Инструменты пользователя

Инструменты сайта


сервис_snortsam

Сервис SNORTSAM

Установка пакета

FreeBSD

# pkg install snortsam

# more /usr/local/share/doc/snortsam/README.conf

# cd /usr/local/etc/snortsam/

Debian/Ubuntu

Не поддерживается

Базовая конфигурация

# cat snortsam.conf
daemon
nothreads
accept 127.0.0.1
defaultkey secret
logfile /var/log/snortsam.log

Настройка блокировки

netfilter

gate# cat snortsam.conf
...
iptables eth1 log

ipfilter

# cat snortsam.conf
...
ipf em1

ipfw2

http://www.lissyara.su/articles/freebsd/security/snort/

gate# cat snortsam.conf
...
ipfw2 em1 1 2
#   With tables rules like:
#              00010 deny ip from any to table 1 via em1
#              00011 deny ip from table 2 to any via em1
fwexec /sbin/ipfw

cisco router acl telnet

В случае использования aaa new-model требуется пользователь c priv-lvl = 1

server# cat snortsam.acl
conf terminal
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.10 eq www
 permit tcp any host 192.168.X.10 eq 22
 permit ip any host 172.16.1.X
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
server# cat snortsam.conf
...
# ciscoacl 192.168.X.1 user1/tpassword1 cisco /usr/local/etc/snortsam/snortsam.acl
# ciscoacl 192.168.X.1 cisco cisco /usr/local/etc/snortsam/snortsam.acl

cisco router acl tftp

Настройка

server# cat /tftpboot/snortsam.acl
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.10 eq www
 permit tcp any host 192.168.X.10 eq 22
 permit ip any 172.16.1.X
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
server# cat snortsam.tftp
copy tftp://192.168.X.10/ running-config
server# cat snortsam.conf
...
# ciscoacl 192.168.X.1 cisco cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
# ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp

Запуск

server# cd /tftpboot/

[server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf

server# cat /usr/local/etc/rc.d/snortsam
...
cd /tftpboot/

run_rc_command "$1"

cisco router null route

server# cat snortsam.conf
...
cisconullroute 192.168.X.1 student/tacacs cisco

Запуск snortsam

[server:~] # service snortsam rcvar

[server:~] # service snortsam start

Подключение Snort к Snortsam

сервис_snortsam.txt · Последние изменения: 2017/12/06 09:10 — val