簡介
Snort是美國Sourcefire公司開發的發佈在GPL v2下的IDS(Intrusion Detection System)軟件,在1998年,Marty Roesch先生用C語言開發了開放源代碼(Open Source)的入侵檢測系統Snort.直至今天,Snort已發展成爲一個多平臺(Multi-Platform),實時(Real-Time)流量分析,網絡IP數據包(Pocket)記錄等特性的強大的網絡入侵檢測/防護系統(Network Intrusion Detection/Prevention System),即NIDS/NIPShtml
工做原理
Snort經過在網絡TCP/IP的5層結構的數據鏈路層進行抓取網絡數據包,抓包時需將網卡設置爲混雜模式,根據操做系統的不一樣採用libpcap或winpcap函數從網絡中捕獲數據包;而後將捕獲的數據包送到包解碼器進行解碼。網絡中的數據包有多是以太網包、令牌環包、TCP/IP包、802.11包等格式。在這一過程包解碼器將其解碼成Snort認識的統一的格式;以後就將數據包送到預處理器進行處理,預處理包括能分片的數據包進行從新組裝,處理一些明顯的錯誤等問題。預處理的過程主要是經過插件來完成,好比Http預處理器完成對Http請求解碼的規格化,Frag2事務處理器完成數據包的組裝,Stream4預處理器用來使Snort狀態化,端口掃描預處理器能檢測端口掃描的能力等;對數據包進行了解碼,過濾,預處理後,進入了Snort的最重要一環,進行規則的創建及根據規則進行檢測。規則檢測是Snort中最重要的部分,做用是檢測數據包中是否包含有入侵行爲。例如規則alert tcp any any ->202.12.1.0/24 80(msg:」misc large tcp packet」;dsize:>3000;)這條規則的意思是,當一個流入202.12.1.0這個網段的TCP包長度超過3000B時就發出警報。規則語法涉及到協議的類型、內容、長度、報頭等各類要素。處理規則文件的時候,用三維鏈表來存規則信息以便和後面的數據包進行匹配,三維鏈表一旦構建好了,就經過某種方法查找三維鏈表並進行匹配和發生響應。規則檢測的處理能力須要根據規則的數量,運行Snort機器的性能,網絡負載等因素決定;最後一步就是輸出模塊,通過檢測後的數據包須要以各類形式將結果進行輸出,輸出形式能夠是輸出到alert文件、其它日誌文件、數據庫UNIX域或Socket等。python
安裝(ubuntu14.04)
安裝snort前,首先須要安裝一些依賴包 數據採集庫(DAQ))用於一個調用包捕獲庫的抽象層
https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
解壓並運行./configure、make、make install來安裝DAQ。然而,DAQ要求其餘的工具,所以,./configure腳本會生成下面的錯誤
所以在安裝DAQ以前先安裝flex/bison和libcap
apt-get install flex apt-get install bison apt-get install libcap-dev
安裝完必要的工具後,再次運行./configure腳本,將會顯示下面的輸出, 而後使用make和make install 命令進行編譯
成功安裝DAQ以後,咱們如今安裝snort
https://www.cnblogs.com/lcamry/p/6339475.html數據庫
apt-get install snort
snort命令參數詳解
snort -[options] <filters>
root@ubuntu-virtual-machine:~# snort --help ,,_ -*> Snort! <*- o" )~ Version 2.9.6.0 GRE (Build 47) '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.5.3 Using PCRE version: 8.31 2012-07-06 Using ZLIB version: 1.2.8 USAGE: snort [-options] <filter options> Options: -A #設置報警模式 Set alert mode: fast, full, console, test or none (alert file alerts only) "unsock" enables UNIX socket logging (experimental). -b #用二進制文件保存網絡數據包,以應付高吞吐量的網絡 Log packets in tcpdump format (much faster!) -B <mask> #將IP地址信息抹掉,去隱私化 Obfuscated IP addresses in alerts and packet dumps using CIDR mask -c <rules> #使用配置文件規則,使得snort進入IDS模式 Use Rules File <rules> -C #打印出只有字符數據的有效載荷(無十六進制) Print out payloads with character data only (no hex) -d #顯示包的應用層數據 Dump the Application Layer -D #後臺運行snort,如無指定,Alerts將寫到/var/log/snort/alert Run Snort in background (daemon) mode -e #顯示數據鏈路層信息 Display the second layer header info -f #激活PCAP行緩衝(line buffering) Turn off fflush() calls after binary log writes -F <bpf> #指定BPF過濾器 Read BPF filters from file <bpf> -g <gname> #初始化Snort後以組ID(group ID)運行 Run snort gid as <gname> group (or gid) after initialization -G <0xid> #爲事件生成設置一個基礎事件id值 Log Identifier (to uniquely id events for multiple snorts) -h <hn> #設置本地網絡爲hn,如192.168.1.0/24 Set home network = <hn> (for use with -l or -B, does NOT change $HOME_NET in IDS mode) -H # Make hash tables deterministic. -i <if> #設置網絡接口爲<if>。能夠用-W選項查詢網絡接口列表,而後用接口序號index指定接口。如-i 2 Listen on interface <if> -I #報警時附加上接口信息 Add Interface name to alert output -k <mode> #爲all,noip,notcp,noudp,noicmp,or none設置校驗和模式 Checksum mode (all,noip,notcp,noudp,noicmp,none) -K <mode> #設置保存文件的格式:pcap,ascii, none。pcap是默認格式,同於-b選項的格式。ascii是老的模式格式。none則關閉數據包記錄 Logging mode (pcap[default],ascii,none) -l <ld> #設置數據包文件存放目錄<ld>。默認目錄是/var/log/snort Log to directory <ld> -L <file> #設置二進制輸出文件的文件名爲<fn> Log to this tcpdump file -M #當以非後臺模式daemon運行時,保存信息到syslog Log messages to syslog (not alerts) -m <umask> #設置snort輸出文件的權限位 Set umask = <umask> -n <cnt> #出來<count>個報文後終止程序 Exit after receiving <cnt> packets -N #關閉保存日誌包功能 Turn off logging (alerts still work) -O #在ASCII數據包捕獲模式下混淆IP地址 Obfuscate the logged IP addresses -p #關閉混雜模式 Disable promiscuous mode sniffing -P <snap> #設置snaplen,默認值是當前網卡的MTU Set explicit snaplen of packet (default: 1514) -q #安靜模式,不顯示標誌和狀態報告 Quiet. Don't show banner and status report -Q #當在線(in-line)運行時,從iptables/IPQ中讀取數據包 Enable inline mode operation. -r <tf> #從pcap格式的文件中讀取數據包 Read and process tcpdump file <tf> -R <id> # 爲snort pidfile增長下標 Include 'id' in snort_intf<id>.pid file name -s #使snort把報警消息發送到syslog,默認的設備是LOG_AUTHPRIV和LOG_ALERT。能夠修改snort.conf文件修改其配置 Log alert messages to syslog -S <n=v> #爲變量n設置值爲v Set rules file variable n equal to value v -t <dir> #初始化後將Snort的根目錄改變爲<chroot> Chroots process to <dir> after initialization -T # 以自檢測模式啓動Snort Test and report on the current Snort configuration -u <uname> #初始化後改變Snort的UID Run snort uid as <uname> user (or uid) after initialization -U #在時間戳上用UTC時間代替本地時間 Use UTC for timestamps -v #從網絡上讀出數據包而後顯示在你的控制檯上 Be verbose -V #查看版本號並退出 Show version number -X #顯示包括數據鏈路層的原始數據包 Dump the raw packet data starting at the link layer -x #若是出現Snort配置問題,請退出 Exit if Snort configuration problems occur -y #在時間戳裏顯示年份 Include year in timestamp in the alert and log files -Z <file> #設置性能監視器(perfmon)路徑 Set the performonitor preprocessor file path and name -? #幫助信息 Show this information <Filter Options> are standard BPF options, as seen in TCPDump Longname options and their corresponding single char version --logid <0xid> Same as -G --perfmon-file <file> Same as -Z --pid-path <dir> #爲SnortPID文件指定路徑 Specify the directory for the Snort PID file --snaplen <snap> Same as -P --help Same as -? --version Same as -V --alert-before-pass #在pass以前處理alert, drop, sdrop, or reject. 默認是pass before alert, drop, etc. Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,... --treat-drop-as-alert #將drop處理爲alert Converts drop, sdrop, and reject rules into alert rules during startup --treat-drop-as-ignore Use drop, sdrop, and reject rules to ignore session traffic when not inline. --process-all-events Process all queued events (drop, alert,...), default stops after 1st action group --enable-inline-test Enable Inline-Test Mode Operation --dynamic-engine-lib <file> Load a dynamic detection engine --dynamic-engine-lib-dir <path> Load all dynamic engines from directory --dynamic-detection-lib <file> Load a dynamic rules library --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory --dump-dynamic-rules <path> Creates stub rule files of all loaded rules libraries --dynamic-preprocessor-lib <file> Load a dynamic preprocessor library --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory --dynamic-output-lib <file> Load a dynamic output library --dynamic-output-lib-dir <path> Load all dynamic output libraries from directory --create-pidfile Create PID file, even when not in Daemon mode --nolock-pidfile Do not try to lock Snort PID file --no-interface-pidfile Do not include the interface name in Snort PID file --disable-attribute-reload-thread Do not create a thread to reload the attribute table --pcap-single <tf> #讀取單個pcap文件 Same as -r. --pcap-file <file> #讀取多個pcap文件 file that contains a list of pcaps to read - read mode is implied. --pcap-list "<list>" #以列表的形式在命令行讀取 a space separated list of pcaps to read - read mode is implied. --pcap-dir <dir> #讀取指定目錄下的全部pcap文件 a directory to recurse to look for pcaps - read mode is implied. --pcap-filter <filter> #用過濾方式讀取pcap文件 filter to apply when getting pcaps from file or directory. --pcap-no-filter #用非過濾方式讀取pcap文件 reset to use no filter when getting pcaps from file or directory. --pcap-loop <count> this option will read the pcaps specified on command line continuously. for <count> times. A value of 0 will read until Snort is terminated. --pcap-reset if reading multiple pcaps, reset snort to post-configuration state before reading next pcap. --pcap-reload if reading multiple pcaps, reload snort config between pcaps. --pcap-show print a line saying what pcap is currently being read. --exit-check <count> Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it takes from signaling until DAQ_Stop() is called. --conf-error-out Same as -x --enable-mpls-multicast Allow multicast MPLS --enable-mpls-overlapping-ip Handle overlapping IPs within MPLS clouds --max-mpls-labelchain-len Specify the max MPLS label chain --mpls-payload-type Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS --require-rule-sid Require that all snort rules have SID specified. --daq <type> Select packet acquisition module (default is pcap). --daq-mode <mode> Select the DAQ operating mode. --daq-var <name=value> Specify extra DAQ configuration variable. --daq-dir <dir> Tell snort where to find desired DAQ. --daq-list[=<dir>] List packet acquisition modules available in dir. Default is static modules only. --dirty-pig Don't flush packets and release memory on shutdown. --cs-dir <dir> Directory to use for control socket. --ha-peer Activate live high-availability state sharing with peer. --ha-out <file> Write high-availability events to this file. --ha-in <file> Read high-availability events from this file on startup (warm-start).
工做原理(嗅探器、數據包記錄器、網絡入侵檢測系統)
嗅探器
snort從網絡上讀出數據包而後顯示在你的控制檯上ubuntu
數據包記錄器
若是要把全部的包記錄到硬盤上,你須要指定一個日誌目錄,snort就會自動記錄數據包網絡
snort -dev -l ./log
snort -dev -l ./log -h 192.168.1.0/24 這個命令告訴snort把進入C類網絡192.168.1的全部包的數據鏈路、TCP/IP以及應用層的數據記錄到目錄./log中。
網絡入侵檢測系統
snort最重要的用途仍是做爲網絡入侵檢測系統(NIDS),使用下面命令行能夠啓動這種模式session
snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf snort.conf是規則集文件。snort會對每一個包和規則集進行匹配,發現這樣的包就採起相應的行動。若是你不指定輸出目錄,snort就輸出到/var/log/snort目錄。 注意:若是你想長期使用snort做爲本身的入侵檢測系統,最好不要使用-v選項。由於使用這個選項,使snort向屏幕上輸出一些信息,會大大下降snort的處理速度,從而在向顯示器輸出的過程當中丟棄一些包。 此外,在絕大多數狀況下,也沒有必要記錄數據鏈路層的包頭,因此-e選項也能夠不用 snort -d -h 192.168.1.0/24 -l ./log -c snort.conf