
【Linux】CentOS 8 Snort(不正侵入検知システム) インストールメモ


Snortは外部・内部からの攻撃を検知するIDS(不正侵入検知システム)で、OSSとしては定番のソフトです。本手順ではアラートを出すだけで通信の遮断は行いません(IPSとして動作させる設定は扱いません)。CentOS 8 向けのインストール手順があまり見当たらなかったので、検証環境でインストールした際のメモです。

www.snort.org

 

インストール

①snortインストール(パッケージ導入手順はこのページには転記されていません。以降の手順は /usr/sbin/snort、/etc/snort/snort.conf、/etc/sysconfig/snort が配置済みであることを前提としています)

②ルールファイル取得

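#!/usr/bin/env bash
# Step 2: fetch the Snort community ruleset and unpack it under /etc/snort/rules.
#
# In the original memo the two commands were collapsed onto one line
# ("-O community-rules.tar.gz# tar ..."); pasted as-is, wget would write to a
# file literally named "community-rules.tar.gz#" and tar would never run.
set -euo pipefail

rules_dir=${RULES_DIR:-/etc/snort/rules}
archive=community-rules.tar.gz
# Official download URL; wget verifies the TLS certificate by default.
url="https://www.snort.org/downloads/community/${archive}"

mkdir -p -- "$rules_dir"
# -O before "--" so the option is not swallowed as a URL.
wget -O "$archive" -- "$url"

# The tarball unpacks to $rules_dir/community-rules/community.rules, which is
# the path snort.conf later includes as $RULE_PATH/community-rules/community.rules.
# NOTE(review): the ruleset is updated upstream; re-run this step periodically,
# nothing else in the memo refreshes it.
tar -xvzf "$archive" -C "$rules_dir"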

snort設定

③設定ファイル(/etc/sysconfig/snort)の編集(以下の diff は「編集後 編集前」の順で取っているため、`<` が編集後の値、`>` が元の値です)

# diff /etc/sysconfig/snort /etc/sysconfig/snort.orig

15c15
< INTERFACE=ens33
---
> INTERFACE=eth0
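Review bot: `INTERFACE=ens33` only tells snortd which NIC to sniff; whether that NIC ever carries traffic other than the sensor's own depends on how it is fed (a mirror/SPAN port, or at least promiscuous mode on a shared segment), and the memo does not say how the lab is wired. A short remark next to the setting, such as `※自ホスト以外の通信を監視する場合はミラーポート等で当該インターフェースに通信を流す必要があります`, would prevent the common mistake of assuming the segment is covered. Also note the diff was taken as `diff edited orig`, so the `<` line is the value in effect, the reverse of the usual reading.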

※監視対象の通信が流れるネットワークインターフェース名を記載します。

CentOS 8 の最小構成では ifconfig(net-tools)が入っていないので、`ip link` や `nmcli device` で確認してください。なお、このインターフェースに自ホスト宛て以外の通信を見せるには、ミラーポート(SPAN)に接続するなど別途構成が必要です。

④設定ファイル(/etc/snort/snort.conf)の編集(こちらも「編集後 編集前」の順で diff を取っているため、`<` が編集後の値、`>` が元の値です)

# diff /etc/snort/snort.conf /etc/snort/snort.conf.orig

45c45
< ipvar HOME_NET 192.168.11.126    ※利用しているIPアドレス
---
> ipvar HOME_NET any
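Review bot: `ipvar HOME_NET 192.168.11.126` narrows HOME_NET to a single address, which the annotation says is the sensor's own IP; every rule written against `$HOME_NET`/`$EXTERNAL_NET` then only matches traffic to or from that one host, so anything else seen on ens33 is effectively unmonitored. If the sensor is meant to watch the segment, name the network instead, `ipvar HOME_NET 192.168.11.0/24`, and leave `EXTERNAL_NET` (not shown in this diff, presumably still at its default) as `!$HOME_NET` or `any`. Since the diff is `diff edited orig`, the `<` line is the active value.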
104,106c104,106
< var RULE_PATH rules
< var SO_RULE_PATH so_rules
< var PREPROC_RULE_PATH preproc_rules
---
> var RULE_PATH /etc/snort/rules
> var SO_RULE_PATH ../so_rules
> var PREPROC_RULE_PATH ../preproc_rules
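Review bot: Changing `RULE_PATH` from the absolute `/etc/snort/rules` to the bare `rules` makes every `include $RULE_PATH/...` depend on where Snort resolves relative includes from (its config directory in recent 2.9 releases, the working directory otherwise), so the same snort.conf can stop loading rules if it is launched with `-c` from another location or copied elsewhere. Keeping the absolute form, `var RULE_PATH /etc/snort/rules`, matches where step ② actually unpacks the rules and removes that ambiguity. The `SO_RULE_PATH`/`PREPROC_RULE_PATH` edits look unused by this configuration once `dynamicdetection` is commented out further down, but that cannot be confirmed from the visible lines.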
113,114c113,114
< var WHITE_LIST_PATH rules
< var BLACK_LIST_PATH rules
---
> var WHITE_LIST_PATH ../rules
> var BLACK_LIST_PATH ../rules
253c253
< #dynamicdetection directory /usr/local/lib/snort_dynamicrules
---
> dynamicdetection directory /usr/local/lib/snort_dynamicrules
510,513c510,512
< nested_ip inner
< # nested_ip inner, \
< # whitelist $WHITE_LIST_PATH/white_list.rules, \
< # blacklist $BLACK_LIST_PATH/black_list.rules
---
> nested_ip inner, \
> whitelist $WHITE_LIST_PATH/white_list.rules, \
> blacklist $BLACK_LIST_PATH/black_list.rules
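Review bot: Commenting out the `whitelist`/`blacklist` lines leaves the reputation preprocessor running with no IP lists at all, which also turns the `WHITE_LIST_PATH`/`BLACK_LIST_PATH` edits earlier in this diff into dead configuration. If the reason was that `white_list.rules`/`black_list.rules` are not shipped by the package, the less invasive fix is to create them empty, `touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules`, and keep the original three lines, so the hook for blocking known-bad addresses is still there when needed. Either way the memo should state that the IP lists are disabled so nobody assumes they are in effect.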
547c546,651
< include $RULE_PATH/community-rules/community.rules
---
> include $RULE_PATH/local.rules
>
> include $RULE_PATH/app-detect.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/blacklist.rules
> include $RULE_PATH/botnet-cnc.rules
> include $RULE_PATH/browser-chrome.rules
> include $RULE_PATH/browser-firefox.rules
> include $RULE_PATH/browser-ie.rules
> include $RULE_PATH/browser-other.rules
> include $RULE_PATH/browser-plugins.rules
> include $RULE_PATH/browser-webkit.rules
> include $RULE_PATH/chat.rules
> include $RULE_PATH/content-replace.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/exploit-kit.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/file-executable.rules
> include $RULE_PATH/file-flash.rules
> include $RULE_PATH/file-identify.rules
> include $RULE_PATH/file-image.rules
> include $RULE_PATH/file-multimedia.rules
> include $RULE_PATH/file-office.rules
> include $RULE_PATH/file-other.rules
> include $RULE_PATH/file-pdf.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/indicator-compromise.rules
> include $RULE_PATH/indicator-obfuscation.rules
> include $RULE_PATH/indicator-shellcode.rules
> include $RULE_PATH/info.rules
> include $RULE_PATH/malware-backdoor.rules
> include $RULE_PATH/malware-cnc.rules
> include $RULE_PATH/malware-other.rules
> include $RULE_PATH/malware-tools.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/multimedia.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/os-linux.rules
> include $RULE_PATH/os-other.rules
> include $RULE_PATH/os-solaris.rules
> include $RULE_PATH/os-windows.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/p2p.rules
> include $RULE_PATH/phishing-spam.rules
> include $RULE_PATH/policy-multimedia.rules
> include $RULE_PATH/policy-other.rules
> include $RULE_PATH/policy.rules
> include $RULE_PATH/policy-social.rules
> include $RULE_PATH/policy-spam.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/protocol-finger.rules
> include $RULE_PATH/protocol-ftp.rules
> include $RULE_PATH/protocol-icmp.rules
> include $RULE_PATH/protocol-imap.rules
> include $RULE_PATH/protocol-pop.rules
> include $RULE_PATH/protocol-services.rules
> include $RULE_PATH/protocol-voip.rules
> include $RULE_PATH/pua-adware.rules
> include $RULE_PATH/pua-other.rules
> include $RULE_PATH/pua-p2p.rules
> include $RULE_PATH/pua-toolbars.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/scada.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/server-apache.rules
> include $RULE_PATH/server-iis.rules
> include $RULE_PATH/server-mail.rules
> include $RULE_PATH/server-mssql.rules
> include $RULE_PATH/server-mysql.rules
> include $RULE_PATH/server-oracle.rules
> include $RULE_PATH/server-other.rules
> include $RULE_PATH/server-webapp.rules
> include $RULE_PATH/shellcode.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/specific-threats.rules
> include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/voip.rules
> include $RULE_PATH/web-activex.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/x11.rules
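Review bot: The rewritten include list loads only `community-rules/community.rules`; the community ruleset is a small GPL subset of the registered rules and nothing in the memo refreshes it, so coverage is limited and will go stale unless step ② is repeated on a schedule (or handed to a rule-update tool). Keep `include $RULE_PATH/local.rules` alongside it, creating the file empty if the package does not ship one, so site-specific signatures have a home. The include path also assumes the tarball unpacked into `rules/community-rules/` under the config directory; a missing include file fails Snort at startup, which is worth checking with `snort -T -c /etc/snort/snort.conf` before enabling the service.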

⑤サービス起動

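#!/usr/bin/env bash
# Step 5: validate the configuration, then start snortd and keep it enabled.
set -euo pipefail

snort_conf=${SNORT_CONF:-/etc/snort/snort.conf}

# -T parses the config and every rule include without sniffing, so a bad
# include path (e.g. a rules file that does not exist) is reported here
# instead of the service dying at startup.
snort -T -c "$snort_conf"

# CentOS 8 is systemd-based: "service snortd start" only works through the
# compatibility shim and does not enable the unit for the next boot.
# The "Starting snort:" wording in the memo's error log suggests snortd is a
# SysV init script wrapped by systemd; enable then goes through chkconfig.
systemctl start snortd
systemctl enable snortd
systemctl --no-pager status snortd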

■エラー集

snortd[90809]: Starting snort: /usr/sbin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

対応方法

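#!/usr/bin/env bash
# Workaround for: "error while loading shared libraries: libdnet.1".
#
# The snort binary was linked against a libdnet soname ("libdnet.1") that the
# CentOS 8 libdnet package does not provide (it ships libdnet.so.1.0.1), so the
# memo hand-creates the missing soname as a symlink. Prefer a libdnet package
# that provides the soname the binary wants: a hand-made link in /usr/lib64 is
# invisible to rpm and can be left dangling by a future libdnet update.
set -euo pipefail

target=/usr/lib64/libdnet.so.1.0.1
link=/usr/lib64/libdnet.1

# Confirm the binary really reports this soname as missing before touching
# the system library directory.
deps=$(ldd /usr/sbin/snort)
if [[ "$deps" != *'libdnet.1 => not found'* ]]; then
  printf 'snort does not report libdnet.1 as missing; nothing to do\n' >&2
  exit 0
fi
if [[ ! -e "$target" ]]; then
  printf 'missing %s: install the libdnet package first\n' "$target" >&2
  exit 1
fi

# Plain ln -s (no -f) on purpose: refuse to clobber an existing file at $link.
ln -s -- "$target" "$link"
# Refresh the loader cache so the new soname is picked up immediately.
ldconfig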
