Snort IPS with NFQ

Snort IPS mode

Since there is little Snort material online, this is a write-up of the Snort IPS + NFQ setup I have used. Snort 2 is the example; installing Snort 3 on a Mac M1 is quite inconvenient.

ENV

  • MAC M1
  • OrbStack Container
  • Ubuntu 22.04

Install

# Ubuntu packages: the distro Snort 2 package plus the build dependencies for DAQ and libdnet
apt-get update

DEBIAN_FRONTEND=noninteractive apt-get -yq install snort

apt-get install -y libdnet build-essential bison flex libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev libnetfilter-queue-dev libmnl-dev libdumbnet-dev wget iproute2 git python3 pip iptables libluajit-5.1-dev libssl-dev libnghttp2-dev libntirpc-dev nano zip
dpkg -L libntirpc-dev

# DAQ 2.0.7 from source (the nfq DAQ module used below is built when libnetfilter-queue-dev is present)
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
tar zxvf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure && make && make install
cd ..

# libdnet 1.11 from source, built position-independent
wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz
tar -xzvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure "CFLAGS=-fPIC -g -O2" && make && make install

Configure Snort NFQ

iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
iptables -I FORWARD -j NFQUEUE --queue-num 1
iptables -I INPUT -j NFQUEUE --queue-num 1

Add the following to /etc/snort/rules/local.rules:

drop icmp any any -> any any (msg:"Drop Ping"; sid:6786786; rev:1;)

Run Snort:

snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/snort.conf -l /var/log/snort
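Two things are worth checking once Snort is attached to the queue: that the iptables rules are actually seeing packets (an NFQUEUE rule whose counters stay at zero means traffic is not reaching Snort at all), and that the local rule fires. Note also that the INPUT and FORWARD rules hand every packet to the queue, so if Snort is not running the host is cut off unless the rules carry `--queue-bypass`; and a rule in the nat PREROUTING chain is only consulted for the first packet of each connection, so it is the filter-table rules that give full inspection. The following script is an added example and is not part of the original post or of Snort or DAQ; it generates the iptables commands with `--queue-bypass`, sums NFQUEUE packet counters from `iptables -nvxL` text, checks a Snort 2 rule line for basic well-formedness, and counts alert_fast lines for a sid. The sample iptables listing and alert lines embedded in it are constructed, not captured from a real system; `snort -T -c /etc/snort/snort.conf` remains the authoritative syntax check for the rule file.

```shell
#!/bin/sh
# Added example, not part of the original post: offline checks for a Snort
# NFQ deployment. Every function reads its input from arguments or stdin, so
# the same code runs against the constructed sample text below and against
# real `iptables -nvxL` output or the Snort alert log on the box.

# Print the three iptables commands from the post for a given queue number,
# with --queue-bypass added: without it every packet is blackholed whenever
# Snort is not attached to the queue (fail-closed). Drop the flag if that is
# the behaviour you want.
nfq_rules() {
  queue="${1:-1}"
  for chain in "-t nat -I PREROUTING" "-I FORWARD" "-I INPUT"; do
    printf 'iptables %s -j NFQUEUE --queue-num %s --queue-bypass\n' "$chain" "$queue"
  done
}

# Sum the packet counters of all rules that send traffic to queue $1, reading
# the text of `iptables -nvxL` on stdin (-x keeps exact counters, no K/M
# suffixes). Zero after generating traffic means the rules are not matching.
nfq_packet_count() {
  awk -v q="$1" '$3 == "NFQUEUE" && $0 ~ ("NFQUEUE num " q "( |$)") { n += $1 }
                 END { print n + 0 }'
}

# Return 0 if a Snort 2 rule line looks well formed: a known action, a
# protocol, source and destination address/port pairs, a direction operator,
# and an option block whose sid is terminated by a semicolon as the rule
# grammar expects. This is a sanity check, not a full parser.
rule_ok() {
  printf '%s\n' "$1" |
    grep -Eq '^(alert|log|pass|drop|reject|sdrop) +[a-z]+ +[^ ]+ +[^ ]+ +(->|<>) +[^ ]+ +[^ ]+ +\(.*sid:[0-9]+;.*\)$'
}

# Count alerts for one sid in alert_fast-format text on stdin; each line
# carries the generator:sid:rev triple as "[1:<sid>:<rev>]".
alert_count_for_sid() {
  grep -c "\[1:$1:" || true
}

# Constructed sample of `iptables -nvxL` after a few pings (not real output).
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       9000 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1 bypass

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42       3100 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1 bypass
       7        500 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 2'

# Constructed alert_fast lines (not a real log).
SAMPLE_ALERTS='01/15-10:00:01.000001  [**] [1:6786786:1] Drop Ping [**] [Priority: 0] {ICMP} 10.0.0.2 -> 10.0.0.1
01/15-10:00:02.000002  [**] [1:6786786:1] Drop Ping [**] [Priority: 0] {ICMP} 10.0.0.2 -> 10.0.0.1
01/15-10:00:03.000003  [**] [1:1000001:1] Other rule [**] [Priority: 0] {TCP} 10.0.0.2:40000 -> 10.0.0.1:80'

# Demo run: print the rules, then evaluate the sample text.
nfq_rules 1
printf 'packets queued to 1: %s\n' "$(printf '%s\n' "$SAMPLE_IPTABLES" | nfq_packet_count 1)"
printf 'Drop Ping alerts:    %s\n' "$(printf '%s\n' "$SAMPLE_ALERTS" | alert_count_for_sid 6786786)"
if rule_ok 'drop icmp any any -> any any (msg:"Drop Ping"; sid:6786786; rev:1;)'; then
  echo 'rule syntax: ok'
fi
```

On a live host, replace the constructed text with `iptables -nvxL | nfq_packet_count 1` and `alert_count_for_sid 6786786 < /var/log/snort/alert` (the fast-format file name depends on the output plugin configured in snort.conf).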