Installing and configuring Snort on Kali for simple intrusion detection
Snort is really a devil. I have installed it on four systems, I don't know how many times. In the end, it was barely installed on a cloud server running Ubuntu 18.
Main reasons for installation failure
- An unstable network connection (this is also the root cause of many of the problems below);
- Incomplete installation of the dependencies;
Main reasons for configuration failure
- The snort version does not match the version of the snort rule library;
- A configuration file cannot be found because of an incorrect modification;
Snort installation and configuration
Be sure to update the package index first. Many novices overlook this step and then wonder why the software cannot be installed and why the network seems so poor.
sudo apt-get update
Install the daq prerequisites before installing
sudo apt-get install flex -y
sudo apt-get install bison -y
sudo apt-get install aptitude -y
sudo aptitude install libpcap-dev -y
Installing daq
The instructions for this step can be found on the home page of the official website. Be sure to use the version of the package currently listed there.
At present, it is 2021.11.28, and the DAQ package is daq-2.0.7.tar.gz.
# 1. Download the daq installation package
sudo wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
# 2. Decompress it
sudo tar xvfz daq-2.0.7.tar.gz
# 3. Switch into the source directory
cd daq-2.0.7
# 4. Configure, compile and install
./configure && sudo make && sudo make install
# 5. Go back to the parent directory (many novices are confused when watching other people's tutorials, and they don't know which path to execute what code in)
cd ..
Dependencies required before installing snort
sudo aptitude install libpcre3-dev -y
sudo aptitude install libdumbnet-dev -y
sudo aptitude install zlib1g-dev -y
sudo apt-get install openssl -y
sudo apt-get install libssl-dev -y
# LuaJIT library (I don't know why this is used, but it will report an error if it is not installed)
sudo wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
sudo tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
sudo make && sudo make install && cd ..
Install snort
Key point
Here, as with daq above, you should select the version of the package currently listed on the official home page.
At present, it is 2021.11.28, and the snort version package is snort-2.9.18.1.tar.gz.
Otherwise, you may not be able to download it from the official website.
sudo wget https://www.snort.org/downloads/snort/snort-2.9.18.1.tar.gz
sudo tar xvfz snort-2.9.18.1.tar.gz
cd snort-2.9.18.1
./configure --enable-sourcefire && make && sudo make install
A small error occurred
The build reports that the header file <rpc/rpc.h> was not found.
Solution
sudo apt install libntirpc-dev
You can check whether this solves the problem, but my problem was not solved. Continue.
I found this header file in ntirpc and other folders. My method is to copy all files under ntirpc to /usr/include/. The problem is solved:
sudo cp /usr/include/ntirpc/* /usr/include/ -r
Configuration
Create folders
#Snort installation directories
sudo mkdir -p /etc/snort/rules/iplists
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
#Store filtering rules and the server black and white lists
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/so_rules
#Create the log directories
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
#Adjust permissions (5775 = setuid and sticky bits plus rwxrwxr-x)
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/rules/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
Copy files
sudo cp /home/kali/snort-2.9.18.1/etc/*.conf* /etc/snort
sudo cp /home/kali/snort-2.9.18.1/etc/*.map /etc/snort
sudo cp /home/kali/snort-2.9.18.1/etc/*.dtd /etc/snort
sudo cp /home/kali/snort-2.9.18.1/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
Modify the configuration file
# Open the configuration file
sudo vim /etc/snort/snort.conf
# Modify the paths: find the corresponding lines and change them to the following
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists/
var BLACK_LIST_PATH /etc/snort/rules/iplists/
whitelist $WHITE_LIST_PATH/default.whitelist, \
blacklist $BLACK_LIST_PATH/default.blacklist
Download the rule package that matches snort
# 1. Download
wget https://www.snort.org/downloads/registered/snortrules-snapshot-29181.tar.gz
# 2. Decompress
sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort
# 3. Copy (choose the directory according to the system (the RHEL part should be the one corresponding to kali) and the installed package (2.9.18.1; there is usually only one folder))
sudo cp /etc/snort/so_rules/precompiled/RHEL-8/x86-64/2.9.18.1/* /usr/local/lib/snort_dynamicrules/
Start test
Obviously, the result is normal
sudo snort -T -c /etc/snort/snort.conf
The experimental part has not been finished yet. Stop for a minute
Posted on Sun, 28 Nov 2021 05:33:24 -0500 by poknam
How To Install snort on Kali Linux
In this tutorial we learn how to install snort on Kali Linux.
What is snort
Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.
This package provides the plain-vanilla version of Snort.
There are three ways to install snort on Kali Linux: apt-get, apt and aptitude. The following sections describe each method; you can choose one of them.
Install snort Using apt-get
Update apt database with apt-get using the following command.
After updating the apt database, we can install snort using apt-get by running the following command:
sudo apt-get -y install snort
Install snort Using apt
Update apt database with apt using the following command.
After updating the apt database, we can install snort using apt by running the following command:
Install snort Using aptitude
If you want to follow this method, you might need to install aptitude first since aptitude is usually not installed by default on Kali Linux. Update apt database with aptitude using the following command.
After updating the apt database, we can install snort using aptitude by running the following command:
sudo aptitude -y install snort
How To Uninstall snort on Kali Linux
To uninstall only the snort package we can use the following command:
Uninstall snort And Its Dependencies
To uninstall snort and its dependencies that are no longer needed by Kali Linux, we can use the command below:
sudo apt-get -y autoremove snort
Remove snort Configurations and Data
To remove snort configuration and data from Kali Linux we can use the following command:
sudo apt-get -y purge snort
Remove snort configuration, data, and all of its dependencies
We can use the following command to remove snort configurations, data and all of its dependencies:
sudo apt-get -y autoremove --purge snort
Summary
In this tutorial we learn how to install snort using different package management tools like apt, apt-get and aptitude.
What is Snort?
From the www.snort.org website: Snort® is an open source intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.
In this article we look at how to install snort from source, write rules and perform basic testing.
Install Snort
# apt-get update
# apt-get install snort
Verify the Snort installation
Verify the installation as shown below.
Create the following snort.conf and icmp.rules files:
Open the snort configuration file:
# leafpad /etc/snort/snort.conf
Check the configuration file and verify whether the icmp rules are included. If not, include the line below.
include /etc/snort/rules/icmp.rules
Open the icmp rules file and include the rule given below:
# leafpad /etc/snort/rules/icmp.rules
Include the line below in the icmp.rules file.
alert icmp any any -> any any (msg: "ICMP Packet"; sid: 477; rev: 3;)
The basic rule above raises an alert whenever there is an ICMP packet (ping).
The structure of the alert is as follows:
<Rule Actions> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)
Structure | Example |
---|---|
Rule Actions | alert |
Protocol | icmp |
Source IP Address | any |
Source Port | any |
Direction Operator | -> |
Destination IP Address | any |
Destination Port | any |
(rule options) | (msg:"ICMP Packet"; sid:477; rev:3;) |
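The rule structure in the table can be checked mechanically. The Python sketch below is an added example, not code from the original article or from Snort; all function names are hypothetical. It splits a rule into the table's fields and flags two points about the article's rule: sid 477 is below 1000000, where the Snort manual places local rules, and the header matches every ICMP packet.

```python
import re

# Header fields, in the order of the rule-structure table above.
FIELDS = ("action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
RULE_RE = re.compile(r"^\s*([^()]+?)\s*\((.*)\)\s*$", re.S)
PAGE_RULE = 'alert icmp any any -> any any (msg: "ICMP Packet"; sid: 477; rev: 3;)'

def split_options(body):
    """Split on ';' but not inside a double-quoted value or after a backslash."""
    parts, buf, quoted, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            parts.append(buf.strip())
            buf = ""
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = ch == "\\" and not escaped
        buf += ch
    if buf.strip():
        raise ValueError("last option is not terminated with ';'")
    return [p for p in parts if p]

def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("expected '<header> (<rule options>)'")
    header = m.group(1).split()
    if len(header) != len(FIELDS) or header[4] not in ("->", "<>"):
        raise ValueError(f"bad rule header: {m.group(1)!r}")
    rule = dict(zip(FIELDS, header))
    # Keep options as ordered pairs: some (e.g. content) may repeat.
    pairs = (opt.partition(":") for opt in split_options(m.group(2)))
    rule["options"] = [(k.strip(), v.strip().strip('"')) for k, _, v in pairs]
    return rule

def lint(rule):
    """Return findings a reviewer would raise before enabling the rule."""
    opts, out = dict(rule["options"]), []
    sid = opts.get("sid", "")
    if not sid.isdigit():
        out.append("missing or non-numeric sid")
    elif int(sid) < 1_000_000:
        out.append(f"sid {sid} is in the range reserved for distributed rules; "
                   "local rules use 1000000 and above")
    if all(rule[f] == "any" for f in ("src_ip", "src_port", "dst_ip", "dst_port")):
        out.append("header matches every packet of this protocol")
    return out
```

Calling `lint(parse_rule(PAGE_RULE))` returns both findings for the article's rule.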
Using Snort
Run snort from the command line, as shown below.
# snort -c /etc/snort/snort.conf -l /var/log/snort/
Here, -c specifies the rules file and -l the log directory.
Show the alert log
Try pinging an IP from your machine to test our ping rule. Below is an example of a snort alert for this ICMP rule.
root@vishnu:~# head /var/log/snort/alert
[**] [1:2925:3] INFO web bug 0x0 gif attempt [**]
[Classification: Misc activity] [Priority: 3]
12/02-12:08:40.479756 107.20.221.156:80 -> 192.168.1.64:55747
TCP TTL:42 TOS:0x0 ID:14611 IpLen:20 DgmLen:265 DF
***AP*** Seq: 0x6C1242F9 Ack: 0x74B1A5FE Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 1050377198 1186998

[**] [1:368:6] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
12/02-12:09:01.112440 192.168.1.14 -> 192.168.1.64
Alert explanation
A couple of lines are added for each alert, which include the following:
The message is printed on the first line.
Source IP address
Destination IP address
Packet type and header information.
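To work with the alert file beyond `head`, the layout described above can be parsed into records. This Python sketch is an added example, not part of the original article; the function names are hypothetical, the sample is the excerpt shown above, and endpoints are assumed to be IPv4. It tolerates alerts without a classification line and a final alert cut short by `head`.

```python
import re
from collections import Counter

# Alert excerpt as shown in the article's `head /var/log/snort/alert` output.
SAMPLE = """\
[**] [1:2925:3] INFO web bug 0x0 gif attempt [**]
[Classification: Misc activity] [Priority: 3]
12/02-12:08:40.479756 107.20.221.156:80 -> 192.168.1.64:55747
TCP TTL:42 TOS:0x0 ID:14611 IpLen:20 DgmLen:265 DF
***AP*** Seq: 0x6C1242F9 Ack: 0x74B1A5FE Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 1050377198 1186998

[**] [1:368:6] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
12/02-12:09:01.112440 192.168.1.14 -> 192.168.1.64
"""

HEAD = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS = re.compile(r"\[Classification: ([^\]]*)\] \[Priority: (\d+)\]")
FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")

def split_endpoint(ep):
    # IPv4 "addr:port", or a bare "addr" for protocols without ports (ICMP).
    addr, sep, port = ep.rpartition(":")
    return (addr, int(port)) if sep else (ep, None)

def parse_alerts(text):
    alerts, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := HEAD.match(line)):
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            alerts.append(cur)
        elif cur is None:
            continue  # text before the first alert header
        elif (m := CLASS.search(line)):
            cur["classification"], cur["priority"] = m[1], int(m[2])
        elif (m := FLOW.match(line)) and "src" not in cur:
            cur["time"] = m[1]
            cur["src"], cur["sport"] = split_endpoint(m[2])
            cur["dst"], cur["dport"] = split_endpoint(m[3])
    return alerts

def top_talkers(alerts):
    """Count alerts per (source address, sid) pair to spot noisy sources."""
    return Counter((a["src"], a["sid"]) for a in alerts if "src" in a)
```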
If you have a different interface for the network connection, use the -dev -i option. In this example my network interface is eth0.
# snort -dev -i eth0 -c /etc/snort/snort.conf -l /var/log/snort/
Run snort as a daemon
Add the -D option to run snort as a daemon.
# snort -D -c /etc/snort/snort.conf -l /var/log/snort/