不多说,直接上干货!
最近为了科研,需要安装和使用Snort。
snort的官网
https://www.snort.org/
Snort作为一款优秀的开源主机入侵检测系统,在windows和Linux平台上均可安装运行。Ubuntu作为一个以桌面应用为主的Linux操作系统,同样也可以安装Snort。
对于网络安全而言入侵检测是一件非常重要的事。入侵检测系统(IDS)用于检测网络中非法与恶意的请求。Snort是一款知名的开源的入侵检测系统。其 Web界面(Snorby)可以用于更好地分析警告。Snort使用iptables/pf防火墙来作为入侵检测系统。本篇博文中,我会安装并配置一个开源的入侵检测系统snort。
最好的文档,不愧还是官方文档!
说在前面的话
因为,我这里选择的是用官方当前最新来安装Snort,并且版本是定位在Snort2.9.9
建议,大家跟我这样,在安装Snort前,先快照下,大不了错误,恢复重头再来一次呗!
点击进入,带领大家来看官方文档。
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/122/original/Snort_2.9.9.x_on_Ubuntu_14-16.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1494907659&Signature=xhOV%2FnF7%2BOsP%2FZUHpPLmYTU4%2Fkc%3D
然后,现在,来带领大家,网络设置。
8 Network Card Configuration
From http://manual.snort.org/node7.html:
Some network cards have features named “Large Receive Offload” (lro) and “Generic Receive
Offload” (gro). With these features enabled, the network card performs packet reassembly before
they’re processed by the kernel. By default, Snort will truncate packets larger than the default
snaplen of 1518 bytes. In addition, LRO and GRO may cause issues with Stream5 target-based
reassembly. We recommend that you turn off LRO and GRO.
To disable LRO and GRO for any interface that Snort listens on, we will use the ethtool command in the
network interface configuration file /etc/network/interfaces. We use vi to edit the network interfaces
file:
sudo vi /etc/network/interfaces
Append the following two lines for each network interface, making sure to change eth0 to match the interface
you are working on, since your interface names may be different, especially on Ubuntu 16:(这个是必须的)
因为,我这里,ifconfig下来,网卡名称是ens33。所以就得用这个。
post-up ethtool -K ens33 gro off
post-up ethtool -K ens33 lro off
an example of how the /etc/network/interfaces file should look for a single interface:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto ens33
iface ens33 inet dhcp
post-up ethtool -K ens33 gro off
post-up ethtool -K ens33 lro off
Restart networking (replace ens33 with your interfaces with below) and verify that LRO and GRO are disabled:
user@snortserver:~$ sudo ifconfig ens33 down && sudo ifconfig ens33 up
user@snortserver:~$ ethtool -k ens33 | grep receive-offload
generic-receive-offload: off
large-receive-offload: off
user@snortserver:~$
而我出现了on,所以,官网文档也说了,重启虚拟机。
if the interfaces do not show LRO and GRO as off, reboot and check again (it can be difficult to get Ubuntu to reload the network configuration without a reboot).
下一步
9 Installing the Snort Pre-Requisites
Snort has four main pre-requisites:(预安装)
pcap (libpcap-dev) available from the Ubuntu repository
PCRE (libpcre3-dev) available from the Ubuntu repository
Libdnet (libdumbnet-dev) available from the Ubuntu repository
DAQ (http://www.snort.org/downloads/) compiled from source
First we want to install all the tools required for building software. The build-essentials package does
this for us:
sudo apt-get install -y build-essential
Once our build tools are installed, we install all Snort pre-requisites that are available from the Ubuntu
repositories3
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev
如果这里大家出现网络不可达,或者下载慢的情况,可以见
Ubuntu14.04官方默认更新源sources.list和第三方源推荐(干货!)
成功
The Snort DAQ (Data AcQuisition library)has a few pre-requisites that need to be installed:
sudo apt-get install -y bison flex
成功!
In this guide, we will be downloading a number of tarbals for various software packages. We will create a
folder called snort src to keep them all in one place:
mkdir ~/snort_src
cd ~/snort_src
Download and install the latest version of DAQ from the Snort website. The steps below use wget to download version 2.0.6 of DAQ, which is the latest version at the time of writing this guide.
cd ~/snort_src
wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install
解决办法1:
解决办法2:
或者(如果大家上述走不通的话,也可以下面来做)
其实解决办法就是
yum install bison
yum install flex
yum install libpcap-devel
像这样的问题,等等,都可以通过我下面的博客来解决。说白了,就是源的问题。(优先试用清华源和网易源)
Ubuntu14.04官方默认更新源sources.list和第三方源推荐(干货!)
现在没有可用的软件包 *** ,但是它被其它的软件包引用了 和 E: 无法定位软件包 ***问题解决(思路清晰干货)
然后,安装完必要的工具后,再次运行./configure脚本,将会显示下面的输出。
