An IDS monitors all the traffic coming across your network card and looks for attempts to hack, probe, or DoS your server. If you are one of those people who think there is no hack attempt on your computer, install an IDS right now.
I am currently trying SNORT. SNORT was one of the first Unix IDS systems and has now been ported to Windows, where it is quite easy to install. Configuration is another story.
1. Download the Windows binary of SNORT from here.
2. SNORT uses text-based rules files that contain detection signatures. You can pay for advanced ones made by Sourcefire or download the community edition for free from here. Extract it and copy the rules to the c:\snort\rules directory.
3. Now it's time to change the config file (located in c:\snort\etc\snort.conf):
-Step #1 (network variables): I leave this section alone until I get things working.
-Step #2 (configure DLLs): These default to the Unix paths, so change the dynamicpreprocessor and dynamicengine entries like this:
dynamicpreprocessor directory c:\Snort\lib\snort_dynamicpreprocessor
dynamicengine c:\Snort\lib\snort_dynamicengine\sf_engine.dll
-Step #3 (preprocessor config): preprocessors clean up the data stream and do basic analysis of it before any rules are processed. I leave it alone.
-Step #4 (output plugins): This is how data gets output (i.e. the event log, text files, binary tcpdump-format logs, etc.). I leave this alone as my command-line options do all that I need.
-Step #5 (config statements): Allows you to ignore ports. I leave it alone by default.
-Step #6 (rules): lists all of the rule files to process. This needs to be changed to point to the community rules we downloaded. I delete all the rules and paste this in:
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-cgi.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules
4. Open a command window and cd \snort\bin.
5. Run: snort.exe -l c:\snort\log -c c:\snort\etc\snort.conf -A console
6. Now if everything is configured right you should get a lot of info scrolling by, and SNORT should sit there waiting for data (if it returns you to the DOS prompt, check for errors on screen).
7. Attack it :). I like to use the old Superfluous Decoding Vulnerability (IIS checked the request data and then decoded it, instead of doing it the other way around; this allowed an attacker to run cmd.exe, or anything else, via a URL).
Type this into your browser: http://server/Scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+\
8. You should see some data logged to the console along the lines of "DOUBLE DECODING ATTACK".
9. If not, check which interface SNORT chose (it seems to pick the first one, which was a dial-up adapter for me). To change the interface used, add -i #; for me -i 2 worked to pick interface #2 (you can also run snort -W to see all interfaces).
10. I like my logging a little more in depth and in plain text (it defaults to binary, which is way faster). So I add -K ascii to the command line, as well as -de to dump the offending packet to the log file too. With this config you will see a folder for every attacker with a file per attack in that folder. Keep an eye on these folders and purge them every once in a while.
(My command line now looks like this: snort.exe -l c:\snort\log -c c:\snort\etc\snort.conf -i 2 -K ascii -de -A console)
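As an added illustration (not code from the original post, IIS or Snort) of why the step 7 URL is flagged as double decoding: the check-then-decode ordering the post describes next to a decode-then-check ordering, in Python. contains_traversal is a simplified stand-in for a server-side path check, and TEST_PATH is the request path taken from the post's test URL.

```python
from urllib.parse import unquote

# Constructed from the request path in the post's step 7 test URL.
TEST_PATH = "/Scripts/..%255c..%255cwinnt/system32/cmd.exe"

def contains_traversal(path):
    """Simplified traversal check: a '..' segment followed by a path separator."""
    return "..\\" in path or "../" in path

def vulnerable_check_then_decode(path):
    """The ordering the post describes: validate the raw path, then decode it
    (twice). %255c passes the check and only becomes '\\' afterwards.
    Returns (blocked, effective_path)."""
    if contains_traversal(path):
        return True, path
    return False, unquote(unquote(path))

def fixed_decode_then_check(path):
    """Safer ordering: decode once, refuse anything that is still encoded
    (a second pass would change it), then run the traversal check on the
    decoded path. Returns (blocked, effective_path)."""
    once = unquote(path)
    if unquote(once) != once:
        return True, once          # double encoding: reject instead of decoding again
    if contains_traversal(once):
        return True, once
    return False, once

def is_double_encoded(path):
    """The condition an IDS can report as 'double decoding': a second decode
    pass still changes the string, i.e. %25 was hiding another escape.
    A literal '%' sent as %25 followed by two hex digits also trips this."""
    once = unquote(path)
    return unquote(once) != once
```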
If you are happy with everything, you can install SNORT to run as a service by adding "/SERVICE /INSTALL" after the snort.exe call and replacing the "-A console" option with "-A fast":
snort.exe /SERVICE /INSTALL -l c:\snort\log -c c:\snort\etc\snort.conf -i 2 -K ascii -de -A fast
If you need to uninstall the service, just run snort.exe /SERVICE /UNINSTALL.
Once set up like this you should see a file called alert.ids in your log folder. If you open it up you will see a brief log of the attack and can then go into the folder for that IP and see more info on it.
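Added example (not from the original post) of reading the alert.ids file that -A fast writes and ranking source IPs by alert count, which is the "who is trying the most attacks" view the text-file layout gives you. The sample lines are constructed, the fast-alert line format and IPv4-only addresses are assumptions, and log_folder mirrors the per-IP folder layout the post describes under c:\snort\log.

```python
import ntpath
import re
from collections import Counter

# Constructed sample of "-A fast" alert lines as they would appear in alert.ids
# (assumed format: timestamp [**] [gid:sid:rev] msg [**] [Classification] [Priority] {proto} src -> dst).
SAMPLE_ALERT_IDS = """\
05/14-10:22:31.123456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.50:3456 -> 192.0.2.10:80
05/14-10:22:31.223456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.50:3457 -> 192.0.2.10:80
05/14-10:23:02.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 192.0.2.10
05/14-10:25:45.500000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:40112 -> 192.0.2.10:80
"""

# IPv4 addresses assumed; ports are absent for ICMP, so they are optional groups.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match
    (e.g. a partially written last line) are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["prio"] = int(a["prio"]) if a["prio"] is not None else None
        alerts.append(a)
    return alerts

def attackers_by_count(alerts):
    """Source IP -> alert count, busiest first."""
    return Counter(a["src"] for a in alerts).most_common()

def log_folder(src, base=r"c:\snort\log"):
    """Folder where -K ascii puts that source's per-attack files (post's layout, assumed)."""
    return ntpath.join(base, src)
```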
snort has tons of options, like logging to a database or the Windows event log. I personally like the text-file approach as it leads to easier backups for my situation and makes it easier to spot which IP addresses are trying the most attacks. I encourage you to play with it and customize it for your environment.
One mistake I made was installing IDScenter, which is a GUI for snort admin. Great idea, but it seems to screw up your snort.conf file (I think it was written for an older version of snort). I would not recommend installing it.