The environment is Ubuntu:

$ cat /etc/issue
Ubuntu 20.04 LTS \n \l

First, download the source from GitHub; version 3.0.2 (the 3.0.2-5 tag) is used here.

~/ips$ wget https://github.com/snort3/snort3/archive/3.0.2-5.tar.gz
~/ips$
~/ips$ tar -xf 3.0.2-5.tar.gz
~/ips$
~/ips$ cd snort3-3.0.2-5/
~/ips/snort3-3.0.2-5$

Next, install the required dependencies:

~/ips/snort3-3.0.2-5$ sudo apt install cmake
~/ips/snort3-3.0.2-5$ sudo apt install pkg-config
~/ips/snort3-3.0.2-5$ sudo apt install libdaq-dev
~/ips/snort3-3.0.2-5$ sudo apt install libdaq2
~/ips/snort3-3.0.2-5$ sudo apt install libhwloc-dev
~/ips/snort3-3.0.2-5$ sudo apt install luajit
~/ips/snort3-3.0.2-5$ sudo apt install libluajit-5.1-dev
~/ips/snort3-3.0.2-5$ sudo apt install libpcap-dev
~/ips/snort3-3.0.2-5$ sudo apt install libpcre3-dev
~/ips/snort3-3.0.2-5$ sudo apt install liblzma-dev

Install the libdnet library from source:

~/ips/snort3-3.0.2-5$ cd ..
~/ips$
~/ips$ wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz
~/ips$ tar -xf libdnet-1.11.tar.gz
~/ips$
~/ips$ cd libdnet-1.11/
~/ips/libdnet-1.11$
~/ips/libdnet-1.11$ ./configure
~/ips/libdnet-1.11$ make
~/ips/libdnet-1.11$ sudo make install
~/ips/libdnet-1.11$
~/ips/libdnet-1.11$ cd ..
~/ips$
~/ips$ cd snort3-3.0.2-5
~/ips/snort3-3.0.2-5$

Run the configure_cmake.sh script.

~/ips/snort3-3.0.2-5$ ./configure_cmake.sh
Build Directory : build
...
-------------------------------------------------------
snort version 3.0.2

Install options:
    prefix:     /usr/local/snort
    includes:   /usr/local/snort/include/snort
    plugins:    /usr/local/snort/lib/snort

Compiler options:
    CC:             /usr/bin/cc
    CXX:            /usr/bin/c++
    CFLAGS:            -fvisibility=hidden   -DNDEBUG -g -ggdb
    CXXFLAGS:          -fvisibility=hidden   -DNDEBUG -g -ggdb
    EXE_LDFLAGS:
    MODULE_LDFLAGS:

Feature options:
    DAQ Modules:    Static ()
    Flatbuffers:    OFF
    Hyperscan:      OFF
    ICONV:          ON
    Libunwind:      OFF
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          OFF
    TCMalloc:       OFF
    UUID:           OFF
---------------------------------------------------------
-- Configuring done
-- Generating done
...
~/ips/snort3-3.0.2-5$

The following packages are optional; they turn on additional Snort feature options.

~/ips/snort3-3.0.2-5$ sudo apt install libhyperscan-dev
~/ips/snort3-3.0.2-5$ sudo apt install libunwind-dev
~/ips/snort3-3.0.2-5$ sudo apt install uuid-dev
~/ips/snort3-3.0.2-5$ sudo apt install libsafec-dev
~/ips/snort3-3.0.2-5$ sudo apt-cache search tcmalloc
~/ips/snort3-3.0.2-5$ sudo apt install libgoogle-perftools-dev

Running configure_cmake.sh again shows TCMalloc still OFF, so download the gperftools source and install it:

~/ips/snort3-3.0.2-5$ cd ..
~/ips$
~/ips$ wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.8/gperftools-2.8.tar.gz
~/ips$ tar -xf gperftools-2.8.tar.gz
~/ips$ cd gperftools-2.8/
~/ips/gperftools-2.8$ ./configure
~/ips/gperftools-2.8$ make
~/ips/gperftools-2.8$ sudo make install
~/ips/gperftools-2.8$
~/ips/gperftools-2.8$ cd ..
~/ips$
~/ips$ cd snort3-3.0.2-5/
~/ips/snort3-3.0.2-5$

After installing gperftools, TCMalloc is still OFF. Unlike the other features, it has to be enabled explicitly when running the script:

~/ips/snort3-3.0.2-5$ ./configure_cmake.sh --enable-tcmalloc
Build Directory : build
...
Feature options:
    DAQ Modules:    Static ()
    Flatbuffers:    OFF
    Hyperscan:      ON
    ICONV:          ON
    Libunwind:      ON
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          ON
    TCMalloc:       ON
    UUID:           ON
---------------------------------------------------------
-- Configuring done
-- Generating done
~/ips/snort3-3.0.2-5$

Run make to compile; it fails with the following error:

~/ips/snort3-3.0.2-5$ cd build
~/ips/snort3-3.0.2-5/build$
~/ips/snort3-3.0.2-5/build$ make
...
~/ips/snort3-3.0.2-5/src/protocols/packet.h: At global scope:
~/ips/snort3-3.0.2-5/src/protocols/packet.h:144:5: error: ‘DAQ_Msg_h’ does not name a type
  144 |     DAQ_Msg_h daq_msg;              // DAQ message this packet came from
      |     ^~~~~~~~~
In file included from ~/ips/snort3-3.0.2-5/src/actions/actions.cc:27:
~/ips/snort3-3.0.2-5/src/packet_io/active.h:166:25: error: ‘DAQ_Msg_h’ has not been declared
  166 |     static int send_eth(DAQ_Msg_h, int, const uint8_t* buf, uint32_t len);
      |                         ^~~~~~~~~

Looking back at the configure_cmake.sh run, a related message had already appeared: pkg-config could not find libdaq >= 3.0.0, and CMake fell back to /usr/lib/libdaq.so, which comes from the Ubuntu libdaq2/libdaq-dev packages installed above and is DAQ 2.x. DAQ_Msg_h is a DAQ 3 type, hence the compile error:

~/ips/snort3-3.0.2-5$ ./configure_cmake.sh
Build Directory : build
Source Directory: /home/kai/ips/snort3-3.0.2-5
...
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.1")
-- Checking for module 'libdaq>=3.0.0'
--   No package 'libdaq' found
-- Found DAQ: /usr/lib/libdaq.so

Install libdaq from source; version 3.0.0 (the v3.0.0-alpha7 tag) is used here.

~/ips/snort3-3.0.2-5$ cd ..
~/ips$
~/ips$ wget https://github.com/snort3/libdaq/archive/v3.0.0-alpha7.tar.gz
~/ips$ tar -xf v3.0.0-alpha7.tar.gz
~/ips$
~/ips$ cd libdaq-3.0.0-alpha7/
~/ips/libdaq-3.0.0-alpha7$
~/ips/libdaq-3.0.0-alpha7$ ./bootstrap
~/ips/libdaq-3.0.0-alpha7$ ./configure
...
config.status: executing libtool commands

daq 3.0.0

Build AFPacket DAQ module.. : yes
Build BPF DAQ module....... : yes
Build Divert DAQ module.... : no
Build Dump DAQ module...... : yes
Build FST DAQ module....... : yes
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Build netmap DAQ module.... : no
Build Trace DAQ module..... : yes
~/ips/libdaq-3.0.0-alpha7$
~/ips/libdaq-3.0.0-alpha7$ make
~/ips/libdaq-3.0.0-alpha7$ sudo make install

Run configure_cmake.sh again; libdaq is now found.

~/ips/snort3-3.0.2-5$ ./configure_cmake.sh --enable-tcmalloc
Build Directory : build
...
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.1")
-- Checking for module 'libdaq>=3.0.0'
--   Found libdaq, version 3.0.0
-- Found DAQ: /usr/local/lib/libdaq.so
-- Checking for module 'libdaq_static_trace'
--   Found libdaq_static_trace, version 3.0.0
-- Checking for module 'libdaq_static_afpacket'
--   Found libdaq_static_afpacket, version 3.0.0
-- Checking for module 'libdaq_static_dump'
--   Found libdaq_static_dump, version 3.0.0
-- Checking for module 'libdaq_static_pcap'
--   Found libdaq_static_pcap, version 3.0.0
-- Checking for module 'libdaq_static_fst'
--   Found libdaq_static_fst, version 3.0.0
-- Checking for module 'libdaq_static_bpf'
--   Found libdaq_static_bpf, version 3.0.0
-- Found DNET: /usr/local/include

The Snort 3 build now completes.

~/ips/snort3-3.0.2-5$ cd build/
~/ips/snort3-3.0.2-5/build$
~/ips/snort3-3.0.2-5/build$ make -j 2
[  1%] Building CXX object src/connectors/tcp_connector/CMakeFiles/tcp_connector.dir/tcp_connector.cc.o
[  1%] Building CXX object src/actions/CMakeFiles/ips_actions.dir/actions.cc.o
...
[ 98%] Built target preprocessor_states
Scanning dependencies of target snort2lua
[ 98%] Building CXX object tools/snort2lua/CMakeFiles/snort2lua.dir/snort2lua.cc.o
[ 98%] Building CXX object tools/snort2lua/CMakeFiles/snort2lua.dir/init_state.cc.o
[100%] Linking CXX executable snort2lua
[100%] Built target snort2lua
[100%] Built target snort
~/ips/snort3-3.0.2-5/build$

Running snort fails because libdaq.so.3 cannot be loaded, even though pkg-config can find the library.

~/ips/snort3-3.0.2-5/build$ ./src/snort
./src/snort: error while loading shared libraries: libdaq.so.3: cannot open shared object file: No such file or directory
~/ips/snort3-3.0.2-5/build$
~/ips/snort3-3.0.2-5/build$ ldd ./src/snort
...
        libdaq.so.3 => not found
...
~/ips/snort3-3.0.2-5/build$
~/ips/snort3-3.0.2-5/build$ pkg-config libdaq --libs
-L/usr/local/lib -ldaq

strace shows that the loader never even looks in /usr/local/lib, the directory libdaq was installed into.

~/ips/snort3-3.0.2-5/build$ strace ./src/snort
...
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/x86_64/libdaq.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/x86_64", 0x7fff710f58d0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdaq.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu", {st_mode=S_IFDIR|0755, st_size=36864, ...}) = 0
...
stat("/usr/lib/x86_64-linux-gnu/x86_64", 0x7fff710f58d0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdaq.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

Without chasing the root cause for now, create a symlink in one of the directories that is searched, /usr/lib/x86_64-linux-gnu/, pointing to /usr/local/lib/libdaq.so.3.0.0; snort then finds the library. (The actual cause is a stale loader cache: on Ubuntu /usr/local/lib is already listed in /etc/ld.so.conf.d/libc.conf, but the libtool "make install" does not rebuild /etc/ld.so.cache, so the cleaner fix is "sudo ldconfig". That also avoids leaving a hand-placed symlink in a system library directory that the package manager knows nothing about.)

~/ips/snort3-3.0.2-5/build$ sudo ln -s /usr/local/lib/libdaq.so.3.0.0 /usr/lib/x86_64-linux-gnu/libdaq.so.3
~/ips/snort3-3.0.2-5/build$
~/ips/snort3-3.0.2-5/build$ ./src/snort
usage:
    ./src/snort -?: list options
    ./src/snort -V: output version
    ./src/snort --help: help summary
    ./src/snort [-options] -c conf [-T]: validate conf
    ./src/snort [-options] -c conf -i iface: process live
    ./src/snort [-options] -c conf -r pcap: process readback
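The symlink works, but it papers over the real problem. The following is an added example, not code from the post or the Snort project, that works out why a freshly built binary cannot load a library before anyone reaches for a symlink in /usr/lib/x86_64-linux-gnu. It assumes Ubuntu, where /etc/ld.so.conf.d/libc.conf already lists /usr/local/lib, and that the missing library was installed under /usr/local/lib or /opt; the helper functions read ldd, ldconfig -p and ld.so.conf text on stdin so they can be exercised with constructed input.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose "cannot open shared
# object file" for a locally built binary. The dynamic loader consults
# /etc/ld.so.cache and then only its built-in default directories, so a
# library installed into /usr/local/lib stays invisible until "ldconfig"
# rebuilds the cache. Assumes Ubuntu (libc.conf lists /usr/local/lib).

# Print the sonames that ldd reports as "not found" (ldd output on stdin).
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Succeed if a soname appears in the loader cache listing ("ldconfig -p" on stdin).
in_ld_cache() {
    awk -v lib="$1" '$1 == lib { found = 1 } END { exit !found }'
}

# Succeed if a directory is listed in the loader configuration text on stdin
# (/etc/ld.so.conf plus the files it includes).
dir_in_ld_conf() {
    awk -v dir="$1" '$1 == dir { found = 1 } END { exit !found }'
}

# Concatenate the loader configuration; the "include" line in ld.so.conf is
# expanded by reading the ld.so.conf.d files directly.
ld_conf_text() {
    cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf 2>/dev/null
}

# diagnose BINARY: for every unresolved library, say what is wrong and what the
# minimal fix is. Only run ldd on binaries you built or trust: ldd may execute
# the binary's own ELF interpreter.
diagnose() {
    bin=$1
    conf=$(ld_conf_text)
    ldd "$bin" | missing_libs | while read -r lib; do
        if /sbin/ldconfig -p | in_ld_cache "$lib"; then
            echo "$lib: listed in ld.so.cache yet unresolved; compare 'ldd -v $bin' with 'ldconfig -p | grep $lib'"
            continue
        fi
        found=$(find /usr/local/lib /opt -name "$lib" 2>/dev/null | head -n 1)
        if [ -z "$found" ]; then
            echo "$lib: not installed under /usr/local/lib or /opt; install the library first"
        elif printf '%s\n' "$conf" | dir_in_ld_conf "$(dirname "$found")"; then
            echo "$lib: installed at $found and its directory is configured; the cache is stale, run: sudo ldconfig"
        else
            echo "$lib: installed at $found but $(dirname "$found") is not in ld.so.conf; add it under /etc/ld.so.conf.d/ and run: sudo ldconfig"
        fi
    done
}

# Usage: sh diagnose-libs.sh ./src/snort   (no argument: only define the functions)
case "${1:-}" in '') ;; *) diagnose "$1" ;; esac
```

On the setup in this post it should report that libdaq.so.3 lives in /usr/local/lib, that the directory is already configured, and that the cache is stale; "sudo ldconfig" then makes the symlink unnecessary. For a throwaway test from the build tree, LD_LIBRARY_PATH=/usr/local/lib also works, but it is a per-process workaround, not a fix.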

Snort has a lot of command-line options; start with a few simple ones to capture some packets. The capture below runs as root via sudo, which is fine for a test; Snort 3 also accepts -u <user> and -g <group> to drop privileges after initialization, which is how it should run for anything longer than that.

~/ips/snort3-3.0.2-5/build$ sudo ./src/snort --help-options
-d dump the Application Layer
-e display the second layer header info
-i <iface>... list of interfaces
-L <mode> logging mode (none, dump, pcap, or log_*)
-n <count> stop after count packets (0:max53)
-Q enable inline mode operation
-v be verbose
-X dump the raw packet data starting at the link layer

Capture a single packet (-n 1) passing through the ens32 interface:

~/ips/snort3-3.0.2-5/build$ sudo ./src/snort -d -e -v -X  -L dump -Q -n 1 -i ens32
--------------------------------------------------
o")~   Snort++ 3.0.2-5
--------------------------------------------------
--------------------------------------------------
Inspection Policy : policy id 0 :
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] ens32
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64
pkt:1
eth(DLT):  00:0C:29:B1:2B:52 -> 50:7B:9D:C7:03:73  type:0x0800
ipv4(0x0800):  192.168.1.129 -> 192.168.1.109
    Next:0x06 TTL:64 TOS:0x10 ID:15025 IpLen:20 DgmLen:184 DF
snort.raw[164]:
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
0000  00 16 C8 97 4D 1F 94 D3  21 6B 83 74 50 18 04 35  ....M... !k.tP..5
0010  84 E9 00 00 E9 19 BD 80  14 F7 93 91 F1 E3 9A 01  ........ ........
0020  49 34 FD A0 4B 2F 95 78  F2 57 92 0C B9 2E 21 DA  I4..K/.x .W....!.
0030  C9 46 2A 1D E1 50 A0 7C  12 0C 83 76 81 54 94 6C  .F*..P.| ...v.T.l
0040  B5 0A 8A FC 2A 2A 9D F5  64 B2 EB 69 F7 2C 1B 1F  ....**.. d..i.,..
0050  10 49 19 19 C4 01 34 C1  B9 CD 62 F8 2B 65 04 57  .I....4. ..b.+e.W
0060  45 5B 27 E9 CA 5F FD A3  9A A0 64 40 C8 8A 70 44  E['.._.. ..d@..pD
0070  6C 08 0F BB 17 01 40 AC  1D D8 0A 62 27 5B 76 BE  l.....@. ...b'[v.
0080  1F 06 E3 FB 72 FA FF D2  0C 77 41 F8 D3 1D 4C AB  ....r... .wA...L.
0090  0F 2E C0 60 DC 65 71 FD  9C 82 5E 91 7F 69 E0 74  ...`.eq. ..^..i.t
00A0  D5 8E 75 67                                       ..ug
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
-- [0] ens32
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                  received: 1
                  analyzed: 1
                     allow: 1
                  rx_bytes: 198
--------------------------------------------------
codec
                     total: 1            (100.000%)
                  discards: 1            (100.000%)
                       eth: 1            (100.000%)
                      ipv4: 1            (100.000%)
                       tcp: 1            (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                  analyzed: 1
                    logged: 1
--------------------------------------------------
tcp
         bad_tcp4_checksum: 1
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                   runtime: 00:00:00
                   seconds: 0.105165
                  pkts/sec: 1
o")~   Snort exiting

One thing to notice in the statistics: the single captured packet is counted under bad_tcp4_checksum. It was sent by this host (192.168.1.129, TCP source port 22, so an SSH server response from the VM), and for locally generated packets a bad checksum at the capture point usually means the NIC fills the checksum in later (TX checksum offload), not corruption. Keep this in mind when testing against a host's own traffic: ethtool -K ens32 tx off turns the offload off, and Snort 3's -k option selects which checksums are verified (-k none disables verification).
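Putting the whole procedure together, as an added example rather than code from the post or the Snort project: a script that performs the steps above in the order that works the first time, namely libdaq 3 from source before snort3 (the Ubuntu libdaq-dev/libdaq2 packages are DAQ 2.x and are left out), gperftools before configuring with --enable-tcmalloc, and a refreshed ld.so cache instead of a hand-made symlink. It assumes Ubuntu 20.04 with sudo, the same versions and URLs as the post, and that you fill in the SHA-256 digests (the *_SHA256 placeholders are assumptions to be replaced from a source you trust); fetch() refuses to unpack a tarball with no pinned digest, and because the digest of a GitHub "archive/" tarball has not always been stable, prefer a release asset where one exists.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project: the build
# steps consolidated in working order. Ubuntu 20.04 assumed. The *_SHA256
# values are placeholders: pin them from a trusted source before running.
set -eu

WORK="$HOME/ips"
SNORT_VER="3.0.2-5"
LIBDAQ_TAG="v3.0.0-alpha7"
GPERF_VER="2.8"
LIBDNET_VER="1.11"

SNORT_SHA256=""     # placeholder (assumption): fill in before building
LIBDAQ_SHA256=""    # placeholder
GPERF_SHA256=""     # placeholder
LIBDNET_SHA256=""   # placeholder

# Succeed only if the file's SHA-256 digest equals the expected value.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# fetch URL FILE DIGEST: download into $WORK, verify the digest, then unpack.
fetch() {
    [ -n "$3" ] || { echo "no digest pinned for $2; refusing to build it" >&2; return 1; }
    [ -f "$WORK/$2" ] || wget -O "$WORK/$2" "$1"
    verify_sha256 "$WORK/$2" "$3" || { echo "digest mismatch for $2" >&2; return 1; }
    tar -C "$WORK" -xf "$WORK/$2"
}

# Build tools and libraries the post installed with apt, minus the DAQ 2.x packages.
install_apt_deps() {
    sudo apt install -y cmake pkg-config libhwloc-dev luajit libluajit-5.1-dev \
        libpcap-dev libpcre3-dev liblzma-dev libhyperscan-dev libunwind-dev \
        uuid-dev libsafec-dev
}

# Build and install an autotools tree under $WORK; runs ./bootstrap when present (libdaq).
build_autotools() (
    cd "$WORK/$1"
    if [ -x ./bootstrap ]; then ./bootstrap; fi
    ./configure
    make -j"$(nproc)"
    sudo make install
)

# Configure snort3 with TCMalloc enabled explicitly, build and install to /usr/local/snort.
build_snort() (
    cd "$WORK/snort3-$SNORT_VER"
    ./configure_cmake.sh --enable-tcmalloc
    cd build
    make -j"$(nproc)"
    sudo make install
)

main() {
    mkdir -p "$WORK"
    install_apt_deps
    fetch "http://prdownloads.sourceforge.net/libdnet/libdnet-$LIBDNET_VER.tar.gz" "libdnet-$LIBDNET_VER.tar.gz" "$LIBDNET_SHA256"
    build_autotools "libdnet-$LIBDNET_VER"
    fetch "https://github.com/gperftools/gperftools/releases/download/gperftools-$GPERF_VER/gperftools-$GPERF_VER.tar.gz" "gperftools-$GPERF_VER.tar.gz" "$GPERF_SHA256"
    build_autotools "gperftools-$GPERF_VER"
    fetch "https://github.com/snort3/libdaq/archive/$LIBDAQ_TAG.tar.gz" "libdaq-$LIBDAQ_TAG.tar.gz" "$LIBDAQ_SHA256"
    build_autotools "libdaq-${LIBDAQ_TAG#v}"
    sudo ldconfig     # register /usr/local/lib/libdaq.so.3 in ld.so.cache; no symlink needed
    fetch "https://github.com/snort3/snort3/archive/$SNORT_VER.tar.gz" "snort3-$SNORT_VER.tar.gz" "$SNORT_SHA256"
    build_snort
    sudo ldconfig
    /usr/local/snort/bin/snort -V
}

# Usage: sh build-snort3.sh --build   (without the flag only the functions are defined)
case "${1:-}" in --build) main ;; esac
```

The order matters for the two failures the post ran into: libdaq 3 must be installed and registered with ldconfig before configure_cmake.sh runs, so that pkg-config resolves libdaq >= 3.0.0 instead of the DAQ 2 library from apt, and TCMalloc only appears as ON when --enable-tcmalloc is passed.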
