====== SNORT service ======

  * [[http://www.snort.org/]]
  * [[https://help.ubuntu.com/community/SnortIDS]]
  * [[https://www.snort.org/downloads/community/community-rules.tar.gz|!!!Open rules for testing!!!]]
  * [[https://sansorg.egnyte.com/dl/qsNKTUL2ld|Snort and SSL/TLS Inspection]]
  * [[https://upcloud.com/resources/tutorials/installing-snort-on-debian|How to install Snort on Debian]]
  * [[https://oisf.net/|Open Information Security Foundation Suricata]]

===== Installing, configuring and starting the service =====

==== Debian/Ubuntu ====

  root@server:~# apt install snort

!!! Accept all defaults in the wizard (it does not "understand" the bond1 interface)

  root@server:~# cat /etc/snort/snort.debian.conf
  ...
  #DEBIAN_SNORT_INTERFACE="eth0"
  #DEBIAN_SNORT_INTERFACE="bond1"
  DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
  #DEBIAN_SNORT_HOME_NET="any"
  ...

  * [[https://serverfault.com/questions/554713/snort-not-detecting-outgoing-traffic|Snort not detecting outgoing traffic]]
  * [[https://forum.netgate.com/topic/55909/snort-enable_xff|behind SSL termination proxies we need to read X-Forwarded-For]]
  * [[http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html|2.2 Preprocessors (snort_manual)]]

  root@server:~# cat /etc/snort/snort.conf
  ...
  # Configure IP / TCP checksum mode
  config checksum_mode: none
  ...
  preprocessor http_inspect_server: server default \
  ...
      enable_xff \
      webroot no
  ...
  ####################################################################
  # Step #6: Configure output plugins
  ...
  output alert_syslog: LOG_AUTH LOG_ALERT
  ...
  root@server:~# snort -T -S HOME_NET=[192.168.0.0/16] -c /etc/snort/snort.conf

  root@server:~# service snort restart

===== Testing =====

==== Debian/Ubuntu ====

  # less /etc/snort/rules/web-iis.rules

  # tail -f /var/log/auth.log | grep Red

  # u2spewfoo /var/log/snort/snort.alert

==== Example attack from isp.un ====

  isp.un$ wget http://192.168.X.10/root.exe

===== Copying alert_unified2 to syslog =====

  # stdbuf -i0 -o0 u2spewfoo <(tail -c +1 -f /var/log/snort/snort.alert) | logger -t snort -p auth.info

  # cat /etc/systemd/system/snort-alert-unified2-syslog.service
  [Unit]
  Description=Send snort alert_unified2 to syslog
  After=snort.service

  [Service]
  ExecStart=/bin/bash -c '/usr/bin/stdbuf -i0 -o0 /usr/sbin/u2spewfoo <(/usr/bin/tail -c +1 -f /var/log/snort/snort.alert) | /usr/bin/logger -t snort -p auth.info'

  [Install]
  WantedBy=multi-user.target

===== Creating your own snort rules =====

  * [[http://oreilly.com/pub/h/1393|Write Your Own Snort Rules]]

==== Debian/Ubuntu ====

  # cat rules/local.rules
  alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; reference:url,wiki.val.bmstu.ru; classtype:web-application-attack; sid:1000001; rev:1;)

  $ curl --path-as-is http://server.corpX.un/../../../etc/passwd

===== Updating snort rules: the oinkmaster package =====

==== FreeBSD ====

  [server:~] # pkg install oinkmaster
  [server:~] # rehash
  [server:~] # cd /usr/local/etc/

==== Debian/Ubuntu ====

  root@server:~# apt-get install oinkmaster
  root@server:~# cd /etc/

==== FreeBSD/Debian/Ubuntu ====

  server# cat oinkmaster.conf
  ...
  url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
  ...
  tmpdir = /var/tmp/
  ...
  server# oinkmaster -o /CHANGE/DIR/snort/rules/

===== Building a report on snort activity =====

==== snortsnarf (FreeBSD) ====

  [server:~] # pkg_add -r snortsnarf

  [server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
  #!/bin/sh
  # yesterday's date, used as the name of the daily alert file and report directory
  D=`date -v-1d '+%Y.%m.%d'`
  # stop snort, rotate the live alert file, start snort again
  /usr/local/etc/rc.d/snort stop
  /bin/mv /var/log/snort/alert /var/log/snort/alert.
  /usr/local/etc/rc.d/snort start
  # merge all rotated alert files into one file for the day
  for i in /var/log/snort/alert.*
  do
    cat ${i} >> /var/log/snort/alert${D}
    rm ${i}
  done
  # build the HTML report for the day and remove the merged file
  /usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D}
  rm /var/log/snort/alert${D}
  # delete reports older than 60 days
  /usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \;

===== Additional materials =====

==== FreeBSD ====

  [server:~] # pkg install snort

  [server:~] # cat /usr/local/etc/snort/snort.conf
  ...
  ipvar HOME_NET [192.168.X.0/24]
  ...
  ####################################################################
  # Step #6: Configure output plugins
  ...
  # syslog
  output alert_syslog: LOG_AUTH LOG_ALERT
  ...
  ###################################################
  # Step #7: Customize your rule set
  ...
  # site specific rules
  include $RULE_PATH/local.rules
  include $RULE_PATH/community.rules
  ...
  # comment out all rules below
  ...

  [server:~] # fetch --no-verify-peer https://www.snort.org/downloads/community/community-rules.tar.gz
  [server:~] # tar -xvf community-rules.tar.gz
  [server:~] # cp community-rules/community.rules /usr/local/etc/snort/rules/
  [server:~] # touch /usr/local/etc/snort/rules/local.rules
  [server:~] # cp community-rules/sid-msg.map /usr/local/etc/snort/sid-msg.map

  [server:~] # mkdir /usr/local/etc/rules/
  [server:~] # touch /usr/local/etc/rules/black_list.rules
  [server:~] # touch /usr/local/etc/rules/white_list.rules

!!! Uncomment the rule

  [server:~] # cat /usr/local/etc/snort/rules/community.rules
  ...
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
  ...

  [server:~] # # cd /usr/local/etc/snort/preproc_rules/
  [server:~] # # cp sensitive-data.rules-sample sensitive-data.rules
  [server:~] # # cp decoder.rules-sample decoder.rules
  [server:~] # # cp preprocessor.rules-sample preprocessor.rules

  [server:~] # snort -T -c /usr/local/etc/snort/snort.conf

  [server:~] # snort -A console -i em2 -c /usr/local/etc/snort/snort.conf

  [server:~] # service snort rcvar

  [server:~] # cat /etc/rc.conf
  ...
  snort_enable=YES
  snort_interface=em2

  [server:~] # service snort start

==== Windows ====

  * [[http://www.sans.org/security-resources/idfaq/running-snort-windows.php]]

=== Installing Snort ===

  * [[http://val.bmstu.ru/unix/snort/Snort_2_9_5_5_Installer.exe]]

=== Unpacking the rules ===

  * [[http://val.bmstu.ru/unix/snort/snortrules-snapshot-2953.tar.gz]] (everything except the etc directory)

=== Configuring and testing the configuration ===

  shell>notepad++ c:\Snort\etc\snort.conf
  ...
  var RULE_PATH c:\snort\rules
  var SO_RULE_PATH c:\snort\rules
  var PREPROC_RULE_PATH c:\snort\rules
  ...
  #my var WHITE_LIST_PATH ../rules
  #my var BLACK_LIST_PATH ../rules
  ...
  config logdir: c:\snort\log
  ...
  dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
  ...
  dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
  ...
  #my dynamicdetection directory /usr/local/lib/snort_dynamicrules
  ...
  #my preprocessor normalize_ip4
  #my preprocessor normalize_tcp: ips ecn stream
  #my preprocessor normalize_icmp4
  #my preprocessor normalize_ip6
  #my preprocessor normalize_icmp6
  ...
  preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
  ...
  #my preprocessor reputation: \
  #my   memcap 500, \
  #my   priority whitelist, \
  #my   nested_ip inner, \
  #my   whitelist $WHITE_LIST_PATH/white_list.rules, \
  #my   blacklist $BLACK_LIST_PATH/black_list.rules
  ...
  output alert_fast: alert.ids
  ...
  include c:\snort\etc\classification.config
  include c:\snort\etc\reference.config
  ...
  include c:\snort\etc\threshold.conf
  ...

  shell>notepad++ C:\Snort\rules\server-iis.rules
  ...
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
  ...

  admin shell>c:\snort\bin\snort.exe -T -c c:\Snort\etc\snort.conf --daq pcap

=== Starting ===

Choose the network interface (IPv6 must be disabled)

  shell>c:\snort\bin\snort.exe -W

Run in debug mode

  admin shell>c:\snort\bin\snort.exe -A console -i 2 -c c:\Snort\etc\snort.conf --daq pcap

Run in service mode (this blocks the console)

  admin shell>c:\snort\bin\snort.exe -q -i 2 -c c:\Snort\etc\snort.conf --daq pcap

  shell>notepad++ C:\Snort\log\alert.ids
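A pre-flight check for the "Creating your own snort rules" section above, added here as an example and not part of the original page or of Snort itself: a small bash linter that validates local.rules before you run snort -T, checking that every rule carries msg, sid, rev and classtype, that local sids stay at or above 1000000, and that no sid collides with one already used in community.rules. The two rule files it writes are constructed samples (the traversal rule from this page plus the CodeRed rule with sid 1256 from community.rules), and the function names are the example's own.

```shell
#!/bin/bash
# Lint local.rules before running "snort -T": each rule must carry msg, sid,
# rev and classtype; local sids must be >= 1000000 (the range reserved for
# user-written rules); no sid may collide with the community ruleset.
# Both rule files below are constructed samples for this example.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

cat > "$WORKDIR/community.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; sid:1256; rev:11;)
EOF

cat > "$WORKDIR/local.rules" <<'EOF'
# rule from the page: valid
alert tcp any any -> any 80 (msg:"Directory traversal attempt"; flow:to_server; content:"../.."; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
# invalid: sid in the official range and already taken by community.rules
alert tcp any any -> any 80 (msg:"Bad sid"; content:"/root.exe"; classtype:web-application-attack; sid:1256; rev:1;)
# invalid: rev and classtype missing
alert tcp any any -> any 80 (msg:"No rev"; content:"cmd.exe"; sid:1000002;)
EOF

# sids_in FILE: print every sid declared in FILE, one per line (comments skipped)
sids_in() {
    grep -v '^[[:space:]]*#' "$1" | grep -o 'sid:[[:space:]]*[0-9]*' | tr -d ' ' | cut -d: -f2
}

# lint_rules LOCAL COMMUNITY: print one problem per line; return 1 if any found
lint_rules() {
    local local_file="$1" community_file="$2" rc=0 line sid opt
    while IFS= read -r line; do
        case "$line" in ''|"#"*) continue ;; esac
        sid=$(printf '%s\n' "$line" | grep -o 'sid:[[:space:]]*[0-9]*' | tr -d ' ' | cut -d: -f2)
        for opt in msg sid rev classtype; do
            printf '%s\n' "$line" | grep -q "$opt:" || { echo "sid ${sid:-?}: missing $opt"; rc=1; }
        done
        if [ -n "$sid" ] && [ "$sid" -lt 1000000 ]; then
            echo "sid $sid: below 1000000, reserved for official rules"; rc=1
        fi
        if [ -n "$sid" ] && sids_in "$community_file" | grep -qx "$sid"; then
            echo "sid $sid: already used in $(basename "$community_file")"; rc=1
        fi
    done < "$local_file"
    return "$rc"
}

if lint_rules "$WORKDIR/local.rules" "$WORKDIR/community.rules"; then
    echo "local.rules is clean, safe to run snort -T"
else
    echo "fix the problems above before loading local.rules"
fi
```

Run it against the real files by pointing the two paths at $RULE_PATH/local.rules and $RULE_PATH/community.rules; the sample local.rules above reports four problems and the script exits with a non-zero status.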