
Snort user guide, part 2: Configuration

2010-01-25  Source: WEB开发网

Snort is at its best when it handles this kind of complex, difficult packet problem. In fact, that is exactly what makes Snort so useful to Web developers: it lets them keep their attention on design patterns, layout, and functional tasks instead of on raw traffic. With Snort and a basic understanding of how it works (which you should have after the previous article and this section), you can let your tools do the work you would rather not do yourself. The rest of this article describes how Snort handles packet analysis, and how you can draw on the Snort community to keep your systems safe without relearning the college networking course you have long since forgotten.

Configuring Snort

Rather than spending hours studying packets, you can set Snort up to do the analysis and to alert you when something goes wrong; it does this through a set of rules that you supply. These rules, normally kept in plain text files, tell Snort what to do: what key details to look for in a packet, and what action to take once it finds them. A rule can also restrict what Snort watches (for instance, only traffic to a single host, or everything on an entire network segment), and can tell Snort to log whatever it finds to a file that you review later.

In practice, Snort rules spare you the work of analyzing packets by hand.
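The paragraph above describes a rule in terms of a scope (which hosts and ports), a key detail to look for in the packet, and an action. The following added example (not Snort's own code and not from the original article) models exactly that: it parses a rule in Snort's header/options syntax, supporting only `alert`, the `->` direction, `any`/CIDR/single-IP addresses, numeric or `any` ports, and the `msg`, `content` and `sid` options, and evaluates it against constructed packets. The two rules and four packets are made up for the demonstration; one rule is scoped to a whole /24 network, the other to a single host, to show the difference the paragraph mentions.

```python
"""Minimal model of how a Snort rule is evaluated against a packet.

Added example, not Snort's own code: only the header fields (action,
protocol, source/destination address and port) and the msg/content/sid
options are implemented. Packets are constructed dicts, not captures.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# key:"value"; or key:value; inside the parenthesised option list
OPTION_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)
    contents: list = field(default_factory=list)


def parse_rule(text):
    """Split 'alert tcp any any -> 10.0.0.0/24 80 (msg:"x"; ...)' into a Rule."""
    header, _, body = text.strip().partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' rules are modelled here")
    rule = Rule(action, proto, src, sport, dst, dport)
    for key, value in OPTION_RE.findall(body.rstrip(")")):
        if key == "content":
            rule.contents.append(value)   # several content: options are ANDed
        else:
            rule.options[key] = value
    return rule


def _addr_match(spec, addr):
    # 'any' matches everything; a CIDR covers a network; a bare IP is a /32
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, src, sport, dst, dport, payload (bytes)."""
    if rule.proto != pkt["proto"]:
        return False
    if not (_addr_match(rule.src, pkt["src"]) and _addr_match(rule.dst, pkt["dst"])):
        return False
    if not (_port_match(rule.src_port, pkt["sport"]) and _port_match(rule.dst_port, pkt["dport"])):
        return False
    # the "key detail": every content: string must appear in the payload
    return all(c.encode() in pkt["payload"] for c in rule.contents)


def run_rules(rules, packets):
    """Return (sid, msg) for each alert rule that fires, in packet order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and rule_matches(rule, pkt):
                alerts.append((rule.options.get("sid"), rule.options.get("msg")))
    return alerts


# Constructed sample rules: one scoped to a whole network, one to a single host.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"web traversal attempt"; content:"../"; sid:1000001;)',
    'alert tcp any any -> 192.168.1.10 22 (msg:"ssh to jump host"; sid:1000002;)',
]]

# Constructed sample packets (not captured traffic).
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.20",
     "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.20",
     "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "192.168.1.10",
     "dport": 22, "payload": b"SSH-2.0-OpenSSH\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40003, "dst": "192.168.1.11",
     "dport": 22, "payload": b"SSH-2.0-OpenSSH\r\n"},
]

if __name__ == "__main__":
    for alert in run_rules(RULES, PACKETS):
        print(alert)
```

Only the first and third packets fire: the second reaches the /24 on port 80 but lacks the `../` content, and the fourth goes to a neighbour of the single host named in the second rule. Real Snort adds much more (the `<>` direction, port ranges and lists, `$HOME_NET`-style variables, flow state, and many more options), but the scope-then-detail-then-action shape is the same.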

Snort's default configuration

Before you write any rules, you need to tell Snort to run as an IDS. The simplest way to do that (and it includes packet logging) is to use Snort's default configuration, which lives in the etc/snort.conf file under your Snort installation directory (mine is /usr/local/snort-2.8.1/etc/snort.conf); you point Snort at it with the -c option when you start it. This gets Snort set up and running with very little effort. Listing 4 shows part of that configuration file.


Listing 4. The default snort.conf file
# stream5: Target Based stateful inspection/stream reassembly for Snort 
# --------------------------------------------------------------------- 
# Stream5 is a target-based stream engine for Snort. Its functionality 
# replaces that of Stream4. Consequently, BOTH Stream4 and Stream5 
# cannot be used simultaneously. Comment out the stream4 configurations 
# above to use Stream5. 
# 
# See README.stream5 for details on the configuration options. 
# 
# Example config (that emulates Stream4 with UDP support compiled in) 
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ 
               track_udp no 
preprocessor stream5_tcp: policy first, use_static_footprint_sizes 
# preprocessor stream5_udp: ignore_any_rules 
 
 
# Performance Statistics 
# ---------------------- 
# Documentation for this is provided in the Snort Manual. You should read it. 
# It is included in the release distribution as doc/snort_manual.pdf 
# 
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 
 
# http_inspect: normalize and detect HTTP traffic and protocol anomalies 
# 
# lots of options available here. See doc/README.http_inspect. 
# unicode.map should be wherever your snort.conf lives, or given 
# a full path to where snort can find it. 
preprocessor http_inspect: global \ 
  iis_unicode_map unicode.map 1252 
 
preprocessor http_inspect_server: server default \ 
  profile all ports { 80 8080 8180 } oversize_dir_length 500 
 
# 
# Example unique server configuration 
# 
#preprocessor http_inspect_server: server 1.1.1.1 \ 
#  ports { 80 3128 8080 } \ 
#  flow_depth 0 \ 
#  ascii no \ 
#  double_decode yes \ 
#  non_rfc_char { 0x00 } \ 
#  chunk_length 500000 \ 
#  non_strict \ 
#  oversize_dir_length 300 \ 
#  no_alerts 
 
 
# rpc_decode: normalize RPC traffic 
# --------------------------------- 
# RPC may be sent in alternate encodings besides the usual 4-byte encoding 
# that is used by default. This plugin takes the port numbers that RPC 
# services are running on as arguments - it is assumed that the given ports 
# are actually running this type of service. If not, change the ports or turn 
# it off. 
# The RPC decode preprocessor uses generator ID 106 
# 
# arguments: space separated list 
# alert_fragments - alert on any rpc fragmented TCP data 
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet 
# no_alert_large_fragments - don't alert when the fragmented 
#              sizes exceed the current packet size 
# no_alert_incomplete - don't alert when a single segment 
#            exceeds the current packet size 
 
preprocessor rpc_decode: 111 32771 
 
# content goes on for a long time...
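The comments in Listing 4 carry a caveat that is easy to miss when editing a long snort.conf by hand: stream4 and stream5 must not both be enabled. The following added example (written for this page, not part of Snort or the original article) reads the `preprocessor` directives out of a config excerpt, folding the backslash line continuations and skipping commented-out lines the way the file is written, and then reports that conflict, as well as the ports http_inspect_server is told to watch. The config text embedded below is a constructed excerpt modelled on Listing 4, with a second copy in which a stream4 line has been left uncommented; `detect_scans` is one of stream4's documented options and is used only to make the line look realistic.

```python
"""Parse the 'preprocessor' directives of a snort.conf and run a sanity check.

Added example, not part of Snort: it folds the backslash line
continuations, drops comments, and flags the conflict the stream5 comment
in Listing 4 warns about (stream4 and stream5 enabled at the same time).
The config text is a constructed excerpt, not a complete snort.conf.
"""
import re

PREPROC_RE = re.compile(r'^preprocessor\s+(\S+?)\s*(?::\s*(.*))?$')


def logical_lines(text):
    """Yield config lines with '\\' continuations joined and comments removed."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf == "" and (not line or line.startswith("#")):
            continue                      # blank or commented-out directive
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue                      # directive continues on the next line
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def preprocessors(text):
    """Return [(name, argument string)] for every active preprocessor line."""
    found = []
    for line in logical_lines(text):
        m = PREPROC_RE.match(line)
        if m:
            found.append((m.group(1), (m.group(2) or "").strip()))
    return found


def check_stream_engines(text):
    """Return a list of problems; an empty list means the stream config is consistent."""
    names = {name for name, _ in preprocessors(text)}
    has4 = any(n.startswith("stream4") for n in names)
    has5 = any(n.startswith("stream5") for n in names)
    problems = []
    if has4 and has5:
        problems.append("stream4 and stream5 are both enabled; comment one out")
    if not (has4 or has5):
        problems.append("no stream engine enabled; TCP state will not be tracked")
    return problems


def http_ports(text):
    """Collect the ports listed in http_inspect_server 'ports { ... }' blocks."""
    ports = set()
    for name, args in preprocessors(text):
        if name == "http_inspect_server":
            m = re.search(r'ports\s*\{([^}]*)\}', args)
            if m:
                ports.update(int(p) for p in m.group(1).split())
    return sorted(ports)


# Constructed excerpt in the style of Listing 4 (stream5 only: consistent).
GOOD_CONF = """\
# stream5: Target Based stateful inspection/stream reassembly for Snort
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \\
               track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# preprocessor stream5_udp: ignore_any_rules

preprocessor http_inspect: global \\
  iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \\
  profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771
"""

# Same excerpt with a leftover stream4 line left uncommented: the mistake the
# Listing 4 comment warns about.
BAD_CONF = "preprocessor stream4: detect_scans\n" + GOOD_CONF

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, [n for n, _ in preprocessors(conf)], check_stream_engines(conf))
    print("http ports:", http_ports(GOOD_CONF))
```

Running it on a real snort.conf is a matter of reading the file into `text`; the parser deliberately handles only the `preprocessor` directive, so `var`, `include` and `output` lines pass through unchecked.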
