Snort配置笔记.doc

在官网下载了最新版的windows平台下的snort安装包Snort__Installer.exe和规则文件库snort-.tar.zip（也有需要付费的规制库），查阅了网上的资料终于把基本的安装和IDS模式配置完成了，写成学习笔记以便加强记忆。-1、由于我本机已经安装了WinPcap_4_1_2.exe，可满足当前Snort版本对WinPcap版本的要求，所以只下载了Snort。首先安装Snort__Installer.exe，过程比较简单，由于只是自己测试，我没有进行过多的设置一路Next安装完毕，默认路径C:Snort，最后弹出Snort has successfullly been installed.窗口，点击“确定”安装成功；之后同样步骤完成了WinPcap_4_1_2.exe的安装。2、配置环境变量（我感觉我不配置也可以啊），如下图所示：3、运行cmd，输入“snort -？”可以查看snort相关命令行，如下图所示：4、导入规则文件库（需网站注册），解压下载下来的snort-.tar.zip，得到四个文件夹：将文件夹下的文件复制到snort安装目录下对应的文件中，我安完snort安装目录下没有so_rules文件夹，就直接复制过去了。5、然后启用ids模式，执行以下命令：snort -dev -l c:snortlog -c c:snortetcsnort.conf这时遇到了很多问题，主要都是由于snort.conf配置文件的错误，找了一些资料及snort官网的论坛，终于解决了，可能有些解决的办法不一定是很好的，不管怎样终于可以运行起来了。第一个错误：ERROR:c:Snortetcsnort.conf(39) Unknown rule type:ipvar解决办法：把snort.conf文件中的ipvar改为var（可能不是根本的解决办法）解决之后重复执行上图的运行命令，会弹出第二个错误，以下依次类推。第二个错误：ERROR: C:SnortBuildsnort-srcparser.c(5245) Could not stat dynamic module path /usr/local/lib/snort_dynamicpreprocessor/: No such file or directory.解决办法：由于snort.conf文件中默认的配置路径是linux环境中的相对路径，所以在windows环境中需要改为绝对路径：原来代码是这样的：# Step #4: Configure dynamic loaded libraries. # For more information, see Snort Manual, Configuring Snort - Dynamic Modules# path to dynamic preprocessor librariesdynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/# path to base preprocessor enginedynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so# path to dynamic rules librariesdynamicdetection directory /usr/local/lib/snort_dynamicrules按照当前目录下的文件名称及所在路径改为：# Step #4: Configure dynamic loaded libraries. # For more information, see Snort Manual, Configuring Snort - Dynamic Modules# path to dynamic preprocessor libraries#dynamicpreprocessor directory C:Snortlibsnort_dynamicpreprocessordynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_dce2.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_dns.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_ftptelnet.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_sdf.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_smtp.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_ssh.dlldynamicpreprocessor file C:Snortlibsnort_dynamicpreprocessorsf_ssl.dlldynamicengine C:/Snort/lib/snort_dynamicengine/sf_engine.dll# path to base preprocessor engine#dynamicengine C:Snortlibsnort_dynamicenginelibsf_engine.so# path to dynamic rules libraries#dynamicdetection C:Snortlibsnort_dynamicrules第三个错误：ERROR: C:Snortetcsnort.conf(255) = compress_depth and decompress_depth should be set to max in the default policy to enable unlimited_decompressFatal Error, Quitting.解决办法：我把compress_depth 20480改成了65535，也不知道对不对，反正是不报错了？第四个错误：ERROR: C:Snortetcsnort.conf(201) Unknown preprocessor: normalize_ip4.Fatal Error, Quittig.解决办法：把下面的都#注掉了就好了。我看技术人员回复的意思应该是“因为在IDS模式不起作用，但是在windows平台下实际起作用了”，所以注掉。# Does nothing in IDS mode#preprocessor normalize_ip4#preprocessor normalize_tcp: ips ecn stream#preprocessor normalize_icmp4#preprocessor normalize_ip6#preprocessor normalize_icmp6逐个解决完上面遇到的问题之后，再执行以IDS模式运行的指令时，应该就正确进入IDS模式了。 还需要注意的是，snort.conf文件中此处的路径需要改为绝对路径，这样才能正确调用规则文件，当有事件时才能触发规则发生相应动作（我这么理解的）# Path to your rules files (this can be a relative path)# Note for Windows users: You are advised to make this an absolute path,# such as: c:snortrulesvar RULE_PATH ./rules var SO_RULE_PATH ./so_rulesvar PREPROC_RULE_PATH ./preproc_rules 改为var RULE_PATH c:Snortrulesvar SO_RULE_PATH c:Snortso_rulesvar PREPROC_RULE_PATH c:Snortpreproc_rules 很有帮助的参考资料：/developerworks/cn/web/wa-snort1//developerworks/cn/web/wa-snort2/另外，修改snort.conf最