snort 經常用作入侵檢測系統(IDS),進一步可以配置爲入侵防禦系統(IPS)。snort使用數據採集器(daq)監聽防火牆數據包隊列,配合snort規則動作drop、alert等處理數據包,防火牆在snort啓動後添加鏈表隊列。報文經過防火牆時,將交給snort來處理,觸發入侵檢測規則時立刻響應動作,屏蔽數據包。其實,入侵防禦系統應該直連在網絡環境當中,需要配置網橋。snort監聽網橋的功能,防火牆更加要支持網橋,網橋也可以配置成透明的模式。這裏只是簡單的嘗試snort的IPS模式,配置在單機上,屏蔽訪問單機而且觸發規則的數據包,下面是配置與測試過程。
1、準備環境
1.1、系統、軟件版本
環境:ubuntu15.10+snort2.9.8.0+daq2.0.4(注因爲已經安裝過snort的入侵檢測模式,snort與daq是重新編譯安裝)
2.1、依賴庫
snort配置ips模式,先把數據採集器(daq)配置支持nfq模式,爲daq安裝netfilter_queue、libnfnetlink、libmnl。下載相應源碼包解壓編譯安裝,也可以嘗試命令方式安裝,不過我使用了源碼方式安裝。同時,安裝上面依賴包的開發包,因爲源碼編譯daq需要開發包支持。然後去下載libdnet源碼包解壓編譯安裝。
2、系統安裝過程
2.1、數據採集器daq
數據採集器(daq)配置支持nfq模式,命令行輸入如:
liang@ubuntu:~/snort/daq$ sudo ./configure Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
Build netmap DAQ module...... : no編譯鏈接daq,命令行輸入:
liang@ubuntu:~/snort/daq$ sudo make安裝daq命令:
liang@ubuntu:~/snort/daq$ sudo make install查看snort daq支持的功能,命令行輸入如下命令:
liang@ubuntu:~/snort_ips/libdnet-1.11$ snort --daq-list打印如下結果,snort daq並沒有支持nfq,重新編譯入侵檢測系統ids:
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
2.2、入侵檢測snort
命令行輸入如下命令編譯安裝: liang@ubuntu:~/snort/snort$ sudo make clean
liang@ubuntu:~/snort/snort$ sudo ./configure
liang@ubuntu:~/snort/snort$ sudo make
liang@ubuntu:~/snort/snort$ sudo make install
liang@ubuntu:~/snort/snort$ sudo snort --daq-list已經支持nfq模式,可以開始IPS模式的配置與測試:
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
3、簡單規則設計
3.1、添加兩條drop規則
drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)
drop icmp any any -> 192.168.213.170 any (msg:"Drop ping";sid:8886288)
3.2、drop與alert同在
alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288)
drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)3.3、只有drop規則存在
drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)4、snort與iptables聯動
4.1、說明
首先啓動snort,然後添加防火牆規則。可以使用shell腳本或者c程序等監聽snort啓動成功後,添加防火牆規則,防火牆規則的設置與恢復可以寫在文件中,使用iptables命令完成。snort只可以使用一個隊列,防火牆裏面可以添加多條規則到一個隊列。
4.2、snort啓動
snort啓動命令如下:
sudo snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/etc/snort.conf4.3、iptables 隊列
防火牆隊列如下,簡單的配置過程:
sudo /usr/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
sudo /usr/sbin/iptables -I FORWARD -j NFQUEUE --queue-num 1
sudo /usr/sbin/iptables -t input -I PREROUTING -j NFQUEUE --queue-num 1
liang@ubuntu:~$ sudo iptables -nL打印如下:
Chain INPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 1
Chain FORWARD (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination 查看防火牆nat表規則:
liang@ubuntu:~$ sudo iptables -t nat -nL打印如下:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 1
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination 5、測試
5.1、添加兩條drop規則
本機監聽alert輸出文件:
liang@ubuntu:~$ tail -f /var/log/snort/alert
另外一臺機器訪問本機80端口,監聽輸出如下,而且訪問80端口失敗:
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:37.362404 192.168.213.162:40640 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:15682 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3DB5D5B Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408601 0 NOP WS: 7
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:37.595837 192.168.213.162:40642 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:17709 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8619257E Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408659 0 NOP WS: 7
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:37.731718 192.168.213.162:40644 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:6892 IpLen:20 DgmLen:60 DF
******S* Seq: 0xA1C7A99 Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408693 0 NOP WS: 7
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:37.884915 192.168.213.162:40646 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:42308 IpLen:20 DgmLen:60 DF
******S* Seq: 0x495EC5DF Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408731 0 NOP WS: 7
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:38.082540 192.168.213.162:40648 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:7605 IpLen:20 DgmLen:60 DF
******S* Seq: 0xEF657D78 Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408781 0 NOP WS: 7
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:38.333060 192.168.213.162:40650 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:61398 IpLen:20 DgmLen:60 DF
******S* Seq: 0x64518EDD Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408843 0 NOP WS: 7 另一臺機器ping本地主機,打印如下,而且ping失敗:
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:50.932352 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:36821 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:1 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:51.940781 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:36847 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:2 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:52.941954 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37040 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:3 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:53.941261 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37191 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:4 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:54.941031 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37319 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:5 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:55.941207 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37535 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:6 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:56.941222 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37771 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:7 ECHOCommencing packet processing (pid=3466)
Decoding Raw IP4
^C*** Caught Int-Signal
===============================================================================
Run time for packet processing was 261.437100 seconds
Snort processed 763 packets.
Snort ran for 0 days 0 hours 4 minutes 21 seconds
Pkts/min: 190
Pkts/sec: 2
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena): 274706432
Bytes in mapped regions (hblkhd): 21590016
Total allocated space (uordblks): 102918272
Total free space (fordblks): 171788160
Topmost releasable block (keepcost): 59472
===============================================================================
Packet I/O Totals:
Received: 763
Analyzed: 763 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 29
===============================================================================
5.2、drop與alert同在
因爲配置了 alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288) 規則,ping操作可以完成,但是ping操作被報警記錄,此時像是入侵檢測 模式,但是屏蔽的80端口仍然不能訪問,而且被記錄在報警日誌裏面。同時,snort終端也有打印屏蔽數據包的信息。
5.3、只有drop規則存在
此時ping操作可以完成,沒有被記錄到日誌。而訪問80端口讓然出現上面的情況,證明snort IPS模式配置成功,屏蔽數據的功能有snort根據規則動作來完成。