No preamble, straight to the good stuff!
Recently, for research, I needed to install and use Snort.
Snort's official website:
https://www.snort.org/
Snort is an excellent open-source host intrusion detection system that can be installed and run on both Windows and Linux. Ubuntu, a Linux distribution aimed mainly at desktop use, can also run Snort.
Intrusion detection is very important for network security. An intrusion detection system (IDS) is used to detect illegitimate and malicious requests on the network. Snort is a well-known open-source IDS. Its web interface (Snorby) can be used to analyse alerts more effectively. Snort uses the iptables/pf firewall as part of the intrusion detection system. In this post, I will install and configure the open-source IDS Snort.
The best documentation is, as always, the official documentation!
A few words before we start
I have chosen to install Snort following the current official guide, and the version targeted is Snort 2.9.9.
I recommend you do as I did: take a snapshot before installing Snort, so that if something goes wrong you can simply restore it and start over.
Click through to follow the official documentation with me:
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/122/original/Snort_2.9.9.x_on_Ubuntu_14-16.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1494907659&Signature=xhOV%2FnF7%2BOsP%2FZUHpPLmYTU4%2Fkc%3D
Now, let me walk you through the network configuration.
8 Network Card Configuration
From http://manual.snort.org/node7.html:
Some network cards have features named “Large Receive Offload” (lro) and “Generic Receive Offload” (gro). With these features enabled, the network card performs packet reassembly before they’re processed by the kernel. By default, Snort will truncate packets larger than the default snaplen of 1518 bytes. In addition, LRO and GRO may cause issues with Stream5 target-based reassembly. We recommend that you turn off LRO and GRO.
To disable LRO and GRO for any interface that Snort listens on, we will use the ethtool command in the network interface configuration file /etc/network/interfaces. We use vi to edit the network interfaces file:
sudo vi /etc/network/interfaces
Append the following two lines for each network interface, making sure to change eth0 to match the interface you are working on, since your interface names may be different, especially on Ubuntu 16 (this step is required):
In my case, ifconfig shows the interface name as ens33, so that is the name I have to use.
post-up ethtool -K ens33 gro off
post-up ethtool -K ens33 lro off
An example of how the /etc/network/interfaces file should look for a single interface:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens33
iface ens33 inet dhcp
post-up ethtool -K ens33 gro off
post-up ethtool -K ens33 lro off
Restart networking (replacing ens33 below with your interface name) and verify that LRO and GRO are disabled:
user@snortserver:~$ sudo ifconfig ens33 down && sudo ifconfig ens33 up
user@snortserver:~$ ethtool -k ens33 | grep receive-offload
generic-receive-offload: off
large-receive-offload: off
user@snortserver:~$
Mine still showed "on", so, as the official documentation also says, I rebooted the virtual machine.
If the interfaces do not show LRO and GRO as off, reboot and check again (it can be difficult to get Ubuntu to reload the network configuration without a reboot).
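As an added pre-flight check (example code, not from the Snort guide or this post), the script below parses the output of ethtool -k and reports whether GRO and LRO are off on the interface Snort will listen on. The sample output strings are constructed; the "[fixed]" marker is ethtool's own way of flagging a feature that cannot be toggled with ethtool -K, which matters because a post-up line cannot fix an "on [fixed]" feature.

```shell
#!/bin/sh
# Added example: verify that the receive-offload features the Snort guide
# says to disable (GRO and LRO) are actually off before starting Snort.

# check_offload_output: parse text in the format of `ethtool -k <iface>`.
# Prints one status line per relevant feature; returns 0 only if both are off.
check_offload_output() {
    printf '%s\n' "$1" | awk '
        /^(generic|large)-receive-offload:/ {
            feature = $1
            sub(/:$/, "", feature)
            state = $2
            fixed = ""
            # ethtool appends "[fixed]" when the driver will not let the
            # feature be changed, so ethtool -K cannot fix an "on [fixed]".
            if ($3 == "[fixed]") fixed = " (fixed: ethtool -K cannot change it)"
            if (state == "off") {
                print feature ": OK, off" fixed
            } else {
                print feature ": PROBLEM, " state fixed
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# check_iface: run the check against a live interface, e.g. check_iface ens33.
check_iface() {
    check_offload_output "$(ethtool -k "$1")"
}

# Constructed sample outputs (not captured from a real machine) so the parser
# can be exercised without root or a physical NIC.
SAMPLE_OK='Features for ens33:
rx-checksumming: on
generic-receive-offload: off
large-receive-offload: off [fixed]'

SAMPLE_BAD='Features for ens33:
generic-receive-offload: on
large-receive-offload: off'

if check_offload_output "$SAMPLE_OK"; then echo "sample ok: ready for Snort"; fi
check_offload_output "$SAMPLE_BAD" || echo "sample bad: fix offloads before starting Snort"
```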
Next step
9 Installing the Snort Pre-Requisites
Snort has four main pre-requisites (to be installed beforehand):
pcap (libpcap-dev) available from the Ubuntu repository
PCRE (libpcre3-dev) available from the Ubuntu repository
Libdnet (libdumbnet-dev) available from the Ubuntu repository
DAQ (http://www.snort.org/downloads/) compiled from source
First we want to install all the tools required for building software. The build-essential package does this for us:
sudo apt-get install -y build-essential
Once our build tools are installed, we install all Snort pre-requisites that are available from the Ubuntu repositories:
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev
If you hit "network unreachable" or very slow downloads here, see:
Ubuntu 14.04 official default update sources (sources.list) and recommended third-party mirrors (solid stuff!)
Success.
The Snort DAQ (Data AcQuisition library) has a few pre-requisites that need to be installed:
sudo apt-get install -y bison flex
Success!
In this guide, we will be downloading a number of tarballs for various software packages. We will create a folder called snort_src to keep them all in one place:
mkdir ~/snort_src
cd ~/snort_src
Download and install the latest version of DAQ from the Snort website. The steps below use wget to download version 2.0.6 of DAQ, which is the latest version at the time of writing this guide.
cd ~/snort_src
wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install
Solution 1:
Solution 2:
Or (if the above does not work for you, you can also do the following):
In fact, the fix is simply:
yum install bison
yum install flex
yum install libpcap-devel
Problems like these, and others, can all be resolved with the help of my blog posts below. Put plainly, it comes down to the package sources. (Try the Tsinghua and NetEase mirrors first.)
Ubuntu 14.04 official default update sources (sources.list) and recommended third-party mirrors (solid stuff!)
Solving "Package *** is not available, but is referred to by another package" and "E: Unable to locate package ***" (clear, solid guidance)
Then, after installing the necessary tools, run the ./configure script again; it will show the following output.