
[ Linux ] SNORT 서버 설치

loopinger 2021. 11. 25. 18:59

1. CentOS7

 

[ SNORT 서버 ]

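# Snort 2.9.18.1 lab sensor build for CentOS 7.
#
# Run as root. Installs the build dependencies, builds DAQ 2.0.7 and Snort
# under /app, writes three flood-detection rules, starts one Snort instance
# per rule on the first non-loopback interface and then follows the shared
# log file.
#
# Optional environment variables:
#   DAQ_SHA256 / SNORT_SHA256  expected sha256 of the two tarballs (copy them
#                              from the snort.org downloads page). When unset
#                              the download is used unverified and a warning
#                              is printed.
set -euo pipefail

readonly DAQ_VERSION=2.0.7
readonly SNORT_VERSION=2.9.18.1
# The original layout stores the 2.9.18.1 tarball and tree under "2.9.18".
readonly SNORT_TREE=2.9.18
readonly INSTALL_DIR=/app/install
readonly DAQ_PREFIX=/app/dkit/daq/${DAQ_VERSION}
readonly SNORT_PREFIX=/app/tools/snort/${SNORT_TREE}
readonly RULES_DIR=/app/tools/snort/rules
readonly LOG_DIR=/var/log/snort
readonly DAQ_SHA256=${DAQ_SHA256:-}
readonly SNORT_SHA256=${SNORT_SHA256:-}

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

# Installs the EPEL repository, the Snort/DAQ build dependencies and httpd
# (the HTTP service the GET-flooding rule is exercised against).
install_packages() {
  yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  yum install -y gcc flex bison zlib zlib-devel libpcap pcre pcre-devel \
    libdnet libdnet-devel libpcap-devel tcpdump
  yum install -y luajit luajit-devel openssl openssl-devel
  yum install -y libnghttp2
  yum install -y httpd
}

# Prints the first non-loopback interface name in /sys/class/net order.
# The earlier `ls | grep -v lo` also dropped any interface whose name merely
# contained "lo"; this compares the whole name and never parses ls.
first_interface() {
  local path name
  for path in /sys/class/net/*; do
    name=${path##*/}
    [[ "$name" == lo ]] && continue
    printf '%s\n' "$name"
    return 0
  done
  return 1
}

# Prints the first global IPv4 address on interface $1 without its prefix
# length. `ip -o addr` has a fixed column layout, unlike scraping field 9 of
# `ip route`, which shifts with the route's attributes.
interface_ipv4() {
  local iface=$1 cidr
  cidr=$(ip -4 -o addr show dev "$iface" scope global | awk '{print $4; exit}')
  [[ -n "$cidr" ]] || return 1
  printf '%s\n' "${cidr%/*}"
}

# Downloads $2 to $1 and, when a sha256 is given as $3, verifies the file
# against it before it is unpacked and built.
fetch() {
  local dest=$1 url=$2 expected=$3
  wget "$url" -O "$dest"
  if [[ -z "$expected" ]]; then
    warn "no checksum given for ${dest##*/}; using the download unverified"
    return 0
  fi
  printf '%s  %s\n' "$expected" "$dest" | sha256sum -c - >/dev/null \
    || die "checksum mismatch for $dest"
}

# Builds DAQ (Data AcQuisition library), the packet-capture layer Snort uses
# (pcap-like role; see https://www.snort.org/), and installs it to $DAQ_PREFIX.
build_daq() {
  local src=/app/temp/daq/${DAQ_VERSION}
  mkdir -p "$src" "$DAQ_PREFIX"
  tar xvfz "${INSTALL_DIR}/daq-${DAQ_VERSION}.tar.gz" -C "$src" --strip-components=1
  cd "$src" || die "cannot cd to $src"
  ./configure --prefix="$DAQ_PREFIX"
  make
  make install
}

# Builds Snort against the DAQ just installed and publishes it as
# /app/tools/snort/release and /usr/bin/snort.
build_snort() {
  local src=/app/temp/snort/${SNORT_TREE}
  mkdir -p "$src" "$SNORT_PREFIX"
  tar xvfz "${INSTALL_DIR}/snort-${SNORT_TREE}.tar.gz" -C "$src" --strip-components=1
  cd "$src" || die "cannot cd to $src"
  # Kept from the original: DAQ's bin dir is put on PATH before configure,
  # presumably so configure can find DAQ's helper tools.
  export PATH=$PATH:${DAQ_PREFIX}/bin
  ./configure --enable-sourcefire \
    --with-daq-includes="${DAQ_PREFIX}/include" \
    --with-daq-libraries="${DAQ_PREFIX}/lib" \
    --prefix="$SNORT_PREFIX"
  make
  make install
  ln -Tfs "$SNORT_PREFIX" /app/tools/snort/release
  ln -Tfs /app/tools/snort/release/bin/snort /usr/bin/snort
}

# Lab-only host changes: httpd is started and the firewall and SELinux
# enforcement are switched off so the test traffic reaches httpd and the
# sensor unfiltered. Both steps weaken the host; they belong to this lab
# setup, not to a production sensor.
relax_host() {
  systemctl start httpd
  if systemctl is-active --quiet firewalld; then
    systemctl stop firewalld
  fi
  # setenforce exits non-zero when SELinux is already disabled; skip it then.
  if selinuxenabled 2>/dev/null; then
    setenforce 0
  fi
}

# Writes the three flood-detection rules. The heredoc delimiters are left
# unquoted on purpose so ${server_ip} is substituted into the rule text.
# threshold semantics: "type both, track by_dst" alerts once per interval for
# a destination once `count` matching packets arrive within `seconds`;
# "type threshold" alerts on every `count`-th matching packet per source.
write_rules() {
  local server_ip=$1
  mkdir -p "$RULES_DIR" "$LOG_DIR"

  # SYN flooding: 20+ SYNs per second to this host.
  cat <<SYN_FLOODING_RULES > "${RULES_DIR}/syn_flooding_rule.rules"
alert tcp any any -> ${server_ip} any (msg:"SYN Flooding"; flags:S; threshold:type both, track by_dst, count 20, seconds 1; sid:1000001;)
SYN_FLOODING_RULES

  # GET flooding: 50+ HTTP GET requests per second from one source.
  cat <<GET_FLOODING_RULES > "${RULES_DIR}/get_flooding_rule.rules"
alert tcp any any -> any any (msg:"Get Flooding attack"; content:"GET /"; nocase; threshold:type both, track by_src, count 50, seconds 1; sid:1000002;)
GET_FLOODING_RULES

  # UDP flooding: 5+ UDP packets per second from one source to this host.
  cat <<UDP_FLOODING_RULES > "${RULES_DIR}/udp_flooding_rule.rules"
alert udp any any -> ${server_ip} any (msg:"UDP flooding"; threshold:type threshold, track by_src, count 5, seconds 1; sid:1000003;)
UDP_FLOODING_RULES
}

# Starts one background Snort instance on interface $1 with rule file $2;
# every instance appends console alerts to the same log file.
start_sensor() {
  local iface=$1 rules=$2
  (snort -i "$iface" -q -A console -c "$rules" >> "${LOG_DIR}/snort.log") &
}

main() {
  (( EUID == 0 )) || die "must run as root"
  local iface server_ip

  install_packages

  iface=$(first_interface) || die "no non-loopback interface found"
  server_ip=$(interface_ipv4 "$iface") || die "no IPv4 address on $iface"
  # Promiscuous mode so the sensor also sees frames not addressed to it.
  # `ip link` is used instead of ifconfig, which needs the net-tools package
  # that a minimal CentOS 7 install does not ship.
  ip link set dev "$iface" promisc on

  mkdir -p "$INSTALL_DIR"
  fetch "${INSTALL_DIR}/daq-${DAQ_VERSION}.tar.gz" \
    "https://www.snort.org/downloads/snort/daq-${DAQ_VERSION}.tar.gz" "$DAQ_SHA256"
  fetch "${INSTALL_DIR}/snort-${SNORT_TREE}.tar.gz" \
    "https://www.snort.org/downloads/snort/snort-${SNORT_VERSION}.tar.gz" "$SNORT_SHA256"

  build_daq
  build_snort
  relax_host
  snort --version

  write_rules "$server_ip"
  start_sensor "$iface" "${RULES_DIR}/syn_flooding_rule.rules"
  start_sensor "$iface" "${RULES_DIR}/get_flooding_rule.rules"
  start_sensor "$iface" "${RULES_DIR}/udp_flooding_rule.rules"

  tail -f "${LOG_DIR}/snort.log"
}

main "$@"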

 

[ 클라이언트 ]

# Lab traffic generator for the detection rules configured on the Snort
# server above. Each command below produces the traffic pattern that one of
# the server-side rules (sid 1000001-1000003) is written to match, so the
# alerts can be checked in /var/log/snort/snort.log on the sensor.
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

yum install -y hping3

yum install -y slowhttptest

# Address of the lab Snort server (the SNORT_SERVER_IP detected on that host).
SNORT_SERVER_IP=192.168.108.50

# SYN Flooding Attack
# Matches sid:1000001 (TCP SYN, "type both, track by_dst", 20 per second).
hping3 ${SNORT_SERVER_IP} -S --flood

# Get Flooding Attack
# Matches sid:1000002 ("GET /" content, "type both, track by_src", 50 per second)
# against the httpd instance started on the server.
slowhttptest -c 4000 -g -o slowloris -i 10 -r 100 -t GET -x 3 -p 3 -u http://${SNORT_SERVER_IP}

# UDP Flooding Attack
# Matches sid:1000003 (UDP to the server, "type threshold, track by_src", 5 per second).
# --rand-source spreads packets over random source addresses, so the by_src
# threshold is evaluated per spoofed source rather than per client host.
hping3 ${SNORT_SERVER_IP} -2 --flood --rand-source -p 80 -d 1000