在日常生活中,很多人怀疑自己的手机、电脑被监控了,担心自己的隐私泄漏,实际上最佳的检测方式就是终端检测,也就是EDR,但是就是有那么多的人在网上大放厥词,说任何EDR杀毒软件都检测不到监控,毕竟EDR杀毒软件对于普通人来说,安装使用太简单了,以至于大多数人都怀疑EDR的真实效果,既然很多人天生的对EDR不信任,那么何不试试NDR入侵检测系统呢?snort3.0就是一款值得研究和探索的免费的开源的NDR入侵检测系统,从网络流量的角度来追踪溯源网络威胁,正所谓雁过留声风过留痕,黑客路过就会留下入侵痕迹~
ailx10
1952 次咨询
4.9
网络安全优秀回答者
互联网行业 安全攻防员
去咨询
一、ubuntu18.04 更换为中科大源
/etc/apt/sources.list
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-updates main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-backports main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ https://zhida.zhihu.com/search?content_id=217632770&content_type=Article&match_order=1&q=bionic-security&zhida_source=entity main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic main restricted universe multiverse
https://zhida.zhihu.com/search?content_id=217632770&content_type=Article&match_order=2&q=deb-src&zhida_source=entity https://mirrors.ustc.edu.cn/ubuntu/ https://zhida.zhihu.com/search?content_id=217632770&content_type=Article&match_order=2&q=bionic-updates&zhida_source=entity main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-backports main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-security main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-proposed main restricted universe multiverse二、更新系统
sudo https://zhida.zhihu.com/search?content_id=217632770&content_type=Article&match_order=1&q=apt-get&zhida_source=entity update
sudo apt-get dist-upgrade三、安装依赖包
sudo apt-get install autoconf automake libtool
sudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex https://zhida.zhihu.com/search?content_id=217632770&content_type=Article&match_order=1&q=liblzma&zhida_source=entity-dev openssl https://zhida.zhihu.com/search?content_id=217632770&content_type=Article&match_order=1&q=libssl&zhida_source=entity-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev四、安装snort3 daq(用于网络流量采集)
git clone https://github.com/snort3/libdaq.git
./bootstrap
./configure
sudo make
sudo make install五、安装snort3 (大约30分钟)
git clone https://github.com/snort3/snort3.git
sudo ./configure_cmake.sh --prefix=/usr/local
cd build/
sudo make
sudo make install
sudo ldconfig六、网卡开启混杂模式(可以抓到局域网所有通信)
sudo ip link set dev eth0 promisc on七、自己写一个规则
sudo mkdir /var/log/snort
sudo mkdir /usr/local/etc/rules
sudo vim /usr/local/etc/rules/local.rules
alert tcp 192.168.0.106 any -> 192.168.0.105 any (msg:"检测到黑客入侵"; sid:1)八、检验snort3 初始配置
注意:这里是64位操作系统,如果是32位系统,可能会报错
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules九、启动snort3 验证效果
sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i eth0 -A alert_fast -s 65535 -k none
编辑于 2022-11-12 15:33・IP 属地江苏