Information Security (old version)/Snort 2019. 3. 7. 19:07
Snort - 02. Installing and Starting Snort
- Snort is a signature-based network intrusion detection system. Because it runs single-threaded, it is not well suited to inspecting high-volume packet traffic.
- Where high-volume packet inspection is required, Suricata, which supports multi-threading, is the recommended alternative.
1. Snort modes
| Mode | Description |
|---|---|
| Sniffer mode | Prints packet information as messages on the console |
| Packet logging mode | Records packet information as log messages |
| NIDS mode | Inspects packets and raises alert messages |
| IPS mode | Inspects packets and blocks them (applies when deployed inline) |
2. Snort processing flow
| Stage (in order) | Description |
|---|---|
| Sniffer | Captures packets |
| Packet decoder | Normalizes packets so that the preprocessors and the detection engine can parse them |
| Preprocessor | Passes packets in which specific behavior is found on to the detection engine |
| Detection engine | Checks whether the received packet matches a Snort rule |
| Alert/logging | If a Snort rule matches, outputs and records an alert |
3. Installing snort
root@Snort:~# apt-get -y install snort snort-common snort-common-libraries snort-doc snort-rules-default
4. Checking the snort packages
root@Snort:~# dpkg -l | grep snort
ii snort 2.9.7.0-5 amd64 flexible Network Intrusion Detection System
ii snort-common 2.9.7.0-5 all flexible Network Intrusion Detection System - common files
ii snort-common-libraries 2.9.7.0-5 amd64 flexible Network Intrusion Detection System - libraries
ii snort-doc 2.9.7.0-5 all flexible Network Intrusion Detection System - documentation
ii snort-rules-default 2.9.7.0-5 all flexible Network Intrusion Detection System - ruleset
5. Checking the contents of 'snort.debian.conf'
root@Snort:~# ls /etc/snort
classification.config reference.config snort.debian.conf
community-sid-msg.map rules threshold.conf
gen-msg.map snort.conf unicode.map
root@Snort:~# cat /etc/snort/snort.debian.conf
# snort.debian.config (Debian Snort configuration file)
#
# This file was generated by the post-installation script of the snort
# package using values from the debconf database.
#
# It is used for options that are changed by Debian to leave
# the original configuration files untouched.
#
# This file is automatically updated on upgrades of the snort package
# *only* if it has not been modified since the last upgrade of that package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command as root:
# dpkg-reconfigure snort
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.20.0/24"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"
6. Checking the contents of the 'snort' file
root@Snort:~# ls -l /etc/default/snort
-rw-r--r-- 1 root root 1164 6월 30 2015 /etc/default/snort
root@Snort:~# cat /etc/default/snort
# Parameters for the daemon
# Add any additional parameteres here.
PARAMS="-m 027 -D -d "
#
# Snort user
# This user will be used to launch snort. Notice that the
# preinst script of the package might do changes to the user
# (home directory, User Name) when the package is upgraded or
# reinstalled. So, do *not* change this to 'root' or to any other user
# unless you are sure there is no problem with those changes being introduced.
#
SNORTUSER="snort"
#
# Logging directory
# Snort logs will be dropped here and this will be the home
# directory for the SNORTUSER. If you change this value you should
# change the /etc/logrotate.d/snort definition too, otherwise logs
# will not be rotated properly.
#
LOGDIR="/var/log/snort"
#
# Snort group
# This is the group that the snort user will be added to.
#
SNORTGROUP="snort"
#
# Allow Snort's init.d script to work if the configured interfaces
# are not available. Set this to yes if you configure Snort with
# multiple interfaces but some might not be available on boot
# (e.g. wireless interfaces)
#
# Note: In order for this to work the 'iproute' package needs to
# be installed.
ALLOW_UNAVAILABLE="no"
7. Modifying the contents of 'snort.conf'
root@Snort:~# vi /etc/snort/snort.conf
~ (middle omitted) ~
###################################################
# Setup the network addresses you are protecting
# Set up the external network addresses. Leave as "any" in most situations
# If HOME_NET is defined as something other than "any", alternative, you can
# List of DNS servers on your network
# List of SMTP servers on your network
# List of web servers on your network
# List of sql servers on your network
# List of telnet servers on your network
# List of ssh servers on your network
# List of ftp servers on your network
# List of sip servers on your network
# List of ports you run web servers on
# List of ports you want to look for SHELLCODE on.
# List of ports you might see oracle attacks on
# List of ports you want to look for SSH connections on:
~ (middle omitted) ~
:wq!
8. Starting snort
root@Snort:~# service snort start
root@Snort:~# service snort status
● snort.service - LSB: Lightweight network intrusion detection system
Loaded: loaded (/etc/init.d/snort; generated; vendor preset: disabled)
Active: active (running) since Tue 2018-02-13 20:42:43 KST; 10s ago
Docs: man:systemd-sysv-generator(8)
Process: 1491 ExecStart=/etc/init.d/snort start (code=exited, status=0/SUCCESS
Tasks: 2 (limit: 4915)
CGroup: /system.slice/snort.service
└─1536 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g sno
2월 13 20:42:43 Snort snort[1536]: Preprocessor Object: SF_SDF Vers
2월 13 20:42:43 Snort snort[1536]: Preprocessor Object: SF_DNS Vers
2월 13 20:42:43 Snort snort[1536]: Preprocessor Object: SF_SIP Vers
2월 13 20:42:43 Snort snort[1536]: Preprocessor Object: SF_GTP Vers
2월 13 20:42:43 Snort snort[1536]: Preprocessor Object: SF_SSLPP Ve
2월 13 20:42:43 Snort snort[1536]: Preprocessor Object: SF_SSH Vers
2월 13 20:42:43 Snort snort[1536]: Preprocessor Object: SF_DNP3 Ver
2월 13 20:42:43 Snort snort[1536]: Preprocessor Object: SF_MODBUS V
2월 13 20:42:43 Snort snort[1536]: Preprocessor Object: SF_IMAP Ver
2월 13 20:42:43 Snort snort[1536]: Commencing packet processing (pid=1536)
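As an added example that is not part of the original post, the following POSIX sh script sanity-checks the two Debian-side configuration files shown in steps 5 and 6 (`snort.debian.conf` and `/etc/default/snort`) before the service is started: HOME_NET must name a specific network rather than `any` (otherwise the `$HOME_NET`/`$EXTERNAL_NET` direction in rules loses its meaning), a capture interface must be set, the daemon must not run as root, and the `-D`/`-m 027` parameters must be present. The sample file contents are constructed here from the values shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the Debian snort
# configuration files (snort.debian.conf and /etc/default/snort) before
# running 'service snort start'. Function names are this example's own.

# Print the value of KEY=value or KEY="value" from a shell-style config file.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*$/\1/p" "$1" | tail -n 1
}

# snort.debian.conf: HOME_NET must name the protected network (not "any"),
# and a capture interface must be set. Returns 0 if both checks pass.
check_debian_conf() {
    rc=0
    home_net=$(conf_get "$1" DEBIAN_SNORT_HOME_NET)
    iface=$(conf_get "$1" DEBIAN_SNORT_INTERFACE)
    case "$home_net" in
        ""|any) echo "FAIL: DEBIAN_SNORT_HOME_NET='$home_net' (HOME_NET/EXTERNAL_NET direction is lost)"; rc=1 ;;
        */*)    echo "OK:   HOME_NET=$home_net" ;;
        *)      echo "FAIL: HOME_NET '$home_net' is not in CIDR form"; rc=1 ;;
    esac
    if [ -n "$iface" ]; then echo "OK:   interface=$iface"; else echo "FAIL: no DEBIAN_SNORT_INTERFACE"; rc=1; fi
    return $rc
}

# /etc/default/snort: never run the daemon as root; keep -D (daemonize)
# and -m 027 (umask for the log files) in PARAMS. Returns 0 if all pass.
check_default_snort() {
    rc=0
    user=$(conf_get "$1" SNORTUSER)
    params=" $(conf_get "$1" PARAMS) "
    if [ -n "$user" ] && [ "$user" != root ]; then echo "OK:   SNORTUSER=$user"; else echo "FAIL: SNORTUSER='$user'"; rc=1; fi
    case "$params" in *" -D "*)     echo "OK:   -D present" ;;     *) echo "FAIL: PARAMS lacks -D"; rc=1 ;; esac
    case "$params" in *" -m 027 "*) echo "OK:   -m 027 present" ;; *) echo "FAIL: PARAMS lacks -m 027"; rc=1 ;; esac
    return $rc
}

# Write constructed sample files (values taken from the post, plus one
# deliberately bad file) into a temp dir and print its path for offline runs.
write_samples() {
    d=$(mktemp -d)
    printf 'DEBIAN_SNORT_STARTUP="boot"\nDEBIAN_SNORT_HOME_NET="192.168.20.0/24"\nDEBIAN_SNORT_INTERFACE="eth0"\n' > "$d/snort.debian.conf"
    printf 'PARAMS="-m 027 -D -d "\nSNORTUSER="snort"\nLOGDIR="/var/log/snort"\n' > "$d/snort.default"
    printf 'DEBIAN_SNORT_HOME_NET="any"\nDEBIAN_SNORT_INTERFACE=""\n' > "$d/bad.debian.conf"
    echo "$d"
}
dir=$(write_samples)
check_debian_conf "$dir/snort.debian.conf" && check_default_snort "$dir/snort.default" \
    && echo "config looks sane; next: snort -T -c /etc/snort/snort.conf (test mode), then service snort start"
```

On a real host, point the two functions at `/etc/snort/snort.debian.conf` and `/etc/default/snort` instead of the constructed samples.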
[YouTube] Video lecture link (Subscribe! Like!!!)
Snort - 2. Installing and Starting Snort https://youtu.be/EppG_OT8gds