Ubuntu server 24 (Linux) Snort3 3.2.1.0 Guardian IPtables 联动实战 主动防御系统(ids+ips)

一 Snort3 安装配置,参考:Ubuntu server 24 安装配置 snort3 3.2.1.0 网络入侵检测防御系统 配置注册规则集-CSDN博客

二 安装主动防御程序Guardian

1 下载,解压

复制代码
tar zxvf guardian-1.7.tar.gz
cd  guardian-1.7/

2 配置

复制代码
#拷贝文件
sudo cp guardian.pl /usr/local/bin/
sudo cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
sudo cp scripts/iptables_unblock.sh  /usr/local/bin/guardian_unblock.sh
sudo  touch /var/log/snort/guardian.log
sudo touch /usr/local/snort/etc/snort/guardian.ignore
sudo touch /usr/local/snort/etc/snort/guardian.target
sudo cp guardian.conf  /usr/local/snort/etc/snort/
#修改配置文件
sudo vim /usr/local/snort/etc/snort/guardian.conf
Interface       ens33
HostIpAddr 192.168.50.19
HostGatewayByte  1
LogFile         /var/log/snort/guardian.log
AlertFile       /var/log/snort/alert_fast.txt
IgnoreFile      /usr/local/snort/etc/snort/guardian.ignore
TargetFile      /usr/local/snort/etc/snort/guardian.target
TimeLimit       86400
#其中HostIpAddr,如不填写会报如下错误
Warning! HostIpAddr is undefined! Attempting to guess..
Couldn't figure out the ip address

3 guardian启动

复制代码
#启动
sudo /usr/bin/perl  /usr/local/bin/guardian.pl -c /usr/local/snort/etc/snort/guardian.conf
#报错
Can't locate getopts.pl in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at ./guardian.pl line 10.
#修改guardian.pl 解决
sudo vim /usr/local/bin/guardian.pl
require 'getopts.pl'; --> #require 'getopts.pl';
&Getopts ('hc:d');    --> &getopts ('hc:d');
复制代码
#再次启动
test@ubuntuserver:~$ sudo /usr/bin/perl  /usr/local/bin/guardian.pl -c /usr/local/snort/etc/snort/guardian.conf
OS shows Linux
My ip address and interface are: 192.168.50.19 ens33
Loaded 1 addresses from /usr/local/snort/etc/snort/guardian.ignore
Loaded 0 addresses from /usr/local/snort/etc/snort/guardian.target
Becoming a daemon..
#查看进程

三 snort+guard+iptables 实战联动测试

1 查看Iptables 表

复制代码
sudo iptables  -L  -n

2 另外一台主机上测试ping 测试

复制代码
#自定义告警规则
sudo vim /usr/local/snort/etc/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
相关推荐
yuanpan2 小时前
ubuntu系统上的conda虚拟环境导出方便下次安装
linux·ubuntu·conda
AOwhisky2 小时前
Linux 文本处理三剑客:awk、grep、sed 完全指南
linux·运维·服务器·网络·云计算·运维开发
Gavin_9153 小时前
从零开始部署经典开源项目管理系统最新版redmine6-Linux Debian12
linux·ruby on rails·开源·debian·ruby·redmine
花小璇学linux3 小时前
imx6ull-驱动开发篇31——Linux异步通知
linux·驱动开发·嵌入式软件
shelutai3 小时前
ubuntu 编译ffmpeg6.1 增加drawtext,libx264,libx265等
linux·ubuntu·ffmpeg
runfarther3 小时前
搭建LLaMA-Factory环境
linux·运维·服务器·python·自然语言处理·ai编程·llama-factory
hello_ world.4 小时前
RHCA10NUMA
linux
神秘人X7074 小时前
Linux高效备份:rsync + inotify实时同步
linux·服务器·rsync
轻松Ai享生活5 小时前
一步步学习Linux initrd/initramfs
linux
轻松Ai享生活5 小时前
一步步深入学习Linux Process Scheduling
linux