Correct setup of snort.conf

Discussion in 'Linux, Freebsd, *nix' started by Ershik, 4 Jul 2008.

  1. Ershik

Ershik Elder

    Joined:
    7 Nov 2007
    Messages:
    301
    Likes Received:
    46
    Reputations:
    6
Installed snort.
Configured snort.conf, dropped in the rules...
Out of curiosity I looked into /var/log/snort/
And what do I see: a snort.log file of 26 megabytes....

Is that how it should be? Or did I configure something wrong, so that false attacks are being recorded?
     
    #1 Ershik, 4 Jul 2008
    Last edited: 4 Jul 2008
  2. Elitemaster

    Elitemaster Banned

    Joined:
    3 Jul 2008
    Messages:
    3
    Likes Received:
    2
    Reputations:
    0
Post at least a piece of the log.
     
  3. Ershik

    ###################################################
    # Step #1: Set the network variables:
    #
    # You must change the following variables to reflect your local network. The
    # variable is currently setup for an RFC 1918 address space.
    #
    # You can specify it explicitly as:
    #
# var HOME_NET 62.16.****.*** # my VDS address
    #
    # or use global variable $<interfacename>_ADDRESS which will be always
    # initialized to IP address and netmask of the network interface which you run
    # snort at. Under Windows, this must be specified as
    # $(<interfacename>_ADDRESS), such as:
    # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
    #
# var HOME_NET $eth0_ADDRESS
    #
    # You can specify lists of IP addresses for HOME_NET
    # by separating the IPs with commas like this:
    #
    # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
    #
    # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
    #
    # or you can specify the variable to be any IP address
    # like this:

    var HOME_NET any

    # Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET !$HOME_NET # I read that to reduce false attacks you should set !$HOME_NET

    # Configure your server lists. This allows snort to only look for attacks to
    # systems that have a service up. Why look for HTTP attacks if you are not
    # running a web server? This allows quick filtering based on IP addresses
    # These configurations MUST follow the same configuration scheme as defined
    # above for $HOME_NET.

    # List of DNS servers on your network
    var DNS_SERVERS $HOME_NET

    # List of SMTP servers on your network
    var SMTP_SERVERS $HOME_NET

    # List of web servers on your network
    var HTTP_SERVERS $HOME_NET

    # List of sql servers on your network
    var SQL_SERVERS $HOME_NET

    # List of telnet servers on your network
    var TELNET_SERVERS $HOME_NET

    # List of snmp servers on your network
    var SNMP_SERVERS $HOME_NET

    # Configure your service ports. This allows snort to look for attacks destined
    # to a specific application only on the ports that application runs on. For
    # example, if you run a web server on port 8081, set your HTTP_PORTS variable
    # like this:
    #
    # portvar HTTP_PORTS 8081
    #
    # Ports you run web servers on
    portvar HTTP_PORTS 80

    # NOTE: If you wish to define multiple HTTP ports, use the portvar
    # syntax to represent lists of ports and port ranges. Examples:
    ## portvar HTTP_PORTS [80,8080]
    ## portvar HTTP_PORTS [80,8000:8080]
    # And only include the rule that uses $HTTP_PORTS once.
    #
    # The pre-2.8.0 approach of redefining the variable to a different port and
    # including the rules file twice is obsolete. See README.variables for more
    # details.

    # Ports you want to look for SHELLCODE on.
    portvar SHELLCODE_PORTS !80

    # Ports you might see oracle attacks on
    portvar ORACLE_PORTS 1521

    # other variables
    #
    # AIM servers. AOL has a habit of adding new AIM servers, so instead of
    # modifying the signatures when they do, we add them to this list of servers.
    var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

    # Path to your rules files (this can be a relative path)
    # Note for Windows users: You are advised to make this an absolute path,
    # such as: c:\snort\rules
    var RULE_PATH /etc/snort
var PREPROC_RULE_PATH ../preproc_rules # should the preproc_rules folder be located in /etc/preproc_rules ??
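Added example (editor's code, not from the thread or from the Snort project): a small Python checker for the network variables in a Snort 2.x snort.conf. It expands `$NAME` references the way Snort does and flags the combination in the config above: `var HOME_NET any` makes every address "local", and `var EXTERNAL_NET !$HOME_NET` then expands to `!any`, the empty set, so rules written `$EXTERNAL_NET -> $HOME_NET` cannot match (later Snort 2 releases refuse to start with "!any is not allowed"). The config excerpts embedded below are constructed; 192.0.2.10 is a documentation address standing in for the poster's masked VDS address. The path check assumes Snort's behaviour of resolving a relative include path against the directory of the top-level snort.conf, so with snort.conf in /etc/snort, `../preproc_rules` is /etc/preproc_rules. One caveat worth knowing when judging the 26 MB file: `snort.log.*` in the `-l` directory is Snort's binary packet log (tcpdump format, readable with `snort -r` or tcpdump), while text alerts go to the `alert` file next to it, so the packet log's size alone says nothing about false positives.

```python
# Added example, not code from the thread: a checker for the network
# variables of a Snort 2.x snort.conf. It flags the combination that makes
# the ruleset meaningless: HOME_NET = any together with EXTERNAL_NET = !$HOME_NET.
import posixpath
import re

VAR_RE = re.compile(r"^(var|ipvar|portvar)\s+(\w+)\s+(\S+)")
REF_RE = re.compile(r"\$(\w+)")

SERVER_LISTS = ("DNS_SERVERS", "SMTP_SERVERS", "HTTP_SERVERS",
                "SQL_SERVERS", "TELNET_SERVERS", "SNMP_SERVERS")

# Constructed excerpt with the values from the posted config (not the real file).
POSTED_CONF = """\
var HOME_NET any
var EXTERNAL_NET !$HOME_NET   # trailing comment, ignored as Snort does
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
portvar HTTP_PORTS 80
var RULE_PATH /etc/snort
var PREPROC_RULE_PATH ../preproc_rules
"""

# The same excerpt corrected: HOME_NET is the single VDS address (192.0.2.10
# is a documentation address used as a stand-in), so EXTERNAL_NET = !$HOME_NET
# becomes "everything except my host", and SQL_SERVERS is only the local DB.
FIXED_CONF = """\
var HOME_NET 192.0.2.10/32
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS 127.0.0.1/32
portvar HTTP_PORTS 80
var RULE_PATH /etc/snort
var PREPROC_RULE_PATH ../preproc_rules
"""


def parse_vars(conf_text):
    """Map NAME -> raw value for every uncommented var/ipvar/portvar line."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            found[m.group(2)] = m.group(3)
    return found


def resolve(name, variables, _seen=frozenset()):
    """Expand $REFERENCES inside a variable recursively, refusing cycles."""
    if name in _seen:
        raise ValueError(f"cyclic reference through ${name}")
    if name not in variables:
        raise KeyError(f"${name} is referenced but never defined")
    seen = _seen | {name}
    return REF_RE.sub(lambda m: resolve(m.group(1), variables, seen),
                      variables[name])


def resolve_path(conf_dir, path):
    """Assumed Snort 2 behaviour: a relative include path is taken relative to
    the directory holding the top-level snort.conf."""
    return posixpath.normpath(posixpath.join(conf_dir, path))


def lint(conf_text):
    """Return a list of findings; an empty list means the variables are sane."""
    variables = parse_vars(conf_text)
    findings = []
    if variables.get("HOME_NET") == "any":
        findings.append("HOME_NET is 'any': every address is 'local', so no rule "
                        "can tell your host from the rest of the Internet")
    if "EXTERNAL_NET" in variables and resolve("EXTERNAL_NET", variables) == "!any":
        findings.append("EXTERNAL_NET expands to '!any' (nothing): rules written "
                        "$EXTERNAL_NET -> $HOME_NET never match, and later Snort "
                        "releases refuse to start on it")
    for srv in SERVER_LISTS:
        if srv in variables and resolve(srv, variables) == "any":
            findings.append(f"{srv} is 'any': narrow it to hosts that run that service")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"[{label}] EXTERNAL_NET = {resolve('EXTERNAL_NET', parse_vars(conf))}")
        for finding in lint(conf):
            print(f"[{label}] WARNING: {finding}")
    print("PREPROC_RULE_PATH ->",
          resolve_path("/etc/snort", parse_vars(POSTED_CONF)["PREPROC_RULE_PATH"]))
```

Run it against a real snort.conf by reading the file into `lint()`; the posted excerpt produces four warnings (HOME_NET, EXTERNAL_NET, HTTP_SERVERS, SQL_SERVERS) and the corrected one produces none. The parser deliberately stops at the first whitespace after the value, which is why a trailing `# comment` on the same line does not leak into the variable, and why Snort's own warning in the config about no spaces inside `[...]` lists matters.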
     
  4. Elitemaster

    http://blog.tenablesecurity.com/files/snort-var.audit
     
  5. Ershik

That is 1/10 of it.

http://blog.tenablesecurity.com/files/snort-var.audit

And what does that give? How do you even use it? As a perl file? I tried. It prints:
And nothing else.
     
    #5 Ershik, 4 Jul 2008
    Last edited: 4 Jul 2008