在日常生活中，很多人怀疑自己的手机、电脑被监控了，担心自己的隐私泄漏，实际上最佳的检测方式就是终端检测，也就是EDR，但是就是有那么多的人在网上大放厥词，说任何EDR杀毒软件都检测不到监控，毕竟EDR杀毒软件对于普通人来说，安装使用太简单了，以至于大多数人都怀疑EDR的真实效果，既然很多人天生的对EDR不信任，那么何不试试NDR入侵检测系统呢？snort3.0就是一款值得研究和探索的免费的开源的NDR入侵检测系统，从网络流量的角度来追踪溯源网络威胁，正所谓雁过留声风过留痕，黑客路过就会留下入侵痕迹～

ailx10

1954 次咨询

4.9

网络安全优秀回答者

互联网行业 安全攻防员

去咨询

一、ubuntu18.04 更换为中科大源

/etc/apt/sources.list

deb https://mirrors.ustc.edu.cn/ubuntu/ bionic main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-updates main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-backports main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-security main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-updates main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-backports main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-security main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-proposed main restricted universe multiverse

二、更新系统

sudo apt-get update
sudo apt-get dist-upgrade

三、安装依赖包

sudo apt-get install autoconf automake libtool
sudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev

四、安装snort3 daq（用于网络流量采集）

git clone https://github.com/snort3/libdaq.git
./bootstrap
./configure
sudo make
sudo make install

五、安装snort3 (大约30分钟)

git clone https://github.com/snort3/snort3.git
sudo ./configure_cmake.sh --prefix=/usr/local
cd build/
sudo make
sudo make install
sudo ldconfig

六、网卡开启混杂模式（可以抓到局域网所有通信）

sudo ip link set dev eth0 promisc on

七、自己写一个规则

sudo mkdir /var/log/snort
sudo mkdir /usr/local/etc/rules
sudo vim /usr/local/etc/rules/local.rules

alert tcp 192.168.0.106 any -> 192.168.0.105 any (msg:”检测到黑客入侵”; sid:1)

八、检验snort3 初始配置

注意：这里是64位操作系统，如果是32位系统，可能会报错

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules

九、启动snort3 验证效果

sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i eth0 -A alert_fast -s 65535 -k none

发布于 2022-11-12 15:15・IP 属地江苏