Snort 使用手册2

  • 格式:doc
  • 大小:67.50 KB
  • 文档页数:9

Snort 使用手册, 安装与配置

在 Linux 上通过 RPM 安装 Snort

RPM 表示 RPM Package Manager。(没错,这个缩写实际上是循环的。并不是很有意义,但符合事实。)RPM on Linux 是可以轻松安装的软件包,因为 RPM 支持是市面上所有 Linux 发布版的核心。从 Snort

Web 站点下载了一个 RPM 之后,只需将您下载的文件名作为参数运行 rpm 命令即可,如清单 6 所示。

清单 6. 在 Snort RPM 上调用 rpm

[bdm0509@pegasus]# rpm -ivh snort-2.8.0.2-1.RH5.i386.rpm

Preparing... ################################################ [100%]

1:snort ################################################ [100%]

与通过源代码安装 Snort 类似,您可能需要作为 root 用户登录来运行此命令,或使用 sudo 命令来作为超级用户安装 RPM。Snort 希望其二进制文件能够置于受保护的目录中,如 /usr/bin、/usr/local/bin,因此标准系统上的安装需要高于大多数普通用户账户的权限。

测试安装

在完成安装之后,您需要采取几个步骤,确保 Snort 可在系统上正常运行。一切都很简单,但在每次安装新版本的 Snort 或在新机器上安装 Snort 时都需要执行这些步骤。

运行 Snort 二进制文件

可以执行的最简单的测试就是运行 snort 命令。要开始测试,请切换到机器上的任意随机目录。但为了安全起见,请不要在 Snort 安装目录中执行此命令。您应得到类似于清单 7 所示的输出结果。

清单 7. 测试 Snort 二进制文件

[bdm0509:~] snort

,,_ -*> Snort! <*-

o" )~ Version 2.8.0.2 (Build 75)

'''' By Martin Roesch & The Snort Team: /team.html

(C) Copyright 1998-2007 Sourcefire Inc., et al.

Using PCRE version: 7.6 2008-01-28

USAGE: snort [-options]

Options:

-A Set alert mode: fast, full, console, test or none (alert file alerts only)

"unsock" enables UNIX socket logging (experimental).

-b Log packets in tcpdump format (much faster!)

-B Obfuscated IP addresses in alerts and packet dumps using CIDR mask

-c Use Rules File

-C Print out payloads with character data only (no hex)

-d Dump the Application Layer

-D Run Snort in background (daemon) mode

-e Display the second layer header info

-f Turn off fflush() calls after binary log writes

-F Read BPF filters from file

-g Run snort gid as group (or gid) after initialization

-G <0xid> Log Identifier (to uniquely id events for multiple snorts) -h Home network =

-H Make hash tables deterministic.

-i Listen on interface

-I Add Interface name to alert output

-k Checksum mode (all,noip,notcp,noudp,noicmp,none)

-K Logging mode (pcap[default],ascii,none)

-l Log to directory

-L Log to this tcpdump file

-M Log messages to syslog (not alerts)

-m Set umask =

-n Exit after receiving packets

-N Turn off logging (alerts still work)

-o Change the rule testing order to Pass|Alert|Log

-O Obfuscate the logged IP addresses

-p Disable promiscuous mode sniffing

-P Set explicit snaplen of packet (default: 1514)

-q Quiet. Don't show banner and status report

-r Read and process tcpdump file

-R Include 'id' in snort_intf.pid file name

-s Log alert messages to syslog

-S Set rules file variable n equal to value v

-t

-T Test and report on the current Snort configuration

-u Run snort uid as user (or uid) after initialization

-U Use UTC for timestamps

-v Be verbose

-V Show version number

-w Dump 802.11 management and control frames

-X Dump the raw packet data starting at the link layer

-y Include year in timestamp in the alert and log files

-Z Set the performonitor preprocessor file path and name

-? Show this information

are standard BPF options, as seen in TCPDump

Longname options and their corresponding single char version

--logid <0xid> Same as -G

--perfmon-file Same as -Z

--pid-path Specify the path for the Snort PID file

--snaplen Same as -P

--help Same as -?

--version Same as -V

--alert-before-pass Process alert, drop, sdrop, or reject before pass,

default is pass before alert, drop,...

--treat-drop-as-alert Converts drop, sdrop, and reject rules into alert

rules during startup --process-all-events Process all queued events (drop, alert,...),

default stops after 1st action group

--dynamic-engine-lib Load a dynamic detection engine

--dynamic-engine-lib-dir Load all dynamic engines from directory

--dynamic-detection-lib Load a dynamic rules library

--dynamic-detection-lib-dir Load all dynamic rules libraries from

directory

--dump-dynamic-rules Creates stub rule files of all loaded rules libraries

--dynamic-preprocessor-lib Load a dynamic preprocessor library