• 实验内容

1. 搭建网络防御环境
2. 学习使用检测工具Snort
3. 对网络进行攻击，查看和分析网络防御工具报告
4. 对实验结果进行分析整理，形成结论

三、实验步骤

1. 安装入侵检测系统Snort
   1. 安装daq依赖程序，输入如下命令：

sudo apt-get install flex

sudo apt-get install bison

sudo apt install aptitude

sudo aptitude install libpcap-dev

1. 1. 安装daq，输入如下命令：

wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz

tar xvfz daq-2.0.7.tar.gz

cd daq-2.0.7

./configure && make && sudo make install

1. 1. 安装snort的依赖程序，输入如下命令：

aptitude install libpcre3-dev

aptitude install libdumbnet-dev

aptitude install zlib1g-dev

apt install openssl

apt-get install libssl-dev

安装LuaJIT：

sudo wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz

sudo tar -zxvf LuaJIT-2.0.5.tar.gz

cd LuaJIT-2.0.5/

sudo make && sudo make install

LuaJIT-2.0.5安装完成

1. 1. 开始安装Snort，输入以下命令：

    

选择官网当前的版本进行下载

wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz

tar xvfz snort-2.9.20.tar.gz

cd snort-2.9.20

./configure --enable-sourcefire && make && sudo make install

已成功安装

1. 对Snort进行配置：
   1. 创建一些必要的文件夹

#Snort的安装目录

sudo mkdir -p /etc/snort/rules/iplists

sudo mkdir -p /etc/snort/preproc_rules

sudo mkdir /usr/local/lib/snort_dynamicrules

sudo mkdir /etc/snort/so_rules

#存储过滤规则和服务器黑白名单

sudo touch /etc/snort/rules/iplists/default.blacklist

sudo touch /etc/snort/rules/iplists/default.whitelist

sudo touch /etc/snort/rules/so_rules

#创建日志目录

sudo mkdir /var/log/snort

sudo mkdir /var/log/snort/archived_logs

#调整权限

sudo chmod -R 5775 /etc/snort

sudo chmod -R 5775 /var/log/snort

sudo chmod -R 5775 /var/log/snort/archived_logs

sudo chmod -R 5775 /etc/snort/rules/so_rules

sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

1. 1. 复制文件到 /etc/snort

cp /snort-2.9.20/etc/*.conf* /etc/snort

cp /snort-2.9.20/etc/*.map /etc/snort

cp /snort-2.9.20/etc/*.dtd /etc/snort

cp /snort-2.9.20/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/

1. 1. 修改默认配置

# 打开配置文件

sudo vim /etc/snort/snort.conf

# 修改路径 找到对应复制

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules/iplists/

var BLACK_LIST_PATH /etc/snort/rules/iplists/

1. 1. 修改配置文件让黑白名单生效

1. 1. 安装rules包

wget https://www.snort.org/downloads/registered/snortrules-snapshot-29181.tar.gz

sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort

sudo cp /etc/snort/so_rules/precompiled/RHEL-8/x86-64/2.9.18.1/* /usr/local/lib/snort_dynamicrules/

1. 1. 启动测试

1. 利用Snort检测ping攻击
   1. 在rules/icmp-info.rules文件中设置如下规则:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

1. 1. 使用snort规则对流量进行检测，将结果输出到snort日志中

snort -i eth0 -c /etc/snort/snort.conf -A fast -l /var/log/snort/

成功开启snort进行检测

1. 1. 使用局域网内主机对安装snort主机进行包>800的ping攻击

ping 192.168.223.153 -l 1000

1. 1. 在日志中查看检测结果：

可以看到成功检测包大于800的ping攻击

1. 利用Snort检测nmap扫描
   1. 在 /etc/snort/rules/local.rules下进行tcp规则配置

vim /etc/snort/rules/local.rules

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"nmap scan";sid:1000000888;)

保存并退出

1. 1. 启动snort进行局域网内的扫描检测

sudo snort -i eth0 -c /etc/snort/snort.conf -A fast -l /var/log/snort/

1. 使用宿主机进行局域网内的namp扫描（使用同一网段的另一台kali机）

1. 1. 在var/log/snort中查看检测结果

 可以看到，成功检测到nmap的扫描