Snort notes 1 ----- a brief introduction to the 3 modes

    Technology  2022-05-20

    Snort notes: 2011-04-18

     

    Link to a Chinese Snort manual (a rather old one):

    http://man.chinaunix.net/network/snort/Snortman.htm。

    I. Basic operations:

    1 Configuration file location: /etc/snort

    2 Run: ./snort (requires root privileges) [this is after cd-ing into /usr/sbin; from any other directory you can give the full path instead]

    [Supplement: on Linux, to run an executable that sits in the current directory you must prefix it with ./ (./program-name); with a full path the dot is not needed. For example, here the full path points at snort: /usr/sbin/snort -vde and so on; ./ means relative to the current directory]

    3 Disable start at boot: http://blog.csdn.net/jo_say/archive/2011/03/08/6232952.aspx

    snort is enabled by default in runlevels 2345; chkconfig --level 2345 snort off turns it off. (For chkconfig usage see: http://blog.csdn.net/jo_say/archive/2011/04/18/6330466.aspx)

    (As described online, the on/off switch by default only applies to runlevels 345, while reset applies to all runlevels; but I just turned 2 off as well, and that seemed to be fine too.)

    II. The three modes:

    1 Sniffer (snort reads packets off the network and displays them on the console)

    2 Packet logger (records the packets to disk)

    3 NIDS (the most complex and configurable mode: it lets snort match traffic against user-defined rule sets and take certain actions depending on the detection results)

    III. Hands-on:

    Sniffer mode:

    1. ./snort -v 

    After starting, snort displays:

    [1] the mode

    [2] initialization of the output plugins

    [3] the snort version and copyright information

    [4] the packets, printed to the console

    ****************************************************************************************************************************

    root@helloworld:/# ./usr/sbin/snort -v

    Running in packet dump mode        <- [1] the mode

            --== Initializing Snort ==--

    Initializing Output Plugins!

    ***

    *** interface device lookup found: eth0

    ***

    Initializing Network Interface eth0

    Decoding Ethernet on interface eth0

            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-

      o"  )~   Version 2.8.5.2 (Build 121)  

       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team

               Copyright (C) 1998-2009 Sourcefire, Inc., et al.

               Using PCRE version: 8.02 2010-03-19

    Not Using PCAP_FRAMES    // why does this appear? See http://blog.csdn.net/jo_say/archive/2011/04/18/6331819.aspx

    // the packet below was sent by an external host to another host on the LAN

    04/18-16:32:10.267583 118.239.104.219:1119 -> 172.26.75.118:10118

    UDP TTL:52 TOS:0x0 ID:5308 IpLen:20 DgmLen:68

    Len: 40

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    // the packet below was sent by this machine to port 80 of CSDN

    04/18-16:32:10.609564 172.26.75.115:39112 -> 211.100.26.77:80

    TCP TTL:64 TOS:0x0 ID:12047 IpLen:20 DgmLen:40 DF

    ***A***F Seq: 0xD2B01068  Ack: 0xCA0FABA  Win: 0x8E  TcpLen: 20

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    04/18-16:32:10.609645 172.26.75.115:39068 -> 211.100.26.77:80

    TCP TTL:64 TOS:0x0 ID:61231 IpLen:20 DgmLen:40 DF

    ***A***F Seq: 0x9969190B  Ack: 0x8879377  Win: 0xD0  TcpLen: 20

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    **********************************************************************************

    2 By default only the packet headers are shown. To display the application-layer content of the packets as well, add the -d parameter:

    The result looks like this (two packets excerpted):

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    04/18-18:26:52.610961 172.26.75.115:34474 -> 211.100.26.77:80

    TCP TTL:64 TOS:0x0 ID:2855 IpLen:20 DgmLen:536 DF

    ***AP*** Seq: 0x296C9AB4  Ack: 0xA891280A  Win: 0x5C  TcpLen: 20

    32 61 35 31 33 63 64 62 32 37 63 31 39 39 30 66  2a513cdb27c1990f

    37 33 63 65 61 37 32 34 30 61 3B 20 5F 5F 6D 65  73cea7240a; __me

    73 73 61 67 65 5F 73 79 73 5F 6D 73 67 5F 69 64  ssage_sys_msg_id

    3D 39 35 36 3B 20 41 53 50 2E 4E 45 54 5F 53 65  =956; ASP.NET_Se

    73 73 69 6F 6E 49 64 3D 79 78 77 78 30 72 79 6D  ssionId=yxwx0rym

    74 73 75 6E 35 30 34 35 30 72 61 75 6E 30 6D 69  tsun50450raun0mi

    3B 20 54 65 73 74 43 6F 6F 6B 69 65 3D 34 2F 31  ; TestCookie=4/1

    38 2F 32 30 31 31 20 35 3A 34 37 3A 34 39 20 50  8/2011 5:47:49 P

    4D 3B 20 5F 5F 6D 65 73 73 61 67 65 5F 67 75 5F  M; __message_gu_

    6D 73 67 5F 69 64 3D 30 3B 20 5F 5F 6D 65 73 73  msg_id=0; __mess

    61 67 65 5F 63 6E 65 6C 5F 6D 73 67 5F 69 64 3D  age_cnel_msg_id=

    30 3B 20 5F 5F 6D 65 73 73 61 67 65 5F 69 6E 5F  0; __message_in_

    73 63 68 6F 6F 6C 3D 30 3B 20 43 53 44 4E 42 6C  school=0; Bl

    6F 67 42 6C 6F 67 49 64 3D 31 37 36 30 36 32 3B  ogBlogId=176062;

    20 75 63 68 6F 6D 65 5F 73 79 6E 66 72 69 65 6E   uchome_synfrien

    64 3D 31 3B 20 2E 44 6F 74 74 65 78 74 43 6F 6F  d=1; .DottextCoo

    6B 69 65 3D 32 35 44 41 32 43 37 33 41 46 44 37  kie=25DA2C73AFD7

    35 30 31 31 32 43 39 46 46 30 38 32 36 46 41 30  50112C9FF0826FA0

    39 30 32 38 36 36 30 36 35 30 30 44 37 33 46 32  90286606500D73F2

    44 31 45 44 42 42 44 37 35 35 39 44 32 42 43 34  D1EDBBD7559D2BC4

    33 42 37 46 44 34 30 46 37 35 43 38 45 32 41 30  3B7FD40F75C8E2A0

    32 38 38 44 30 43 33 45 36 34 34 45 38 46 35 36  288D0C3E644E8F56

    32 31 43 33 35 43 31 31 38 42 34 34 30 42 31 46  21C35C118B440B1F

    44 37 31 30 44 37 38 34 43 46 45 31 35 34 30 33  D710D784CFE15403

    44 46 35 37 41 42 44 43 36 42 34 33 41 44 31 31  DF57ABDC6B43AD11

    32 46 33 35 43 36 39 45 43 33 32 44 44 41 44 34  2F35C69EC32DDAD4

    30 41 39 38 38 45 45 31 37 43 38 46 30 36 46 34  0A988EE17C8F06F4

    42 42 34 31 30 46 41 31 44 30 31 46 34 44 46 37  BB410FA1D01F4DF7

    37 37 32 37 44 44 42 33 41 35 36 33 45 42 41 42  7727DDB3A563EBAB

    41 37 37 44 38 34 32 37 38 41 45 44 46 42 37 46  A77D84278AEDFB7F

    42 42 42 30 42 46 42 35 39 38 32 30 0D 0A 0D 0A  BBB0BFB59820....

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

     

    04/18-18:26:52.738985 211.100.26.77:80 -> 172.26.75.115:34474

    TCP TTL:47 TOS:0x0 ID:42094 IpLen:20 DgmLen:269 DF

    ***AP*** Seq: 0xA891280A  Ack: 0x296CD8AC  Win: 0x56  TcpLen: 20

    48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.

    0A 53 65 72 76 65 72 3A 20 6E 67 69 6E 78 2F 30  .Server: nginx/0

    2E 37 2E 36 38 0D 0A 44 61 74 65 3A 20 4D 6F 6E  .7.68..Date: Mon

    2C 20 31 38 20 41 70 72 20 32 30 31 31 20 31 30  , 18 Apr 2011 10

    3A 32 36 3A 35 30 20 47 4D 54 0D 0A 43 6F 6E 6E  :26:50 GMT..Conn

    65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69  ection: keep-ali

    76 65 0D 0A 58 2D 55 41 2D 43 6F 6D 70 61 74 69  ve..X-UA-Compati

    62 6C 65 3A 20 49 45 3D 45 6D 75 6C 61 74 65 49  ble: IE=EmulateI

    45 37 0D 0A 58 2D 50 6F 77 65 72 65 64 2D 42 79  E7..X-Powered-By

    3A 20 41 53 50 2E 4E 45 54 0D 0A 58 2D 41 73 70  : ASP.NET..X-Asp

    4E 65 74 2D 56 65 72 73 69 6F 6E 3A 20 32 2E 30  Net-Version: 2.0

    2E 35 30 37 32 37 0D 0A 43 61 63 68 65 2D 43 6F  .50727..Cache-Co

    6E 74 72 6F 6C 3A 20 70 72 69 76 61 74 65 0D 0A  ntrol: private..

    43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20  Content-Length: 

    30 0D 0A 0D 0A                                   0....

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
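Turning the dump format above into something machine-checkable: the parser below is an added example of mine (not from the original post or from Snort) that reads records in the console format shown here, recovers the payload bytes from the hex column, and checks that their length matches what DgmLen, IpLen and TcpLen imply. Its input is a constructed string copied from two of the records above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, copied from the -v / -vd console output above: one header-only
# UDP record and the HTTP 200 response record together with its hex dump.
SAMPLE = """\
04/18-16:32:10.267583 118.239.104.219:1119 -> 172.26.75.118:10118
UDP TTL:52 TOS:0x0 ID:5308 IpLen:20 DgmLen:68
Len: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
04/18-18:26:52.738985 211.100.26.77:80 -> 172.26.75.115:34474
TCP TTL:47 TOS:0x0 ID:42094 IpLen:20 DgmLen:269 DF
***AP*** Seq: 0xA891280A  Ack: 0x296CD8AC  Win: 0x56  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 53 65 72 76 65 72 3A 20 6E 67 69 6E 78 2F 30  .Server: nginx/0
2E 37 2E 36 38 0D 0A 44 61 74 65 3A 20 4D 6F 6E  .7.68..Date: Mon
2C 20 31 38 20 41 70 72 20 32 30 31 31 20 31 30  , 18 Apr 2011 10
3A 32 36 3A 35 30 20 47 4D 54 0D 0A 43 6F 6E 6E  :26:50 GMT..Conn
65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69  ection: keep-ali
76 65 0D 0A 58 2D 55 41 2D 43 6F 6D 70 61 74 69  ve..X-UA-Compati
62 6C 65 3A 20 49 45 3D 45 6D 75 6C 61 74 65 49  ble: IE=EmulateI
45 37 0D 0A 58 2D 50 6F 77 65 72 65 64 2D 42 79  E7..X-Powered-By
3A 20 41 53 50 2E 4E 45 54 0D 0A 58 2D 41 73 70  : ASP.NET..X-Asp
4E 65 74 2D 56 65 72 73 69 6F 6E 3A 20 32 2E 30  Net-Version: 2.0
2E 35 30 37 32 37 0D 0A 43 61 63 68 65 2D 43 6F  .50727..Cache-Co
6E 74 72 6F 6C 3A 20 70 72 69 76 61 74 65 0D 0A  ntrol: private..
43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20  Content-Length:
30 0D 0A 0D 0A                                   0....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"""

HDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")
IP_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)(.*)$")
TCP_RE = re.compile(r"^([*A-Z0-9]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+Win: 0x[0-9A-Fa-f]+\s+TcpLen: (\d+)$")
UDP_RE = re.compile(r"^Len: (\d+)$")
HEX_RE = re.compile(r"^[0-9A-F]{2}( [0-9A-F]{2}){0,15} *$")   # the 48-char hex column of a dump line


@dataclass
class Record:
    timestamp: str
    proto: str
    src: str
    sport: Optional[int]      # None for ICMP
    dst: str
    dport: Optional[int]
    ip_len: int
    dgm_len: int
    ip_flags: str             # e.g. "DF"
    tcp_flags: str = ""       # e.g. "***AP***"
    seq: int = 0
    ack: int = 0
    tcp_len: int = 0
    udp_len: Optional[int] = None   # Snort's "Len:" line is the UDP payload length
    payload: bytes = b""

    def expected_payload_len(self) -> Optional[int]:
        if self.proto == "TCP":   # None for ICMP, which has no length line
            return self.dgm_len - self.ip_len - self.tcp_len
        return self.udp_len if self.proto == "UDP" else None

    def payload_consistent(self) -> bool:
        # A header-only record (-v without -d) carries no dump and is trivially consistent.
        return not self.payload or len(self.payload) == self.expected_payload_len()


def _parse_one(lines: List[str]) -> Record:
    if len(lines) < 2 or not (hdr := HDR_RE.match(lines[0])) or not (ip := IP_RE.match(lines[1])):
        raise ValueError("not a Snort packet record: " + " / ".join(lines[:2]))
    ts, src, sport, dst, dport = hdr.groups()
    proto, ip_len, dgm_len, rest = ip.groups()
    rec = Record(ts, proto, src, int(sport) if sport else None, dst, int(dport) if dport else None,
                 int(ip_len), int(dgm_len), rest.strip())
    payload = bytearray()
    for line in lines[2:]:
        if (t := TCP_RE.match(line)):
            rec.tcp_flags, rec.tcp_len = t.group(1), int(t.group(4))
            rec.seq, rec.ack = int(t.group(2), 16), int(t.group(3), 16)
        elif (u := UDP_RE.match(line)):
            rec.udp_len = int(u.group(1))
        elif HEX_RE.match(line[:48]):    # dump line: 16 "XX " columns, then the ASCII view
            payload += bytes.fromhex(line[:48])
    rec.payload = bytes(payload)
    return rec


def parse_records(text: str) -> List[Record]:
    """Split console output at the =+=+ separator lines and parse every record."""
    records = []
    for chunk in re.split(r"^=\+=\+.*$", text, flags=re.M):   # a trailing record without a separator still parses
        lines = [l.rstrip() for l in chunk.splitlines() if l.strip()]
        if lines:
            records.append(_parse_one(lines))
    return records
```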

    Packet logger mode

    1 Write the logs into the directory ./log. Command: ./snort -vde -l ./log

    Note: 1) the ./log directory (/usr/sbin/log) has to be created by you, with its permissions changed so that snort can write into it; 2) do not omit the -l parameter, which specifies where the log is written; 3) what you pass is a directory, not a file.

    After running, the system produces the following in the log directory:

    **********

    root@helloworld:/usr/sbin/log# ls

    snort.log.1303126222

    **********

     

    To log only the local network, add the -h parameter. For example:

    ./snort -vde -l ./log -h 192.168.1.0/24

    This command tells snort to record the data-link, TCP/IP and application-layer data of every packet entering the class C network 192.168.1 into the directory ./log.

     

    Binary mode:

    ./snort -l ./log -b 

     

     

    [ Going by the manual, binary mode and normal mode should differ in how the log files are named, but when I tested it myself I did not get that effect; the log file names produced are all of one kind, e.g.:

    *************************************************

    root@helloworld:/usr/sbin# ls ./log

     

    snort.log.1303126222  snort.log.1303128331  snort.log.1303128351  snort.log.1303129241

    *******************************

     

    2 Reading back the content of the log files written:

    [Binary files are written in the format used by the tcpdump program, so they can be read with tcpdump and ethereal; of course snort can read them too, using the -r parameter:

    root@helloworld:/usr/sbin# ./snort -v -r ./log/snort.log.1303126222 

    This prints the same data to the console as in sniffer mode.

    (I don't know why, but all the logs I obtained above are binary; did I set something wrong somewhere?? And they can all be read with snort -r.]

    If you only want to read the ICMP packets, append an icmp argument at the end:

    ./snort -v -r ./log/snort.log.1303126222 icmp
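An added example (mine, not from the post or from Snort) for the binary logs discussed here: a minimal reader for the tcpdump/pcap format that snort -b writes. Checking the four magic bytes is the quickest way to settle whether a snort.log.* file is binary or ASCII, and the protocol selector does what appending icmp to snort -r does. The log file is constructed inside the script: the TCP SYN values (ports 47156 -> 80, Seq 0x872FBE2, Win 0x16D0) come from the NIDS run below, while the MAC addresses, ICMP contents and timestamps are made up.

```python
import socket
import struct
from typing import List, Optional, Tuple

PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}   # microsecond pcap, little/big endian
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 for a header whose checksum field is correct."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def make_frame(proto: int, payload: bytes, src: str = "172.26.75.115", dst: str = "211.100.26.77") -> bytes:
    """Constructed Ethernet + IPv4 frame (zeroed MACs) carrying `payload` with IP protocol `proto`."""
    eth = bytes(12) + b"\x08\x00"                          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    return eth + ip + payload


def make_pcap(frames: List[bytes], endian: str = "<") -> bytes:
    """Wrap frames in a pcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1303126222 + i, 0, len(frame), len(frame)) + frame
    return out


def is_pcap(data: bytes) -> bool:
    """The binary snort.log.* files start with the pcap magic; an ASCII log never does."""
    return data[:4] in PCAP_MAGIC


def read_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Return (timestamp, frame) per record; a record cut off at end of file is dropped, not raised."""
    if not is_pcap(data):
        raise ValueError("not a pcap/tcpdump file")
    endian, off, frames = PCAP_MAGIC[data[:4]], 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break   # truncated record, e.g. snort was killed mid-write
        frames.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return frames


def ip_protocol(frame: bytes) -> Optional[int]:
    """IPv4 protocol number of an Ethernet frame, or None for non-IPv4 or too-short frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return frame[23]   # 14-byte Ethernet header + offset 9 in the IP header


def ip_header_ok(frame: bytes) -> bool:
    """Recompute the IPv4 header checksum (IHL assumed 5, as in the constructed frames)."""
    return ip_protocol(frame) is not None and ip_checksum(frame[14:34]) == 0


def select_protocol(frames: List[Tuple[float, bytes]], name: str) -> List[Tuple[float, bytes]]:
    """The equivalent of appending icmp (or tcp / udp) to `snort -r file`."""
    return [f for f in frames if ip_protocol(f[1]) == IP_PROTO[name]]


# Constructed log: two ICMP echo requests around one TCP SYN (SYN fields from the NIDS output below).
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"snort"
TCP_SYN = struct.pack("!HHIIBBHHH", 47156, 80, 0x872FBE2, 0, 5 << 4, 0x02, 0x16D0, 0, 0)
SAMPLE_LOG = make_pcap([make_frame(1, ICMP_ECHO),
                        make_frame(6, TCP_SYN, "172.26.75.115", "183.62.125.17"),
                        make_frame(1, ICMP_ECHO)])
```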

     

     

    Network intrusion detection mode (NIDS)

    This is snort's real job.

    Command: -c specifies the location of the rule set file

     

    ./snort -v -l  ./log -c /etc/snort/snort.conf 

     

    The complete run output is given below for analysis:

     

    *******************************************************************************************

     

    Running in IDS mode    [shows the current mode]

     

            --== Initializing Snort ==--

    Initializing Output Plugins!

    Initializing Preprocessors!

    Initializing Plug-ins!

    Parsing Rules file "/etc/snort/snort.conf"

    PortVar 'HTTP_PORTS' defined :  [ 80 ]

    PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]

    PortVar 'ORACLE_PORTS' defined :  [ 1521 ]

    PortVar 'FTP_PORTS' defined :  [ 21 ]

    Tagged Packet Limit: 256

    Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done

    Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...

      Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done

      Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done

      Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done

      Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done

      Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done

      Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done

      Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done

      Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done

      Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/

    Log directory = ./log

    Frag3 global config:

        Max frags: 65536

        Fragment memory cap: 4194304 bytes

    Frag3 engine config:

        Target-based policy: FIRST

        Fragment timeout: 60 seconds

        Fragment min_ttl:   1

        Fragment Problems: 1

        Overlap Limit:     10

        Min fragment Length:     0

    Stream5 global config:

        Track TCP sessions: ACTIVE

        Max TCP sessions: 8192

        Memcap (for reassembly packet storage): 8388608

        Track UDP sessions: INACTIVE

        Track ICMP sessions: INACTIVE

        Log info if session memory consumption exceeds 1048576

    Stream5 TCP Policy config:

        Reassembly Policy: FIRST

        Timeout: 30 seconds

        Min ttl:  1

        Maximum number of bytes to queue per session: 1048576

        Maximum number of segs to queue per session: 2621

        Reassembly Ports:

          21 client (Footprint) 

          23 client (Footprint) 

          25 client (Footprint) 

          42 client (Footprint) 

          53 client (Footprint) 

          80 client (Footprint) 

          110 client (Footprint) 

          111 client (Footprint) 

          135 client (Footprint) 

          136 client (Footprint) 

          137 client (Footprint) 

          139 client (Footprint) 

          143 client (Footprint) 

          445 client (Footprint) 

          513 client (Footprint) 

          514 client (Footprint) 

          1433 client (Footprint) 

          1521 client (Footprint) 

          2401 client (Footprint) 

          3306 client (Footprint) 

    HttpInspect Config:

        GLOBAL CONFIG

          Max Pipeline Requests:    0

          Inspection Type:          STATELESS

          Detect Proxy Usage:       NO

          IIS Unicode Map Filename: /etc/snort/unicode.map

          IIS Unicode Map Codepage: 1252

        DEFAULT SERVER CONFIG:

          Server profile: All

          Ports: 80 8080 8180 

          Server Flow Depth: 300

          Client Flow Depth: 300

          Max Chunk Length: 500000

          Max Header Field Length: 0

          Max Number Header Fields: 0

          Inspect Pipeline Requests: YES

          URI Discovery Strict Mode: NO

          Allow Proxy Usage: NO

          Disable Alerting: NO

          Oversize Dir Length: 500

          Only inspect URI: NO

          Normalize HTTP Headers: NO

          Normalize HTTP Cookies: NO

          Ascii: YES alert: NO

          Double Decoding: YES alert: YES

          %U Encoding: YES alert: YES

          Bare Byte: YES alert: YES

          Base36: OFF

          UTF 8: OFF

          IIS Unicode: YES alert: YES

          Multiple Slash: YES alert: NO

          IIS Backslash: YES alert: NO

          Directory Traversal: YES alert: NO

          Web Root Traversal: YES alert: YES

          Apache WhiteSpace: YES alert: NO

          IIS Delimiter: YES alert: NO

          IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

          Non-RFC Compliant Characters: NONE

          Whitespace Characters: 0x09 0x0b 0x0c 0x0d 

    rpc_decode arguments:

        Ports to decode RPC on: 111 32771 

        alert_fragments: INACTIVE

        alert_large_fragments: ACTIVE

        alert_incomplete: ACTIVE

        alert_multiple_requests: ACTIVE

    Portscan Detection Config:

        Detect Protocols:  TCP UDP ICMP IP

        Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan

        Sensitivity Level: Low

        Memcap (in bytes): 10000000

        Number of Nodes:   36900

    FTPTelnet Config:

        GLOBAL CONFIG

          Inspection Type: stateful

          Check for Encrypted Traffic: YES alert: YES

          Continue to check encrypted data: NO

        TELNET CONFIG:

          Ports: 23 

          Are You There Threshold: 200

          Normalize: YES

          Detect Anomalies: NO

        FTP CONFIG:

          FTP Server: default

            Ports: 21 

            Check for Telnet Cmds: YES alert: YES

            Ignore Telnet Cmd Operations: OFF

            Identify open data channels: YES

          FTP Client: default

            Check for Bounce Attacks: YES alert: YES

            Check for Telnet Cmds: YES alert: YES

            Ignore Telnet Cmd Operations: OFF

            Max Response Length: 256

    SMTP Config:

        Ports: 25 587 691 

        Inspection Type: Stateful

        Normalize: EXPN RCPT VRFY 

        Ignore Data: No

        Ignore TLS Data: No

        Ignore SMTP Alerts: No

        Max Command Line Length: Unlimited

        Max Specific Command Line Length: 

           ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260 

           RCPT:300 VRFY:255 

        Max Header Line Length: Unlimited

        Max Response Line Length: Unlimited

        X-Link2State Alert: Yes

        Drop on X-Link2State Alert: No

        Alert on commands: None

    SSH config: 

        Autodetection: DISABLED

        Challenge-Response Overflow Alert: ENABLED

        SSH1 CRC32 Alert: ENABLED

        Server Version String Overflow Alert: ENABLED

        Protocol Mismatch Alert: ENABLED

        Bad Message Direction Alert: DISABLED

        Bad Payload Size Alert: DISABLED

        Unrecognized Version Alert: DISABLED

        Max Encrypted Packets: 20  

        Max Server Version String Length: 80 (Default) 

        MaxClientBytes: 19600 (Default) 

        Ports:

    22

    DCE/RPC 2 Preprocessor Configuration

      Global Configuration

        DCE/RPC Defragmentation: Enabled

        Memcap: 102400 KB

        Events: none

      Server Default Configuration

        Policy: WinXP

        Detect ports

          SMB: 139 445 

          TCP: 135 

          UDP: 135 

          RPC over HTTP server: 593 

          RPC over HTTP proxy: None

        Autodetect ports

          SMB: None

          TCP: 1025-65535 

          UDP: 1025-65535 

          RPC over HTTP server: 1025-65535 

          RPC over HTTP proxy: None

        Maximum SMB command chaining: 3 commands

    DNS config: 

        DNS Client rdata txt Overflow Alert: ACTIVE

        Obsolete DNS RR Types Alert: INACTIVE

        Experimental DNS RR Types Alert: INACTIVE

        Ports: 53

    SSLPP config:

        Encrypted packets: not inspected

        Ports:

          443      465      563      636      989

          992      993      994      995

        Server side data is trusted

     

    +++++++++++++++++++++++++++++++++++++++++++++++++++

    Initializing rule chains...

    Warning: /etc/snort/rules/dos.rules(42) => threshold (in rule) is deprecated; use detection_filter instead.

    3382 Snort rules read

        3382 detection rules

        0 decoder rules

        0 preprocessor rules

    3382 Option Chains linked into 282 Chain Headers

    0 Dynamic rules

    +++++++++++++++++++++++++++++++++++++++++++++++++++

     

    +-------------------[Rule Port Counts]---------------------------------------

    |             tcp     udp    icmp      ip

    |     src     121      19       0       0

    |     dst    2922     130       0       0

    |     any     115      53      56      27

    |      nc      31      10      15      20

    |     s+d      12       6       0       0

    +----------------------------------------------------------------------------

     

    +-----------------------[detection-filter-config]------------------------------

    | memory-cap : 1048576 bytes

    +-----------------------[detection-filter-rules]-------------------------------

    | none

    -------------------------------------------------------------------------------

     

    +-----------------------[rate-filter-config]-----------------------------------

    | memory-cap : 1048576 bytes

    +-----------------------[rate-filter-rules]------------------------------------

    | none

    -------------------------------------------------------------------------------

     

    +-----------------------[event-filter-config]----------------------------------

    | memory-cap : 1048576 bytes

    +-----------------------[event-filter-global]----------------------------------

    | none

    +-----------------------[event-filter-local]-----------------------------------

    | gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60 

    | gen-id=1      sig-id=100000162  type=Both      tracking=src count=100 seconds=60 

    | gen-id=1      sig-id=100000159  type=Both      tracking=src count=100 seconds=60 

    | gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60 

    | gen-id=1      sig-id=100000310  type=Limit     tracking=src count=1   seconds=360

    | gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2  

    | gen-id=1      sig-id=100000923  type=Threshold tracking=dst count=200 seconds=60 

    | gen-id=1      sig-id=100000311  type=Limit     tracking=src count=1   seconds=360

    | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60 

    | gen-id=1      sig-id=100000161  type=Both      tracking=dst count=100 seconds=60 

    | gen-id=1      sig-id=100000158  type=Both      tracking=src count=100 seconds=60 

    | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60 

    | gen-id=1      sig-id=100000163  type=Both      tracking=src count=100 seconds=60 

    | gen-id=1      sig-id=100000160  type=Both      tracking=src count=300 seconds=60 

    | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10 

    | gen-id=1      sig-id=100000312  type=Limit     tracking=src count=1   seconds=360

    | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60 

    | gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60 

    | gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2  

    +-----------------------[suppression]------------------------------------------

    | none

    -------------------------------------------------------------------------------

    Rule application order: activation->dynamic->pass->drop->alert->log

    Verifying Preprocessor Configurations!

    Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.

    Warning: flowbits key 'realplayer.playlist' is checked but not ever set.

    Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.

    Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.

    37 out of 512 flowbits in use.

    ***

    *** interface device lookup found: eth0

    ***

    Initializing Network Interface eth0

    Decoding Ethernet on interface eth0

    Node unique name is: 172.26.75.115

    database: compiled support for (mysql)

    database: configured to use mysql

    database: schema version = 107

    database:           host = localhost

    database:           user = snort

    database:  database name = snort

    database:    sensor name = 172.26.75.115

    database:      sensor id = 1

    database:  data encoding = hex

    database:   detail level = full

    database:     ignore_bpf = no

    database: using the "log" facility

     

    [ Port Based Pattern Matching Memory ]

    +-[AC-BNFA Search Info Summary]------------------------------

    | Instances        : 241

    | Patterns         : 22049

    | Pattern Chars    : 207222

    | Num States       : 137800

    | Num Match States : 18343

    | Memory           :   3.51Mbytes

    |   Patterns       :   0.70M

    |   Match Lists    :   0.96M

    |   Transitions    :   1.79M

    +-------------------------------------------------

     

            --== Initialization Complete ==--

     

       ,,_     -*> Snort! <*-

      o"  )~   Version 2.8.5.2 (Build 121)  

       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team

               Copyright (C) 1998-2009 Sourcefire, Inc., et al.

               Using PCRE version: 8.02 2010-03-19

     

               Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>

               Preprocessor Object: SF_SSH  Version 1.1  <Build 2>

               Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>

               Preprocessor Object: SF_DNS  Version 1.1  <Build 3>

               Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>

               Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>

               Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>

               Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>

               Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>

    Using PCAP_FRAMES = max

    04/18-20:56:55.568511 183.62.125.17:80 -> 172.26.75.115:47155

    TCP TTL:50 TOS:0x0 ID:32178 IpLen:20 DgmLen:339 DF

    ***AP*** Seq: 0x8EE60060  Ack: 0xFEFE1836  Win: 0xB3  TcpLen: 32

    TCP Options (3) => NOP NOP TS: 113936275 10677776 

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

     

    04/18-20:56:55.568535 172.26.75.115:47155 -> 183.62.125.17:80

    TCP TTL:64 TOS:0x0 ID:65460 IpLen:20 DgmLen:52 DF

    ***A**** Seq: 0xFEFE1836  Ack: 0x8EE6017F  Win: 0x6C  TcpLen: 32

    TCP Options (3) => NOP NOP TS: 10680277 113936275 

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

     

    04/18-20:56:55.568541 183.62.125.17:80 -> 172.26.75.115:47155

    TCP TTL:50 TOS:0x0 ID:32179 IpLen:20 DgmLen:52 DF

    ***A***F Seq: 0x8EE6017F  Ack: 0xFEFE1836  Win: 0xB3  TcpLen: 32

    TCP Options (3) => NOP NOP TS: 113936275 10677776 

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

     

    04/18-20:56:55.568704 172.26.75.115:47155 -> 183.62.125.17:80

    TCP TTL:64 TOS:0x0 ID:65461 IpLen:20 DgmLen:52 DF

    ***A***F Seq: 0xFEFE1836  Ack: 0x8EE60180  Win: 0x6C  TcpLen: 32

    TCP Options (3) => NOP NOP TS: 10680277 113936275 

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

     

    04/18-20:56:55.583144 183.62.125.17:80 -> 172.26.75.115:47155

    TCP TTL:50 TOS:0x0 ID:32180 IpLen:20 DgmLen:52 DF

    ***A**** Seq: 0x8EE60180  Ack: 0xFEFE1837  Win: 0xB3  TcpLen: 32

    TCP Options (3) => NOP NOP TS: 113936278 10680277 

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

     

    04/18-20:56:55.625244 172.26.75.115:47156 -> 183.62.125.17:80

    TCP TTL:64 TOS:0x0 ID:3078 IpLen:20 DgmLen:60 DF

    ******S* Seq: 0x872FBE2  Ack: 0x0  Win: 0x16D0  TcpLen: 40

    TCP Options (5) => MSS: 1460 SackOK TS: 10680292 0 NOP WS: 6 

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

     

    04/18-20:56:55.639822 183.62.125.17:80 -> 172.26.75.115:47156

    TCP TTL:50 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF

    ***A**S* Seq: 0x8F5BBE8D  Ack: 0x872FBE3  Win: 0x1650  TcpLen: 40

    TCP Options (5) => MSS: 1440 SackOK TS: 113932525 10680292 NOP WS: 6 

    *** Caught Int-Signal

    Run time prior to being shutdown was 1.310378 seconds

    database: Closing connection to database "snort"

    ===============================================================================

    Packet Wire Totals:

       Received:           11

       Analyzed:           11 (100.000%)

        Dropped:            0 (0.000%)

    Outstanding:            0 (0.000%)

    ===============================================================================

    Breakdown by protocol (includes rebuilt packets):

          ETH: 11         (100.000%)

      ETHdisc: 0          (0.000%)

         VLAN: 0          (0.000%)

         IPV6: 0          (0.000%)

      IP6 EXT: 0          (0.000%)

      IP6opts: 0          (0.000%)

      IP6disc: 0          (0.000%)

          IP4: 11         (100.000%)

      IP4disc: 0          (0.000%)

        TCP 6: 0          (0.000%)

        UDP 6: 0          (0.000%)

        ICMP6: 0          (0.000%)

      ICMP-IP: 0          (0.000%)

          TCP: 11         (100.000%)

          UDP: 0          (0.000%)

         ICMP: 0          (0.000%)

      TCPdisc: 0          (0.000%)

      UDPdisc: 0          (0.000%)

      ICMPdis: 0          (0.000%)

         FRAG: 0          (0.000%)

       FRAG 6: 0          (0.000%)

          ARP: 0          (0.000%)

        EAPOL: 0          (0.000%)

      ETHLOOP: 0          (0.000%)

          IPX: 0          (0.000%)

        OTHER: 0          (0.000%)

      DISCARD: 0          (0.000%)

    InvChkSum: 6          (54.545%)

       S5 G 1: 0          (0.000%)

       S5 G 2: 0          (0.000%)

        Total: 11        

    ===============================================================================

    Action Stats:

    ALERTS: 0

    LOGGED: 0

    PASSED: 0

    ===============================================================================

    Frag3 statistics:

            Total Fragments: 0

          Frags Reassembled: 0

                   Discards: 0

              Memory Faults: 0

                   Timeouts: 0

                   Overlaps: 0

                  Anomalies: 0

                     Alerts: 0

                      Drops: 0

         FragTrackers Added: 0

        FragTrackers Dumped: 0

    FragTrackers Auto Freed: 0

        Frag Nodes Inserted: 0

         Frag Nodes Deleted: 0

    ===============================================================================

    Stream5 statistics:

                Total sessions: 2

                  TCP sessions: 2

                  UDP sessions: 0

                 ICMP sessions: 0

                    TCP Prunes: 0

                    UDP Prunes: 0

                   ICMP Prunes: 0

    TCP StreamTrackers Created: 2

    TCP StreamTrackers Deleted: 2

                  TCP Timeouts: 0

                  TCP Overlaps: 0

           TCP Segments Queued: 0

         TCP Segments Released: 0

           TCP Rebuilt Packets: 0

             TCP Segments Used: 0

                  TCP Discards: 1

          UDP Sessions Created: 0

          UDP Sessions Deleted: 0

                  UDP Timeouts: 0

                  UDP Discards: 0

                        Events: 0

               Internal Events: 0

               TCP Port Filter

                       Dropped: 0

                     Inspected: 0

                       Tracked: 5

               UDP Port Filter

                       Dropped: 0

                     Inspected: 0

                       Tracked: 0

    ===============================================================================

    HTTP Inspect - encodings (Note: stream-reassembled packets included):

        POST methods:                   0         

        GET methods:                    0         

        Headers extracted:              0         

        Header Cookies extracted:       0         

        Post parameters extracted:      0         

        Unicode:                        0         

        Double unicode:                 0         

        Non-ASCII representable:        0         

        Base 36:                        0         

        Directory traversals:           0         

        Extra slashes ("//"):           0         

        Self-referencing paths ("./"):  0         

        Total packets processed:        1         

    ===============================================================================

    dcerpc2 Preprocessor Statistics

      Total sessions: 0

    ===============================================================================

    ===============================================================================

    Snort exiting

    *****************************************************************************************************end copy.

     

     

    Although nothing was detected above and no alert was produced, the output roughly describes snort's workflow in NIDS mode:

    1) Initialization: load all rules into snort's memory and tally the objects the rules filter on.

    2) Start detection, with the alert mode set: since no attack source has been constructed yet, nothing can be detected for now and no alert can be produced, so this step was not tested]

    [copied from the manual]

    **************************************

    In NIDS mode there are many ways to configure snort's output. By default, snort logs in ASCII format and uses the full alert mechanism. With the full alert mechanism, snort prints the alert message after the packet header. If you do not need to log packets, you can use the -N option.

        snort has 6 alert mechanisms: full, fast, socket, syslog, smb (winpopup) and none. Four of them can be selected on the command line with the -A option. These 4 are:

    -A fast: the alert record contains a timestamp, the alert message, and the source/destination IP addresses and ports.

    -A full: the default alert mode.

    -A unsock: sends alerts to a UNIX socket; a program must be listening on it, which allows real-time alerting.

    -A none: switches alerting off.

        With the -s option snort sends alert messages to syslog; the defaults are LOG_AUTHPRIV and LOG_ALERT. This can be changed by editing the snort.conf file.

        snort can also use the SMB alert mechanism, which sends alert messages to Windows hosts through SAMBA. To use it, the --enable-smbalerts option must be given when running the ./configure script. Below are some output configuration examples:

        Use the default logging method (decoded ASCII format) and send alerts to syslog:

        ./snort -c snort.conf -l ./log -s -h 192.168.1.0/24

        Use the binary log format and the SMB alert mechanism:

       ./snort -c snort.conf -b -M WORKSTATIONS

    ****************************************
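Back to the event-filter-local table in the NIDS startup output above. The simulation below is an added example (mine, not Snort's code) of what those rows do once alerts start flowing: it parses three of the rows and applies the limit, threshold and both semantics, as Snort's manual describes them, to a constructed burst of events. The sig-id 424242 and the 10.0.0.x addresses are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Three rows copied from the event-filter-local table in the NIDS startup output above.
TABLE = """\
| gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=100000310  type=Limit     tracking=src count=1   seconds=360
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2
"""
ROW_RE = re.compile(r"gen-id=(\d+)\s+sig-id=(\d+)\s+type=(\w+)\s+tracking=(\w+)\s+count=(\d+)\s+seconds=(\d+)")


@dataclass
class EventFilter:
    gen_id: int
    sig_id: int
    kind: str        # limit, threshold or both
    track: str       # src or dst: the address the counter is kept per
    count: int
    seconds: int
    state: Dict[str, Tuple[float, int]] = field(default_factory=dict)   # address -> (window start, hits)

    def allow(self, ts: float, src: str, dst: str) -> bool:
        """Decide whether one more matching event at time ts is still alerted on.
        Semantics as described in Snort's manual: limit = the first `count` events per
        window, threshold = every `count`-th event, both = once per window after `count` events."""
        key = src if self.track == "src" else dst
        tstart, hits = self.state.get(key, (ts, 0))
        if ts - tstart >= self.seconds:      # window elapsed: start a fresh one
            tstart, hits = ts, 0
        hits += 1
        self.state[key] = (tstart, hits)
        if self.kind == "limit":
            return hits <= self.count
        if self.kind == "threshold":
            return hits % self.count == 0
        if self.kind == "both":
            return hits == self.count
        raise ValueError("unknown filter type: " + self.kind)


def parse_filter_table(text: str) -> List[EventFilter]:
    """Build EventFilter objects from the rows printed at startup."""
    filters = []
    for m in (ROW_RE.search(line) for line in text.splitlines()):
        if m:
            g, s, kind, track, c, sec = m.groups()
            filters.append(EventFilter(int(g), int(s), kind.lower(), track, int(c), int(sec)))
    return filters


@dataclass
class Event:
    ts: float
    gen_id: int
    sig_id: int
    src: str
    dst: str


def apply_filters(filters: List[EventFilter], events: List[Event]) -> List[Event]:
    """Events that survive filtering; signatures without a filter pass through untouched."""
    by_sig = {(f.gen_id, f.sig_id): f for f in filters}
    passed = []
    for e in sorted(events, key=lambda ev: ev.ts):
        f = by_sig.get((e.gen_id, e.sig_id))
        if f is None or f.allow(e.ts, e.src, e.dst):
            passed.append(e)
    return passed


def demo() -> Dict[int, int]:
    """Constructed bursts against the three filters; returns how many alerts each sig-id emits."""
    home = "172.26.75.115"
    events = [Event(i * 0.5, 1, 2494, "10.0.0.%d" % (i % 3), home) for i in range(25)]   # 25 hits on one dst in 12 s
    events.append(Event(70.0, 1, 2494, "10.0.0.9", home))                      # new 60 s window, one hit only
    events += [Event(i * 0.1, 1, 3273, "10.0.0.1", home) for i in range(12)]   # 12 hits from one src in 1.1 s
    events += [Event(float(i), 1, 100000310, "10.0.0.2", home) for i in range(3)]   # 3 hits from one src
    events.append(Event(1.0, 1, 100000310, "10.0.0.3", home))                  # another src: its own counter
    events += [Event(float(i), 1, 424242, "10.0.0.4", home) for i in range(4)]  # constructed sig-id, no filter
    counts: Dict[int, int] = {}
    for e in apply_filters(parse_filter_table(TABLE), events):
        counts[e.sig_id] = counts.get(e.sig_id, 0) + 1
    return counts
```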

    That's it for today; tomorrow I'll look at obtaining and writing snort rules.

      

     

