
- Systems used

KaliLinux (the image used in the labs so far) --Clone--> Attacker
                                               --Clone--> IDS
Firewall (CentOS)
Meta (Ubuntu)


- Server layout

                   192.168.17.2
                       |
Attacker(eth0) --------+----------(eth0)firewall(eth1) ---------+---------------+----------
192.168.17.60               192.168.17.100  192.168.27.100      |               |
                                                             IDS(eth0)       Meta(eth0)
                                                          192.168.27.50   192.168.27.134


 


Network setup

Configure Edit > Virtual Network Editor as follows (VMnet8 for the 192.168.17.0/24 side, VMnet1 for the 192.168.27.0/24 side).


1. Attacker setup

KaliLinux linked clone

IP : 192.168.17.60/24    ( # vi /etc/network/interfaces )

# route add -net 192.168.27.0 netmask 255.255.255.0 gw 192.168.17.100

-> A route added this way is lost on reboot, so write it into a script and run it when needed.


# hostnamectl set-hostname Attacker


2. Firewall setup

IP : eth0 192.168.17.100  - VMnet8

     eth1 192.168.27.100  - VMnet1


# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1

# vi /etc/sysctl.conf     ( net.ipv4.ip_forward = 1 )

# sysctl -p


# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# iptables -L -t nat
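An added check, not part of the original notes, that parses the firewall's sysctl and iptables output offline and reports when forwarding is off or the POSTROUTING MASQUERADE rule is missing or bound to a misspelled interface. It assumes the rule-spec listing from "iptables -t nat -S" rather than the "-L" view used above; the sample outputs are constructed.

```python
import re

# Constructed sample output (not captured from the lab firewall):
# `sysctl net.ipv4.ip_forward` and `iptables -t nat -S` on the CentOS box.
SYSCTL_OUT = "net.ipv4.ip_forward = 1\n"
NAT_RULES_OK = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
"""
# The same listing with the interface name mistyped (a slip that iptables accepts silently).
NAT_RULES_TYPO = NAT_RULES_OK.replace("-o eth0", "-o eht0")

def ip_forward_enabled(sysctl_out):
    """True only if the kernel reports net.ipv4.ip_forward = 1."""
    m = re.search(r"^net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_out, re.M)
    return bool(m) and m.group(1) == "1"

def masquerade_interfaces(nat_rules):
    """Out-interfaces that carry a MASQUERADE rule in the nat POSTROUTING chain ('*' = any)."""
    ifaces = set()
    for line in nat_rules.splitlines():
        if line.startswith("-A POSTROUTING") and "-j MASQUERADE" in line:
            m = re.search(r"-o\s+(\S+)", line)
            ifaces.add(m.group(1) if m else "*")
    return ifaces

def check_firewall(sysctl_out, nat_rules, expected_iface="eth0"):
    """Return a list of problems; an empty list means forwarding and NAT match this lab."""
    problems = []
    if not ip_forward_enabled(sysctl_out):
        problems.append("net.ipv4.ip_forward is not 1 (set it in /etc/sysctl.conf, then sysctl -p)")
    ifaces = masquerade_interfaces(nat_rules)
    if expected_iface not in ifaces:
        found = sorted(ifaces) or "none"
        problems.append(f"no POSTROUTING MASQUERADE rule on {expected_iface} (found: {found})")
    return problems
```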


3. IDS setup

KaliLinux linked clone


IP :  eth0 192.168.27.50 - VMnet1

gw : 192.168.27.100


# hostnamectl set-hostname IDS


4. Meta setup

Log in as msfadmin / msfadmin

$ sudo su -

( password: msfadmin )


IP : 192.168.27.134 - VMnet1

gw : 192.168.27.100


# ifconfig eth0 inet 192.168.27.134 netmask 255.255.255.0 up

# route add default gw 192.168.27.100


Configuration test

Attacker -- ping -->  IDS/Meta

# ping 192.168.27.50

# ping 192.168.27.134


- IDS server setup

( on IDS )


# apt-get update

[Note] If it fails

If apt-get update fails after the network changes, check /etc/resolv.conf:

root@IDS:~# ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 35 12월 22 18:50 /etc/resolv.conf -> /var/run/NetworkManager/resolv.conf

root@IDS:~# rm -f /etc/resolv.conf
root@IDS:~# vi /etc/resolv.conf
nameserver 168.126.63.1

 


# apt-cache search snort

fwsnort - Snort-to-iptables rule translator
golang-github-jasonish-go-idsrules-dev - Go IDS rule parser
ippl - IP protocols logger
libdaq-dev - Data Acquisition library for packet I/O - development files
libdaq2 - Data Acquisition library for packet I/O - shared library
libprelude-dev - Security Information Management System [ Development files ]
libprelude-doc - Security Information Management System [ Documentation ]
libprelude-lua - Security Information Management System [ Lua bindings ]
libprelude-perl - Security Information Management System [ Perl bindings ]
libprelude23 - Security Information Management System [ Base library ]
libpreludecpp8 - Security Information Management System [ C++ library ]
libpreludedb-dev - Security Information Management System [ Development files ]
libpreludedb-doc - Security Information Management System [ Documentation ]
libpreludedb7 - Security Information Management System [ Base library ]
libpreludedb7-mysql - Security Information Management System [ MySQL library ]
libpreludedb7-pgsql - Security Information Management System [ PGSQL library ]
libpreludedb7-sqlite - Security Information Management System [ SQLite library ]
libpreludedbcpp2 - Security Information Management System [ C++ library ]
oinkmaster - Snort rules manager
prelude-lml - Security Information Management System [ Log Agent ]
prelude-manager - Security Information Management System [ Manager ]
preludedb-utils - Security Information Management System [ Library utils ]
psad - Port Scan Attack Detector
python-prelude - Security Information Management System [ Python2 bindings ]
python-preludedb - Security Information Management System [ Python2 bindings ]
python3-prelude - Security Information Management System [ Python3 bindings ]
python3-preludedb - Security Information Management System [ Python3 bindings ]
ruby-libprelude - Security Information Management System [ Ruby bindings ]
sagan - Real-time System & Event Log Monitoring System
sagan-rules - Real-time System & Event Log Monitoring System [rules]
snort - flexible Network Intrusion Detection System
snort-common - flexible Network Intrusion Detection System - common files
snort-common-libraries - flexible Network Intrusion Detection System - libraries
snort-doc - flexible Network Intrusion Detection System - documentation
snort-rules-default - flexible Network Intrusion Detection System - ruleset
suricata - Next Generation Intrusion Detection and Prevention Tool
suricata-oinkmaster - Integration package between suricata and oinkmaster

 


# apt-get -y install snort snort-common snort-common-libraries snort-doc snort-rules-default

> The installer prompts for the network on which intrusions should be detected; enter it here.


Verify the installation

# dpkg -l | grep snort


# dpkg -L snort     ( likewise for snort-common / snort-common-libraries / snort-rules-default )


# tree -C /etc/snort

( if the tree command is missing, install it: # apt-get install tree )


- Snort configuration files


# cd /etc/snort

# ls
classification.config  reference.config  snort.debian.conf
community-sid-msg.map  rules             threshold.conf
gen-msg.map            snort.conf        unicode.map


 


# cat snort.debian.conf

# snort.debian.config (Debian Snort configuration file)
#
# This file was generated by the post-installation script of the snort
# package using values from the debconf database.
#
# It is used for options that are changed by Debian to leave
# the original configuration files untouched.
#
# This file is automatically updated on upgrades of the snort package
# *only* if it has not been modified since the last upgrade of that package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command as root:
#   dpkg-reconfigure snort

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.27.0/24"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"


 


# cat /etc/default/snort

# Parameters for the daemon
# Add any additional parameteres here.
PARAMS="-m 027 -D -d "
#
# Snort user
# This user will be used to launch snort. Notice that the
# preinst script of the package might do changes to the user
# (home directory, User Name) when the package is upgraded or
# reinstalled.  So, do *not* change this to 'root' or to any other user
# unless you are sure there is no problem with those changes being introduced.
SNORTUSER="snort"
#
# Logging directory
# Snort logs will be dropped here and this will be the home
# directory for the SNORTUSER. If you change this value you should
# change the /etc/logrotate.d/snort definition too, otherwise logs
# will not be rotated properly.
#
LOGDIR="/var/log/snort"
#
# Snort group
# This is the group that the snort user will be added to.
#
SNORTGROUP="snort"
# Allow Snort's init.d script to work if the configured interfaces
# are not available. Set this to yes if you configure Snort with
# multiple interfaces but some might not be available on boot
# (e.g. wireless interfaces)
# Note: In order for this to work the 'iproute' package needs to
# be installed.
ALLOW_UNAVAILABLE="no"


 


# vi /etc/snort/snort.conf

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
#
# Note to Debian users: this value is overriden when starting
# up the Snort daemon through the init.d script by the
# value of DEBIAN_SNORT_HOME_NET s defined in the
# /etc/snort/snort.debian.conf configuration file
#
ipvar HOME_NET 192.168.27.0/24
......

 


- Starting the daemon

# service snort start


# snort -q -A console -b -c /etc/snort/snort.conf

Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -q         Quiet. Don't show banner and status report
        -b         Log packets in tcpdump format (much faster!)
        -l <ld>    Log to directory <ld>
        -c <rules> Use Rules File <rules>(EX: /etc/snort/snort.conf)
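An added example, not part of the original notes, that parses the fast-format alert lines "snort -A console" prints on the IDS and summarises them by signature and by flows whose source lies outside HOME_NET 192.168.27.0/24 (the value set in snort.debian.conf above). The sample alert lines, their local SIDs and messages are constructed, not captured from the lab.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# HOME_NET as set on the IDS host (DEBIAN_SNORT_HOME_NET in snort.debian.conf)
HOME_NET = ip_network("192.168.27.0/24")

# One alert in Snort's "fast" format, which -A console prints to stdout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The Classification field and the ports are optional, so both are optional groups here.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Parse one fast-format alert line; return None for banner/status/blank lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"], a["pri"] = int(a["sid"]), int(a["pri"])
    a["external_src"] = ip_address(a["src"]) not in HOME_NET
    return a

def summarize(lines):
    """Count alerts per signature and, for sources outside HOME_NET, per src/dst/proto flow."""
    by_sid, by_flow, skipped = Counter(), Counter(), 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            skipped += 1          # e.g. "Commencing packet processing", not an alert
            continue
        by_sid[(a["sid"], a["msg"])] += 1
        if a["external_src"]:
            by_flow[(a["src"], a["dst"], a["proto"])] += 1
    return by_sid, by_flow, skipped

# Constructed sample console output (local SIDs 1000001+, not real captured alerts):
# the Attacker pinging Meta and IDS, Meta's echo reply, and one TCP connect to Meta.
SAMPLE = """\
12/22-18:50:01.123456  [**] [1:1000001:1] LAB ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.17.60 -> 192.168.27.134
12/22-18:50:01.123790  [**] [1:1000002:1] LAB ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.134 -> 192.168.17.60
12/22-18:50:02.200000  [**] [1:1000001:1] LAB ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.17.60 -> 192.168.27.50
12/22-18:50:05.000000  [**] [1:1000003:1] LAB TCP connect to Meta [**] [Priority: 3] {TCP} 192.168.17.60:40122 -> 192.168.27.134:80
Commencing packet processing (pid=1234)
"""
```

Run it as summarize(SAMPLE.splitlines()); in the lab, feed it the console output redirected to a file instead.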