Preface
Study notes on Snort.
Download dependencies
Linux
Debian
Start Snort

The options from the notes assembled into one command line:

```shell
snort -i ens33 -c /etc/snort/snort.conf -A fast -l /var/log/snort
```

- -i ens33: network interface to listen on
- -c /etc/snort/snort.conf: configuration file to load
- -A fast: alert output mode (one-line "fast" alert format)
- -l /var/log/snort: directory for log and alert output
Add custom rules
Add the include line to the configuration file
- If you use the local.rules file, no configuration change is needed: the default snort.conf already includes it.

/etc/snort/snort.conf
```
include $RULE_PATH/local.rules
```
Create the rules file
Alert by protocol
Match the ICMP protocol

/etc/snort/rules/local.rules
```
alert icmp any any -> any any (msg:"告警内容"; gid:1; sid:10000001; rev:1;)
```
Alert by port number
Match the source port of TCP traffic (replace <port> with the port number to watch)

/etc/snort/rules/local.rules
```
alert tcp any <port> -> any any (msg:"告警内容"; sid:201900001; rev:1;)
```
Alert by a fingerprint in the packet
Match the EternalBlue MS17-010 fingerprint

/etc/snort/rules/local.rules
```
# Snort 2 rule headers accept only ip/tcp/udp/icmp, so the Suricata-style "smb"
# protocol is replaced by tcp (SMB runs over TCP, normally port 445).
# Curly quotes around the content strings are replaced by straight quotes,
# which is what the rule parser requires.
# flowbits:noalert means this rule only sets the flowbit and never alerts by itself;
# drop that option, or add a second rule with flowbits:isset,ETPRO.ETERNALBLUE, to see an alert.
alert tcp any any -> $HOME_NET any (msg:"告警内容"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)
```
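The three rules above are easy to get subtly wrong in ways that only show up when `snort -T` refuses the file or when a rule silently never fires. The following linter is an added example written for these notes, not code from the Snort project; it parses each rule header, splits the options while respecting quoted strings, and reports the mistakes a hand-written local.rules most often contains: a non-Snort protocol such as `smb`, curly quotes, a sid outside the local range 1000000-1999999 (the range the Snort documentation reserves for local rules), duplicate or missing sids, and `flowbits:noalert` on a rule that is expected to alert. The sample rules embedded in the script are constructed for this example; the sid and content values mirror the ones in the notes.

```python
"""Lint a Snort 2 local.rules file before loading it with snort -c.

Added example for these notes, not code from the Snort project.
"""
import re

# Protocols accepted in a Snort 2 rule header. "smb" is a Suricata app-layer
# keyword; Snort 2 rejects it as an unknown protocol, a common copy-paste trap.
SNORT2_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
# Snort documentation reserves 1,000,000-1,999,999 for locally written rules.
LOCAL_SID_RANGE = (1_000_000, 1_999_999)

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)

# Constructed sample file for this example (not the file from the notes).
SAMPLE_RULES = """\
# constructed local.rules for this example
alert icmp any any -> any any (msg:"ICMP packet seen"; gid:1; sid:1000001; rev:1;)
alert tcp any 22 -> any any (msg:"Traffic from TCP port 22"; sid:201900001; rev:1;)
alert smb any any -> $HOME_NET any (msg:”EternalBlue probe”; flow:to_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|”; depth:16; fast_pattern; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; sid:2024220; rev:1;)
alert tcp any any -> any 80 (msg:"Duplicate sid"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"No sid at all"; rev:1;)
"""


def split_options(body):
    """Split the option body on ';' outside double quotes into (key, value) pairs."""
    items, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        items.append("".join(buf).strip())
    pairs = []
    for item in items:
        key, _, value = item.partition(":")   # flag options like fast_pattern get value ""
        pairs.append((key.strip(), value.strip()))
    return pairs


def parse_rule(line):
    """Return header fields plus an 'options' list, or None if the header is malformed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    return rule


def lint_rules(text):
    """Return [(line_no, message), ...] for every problem found in the rules text."""
    findings, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\u201c" in line or "\u201d" in line:
            findings.append((n, "curly quotes are not valid rule syntax; use straight double quotes"))
            line = line.replace("\u201c", '"').replace("\u201d", '"')
        rule = parse_rule(line)
        if rule is None:
            findings.append((n, "rule header could not be parsed"))
            continue
        if rule["proto"] not in SNORT2_PROTOCOLS:
            findings.append((n, f"protocol '{rule['proto']}' is not valid for Snort 2 (use ip/tcp/udp/icmp)"))
        opts = rule["options"]
        values = dict(opts)   # last value wins for repeated keys; fine for sid and msg
        if "msg" not in values:
            findings.append((n, "missing msg option; alerts will be hard to read"))
        sid = values.get("sid")
        if sid is None or not sid.isdigit():
            findings.append((n, "missing or non-numeric sid"))
        else:
            sid = int(sid)
            if not LOCAL_SID_RANGE[0] <= sid <= LOCAL_SID_RANGE[1]:
                findings.append((n, f"sid {sid} is outside the local range 1000000-1999999 and may collide with a distributed rule set"))
            if sid in seen_sids:
                findings.append((n, f"sid {sid} already used on line {seen_sids[sid]}"))
            else:
                seen_sids[sid] = n
        if any(k == "flowbits" and v == "noalert" for k, v in opts):
            findings.append((n, "flowbits:noalert suppresses this rule's alert; pair it with a rule that checks flowbits:isset"))
    return findings


if __name__ == "__main__":
    for line_no, message in lint_rules(SAMPLE_RULES):
        print(f"line {line_no}: {message}")
```

Run it on a real file with `lint_rules(open("/etc/snort/rules/local.rules").read())` before `snort -T -c /etc/snort/snort.conf`; the linter is deliberately stricter than Snort itself about sid ranges, because a collision with a distributed rule set is not a parse error and would otherwise go unnoticed.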
View the alert log

```shell
cat /var/log/snort/alert
```
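With `-A fast` each alert is a single line of the form `MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]`, with the Classification field present only for rules that carry a classtype. Reading that file with `cat` quickly stops scaling, so here is a small parser and summarizer as an added example for these notes, not code from the Snort project. The alert lines it contains are constructed to match that format (IPv4 addresses are assumed when splitting off the port); it counts alerts per sid and per source address, collects priority-1 alerts, and counts lines it cannot parse instead of silently skipping them.

```python
"""Parse Snort '-A fast' alert lines and summarize them.

Added example for these notes, not code from the Snort project.
"""
import re
from collections import Counter

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alert file for this example; sids mirror the rules in the notes.
SAMPLE_ALERTS = """\
05/12-14:02:31.123456  [**] [1:1000001:1] ICMP packet seen [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.1
05/12-14:02:35.654321  [**] [1:201900001:1] Traffic from TCP port 22 [**] [Priority: 0] {TCP} 192.168.1.10:22 -> 192.168.1.20:51234
05/12-14:03:02.000100  [**] [1:1000001:1] ICMP packet seen [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.1
05/12-14:03:09.777000  [**] [1:2024220:1] EternalBlue probe [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49231 -> 192.168.1.20:445
this line is not an alert
"""


def split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); ICMP alerts carry no port, so port becomes None.
    Assumes IPv4 addresses, since the split is on the last colon."""
    ip, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return endpoint, None


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if the line does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["priority"] = int(rec["priority"])
    rec["src_ip"], rec["src_port"] = split_endpoint(rec["src"])
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec["dst"])
    return rec


def summarize(text):
    """Count alerts per sid and per source IP, collect priority-1 alerts, count unparsable lines."""
    by_sid, by_src, high = Counter(), Counter(), []
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1          # surfaced rather than dropped: a format change should be noticed
            continue
        by_sid[rec["sid"]] += 1
        by_src[rec["src_ip"]] += 1
        if rec["priority"] == 1:   # Snort priority 1 is the most severe
            high.append(rec)
    return {"by_sid": by_sid, "by_src": by_src, "high_priority": high, "unparsed": unparsed}


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    print("alerts per sid:", dict(summary["by_sid"]))
    print("alerts per source:", dict(summary["by_src"]))
    for rec in summary["high_priority"]:
        print(f"priority 1: sid {rec['sid']} {rec['src_ip']} -> {rec['dst_ip']}:{rec['dst_port']} ({rec['msg']})")
    print("unparsed lines:", summary["unparsed"])
```

Point it at the real file with `summarize(open("/var/log/snort/alert").read())`; the per-sid counts show immediately which rule is noisy, and the per-source counts are the first thing to look at when one host trips several different rules.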
Done.