Snort配置筆記

1、在官網(wǎng)下載了最新版的windows平臺(tái)下的snort安裝包Snort__Installer.exe和規(guī)則文件庫(kù)snort-.tar.zip（也有需要付費(fèi)的規(guī)制庫(kù)），查閱了網(wǎng)上的資料終于把基本的安裝和IDS模式配置完成了，寫(xiě)成學(xué)習(xí)筆記以便加強(qiáng)記憶。-1、由于我本機(jī)已經(jīng)安裝了WinPcap_4_1_2.exe，可滿足當(dāng)前Snort版本對(duì)WinPcap版本的要求，所以只下載了Snort。首先安裝Snort__Installer.exe，過(guò)程比較簡(jiǎn)單，由于只是自己測(cè)試，我沒(méi)有進(jìn)行過(guò)多的設(shè)置一路Next安裝完畢，默認(rèn)路徑C:

2、Snort，最后彈出Snort has successfullly been installed.窗口，點(diǎn)擊“確定”安裝成功；之后同樣步驟完成了WinPcap_4_1_2.exe的安裝。2、配置環(huán)境變量（我感覺(jué)我不配置也可以?。?，如下圖所示：3、運(yùn)行cmd，輸入“snort -？”可以查看snort相關(guān)命令行，如下圖所示：4、導(dǎo)入規(guī)則文件庫(kù)（需網(wǎng)站注冊(cè)），解壓下載下來(lái)的snort-.tar.zip，得到四個(gè)文件夾：將文件夾下的文件復(fù)制到snort安裝目錄下對(duì)應(yīng)的文件中，我安完snort安裝目錄下沒(méi)有so_rules文件夾，就直接復(fù)制過(guò)去了。5、然后啟用ids模式，執(zhí)行以下命令：s

3、nort -dev -l c:snortlog -c c:snortetcsnort.conf這時(shí)遇到了很多問(wèn)題，主要都是由于snort.conf配置文件的錯(cuò)誤，找了一些資料及snort官網(wǎng)的論壇，終于解決了，可能有些解決的辦法不一定是很好的，不管怎樣終于可以運(yùn)行起來(lái)了。第一個(gè)錯(cuò)誤：ERROR:c:Snortetcsnort.conf(39) Unknown rule type:ipvar解決辦法：把snort.conf文件中的ipvar改為var（可能不是根本的解決辦法）解決之后重復(fù)執(zhí)行上圖的運(yùn)行命令，會(huì)彈出第二個(gè)錯(cuò)誤，以下依次類推。第二個(gè)錯(cuò)誤：ERROR: C:SnortBuildsnor

4、t-srcparser.c(5245) Could not stat dynamic module path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.解決辦法：由于snort.conf文件中默認(rèn)的配置路徑是linux環(huán)境中的相對(duì)路徑，所以在windows環(huán)境中需要改為絕對(duì)路徑：原來(lái)代碼是這樣的：# Step #4: Configure dynamic loaded libraries. # For more information, see Snort Man

5、ual, Configuring Snort - Dynamic Modules# path to dynamic preprocessor librariesdynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/# path to base preprocessor enginedynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so# path to dynamic rules librariesdynamicdetection d

6、irectory /usr/local/lib/snort_dynamicrules按照當(dāng)前目錄下的文件名稱及所在路徑改為：# Step #4: Configure dynamic loaded libraries. # For more information, see Snort Manual, Configuring Snort - Dynamic Modules# path to dynamic preprocessor libraries#dynamicpreprocessor directory C:Snortlibsnort_dynamicpreprocessordynamicp

7、reprocessor file C:Snortlibsnort_dynamicpreprocessorsf_dce2.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_dns.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_ftptelnet.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_sdf.dlldynamicpreprocessor f

8、ile C:Snortlibsnort_dynamicpreprocessorsf_smtp.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_ssh.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_ssl.dlldynamicengine C:/Snort/lib/snort_dynamicengine/sf_engine.dll# path to base preprocessor engine#dynamicengine C

9、:Snortlibsnort_dynamicenginelibsf_engine.so# path to dynamic rules libraries#dynamicdetection C:Snortlibsnort_dynamicrules第三個(gè)錯(cuò)誤：ERROR: C:Snortetcsnort.conf(255) => 'compress_depth' and 'decompress_depth' should be set to max in the default policy to enable 'unlimited_decompres

10、s'Fatal Error, Quitting.解決辦法：我把compress_depth 20480改成了65535，也不知道對(duì)不對(duì)，反正是不報(bào)錯(cuò)了？第四個(gè)錯(cuò)誤：ERROR: C:Snortetcsnort.conf(201) Unknown preprocessor: "normalize_ip4".Fatal Error, Quittig.解決辦法：把下面的都#注掉了就好了。我看技術(shù)人員回復(fù)的意思應(yīng)該是“因?yàn)樵贗DS模式不起作用，但是在windows平臺(tái)下實(shí)際起作用了”，所以注掉。# Does nothing in IDS mode#preprocessor

11、normalize_ip4#preprocessor normalize_tcp: ips ecn stream#preprocessor normalize_icmp4#preprocessor normalize_ip6#preprocessor normalize_icmp6逐個(gè)解決完上面遇到的問(wèn)題之后，再執(zhí)行以IDS模式運(yùn)行的指令時(shí)，應(yīng)該就正確進(jìn)入IDS模式了。 還需要注意的是，snort.conf文件中此處的路徑需要改為絕對(duì)路徑，這樣才能正確調(diào)用規(guī)則文件，當(dāng)有事件時(shí)才能觸發(fā)規(guī)則發(fā)生相應(yīng)動(dòng)作（我這么理解的）# Path to your rules files (this can be

12、a relative path)# Note for Windows users: You are advised to make this an absolute path,# such as: c:snortrulesvar RULE_PATH ./rules var SO_RULE_PATH ./so_rulesvar PREPROC_RULE_PATH ./preproc_rules 改為var RULE_PATH c:Snortrulesvar SO_RULE_PATH c:Snortso_rulesvar PREPROC_RULE_PATH c:Snortpreproc_rules 很有幫助的參考資料：另外，修改snort.conf最后幾