Snort是一个广泛使用的开源网络入侵检测系统,能够实时分析网络流量并识别潜在的攻击。它支持自定义规则,可以根据特定的威胁情报进行配置。
Yurii Chalov -X (ychalov - SOFTSERVE INC at Cisco) e0261e2fdf Pull request #4450: js_norm: allow processing complex nested PDF objects | 3 周之前 | |
---|---|---|
cmake | 2 月之前 | |
daqs | 2 月之前 | |
doc | 3 周之前 | |
lua | 5 月之前 | |
src | 3 周之前 | |
tools | 4 月之前 | |
.clang-tidy | 7 年之前 | |
.gitignore | 5 年之前 | |
CMakeLists.txt | 3 周之前 | |
COPYING | 10 年之前 | |
ChangeLog.md | 3 周之前 | |
LICENSE | 10 年之前 | |
README.md | 2 年之前 | |
cmake_uninstall.cmake.in | 10 年之前 | |
config.cmake.h.in | 3 月之前 | |
configure_cmake.sh | 3 月之前 | |
crusty.cfg | 2 年之前 | |
snort.pc.in | 3 月之前 |
Snort 3 is the next generation Snort IPS (Intrusion Prevention System). This file will show you what Snort++ has to offer and guide you through the steps from download to demo. If you are unfamiliar with Snort you should take a look at the Snort documentation first. We will cover the following topics:
This version of Snort++ includes new features as well as all Snort 2.X features and bug fixes for the base version of Snort except as indicated below:
Project = Snort++
Binary = snort
Version = 3.0.0 (Build 250) from 2.9.11
Here are some key features of Snort++:
Additional features on the roadmap include:
If you already build Snort, you may have everything you need. If not, grab the latest:
Additional packages provide optional features. Check the manual for more.
There is a source tarball available in the Downloads section on snort.org:
snort-3.0.0-a3.tar.gz
You can also get the code with:
git clone https://github.com/snort3/snort3.git
There are separate extras packages for cmake that provide additional features and demonstrate how to build plugins. The source for extras is in snort3_extra.git repo.
Follow these steps:
Set up source directory:
cd snort3/
tar zxf snort-tarball
cd snort-3.0.0*
Setup install path:
export my_path=/path/to/snorty
./configure_cmake.sh --prefix=$my_path
cd build
make -j $(nproc) install
Note:
Here are some examples. If you are using Talos rules and/or configs, you should first set any needed variables at the top of snort.lua and snort_defaults.lua.
Snort++ provides lots of help from the command line, including:
$my_path/bin/snort --help
$my_path/bin/snort --help-module suppress
$my_path/bin/snort --help-config | grep thread
$my_path/bin/snort -r a.pcap
$my_path/bin/snort -L dump -d -e -q -r a.pcap
Verify a config, with or w/o rules:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
-r a.pcap -A alert_test -n 100000
Let's suppress 1:2123. We could edit the conf or just do this:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
-r a.pcap -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
--pcap-filter \*.pcap --pcap-dir pcaps/ -A alert_fast --max-packet-threads 8
Additional examples are given in doc/usage.txt.
Take a look at the manual, parts of which are generated by the code so it stays up to date:
$my_path/share/doc/snort/snort_manual.pdf
$my_path/share/doc/snort/snort_manual.html
$my_path/share/doc/snort/snort_manual/index.html
It does not yet have much on the how and why, but it does have all the currently available configuration, etc. Some key changes to rules:
It also covers new features not demonstrated here:
o")~
We hope you are as excited about Snort++ as we are. Let us know what you think on the snort-users list. In the meantime, we'll keep our snout to the grindstone.