Snort 使用手册2
- 格式:doc
- 大小:67.50 KB
- 文档页数:9
Snort 使用手册, 安装与配置
在 Linux 上通过 RPM 安装 Snort
RPM 表示 RPM Package Manager。(没错,这个缩写实际上是循环的。并不是很有意义,但符合事实。)RPM on Linux 是可以轻松安装的软件包,因为 RPM 支持是市面上所有 Linux 发布版的核心。从 Snort
Web 站点下载了一个 RPM 之后,只需将您下载的文件名作为参数运行 rpm 命令即可,如清单 6 所示。
清单 6. 在 Snort RPM 上调用 rpm
[bdm0509@pegasus]# rpm -ivh snort-2.8.0.2-1.RH5.i386.rpm
Preparing... ################################################ [100%]
1:snort ################################################ [100%]
与通过源代码安装 Snort 类似,您可能需要作为 root 用户登录来运行此命令,或使用 sudo 命令来作为超级用户安装 RPM。Snort 希望其二进制文件能够置于受保护的目录中,如 /usr/bin、/usr/local/bin,因此标准系统上的安装需要高于大多数普通用户账户的权限。
测试安装
在完成安装之后,您需要采取几个步骤,确保 Snort 可在系统上正常运行。一切都很简单,但在每次安装新版本的 Snort 或在新机器上安装 Snort 时都需要执行这些步骤。
运行 Snort 二进制文件
可以执行的最简单的测试就是运行 snort 命令。要开始测试,请切换到机器上的任意随机目录。但为了安全起见,请不要在 Snort 安装目录中执行此命令。您应得到类似于清单 7 所示的输出结果。
清单 7. 测试 Snort 二进制文件
[bdm0509:~] snort
,,_ -*> Snort! <*-
o" )~ Version 2.8.0.2 (Build 75)
'''' By Martin Roesch & The Snort Team: /team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Using PCRE version: 7.6 2008-01-28
USAGE: snort [-options]
Options:
-A Set alert mode: fast, full, console, test or none (alert file alerts only)
"unsock" enables UNIX socket logging (experimental).
-b Log packets in tcpdump format (much faster!)
-B Obfuscated IP addresses in alerts and packet dumps using CIDR mask
-c Use Rules File
-C Print out payloads with character data only (no hex)
-d Dump the Application Layer
-D Run Snort in background (daemon) mode
-e Display the second layer header info
-f Turn off fflush() calls after binary log writes
-F Read BPF filters from file
-g Run snort gid as group (or gid) after initialization
-G <0xid> Log Identifier (to uniquely id events for multiple snorts) -h Home network =
-H Make hash tables deterministic.
-i Listen on interface
-I Add Interface name to alert output
-k Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K Logging mode (pcap[default],ascii,none)
-l Log to directory
-L Log to this tcpdump file
-M Log messages to syslog (not alerts)
-m Set umask =
-n Exit after receiving packets
-N Turn off logging (alerts still work)
-o Change the rule testing order to Pass|Alert|Log
-O Obfuscate the logged IP addresses
-p Disable promiscuous mode sniffing
-P Set explicit snaplen of packet (default: 1514)
-q Quiet. Don't show banner and status report
-r Read and process tcpdump file
-R Include 'id' in snort_intf.pid file name
-s Log alert messages to syslog
-S Set rules file variable n equal to value v
-t
-T Test and report on the current Snort configuration
-u Run snort uid as user (or uid) after initialization
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-w Dump 802.11 management and control frames
-X Dump the raw packet data starting at the link layer
-y Include year in timestamp in the alert and log files
-Z Set the performonitor preprocessor file path and name
-? Show this information
are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
--logid <0xid> Same as -G
--perfmon-file Same as -Z
--pid-path Specify the path for the Snort PID file
--snaplen Same as -P
--help Same as -?
--version Same as -V
--alert-before-pass Process alert, drop, sdrop, or reject before pass,
default is pass before alert, drop,...
--treat-drop-as-alert Converts drop, sdrop, and reject rules into alert
rules during startup --process-all-events Process all queued events (drop, alert,...),
default stops after 1st action group
--dynamic-engine-lib Load a dynamic detection engine
--dynamic-engine-lib-dir Load all dynamic engines from directory
--dynamic-detection-lib Load a dynamic rules library
--dynamic-detection-lib-dir Load all dynamic rules libraries from
directory
--dump-dynamic-rules Creates stub rule files of all loaded rules libraries
--dynamic-preprocessor-lib Load a dynamic preprocessor library