CentOS 5.6 最新Snort + SWATCH で不正アクセスを検知しリアルタイムで規制する

本来IDS(侵入検知システム)は不正アクセスを検知し管理者に通知するだけであるが、今回SWATCHと組み合わせることで強力なセキュリティー機能を備えたいと思う。
※ SWATCHはログ監視ツール導入(SWATCH)の設定が行われていることを前提とする

Snortのダウンロード
# wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/x86_64/snort-2.9.0.5-12.el5.x86_64.rpm
# wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/x86_64/daq-0.5-9.el5.x86_64.rpm
# wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/x86_64/libdnet-1.12-7.el5.x86_64.rpm
# wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/x86_64/libpcap1-1.1.1-10.el5.x86_64.rpm

依存関係でエラーが出るため下記の順番にインストールする
# rpm -Uvh libdnet-1.12-7.el5.x86_64.rpm
# rpm -Uvh libpcap1-1.1.1-10.el5.x86_64.rpm
# rpm -Uvh daq-0.5-9.el5.x86_64.rpm
# rpm -Uvh snort-2.9.0.5-12.el5.x86_64.rpm

ルールはsnortrules-snapshot-2905.tar.gzをダウンロードする
ルールのダウンロードにはアカウント作成がいるようである
# tar zxvf snortrules-snapshot-2905.tar.gz
# cp rules/* /etc/snort/rules/
# /etc/snort/snort.conf

LAN内のPCは例外とするように設定ファイルを書き換える
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

下記のコメントを解除しルールを有効化する
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/botnet-cnc.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/content-replace.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/info.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/phishing-spam.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scada.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/voip.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules

# vi /etc/logrotate.d/snort
不要(存在しないログファイル)な部分を削除する
/var/log/snort/alert /var/log/snort/*log {

SWATCHの設定
# vi /etc/swatch/snort.conf

# logfile /var/log/snort/alert

# 不正なアクセスを3回以上検知したら該当ホストからのアクセスを24時間規制
watchfor /Priority/
    pipe "/usr/local/bin/swatch_action.sh 13"
    throttle=00:00:10

Leave a Comment


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(Spamcheck Enabled)

日本語が含まれない投稿は無視されますのでご注意ください。(スパム対策)