# Snort IPS: afpacket and nfq


# apt-get install build-essential
# apt-get install bison flex
# apt-get install libpcap-dev
# apt-get install libpcre3-dev
# apt-get install libnet1-dev
# apt-get install zlib1g-dev
# apt-get install libnetfilter-queue-dev # daq: nfq

# curl --silent --location --output libdnet-1.12.tgz http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar xvzf libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure "CFLAGS=-fPIC -g -O2"
# make
# make install
# ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
# cd ..

# curl --silent --location --output daq-2.0.1.tar.gz https://www.snort.org/downloads/2546
# tar xvzf daq-2.0.1.tar.gz
# cd daq-2.0.1
# ./configure
# make
# make install
# cd ..

# curl --silent --location --output snort-2.9.5.3.tar.gz https://www.snort.org/downloads/2485
# tar xvzf snort-2.9.5.3.tar.gz
# cd snort-2.9.5.3
# ./configure --prefix=/usr/local/snort --enable-sourcefire
# make
# make install
# cd ..

# mkdir /var/log/snort
# groupadd snort
# useradd -g snort snort
# chown snort:snort /var/log/snort

# curl --silent --location --output snortrules-snapshot-2953.tar.gz http://www.snort.org/reg-rules/snortrules-snapshot-2953.tar.gz/<oinkcode>
# tar xvzf snortrules-snapshot-2953.tar.gz -C /usr/local/snort
# mkdir /usr/local/snort/lib/snort_dynamicrules
# cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.5.3/* /usr/local/snort/lib/snort_dynamicrules/.
# touch /usr/local/snort/rules/white_list.rules
# touch /usr/local/snort/rules/black_list.rules
# ldconfig

# vi /usr/local/snort/etc/snort.conf
---
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
+++
var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules

---
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
+++
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

# ifconfig eth0 promisc up
# ifconfig eth1 promisc up
afpacket (L2: layer-2 inline bridge between eth0 and eth1)
# vi /usr/local/snort/etc/snort.conf
+++
config daq: afpacket
config daq_mode: inline

# /usr/local/snort/bin/snort -m 027 -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -Q -i eth0:eth1 -S HOME_NET=[192.168.1.0/24]
nfq (L3: layer-3 inline via netfilter NFQUEUE)
# vi /usr/local/snort/etc/snort.conf
+++
config daq: nfq
config daq_mode: inline
config daq_var: queue=0

# iptables --append FORWARD --jump NFQUEUE --queue-num 0
(While no process is bound to queue 0 the kernel drops the queued packets, so forwarding stops whenever Snort is not running; start Snort before adding this rule, or accept that fail-closed behaviour.)
# /usr/local/snort/bin/snort -m 027 -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -Q -S HOME_NET=[192.168.1.0/24]
