IDS といえば snort ─ ITNAVI.net

The Oinkmaster Snort rules updaterからOinkmasterを取得する。
2003/12/01現在 oinkmaster-0.9.tar.gz が最新。

$ tar xvzf oinkmaster-0.8.tar.gz
$ cd oinkmaster-0.8
$ su
# mkdir /usr/local/oinkmaster
# cp oinkmaster.pl oinkmaster.conf /usr/local/oinkmaster

すでに使用しているルールファイルのバックアップ用ディレクトリを作成しておく。

# mkdir /usr/local/snort/backup
# chown -R snort.snort /usr/local/snort/backup
# chmod 770 /usr/local/snort/backup

次に、oinkmaster ユーザを作成し、snort グループに属するようにする。パーミッションも設定しなおしておく。

# su -
# useradd -g snort -d /usr/local/oinkmaster oinkmaster
# chown -R oinkmaster.snort /usr/local/oinkmaster
# chmod -R 770 /usr/local/snort

次に、oinkmaster のテストを行う。
oinkmaster.pl は、-C で conf ファイルの場所を指定する。

# mkdir /tmp/snort
# chown -R snort.snort /tmp/snort
# chmod 770 /tmp/snort
# cd /usr/local/oinkmaster
# su oinkmaster
$ ./oinkmaster.pl -o /tmp/snort -C /usr/local/oinkmaster/oinkmaster.conf
Downloading rules archive from http://www.snort.org/dl/rules/snortrules-stable.tar.gz...
13:04:57 URL:http://www.snort.org/dl/rules/snortrules-stable.tar.gz [112609/112609] -> "/tmp/oinkmaster.5429/snortrules.tar.gz" [1]
Archive successfully downloaded, unpacking... done.
Disabling rules... 5 out of 2039 rules disabled.
Setting up rules structures... done.
Comparing new files to the old ones... done.

[***] Results from Oinkmaster started Fri Oct 31 13:04:59 2003 [***]

[*] Rules modifications: [*]
    None.

[*] Non-rule line modifications: [*]
    None.

[+] Added files (consider updating your snort.conf to include them): [+]

    -> attack-responses.rules
    -> backdoor.rules
    -> bad-traffic.rules
    -> chat.rules
    -> classification.config
    -> ddos.rules
    -> deleted.rules
    -> dns.rules
    -> dos.rules
    -> experimental.rules
    -> exploit.rules
    -> finger.rules
    -> ftp.rules
    -> gen-msg.map
    -> icmp-info.rules
    -> icmp.rules
    -> imap.rules
    -> info.rules
    -> misc.rules
    -> multimedia.rules
    -> mysql.rules
    -> netbios.rules
    -> nntp.rules
    -> oracle.rules
    -> other-ids.rules
    -> p2p.rules
    -> policy.rules
    -> pop2.rules
    -> pop3.rules
    -> porn.rules
    -> reference.config
    -> rpc.rules
    -> rservices.rules
    -> scan.rules
    -> shellcode.rules
    -> sid-msg.map
    -> smtp.rules
    -> snmp.rules
    -> sql.rules
    -> telnet.rules
    -> tftp.rules
    -> virus.rules
    -> web-attacks.rules
    -> web-cgi.rules
    -> web-client.rules
    -> web-coldfusion.rules
    -> web-frontpage.rules
    -> web-iis.rules
    -> web-misc.rules
    -> web-php.rules
    -> x11.rules

$ cd /tmp/snort
$ ls
attack-responses.rules  info.rules        shellcode.rules
backdoor.rules          misc.rules        sid-msg.map
bad-traffic.rules       multimedia.rules  smtp.rules
chat.rules              mysql.rules       snmp.rules
classification.config   netbios.rules     sql.rules
ddos.rules              nntp.rules        telnet.rules
deleted.rules           oracle.rules      tftp.rules
dns.rules               other-ids.rules   virus.rules
dos.rules               p2p.rules         web-attacks.rules
experimental.rules      policy.rules      web-cgi.rules
exploit.rules           pop2.rules        web-client.rules
finger.rules            pop3.rules        web-coldfusion.rules
ftp.rules               porn.rules        web-frontpage.rules
gen-msg.map             reference.config  web-iis.rules
icmp-info.rules         rpc.rules         web-misc.rules
icmp.rules              rservices.rules   web-php.rules
imap.rules              scan.rules        x11.rules
$ exit

テストの結果、問題無いようなら実際のルールセットを更新してみる。
-b オプションで作成しておいたバックアップ用ディレクトリにバックアップを作成できる。

# chown -R snort.snort /usr/local/snort
# chmod 770 /usr/local/snort
# cd /usr/local/oinkmaster
# su oinkmaster
$ ./oinkmaster.pl -o /usr/local/snort -b /usr/local/snort/backup -C /usr/local/oinkmaster/oinkmaster.conf

$ ls /usr/local/snort/backup
rules-backup-20031031-1308.tar.gz

アップデートの際にコメントにしておいたルールが戻ってしまうのを防ぐために、更新不要なルールのsidを、oinkmaster.confに記述しておこう。

$ cat /usr/local/oinkmaster/oinkmaster.conf
# $Id: oinkmaster.conf,v 1.73 2003/09/02 19:40:29 andreaso Exp $ #


################################################
#    General options you may want to change    #
################################################

# URL to the rules archive to download (or copy).
# Must begin with http://, ftp:// or file:// and end with .tar.gz

# Use this one if you're running the latest release version of Snort
# (or following snort-STABLE):
url = http://www.snort.org/dl/rules/snortrules-stable.tar.gz

# Use this one *only* if you're following snort-CURRENT.
# This ruleset usually only works with recent develop versions of Snort!
# url = http://www.snort.org/dl/rules/snortrules-current.tar.gz

# Or if you prefer to download the rules archive from outside Oinkmaster,
# you can then point to the file on your local filesystem by using
# file://, for example:
# url = file:///tmp/snortrules.tar.gz


# The PATH to use during execution.
# 'tar' and 'gzip' must be found, and also 'wget' if fetching rules
# from a remote host (all with optional .exe suffix).
# Assume UNIX style by default:
path = /bin:/usr/bin:/usr/local/bin

# Example if running native Win32 or standalone Cygwin:
# path = c:\oinkmaster;c:\oinkmaster\bin

# Example if running standalone Cygwin and you prefer Cygwin style path:
# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin


# Temporary directory to use. This directory must exist when starting
# (Oinkmaster will then create a temporary sub directory in here).
# Keep it as a #comment if you want to use the default.
# The default will be checked for in the environment variables TMP,
# TMPDIR or TEMPDIR, or otherwise "/tmp" if none of them was set.

# Example for UNIX:
# tmpdir = /home/oinkmaster/tmp/

# Example if running native Win32 or Cygwin:
# tmpdir = c:\tmp

# Example if running Cygwin and you prefer Cygwin style path:
# tmpdir = /cygdrive/c/tmp


# The umask to use during execution if want it to be something else
# than the current value when starting Oinkmaster
# (keep it commented out to use the current value).
# For example:
# umask = 0027


# Files in the archive matching this regexp will be checked
# for changes, and then updated or added if needed.
# (You can then choose to skip individual files by specifying
# the "skipfile" keyword below".)
# Normally you shouldn't need to change this one.
# (But if you do, make sure it's still a valid regexp.)
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$


# If the number of rules files in the downloaded archive matching the
# 'update_files' regexp is below min_files, or if the total number
# of rules in it is below min_rules, the archive is regarded as
# broken and the update is aborted with an error message.
# Both are set to 1 by default (i.e. the archive is only regarded as
# broken if it's totally empty).
# min_files = 1
# min_rules = 1



#######################################################################
# Files to totally skip (i.e. never update them or check for changes) #
#                                                                     #
# Syntax: skipfile filename                                           #
# or:     skipfile filename1, filename2, filename3, ...               #
#######################################################################

# Ignore (skip) "local.rules" from the rules archive by default, since we might
# have put some local rules in our own "local.rules", and we don't want
# it to get overwritten by the empty one from the archive after each update.
skipfile local.rules

# Also skip snort.conf from the rules archive by default since we don't
# want to overwrite our own snort.conf if we have it in the same directory as
# the rules. (If you have your own ("real") snort.conf in another directory, it
# may be really nice to check for changes in this file though, especially since
# new variables are sometimes added!)
skipfile snort.conf

# The file deleted.rules contains rules that have been deleted from other files.
# There is usually no point in watching it, but it may sometimes contain useful
# comments about *why* certain rules are deleted.
# Remove the comment to skip this file.
# skipfile deleted.rules



##########################################################################
# SIDs to modify after each update (only for the skilled/stupid/brave).  #
# Don't use it unless you have to. There is nothing that stops you from  #
# modifying rules in such ways that they become invalid.                 #
# If you just want to disable SIDs, please skip this section and have a  #
# look at the "disablesid" keyword below.                                #
#                                                                        #
# You may specify several modifysid directives for the same SID, and     #
# you may also specify a list of SIDs on which the substitution should   #
# be applied. Note that #comments are NOT allowed on "modifysid" lines.  #
#                                                                        #
# Syntax: modifysid SID "replacethis" | "withthis"                       #
# or:                                                                    #
# Syntax: modifysid SID1, SID2, SID3, ... "replacethis" | "withthis"     #
#                                                                        #
# The strings within the quotes will simply be passed to a               #
# s/replacethis/withthis/ statement in Perl, so they must be valid       #
# regular expressions.                                                   #
#                                                                        #
##########################################################################

# Example to enable a rule (in this case SID 1325) that is disabled by
# default, by simply replacing "#alert" with "alert".
# modifysid 1325 "#alert" | "alert"

# But since it's actually regexps, it's better to make sure we only replace
# the "#alert" if it's at the beginning of the line and also don't care about
# possible whitespaces.
# modifysid 1325 "^\s*#\s*alert" | "alert"

# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"

# Example to make SID 1378 a 'drop' rule (valid if you're running Snort_inline).
# modifysid 1378 "^\s*alert" | "drop"

# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET in SID 302.
# Remember that the strings are regular expressions, so you must
# escape special characters like $.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can also specify that a substitution should apply on several SIDs.
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can take advantage of the fact that it's regular expressions and
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
# statement to SID 1324.
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | "$1 replace:"\/foo\/sh";"



#############################################
# SIDs to comment out after each update     #
#                                           #
# Syntax:  disablesid SID                   #
# or:      disablesid SID1, SID2, SID3, ... #
#############################################

# You can specify one SID per line:
# disablesid 1
# disablesid 2
# disablesid 3

# And also as comma-separated lists:
# disablesid 4,5,6

更新不要なルールは disablesid にsidを記述する。1行1sidの書き方とカンマで区切って1行複数sidの書き方ができる。
更新したくないルールセットファイルは、skipfile に記述する。デフォルトでは local.rules,snort.conf(oinkmaster0.6では sid-msg.mapも) が記述されている。自分で作成したシグネーチャーは、local.rules に書くとよいだろう。

アップデートをせずに不要な sid をルールセットに反映させるには、-r オプションを使う。

$ cd ~
$ ./oinkmaster.pl -o /usr/local/snort -r

まず、libpcapが必要なのでインストールされていない場合は、Index of -releaseからlibpcapを取得する。

$ tar xvzf libpcap-0.7.1.tar.gz
$ cd libpcap-0.7.1
$ ./configure
$ make
$ su
# make install

FLEXRESPを使用するので、Libnet をインストールする。
Latest Stable Version である 1.1.0 を使用すると、Snort の configure に失敗した。

checking for libnet version 1.0.2a... ./configure: libnet-config: command not found
no


**********************************************
  ERROR: unable to find libnet 1.0.2a (libnet.h)
  checked in the following places
**********************************************

そのため、Libnetは 1.0.2 をダウンロードした。

$ wget http://www.packetfactory.net/libnet/dist/deprecated/libnet-1.0.2a.tar.gz
$ tar xvzf libnet-1.0.2a.tar.gz
$ cd Libnet-1.0.2a
$ ./configure
$ make
$ su
# make install
# exit
$ cd..

Snort.orgからsnortのソースを取得する。

$ wget http://www.snort.org/dl/snort-2.0.0.tar.gz
$ tar xvzf snort-2.0.0.tar.gz
$ cd snort-2.0.0
$ ./configure --enable-flexresp --with-postgresql=/usr/local/pgsql
$ make
$ su
# make install

# mkdir /usr/local/snort
# cp etc/snort.conf /usr/local/snort
# cp etc/classification.config /usr/local/snort
# cp etc/reference.config /usr/local/snort
# cp etc/*.map /usr/local/snort
# cp etc/sid /usr/local/snort
# cp rules/*.rules /usr/local/snort/
# cp -R contrib /usr/local/snort/
# cd /usr/local/snort/
# vi snort.conf

監視対象とするネットワークを指定する。
#var HOME_NET any
var HOME_NET 192.168.1.0/24

外部ネットワークの指定。
#var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET

DNSサーバの指定。
#var DNS_SERVERS $HOME_NET
var DNS_SERVERS 192.168.1.1
あとで更新プログラムoinkmasterを使うので、あえてルールファイルはフラットに配置した。
# Path to your rules files (this can be a relative path)
#var RULE_PATH ../rules
var RULE_PATH ./

# mkdir /var/log/snort

とりあえずフォアグラウンドで試してみる。

# /usr/local/bin/snort -i eth0 -c /usr/local/snort/snort.conf

snortユーザで動作させるために、snortユーザを作成する。

# useradd snort -s /bin/false
# chown -R snort:snort /var/log/snort
# chown -R snort.snort /usr/local/snort
# chmod -R 770 /usr/local/snort
# /usr/local/bin/snort -i eth0 -Dde -h 192.168.0.1/32 -u snort -g snort -l /var/log/snort \
 -c /usr/local/snort/snort.conf

-h で自ホストのIPアドレスを指定します。

ここから先は、ルールセット(*.rules)や設定ファイル(snort.conf)の整理を行い、検出する必要が無いシグネチャーを削除します。
特定のホストや特定のサービスを無視したい場合には、passアクションを使うと便利です。例えば下記のように記述します。
pass tcp 172.16.0.0/16 any > 192.168.0.1 80
有効にするためには、-o を付けて snort を起動して下さい。

今回はACIDを使用するため、下記の記述を snort.conf に追加する。
output database: log, postgresql, user=snort dbname=snort

ここから先はPostgreSQLがインストール済みであることが前提になります。
PostgreSQLのDBを作成します。

# su - postgres
$ createuser snort
Shall the new user be allowed to create databases? (y/n) n
Shall the new user be allowed to create more new users? (y/n) n
CREATE USER

$ cd /usr/local/snort/contrib
$ createdb snort
CREATE DATABASE
$ psql -f create_postgresql snort snort
$ exit

ACIDに必要なライブラリを用意します。
◆PHP Everywhere: ADOdb Database Library for PHP: Create Portable DB Apps
http://php.weblogs.com/adodb
ACIDを用意します。
◆Analysis Console for Intrusion Databases (ACID)
http://acidlab.sourceforge.net/

# cd /usr/local/
# wget http://phplens.com/lens/dl/adodb340.tgz
# tar xvzf adodb340.tgz
# wget http://ftp1.sourceforge.net/phplot/phplot-4.4.6.tar.gz
# tar xvzf phplot-4.4.6.tar.gz
# ln -s phplot-4.4.6 phplot
# cd /usr/local/apache/htdocs/
# wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
# tar xvzf acid-0.9.6b23.tar.gz

ACID の設定ファイル acid_conf.php の該当項目を編集します。
# vi /usr/local/apache/htdocs/acid/acid_conf.php

$DBtype = "postgres";

$DBlib_path = "/usr/local/adodb";
$ChartLib_path = "/usr/local/phplot";

$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "";

RedHat用に起動スクリプト(/etc/rc.d/init.d/snortd)を作成します。

#!/bin/sh
#
# Startup script for the Snort IDS
#
# chkconfig: 345 91 35
# description: Snort IDS system.
# processname: snort
# pidfile: /var/run/snort_eth0.pid


# Source function library.
. /etc/rc.d/init.d/functions

SERVER="/usr/local/bin/snort"
ARGS="-i eth0 -Ddeo -u snort -g snort -l /var/log/snort -c /usr/local/snort/snort.conf"

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        daemon "$SERVER $ARGS"
        echo
        touch /var/lock/subsys/snort
        ;;
  stop)
        echo -n "Shutting down snort: "
        killproc snort
        echo
        rm -f /var/lock/subsys/snort
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
esac

exit 0

# chkconfig --add snortd
# /etc/rc.d/init.d/snortd start

/usr/local/bin/snort: error while loading shared libraries: libpq.so.2:
 cannot open shared object file: No such file or directory

snort起動時に上記のエラーが発生するなら、/etc/ld.so.confを編集し下記の行(PostgreSQLのライブラリ)を追加します。

/usr/local/pgsql/lib

その後で、ld.so を更新します。

# /sbin/ldconfig

ACID のトップページにアクセスします。http://あなたのサーバ.com/acid/acid_main.php 初回アクセス時には、テーブルを作成するボタンが表示されますので、それを押します。画面1 画面2

snortでネットワークを監視する(2.0.0 with ACID & FLEXRESP)

snortでネットワークを監視する(1.9.0)

SnortSnarfでログを読む

Oinkmasterでルールセットの更新を自動化する