be", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
~

 

:wq!

 

 

[root@snort rules.d]# reboot

 

 

Posted by 김정우 강사(카카오톡 : kim10322)