Snort official website: https://www.snort.org/
1. Download the packages provided by the official site:
# wget https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
# wget https://www.snort.org/downloads/snort/snort-2.9.9.0-1.centos7.x86_64.rpm
Reference:
浮雲雅築: [Research] Snort 2.9.8.0 installation + quick install script (CentOS 7.2 x64)
2. Install the dependencies
# yum install libpcap-devel libdnet-devel libnghttp2-devel
If these packages are not installed first, installing daq and snort directly fails with dependency errors:
# rpm -ivh daq-2.0.6-1.centos7.x86_64.rpm
error: Failed dependencies:
libpcap.so.1()(64bit) is needed by daq-2.0.6-1.x86_64
# rpm -ivh snort-2.9.9.0-1.centos7.x86_64.rpm
error: Failed dependencies:
libdnet.so.1()(64bit) is needed by snort-1:2.9.9.0-1.x86_64
libnghttp2.so.14()(64bit) is needed by snort-1:2.9.9.0-1.x86_64
libpcap.so.1()(64bit) is needed by snort-1:2.9.9.0-1.x86_64
libsfbpf.so.0()(64bit) is needed by snort-1:2.9.9.0-1.x86_64
3. Install daq and snort
# rpm -ivh daq-2.0.6-1.centos7.x86_64.rpm snort-2.9.9.0-1.centos7.x86_64.rpm
4. Register on snort.org and download the rules
https://www.snort.org/downloads/#rule-downloads
5. Extract the rules into /etc/snort (the tarball unpacks into rules/, so_rules/, preproc_rules/ and etc/ there)
# tar xvzf snortrules-snapshot-2990.tar.gz -C /etc/snort
6. Point the rule paths at the extracted directory and create the black/white list files (the stock snort.conf uses ../rules, and the list files it names must exist before Snort will start)
# cp /etc/snort/snort.conf /etc/snort/snort.conf.$(date +%F)
# sed -i 's|../rules|rules|' /etc/snort/snort.conf
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
or
# sed -i "s|var BLACK_LIST_PATH|#var BLACK_LIST_PATH|" /etc/snort/snort.conf
# sed -i "/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
# sed -i "s|var WHITE_LIST_PATH|#var WHITE_LIST_PATH|" /etc/snort/snort.conf
# sed -i "/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules" /etc/snort/snort.conf
7. Edit /etc/snort/snort.conf: the stock file has a dynamicdetection line pointing at /usr/local/lib/snort_dynamicrules, which the RPM does not create, so either comment that line out
# sed -i 's/^dynamicdetection/#dynamicdetection/' /etc/snort/snort.conf
or create the directory it expects
# mkdir -p /usr/local/lib/snort_dynamicrules
8. Check that the configuration file is valid
# snort -T -c /etc/snort/snort.conf
...
Snort successfully validated the configuration!
Snort exiting
9. Start snort
# systemctl start snortd
or
# /etc/init.d/snortd start
10. Check the running state (the command line shows the daemon dropping to the snort user and group with -u snort -g snort)
# /etc/init.d/snortd status
● snortd.service - SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
Loaded: loaded (/etc/rc.d/init.d/snortd; bad; vendor preset: disabled)
Active: active (running) since Fri 2017-02-24 21:57:01 CST; 6s ago
Docs: man:systemd-sysv-generator(8)
Process: 429 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/snortd.service
└─435 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
Feb 24 21:57:01 fb snort[435]: Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Feb 24 21:57:01 fb snort[435]: Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Feb 24 21:57:01 fb snort[435]: Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Feb 24 21:57:01 fb snort[435]: Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Feb 24 21:57:01 fb snort[435]: Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Feb 24 21:57:01 fb snort[435]: Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Feb 24 21:57:01 fb snort[435]: Preprocessor Object: SF_POP Version 1.0 <Build 1>
Feb 24 21:57:01 fb snort[435]: Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Feb 24 21:57:01 fb snort[435]: Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Feb 24 21:57:01 fb snort[435]: Commencing packet processing (pid=435)
# ps aux | grep snort | grep -v grep
snort 435 0.0 80.3 810840 421080 ? Ssl 21:57 0:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
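The configuration edits of steps 6 and 7 as one script, added here as an example (it is not from the original post or the Snort project). It runs against a constructed excerpt of snort.conf whose lines mirror the stock 2.9.x defaults, so you can see exactly what changes before applying it to /etc/snort/snort.conf; the function names, the temporary-directory dry run and the excerpt itself are assumptions of this example, and on a real host step 8's `snort -T -c /etc/snort/snort.conf` remains the final check.

```shell
#!/bin/bash
# Added example, not from the original post: the snort.conf edits from
# steps 6 and 7 as shell functions, exercised on a constructed excerpt.
# The directory layout (rules/, so_rules/, preproc_rules/ under the etc
# dir) is what the step 5 tar extraction produces; the function names
# and the temp-dir dry run are assumptions of this example.
set -eu

# Constructed excerpt of snort.conf: only the lines the steps touch,
# with the stock 2.9.x default values. The heredoc is quoted so that
# $RULE_PATH stays literal, as it is in the real file.
write_sample_conf() {
  cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
include $RULE_PATH/local.rules
EOF
}

# Step 6, absolute-path variant (rewritten in place rather than commented
# out and re-added), plus step 7. Every pattern is anchored on the full
# variable name at the start of the line, so unlike the page's
# 's|../rules|rules|' (where each '.' is a regex wildcard) it cannot
# touch any other line that happens to contain "../rules".
patch_snort_conf() {
  local conf="$1" etc_dir="$2"
  cp -p "$conf" "$conf.$(date +%F)"          # backup first, as in step 6
  sed -i \
    -e "s#^var RULE_PATH .*#var RULE_PATH $etc_dir/rules#" \
    -e "s#^var SO_RULE_PATH .*#var SO_RULE_PATH $etc_dir/so_rules#" \
    -e "s#^var PREPROC_RULE_PATH .*#var PREPROC_RULE_PATH $etc_dir/preproc_rules#" \
    -e "s#^var WHITE_LIST_PATH .*#var WHITE_LIST_PATH $etc_dir/rules#" \
    -e "s#^var BLACK_LIST_PATH .*#var BLACK_LIST_PATH $etc_dir/rules#" \
    -e 's/^dynamicdetection /#dynamicdetection /' \
    "$conf"
  # The files named by WHITE_LIST_PATH/BLACK_LIST_PATH must exist for the
  # reputation preprocessor to load, so create them empty (step 6).
  mkdir -p "$etc_dir/rules"
  touch "$etc_dir/rules/white_list.rules" "$etc_dir/rules/black_list.rules"
}

# Read back the value of "var NAME value"; commented-out lines are ignored
# because their first field is "#var", not "var".
conf_var() {
  awk -v name="$2" '$1 == "var" && $2 == name { print $3 }' "$1"
}

# Report whether an active (uncommented) dynamicdetection line remains.
dynamicdetection_state() {
  if grep -q '^dynamicdetection ' "$1"; then echo enabled; else echo disabled; fi
}

# Dry run on the excerpt in a scratch directory. On a real host call
#   patch_snort_conf /etc/snort/snort.conf /etc/snort
# and then validate with step 8: snort -T -c /etc/snort/snort.conf
work=$(mktemp -d)
write_sample_conf "$work/snort.conf"
patch_snort_conf "$work/snort.conf" "$work"
cat "$work/snort.conf"
echo "dynamicdetection: $(dynamicdetection_state "$work/snort.conf")"
```

Keeping the backup from `cp -p` next to the config is what lets you diff the two files afterwards and confirm that only the five path variables and the dynamicdetection line changed; anything else that differs means the pattern matched more than intended.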