
Intrusion Detection Systems with Snort and Suricata

Author: Internet

1. Platform environment setup

1.1 Helper programs flex and bison

1.1.1 flex

https://github.com/westes/flex

./autogen.sh
./configure && make && make install

Problem encountered during installation:

yan@ubuntu:~/Works/flex-master$ ./autogen.sh LIBTOOLIZE=/path/to/libtoolize
error: libtoolize not working, re-run with LIBTOOLIZE=/path/to/libtoolize
      LIBTOOLIZE is currently ""

Solution:

sudo apt install mlocate
sudo apt install libtool

Verify the environment:

$locate libtool
/snap/gnome-3-38-2004/99/usr/bin/libtool
/snap/gnome-3-38-2004/99/usr/bin/libtoolize
/snap/gnome-3-38-2004/99/usr/lib/x86_64-linux-gnu/gobject-introspection/giscanner/libtoolimporter.py
/snap/gnome-3-38-2004/99/usr/share/libtool
/snap/gnome-3-38-2004/99/usr/share/aclocal/libtool.m4
/snap/gnome-3-38-2004/99/usr/share/gtksourceview-3.0/language-specs/libtool.lang
/snap/gnome-3-38-2004/99/usr/share/gtksourceview-4/language-specs/libtool.lang
/snap/gnome-3-38-2004/99/usr/share/info/libtool.info
/snap/gnome-3-38-2004/99/usr/share/info/libtool.info-1
/snap/gnome-3-38-2004/99/usr/share/info/libtool.info-2
/snap/gnome-3-38-2004/99/usr/share/libtool/COPYING.LIB
/snap/gnome-3-38-2004/99/usr/share/libtool/Makefile.am
/snap/gnome-3-38-2004/99/usr/share/libtool/Makefile.in
/snap/gnome-3-38-2004/99/usr/share/libtool/README
/snap/gnome-3-38-2004/99/usr/share/libtool/aclocal.m4
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux
/snap/gnome-3-38-2004/99/usr/share/libtool/config-h.in
/snap/gnome-3-38-2004/99/usr/share/libtool/configure
/snap/gnome-3-38-2004/99/usr/share/libtool/configure.ac
/snap/gnome-3-38-2004/99/usr/share/libtool/ltdl.mk
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/compile
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/config.guess
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/config.sub
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/depcomp
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/install-sh
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/ltmain.sh
/snap/gnome-3-38-2004/99/usr/share/libtool/build-aux/missing
/usr/share/gtksourceview-4/language-specs/libtool.lang

Running it again still fails:

./autogen.sh 
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: linking file 'build-aux/config.guess'
libtoolize: linking file 'build-aux/config.sub'
libtoolize: linking file 'build-aux/install-sh'
libtoolize: linking file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: linking file 'm4/libtool.m4'
libtoolize: linking file 'm4/ltoptions.m4'
libtoolize: linking file 'm4/ltsugar.m4'
libtoolize: linking file 'm4/ltversion.m4'
libtoolize: linking file 'm4/lt~obsolete.m4'
Can't exec "autopoint": 没有那个文件或目录 at /usr/share/autoconf/Autom4te/FileUtils.pm line 345.
autoreconf: failed to run autopoint: No such file or directory
autoreconf: autopoint is needed because this package uses Gettext

Solution:

sudo apt install -y autopoint

Successful run:

$ ./autogen.sh 
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: linking file 'build-aux/config.guess'
libtoolize: linking file 'build-aux/config.sub'
libtoolize: linking file 'build-aux/install-sh'
libtoolize: linking file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: linking file 'm4/libtool.m4'
libtoolize: linking file 'm4/ltoptions.m4'
libtoolize: linking file 'm4/ltsugar.m4'
libtoolize: linking file 'm4/ltversion.m4'
libtoolize: linking file 'm4/lt~obsolete.m4'
Copying file ABOUT-NLS
Copying file build-aux/config.rpath
Copying file m4/codeset.m4
Copying file m4/extern-inline.m4
Copying file m4/fcntl-o.m4
Copying file m4/gettext.m4
Copying file m4/glibc2.m4
Copying file m4/glibc21.m4
Copying file m4/iconv.m4
Copying file m4/intdiv0.m4
Copying file m4/intl.m4
Copying file m4/intldir.m4
Copying file m4/intlmacosx.m4
Copying file m4/intmax.m4
Copying file m4/inttypes-pri.m4
Copying file m4/inttypes_h.m4
Copying file m4/lcmessage.m4
Copying file m4/lib-ld.m4
Copying file m4/lib-link.m4
Copying file m4/lib-prefix.m4
Copying file m4/lock.m4
Copying file m4/longlong.m4
Copying file m4/nls.m4
Copying file m4/po.m4
Copying file m4/printf-posix.m4
Copying file m4/progtest.m4
Copying file m4/size_max.m4
Copying file m4/stdint_h.m4
Copying file m4/threadlib.m4
Copying file m4/uintmax_t.m4
Copying file m4/visibility.m4
Copying file m4/wchar_t.m4
Copying file m4/wint_t.m4
Copying file m4/xsize.m4
Copying file po/Makefile.in.in
Copying file po/Makevars.template
Copying file po/Rules-quot
Copying file po/boldquot.sed
Copying file po/en@boldquot.header
Copying file po/en@quot.header
Copying file po/insert-header.sin
Copying file po/quot.sed
Copying file po/remove-potcdate.sin
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:31: installing 'build-aux/compile'
configure.ac:33: installing 'build-aux/missing'
doc/Makefile.am:5: installing 'build-aux/mdate-sh'
doc/Makefile.am:5: installing 'build-aux/texinfo.tex'
src/Makefile.am: installing 'build-aux/depcomp'
configure.ac: installing 'build-aux/ylwrap'
parallel-tests: installing 'build-aux/test-driver'

A more convenient method was found later:

sudo apt install flex

1.1.2 bison

http://ftp.gnu.org/gnu/bison/

The bison 3.8 tarball was downloaded, but installing it turned out to be very tedious: it only ships Makefile.in and Makefile.am, so a Makefile has to be generated from those two files first. A simpler method was therefore used instead:

sudo apt install bison
bison --version
bison (GNU Bison) 3.5.1

1.2 snort

Snort - Network Intrusion Detection & Prevention System

wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.19.tar.gz

tar xvzf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure && make && sudo make install

tar xvzf snort-2.9.19.tar.gz
cd snort-2.9.19
./configure --enable-sourcefire && make && sudo make install

1.2.1 Error encountered while installing daq-2.0.7

ERROR!  Libpcap library version >= 1.0.0 not found.
  Get it from http://www.tcpdump.org

The following fix was attempted and failed:

wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
tar xvfz libpcap-1.0.0.tar.gz
cd libpcap-1.0.0/
./configure
make
make install

Further exploration turned up an arm64 build of libpcap:

https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/libpcap-dev_1.9.1-3_arm64.deb.html

This could serve as the base architecture for building the platform on domestic (Chinese) processors.

On Ubuntu 20.04, the solution used here is:

sudo apt-get install libpcap-dev

1.2.2 Errors encountered while installing snort-2.9.19

Error 1:

   ERROR!  Libpcre header not found.
  Get it from http://www.pcre.org

Solution:

sudo apt-get install libpcre3-dev

Problem solved.

Error 2:

ERROR!  dnet header not found, go get it from
  http://code.google.com/p/libdnet/ or use the --with-dnet-*
  options, if you have it installed in an unusual place
make: *** 没有指明目标并且找不到 makefile。 停止。

Download the dnet source from https://github.com/dugsong/libdnet/releases and build it:

./configure
make
sudo make install

Problem solved.

Error 3:

   ERROR!  zlib header not found, go get it from
  http://www.zlib.net

Solution:

sudo apt-get install zlib1g-dev

Problem solved.

Error 4:

   ERROR!  LuaJIT library not found. Go get it from http://www.luajit.org/ (or)
  Try compiling without openAppId using '--disable-open-appid'
configure: error: "Fatal!"

Solution:

./configure --disable-open-appid && make && sudo make install
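The four configure errors in sections 1.2.1 and 1.2.2 all come from missing development headers, and each one only shows up after the previous one is fixed. The following preflight script is an added example (not from the original post) that probes for the headers that Snort 2.9.19's configure looks for and prints the fix the post used for each missing one, so all of them can be installed in a single pass before running ./configure. The header paths are those of the Ubuntu 20.04 packages named in the post; the LuaJIT header locations and the luajit entry itself are assumptions, and dnet.h is also probed under /usr/local because the post builds libdnet from source.

```shell
#!/bin/sh
# Added example, not part of the original post: preflight check for the
# headers snort-2.9.19's ./configure failed on in sections 1.2.1 and 1.2.2.
# Format of each entry: name|colon-separated candidate header paths|fix
# (the luajit paths are an assumption; the rest match the Ubuntu 20.04
# packages used in the post).
SNORT_DEPS='pcap|/usr/include/pcap/pcap.h:/usr/include/pcap.h|sudo apt-get install libpcap-dev
pcre|/usr/include/pcre.h|sudo apt-get install libpcre3-dev
zlib|/usr/include/zlib.h|sudo apt-get install zlib1g-dev
dnet|/usr/include/dnet.h:/usr/local/include/dnet.h|build libdnet from https://github.com/dugsong/libdnet/releases
luajit|/usr/include/luajit-2.1/luajit.h:/usr/include/luajit-2.0/luajit.h|./configure --disable-open-appid (or install LuaJIT)'

# header_present ROOT PATHLIST -> 0 if any colon-separated candidate exists under ROOT
header_present() {
    _root=$1
    _old_ifs=$IFS
    IFS=:
    for _p in $2; do
        if [ -f "$_root$_p" ]; then
            IFS=$_old_ifs
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# missing_deps [ROOT] -> one "name: fix" line per dependency that is not found.
# ROOT (default empty, i.e. the real filesystem) is prefixed to every probe
# path so the check can be exercised against a constructed directory tree.
missing_deps() {
    _root=${1:-}
    printf '%s\n' "$SNORT_DEPS" | while IFS='|' read -r _name _hdrs _fix; do
        if ! header_present "$_root" "$_hdrs"; then
            printf '%s: %s\n' "$_name" "$_fix"
        fi
    done
}

# missing_count [ROOT] -> number of missing dependencies (0 means configure should get past these checks)
missing_count() {
    missing_deps "${1:-}" | wc -l | tr -d ' '
}

# Stand-alone use: ./snort_preflight.sh --check   (non-zero exit if anything is missing)
if [ "${1:-}" = "--check" ]; then
    missing_deps
    [ "$(missing_count)" -eq 0 ]
fi
```

The check only looks for header files, which is what configure actually tests; a library whose runtime .so is present but whose -dev package is absent is reported as missing, which is exactly the situation behind errors 1 to 3 above.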

1.3 Installing Suricata on Ubuntu

Installation - Suricata 4.1.0-dev documentation (suricatacn.readthedocs.io)

https://suricatacn.readthedocs.io/zh_CN/latest/index.html

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

1.4 Installing AC (Aho-Corasick, bundled in snort)

morenice/ahocorasick: C implementation of Aho-Corasick string matching (github.com)

$ mkdir build; cd build
$ cmake ..
$ make

2. IDS (intrusion detection system)

2.1 snort configuration (this part follows the blogs https://www.cnblogs.com/thresh/p/12019466.html and https://www.cnblogs.com/jake-jin/p/14221593.html)

$ snort -V

  ,,_     -*> Snort! <*-
o" )~   Version 2.9.19 GRE (Build 85)
  ''''   By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
          Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
          Copyright (C) 1998-2013 Sourcefire, Inc., et al.
          Using libpcap version 1.9.1 (with TPACKET_V3)
          Using PCRE version: 8.39 2016-06-14
          Using ZLIB version: 1.2.11

snort setup

Basic configuration: for security reasons, Snort should run as an unprivileged user, so create a snort user and group:

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

Create the files and directories snort needs:

# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create the log directories
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions (5775 is taken from the referenced blog; the leading 5 also sets
# the setuid and sticky bits on every file and directory, and plain 775 is the usual intent)
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# Change ownership of the directories to the snort user
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Copy the files from the snort source tree into the newly created directories:

cd ~/Works/snort-2.9.19/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/Works/snort-2.9.19/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

Edit the snort configuration file (this comments out every rule include in one go; the ones we need are re-enabled below):

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

Modify snort.conf (the gedit editor is used here):

sudo gedit /etc/snort/snort.conf

Configure the network information:

ipvar HOME_NET 192.168.153.134

Configure the storage locations:

var RULE_PATH /etc/snort/rules           # around line 104
var SO_RULE_PATH /etc/snort/so_rules       # around line 105
var PREPROC_RULE_PATH /etc/snort/preproc_rules   # around line 106
var WHITE_LIST_PATH /etc/snort/rules/iplists   # around line 113
var BLACK_LIST_PATH /etc/snort/rules/iplists   # around line 114

Enable the rules file:

include $RULE_PATH/local.rules      # uncomment this line, around line 546

2.2 Testing snort

sudo snort -T -c /etc/snort/snort.conf -i ens33   # -T only validates the config; ens33 is the NIC, check it with ifconfig
# -A needs an alert mode (console prints alerts to the terminal) and the interface is given with -i, not -t (which would chroot)
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33
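The edits in section 2.1 are done by hand in gedit at "around line 104", which is hard to repeat on a second machine and hard to verify, and the run in section 2.2 gives no way to tell whether detection actually works until some rule fires. The script below is an added example (not from the original post or the Snort project) that applies the same snort.conf edits with sed in a form that can be re-run safely, reports which rule files remain included, and writes one benign ICMP rule into local.rules so that pinging HOME_NET from another host produces a visible alert on the console. The /etc/snort paths are the ones the post creates; the rule's message text and its sid (1000001, in the range reserved for local rules) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: repeatable form of the
# section 2.1 snort.conf edits plus a test rule for the section 2.2 run.

# configure_snort_conf CONF HOME_NET
#   1. comments out every 'include $RULE_PATH/...' line (the post's sed step)
#   2. re-enables local.rules
#   3. sets HOME_NET and the five *_PATH variables to the post's values
# Running it a second time leaves the file unchanged.
configure_snort_conf() {
    _conf=$1
    _home_net=$2
    sed -i \
        -e 's|^include \$RULE_PATH|#include $RULE_PATH|' \
        -e 's|^#include \$RULE_PATH/local\.rules|include $RULE_PATH/local.rules|' \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $_home_net|" \
        -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        -e 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /etc/snort/rules/iplists|' \
        -e 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /etc/snort/rules/iplists|' \
        "$_conf"
}

# enabled_includes CONF -> the rule files that are still included (not commented out)
enabled_includes() {
    grep '^include \$RULE_PATH' "$1" || true
}

# write_test_rule RULES_FILE -> writes a single ICMP alert rule (constructed
# sid 1000001; local sids start at 1000000) so that a ping to HOME_NET shows
# up as an alert when snort runs with -A console.
write_test_rule() {
    cat > "$1" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"ICMP test packet to HOME_NET"; sid:1000001; rev:1;)
EOF
}

# rule_count RULES_FILE -> number of rule lines (lines that start with an action keyword)
rule_count() {
    grep -c '^[a-z]' "$1" || true
}

# Stand-alone use, as root, after the copy step of section 2.1:
#   ./snort_conf.sh /etc/snort/snort.conf 192.168.153.134
# then validate with: snort -T -c /etc/snort/snort.conf -i ens33
if [ $# -eq 2 ]; then
    configure_snort_conf "$1" "$2"
    _rules="$(dirname "$1")/rules/local.rules"
    [ -f "$_rules" ] || write_test_rule "$_rules"   # never overwrite an existing local.rules
    echo "rule files still included:"
    enabled_includes "$1"
fi
```

After running it, start snort with the -A console command from section 2.2 and ping the HOME_NET address from another machine; one alert line per ICMP packet confirms the interface, the configuration and the rule path are all correct. Remove or comment out the test rule once the setup is verified, since it fires on every ping.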


Source: https://www.cnblogs.com/DrinkTeaJustACup/p/16083656.html