First a brief walk-through of installing and configuring Snort on Windows, as groundwork for the next part: writing Snort rules that identify industrial control protocols and verifying them against captures.

Download and install

Download from the official site: https://www.snort.org/

Install with the default options.

Go to the installation directory: C:\Snort

Configuration file

Edit C:\Snort\etc\snort.conf and change the path settings to the following (absolute Windows paths, as the comments in the file itself recommend):

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH c:\snort\rules
var SO_RULE_PATH c:\snort\so_rules
var PREPROC_RULE_PATH c:\snort\preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH c:\snort\rules
var BLACK_LIST_PATH c:\snort\rules
# path to dynamic preprocessor libraries
dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor

# path to base preprocessor engine
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll

Installation reference: http://www.cnblogs.com/lasgalen/p/4512755.html

Rule verification

Go to C:\Snort\rules and create three new files. The default snort.conf refers to white_list.rules and black_list.rules under the WHITE_LIST_PATH/BLACK_LIST_PATH set above and includes local.rules under RULE_PATH; Snort will not start if a file it references is missing, so create them even if they are empty.

Add the Snort rule to be tested to local.rules, for example:

alert tcp any any -> any 1911 (msg:"IDS: fox-info"; content:"|66 6f 78|";  sid:1112515; rev:1;)

Open a command prompt in C:\Snort\bin.

Note: Snort only reads classic pcap files; a pcapng file, which is what Wireshark saves by default, causes an error. Use File > Save As in Wireshark and pick the pcap format. Renaming the extension does not change the file format and will not work.


Then run:

PS C:\Snort\bin> .\snort.exe  -c c:\snort\etc\snort.conf -l c:\snort\log -r .\fox_info.pcap

If no error is reported, Snort ran successfully; next check whether anything was written to the log.

Go to C:\Snort\log


The alert was written according to the rule, so rule verification succeeded.
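If no capture from a real Fox (port 1911) device is at hand, a test pcap can be generated offline. The following Python script is an added example, not code from the original post: it builds one Ethernet/IPv4/TCP frame addressed to port 1911 whose payload contains the bytes "fox" and writes it as a classic pcap (magic a1b2c3d4, version 2.4), which is the format Snort accepts, not pcapng. The MAC/IP addresses, ports and the Fox-style greeting in the payload are constructed test data. A small reader is included so the file can be checked before feeding it to snort -r.

```python
"""Write a classic pcap with a single TCP segment for testing a Snort rule offline.
Added example; addresses and payload are constructed, not captured from a device."""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 and TCP checksums)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                    payload: bytes, seq: int = 1, ack: int = 1) -> bytes:
    """Ethernet + IPv4 + TCP (PSH/ACK) frame carrying payload, with valid checksums."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("6677889900aa") + b"\x08\x00"
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    # version/IHL, TOS, total length, ID, DF flag, TTL, proto=TCP, csum=0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum=0, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    return eth + ip + tcp + payload


def write_pcap(frames, ts0: int = 1_600_000_000) -> bytes:
    """Classic libpcap file: global header (little-endian, v2.4, LINKTYPE_ETHERNET=1)
    followed by one record header per frame. This is not the pcapng format."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts0 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(pcap: bytes):
    """Yield (dst_port, payload) for every TCP/IPv4 Ethernet frame in a classic pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    pos = 24
    while pos < len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, pos)
        pos += 16
        frame = pcap[pos:pos + incl_len]
        pos += incl_len
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
            continue                      # not IPv4 or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        data_offset = (tcp[12] >> 4) * 4
        yield struct.unpack("!H", tcp[2:4])[0], tcp[data_offset:]


# Constructed Fox-style greeting; the rule only needs the bytes "fox" (|66 6f 78|).
FOX_HELLO = b"fox a 1 -1 fox hello\n"


def fox_test_pcap() -> bytes:
    frame = build_tcp_frame("10.0.0.5", "10.0.0.20", 40000, 1911, FOX_HELLO)
    return write_pcap([frame])


if __name__ == "__main__":
    with open("fox_info.pcap", "wb") as fh:
        fh.write(fox_test_pcap())
    print("wrote fox_info.pcap; run: snort.exe -c c:\\snort\\etc\\snort.conf -l c:\\snort\\log -r fox_info.pcap")
```

The frame is a lone PSH/ACK without a preceding handshake; the fox rule above carries no flow option, so it still fires. If a rule is written with flow:to_server,established, Snort's stream tracker will not consider this segment part of an established session, so a three-way handshake would need to be generated in front of it.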

Approach to writing rules from a pcap

IEC 61850 MMS protocol

First open the capture in Wireshark. Since Wireshark has a dissector for MMS, it is easy to see which packet performs which function.

From the figure above, the selected packet performs a start operation.

From the figure above, the selected packet performs a stop operation.

Now extract the hex bytes of each of these packets and compare them; the bytes that differ between start and stop are the ones to match on, and the corresponding Snort rule follows directly.

Add the derived rules to local.rules for verification, for example:

alert tcp any any -> any 102 (msg:"IDS: mms-START"; content:"|bf 28 1b|";  sid:1112727; rev:1;)
alert tcp any any -> any 102 (msg:"IDS: mms-STOP"; content:"|bf 29 19|";  sid:1112728; rev:1;)
alert tcp any any -> any 102 (msg:"IDS: mms-RESET"; content:"|bf 2b 19|";  sid:1112729; rev:1;)
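The bytes in these rules are the BER tags of the MMS confirmed-service requests: 0xbf 0x28 is context tag [40] start, 0xbf 0x29 is [41] stop and 0xbf 0x2b is [43] reset (ISO 9506-2 ConfirmedServiceRequest). The third byte (1b, 19, 19) is the BER length of the request body, which depends on the program-invocation name used in the capture, so a rule that includes it only fires for that exact name. The following Python script is an added example, not code from the original post: it builds minimal MMS Start/Stop/Reset requests with the TPKT, COTP, session and presentation layers seen on port 102, decodes them back to the service number, and derives the Snort content bytes from the tag alone. The program-invocation name "Control", the invoke IDs and presentation context identifier 3 are constructed test data.

```python
"""Build and decode minimal IEC 61850 MMS program-control requests and derive
Snort content bytes from the MMS service tag. Added example; the layering
follows ISO 9506-2 BER over TPKT/COTP, the names and IDs are constructed."""

# MMS ConfirmedServiceRequest context tags (subset) from ISO 9506-2
MMS_CONFIRMED_SERVICES = {
    0: "status", 1: "getNameList", 2: "identify", 4: "read", 5: "write",
    38: "createProgramInvocation", 39: "deleteProgramInvocation",
    40: "start", 41: "stop", 42: "resume", 43: "reset", 44: "kill",
}


def tlv(tag: bytes, value: bytes) -> bytes:
    """BER TLV with definite length (short form below 128, long form otherwise)."""
    n = len(value)
    if n < 0x80:
        return tag + bytes([n]) + value
    nbytes = (n.bit_length() + 7) // 8
    return tag + bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big") + value


def service_tag(num: int) -> bytes:
    """Context-specific constructed tag [num]: single byte up to 30,
    otherwise 0xbf followed by the number (valid for num < 128)."""
    return bytes([0xA0 | num]) if num < 31 else bytes([0xBF, num])


def build_mms_request(invoke_id: int, service_num: int, program_name: str) -> bytes:
    """TCP payload for a confirmed-RequestPDU whose service body is
    programInvocationName [0] Identifier (Start/Stop/Reset-Request). invoke_id < 128."""
    service = tlv(service_tag(service_num), tlv(b"\x80", program_name.encode("ascii")))
    mms_pdu = tlv(b"\xa0", tlv(b"\x02", bytes([invoke_id])) + service)   # [0] confirmed-RequestPDU
    pres = tlv(b"\x61", tlv(b"\x30", tlv(b"\x02", b"\x03") + tlv(b"\xa0", mms_pdu)))  # user-data
    session = b"\x01\x00\x01\x00" + pres          # GIVE TOKENS + DATA TRANSFER SPDUs
    cotp = b"\x02\xf0\x80" + session              # COTP DT, EOT
    return b"\x03\x00" + (len(cotp) + 4).to_bytes(2, "big") + cotp   # TPKT


def read_tlv(buf: bytes, pos: int):
    """Return ((class, constructed, number), value, next_pos); handles high tag numbers."""
    first = buf[pos]
    pos += 1
    cls, constructed, num = first >> 6, bool(first & 0x20), first & 0x1F
    if num == 0x1F:                                # high-tag-number form, e.g. 0xbf 0x28
        num = 0
        while True:
            b = buf[pos]
            pos += 1
            num = (num << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return (cls, constructed, num), buf[pos:pos + length], pos + length


def decode_mms_request(payload: bytes):
    """Walk TPKT -> COTP DT -> session -> presentation -> MMS and return
    (invoke_id, service_number, service_name) for a confirmed-RequestPDU, else None."""
    if len(payload) < 4 or payload[0] != 0x03:
        return None
    body = payload[4:int.from_bytes(payload[2:4], "big")]
    if body[1] & 0xF0 != 0xF0:                     # only COTP Data PDUs carry MMS
        return None
    data = body[1 + body[0]:]
    if data[:4] != b"\x01\x00\x01\x00":
        return None
    _, user_data, _ = read_tlv(data, 4)            # [APPLICATION 1] fully-encoded-data
    _, pdv_list, _ = read_tlv(user_data, 0)        # SEQUENCE PDV-list
    _, _pci, pos = read_tlv(pdv_list, 0)           # presentation-context-identifier
    _, mms_pdu, _ = read_tlv(pdv_list, pos)        # single-ASN1-type [0]
    tag, pdu_body, _ = read_tlv(mms_pdu, 0)
    if tag != (2, True, 0):                        # not a confirmed-RequestPDU
        return None
    _, invoke, pos = read_tlv(pdu_body, 0)
    (_, _, num), _, _ = read_tlv(pdu_body, pos)
    return int.from_bytes(invoke, "big"), num, MMS_CONFIRMED_SERVICES.get(num, f"service{num}")


def snort_content_for_service(num: int) -> str:
    """Snort hex content for the service tag only, e.g. |bf 28| for start."""
    return "|" + " ".join(f"{b:02x}" for b in service_tag(num)) + "|"


def snort_rule(num: int, sid: int) -> str:
    """Rule anchored on the TPKT version byte, without the variable length byte."""
    name = MMS_CONFIRMED_SERVICES.get(num, f"service{num}")
    return (f'alert tcp any any -> any 102 (msg:"IDS: mms-{name}"; '
            f'flow:to_server,established; content:"|03 00|"; depth:2; '
            f'content:"{snort_content_for_service(num)}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for num, sid in ((40, 1112727), (41, 1112728), (43, 1112729)):
        pkt = build_mms_request(5, num, "Control")
        print(pkt.hex(" "), "->", decode_mms_request(pkt))
        print(snort_rule(num, sid))
```

The two-byte content alone can also occur in unrelated data on port 102, so the generated rules add flow:to_server,established and anchor on the TPKT version byte at the start of the segment; matching the full TPKT/COTP/session prefix with offset and within modifiers tightens it further at the cost of missing requests carried on a segment boundary.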

Run Snort against the capture with these rules and check the log:

The log records the rule hits, so the rules are complete.