
Snort installation (for Windows)

Beginner's CHOMAN 2015.06.11 17:35

Snort

Installation

Both the Windows and the Linux builds can be obtained from http://snort.org

 

I tried installing the Windows build first

 

Checking the Snort version and the NIC

C:\>cd snort
C:\Snort>cd bin
C:\Snort\bin>snort -W
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 111)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using PCRE version: 8.10 2010-06-25
Using ZLIB version: 1.2.3
Index Physical Address IP Address Device Name Description
----- ---------------- ---------- ----------- -----------
1 00:00:00:00:00:00 211.119.250.99 \Device\NPF_{5423FA0E-84CB-49EC-863D-E2C2D6E40777} Realtek RTL8169/8110 Family Gigabit Ethernet NIC
C:\Snort\bin>

 

On Windows, packet capture reportedly may not work properly while the firewall is up, so turning the firewall off is recommended


Test of normal operation

-v prints packets to the console
-n number of packets to monitor
-i interface device to monitor; here it is number 1.

 

C:\Snort\bin>snort -v -n 3 -i 1
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "\Device\NPF_{5423FA0E-84CB-49EC-863D-E2C2D6E40777}".
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 111)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using PCRE version: 8.10 2010-06-25
Using ZLIB version: 1.2.3
Commencing packet processing (pid=2736)
03/07-21:34:59.379837 115.68.62.13:4624 -> 211.119.250.99:3389
TCP TTL:122 TOS:0x0 ID:29203 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0x87573B83 Ack: 0x9F2ECEBB Win: 0xFE TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/07-21:34:59.383475 211.119.250.99:3389 -> 115.68.62.13:4624
TCP TTL:128 TOS:0x0 ID:26377 IpLen:20 DgmLen:204 DF
***AP*** Seq: 0x9F2ECEBB Ack: 0x87573B8F Win: 0xFB35 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/07-21:34:59.399179 211.119.250.99:3389 -> 115.68.62.13:4624
TCP TTL:128 TOS:0x0 ID:26378 IpLen:20 DgmLen:251 DF
***AP*** Seq: 0x9F2ECF5F Ack: 0x87573B8F Win: 0xFB35 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

==================================================================
Run time for packet processing was 1.0 seconds
Snort processed 3 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
Pkts/sec: 3
===================================================================
Packet I/O Totals:
Received: 51
Analyzed: 3 ( 5.882%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 48 ( 94.118%)
Injected: 0
==================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 3 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 3 (100.000%)
Frag: 0 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 0 ( 0.000%)
TCP: 3 (100.000%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 0 ( 0.000%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 0 ( 0.000%)
Bad Chk Sum: 2 ( 66.667%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 0 ( 0.000%)
S5 G 2: 0 ( 0.000%)
Total: 3

========================================================

Snort exiting

C:\Snort\bin>

 

Downloading Snort rules

Subscriber Release (latest rules): paid

Registered User Release (one month behind the latest): free, downloadable normally after registering an account

Download, unzip, and paste into c:/snort (overwriting the existing files is fine)

 

Configuring the Snort rules

 

The rules configuration file is written for Linux by default, so it has to be modified for Windows

 

It is at c:\snort\etc\snort.conf; open it with WordPad and edit it (only the items below should need changing?)

var RULE_PATH ../rules → var RULE_PATH

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
→ dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
→ dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

include classification.config → include C:\Snort\etc\classification.config

include reference.config → include C:\Snort\etc\reference.config

 

Running

 

snort -i 1 -A full -c C:\snort\etc\snort.conf -l C:\snort\log

 

If an error occurs at startup, a message says which statement caused the error; keep commenting out the reported line and rerunning until

 

it runs as shown below. Closing that window terminates the IDS, so do not close it....

 

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format : Full-Q
| Finite Automaton : DFA
| Alphabet Size : 256 Chars
| Sizeof State : Variable (1,2,4 bytes)
| Instances : 43
| 1 byte states : 42
| 2 byte states : 1
| 4 byte states : 0
| Characters : 4061
| States : 1845
| Transitions : 19550
| State Density : 4.1%
| Patterns : 608
| Match States : 254
| Memory (KB) : 692.70
| Pattern : 36.43
| Match Lists : 45.19
| DFA
| 1 byte states : 377.14
| 2 byte states : 188.40
| 4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 14 ]
pcap DAQ configured to passive.
Acquiring network traffic from "\Device\NPF_{5423FA0E-84CB-49EC-863D-E2C2D6E40777}".
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 111)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using PCRE version: 8.10 2010-06-25
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.13 <Build 18>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Commencing packet processing (pid=3320)

 

When it runs normally, log files such as alert.ids and snort.log.1300187204 are created in the log folder

 

alert.ids - event name, direction of the attack, and protocol information for each attack
snort.log - contains the packet data; renaming the extension to pcap lets you inspect it in Wireshark's GUI
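The alert.ids file written by -A full is plain text, so it can be parsed for triage without Wireshark. The following is an added example (not code from the post or from the Snort project): a small parser for "full" alert records. The two sample records are constructed; their packet header lines reuse the addresses from the packet dump above, while the rule ids, messages and classifications are made up.

```python
import re

# Constructed sample of two alert.ids records in Snort's "-A full" format.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] CONSTRUCTED RDP session from external host [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/07-21:34:59.379837 115.68.62.13:4624 -> 211.119.250.99:3389
TCP TTL:122 TOS:0x0 ID:29203 IpLen:20 DgmLen:52 DF

[**] [1:1000002:3] CONSTRUCTED ICMP echo from external host [**]
[Priority: 3]
03/07-21:35:02.000000 115.68.62.13 -> 211.119.250.99
ICMP TTL:122 TOS:0x0 ID:29204 IpLen:20 DgmLen:84
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.*?)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
ADDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)")


def split_endpoint(ep):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); ICMP endpoints carry no port."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (ep, None)


def parse_full_alerts(text):
    """Parse blank-line separated alert.ids records into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header: skip stray text
        rec = dict(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4],
                   classification=None, priority=None, proto=None, ttl=None)
        for line in lines[1:]:
            if c := CLASS_RE.search(line):
                rec["classification"] = c[1]
            if p := PRIO_RE.search(line):
                rec["priority"] = int(p[1])
            if a := ADDR_RE.match(line):  # same header line as in -v output
                rec["timestamp"] = a[1]
                rec["src"], rec["sport"] = split_endpoint(a[2])
                rec["dst"], rec["dport"] = split_endpoint(a[3])
            if pr := PROTO_RE.match(line):
                rec["proto"], rec["ttl"] = pr[1], int(pr[2])
        records.append(rec)
    return records
```

Point it at C:\snort\log\alert.ids (open the file and pass its contents) to get one dict per alert, which is enough to sort by priority or group by source address.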

