- 实验内容
- 搭建网络防御环境
- 学习使用检测工具Snort
- 对网络进行攻击,查看和分析网络防御工具报告
- 对实验结果进行分析整理,形成结论
三、实验步骤
- 安装入侵检测系统Snort
- 安装daq依赖程序,输入如下命令:
sudo apt-get install flex
sudo apt-get install bison
sudo apt install aptitude
sudo aptitude install libpcap-dev
-
- 安装daq,输入如下命令:
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
tar xvfz daq-2.0.7.tar.gz
cd daq-2.0.7
./configure && make && sudo make install
-
- 安装snort的依赖程序,输入如下命令:
aptitude install libpcre3-dev
aptitude install libdumbnet-dev
aptitude install zlib1g-dev
apt install openssl
apt-get install libssl-dev
安装LuaJIT:
sudo wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
sudo tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
sudo make && sudo make install
LuaJIT-2.0.5安装完成
-
- 开始安装Snort,输入以下命令:
选择官网当前的版本进行下载
wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
tar xvfz snort-2.9.20.tar.gz
cd snort-2.9.20
./configure --enable-sourcefire && make && sudo make install
已成功安装
- 对Snort进行配置:
- 创建一些必要的文件夹
#Snort的安装目录
sudo mkdir -p /etc/snort/rules/iplists
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
#存储过滤规则和服务器黑白名单
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/so_rules
#创建日志目录
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
#调整权限
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/rules/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
-
- 复制文件到 /etc/snort
cp /snort-2.9.20/etc/*.conf* /etc/snort
cp /snort-2.9.20/etc/*.map /etc/snort
cp /snort-2.9.20/etc/*.dtd /etc/snort
cp /snort-2.9.20/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
-
- 修改默认配置
# 打开配置文件
sudo vim /etc/snort/snort.conf
# 修改路径 找到对应复制
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists/
var BLACK_LIST_PATH /etc/snort/rules/iplists/
-
- 修改配置文件让黑白名单生效
-
- 安装rules包
wget https://www.snort.org/downloads/registered/snortrules-snapshot-29181.tar.gz
sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort
sudo cp /etc/snort/so_rules/precompiled/RHEL-8/x86-64/2.9.18.1/* /usr/local/lib/snort_dynamicrules/
-
- 启动测试
- 利用Snort检测ping攻击
- 在rules/icmp-info.rules文件中设置如下规则:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
-
- 使用snort规则对流量进行检测,将结果输出到snort日志中
snort -i eth0 -c /etc/snort/snort.conf -A fast -l /var/log/snort/
成功开启snort进行检测
-
- 使用局域网内主机对安装snort主机进行包>800的ping攻击
ping 192.168.223.153 -l 1000
-
- 在日志中查看检测结果:
可以看到成功检测包大于800的ping攻击
- 利用Snort检测nmap扫描
- 在 /etc/snort/rules/local.rules下进行tcp规则配置
vim /etc/snort/rules/local.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"nmap scan";sid:1000000888;)
保存并退出
-
- 启动snort进行局域网内的扫描检测
sudo snort -i eth0 -c /etc/snort/snort.conf -A fast -l /var/log/snort/
- 使用宿主机进行局域网内的namp扫描(使用同一网段的另一台kali机)
-
- 在var/log/snort中查看检测结果
可以看到,成功检测到nmap的扫描