Snort Install Windows

Aus xinux.net
Zur Navigation springen Zur Suche springen

Download

Install

Winpcap

Winpcap-windows-1.png Winpcap-windows-2.png

Snort

Snort-windows-1.png Snort-windows-2.png


Test

Interface Nummer herausfinden

  • C:\Snort\bin>snort -W
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3-WIN32 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using PCRE version: 8.10 2010-06-25
           Using ZLIB version: 1.2.3

Index   Physical Address        IP Address      Device Name     Description
-----   ----------------        ----------      -----------     -----------
    1   08:00:27:5A:CD:4E       0000:0000:fe80:0000:0000:0000:0c88:4afd \Device\
NPF_{769A54CE-2839-4D39-A753-C36840BB3EB3}      Intel(R) PRO/1000 MT-Desktopadap
ter
    2   00:FF:D2:11:5E:C4       0000:0000:fe80:0000:0000:0000:2df0:da06 \Device\
NPF_{D2115EC4-8770-4D98-83E9-AC63C3480AE6}      Sophos SSL VPN Adapter

Modifzierte snort.conf zu Testzwecken

snort.conf

Version anzeigen

  • C:\snort\bin\snort -V

local.rules anlegen

C:\snort\rules\local.rules 

Alert icmp any any -> any any (msg:"Snort Test"; sid:1000000001;)
#Alert udp any any -> any any (msg:"Snort Test UDP"; sid:1000000002;)
#Alert tcp any any -> any any (msg:"Snort Test TCP"; sid:1000000003;)

Konfiguration testen

  • C:\snort\bin\snort -i 1 -c c:\Snort\etc\snort.conf -T

Snort starten und ping vom 172.18.180.1 auf die 172.18.180.157

  • cd c:\snort\bin
  • snort -A console -i 1 -c c:\snort\etc\snort.conf -l c:\snort\log
....
Commencing packet processing (pid=2444)
08/24-11:33:15.535069  [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.1 -> 172.18.180.157
08/24-11:33:15.535451  [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.157 -> 172.18.180.1
08/24-11:33:16.536607  [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.1 -> 172.18.180.157
08/24-11:33:16.536705  [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.157 -> 172.18.180.1
08/24-11:33:17.535307  [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.1 -> 172.18.180.157
08/24-11:33:17.535307  [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.157 -> 172.18.180.1
*** Caught Int-Signal

Snort im Einsatz

Für den normalen Einsatz sollte man sich auf www.snort.org registieren und die dortigen rules runterladen und einsetzen. Es gibt 3 Varianten:

  • Community
  • Registered
  • Subscription (kostenfplichtig)

Man muss dann in der snort.conf noch die entspechenden rules aktivieren: 

#include $RULE_PATH/app-detect.rules
#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
#include $RULE_PATH/browser-chrome.rules
#include $RULE_PATH/browser-firefox.rules
#include $RULE_PATH/browser-ie.rules
#include $RULE_PATH/browser-other.rules
#include $RULE_PATH/browser-plugins.rules
#include $RULE_PATH/browser-webkit.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/experimental.rules
#include $RULE_PATH/exploit-kit.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/file-executable.rules
#include $RULE_PATH/file-flash.rules
#include $RULE_PATH/file-identify.rules
#include $RULE_PATH/file-image.rules
#include $RULE_PATH/file-java.rules
#include $RULE_PATH/file-multimedia.rules
#include $RULE_PATH/file-office.rules
#include $RULE_PATH/file-other.rules
#include $RULE_PATH/file-pdf.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/indicator-compromise.rules
#include $RULE_PATH/indicator-obfuscation.rules
#include $RULE_PATH/indicator-scan.rules
#include $RULE_PATH/indicator-shellcode.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/malware-backdoor.rules
#include $RULE_PATH/malware-cnc.rules
#include $RULE_PATH/malware-other.rules
#include $RULE_PATH/malware-tools.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/os-linux.rules
#include $RULE_PATH/os-mobile.rules
#include $RULE_PATH/os-other.rules
#include $RULE_PATH/os-solaris.rules
#include $RULE_PATH/os-windows.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
#include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy-multimedia.rules
#include $RULE_PATH/policy-other.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/policy-social.rules
#include $RULE_PATH/policy-spam.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/protocol-dns.rules
#include $RULE_PATH/protocol-finger.rules
#include $RULE_PATH/protocol-ftp.rules
#include $RULE_PATH/protocol-icmp.rules
#include $RULE_PATH/protocol-imap.rules
#include $RULE_PATH/protocol-nntp.rules
#include $RULE_PATH/protocol-pop.rules
#include $RULE_PATH/protocol-rpc.rules
#include $RULE_PATH/protocol-scada.rules
#include $RULE_PATH/protocol-services.rules
#include $RULE_PATH/protocol-snmp.rules
#include $RULE_PATH/protocol-telnet.rules
#include $RULE_PATH/protocol-tftp.rules
#include $RULE_PATH/protocol-voip.rules
#include $RULE_PATH/pua-adware.rules
#include $RULE_PATH/pua-other.rules
#include $RULE_PATH/pua-p2p.rules
#include $RULE_PATH/pua-toolbars.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/server-apache.rules
#include $RULE_PATH/server-iis.rules
#include $RULE_PATH/server-mail.rules
#include $RULE_PATH/server-mssql.rules
#include $RULE_PATH/server-mysql.rules
#include $RULE_PATH/server-oracle.rules
#include $RULE_PATH/server-other.rules
#include $RULE_PATH/server-samba.rules
#include $RULE_PATH/server-webapp.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/voip.rules
#include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/x11.rules


Links

Abgerufen von „https://xinux.net/index.php?title=Snort_Install_Windows&oldid=10107