Snort 2用户手册：全面指南(2.9.13版)

网络安全

需积分: 0 142 浏览量更新于2024-06-18 收藏 1.28MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

Snort 2用户手册（v2.9.13）是The Snort Project发布的一份全面指南，专为网络安全专业人员设计，提供了关于这个高级网络嗅探器和入侵检测系统（NIDS）的详尽信息。该手册的主要部分涵盖了以下几个关键知识点： 1. **安装与配置**：手册指导用户安装Snort 2，并详细说明了所需的软件和系统要求，以及如何配置Snort以满足特定的网络环境。配置文件的创建、规则集的应用以及性能参数的调整都在这一部分中有所阐述。 2. **规则语法与结构**：用户可以在这里学习Snort规则的基础知识，包括规则的编写规则，如何定义签名以检测各种网络威胁，如病毒、恶意软件或异常流量。 3. **性能优化**：针对不同网络规模和负载，手册提供了关于如何提高Snort性能的建议，确保系统的高效运行。 4. **日志和输出管理**：介绍了Snort 2生成的日志格式，如何解析和分析这些日志以发现潜在安全事件，以及用户界面和管理工具的使用，以便更好地监控和响应警报。 5. **NIDS模式**：这部分深入讲解了NIDS模式下的操作，包括输出选项、标准警报的理解、高吞吐量配置，以及如何调整警报顺序以适应不同的需求。 6. **数据包捕获与分析**：讲解了Snort如何捕获和处理来自不同接口的数据包，如pcap、AF_PACKET、NFQ、IPQ、IPFW等协议支持，以及如何利用dump功能进行统计分析。 7. **pcap文件处理**：提供命令行参数和示例，指导用户如何读取和处理pcap文件，这对于数据回溯和故障排查至关重要。 8. **基本输出和统计**：这部分涵盖Snort产生的基本输出类型，包括时间统计、流量计数、协议统计，以及内存使用情况和动作、限制和裁决信息。 9. **隧道协议支持**：探讨Snort如何处理多层封装和不同类型的隧道协议，以增强对隐藏通信的检测能力。 10. **常见问题解答**：手册还提供了关于Snort 2使用过程中遇到的问题及其解决方案，帮助用户快速解决问题。 Snort 2用户手册是网络安全专业人员在日常工作中不可或缺的参考资料，它涵盖了从基础安装到高级特性的方方面面，旨在帮助用户充分利用这个强大的网络安全工具。

资源详情

资源推荐

1.5.3 AFPACKET

afpacket fun c tions similar to the memor y mapped pcap DAQ but no external libr ary is required :

./snort --daq afpacket -i <device>

[--daq-var buffer_size_mb=<#MB>]

[--daq-var debug]

If y ou want to run afpacket in inline mode, yo u must set device to one or more interface pairs, where each member of

a pair is separated by a single colon a nd each pair is separated by a double colon like this:

eth0:eth1

or this:

eth0:eth1::eth2:eth3

By default, the afpacket DAQ allocates 128MB for packet memory. You can change this with:

--daq-var buffer_size_mb=<#MB>

Note that the total allocated is actually hig her, here’s why. Assuming the default packet memory with a sna plen of

1518, the numbers break down like this:

1. The frame size is 1518 (snaplen) + the size of the AFPacket header (66 bytes) = 1584 bytes.

2. The number of frames is 128 MB / 151 8 = 84733.

3. The smallest block size that can ﬁt at le ast one fr ame is 4 KB = 4096 bytes @ 2 frames per block.

4. As a result, we need 84733 / 2 = 42366 blocks.

5. Actual mem ory allocated is 42366 * 4 KB = 165.5 MB.

1.5.4 NFQ

NFQ is the new and improved way to pro c ess iptables packets:

./snort --daq nfq \

[--daq-var device=<dev>] \

[--daq-var proto=<proto>] \

[--daq-var queue=<qid>] \

[--daq-var queue_len=<qlen>]

<dev> ::= ip | eth0, etc; default is IP injection

<proto> ::= ip4 | ip6 | ip*; default is ip4

<qid> ::= 0..65535; default is 0

<qlen> ::= 0..65535; default is 0

Notes on ipta bles can be f ound in the DAQ distro README.

1.5.8 Statistics Changes

The Packet Wire Totals and Action Stats sections of Snort’s output include additional ﬁelds:

•

Filtered

count of packets ﬁltered out and not handed to Sn ort for analysis.

•

Injected

packets Snor t genera ted an d sent, e.g. T CP resets.

•

Allow

packets Snor t analyzed and did not take action on.

•

Block

packets Snor t did not forward , e.g. due to a block rule.

•

Replace

packets Snor t modiﬁed.

•

Whitelist

packets that caused Snort to allow a ﬂow to pass w/o inspection by any analysis program.

•

Blacklist

packets that caused Snort to block a ﬂow from passing.

•

Ignore

packets that caused Snort to allow a ﬂow to pass w/o inspection by this instance of Sno rt.

The ac tion stats show ”blocked” packets instead of ”dropped” packets to avoid confusion between dropped packets

(those Snort didn’t actually see) and blocked packets (those Snort did not allow to pass).

1.6 Reading pcap ﬁles

Instead of having Snort listen on an interface, y ou can give it a packet capture to read. Snort will read an d analyze the

packets as if they came o ff the wire. This can be useful for testing and debugging Snort.

1.6.1 Command line arguments

Any of th e below can be speciﬁed multiple times on the c ommand line (

-r

included) and in additio n to other Snort

command line options. Note, however, that specifying

--pcap-reset

and

--pcap-show

multiple times has the same

effect as spe cifying them once.

Option Description

-r <file>

Read a single pcap.

--pcap-single=<file>

Same as -r. Add ed for completen ess.

--pcap-file=<file>

File that contains a list of pcap ﬁles to read. Can specify path to each pcap or

directory to recurse to get pcaps.

--pcap-list="<list>"

A space separated list of pcaps to read.

--pcap-dir=<dir>

A directory to recurse to look for pcaps. Sorted in ASCII or der.

--pcap-filter=<filter>

Shell style ﬁlter to apply when getting pcaps from ﬁle or directory. This ﬁl-

ter will apply to any

--pcap-file

--pcap-dir

arguments following. Use

--pcap-no-filter

to delete ﬁlter for following

--pcap-file

--pcap-dir

arguments or specify

--pcap-filter

again to forget previous ﬁlter a nd to apply

to following

--pcap-file

--pcap-dir

arguments.

--pcap-no-filter

Reset to use no ﬁlter when getting pcaps fr om ﬁle or directory.

--pcap-reset

If reading multiple pcaps, reset snort to post-conﬁguration state before reading

next pcap. The default, i.e. witho ut this option, is not to reset state.

--pcap-show

Print a line saying what pcap is cur rently being read.

1.6.2 Examples

Read a single pcap

$ snort -r foo.pcap

$ snort --pcap-single=foo.pcap

Read pcaps from a ﬁle

$ cat foo.txt

foo1.pcap

foo2.pcap

/home/foo/pcaps

$ snort --pcap-file=foo.txt

This will read foo1.pcap, fo o2.pcap and all ﬁles under /home/foo/pcaps. Note that Snort will not try to determine

whether the ﬁles under that directory are really pc ap ﬁles or not.

Read pcaps from a command line list

$ snort --pcap-list="foo1.pcap foo2.pcap foo3.pcap"

This will rea d foo1.pcap, foo2.pcap and foo3.pcap.

Read pcaps under a directory

$ snort --pcap-dir="/home/foo/pcaps"

This will include all of the ﬁles under /home/foo/pcaps.

Using ﬁlt e rs

$ cat foo.txt

foo1.pcap

foo2.pcap

/home/foo/pcaps

$ snort --pcap-filter="*.pcap" --pcap-file=foo.txt

$ snort --pcap-filter="*.pcap" --pcap-dir=/home/foo/pcaps

The above will only include ﬁles that match the shell pattern ”*.pcap”, in other words, any ﬁle ending in ”.pcap” .

$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \

> --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps

In the above, th e ﬁrst ﬁlter ”*.pcap” will o nly be applied to the pcaps in the ﬁle ”foo.txt” ( a nd any directories that a re

recursed in that ﬁle). The ad dition of the second ﬁlter ”*.cap” will cause the ﬁrst ﬁlter to be forgotten and then applied

to the directory /home/foo/pcaps, so only ﬁles ending in ”.cap” will be included from th at directory.

$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \

> --pcap-no-filter --pcap-dir=/home/foo/pcaps

In this example, the ﬁrst ﬁlter will be applied to foo.txt, then no ﬁlter will be applied to the ﬁles found under

/home/foo/pcaps, so all ﬁles fo und under /home/foo/pca ps will be included.

$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \

> --pcap-no-filter --pcap-dir=/home/foo/pcaps \

> --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps2

In this example, the ﬁrst ﬁlter will be applied to foo.txt, then no ﬁlter will be applied to the ﬁles found under

/home/foo/pcaps, so all ﬁles found under /home/foo/pcaps will be included, then the ﬁlter ”*.cap” will be applied

to ﬁles foun d under /home/foo/pcaps2.

Resetting state

$ snort --pcap-dir=/home/foo/pcaps --pcap-reset

The above exam ple will read all of the ﬁles unde r /hom e /foo/pcaps, but after each pcap is r e ad, Snort will be reset to

a post-conﬁguration state, meaning all buffers will be ﬂushed, statistics reset, e tc . For each pcap, it will be like Snort

is seeing trafﬁc for th e ﬁrst time.

Printing t he pcap

$ snort --pcap-dir=/home/foo/pcaps --pcap-show

The above example w ill rea d all of the ﬁles under /home/foo/pcaps and will print a line indicating which pcap is

currently being read.

1.7 Basic Output

Snort does a lot of work a nd ou tputs some u seful statistics when it is done. Many of these are self-explanatory. The

others are summarized below. This does not include all possible output data, just the basics.

1.7.1 Timing Statistics

This section provides basic timing statistics. It includes total seco nds and packets as well as packet pro cessing rates.

The rates are based on whole seconds, minutes, etc. and only shown wh en non-zero.

Example:

===============================================================================

Run time for packet processing was 175.856509 seconds

Snort processed 3716022 packets.

Snort ran for 0 days 0 hours 2 minutes 55 seconds

Pkts/min: 1858011

Pkts/sec: 21234

===============================================================================

1.7.2 Packet I/O Totals

This section shows basic packet acqu isition and injection peg counts o btained from the DAQ. If yo u are reading pcaps,

the totals are for all pcaps combined, unless you use –pcap-r eset, in which c ase it is shown per pcap.

• Outstanding in dicates h ow many packets a re buffere d awaiting processing. The way this is counted varies per

DAQ so the DAQ docu mentation sh ould be consulted for more info.

• Filtered packets are not shown for pcap DAQs.

• Injected packets are the result of active response which can be conﬁgured for inline o r passive modes.

Example:

===============================================================================

Packet I/O Totals:

Received: 3716022

Analyzed: 3716022 (100.000%)

剩余268页未读，继续阅读

AR.Chalice

粉丝: 1
资源: 2

Snort 2用户手册：全面指南(2.9.13版)

snort 用户手册

snort用户手册

snort2.0 指南

snort2怎么读取数据库中的rules

database mysql_error: Access denied for user 'snort'@'localhost' Barnyard2 exiting

ERROR 1698 (28000): Access denied for user 'snort'@'localhost'

ubuntu16.04安装snort

在snort中使用sudo snort -V sudo: snort: command not found

snort测试具体命令

Ubuntu安装Snort

snort安装与配置

snort windows无法启动

centos snort安装教程

sudo service snort start

centos7snort安装部署

linux怎么装snort

Linux中安装snort

snort入侵检测系统实验

kali上安装配置snort

virtualbox中下载snort

最新资源