Preface


"You can be sure of succeeding in your attacks if you attack only places that are undefended. You can ensure the safety of your defense if you hold only positions that cannot be attacked. Hence, when the general is skilled in attack, his opponent does not know what to defend; when he is skilled in defense, his opponent does not know what to attack."

This article introduces an excellent and classic intrusion detection system: Snort. The main contents are as follows:

  • Installing and configuring Snort on CentOS
  • Basic usage of Snort

0 Installing and configuring Snort

Installation:

# Environment
cat /etc/redhat-release
## Result: CentOS Linux release 7.5.1804 (Core)
uname -a
## Result: Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 \
##  SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# Steps of Installation
yum install -y epel-release
yum install -y nghttp2
yum install -y https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
yum install -y https://www.snort.org/downloads/snort/snort-2.9.12-1.centos7.x86_64.rpm
ln -s /lib64/libdnet.so.1 /lib64/libdnet.1

Configuration:

# vim /etc/snort/snort.conf

# Setup the network addresses you are protecting
ipvar HOME_NET 172.16.56.0/24
# output log_tcpdump: tcpdump.log
output alert_fast: alert.ids
# Set the absolute path appropriately
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules
# Important!!! comment all the rules except `local.rules`

The final configuration step is to comment out, at the end of snort.conf, every rule include other than local.rules. We do not currently have those rule files, and if their includes are left active Snort will fail with an error when it starts in intrusion detection mode. For the same reason, we need to run the following commands to create the black and white list files:

touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/white_list.rules
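
The two configuration steps above (commenting out every rule include except local.rules, and creating the empty list files) are easy to get wrong by hand, so here is an added shell example, not from the original post, that performs them and reports how many rule includes remain active. It assumes the stock Snort 2.9 snort.conf layout, in which rule files are pulled in with `include $RULE_PATH/<name>.rules`; with no arguments it runs on a constructed sample in a temporary directory instead of the real file.

```shell
#!/bin/sh
# Added example (not from the original post): automate the last two config
# steps, i.e. disable every "include $RULE_PATH/*.rules" except local.rules
# and create the black/white list files. Assumes the stock Snort 2.9 layout.

# Comment out all rule includes other than local.rules, keeping a .bak copy.
disable_rule_includes() {
    conf="$1"
    cp "$conf" "$conf.bak"
    awk '
        /^include \$RULE_PATH\// && !/\/local\.rules[ \t]*$/ { print "# " $0; next }
        { print }
    ' "$conf.bak" > "$conf"
}

# Number of rule includes still active; after the edit this should be 1.
active_rule_includes() {
    grep -c '^include \$RULE_PATH/' "$1"
}

# Create the (empty) list files named by WHITE_LIST_PATH / BLACK_LIST_PATH.
create_list_files() {
    mkdir -p "$1" && touch "$1/black_list.rules" "$1/white_list.rules"
}

# Run on a constructed sample of the tail of snort.conf (not the real file).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/snort.conf" <<'EOF'
ipvar HOME_NET 172.16.56.0/24
output alert_fast: alert.ids
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/backdoor.rules
EOF
    disable_rule_includes "$tmp/snort.conf"
    create_list_files "$tmp/rules"
    echo "active rule includes: $(active_rule_includes "$tmp/snort.conf")"
    rm -rf "$tmp"
}

# Usage: sh snort_prep.sh [/etc/snort/snort.conf [/etc/snort/rules]]
if [ -n "${1:-}" ]; then
    disable_rule_includes "$1"
    create_list_files "${2:-/etc/snort/rules}"
    echo "active rule includes: $(active_rule_includes "$1")"
else
    demo
fi
```

Afterwards, `snort -T -c /etc/snort/snort.conf` tests the configuration without capturing any traffic, so a missing rule file shows up before Snort is put on the wire.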

At this point Snort is configured and ready to use.

1 Basic usage of Snort

Overall, Snort can work in four modes (the fourth, inline/IPS mode, is outside the scope of this article); the three covered here are:

  • Sniffer mode: equivalent to TCPDUMP. The main options are -v -d -e.
  • Packet logger mode: similar to sniffer mode. The difference is that sniffer mode prints the captured traffic to the screen, while packet logger mode writes it to log files on disk. Specifying a log directory with -l activates packet logger mode.
  • Intrusion detection mode: the mode in which Snort works as an IDS. Specifying a configuration file with -c activates intrusion detection mode.

The meaning of Snort's other options can be looked up by running snort -h on the command line. Below, we try each of these three modes in practice.

The test environment is as follows:

Network: 172.16.56.0/24
Machine running Snort: 172.16.56.138
Another machine on the network: 172.16.56.1

1.0 Sniffer mode

On .138, start sniffing:

# -d         Dump the Application Layer
# -v         Be verbose
# -e         Display the second layer header info
# -i <if>    Listen on interface <if>
snort -vde -i ens33

Snort's sniffer mode start-up screen looks like this:

Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "ens33".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=64236)

From .1, ping .138 once:

ping -c 1 172.16.56.138
PING 172.16.56.138 (172.16.56.138): 56 data bytes
64 bytes from 172.16.56.138: icmp_seq=0 ttl=64 time=0.371 ms

--- 172.16.56.138 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.371/0.371/0.371/0.000 ms

On .138 the following is displayed:

WARNING: No preprocessors configured for policy 0.
12/02-19:28:17.740335 00:50:56:C0:00:08 -> 00:0C:29:85:DB:15 type:0x800 len:0x62
172.16.56.1 -> 172.16.56.138 ICMP TTL:64 TOS:0x0 ID:39794 IpLen:20 DgmLen:84
Type:8  Code:0  ID:24592   Seq:0  ECHO
5C 03 C1 D1 00 0B B7 62 08 09 0A 0B 0C 0D 0E 0F  \......b........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
12/02-19:28:17.740418 00:0C:29:85:DB:15 -> 00:50:56:C0:00:08 type:0x800 len:0x62
172.16.56.138 -> 172.16.56.1 ICMP TTL:64 TOS:0x0 ID:24851 IpLen:20 DgmLen:84
Type:0  Code:0  ID:24592  Seq:0  ECHO REPLY
5C 03 C1 D1 00 0B B7 62 08 09 0A 0B 0C 0D 0E 0F  \......b........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

This is sniffer mode.

1.1 Packet logger mode

Start it as follows; here we also use a Berkeley Packet Filter (BPF) expression to select which packets are recorded:

snort -vde -l /var/log/snort/ -i ens33 icmp and net 172.16.56.0/24

Below is the packet logger mode start-up screen:

Running in packet logging mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: icmp and net 172.16.56.0/24
Log directory = /var/log/snort/
pcap DAQ configured to passive.
Acquiring network traffic from "ens33".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=64345)

As before, we have .1 ping .138 once and then inspect the log:

file ./snort.log.1543750342
./snort.log.1543750342: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)

This shows that the log is a pcap capture file, which we can read directly with Snort:

snort -r ./snort.log.1543750342

The result is similar to what sniffer mode shows. We can also read the file with TCPDUMP:

tcpdump -r ./snort.log.1543750342
reading from file ./snort.log.1543750342, link-type EN10MB (Ethernet)
19:33:58.373009 IP 172.16.56.1 > localhost.localdomain: ICMP echo request, id 26128, seq 0, length 64
19:33:58.373064 IP localhost.localdomain > 172.16.56.1: ICMP echo reply, id 26128, seq 0, length 64

With BPF we can add further conditions to make packet logging more precise.

1.2 Intrusion detection mode

We first write a rule into /etc/snort/rules/local.rules:

# vim local.rules
alert ICMP any any -> $HOME_NET any (msg: "A Ping operation appears!"; sid: 10000001)

Then run:

snort -v -l /var/log/snort/ -i ens33 -c /etc/snort/snort.conf

We can see:

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
...

Next, have .1 ping .138, and then inspect the log:

cat /var/log/snort/alert.ids
12/02-19:42:13.440240  [**] [1:10000001:0] A Ping operation appears! [**] [Priority: 0] {ICMP} 172.16.56.1 -> 172.16.56.138
12/02-19:42:13.440282  [**] [1:10000001:0] A Ping operation appears! [**] [Priority: 0] {ICMP} 172.16.56.138 -> 172.16.56.1

We can also write TCP rules for intrusion detection. The three rules below narrow the source from any host, to the 172.16.56.0/24 network, to the single host 172.16.56.1; they share one sid, so they are alternatives to try one at a time rather than rules to load together:

alert TCP any any -> $HOME_NET any (msg: "TCP connection!"; sid: 10000002)
alert TCP 172.16.56.0/24 any -> $HOME_NET any (msg: "TCP connection!"; sid: 10000002)
alert TCP 172.16.56.1 any -> $HOME_NET any (msg: "TCP connection!"; sid: 10000002)
cat /var/log/snort/alert.ids
12/02-20:15:38.256149  [**] [1:10000002:0] TCP connection! [**] [Priority: 0] {TCP} 172.16.56.1:61563 -> 172.16.56.138:10000
12/02-20:15:38.256377  [**] [1:10000002:0] TCP connection! [**] [Priority: 0] {TCP} 172.16.56.1:61563 -> 172.16.56.138:10000
12/02-20:15:44.268159  [**] [1:10000002:0] TCP connection! [**] [Priority: 0] {TCP} 172.16.56.1:61563 -> 172.16.56.138:10000
12/02-20:15:50.406361  [**] [1:10000002:0] TCP connection! [**] [Priority: 0] {TCP} 172.16.56.1:61563 -> 172.16.56.138:10000
12/02-20:15:51.032459  [**] [1:10000002:0] TCP connection! [**] [Priority: 0] {TCP} 172.16.56.1:61563 -> 172.16.56.138:10000
12/02-20:15:51.032944  [**] [1:10000002:0] TCP connection! [**] [Priority: 0] {TCP} 172.16.56.1:61563 -> 172.16.56.138:10000

Rule writing is where the complexity, the focus and the difficulty of IDS mode lie.
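
Once rules fire, alert.ids grows quickly, and the first thing a defender wants is a summary by signature and source host. The following is an added shell example (not from the original post) that parses the alert_fast format shown above into counts per gid:sid:rev, protocol and source, and lists the sources that exceed a threshold for a given sid; with no arguments it runs on a constructed sample made from the alert lines above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Snort alert_fast
# output (the alert.ids format shown above) by signature and source host.

# Print "<count> <gid:sid:rev> <proto> <src>" per signature/source, busiest first.
summarize_alerts() {
    awk '
    NF < 5 { next }                               # skip blank or truncated lines
    {
        id = substr($3, 2, length($3) - 2)        # "[1:10000002:0]" -> "1:10000002:0"
        proto = ""; src = ""
        for (i = 4; i <= NF; i++)                 # locate the "{PROTO} src -> dst" part
            if (substr($i, 1, 1) == "{") { proto = substr($i, 2, length($i) - 2); src = $(i + 1); break }
        sub(/:[0-9]+$/, "", src)                  # drop the source port (TCP/UDP only)
        count[id " " proto " " src]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Sources that triggered sid $2 more than $3 times (default 3).
noisy_sources() {
    summarize_alerts "$1" | awk -v sid="$2" -v min="${3:-3}" '
        { split($2, g, ":"); if (g[2] == sid && $1 + 0 > min + 0) print $4 }'
}

# Constructed sample built from the alert lines shown above.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
12/02-19:42:13.440240  [**] [1:10000001:0] A Ping operation appears! [**] [Priority: 0] {ICMP} 172.16.56.1 -> 172.16.56.138
12/02-19:42:13.440282  [**] [1:10000001:0] A Ping operation appears! [**] [Priority: 0] {ICMP} 172.16.56.138 -> 172.16.56.1
12/02-20:15:38.256149  [**] [1:10000002:0] TCP connection! [**] [Priority: 0] {TCP} 172.16.56.1:61563 -> 172.16.56.138:10000
12/02-20:15:38.256377  [**] [1:10000002:0] TCP connection! [**] [Priority: 0] {TCP} 172.16.56.1:61563 -> 172.16.56.138:10000
12/02-20:15:44.268159  [**] [1:10000002:0] TCP connection! [**] [Priority: 0] {TCP} 172.16.56.1:61563 -> 172.16.56.138:10000
12/02-20:15:50.406361  [**] [1:10000002:0] TCP connection! [**] [Priority: 0] {TCP} 172.16.56.1:61563 -> 172.16.56.138:10000
EOF
    summarize_alerts "$tmp"
    echo "sources with more than 3 hits on sid 10000002: $(noisy_sources "$tmp" 10000002 3)"
    rm -f "$tmp"
}

# Usage: sh alert_summary.sh [/var/log/snort/alert.ids]
if [ -n "${1:-}" ]; then summarize_alerts "$1"; else demo; fi
```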

Summary

Snort is a NIDS/NIPS that is well worth studying; its wide adoption shows its lasting strength.
