SNORT – Intrusion Detection System


Installing the dependencies

apt-get update
apt-get install gcc flex bison make libpcap-dev libdumbnet-dev libpcre3-dev zlib1g-dev

On Debian/Ubuntu the libdnet library that Snort links against is packaged as libdumbnet-dev (libdnet-dev is the DECnet library, which is not what the build wants), and the zlib headers come from zlib1g-dev (libghc-zlib-dev is the Haskell binding).

Installing Snort by compiling the latest version

mkdir /opt/snort_src
cd /opt/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.9.0.tar.gz

tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install

cd ..
tar xvfz snort-2.9.9.0.tar.gz
cd snort-2.9.9.0
./configure --enable-sourcefire && make && make install
ldconfig

ln -s /usr/local/bin/snort /usr/sbin/snort
snort -V

ldconfig refreshes the shared-library cache so that the freshly installed libraries under /usr/local/lib are found; snort -V confirms the binary runs and prints the version and the DAQ it was built against.

Creating a dedicated user for the service

groupadd snort
useradd snort -r -s /usr/sbin/nologin -c SNORT_IDS -g snort

The account is a system account (-r) with no login shell, used only to drop privileges with -u snort -g snort once Snort has opened the capture interface.

Creating the configuration directories

mkdir -p /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules

Setting the permissions on the directories

chown -R snort:snort /etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules
chmod -R 2750 /etc/snort /usr/local/lib/snort_dynamicrules
chmod -R 2750 /var/log/snort

The daemon only needs to read /etc/snort and the dynamic rules and to write /var/log/snort as snort:snort, so 2750 (setgid so new files keep the snort group, no access for other users) is sufficient; a setuid bit on a directory is ignored by Linux, and there is no reason to leave alert logs world-readable.

Creating the files for the different rule lists

touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules

Copying the configuration files

cp /opt/snort_src/snort-2.9.9.0/etc/*.conf* /etc/snort
cp /opt/snort_src/snort-2.9.9.0/etc/*.map /etc/snort

Downloading the rules and extracting them into the configuration directory

# The snapshot number must match the installed Snort version: 2990 for the
# 2.9.9.0 built above (2983 and 29110 are the 2.9.8.3 and 2.9.11.0 snapshots).
# Quote the URL so the shell does not interpret the "?" or the placeholder.
wget "https://www.snort.org/rules/snortrules-snapshot-29110.tar.gz?oinkcode=<your_oinkcode>" -O snortrules-snapshot-29110.tar.gz
wget "https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=<your_oinkcode>" -O snortrules-snapshot-2983.tar.gz
wget "https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=<your_oinkcode>" -O snortrules-snapshot-2990.tar.gz
tar -xvf snortrules-snapshot-<version>.tar.gz -C /etc/snort/
chown -R snort:snort /etc/snort

The oinkcode is a personal credential tied to your snort.org account; treat it like a password (it ends up in shell history and proxy logs if pasted on the command line). The tarball unpacks rules/, so_rules/, preproc_rules/ and etc/ under /etc/snort as root, hence the chown afterwards.

Configuring the network and the rules

vim /etc/snort/snort.conf

# Setup the network addresses you are protecting
ipvar HOME_NET <your_ip>/32
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128

Testing the configuration

snort -T -c /etc/snort/snort.conf

Run the test with the same -u snort -g snort and -i <interface> options that the service will use, so that permission problems on the rule files, the log directory or the interface show up here rather than at the first start of the daemon.
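snort -T only proves that the configuration parses; a practitioner also wants proof that a rule fires end to end through this install. The following script is an added example, not part of the original page or of the Snort project. It crafts one ICMP echo request towards HOME_NET with valid IP and ICMP checksums (Snort's default checksum_mode silently skips packets whose checksums are wrong), writes it to a pcap, appends a test rule with sid 1000001 to local.rules, replays the pcap through the installed snort.conf with snort -r -A console, and exits non-zero if the alert is not printed. The paths /etc/snort/snort.conf and /etc/snort/rules/local.rules match the steps above; the addresses 192.0.2.10 (standing in for <your_ip> in snort.conf) and 198.51.100.7 are constructed test values.

```python
"""Smoke test for a fresh Snort 2.9.x install (added example, not from the page).

Builds a one-packet pcap that must match a local rule, replays it through the
installed snort.conf with `snort -r`, and checks that the alert is emitted.
Assumed values: config at /etc/snort/snort.conf, local rules at
/etc/snort/rules/local.rules, HOME_NET set to 192.0.2.10/32.
"""
import shutil
import struct
import subprocess
import sys
import tempfile

SNORT_CONF = "/etc/snort/snort.conf"          # assumed, as in the install steps
LOCAL_RULES = "/etc/snort/rules/local.rules"  # assumed, as in the install steps
HOME_IP = "192.0.2.10"                        # assumed stand-in for <your_ip>
PROBE_IP = "198.51.100.7"                     # constructed source address
TEST_SID = 1000001                            # local rules use sid >= 1000000
TEST_RULE = ('alert icmp any any -> $HOME_NET any '
             f'(msg:"LOCAL ICMP echo request test"; itype:8; sid:{TEST_SID}; rev:1;)')


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src_ip: str, dst_ip: str, payload: bytes = b"snort-test") -> bytes:
    """Ethernet/IPv4/ICMP echo-request frame with correct checksums."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")   # dst MAC, src MAC, IPv4
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload  # type 8, code 0, id, seq
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto 1 (ICMP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xBEEF, 0, 64, 1, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + icmp


def build_pcap(frames) -> bytes:
    """Classic little-endian pcap (magic a1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def ensure_rule(rules_path: str, rule: str) -> bool:
    """Append the rule to local.rules unless it is already present; True if added."""
    with open(rules_path, "a+") as fh:
        fh.seek(0)
        if rule in fh.read():
            return False
        fh.write(rule + "\n")
        return True


def alert_fired(snort_output: str, sid: int) -> bool:
    """`-A console` prints alerts as '[**] [gid:sid:rev] msg [**] ...'."""
    return f"[1:{sid}:" in snort_output


def replay(snort_bin: str, conf: str, pcap_path: str, logdir: str) -> str:
    """Run the installed Snort over the pcap and return its stdout (the alerts)."""
    proc = subprocess.run(
        [snort_bin, "-q", "-c", conf, "-r", pcap_path, "-A", "console", "-l", logdir],
        capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    snort_bin = shutil.which("snort")
    if snort_bin is None:
        sys.exit("snort not found in PATH")
    ensure_rule(LOCAL_RULES, TEST_RULE)
    with tempfile.TemporaryDirectory() as tmp:
        pcap_path = f"{tmp}/probe.pcap"
        with open(pcap_path, "wb") as fh:
            fh.write(build_pcap([build_icmp_echo(PROBE_IP, HOME_IP)]))
        out = replay(snort_bin, SNORT_CONF, pcap_path, tmp)
        print(out.strip() or "(no alert output from snort)")
        sys.exit(0 if alert_fired(out, TEST_SID) else 1)
```

Run it as root or as the snort user: it has to read snort.conf and append to local.rules. Reading a pcap with -r needs neither a live interface nor capture privileges, but Snort still loads the whole configuration, so -l points the unified2 output from snort.conf at a temporary directory. Leave the sid 1000001 rule in local.rules as a canary, or remove it once the check has passed.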

Creating the service

vim /etc/systemd/system/snort.service

[Unit]
Description=Snort NIDS Daemon
After=network.target

[Service]
Type=simple
# replace enp0s20 with the interface to monitor (see: ip link)
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i enp0s20 -l /var/log/snort
Restart=on-failure

[Install]
WantedBy=multi-user.target

Locally written units belong in /etc/systemd/system (/lib/systemd/system is for units shipped by packages), and syslog.target no longer exists on current systemd versions, so only network.target is ordered before Snort.

Reloading systemd's unit files, enabling Snort at boot, starting it and checking that the service is active

systemctl daemon-reload
systemctl enable snort
systemctl start snort
systemctl status snort

For munin

cd /etc/munin/plugins/
ln -s /usr/share/munin/plugins/snort_alerts snort_alerts
ln -s /usr/share/munin/plugins/snort_drop_rate snort_drop_rate
ln -s /usr/share/munin/plugins/snort_pattern_match snort_pattern_match
ln -s /usr/share/munin/plugins/snort_traffic snort_traffic
systemctl restart munin-node

These plugins read the statistics file written by Snort's perfmonitor preprocessor, so it has to be enabled in snort.conf (for example: preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000) before the graphs show anything.

Sources

Official documentation

upcloud.com tutorial (in English)