在Ubuntu上部署Snort的NIDS模式,需要以下幾個步驟:
sudo apt-get update
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev zlib1g-dev
wget https://www.snort.org/downloads/snort/snort-2.9.16.tar.gz
tar -xvf snort-2.9.16.tar.gz
cd snort-2.9.16
接下來,配置并編譯Snort:
./configure --enable-ipv6 --enable-gre --enable-mpls --with-dnet-includes=/usr/include/dnet --with-dnet-libraries=/usr/lib
make
sudo make install
/etc/snort/snort.conf。以下是一個基本的Snort配置文件示例:# /etc/snort/snort.conf
include /usr/local/etc/snort/rules/snort.rules
preprocessor decoder_preprocessor_rules: /usr/local/etc/snort/preproc_rules/decoder.rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
http_methods { GET POST PUT DELETE HEAD OPTIONS CONNECT PATCH } \
chunk_length 500000 \
server_flow_depth 0 \
client_flow_depth 0 \
post_depth 65495 \
oversize_dir_length 500 \
max_header_length 750 \
max_headers 100 \
max_spaces 200 \
small_chunk_length { 10 5 } \
ascii { 32 126 } \
double_decode on \
bare_byte on \
iis_backslash on \
directory_traversals on \
utf_8 on \
u_encode on \
bare_byte on \
webroot "c:\inetpub\wwwroot" \
xff_headers on
/usr/local/etc/snort/rules目錄下創建一個名為snort.rules的文件。在此文件中,添加您希望Snort檢測的規則。以下是一個簡單的示例規則:alert tcp any any -> any any (msg:"Test Rule"; sid:1000000; rev:1;)
sudo snort -i<interface> -c /etc/snort/snort.conf -l /var/log/snort/
將<interface>替換為要監控的網絡接口(例如,eth0)。
現在,Snort應該已經在NIDS模式下運行,并根據配置的規則檢測流量。要查看Snort生成的警報,請查看/var/log/snort/目錄下的日志文件。
