Snort User Manual 2


Snort User Manual: Installation and Configuration

Installing Snort on Linux via RPM

RPM stands for RPM Package Manager. (Yes, the acronym really is recursive. It is not very meaningful, but it is accurate.) An RPM is an easy-to-install package on Linux because RPM support is built into Red Hat-derived distributions (Red Hat Enterprise Linux, CentOS, Fedora) and SUSE; Debian-based systems use a different package format, so pick the package type that matches your distribution. The file name also encodes the target: snort-2.8.0.2-1.RH5.i386.rpm is built for Red Hat 5 on 32-bit x86. After downloading an RPM from the Snort web site, run the rpm command with the name of the downloaded file as its argument, as shown in Listing 6. Before you do, verify the download: rpm -K <file> checks the package's embedded digests and, if the packager's GPG key has been imported with rpm --import, its signature. That is the one step that protects you from installing a corrupted or tampered package as root.

Listing 6. Invoking rpm on the Snort RPM

[bdm0509@pegasus]# rpm -ivh snort-2.8.0.2-1.RH5.i386.rpm

Preparing...                ################################################ [100%]
   1:snort                  ################################################ [100%]

As when installing Snort from source, you will probably need to be logged in as root to run this command, or use sudo to install the RPM as the superuser (sudo is preferable, because it limits the privileged part of the session to the single install command). Snort expects its binaries to live in protected directories such as /usr/bin or /usr/local/bin, so an installation on a standard system requires more privilege than most ordinary user accounts have.
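Before running rpm -ivh as root, a practitioner would confirm that the downloaded file really is the package it claims to be. The script below is an added example, not code from the original article or the Snort project: it checks the RPM lead magic bytes, compares the file's SHA-256 digest against a value obtained out of band (assumed to come from the download page or a signed checksum file), lets rpm -K verify the package's embedded signature and digests where rpm is installed, and only then performs the privileged install. The digest in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original article or the Snort project:
# integrity checks to run on a downloaded Snort RPM before handing it to
# `rpm -ivh`. The expected SHA-256 digest is assumed to come from an
# out-of-band source (the download page or a signed checksum file).

# Return 0 if the file starts with the RPM lead magic bytes ed ab ee db.
is_rpm_file() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "edabeedb" ]
}

# Return 0 if the file's SHA-256 digest equals the expected digest $2.
checksum_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Refuse to install unless the magic and digest check out. When rpm is
# present, also let it verify the package's embedded digests and signature
# (rpm -K; the signature check needs the packager's key imported with
# rpm --import) before the privileged install.
install_snort_rpm() {
    file=$1; expected=$2
    is_rpm_file "$file" || { echo "not an RPM file: $file" >&2; return 1; }
    checksum_matches "$file" "$expected" || { echo "SHA-256 mismatch: $file" >&2; return 1; }
    if command -v rpm >/dev/null 2>&1; then
        rpm -K "$file" || { echo "rpm signature/digest check failed: $file" >&2; return 1; }
    fi
    sudo rpm -ivh "$file"
}

# Usage (the digest is a placeholder; take the real one from the vendor):
#   install_snort_rpm snort-2.8.0.2-1.RH5.i386.rpm <expected-sha256-hex>
```

The magic-byte check catches the common failure of an HTML error page saved under the package's name; the digest comparison catches truncation and tampering; rpm -K is the only check that ties the file to the packager rather than to whatever you downloaded.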

Testing the Installation

After installation is complete, you need to take a few steps to make sure Snort runs properly on the system. They are all straightforward, but you should carry them out every time you install a new version of Snort or install Snort on a new machine.

Running the Snort Binary

The simplest test you can perform is to run the snort command itself. To begin, change to any arbitrary directory on the machine; to be safe, do not run the command from inside the Snort installation directory. (To confirm which binary your PATH resolves to, run command -v snort.) Run with no arguments, snort prints its banner and option summary and exits, so you should see output similar to Listing 7.

Listing 7. Testing the Snort binary

[bdm0509:~] snort

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.0.2 (Build 75)
   ''''    By Martin Roesch & The Snort Team: /team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
           Using PCRE version: 7.6 2008-01-28

USAGE: snort [-options] <filter options>
Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -g <gname> Run snort gid as <gname> group (or gid) after initialization
        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
        -h <hn>    Home network = <hn>
        -H         Make hash tables deterministic.
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -K <mode>  Logging mode (pcap[default],ascii,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -M         Log messages to syslog (not alerts)
        -m <umask> Set umask = <umask>
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -o         Change the rule testing order to Pass|Alert|Log
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -t <dir>   Chroots process to <dir> after initialization
        -T         Test and report on the current Snort configuration
        -u <uname> Run snort uid as <uname> user (or uid) after initialization
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -w         Dump 802.11 management and control frames
        -X         Dump the raw packet data starting at the link layer
        -y         Include year in timestamp in the alert and log files
        -Z <file>  Set the performonitor preprocessor file path and name
        -?         Show this information

<filter options> are standard BPF options, as seen in TCPDump

Longname options and their corresponding single char version
   --logid <0xid>          Same as -G
   --perfmon-file <file>   Same as -Z
   --pid-path <path>       Specify the path for the Snort PID file
   --snaplen <snap>        Same as -P
   --help                  Same as -?
   --version               Same as -V
   --alert-before-pass     Process alert, drop, sdrop, or reject before pass,
                           default is pass before alert, drop,...
   --treat-drop-as-alert   Converts drop, sdrop, and reject rules into alert
                           rules during startup
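Seeing the banner proves the binary runs, but the checks a practitioner actually wants after an install are: the version the binary reports, whether the binary is protected from modification by unprivileged users (the point made above about protected directories), and whether the configuration loads (-T). The script below is an added example, not code from the original article or the Snort project. It also shows the least-privilege launch the option list supports: -u and -g to drop to an unprivileged account after initialization, -t to chroot, and -l for the log directory. /usr/sbin/snort, /etc/snort/snort.conf, the snort account and group, the /var/snort chroot, and the 2.8.0 minimum version are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article or the Snort project:
# post-install checks, then a least-privilege launch. SNORT_BIN, SNORT_CONF,
# the "snort" account/group and the chroot/log directories are assumed
# locations; adjust them for your system.

# Extract "X.Y.Z[.W]" from banner text such as "Version 2.8.0.2 (Build 75)".
snort_version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 is >= dotted version $2, else 1.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# Return 0 unless the group or other write bit is set on $1
# (columns 6 and 9 of the ls -l mode string).
not_group_world_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# Preconditions for -u/-g/-t/-l: the unprivileged account exists, the chroot
# directory exists, and the log directory exists inside the chroot (after
# chroot() only paths under the jail are reachable).
preflight_runtime() {
    user=$1; jail=$2; logdir=$3
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    [ -d "$jail" ] || { echo "chroot dir missing: $jail" >&2; return 1; }
    [ -d "$logdir" ] || { echo "log dir missing: $logdir" >&2; return 1; }
    case "$logdir" in
        "$jail"/*) return 0 ;;
        *) echo "log dir $logdir is not under chroot $jail" >&2; return 1 ;;
    esac
}

# Check the installed binary: readable version, minimum version (assumed
# 2.8.0), not writable by group/other, and a clean configuration test (-T).
check_snort_install() {
    bin=${SNORT_BIN:-/usr/sbin/snort}
    conf=${SNORT_CONF:-/etc/snort/snort.conf}
    ver=$("$bin" -V 2>&1 | snort_version_from_banner)
    [ -n "$ver" ] || { echo "could not read Snort version from $bin" >&2; return 1; }
    version_ge "$ver" "2.8.0" || { echo "Snort $ver is older than 2.8.0" >&2; return 1; }
    not_group_world_writable "$bin" || { echo "$bin is group/world writable" >&2; return 1; }
    "$bin" -T -c "$conf"
}

# Start Snort as a daemon with privileges dropped and a chroot applied after
# initialization. The group is assumed to have the same name as the user.
start_snort_daemon() {
    iface=$1; user=${2:-snort}; jail=${3:-/var/snort}; logdir=${4:-/var/snort/log}
    bin=${SNORT_BIN:-/usr/sbin/snort}
    conf=${SNORT_CONF:-/etc/snort/snort.conf}
    check_snort_install || return 1
    preflight_runtime "$user" "$jail" "$logdir" || return 1
    "$bin" -D -i "$iface" -c "$conf" -u "$user" -g "$user" -t "$jail" -l "$logdir" -K pcap
}
```

Source the script and run check_snort_install on its own after every upgrade; start_snort_daemon eth0 (interface name assumed) only launches the daemon once the configuration test and the runtime preconditions pass, so a broken rules file or a missing service account fails loudly instead of leaving a sensor running as root or not running at all.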
