萬盛學電腦網 >> 健康知識 >> 快速建立一個入侵檢測系統
快速建立一個入侵檢測系統
馬上測試一下 [root@SEC snort-1.9.0]#snort Initializing Output Plugins! Log directory = /var/log/snort Initializing Network Interface eth0 using config file /root/.snortrc Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /root/.snortrc 等等的輸出,如果你看到的是這樣的,那麼恭喜你,你成功了! 下面讓我們一起來看看snort的參數 [root@SEC snort-1.9.0]# snort --help Initializing Output Plugins! snort: invalid option -- - -*> Snort! <*- Version 1.9.0 (Build 209) By Martin Roesch ([email protected], ) USAGE: snort [-options] Options: -A Set alert mode: fast, full, console, or none (alert file alerts only) "unsock" enables UNIX socket logging (experimental). -a Display ARP packets -b Log packets in tcpdump format (much faster!) -c Use Rules File -C Print out payloads with character data only (no hex) -d Dump the Application Layer -D Run Snort in background (daemon) mode -e Display the second layer header info -f Turn off fflush() calls after binary log writes -F Read BPF filters from file -g Run snort gid as group (or gid) after initialization -G Add reference ids back into alert msgs (modes: basic, url) -h Home network = -i Listen on interface -I Add Interface name to alert output -l Log to directory -m Set umask = -n Exit after receiving packets -N Turn off logging (alerts still work) -o Change the rule testing order to Pass Alert Log -O Obfuscate the logged IP addresses -p Disable promiscuous mode sniffing -P set explicit snaplen of packet (default: 1514) -q Quiet. Dont show banner and status report -r Read and process tcpdump file -R Include id in snort_intf.pid file name -s Log alert messages to syslog -S Set rules file variable n equal to value v -t Chroots process to after initialization -T Test and report on the current Snort configuration -u Run snort uid as user (or uid) after initialization -U Use UTC for timestamps -v Be verbose -V Show version number -w Dump 802.11 management and control frames -X Dump the raw packet data starting at the link layer -y Include year in timestamp in the alert and log files -z Set assurance mode, match on established sesions (for TCP) -? Show this information are standard BPF options, as seen in TCPDump
這裡主要是要了解幾個重要的參數 -A 設置報警模式,,是快速,完全,或者是控制台,亦或是不報警 -a 捕獲ARP包 -b 使用tcpdump的格式來寫入日志 -c 指定配置文件路徑 -d 捕獲應用層數據 -D 後台運行snort -e 顯示第二層頭信息 -h 設置監聽主機 -m 設置掩碼 -z 只匹配已經完全建立鏈接的會話 我一般是使用 snort -A fast -Db -e -z來運行snort的 其他還有一些很有用的參數,而且可以在配置文件那讓snort把日志寫到mysql數據庫,這樣對日志的處理就可以很方便了 如果需要知道更加多的信息,可以去看doc,或者看man page 這裡先截取一個日志片段來說明一些問題 11/13-05:29:27.429801 UDP src: 24.24.146.64 dst: 202.196.64.30 sport: 1028 dport: 137 tgts: 6 ports: 6 event_id: 0 11/13-05:29:27.759801 UDP src: 24.24.146.64 dst: 202.196.64.32 sport: 1028 dport: 137 tgts: 7 ports: 7 event_id: 471 11/13-05:29:34.279801 UDP src: 24.24.146.64 dst: 202.196.64.72 sport: 1028 dport: 137 tgts: 8 ports: 8 event_id: 471 11/13-05:29:34.449801 UDP src: 24.24.146.64 dst: 202.196.64.73 sport: 1028 dport: 137 tgts: 9 ports: 9 event_id: 471 11/13-05:29:37.549801 UDP src: 24.24.146.64 dst: 202.196.64.92 sport: 1028 dport: 137 tgts: 10 ports: 10 event_id: 471 11/13-05:29:41.989801 UDP src: 24.24.146.64 dst: 202.196.64.119 sport: 1028 dport: 137 tgts: 11 ports: 11 event_id: 471 11/13-05:29:42.139801 UDP src: 24.24.146.64 dst: 202.196.64.120 sport: 1028 dport: 137 tgts: 12 ports: 12 event_id: 471 這段日志告訴我 今天早上5點左右,有個IP是24.24.146.64的朋友,在掃描202.196.64網段的共享或者是在使用一些低級的操作系統鑒別工具來鑒別這個網段的操作系統類型(因為高級的系統指紋鑒別系統是不會掃描137端口的) 詳細的分析一條日志吧 11/13-05:29:27.429801 UDP src: 24.24.146.64 dst: 202.196.64.30 sport: 1028 dport: 137 tgts: 6 ports: 6 event_id: 0 UDP是使用的協議 SRC是源IP DST是目標IP SPORT是源端口 DPORT是目標端口 根據上面的內容再結合攻擊手段的特征,很容易就可以發現對方在做什麼了
- 上一頁:Flash木馬是這樣練成的
- 下一頁:拒絕木馬 保障安全
健康知識排行
電腦基礎推薦
相關文章
copyright © 萬盛學電腦網 all rights reserved