snort安装使用教程（CentOS6.5）

官网：https://www.snort.org/

官方文档：https://www.snort.org/documents

2.安装

2.1安装依赖

yum install flex bison -y
yum install libpcap libpcap-devel -y

wget https://nchc.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
tar -zxf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure && make && make install

如果不安装这些依赖，在后边执行configure时会有报错

2.2安装daq

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -zxf daq-2.0..tar.gz
cd daq-2.0.
./configure
make
make install

configure报错：configure: error: Your operating system's lex is insufficient to compile libsfbpf. You should install both bison and flex.

处理：yum install flex bison -y

configure报错： ERROR!  Libpcap library version >= 1.0.0 not found.

处理： yum install libpcap libpcap-devel -y

2.3安装snort

wget https://www.snort.org/downloads/snort/snort-2.9.11.tar.gz
tar -zxf snort-2.9..tar.gz
cd snort-2.9.
./configure --enable-sourcefire
make
make install

configure报错：ERROR!  dnet header not found, go get it from

处理： wget https://nchc.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz

tar -zxf libdnet-1.11.tar.gz

cd libdnet-1.11

./configure && make && make install

2.4安装规则

# 首先创建snort配置（及规则）目录
mkdir -p /etc/snort/rules
# 创建运行需要目录
mkdir /usr/local/lib/snort_dynamicrules

# 首先将2.3解压出来的etc下的默认配置文件复制到snort配置目录下
cp etc/*.conf* /etc/snort
cp etc/*.map /etc/snort

# 下载社区规则并解压到规则目录
wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -zxf community-rules.tar.gz -C /etc/snort/rules

# 注释掉所有默认要加载的规则文件
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

# 启用社区规则文件
echo '' >> /etc/snort/snort.conf
echo '# enable community rule' >> /etc/snort/snort.conf
echo 'include $RULE_PATH/community-rules/community.rules' >> /etc/snort/snort.conf

# 重新设置snort.conf中的变量值
sed -i 's/var RULE_PATH ..\/rules/var RULE_PATH .\/rules/' /etc/snort/snort.conf
sed -i 's/var WHITE_LIST_PATH ..\/rules/var WHITE_LIST_PATH .\/rules/' /etc/snort/snort.conf
sed -i 's/var BLACK_LIST_PATH ..\/rules/var BLACK_LIST_PATH .\/rules/' /etc/snort/snort.conf

# 创建默认使用的白名单文件
touch /etc/snort/rules/white_list.rules
# 创建默认的黑名单文件
touch /etc/snort/rules/black_list.rules
# 创建默认自己设置的规则文件，其实我们注意了其他include只include了社区规则，所以这条根本没用这里只是意思一下
touch /etc/snort/rules/local.rules

# 测试配置文件是否有误
snort -T -c /etc/snort/snort.conf

3.使用

snort有三种用法：嗅探模式、记录模式和网络入侵检测模式。

3.1嗅探模式

snort -v

该模式打印通信的双方IP及协议头部，类似tcpdump

3.2记录模式

mkdir log
snort -dev -l ./log

该模式将截获的数据包记入文件（此处是当前log目录下），重点是-l

3.3网络入侵检测模式

mkdir log
snort -dev -l ./log -h 192.168.1.0/ -c /etc/snort/snort.conf

该模式将会按指定的规则扫描通信数据包

报错：ERROR: /etc/snort/rules/community-rules/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.

处理：mkdir -p /usr/local/lib/snort_dynamicrules

报错：ERROR: /etc/snort/classification.config(0) Unable to open rules file "/etc/snort/classification.config": No such file or directory.

处理：将上边2.3解压出的snort包中的etc/classification.config复制到/etc/snort/classification.config

参考：

http://blog.csdn.net/jackywgw/article/details/51693108

https://upcloud.com/community/tutorials/install-snort-ubuntu/