1、Snort 简介

Snort 是免费的 Network Intrusion Prevention System(NIPS) 及 Network Intrusion Detection System (NIDS) 软件，其具有对数据流量分析和对网络数据包进行协议分析处理的能力，通过灵活可定制的规则库（Rule），可对处理的报文内容进行搜索和匹配，能够检测出各种攻击，并进行实时预警。

Snort 3.0（Snort ++）是 Snort 的更新版本，以下是它一些关键特性：

• 支持多数据包处理线程

• 使用共享配置文件和属性表

• 使用简单的脚本化的配置文件

• 使关键组件插件化

• 为无端口配置自动检测服务

• 规则中支持粘性缓冲区

• 自动生成参考文档

• 提供更好的跨平台支持

• 便于组件测试

未来包含的其他功能：

• 使用共享的网络地图

• 支持流水线的数据包处理

• 支持硬件卸载和数据平面集成

• 支持代理模式

• 支持 Windows

2、安装 epel-release

首先安装 epel-release，后续安装 luajit、luajit-devel、cmake3 等软件包时会用到

yum install -y epel-release 

3、更新包缓存

更新包缓存以及更新系统，这一步非必需，看个人需求

yum clean all
yum makecache
yum -y update

4、非必需软件

其他不必要的工具，主要是方便后续配置，熟悉 vi、find 等命令的可略过

yum install -y mlocate vim

5、新建编译目录

在根路径下创建 snort 编译目录，后续会将用到的源码下载到这里

mkdir /snort_src

6、安装 pkg-config

安装编译 pkg-config 时需要用到的软件包

yum install -y wget gcc-c++

下载 pkg-config 源码，编译安装

cd /snort_src
wget http://pkgconfig.freedesktop.org/releases/pkg-config-0.29.1.tar.gz -O pkg-config-0.29.1.tar.gz
tar -zxvf pkg-config-0.29.1.tar.gz
cd pkg-config-0.29.1

编译时添加 --with-internal-glib 参数以解决 configure: error: pkg-config and "glib-2.0 >= 2.16" not found, please set GLIB_CFLAGS and GLIB_LIBS to the correct values or pass --with-internal-glib to configure 的错误

./configure --with-internal-glib
make
make install

7、添加必要的环境变量

使用 export 添加的仅本次生效

export PKG_CONFIG=/usr/local/bin/pkg-config
export PKG_CONFIG_PATH=/usr/share/pkgconfig:/usr/lib64/pkgconfig

永久生效需要添加到 ~/.bashrc 中

sh -c "echo 'export PKG_CONFIG=/usr/local/bin/pkg-config' >> ~/.bashrc"
sh -c "echo 'export PKG_CONFIG_PATH=/usr/share/pkgconfig:/usr/lib64/pkgconfig' >> ~/.bashrc"
source ~/.bashrc

8、安装依赖包

安装编译 Snort 用到的依赖包

yum install -y libdnet libdnet-devel hwloc hwloc-devel luajit luajit-devel openssl openssl-devel libpcap libpcap-devel pcre pcre-devel flex bison cmake3 lzma xz-devel

9、更新动态链接库

使动态链接库为系统所共享，安装新的动态链接库时，需要手工运行

ldconfig

ldconfig 默认搜寻 /lib 和 /usr/lib 以及配置文件 /etc/ld.so.conf 内所列的目录下的库文件，/usr/local/lib 不在其中，需要手动添加

export LD_LIBRARY_PATH=/usr/local/lib

或者

sh -c "echo 'export LD_LIBRARY_PATH=/usr/local/lib' >> ~/.bashrc"
source ~/.bashrc

10、安装 NFQ

如果想使用 NFQ 以内联模式运行 Snort ，或者不确定是否要使用，应该安装这个软件包。在 IDS 模式或使用 afpacket 进行内联模式时不需要安装。

yum install -y libnetfilter_queue libnetfilter_queue-devel

11、编译安装 daq

cd /snort_src
wget https://www.snort.org/downloads/snortplus/daq-2.2.2.tar.gz -O daq-2.2.2.tar.gz
tar -zxvf daq-2.2.2.tar.gz
cd daq-2.2.2
./configure
make
make install

12、搜索动态链接库

搜索一下动态链接库，方便后续编译

ldconfig -v

13、编译安装 snort

此处需要 cmake 版本大于 3.4 ，CentOS 7 默认版本为 2.8.12 ，使用 cmake3

cd /snort_src
wget https://www.snort.org/downloads/snortplus/snort-3.0.0-243-cmake.tar.gz -O snort-3.0.0-243-cmake.tar.gz
tar -zxvf snort-3.0.0-243-cmake.tar.gz
cd snort-3.0.0-/
cmake3 -DCMAKE_INSTALL_PREFIX=/usr/local
make clean
make
make install

14、编译安装 snort_extra

cd /snort_src
wget https://www.snort.org/downloads/snortplus/snort_extra-1.0.0-243-cmake.tar.gz -O snort_extra-1.0.0-243-cmake.tar.gz
tar -zxvf snort_extra-1.0.0-243-cmake.tar.gz
cd snort_extra-1.0.0-a4
cmake3 -DCMAKE_INSTALL_PREFIX=/usr/local
make clean
make
make install

15、添加环境变量

sh -c "echo 'export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;' >> ~/.bashrc"
sh -c "echo 'export SNORT_LUA_PATH=/usr/local/etc/snort' >> ~/.bashrc"
source ~/.bashrc

或者

export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/usr/local/etc/snort
export LD_LIBRARY_PATH=/usr/local/lib

16、测试 snort

snort -V

解压并复制 community 规则到 rules 目录

cd /snort_src
wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz -O snort3-community-rules.tar.gz
tar -xvf snort3-community-rules.tar.tar
mkdir /usr/local/etc/snort/rules/
cp snort3-community-rules/snort3-community.rules /usr/local/etc/snort/rules/
cp snort3-community-rules/sid-msg.map /usr/local/etc/snort/rules/

注意路径中缺少 snort_config.lua 文件，需要从 /usr/local/include/snort/lua/ 中复制过去

cp /usr/local/include/snort/lua/snort_config.lua /usr/local/etc/snort/

测试 community 规则

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules

17、下载安装 openappid

需要注意的是 openappid/7611 经测试发现有 bug，目前暂时先用 openappid/6239

cd /snort_src
wget https://www.snort.org/downloads/openappid/6329 -O snort-openappid.tar.gz
tar -zxvf snort-openappid.tar.gz

将解压后的文件拷贝到 /usr/local/lib 路径下

cp -R odp /usr/local/lib

修改 snort 配置文件，添加 app_detector_dir

vim /usr/local/etc/snort/snort.lua

appid = { 
    app_detector_dir = '/usr/local/lib',
}

对添加 appid 后进行测试

snort -c /usr/local/etc/snort/snort.lua --warn-all
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules --warn-all

自定义一条规则做测试

touch /usr/local/etc/snort/rules/local.rules
vim /usr/local/etc/snort/rules/local.rules

alert tcp any any -> any any (msg:"Baidu trafic Seen"; appids:"Baidu"; sid:10000001;)

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules --warn-all
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules -i ens33 -A alert_fast -k none

18、下载安装官方收费规则

官方收费规则从网站无法直接下载，需要注册及付费

cd /snort_src
wget https://www.snort.org/downloads/registered/snortrules-snapshot-3000.tar.gz
tar -zxvf snortrules-snapshot-3000.tar.gz
mv etc /usr/local/etc/snort/
mv preproc_rules /usr/local/etc/snort/
mv so_rules /usr/local/etc/snort/
mv rules /usr/local/etc/snort/

注意使用的配置文件是 /usr/local/etc/snort/etc/ 目录下的，此处也缺少 snort_config.lua 文件，需要从 /usr/local/include/snort/lua/ 中复制过去，同时需要添加 app_detector_dir

cp /usr/local/include/snort/lua/snort_config.lua /usr/local/etc/snort/etc/

vim /usr/local/etc/snort/etc/snort.lua

appid = { 
    app_detector_dir = '/usr/local/lib',
}

19、报警输出

修改配置文件 /usr/local/etc/snort/etc/snort.lua 以下部分内容，当 file = true 时，报警会输出到对应文件，需要保存报警日志时一般开启这个即可，需要定制输出格式时按提示信息修改即可

---------------------------------------------------------------------------
-- 8. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
alert_csv = {
    file = true,
    fields = { timestamp, pkt_num, proto, pkt_gen, pkt_len, dir, src_ap, dst_ap, rule, action },
    -- fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in 
    -- given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | 
    -- eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | 
    -- pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | 
    -- target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
    -- limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
    -- separator = ,: separate fields with this character sequence
}
alert_fast = {
    file = true,
    packet = true,
--    file = false: output to alert_fast.txt instead of stdout
--    packet = false: output packet dump with alert
--    limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
}
alert_full = {
    file = true,
    -- limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
}
--alert_sfsocket = {
--    file: name of unix socket file
--    rules[].gid = 1: rule generator ID { 1: }
--    rules[].sid = 1: rule signature ID { 1: }
--}
--alert_syslog = {
--    facility = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | 
--    local2 | local3 | local4 | local5 | local6 | local7 }
--    level = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug}
--    options: used to open the syslog connection { cons | ndelay | perror | pid }
--}
unified2 = {
    legacy_events = false,
    nostamp = true,
--    legacy_events = false: generate Snort 2.X style events for barnyard2 compatibility
--    limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
--    nostamp = true: append file creation time to name (in Unix Epoch format)
}

-- use --plugin-path to load plugin
--alert_json = {
--    file = false: output to alert_json.txt instead of stdout
--    fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in 
--    given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | 
--    eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | 
--    pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | 
--    target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
--    limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
--    separator = , : separate fields with this character sequence
--}

--alert_ex = {
--    upper = false: true/false → convert to upper/lower case
--}

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = {
--    file = false: output to log_codecs.txt instead of stdout
--    msg = false: include alert msg
--}
--log_hext = {
--    file = false: output to log_hext.txt instead of stdout
--    raw = false: output all full packets if true, else just TCP payload
--    limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
--    width = 20: set line width (0 is unlimited) { 0: }
--}
--log_pcap = {
--    limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
--}

-- additional logs
--packet_capture = { }
--file_log = { }

需要注意的是，使用 alert_json、alert_ex、alert_unixsock、log_null 时需要用--plugin-path指定插件路径，必要时可使用 -l 指定 log 文件保存路径

snort -c /usr/local/etc/snort/etc/snort.lua --plugin-path /usr/local/lib/snort_extra -i ens33 -l /var/log/snort -A alert_json -k none

20、参数信息列表

至此，snort 3.0 安装完毕，以下为 snort 3.0 支持的参数信息列表

-? <option prefix> output matching command line option quick help (same as --help-options) (optional)
-A <mode> set alert mode: none, cmg, or alert_*
-B <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask
-C print out payloads with character data only (no hex)
-c <conf> use this configuration
-D run Snort in background (daemon) mode
-d dump the Application Layer
-e display the second layer header info
-f turn off fflush() calls after binary log writes
-G <0xid> (same as --logid) (0:65535)
-g <gname> run snort gid as <gname> group (or gid) after initialization
-H make hash tables deterministic
-i <iface>... list of interfaces
-k <mode> checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)
-L <mode> logging mode (none, dump, pcap, or log_*)
-l <logdir> log to this directory instead of current directory
-M log messages to syslog (not alerts)
-m <umask> set umask = <umask> (0:)
-n <count> stop after count packets (0:)
-O obfuscate the logged IP addresses
-Q enable inline mode operation
-q quiet mode - Don't show banner and status report
-R <rules> include this rules file in the default policy
-r <pcap>... (same as --pcap-list)
-S <x=v> set config variable x equal to value v
-s <snap> (same as --snaplen); default is 1514 (68:65535)
-T test and report on the current Snort configuration
-t <dir> chroots process to <dir> after initialization
-U use UTC for timestamps
-u <uname> run snort as <uname> or <uid> after initialization
-V (same as --version)
-v be verbose
-W lists available interfaces
-X dump the raw packet data starting at the link layer
-x same as --pedantic
-y include year in timestamp in the alert and log files
-z <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)
--alert-before-pass process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,...
--bpf <filter options> are standard BPF options, as seen in TCPDump
--c2x output hex for given char (see also --x2c)
--create-pidfile create PID file, even when not in Daemon mode
--daq <type> select packet acquisition module (default is pcap)
--daq-dir <dir> tell snort where to find desired DAQ
--daq-list list packet acquisition modules available in optional dir, default is static modules only
--daq-var <name=value> specify extra DAQ configuration variable
--dirty-pig don't flush packets on shutdown
--dump-builtin-rules [<module prefix>] output stub rules for selected modules (optional)
--dump-dynamic-rules output stub rules for all loaded rules libraries
--dump-defaults [<module prefix>] output module defaults in Lua format (optional)
--dump-version output the version, the whole version, and only the version
--enable-inline-test enable Inline-Test Mode Operation
--gen-msg-map dump builtin rules in gen-msg.map format for use by other tools
--help list command line options
--help-commands [<module prefix>] output matching commands (optional)
--help-config [<module prefix>] output matching config options (optional)
--help-counts [<module prefix>] output matching peg counts (optional)
--help-module <module> output description of given module
--help-modules list all available modules with brief help
--help-options [<option prefix>] output matching command line option quick help (same as -?) (optional)
--help-plugins list all available plugins with brief help
--help-signals dump available control signals
--id-offset offset to add to instance IDs when logging to files (0:65535)
--id-subdir create/use instance subdirectories in logdir instead of instance filename prefix
--id-zero use id prefix / subdirectory even with one packet thread
--list-buffers output available inspection buffers
--list-builtin [<module prefix>] output matching builtin rules (optional)
--list-gids [<module prefix>] output matching generators (optional)
--list-modules [<module type>] list all known modules of given type (optional)
--list-plugins list all known plugins
--lua <chunk> extend/override conf with chunk; may be repeated
--logid <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) (0:65535)
--markup output help in asciidoc compatible format
--max-packet-threads <count> configure maximum number of packet threads (same as -z) (0:)
--mem-check like -T but also compile search engines
--nostamps don't include timestamps in log file names
--nolock-pidfile do not try to lock Snort PID file
--pause wait for resume/quit command before processing packets/terminating
--parsing-follows-files parse relative paths from the perspective of the current configuration file
--pcap-file <file> file that contains a list of pcaps to read - read mode is implied
--pcap-list <list> a space separated list of pcaps to read - read mode is implied
--pcap-dir <dir> a directory to recurse to look for pcaps - read mode is implied
--pcap-filter <filter> filter to apply when getting pcaps from file or directory
--pcap-loop <count> read all pcaps <count> times;  0 will read until Snort is terminated (-1:)
--pcap-no-filter reset to use no filter when getting pcaps from file or directory
--pcap-reload if reading multiple pcaps, reload snort config between pcaps
--pcap-show print a line saying what pcap is currently being read
--pedantic warnings are fatal
--plugin-path <path> where to find plugins
--process-all-events process all action groups
--rule <rules> to be added to configuration; may be repeated
--rule-to-hex output so rule header to stdout for text rule on stdin
--rule-to-text output plain so rule header to stdout for text rule on stdin
--run-prefix <pfx> prepend this to each output file
--script-path <path> to a luajit script or directory containing luajit scripts
--show-plugins list module and plugin versions
--skip <n> skip 1st n packets (0:)
--snaplen <snap> set snaplen of packet (same as -s) (68:65535)
--stdin-rules read rules from stdin until EOF or a line starting with END is read
--treat-drop-as-alert converts drop, sdrop, and reject rules into alert rules during startup
--treat-drop-as-ignore use drop, sdrop, and reject rules to ignore session traffic when not inline
--version show version number (same as -V)
--warn-all enable all warnings
--warn-conf warn about configuration issues
--warn-daq warn about DAQ issues, usually related to mode
--warn-flowbits warn about flowbits that are checked but not set and vice-versa
--warn-hosts warn about host table issues
--warn-plugins warn about issues that prevent plugins from loading
--warn-rules warn about duplicate rules and rule parsing issues
--warn-scripts warn about issues discovered while processing Lua scripts
--warn-symbols warn about unknown symbols in your Lua config
--warn-vars warn about variable definition and usage issues
--x2c output ASCII char for given hex (see also --c2x)
--x2s output ASCII string for given byte code (see also --x2c)