$ cd /tmp # wget http://www.snort.org/dl/binaries/linux/snort-2.3.3-0.fdr.1.i386.rpm # rpm -ivh snort-2.3.3-0.fdr.1.i386.rpm |
$ cd /etc/sysconfig $ cp -p snort snort.20050605.orig $ vi snort |
# What interface
should snort listen on? [Pick only 1 of the next 3!] # This is -i {interface} on the command line # This is the snort.conf config interface: {interface} directive INTERFACE=eth0 |
# What interface
should snort listen on? [Pick only 1 of the next 3!] # This is -i {interface} on the command line # This is the snort.conf config interface: {interface} directive INTERFACE=eth1 |
# cd /etc/snort # cp -p snort.conf snort.conf.20050603 # vi snort.conf |
var HOME_NET any var EXTERNAL_NET any |
var HOME_NET 192.168.1.0/24
#プライベートネットワークは中 var EXTERNAL_NET !$HOME_NET #それ以外のネットワークは外 |
$ cd /tmp $ wget http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz $ tar xzf Community-Rules.tar.gz $ cd rules/ $ sudo mv *.rules /etc/snort/rules (the archive is fetched over plain HTTP, so check its integrity before moving the rules into /etc/snort/rules) |
# sudo
/etc/init.d/snortd Starting snort: [ OK ] |
$ ps -ef | grep snort snort 11944 1 62 19:38 ? 00:00:02 /usr/sbin/snort -A fast -b -d -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort |
# tail -3
/var/log/snort/alert 06/14-01:06:26.080863 [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] {TCP} 219.145.190.247:4443 -> xxx.xxx.xx.xxx::80 06/14-02:34:03.812678 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} 219.117.205.56:4145 -> xxx.xxx.xx.xxx::8080 06/14-20:21:40.688422 [**] [1:486:4] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 219.101.190.195 -> xxx.xxx.xx.xxx: |