Ubuntu server 24 (Linux) Snort3 3.2.1.0 Guardian IPtables 联动实战 主动防御系统(ids+ips)

一 Snort3 安装配置,参考:Ubuntu server 24 安装配置 snort3 3.2.1.0 网络入侵检测防御系统 配置注册规则集-CSDN博客

二 安装主动防御程序Guardian

1 下载,解压

复制代码
tar zxvf guardian-1.7.tar.gz
cd  guardian-1.7/

2 配置

复制代码
#拷贝文件
sudo cp guardian.pl /usr/local/bin/
sudo cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
sudo cp scripts/iptables_unblock.sh  /usr/local/bin/guardian_unblock.sh
sudo  touch /var/log/snort/guardian.log
sudo touch /usr/local/snort/etc/snort/guardian.ignore
sudo touch /usr/local/snort/etc/snort/guardian.target
sudo cp guardian.conf  /usr/local/snort/etc/snort/
#修改配置文件
sudo vim /usr/local/snort/etc/snort/guardian.conf
Interface       ens33
HostIpAddr 192.168.50.19
HostGatewayByte  1
LogFile         /var/log/snort/guardian.log
AlertFile       /var/log/snort/alert_fast.txt
IgnoreFile      /usr/local/snort/etc/snort/guardian.ignore
TargetFile      /usr/local/snort/etc/snort/guardian.target
TimeLimit       86400
#其中HostIpAddr,如不填写会报如下错误
Warning! HostIpAddr is undefined! Attempting to guess..
Couldn't figure out the ip address

3 guardian启动

复制代码
#启动
sudo /usr/bin/perl  /usr/local/bin/guardian.pl -c /usr/local/snort/etc/snort/guardian.conf
#报错
Can't locate getopts.pl in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at ./guardian.pl line 10.
#修改guardian.pl 解决
sudo vim /usr/local/bin/guardian.pl
require 'getopts.pl'; --> #require 'getopts.pl';
&Getopts ('hc:d');    --> &getopts ('hc:d');
复制代码
#再次启动
test@ubuntuserver:~$ sudo /usr/bin/perl  /usr/local/bin/guardian.pl -c /usr/local/snort/etc/snort/guardian.conf
OS shows Linux
My ip address and interface are: 192.168.50.19 ens33
Loaded 1 addresses from /usr/local/snort/etc/snort/guardian.ignore
Loaded 0 addresses from /usr/local/snort/etc/snort/guardian.target
Becoming a daemon..
#查看进程

三 snort+guard+iptables 实战联动测试

1 查看Iptables 表

复制代码
sudo iptables  -L  -n

2 另外一台主机上测试ping 测试

复制代码
#自定义告警规则
sudo vim /usr/local/snort/etc/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
相关推荐
七歌杜金房6 小时前
我终于又有了自己的 Linux 电脑
linux·debian·mac
tntxia1 天前
linux curl命令详解_curl详解
linux
扛枪的书生1 天前
Linux 网络管理器用法速查
linux
顺风尿一寸1 天前
Java Socket 内核之旅:从 SocketChannel.read() 到 tcp_recvmsg 与 epoll 的完整调用链路
linux
XIAOHEZIcode2 天前
Ubuntu 终端美化全栈指南:Bash 到 Kitty 踩坑实录
linux·ubuntu·命令行
唐青枫2 天前
别再只会用 cron:Linux systemd Timer 定时任务实战详解
linux
AlfredZhao4 天前
生产环境里,为什么不建议把普通端口直接暴露到公网?
linux·https·443·80
戴为沐5 天前
Linux内存扩容指南
linux
zylyehuo5 天前
Linux 彻底且安全地删除文件
linux
用户805533698036 天前
主线 U-Boot 上 RK3506:和闭源 rkbin 拔河的三个隐性契约
linux·嵌入式