一 下载并安装源代码
地址:https://github.com/snort3/snort3/releases
# Download and unpack the Snort 3.2.1.0 source release (extracts into snort3-3.2.1.0/, which
# the build step below enters).
# NOTE(review): if the project publishes a checksum or signature for this archive, compare
# the downloaded file against it before building; nothing below verifies the download.
wget https://github.com/snort3/snort3/archive/refs/tags/3.2.1.0.tar.gz
tar zxvf 3.2.1.0.tar.gz
二 安装软件依赖包
1 安装依赖包
# Build dependencies for Snort 3, libdaq and libdnet (Debian/Ubuntu package names).
sudo apt update
sudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev autoconf automake libtool libffi-dev check
# NOTE(review): the next line looks like a garbled continuation of the package list above
# (presumably the "-dev" packages for Hyperscan and SafeC, which the Snort configure summary
# later reports as ON); on its own it is not a valid command. Confirm the exact package names
# with `apt-cache search` and append them to the apt install line.
hyperscan.dev libsafec.dev
2 安装 libdnet
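# libdnet 1.18.0 (ofalk fork): download, unpack, build and install under /usr/local.
# The steps are chained with && so a failed download, unpack or build stops the sequence
# instead of running a stale or root-privileged install step afterwards.
# NOTE(review): if the project publishes a checksum or signature for the archive, verify the
# download against it before building.
wget https://github.com/ofalk/libdnet/archive/refs/tags/libdnet-1.18.0.tar.gz \
  && tar zxvf libdnet-1.18.0.tar.gz \
  && cd libdnet-libdnet-1.18.0/ \
  && ./configure \
  && make \
  && sudo make install   # only the install step needs root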
3 安装libdaq
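# libdaq 3.0.14: download, unpack and generate the build system (Snort's -V output later
# reports "Using DAQ version 3.0.14").
# ./bootstrap runs autoreconf and needs libtool installed; without it automake fails with
# "Libtool library used but 'LIBTOOL' is undefined" (see the transcript below).
# && stops the sequence if the download, unpack or cd fails.
wget https://github.com/snort3/libdaq/archive/refs/tags/v3.0.14.tar.gz \
  && tar zxvf v3.0.14.tar.gz \
  && cd libdaq-3.0.14/ \
  && ./bootstrap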
+ autoreconf -ivf --warnings=all
autoreconf: export WARNINGS=all
autoreconf: Entering directory '.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: configure.ac: not using Intltool
autoreconf: configure.ac: not using Gtkdoc
autoreconf: running: /usr/bin/autoconf --force
configure.ac:27: warning: The macro `AC_PROG_CC_C99' is obsolete.
configure.ac:27: You should run autoupdate.
./lib/autoconf/c.m4:1659: AC_PROG_CC_C99 is expanded from...
configure.ac:27: the top level
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
api/Makefile.am:4: error: Libtool library used but 'LIBTOOL' is undefined
api/Makefile.am:4: The usual way to define 'LIBTOOL' is to add 'LT_INIT'
api/Makefile.am:4: to 'configure.ac' and run 'aclocal' and 'autoconf' again.
api/Makefile.am:4: If 'LT_INIT' is in 'configure.ac', make sure
api/Makefile.am:4: its definition is in aclocal's search path.
modules/Makefile.am:4: error: Libtool library used but 'LIBTOOL' is undefined
modules/Makefile.am:4: The usual way to define 'LIBTOOL' is to add 'LT_INIT'
modules/Makefile.am:4: to 'configure.ac' and run 'aclocal' and 'autoconf' again.
modules/Makefile.am:4: If 'LT_INIT' is in 'configure.ac', make sure
modules/Makefile.am:4: its definition is in aclocal's search path.
autoreconf: error: automake failed with exit status: 1
# Fix for the bootstrap failure above: install libtool (the libtool package from the apt step)
# and re-run ./bootstrap so that automake completes, then configure.
./configure
#编译成功如下
code_coverage_enabled: no
code_coverage_cppflags:
code_coverage_cflags:
code_coverage_ldflags:
Build AFPacket DAQ module.. : yes
Build BPF DAQ module....... : yes
Build Divert DAQ module.... : no
Build Dump DAQ module...... : yes
Build FST DAQ module....... : yes
Build netmap DAQ module.... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
Build Savefile DAQ module.. : yes
Build Trace DAQ module..... : yes
Build GWLB DAQ module...... : yes
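# Build libdaq and install it under /usr/local; && keeps the root-privileged install step
# from running after a failed build.
make && sudo make install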
4 安装gperftools
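# gperftools 2.15 provides tcmalloc, which Snort is configured to use below
# (--enable-tcmalloc; the configure summary reports "TCMalloc: ON").
# The original went straight from ./configure to "sudo make install", which compiles the
# whole tree as root; build unprivileged first, matching the other build steps, and use root
# only for the install. && stops the sequence at the first failure.
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.15/gperftools-2.15.tar.gz \
  && tar zxvf gperftools-2.15.tar.gz \
  && cd gperftools-2.15/ \
  && ./configure \
  && make \
  && sudo make install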
三 安装snort 3.2.1.0
1 编译安装
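# Configure Snort 3.2.1.0 with CMake (install prefix /usr/local/snort, linked against tcmalloc).
# Run this from the directory where 3.2.1.0.tar.gz was unpacked: the previous steps leave the
# shell inside libdaq-3.0.14/ or gperftools-2.15/, so cd back to the parent first.
# && prevents configure_cmake.sh from running in the wrong tree if the cd fails.
cd snort3-3.2.1.0/ && ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc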
#如下即可
snort version 3.2.1.0
Install options:
prefix: /usr/local/snort
includes: /usr/local/snort/include/snort
plugins: /usr/local/snort/lib/snort
Compiler options:
CC: /usr/bin/cc
CXX: /usr/bin/c++
CFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG
CXXFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG
EXE_LDFLAGS:
MODULE_LDFLAGS:
Feature options:
DAQ Modules: Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace)
libatomic: System-provided
Hyperscan: ON
ICONV: ON
Libunwind: ON
LZMA: ON
RPC DB: Built-in
SafeC: ON
TCMalloc: ON
JEMalloc: OFF
UUID: ON
NUMA: ON
LibML: OFF
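# Build in the CMake build directory and install to /usr/local/snort (root only for the
# install step; && stops at the first failure).
cd build/ && make && sudo make install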
# Refresh the dynamic linker cache so the libraries just installed under /usr/local
# (libdnet, libdaq, gperftools) are found at runtime.
sudo ldconfig
2 配置环境
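# Put the Snort binaries on PATH for every login shell: open /etc/profile, add the export
# line below, then re-read the profile in the current shell.
# The original export used a doubled slash (/usr/local/snort//bin); it works but is untidy.
# /etc/profile is system-wide, and /usr/local/snort/bin is root-owned because it was created
# by "sudo make install", so unprivileged users cannot plant binaries there.
sudo vim /etc/profile
export PATH=/usr/local/snort/bin:$PATH
source /etc/profile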
3 查看snort版本
test@ubuntuserver:~$ snort -v
--------------------------------------------------
o")~ Snort++ 3.2.1.0
--------------------------------------------------
--------------------------------------------------
Network Policy : policy id 0 :
--------------------------------------------------
Inspection Policy : policy id 0 :
--------------------------------------------------
pcap DAQ configured to passive.
--------------------------------------------------
host_cache
memcap: 33554432 bytes
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
test@ubuntuserver:~$ snort -V
,,_ -*> Snort++ <*-
o" )~ Version 3.2.1.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.14
Using Hyperscan version 5.4.2 2024-04-19
Using libpcap version 1.10.4 (with TPACKET_V3)
Using LuaJIT version 2.1.1703358377
Using LZMA version 5.4.5
Using OpenSSL 3.0.13 30 Jan 2024
Using PCRE version 8.39 2016-06-14
Using ZLIB version 1.3
四 配置 监听网络流量的网卡设置为混杂模式
test@ubuntuserver:~$ ip a show ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:a2:94:12 brd ff:ff:ff:ff:ff:ff
altname enp2s1
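# Put the capture interface into promiscuous mode so Snort also sees traffic not addressed to
# this host. Uses iproute2, which this guide already relies on ("ip a show ens33"), instead of
# the legacy net-tools ifconfig, which may not be installed on current Ubuntu.
# Original: sudo ifconfig ens33 promisc
# The setting is not persistent across reboots or interface resets.
sudo ip link set dev ens33 promisc on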
#禁用网卡 Offload 功能,否则 Snort 会截断大于 1518 字节的数据包
#查看
test@ubuntuserver:~$ ethtool -k ens33 | grep receive-off
generic-receive-offload: on
large-receive-offload: off [fixed]
#禁用
test@ubuntuserver:~$ sudo ethtool -K ens33 gro off lro off
五 下载,配置snort3规则
规则集分为三种:Community Rules、Registered Rules、Subscriber Rules。其中社区规则可以直接下载使用,注册规则需要注册之后才可以下载,但这两种都是免费的;订阅规则是收费的。
1 下载地址:Snort Rules and IDS Software Download
2 本文下载注册规则集
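# Create the rules directory under the Snort install prefix (-p: repeatable, no error if it
# already exists) and change into it. Created via sudo, so it is root-owned: the unprivileged
# wget/tar for pulledpork below cannot write here — run those from a user-writable directory.
sudo mkdir -p /usr/local/snort/etc/rules && cd /usr/local/snort/etc/rules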
3 安装pulledpork
# Perl dependencies for pulledpork (the package names correspond to Crypt::SSLeay and
# LWP::UserAgent::Determined).
sudo apt update
sudo apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl
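# Fetch pulledpork 0.7.4 (the rule-management script that is later run with sudo). Do this
# from a user-writable directory, not the root-owned rules directory created above.
# NOTE(review): the script will run as root; if the project publishes a checksum or
# signature for the release, verify the archive against it, and review the release before
# trusting it. && stops the sequence if the download or unpack fails.
wget https://github.com/shirkdog/pulledpork/archive/refs/tags/v0.7.4.tar.gz \
  && tar zxvf v0.7.4.tar.gz \
  && cd pulledpork-0.7.4/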
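# Install the script and its sample config files.
# install(1) copies the script and sets mode 0755 (root-owned, not group/world-writable) in
# one step, replacing the original cp + chmod +x pair; the script is invoked via sudo later,
# so it must not be writable by unprivileged users. mkdir -p makes the step repeatable.
sudo install -m 0755 pulledpork.pl /usr/local/bin/pulledpork.pl \
  && sudo mkdir -p /usr/local/snort/etc/pulledpork \
  && sudo cp etc/*.conf /usr/local/snort/etc/pulledpork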
#查看
test@ubuntuserver:~$ pulledpork.pl -V
PulledPork v0.7.4 - Helping you protect your bitcoin wallet!
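# Create the files and directories pulledpork and Snort use (the paths match the
# pulledpork.conf settings below). mkdir -p makes the step repeatable, and every directory is
# created before the files inside it are touched.
sudo mkdir -p /usr/local/snort/etc/rules/so_rules \
  /usr/local/snort/etc/rules/lists \
  /var/log/snort/
sudo touch /usr/local/snort/etc/rules/snort.rules \
  /usr/local/snort/etc/rules/local.rules \
  /usr/local/snort/etc/rules/lists/default.blocklist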
# Edit the pulledpork configuration (the settings used in this install are listed below).
sudo vim /usr/local/snort/etc/pulledpork/pulledpork.conf
# pulledpork.conf settings used in this install.
# <oinkcode> stands for your personal Snort.org oinkcode, i.e. a credential: keep this file
# readable by root only and never paste the real value into shared notes or version control.
# NOTE(review): the snapshot name (3031) does not obviously match the installed Snort 3.2.1.0;
# confirm the correct snapshot version on the Snort.org downloads page.
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-3031.tar.gz|<oinkcode>
rule_url=https://snort.org/downloads/ip-block-list|IPBLOCKLIST|open
ignore=deleted.rules,experimental.rules,local.rules
# NOTE(review): pulledpork is run as root (sudo) and unpacks downloads here; a dedicated
# root-owned directory instead of the shared /tmp limits interference by other local users.
temp_path=/tmp
rule_path=/usr/local/snort/etc/rules/snort.rules
local_rules=/usr/local/snort/etc/rules/local.rules
sid_msg=/usr/local/snort/etc/sid-msg.map
sid_msg_version=2
sid_changelog=/var/log/snort/sid_changes.log
sorule_path=/usr/local/snort/etc/rules/so_rules/
snort_path=/usr/local/snort/bin/snort
# NOTE(review): this install has no snort.conf — its configuration file is
# /usr/local/snort/etc/snort/snort.lua (edited in a later step); verify what pulledpork 0.7.4
# expects in this setting.
config_path=/usr/local/snort/etc/snort.conf
# NOTE(review): presumably selects the platform for prebuilt shared-object rules; the
# "snort -V" output (OpenSSL 3.0.13) suggests a newer Ubuntu than 18.04 — confirm the value.
distro=Ubuntu-18-4
block_list=/usr/local/snort/etc/rules/lists/default.blocklist
IPRVersion=/usr/local/snort/etc/rules/lists
# NOTE(review): none of the steps above install a snort_control binary — confirm this path.
snort_control=/usr/local/bin/snort_control
pid_path=/var/log/snort/snort.pid
ips_policy=security
version=0.7.4
# Download and merge the rule sets. Runs as root because it writes the root-owned rules
# directory and /var/log/snort. The flags are the author's; see `pulledpork.pl -h` for their
# exact meaning (-H SIGHUP presumably signals the Snort pid from pid_path to reload).
sudo /usr/local/bin/pulledpork.pl -c /usr/local/snort/etc/pulledpork/pulledpork.conf -l -P -E -H SIGHUP
#如下
Rule Stats...
New:-------19352
Deleted:---0
Enabled Rules:----19352
Dropped Rules:----0
Disabled Rules:---0
Total Rules:------19352
IP Blocklist Stats...
Total IPs:-----1558
Done
Please review /var/log/snort/sid_changes.log for additional details
Fly Piggy Fly!
4 修改snort配置文件
sudo vim /usr/local/snort/etc/snort/snort.lua
HOME_NET = 'any' --> HOME_NET = '192.168.50.19/24'
EXTERNAL_NET = 'any' --> EXTERNAL_NET = '!$HOME_NET'
#新增
-- Rule files to load, added to snort.lua.
-- NOTE(review): if both lines are placed in the same Lua table constructor (e.g. inside
-- ips = { ... }), the second `include` key overwrites the first and only local.rules is
-- loaded. Check the rule count reported by `snort -c` (19500+ expected), or use a single
-- include pointing at a rules file that itself includes the other.
include = '/usr/local/snort/etc/rules/snort.rules',
include = '/usr/local/snort/etc/rules/local.rules',
5 snort 校验规则,共 19500+ 条
snort -c /usr/local/snort/etc/snort/snort.lua
六 运行,测试
1 自定义一条ping测试的规则
#增加本地规则库
sudo vim /usr/local/snort/etc/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
# Validate the configuration together with the new local rule (-R loads an extra rules file).
snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/rules/local.rules
2 启动snort
#配置日志
sudo vim /usr/local/snort/etc/snort/snort.lua
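-- Fast-format alert output written to a file in the log directory (-l on the command line),
-- rolled over when it reaches 200M.
-- The original line read "limit = 200#日志滚动大小(200M)": '#' does not start a comment in
-- Lua, so that line was a syntax error. Lua comments begin with "--".
alert_fast =
{
    file = true,
    limit = 200, -- log rollover size (200M)
}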
# Validate the configuration once more, then run Snort on the capture interface.
snort -c /usr/local/snort/etc/snort/snort.lua
# -i ens33: capture interface (promiscuous mode was set above)
# -s 65535: snaplen, so large packets are not truncated
# -k none: no checksum verification — presumably so packets whose checksums look wrong
#          because of NIC offload are still inspected; note that genuinely corrupted packets
#          are then not discarded either
# -A fast, -l /var/log/snort/: fast alert format into the log directory; -v: verbose
# NOTE(review): this keeps Snort running as root for its whole lifetime; Snort supports
# -u <user> and -g <group> to drop privileges after start-up — consider a dedicated account
# that can write /var/log/snort.
sudo snort -c /usr/local/snort/etc/snort/snort.lua -i ens33 -s 65535 -k none -A fast -l /var/log/snort/ -v
3 测试
#在其他主机ping snort服务器
ping 192.168.50.19
#snort 服务器查看日志