Splunk、Snort在入侵检测中的应用

前期准备

splunk环境验证

splunk相关命令

查看服务端采集了哪些客户端的日志：

./bin/splunk list deploy-clients

Deployment client: CF787A85-1BF8-4460-9FA9-469FEEB95BCD

applications: {'_server_app_39.30': {'action': 'Install', 'archive': '/home/splunk/var/run/tmp/39.30/_server_app_39.30-1727076134.bundle', 'checksum': '14553870489663539555', 'excludeFromUpdate': None, 'failedReason': "''", 'issueReload': '0', 'restartIfNeeded': '0', 'restartSplunkWeb': '0', 'restartSplunkd': '0', 'result': 'Ok', 'serverclasses': ['39.30'], 'size': '10240', 'stateOnClient': 'enabled', 'timestamp': 'Mon Sep 23 16:33:41 2024'}}

检查服务端和客户端的网络连接是否正常：

服务端运行：netstat -tnup |grep 10.227.39.30

tcp 0 0 10.227.39.38:8089 10.227.39.30:57246 ESTABLISHED 14231/splunkd

tcp 0 0 10.227.39.38:9997 10.227.39.30:57158 ESTABLISHED 14231/splunkd

客户端运行 netstat -ano

10.227.39.30:57158 10.227.39.38:9997 ESTABLISHED 3708

10.227.39.30为客户端地址，8089和9997 处于 ESTABLISHED表示网络连接正常

snort环境验证

Linux下：

在/etc/snort/rules/ 下新建一个自己的规则目录test，并新建一个规则

alert tcp any any -> any any (msg:"Test alert"; sid:1000001;)

然后在/etc/snort/snort.conf 新加一行(可以把默认的规则注释掉)

include $RULE_PATH/test/test.rules

启动snort进行验证

sudo snort -A console -c /etc/snort/snort.conf -i eth0

控制台和/var/log/snort/snort.alert.fast 都有告警输出，说明命中规则并成功生成告警

Windows下：

注意：Windows安装使用snort可以使用x86的，我这里用64位的在win10和win7都会报错，winpcap也需要单独安装(及时安装了wireshark也要再安装一次否则会出现抓不到网卡)

https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe

下载：https://snort.org/downloads/archive/snort/Snort_2_9_16_Installer.x86.exe

验证：\bin>snort.exe -W

,,_ -*> Snort! <*-

o" )~ Version 2.9.16-WIN32 GRE (Build 118)

'''' By Martin Roesch & The Snort Team: Snort - Contact

Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.

Copyright (C) 1998-2013 Sourcefire, Inc., et al.

Using PCRE version: 8.10 2010-06-25

Using ZLIB version: 1.2.3

Index Physical Address IP Address Device Name Description

----- ---------------- ---------- ----------- -----------

1 FE:FC:FE:04:FF:9F 0000:0000:fe80:0000:0000:0000:5319:65d9 \Device\NPF_{07899EFF-636B-4F19-A710-DBA5CCE5616D} Intel(R) PRO/1000 MT Network Connection

snort -A console -c C:\Snort\etc\snort.conf -i 1 -l C:\Snort\log > C:\Snort\log\alert.txt

会把告警打入C:\Snort\log\alert.txt中

单条pcap包测试：

snort -r C:\Snort\pcaps\test.pcap -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -A console