SNORT – Intrusion Detection System
Installing the dependencies
apt-get install gcc flex bison make libpcap-dev libdnet-dev libdumbnet-dev libpcre3-dev libghc-zlib-dev
Installing Snort by compiling the latest version
mkdir /opt/snort_src
cd /opt/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.9.0.tar.gz
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install
cd ..
tar xvfz snort-2.9.9.0.tar.gz
cd snort-2.9.9.0
./configure --enable-sourcefire && make && make install
ln -s /usr/local/bin/snort /usr/sbin/snort
Creating a dedicated user for this service
groupadd snort
useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Creating the configuration directories
mkdir -p /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
Setting the permissions on the directories
chmod -R 5775 /etc/snort
chmod -R 5775 /var/log/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules
Creating the files for the different rule lists
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules
Copying the configuration files
cp /opt/snort_src/snort-2.9.9.0/etc/*.conf* /etc/snort
cp /opt/snort_src/snort-2.9.9.0/etc/*.map /etc/snort
Downloading the rules and extracting them into the configuration directory
wget https://www.snort.org/rules/snortrules-snapshot-29110.tar.gz?oinkcode=<my_oinkcode> -O snortrules-snapshot-29110.tar.gz
wget https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=<my_oinkcode> -O snortrules-snapshot-2983.tar.gz
wget https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=<my_oinkcode> -O snortrules-snapshot-2990.tar.gz
tar -xvf snortrules-snapshot-<version>.tar.gz -C /etc/snort/
Configuring the network and the rules
vim /etc/snort/snort.conf
# Setup the network addresses you are protecting
ipvar HOME_NET <my_ip>/32
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128
Testing the configuration
snort -T -c /etc/snort/snort.conf
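Before running that test, a quick sanity check of the variables edited in the previous step saves a round trip through snort -T. The POSIX shell script below is an added example, not part of this tutorial or of the Snort project; it assumes the snort.conf layout shown above (var/ipvar definitions, an output line, and include $RULE_PATH/... lines).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a pre-flight check for
# snort.conf. It reads the var/ipvar definitions, warns when HOME_NET is still
# "any", and verifies every "include $RULE_PATH/..." line points at a real file.

# Print the value of a var/ipvar definition. Usage: snort_var <conf> <NAME>
# The last definition in the file wins, as Snort itself treats redefinitions.
snort_var() {
    awk -v name="$2" '($1 == "var" || $1 == "ipvar") && $2 == name { v = $3 } END { print v }' "$1"
}

# Check a snort.conf. Returns 0 when HOME_NET is set to something other than
# "any", RULE_PATH is a directory, an output plugin is configured and every
# include resolves; otherwise prints the problems on stderr and returns 1.
# Usage: snort_conf_check <conf>
snort_conf_check() {
    conf=$1
    rc=0
    home_net=$(snort_var "$conf" HOME_NET)
    rule_path=$(snort_var "$conf" RULE_PATH)
    if [ -z "$home_net" ] || [ "$home_net" = "any" ]; then
        echo "WARN: HOME_NET is '${home_net:-unset}'; set it to the protected addresses" >&2
        rc=1
    fi
    if [ ! -d "$rule_path" ]; then
        echo "ERROR: RULE_PATH '$rule_path' is not a directory" >&2
        rc=1
    fi
    if ! grep -q '^[[:space:]]*output[[:space:]]' "$conf"; then
        echo "WARN: no output plugin configured (e.g. unified2); alerts will not be written" >&2
        rc=1
    fi
    # Expand $RULE_PATH in include lines the way snort.conf uses it, then check the file.
    for inc in $(awk '$1 == "include" { print $2 }' "$conf"); do
        case $inc in
            '$RULE_PATH/'*) f="$rule_path/${inc#\$RULE_PATH/}" ;;
            *) f=$inc ;;
        esac
        if [ ! -f "$f" ]; then
            echo "ERROR: included rules file '$f' does not exist" >&2
            rc=1
        fi
    done
    return $rc
}

# Run against the configuration file given as first argument, if any.
if [ -n "${1:-}" ]; then
    snort_conf_check "$1"
fi
```

Run it as sh check.sh /etc/snort/snort.conf; a zero exit status means the variables and includes are consistent, after which snort -T does the full parse.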
Creating the service
vim /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i enp0s20

[Install]
WantedBy=multi-user.target
Reloading systemctl, starting Snort and checking that the service is active
systemctl daemon-reload
systemctl start snort
systemctl status snort
For munin
cd /etc/munin/plugins/
ln -s /usr/share/munin/plugins/snort_alerts snort_alerts
ln -s /usr/share/munin/plugins/snort_drop_rate snort_drop_rate
ln -s /usr/share/munin/plugins/snort_pattern_match snort_pattern_match
ln -s /usr/share/munin/plugins/snort_traffic snort_traffic
Sources
upcloud.com tutorial (in English)