Official documentation: https://www.snort.org/documents
2. Installation
2.1 Install dependencies
yum install flex bison -y
yum install libpcap libpcap-devel -y
wget https://nchc.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
tar -zxf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure && make && make install
If these dependencies are not installed, the configure steps below will fail with the errors listed under each step.
2.2 Install daq
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -zxf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
make install
configure error: configure: error: Your operating system's lex is insufficient to compile libsfbpf. You should install both bison and flex.
Fix: yum install flex bison -y
configure error: ERROR! Libpcap library version >= 1.0.0 not found.
Fix: yum install libpcap libpcap-devel -y
2.3 Install snort
wget https://www.snort.org/downloads/snort/snort-2.9.11.tar.gz
tar -zxf snort-2.9.11.tar.gz
cd snort-2.9.11
./configure --enable-sourcefire
make
make install
configure error: ERROR! dnet header not found, go get it from
Fix: wget https://nchc.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
tar -zxf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure && make && make install
2.4 Install rules
# First create the snort configuration (and rules) directory
mkdir -p /etc/snort/rules
# Create the directory snort needs at run time
mkdir /usr/local/lib/snort_dynamicrules
# Copy the default configuration files from the etc directory of the snort source tree extracted in 2.3 into the snort configuration directory (run from inside snort-2.9.11)
cp etc/*.conf* /etc/snort
cp etc/*.map /etc/snort
# Download the community rules and extract them into the rules directory
wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -zxf community-rules.tar.gz -C /etc/snort/rules
# Comment out every rule file that is loaded by default
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
# Enable the community rules file
echo '' >> /etc/snort/snort.conf
echo '# enable community rule' >> /etc/snort/snort.conf
echo 'include $RULE_PATH/community-rules/community.rules' >> /etc/snort/snort.conf
# Reset the path variables in snort.conf
sed -i 's/var RULE_PATH ..\/rules/var RULE_PATH .\/rules/' /etc/snort/snort.conf
sed -i 's/var WHITE_LIST_PATH ..\/rules/var WHITE_LIST_PATH .\/rules/' /etc/snort/snort.conf
sed -i 's/var BLACK_LIST_PATH ..\/rules/var BLACK_LIST_PATH .\/rules/' /etc/snort/snort.conf
# Create the default whitelist file
touch /etc/snort/rules/white_list.rules
# Create the default blacklist file
touch /etc/snort/rules/black_list.rules
# Create the default file for our own rules; note that the only remaining include is the community rules, so this file is never loaded and exists here only as a placeholder
touch /etc/snort/rules/local.rules
# Check the configuration file for errors
snort -T -c /etc/snort/snort.conf
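The snort.conf edits in 2.4 are not safe to rerun: a second pass of the first sed would also comment out the community include that was appended, and the echo lines would append it again. The following is an added example, not from the original post, that applies the same edits to a file so that reruns leave it unchanged; unlike the post, it also keeps the stock include of local.rules active so that custom rules placed there are loaded. The sample config content and the file paths are constructed assumptions, and the block still expects the rule files themselves to exist before snort -T is run.

```shell
#!/bin/sh
# Added example (not from the original post): apply the section 2.4 snort.conf
# edits in a way that can be rerun safely. Paths and sample content are assumptions.

# Write a constructed stand-in for the relevant lines of the stock snort.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
#include $RULE_PATH/experimental.rules
EOF
}

configure_snort_conf() {
    conf="$1"
    # 1. Comment out every default rule include except the two we manage
    #    ourselves (community.rules and local.rules), so reruns do not
    #    disable what an earlier run enabled.
    # 2. Point RULE_PATH, WHITE_LIST_PATH and BLACK_LIST_PATH at ./rules.
    sed -E \
        -e '/\/(community-rules\/community|local)\.rules$/!s/^include \$RULE_PATH/#include $RULE_PATH/' \
        -e 's/^var (RULE_PATH|WHITE_LIST_PATH|BLACK_LIST_PATH) \.\.\/rules/var \1 .\/rules/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # Append the community include only if it is not already present.
    if ! grep -q '^include \$RULE_PATH/community-rules/community.rules$' "$conf"; then
        printf '\n# enable community rule\ninclude $RULE_PATH/community-rules/community.rules\n' >> "$conf"
    fi
}

# Number of rule includes snort will actually load from the given config.
active_includes() {
    grep -c '^include \$RULE_PATH' "$1"
}
```

Run configure_snort_conf against /etc/snort/snort.conf and then snort -T -c /etc/snort/snort.conf as in 2.4; active_includes is a quick way to confirm that exactly the intended rule files remain enabled.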
3. Usage
Snort has three modes of operation: sniffer mode, packet logger mode and network intrusion detection mode.
3.1 Sniffer mode
snort -v
This mode prints the IP addresses of both communicating hosts and the protocol headers, much like tcpdump.
3.2 Packet logger mode
mkdir log
snort -dev -l ./log
This mode writes the captured packets to files (here, under the log directory in the current directory); the key option is -l.
3.3 Network intrusion detection mode
mkdir log
snort -dev -l ./log -h 192.168.1.0/24 -c /etc/snort/snort.conf
This mode inspects traffic against the rules in the specified configuration.
Error: ERROR: /etc/snort/rules/community-rules/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
Fix: mkdir -p /usr/local/lib/snort_dynamicrules
Error: ERROR: /etc/snort/classification.config(0) Unable to open rules file "/etc/snort/classification.config": No such file or directory.
Fix: copy etc/classification.config from the snort source tree extracted in 2.3 to /etc/snort/classification.config
References:
http://blog.csdn.net/jackywgw/article/details/51693108
https://upcloud.com/community/tutorials/install-snort-ubuntu/