
[Snort] Usage

by 로샤스 2014. 2. 11.

-v : Be verbose (prints the IP, TCP, UDP and ICMP headers of each packet)

[root@localhost ~]# snort -v
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

Commencing packet processing (pid=13511)
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/14-13:07:42.022872 192.168.100.9 -> 74.125.129.147
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:52491   Seq:1  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/14-13:07:42.151326 74.125.129.147 -> 192.168.100.9
ICMP TTL:128 TOS:0x0 ID:65293 IpLen:20 DgmLen:84
Type:0  Code:0  ID:52491  Seq:1  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+




-d : Dump the application layer (prints the packet payload as a hex/ASCII dump)

[root@localhost ~]# snort -d
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

Commencing packet processing (pid=13547)
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/14-12:59:18.519357 192.168.100.2:53 -> 192.168.100.9:33653
UDP TTL:128 TOS:0x0 ID:65246 IpLen:20 DgmLen:156
Len: 128
BD CD 81 80 00 01 00 06 00 00 00 00 03 77 77 77  .............www
06 67 6F 6F 67 6C 65 03 63 6F 6D 00 00 01 00 01  .google.com.....
C0 0C 00 01 00 01 00 00 00 05 00 04 4A 7D 81 63  ............J}.c
C0 0C 00 01 00 01 00 00 00 05 00 04 4A 7D 81 68  ............J}.h
C0 0C 00 01 00 01 00 00 00 05 00 04 4A 7D 81 6A  ............J}.j
C0 0C 00 01 00 01 00 00 00 05 00 04 4A 7D 81 93  ............J}..
C0 0C 00 01 00 01 00 00 00 05 00 04 4A 7D 81 69  ............J}.i
C0 0C 00 01 00 01 00 00 00 05 00 04 4A 7D 81 67  ............J}.g
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/14-12:59:18.801313 192.168.100.9 -> 74.125.129.99
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:49162   Seq:1  ECHO
16 61 1C 51 16 3A 0C 00 08 09 0A 0B 0C 0D 0E 0F  .a.Q.:..........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                                     01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+




-e : Display the layer-2 header info (prints the Ethernet header: source/destination MAC, EtherType and frame length)

[root@localhost ~]# snort -e
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

Commencing packet processing (pid=13583)
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/14-14:50:21.446293 00:0C:29:45:48:61 -> 00:50:56:E2:0F:BD type:0x800 len:0x62
192.168.100.9 -> 74.125.129.106 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:28696   Seq:1  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/14-14:50:21.629542 00:50:56:E2:0F:BD -> 00:0C:29:45:48:61 type:0x800 len:0x62
74.125.129.106 -> 192.168.100.9 ICMP TTL:128 TOS:0x0 ID:65329 IpLen:20 DgmLen:84
Type:0  Code:0  ID:28696  Seq:1  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 



-vde : the three options combined (verbose headers, Ethernet header and application-layer dump for every packet)

 

[root@localhost ~]# snort -vde
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

Commencing packet processing (pid=13632)
03/11-16:54:09.160369 00:26:66:FF:1A:ED -> DC:85:DE:22:BF:DB type:0x800 len:0x94
175.124.192.237:55633 -> 192.168.0.16:63584 UDP TTL:51 TOS:0x0 ID:39360 IpLen:20 DgmLen:134
Len: 106
64 31 3A 61 64 32 3A 69 64 32 30 3A C7 D3 1A E0  d1:ad2:id20:....
1C 88 FF 20 29 D0 AB D0 19 B5 E9 5B EF DE FE BB  ... )......[....
39 3A 69 6E 66 6F 5F 68 61 73 68 32 30 3A E4 39  9:info_hash20:.9
C7 10 06 E1 AA 1A 4B 28 E4 78 63 46 73 1A CB FC  ......K(.xcFs...
CD 12 65 31 3A 71 39 3A 67 65 74 5F 70 65 65 72  ..e1:q9:get_peer
73 31 3A 74 34 3A C7 F9 3F 2E 31 3A 76 34 3A 55  s1:t4:..?.1:v4:U
54 71 5B 31 3A 79 31 3A 71 65                    Tq[1:y1:qe
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/11-16:54:09.501645 00:26:66:FF:1A:ED -> DC:85:DE:22:BF:DB type:0x800 len:0x8C
220.225.77.178:62616 -> 192.168.0.16:63584 UDP TTL:111 TOS:0x0 ID:19125 IpLen:20 DgmLen:126 DF
Len: 98
64 31 3A 61 64 32 3A 69 64 32 30 3A E4 38 A1 A9  d1:ad2:id20:.8..
75 5A 02 6F A6 79 C9 EE F2 7A 59 CA FC C1 92 33  uZ.o.y...zY....3
36 3A 74 61 72 67 65 74 32 30 3A E4 38 A1 A9 75  6:target20:.8..u
5A 02 6F A6 79 C9 EE F2 7A 59 CA FC C1 92 34 65  Z.o.y...zY....4e
31 3A 71 39 3A 66 69 6E 64 5F 6E 6F 64 65 31 3A  1:q9:find_node1:
74 38 3A CB 2E EA DC A7 55 22 AB 31 3A 79 31 3A  t8:.....U".1:y1:
71 65                                            qe
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
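The dump-mode output above (-v, -e, -d and their combination) is plain text, and a saved dump is far easier to pivot on (by host, port or payload bytes) once it is turned into structured records. The parser below is an added example, not code from the original post or from the Snort project; its sample text is constructed from the records shown above, and the dictionary field names are my own choice.

```python
import re
# Constructed sample in Snort packet-dump (-vde) format; the field values come from
# the dumps shown above (one ICMP echo, one UDP datagram with a shortened payload).
SAMPLE = """\
02/14-14:50:21.446293 00:0C:29:45:48:61 -> 00:50:56:E2:0F:BD type:0x800 len:0x62
192.168.100.9 -> 74.125.129.106 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:28696   Seq:1  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/11-16:54:09.160369 00:26:66:FF:1A:ED -> DC:85:DE:22:BF:DB type:0x800 len:0x94
175.124.192.237:55633 -> 192.168.0.16:63584 UDP TTL:51 TOS:0x0 ID:39360 IpLen:20 DgmLen:134
Len: 106
64 31 3A 61 64 32 3A 69 64 32 30 3A C7 D3 1A E0  d1:ad2:id20:....
39 3A 69 6E 66 6F 5F 68 61 73 68 32 30 3A E4 39  9:info_hash20:.9
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""
TS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s*(.*)$")
ETH_RE = re.compile(r"^([0-9A-F:]{17}) -> ([0-9A-F:]{17}) type:(0x[0-9A-Fa-f]+)")
IP_RE = re.compile(r"^([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?\s*(.*)$")
L4_RE = re.compile(r"(ICMP|UDP|TCP) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)((?: [A-Z]+)*)")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2} ?)+$")

def parse_snort_dump(text):
    """Split dump-mode output on its =+=+ separators and return one dict per packet."""
    packets, rec = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("=+="):                   # record separator
            if rec: packets.append(rec)
            rec = None
            continue
        if m := TS_RE.match(line):                   # first line of a record
            rec = {"time": m.group(1), "payload": b""}
            line = m.group(2)                        # rest: Ethernet (-e) or IP (-v) fields
        if rec is None:
            continue                                 # banner text before the first packet
        if e := ETH_RE.match(line):
            rec.update(src_mac=e.group(1), dst_mac=e.group(2), eth_type=int(e.group(3), 16))
            continue
        if i := IP_RE.match(line):
            rec.update(src=i.group(1), sport=i.group(2) and int(i.group(2)),
                       dst=i.group(3), dport=i.group(4) and int(i.group(4)))
            line = i.group(5)                        # with -e the L3 fields share this line
        if l4 := L4_RE.search(line):
            rec.update(proto=l4.group(1), ttl=int(l4.group(2)), ip_id=int(l4.group(4)),
                       dgm_len=int(l4.group(6)), flags=l4.group(7).split())
        elif line.startswith("Type:"):               # ICMP type/code line
            rec["icmp"] = {k: int(v) for k, v in re.findall(r"(Type|Code):(\d+)", line)}
        elif HEX_RE.match(line.split("  ", 1)[0]):   # hex column of a -d payload line
            rec["payload"] += bytes.fromhex(line.split("  ", 1)[0].replace(" ", ""))
    if rec: packets.append(rec)
    return packets
```

The same function handles plain -v output, where the IP addresses sit on the timestamp line and the Ethernet fields are absent.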

When Snort is stopped, it prints its detection results.

Saving the detection results to a log file

[root@localhost snort]# pwd
/var/log/snort
[root@localhost snort]# snort -dev -l /var/log/snort/
[root@localhost snort]# ll
total 4
-rw------- 1 snort snort   0 Feb 13 10:42 alert
-rw------- 1 root  root  873 Feb 14 16:14 snort.log.1360826082
[root@localhost snort]# file snort.log.1360826082 (check the log file type)
snort.log.1360826082: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
[root@localhost snort]# tcpdump -r snort.log.1360826082 (inspect the contents with tcpdump or Wireshark)
reading from file snort.log.1360826082, link-type EN10MB (Ethernet)
16:14:45.408273 IP google-public-dns-a.google.com > 192.168.100.9: ICMP echo reply, id 9251, seq 1, length 64
16:14:46.063431 IP 192.168.100.9 > google-public-dns-a.google.com: ICMP echo request, id 9251, seq 2, length 64
16:14:46.408562 IP google-public-dns-a.google.com > 192.168.100.9: ICMP echo reply, id 9251, seq 2, length 64
16:14:47.063040 IP 192.168.100.9 > google-public-dns-a.google.com: ICMP echo request, id 9251, seq 3, length 64

 


In the examples above no rules were applied, so only Snort's plain packet-capture function was used.
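Because snort -l writes a classic tcpdump pcap (as the file output above confirms: version 2.4, Ethernet, capture length 1514), the log can be read back without Snort or tcpdump. The reader below is an added example that is not part of the original post or of Snort itself; it builds a constructed one-packet pcap in that same layout (an ICMP echo request from 192.168.100.9 to an assumed 8.8.8.8, with the id/seq values from the tcpdump listing) and decodes it into the fields dump mode prints.

```python
import struct

MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}   # classic pcap magic, as read little-endian

def build_sample_pcap():
    """Constructed one-packet pcap in the layout snort -l writes: v2.4, snaplen 1514, Ethernet."""
    eth = bytes.fromhex("005056E20FBD" "000C29454861" "0800")          # dst MAC, src MAC, IPv4
    # IPv4: ver/ihl, tos, total len 84, id 0, flags DF, ttl 64, proto 1 (ICMP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0x4000, 64, 1, 0,
                     bytes([192, 168, 100, 9]), bytes([8, 8, 8, 8]))   # 8.8.8.8 is assumed
    icmp = struct.pack("!BBHHH", 8, 0, 0, 9251, 2) + bytes(range(56))  # echo request id 9251 seq 2
    frame = eth + ip + icmp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)    # global header, linktype 1
    rhdr = struct.pack("<IIII", 1360826086, 63431, len(frame), len(frame))
    return ghdr + rhdr + frame

def read_pcap(data):
    """Return (file info, decoded packets) for a classic pcap byte string."""
    endian = MAGIC.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng or corrupt)")
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    info = {"version": f"{vmaj}.{vmin}", "snaplen": snaplen, "linktype": linktype}
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if linktype == 1 and len(frame) >= 34:       # Ethernet with at least an IPv4 header
            packets.append(decode_ethernet_ipv4(ts_sec, ts_usec, frame))
    return info, packets

def decode_ethernet_ipv4(ts_sec, ts_usec, frame):
    """Decode the fields Snort's dump mode prints: MACs, IP header, ICMP type/code/id/seq."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"ts": f"{ts_sec}.{ts_usec:06d}", "src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
           "eth_type": etype}
    if etype != 0x0800:
        return pkt
    vihl, _tos, tlen, ipid, frag, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (vihl & 0x0F) * 4
    pkt.update(src=".".join(map(str, s)), dst=".".join(map(str, d)), ttl=ttl, ip_id=ipid,
               dgm_len=tlen, df=bool(frag & 0x4000), proto=proto)
    if proto == 1 and len(frame) >= 14 + ihl + 8:
        t, c, _, ident, seq = struct.unpack("!BBHHH", frame[14 + ihl:14 + ihl + 8])
        pkt["icmp"] = {"type": t, "code": c, "id": ident, "seq": seq}
    return pkt
```

To read a real log, pass open("/var/log/snort/snort.log.<timestamp>", "rb").read() to read_pcap; a pcapng file raises ValueError instead of being mis-parsed.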

Source : http://gonisec.tistory.com/entry/Snort-사용-방법