Snort用户手册：简化网络入侵检测系统配置与使用

snort

需积分: 9 75 浏览量更新于2024-07-18 收藏 1.28MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

"Snort 用户手册 2.9.12版" Snort是一款开源的网络入侵检测系统（NIDS），由马丁·罗施（Martin Roesch）于1998年创建，并由Sourcefire公司（现为思科子公司）进一步发展。它能够用作嗅探器、数据包记录器以及网络入侵检测系统，提供了丰富的命令行选项来适应不同的监控需求。本手册旨在帮助新用户更轻松地理解和使用Snort。 1. Snort概述 - **开始使用**: Snort的使用并不复杂，但其众多的命令行选项可能对初学者造成困扰。通过本手册，用户可以逐步了解如何配置和操作Snort。 - **嗅探模式**: 在嗅探模式下，Snort简单地捕获并分析网络流量，不产生任何输出。 - **数据包记录器模式**: 在此模式下，Snort记录接收到的数据包，为后期分析提供数据。 - **网络入侵检测系统模式**: 这是Snort的核心功能，它可以实时检测网络中的异常行为和潜在攻击。 2. NIDS模式输出选项 - **标准警报输出**: Snort在检测到潜在威胁时会产生警报，用户可以定制输出格式。 - **高性能配置**: 针对高流量环境，Snort可以进行优化以降低性能影响。 3. 数据包获取 - **配置**: 用户需要指定数据包获取方式，如pcap、AF_PACKET、NFQ、IPQ或IPFW等。 - **pcap**: 一种广泛使用的数据包捕获库，用于读取和写入网络流量数据。 - **AF_PACKET**: 提供对Linux内核数据包接口的直接访问。 - **NFQ**和**IPQ**: 分别对应于Netfilter Queue和IPQueue，允许将数据包传递给用户空间程序处理。 - **IPFW**: 对于支持IPFW的系统，如FreeBSD，Snort可以直接与防火墙规则集交互。 - **Dump**: 用于简单地将接收到的数据包输出到文件或标准输出。 - **统计变化**: Snort提供了改进的统计信息，有助于分析和调试。 4. 读取pcap文件 - **命令行参数**: 用户可以指定各种参数来控制如何读取和处理pcap文件。 - **示例**: 手册中包含多个例子，展示如何使用不同参数读取和分析pcap文件。 5. 基本输出 - **定时统计**: 显示Snort运行的时间和速率信息。 - **包I/O总量**: 统计接收和发送的数据包数量。 - **协议统计**: 分析网络中各协议的使用情况。 - **Snort内存统计**: 监控Snort自身内存使用情况。 - **动作、限制和裁决**: 显示规则触发的行动，如阻止、记录或忽略。 6. 隧道协议支持 - **多层封装**: Snort能识别和处理被其他协议（如GRE或IPSec）封装的流量，这对于检测隧道内的攻击至关重要。手册还详细介绍了规则语法、预处理器、规则选项、事件处理、日志格式以及其他高级特性，帮助用户全面掌握Snort的使用，以提高网络的安全防护能力。

资源详情

资源推荐

1.5.3 AFPACKET

afpacket fun ctions similar to the memory mapped pcap DAQ but no extern a l library is requir ed:

./snort --daq afpacket -i <device>

[--daq-var buffer_size_mb=<#MB>]

[--daq-var debug]

If you want to ru n afpacket in inline mode, you must set device to one or more interface pairs, where each member of

a pair is separated by a single colon and each pair is separate d by a double colon like this:

eth0:eth1

or this:

eth0:eth1::eth2:eth3

By default, the afpacket DAQ allo cates 128MB for packet memory. You can change this with:

--daq-var buffer_size_mb=<#MB>

Note that the total allocated is actua lly higher, here’s why. Assuming the default packet memo ry with a snaplen of

1518, the nu mbers break down like this:

1. The frame size is 1518 (snaplen) + the size of the AFPacket header (66 bytes) = 1584 bytes.

2. The num ber of frames is 128 MB / 1518 = 84733.

3. The smallest block size that can ﬁt at least one frame is 4 KB = 4096 bytes @ 2 frames per block.

4. A s a result, we need 84733 / 2 = 42366 blocks.

5. A ctual memory allocated is 42366 * 4 KB = 165.5 MB.

1.5.4 NFQ

NFQ is the new and improved way to process iptables packets:

./snort --daq nfq \

[--daq-var device=<dev>] \

[--daq-var proto=<proto>] \

[--daq-var queue=<qid>] \

[--daq-var queue_len=<qlen>]

<dev> ::= ip | eth0, etc; default is IP injection

<proto> ::= ip4 | ip6 | ip*; default is ip4

<qid> ::= 0..65535; default is 0

<qlen> ::= 0..65535; default is 0

Notes on ipta bles can be f ound in the DAQ distro README.

1.5.8 Statistics Changes

The Packet Wire Totals and Action Stats sections of Snort’s output include ad ditional ﬁelds:

•

Filtered

count of packets ﬁltered out and not hand ed to Snort for analysis.

•

Injected

packets Snort gene rated and sent, e.g. TCP resets.

•

Allow

packets Snort analyzed and d id not take action on.

•

Block

packets Snort did not forward, e.g. due to a block rule.

•

Replace

packets Snort modiﬁed.

•

Whitelist

packets that caused Snort to allow a ﬂow to pass w/o inspection by any analysis program.

•

Blacklist

packets that caused Snort to block a ﬂow from passing.

•

Ignore

packets that caused Snort to allow a ﬂow to pass w/o inspection by this instance of Snort.

The ac tion stats show ”blocked” packets instead of ”dropped” packets to avoid confusion between drop ped packets

(those Snort didn’t actually see) and blocked packets (tho se Snort did not allow to pass).

1.6 Reading pcap ﬁles

Instead of having Snort listen on a n interface, you can give it a packet c apture to read. Snort will read an d analyze the

packets as if they came off the wire. This can be useful f or testing and debugging Snort.

1.6.1 Command line arguments

Any of th e below can be speciﬁed multiple times on the command line (

-r

included) and in additio n to other Snort

command line options. Note, however, that specifying

--pcap-reset

and

--pcap-show

multiple times has the sam e

effect as sp e cifying them once.

Option Description

-r <file>

Read a single pcap.

--pcap-single=<file>

Same as -r. Add ed for completen ess.

--pcap-file=<file>

File that contains a list of pcap ﬁles to read. Can specify path to each p c ap or

directory to recurse to get pcaps.

--pcap-list="<list>"

A space separated list of pcaps to read.

--pcap-dir=<dir>

A direc tory to recurse to look for pcaps. Sorted in ASCII or der.

--pcap-filter=<filter>

Shell style ﬁlter to apply when getting pcaps from ﬁle or directory. This ﬁl-

ter will apply to any

--pcap-file

--pcap-dir

arguments following. U se

--pcap-no-filter

to delete ﬁlter for following

--pcap-file

--pcap-dir

arguments or specify

--pcap-filter

again to forget previous ﬁlter a nd to apply

to following

--pcap-file

--pcap-dir

arguments.

--pcap-no-filter

Reset to use no ﬁlter when getting pcaps from ﬁle or directory.

--pcap-reset

If reading multiple pcaps, reset snort to post-conﬁguration state before reading

next pcap. The default, i.e . witho ut this option, is not to reset state.

--pcap-show

Print a line saying what pcap is currently being read.

1.6.2 Examples

Read a single pcap

$ snort -r foo.pcap

$ snort --pcap-single=foo.pcap

Read pcaps from a ﬁle

$ cat foo.txt

foo1.pcap

foo2.pcap

/home/foo/pcaps

$ snort --pcap-file=foo.txt

This will read foo1.pcap, fo o2.pcap and all ﬁles under /home/foo/pcap s. Note that Snort will not try to determine

whether the ﬁles under that dire ctory are really pcap ﬁles or not.

Read pcaps from a command line list

$ snort --pcap-list="foo1.pcap foo2.pcap foo3.pcap"

This will read foo1.pcap, foo 2.pcap a nd f oo3.pc ap.

Read pcaps under a directory

$ snort --pcap-dir="/home/foo/pcaps"

This will inc lude all of the ﬁles under /home/foo/pcaps.

Using ﬁlt ers

$ cat foo.txt

foo1.pcap

foo2.pcap

/home/foo/pcaps

$ snort --pcap-filter="*.pcap" --pcap-file=foo.txt

$ snort --pcap-filter="*.pcap" --pcap-dir=/home/foo/pcaps

The above will only include ﬁles that match the shell pattern ”*.pcap”, in other words, any ﬁle ending in ”.pcap”.

$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \

> --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps

In the above, th e ﬁrst ﬁlter ”*.pcap” will only be applied to the pcaps in the ﬁle ”foo.txt” (and any directories that a re

recursed in that ﬁle). The addition of the second ﬁlter ”*. c ap” will cause the ﬁrst ﬁlter to be forgotten and then applied

to the directory /home/f oo/pcaps, so only ﬁles ending in ”.cap ” will be included from th at directory.

$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \

> --pcap-no-filter --pcap-dir=/home/foo/pcaps

In this example, the ﬁrst ﬁlter will be applied to foo. txt, then no ﬁlter will be applied to the ﬁles found under

/home/foo/pcaps, so all ﬁles fo und under /home/foo/pca ps will be included.

$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \

> --pcap-no-filter --pcap-dir=/home/foo/pcaps \

> --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps2

In this example, the ﬁrst ﬁlter will be applied to foo. txt, then no ﬁlter will be applied to the ﬁles found under

/home/foo/pcaps, so all ﬁles found under /home/foo/pcaps will be included, then the ﬁlter ”*.cap” will be applied

to ﬁles found under /home/foo/pcaps2.

Resetting state

$ snort --pcap-dir=/home/foo/pcaps --pcap-reset

The above example will read all of the ﬁles und er /home/foo/p caps, but after each pcap is read, Snort will be reset to

a post-conﬁguration state, meaning all buffers will be ﬂushed, statistics reset, e tc . For each pcap, it will be like Snort

is seeing trafﬁc for the ﬁrst time.

Printing t he pcap

$ snort --pcap-dir=/home/foo/pcaps --pcap-show

The above example w ill rea d all of the ﬁles under /home/foo/pcaps and will print a line indicating which pcap is

currently being read.

1.7 Basic Output

Snort does a lot of work a nd ou tputs some useful statistics when it is done. Many of these are self-explanatory. The

others are summ a rized below. This does not include all possible outpu t data, just the basics.

1.7.1 Timing Statistics

This section provides basic timing statistics. It includes total seconds and packets as well as packet processing rates.

The rates are based on wh ole seconds, minutes, etc. and only shown when non-zero.

Example:

===============================================================================

Run time for packet processing was 175.856509 seconds

Snort processed 3716022 packets.

Snort ran for 0 days 0 hours 2 minutes 55 seconds

Pkts/min: 1858011

Pkts/sec: 21234

===============================================================================

1.7.2 Packet I/O Totals

This section shows basic packet acquisition and injection peg coun ts obtained from the DAQ. If you are reading pcaps,

the totals are for all pcaps combined, u nless you use –pcap-r eset, in which case it is shown per pcap.

• Outstanding in dicates h ow many packets are buffered awaiting processing. The way this is counted varies per

DAQ so the DAQ docu mentation sh ould be consulted for more info.

• Filtered packets are not shown for pcap DAQs.

• Injected packets are the result o f active r esponse which can be conﬁgured for inline o r passive modes.

Example:

===============================================================================

Packet I/O Totals:

Received: 3716022

Analyzed: 3716022 (100.000%)

剩余268页未读，继续阅读

qq_25981363

粉丝: 0
资源: 4

Snort用户手册：简化网络入侵检测系统配置与使用

最新版snort——2-9-5-3

snort_manual.pdf

Snort-开源

snort -dev -l /var/log/snort -h 192.168.252.139 -c /etc/snort/snort.conf

在snort中使用sudo snort -V sudo: snort: command not found

centos7snort安装部署

virtualbox中下载snort

snort -v -c d:\Softwares\Snort\etc\snort.conf

snort测试具体命令

sudo service snort start

centos snort安装教程

ubuntu20 snort

kali安装snort

Ubuntu安装Snort

Linux中安装snort

你能搭一个ubuntu环境安装好snort吗

kali上安装配置snort

ubuntu22.04安装snort

ubuntu安装snort

kali 安装snort

最新资源