最近在學習snort,在官網http://www.snort.org下載了最新版的windows平臺下的snort安裝包Snort_2_9_0_5_Installer.exe和規則文件庫snort-2.9.0.3.tar.zip,查閱了網上的資料終於把基本的安裝和IDS模式配置完成了,寫成學習筆記以便加強記憶。
自己是菜鳥,對這方面挺感興趣,但是技術有限,希望能得到高手指點![]()
------------------------------------------------------------
1、由於我本機已經安裝了WinPcap_4_1_2.exe,可滿足當前Snort版本對WinPcap版本的要求,所以只下載了Snort。
首先安裝Snort_2_9_0_5_Installer.exe,過程比較簡單,由於只是自己測試,我沒有進行過多的設置一路Next安裝完畢,默認路徑C:\Snort,最後彈出Snort has successfullly been installed.窗口,點擊“確定”安裝成功;
之後同樣步驟完成了WinPcap_4_1_2.exe的安裝。
2、配置環境變量(我感覺我不配置也可以啊),如下圖所示:![]()
3、運行cmd,輸入“snort -?”可以查看snort相關命令行,如下圖所示:
4、導入規則文件庫,解壓下載下來的snort-2.9.0.3.tar.zip,得到四個文件夾:
將文件夾下的文件複製到snort安裝目錄下對應的文件中,我安完snort安裝目錄下沒有so_rules文件夾,就直接複製過去了。
5、然後啓用ids模式,執行以下命令:
這時遇到了很多問題,主要都是由於snort.conf配置文件的錯誤,找了一些資料及snort官網的論壇,終於解決了,可能有些解決的辦法不一定是很好的,不管怎樣終於可以運行起來了。
第一個錯誤:ERROR:c:\Snort\etc\snort.conf(39) Unknown rule type:ipvar
解決辦法:把snort.conf文件中的ipvar改爲var(可能不是根本的解決辦法)
解決之後重複執行上圖的運行命令,會彈出第二個錯誤,以下依次類推。。
第二個錯誤:
ERROR: C:\SnortBuild\snort-2.9.0.5\src\parser.c(5245) Could not stat dynamic mod
ule path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
ule path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
解決辦法:由於snort.conf文件中默認的配置路徑是linux環境中的相對路徑,所以在windows環境中需要改爲絕對路徑:
原來代碼是這樣的:
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
按照當前目錄下的文件名稱及所在路徑改爲:
dynamicdetection directory /usr/local/lib/snort_dynamicrules
按照當前目錄下的文件名稱及所在路徑改爲:
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
# path to dynamic preprocessor libraries
#dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
#dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_sdf.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
dynamicengine C:/Snort/lib/snort_dynamicengine/sf_engine.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_sdf.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
dynamicengine C:/Snort/lib/snort_dynamicengine/sf_engine.dll
# path to base preprocessor engine
#dynamicengine C:\Snort\lib\snort_dynamicengine\libsf_engine.so
#dynamicengine C:\Snort\lib\snort_dynamicengine\libsf_engine.so
# path to dynamic rules libraries
#dynamicdetection C:\Snort\lib\snort_dynamicrules
#dynamicdetection C:\Snort\lib\snort_dynamicrules
第三個錯誤:
ERROR: C:\Snort\etc\snort.conf(255) => 'compress_depth' and 'decompress_depth' s
hould be set to max in the default policy to enable 'unlimited_decompress'
Fatal Error, Quitting..
hould be set to max in the default policy to enable 'unlimited_decompress'
Fatal Error, Quitting..
解決辦法:我把compress_depth 20480改成了65535,也不知道對不對,反正是不報錯了?
第四個錯誤:
ERROR: C:\Snort\etc\snort.conf(201) Unknown preprocessor: "normalize_ip4".
Fatal Error, Quittig..
Fatal Error, Quittig..
解決辦法:把下面的都#注掉了就好了。我看技術人員回覆的意思應該是“因爲在IDS模式不起作用,但是在windows平臺下實際起作用了”,所以注掉。。
# Does nothing in IDS mode
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6
逐個解決完上面遇到的問題之後,再執行以IDS模式運行的指令時,應該就正確進入IDS模式了。
還需要注意的是,snort.conf文件中此處的路徑需要改爲絕對路徑,這樣才能正確調用規則文件,當有事件時才能觸發規則發生相應動作(我這麼理解的)
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
改爲
var RULE_PATH c:\Snort\rules
var SO_RULE_PATH c:\Snort\so_rules
var PREPROC_RULE_PATH c:\Snort\preproc_rules
var SO_RULE_PATH c:\Snort\so_rules
var PREPROC_RULE_PATH c:\Snort\preproc_rules
很有幫助的參考資料: