Snort installation and configuration

The seven OSI layers

  • Application layer
  • Presentation layer
  • Session layer
  • Transport layer
  • Network layer
  • Data link layer
  • Physical layer

Installing Snort

        sudo apt update
        apt -y install snort
        snort --version
        snort -v

        cd /etc/snort/rules

        nano local.rules
    

Network-layer detection with Snort

        tcpdump -i enp0s3 -e icmp

        nano /etc/snort/snort.conf

        # comment out every include line except: include $RULE_PATH/local.rules

        snort -A console -q -u snort -g snort -c /etc/snort/snort.conf
    

Detection

        alert icmp any any -> any any (msg:""; sid:1000001;)
    

ICMP flooding attack

Attack

        hping3 10.0.2.15 --icmp --flood
    

Detection

        alert icmp any any -> any any (msg:""; threshold:type both, track by_src, count 10, seconds 2; sid:1000002;)
    

If 10 or more ICMP requests arrive within 2 seconds, treat it as a ping-of-death attack!
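As an added example (not part of the original notes), the following Python model shows how the threshold option above decides when to alert: events are tracked per source IP, a window of `seconds` is opened on the first event, and type both fires exactly once when the count reaches 10 inside that window. It goes beyond the page's rule by also modelling type limit and type threshold, following the documented semantics of those types; the event timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SrcState:
    tstart: Optional[float] = None  # start of the current time window
    count: int = 0                  # events seen in the current window


@dataclass
class Threshold:
    """Model of the Snort 'threshold' rule option with track by_src.

    limit: alert on the first <count> events per interval.
    threshold: alert every <count> events per interval.
    both: alert once per interval after <count> events, then stay quiet.
    """
    kind: str                        # "limit", "threshold" or "both"
    count: int
    seconds: float
    state: dict = field(default_factory=dict)

    def feed(self, t: float, src: str) -> bool:
        """Return True if the event at time t from src should raise an alert."""
        s = self.state.setdefault(src, SrcState())
        if s.tstart is None or t - s.tstart > self.seconds:
            s.tstart, s.count = t, 0  # window expired: open a new one
        s.count += 1
        if self.kind == "limit":
            return s.count <= self.count
        if self.kind == "threshold":
            if s.count >= self.count:
                s.count = 0           # alert, then start counting again
                return True
            return False
        return s.count == self.count  # "both": exactly once per window


def detect(events, kind="both", count=10, seconds=2.0):
    """Run the rule (count 10 in 2 s, track by_src) over (time, src) events."""
    th = Threshold(kind, count, seconds)
    return [(t, src) for t, src in sorted(events) if th.feed(t, src)]


# Constructed sample: 10.0.2.4 sends 40 ICMP echo requests 100 ms apart
# (a flood) while 10.0.2.7 sends 5 ordinary pings during the same second.
SAMPLE_EVENTS = [(i / 10, "10.0.2.4") for i in range(40)] + \
                [(0.5 + i / 10, "10.0.2.7") for i in range(5)]

if __name__ == "__main__":
    for t, src in detect(SAMPLE_EVENTS):
        print(f"ALERT t={t:.1f}s src={src} (ICMP flood, sid:1000002)")
```

The flood source trips the rule once per 2-second window (at 0.9 s and again at 3.0 s) while the normal host, with only 5 pings, never alerts.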

Attack

        nmap 10.0.2.15 -p 22 -sT
    

Detection

        alert tcp any any -> 10.0.2.15 22 (msg:"nmapScan";flags:S;sid:1000003;)
    

Storing Snort logs in MySQL

[Step 1]

        apt update
        apt -y install snort
    

[Step 2]

        cd /var/log
    

Installing Barnyard2

        apt update
        apt -y install build-essential
        apt -y install libpcap-dev libpcre3-dev libdumbnet-dev
        apt -y install mysql-server libmysqlclient-dev mysql-client autoconf libtool
        apt -y install bison flex
    
        mkdir snort_source
        cd snort_source
        wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz

        tar -xvzf daq-2.0.7.tar.gz
        cd daq-2.0.7
        ./configure && make && make install
        cd ~
        touch /etc/snort/sid-msg.map
        cat /etc/snort/snort.conf -n | egrep "output unified2"
        > the output unified2 settings appear on lines 550 and 551
    
        cd snort_source
        wget https://github.com/firnsy/barnyard2/archive/master.tar.gz
        tar zxvf master.tar.gz
        cd barnyard2-master
        autoreconf -fvi -I ./m4
    
        ln -s /usr/include/dumbnet.h /usr/include/dnet.h
        ldconfig
        getconf LONG_BIT
        # prints 64, i.e. this is a 64-bit system
    
        ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
        make && make install
        cd
        /usr/local/bin/barnyard2 -V
    

Verifying the installation

        cp ~/snort_source/barnyard2-master/etc/barnyard2.conf /etc/snort/
    
        mkdir /var/log/barnyard2
        chmod 666 /var/log/barnyard2
        touch /var/log/snort/barnyard2.waldo
        chown snort.snort /var/log/snort/barnyard2.waldo
    
        cd ~/snort_source/barnyard2-master/schemas
        # create the database and the account used in barnyard2.conf, then load the schema
        mysql -u root -p -e "CREATE DATABASE snort; CREATE USER 'snort'@'localhost' IDENTIFIED BY 'root'; GRANT ALL ON snort.* TO 'snort'@'localhost';"
        mysql -u root -p snort < create_mysql
    
        nano /etc/snort/barnyard2.conf
        output database: log, mysql, user=snort password=root dbname=snort host=localhost
        sudo chmod o-r /etc/snort/barnyard2.conf
    

Test

        sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i enp0s3 -l /var/log/snort
        sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
    
        mysql -u snort -p snort
        select count(*) from event;