

Distribution this was tested on

Installing Snort 2.3.2

Install it with APT.

# apt-get install snort

Enter the name of the network interface you want to monitor (usually [eth0]) and select [Ok].
* If you want to monitor more than one interface, add [eth1] etc., separated by spaces.

==== Configuring snort ====
Please enter the interface(s) name(s) which snort should listen on. The name of
the available interfaces are provided by running 'ip link show'. This value
usually is 'eth0', but you might want to vary this depending on your environment,
if you are using a dialup connection 'ppp0' might be more appropiate.

Notice that Snort is usually configured to inspect all traffic coming from the
Internet, so the interface you add here is usually the same the 'default route' is
on.  You can determine which interface is used for this running either '/sbin/ip
ro sh' or '/sbin/route -n' (look for 'default' or '0.0.0.0').

It is also not uncommon to run Snort on an interface with no IP and configured in
promiscuous mode, if this is your case, select the interface in this system that
is physically connected to the network you want to inspect, enable promiscuous
mode later on and make sure that the network traffic is sent to this interface
(either connected to a 'port mirroring/spanning' port in a switch, to a hub or to
a tap)

You can configure multiple interfaces here, just by adding more than one interface
name separated by spaces. Each interface can have its specific configuration.

On which interface(s) should Snort listen?

eth0_______________________________________________________________________________

                                      <Ok>
===========================

Enter the range of network addresses you want to monitor and select [Ok].

==== Configuring snort ====
You have to use CIDR form, i.e. 192.168.1.0/24 for a block of 256 IPs or
192.168.1.42/32 for just one. Specify multiple addresses on a single line
separated by ',' (comma characters), no spaces allowed!

If you want you can specify 'any', to not trust any side of the network.

Notice that if you are using multiple interfaces this definition will be used as
the HOME_NET definition of all of them.

Please enter the address range that Snort will listen on.

192.168.0.0/24____________________________________________________________________

                                      <Ok>
===========================

Enter the address that should receive Snort's daily summary mail and select [Ok].

==== Configuring snort ====
A cron job running daily will summarise the information of the logs generated by
Snort using a script called 'snort-stat'. Introduce here the recipient of these
mails. The default value is the system administrator. If you keep this value, make
sure that the mail of the administrator is redirected to a user that actually
reads those mails.

Who should receive the daily statistics mails?

root_______________________________________________________________________________

                                      <Ok>
===========================

An error occurred!!
Apparently the stat command cannot be found.

No snort instance found to be stopped!
Starting Network Intrusion Detection System: /etc/init.d/snort: stat: command not found
ERR: logging directory /var/log/snort does not belong to the snort user snort will not start Network Intrusion Detection System!
invoke-rc.d: initscript snort, action "start" failed.

↓ A message is shown saying that this directory does not belong to the snort user... but...

# ls -l /var/log/
drwxr-s---    2 snort    adm          4096 Nov  7 00:09 snort

I had no idea what the cause was, so I gave up for the moment....

# apt-get remove snort

Googling it, it seems the stat command is normally installed as /usr/bin/stat and is part of the coreutils package.
So,

# apt-get install coreutils

Trying again, it seems OK!?

# apt-get install snort

No snort instance found to be stopped!
Starting Network Intrusion Detection System: snort(eth0) No /etc/snort/snort.eth0.conf, defaulting to snort.conf
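As an added example (not from this page or from the Debian snort package), the following POSIX shell script checks, before running the installer again, the things the debconf prompts and the init script above depend on: that each interface name given exists, that the HOME_NET answer is 'any' or comma-separated CIDR blocks with no spaces, that the stat command is present (the failure hit above), and that the log directory is owned by the snort user (the condition the init script reported). It assumes a Linux host with GNU coreutils (stat -c %U) and /sys/class/net; the function names and the /sys/class/net lookup standing in for 'ip link show' are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original page or the snort package:
# pre-flight checks for the debconf answers and for the init script's
# start-up conditions. Assumes Linux, GNU coreutils stat, /sys/class/net.
set -f   # no pathname expansion while we split strings on IFS

# Does an interface of this name exist? (/sys/class/net is an assumption
# standing in for the 'ip link show' the prompt suggests.)
iface_exists() {
    [ -n "$1" ] && [ -d "/sys/class/net/$1" ]
}

# Validate one IPv4 address or CIDR block: 192.168.1.0/24, 192.168.1.42/32,
# or a bare address (treated as a single host).
cidr_ok() {
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then
        prefix=32
    else
        prefix=${1##*/}
    fi
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                  # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate the HOME_NET answer as the prompt requires:
# 'any', or CIDR blocks separated by ',' with no spaces.
home_net_ok() {
    [ "$1" = "any" ] && return 0
    case $1 in ''|*' '*|,*|*,|*,,*) return 1 ;; esac
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    for block in "$@"; do
        cidr_ok "$block" || return 1
    done
    return 0
}

# The ownership check the init script performs: 0 if DIR is owned by USER,
# 2 if stat itself is missing (the error on this page), 1 otherwise.
log_dir_owned_by() {
    dir=$1; user=$2
    command -v stat >/dev/null 2>&1 || return 2
    [ -d "$dir" ] || return 1
    owner=$(stat -c %U "$dir" 2>/dev/null) || return 1
    [ "$owner" = "$user" ]
}

# Run every check against the answers given on this page and report each one.
preflight() {
    ifaces=$1; home_net=$2; log_dir=$3; user=$4
    for i in $ifaces; do
        if iface_exists "$i"; then echo "interface $i: ok"
        else echo "interface $i: not found"; fi
    done
    if home_net_ok "$home_net"; then echo "HOME_NET $home_net: ok"
    else echo "HOME_NET $home_net: malformed (use CIDR, commas, no spaces)"; fi
    log_dir_owned_by "$log_dir" "$user"
    case $? in
        0) echo "$log_dir owned by $user: ok" ;;
        2) echo "stat not found: install coreutils" ;;
        *) echo "$log_dir missing or not owned by $user: chown $user $log_dir" ;;
    esac
}

preflight "eth0" "192.168.0.0/24" "/var/log/snort" "snort"
```

Run it as root on the machine before `apt-get install snort`; a "stat not found" line reproduces the page's first failure, and a "not owned by" line the second, so both can be fixed before the init script runs.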

Last-modified: 2007-03-22 (Thu) 23:47:05 (4289d)