一 Snort3 安装配置,参考:Ubuntu server 24 安装配置 snort3 3.2.1.0 网络入侵检测防御系统 配置注册规则集-CSDN博客
二 安装主动防御程序Guardian
1 下载,解压
tar zxvf guardian-1.7.tar.gz
cd guardian-1.7/
2 配置
#拷贝文件
sudo cp guardian.pl /usr/local/bin/
sudo cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
sudo cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
sudo touch /var/log/snort/guardian.log
sudo touch /usr/local/snort/etc/snort/guardian.ignore
sudo touch /usr/local/snort/etc/snort/guardian.target
sudo cp guardian.conf /usr/local/snort/etc/snort/
#修改配置文件
sudo vim /usr/local/snort/etc/snort/guardian.conf
Interface ens33
HostIpAddr 192.168.50.19
HostGatewayByte 1
LogFile /var/log/snort/guardian.log
AlertFile /var/log/snort/alert_fast.txt
IgnoreFile /usr/local/snort/etc/snort/guardian.ignore
TargetFile /usr/local/snort/etc/snort/guardian.target
TimeLimit 86400
#其中HostIpAddr,如不填写会报如下错误
Warning! HostIpAddr is undefined! Attempting to guess..
Couldn't figure out the ip address
3 guardian启动
#启动
sudo /usr/bin/perl /usr/local/bin/guardian.pl -c /usr/local/snort/etc/snort/guardian.conf
#报错
Can't locate getopts.pl in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at ./guardian.pl line 10.
#修改guardian.pl 解决
sudo vim /usr/local/bin/guardian.pl
require 'getopts.pl'; --> #require 'getopts.pl';
&Getopts ('hc:d'); --> &getopts ('hc:d');
#再次启动
test@ubuntuserver:~$ sudo /usr/bin/perl /usr/local/bin/guardian.pl -c /usr/local/snort/etc/snort/guardian.conf
OS shows Linux
My ip address and interface are: 192.168.50.19 ens33
Loaded 1 addresses from /usr/local/snort/etc/snort/guardian.ignore
Loaded 0 addresses from /usr/local/snort/etc/snort/guardian.target
Becoming a daemon..
#查看进程
三 snort+guard+iptables 实战联动测试
1 查看Iptables 表
sudo iptables -L -n
2 另外一台主机上测试ping 测试
#自定义告警规则
sudo vim /usr/local/snort/etc/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)