4. Setup

This chapter describes the various tasks needed to install and run snort and the accompanying tools.

Since the author uses RedHat Linux 7.x, all given path names and configuration options are RedHat specific. Nevertheless, applying the contents of this document to other distributions should not pose any big problem.

4.1. Setting up Snort

You can install snort either by getting the current tarball from http://www.snort.org/ and compiling it yourself, or by using the binaries shipped with your distribution.

For version 1.8.3, precompiled binaries for RPM based Linux distributions, FreeBSD, Solaris and Windows platforms are available from www.snort.org.

The author no longer maintains the RPMs (it is a lot of work for every new version), but will keep providing the snort.multi initscript at http://www.lug-burghausen.org/projects/Snort-Statistics/snortd.multi.

The author's 1.8.1 RPM with MySQL support (but without PostgreSQL support) can be obtained from http://www.lug-burghausen.org/projects/Snort-Statistics/snort-1.8.1-4.i386.rpm. To build a version with PostgreSQL support, download the source RPM, edit the spec file and rebuild it. If you are not familiar with building RPMs, have a look at http://www.rpm.org/, where you will find the RPM-HOWTO, the downloadable book Maximum RPM and many other good resources on RPM.

4.1.1. /etc/snort/snort.conf

After installing the RPM you have to edit /etc/snort/snort.conf to suit your needs. Martin Roesch wrote the Snort Users Manual, a PDF included in the snort tarball and the RPM; this document only covers the options needed for this setup, so consult the manual for the other available options.

The example /etc/snort/snort.conf in the tarball/RPM is also a good starting point, since it is documented in detail.

4.1.1.1. Snort variables

First, define the variables HOME_NET, EXTERNAL_NET and DNS_SERVERS so that they reflect your network topology. Make sure you use the correct addresses; otherwise you will get mysterious alerts or, even worse, no alerts at all.

When snort is used in a complex environment, for example a single sensor monitoring several interfaces, HOME_NET and EXTERNAL_NET can be hard to define or would end up as very long lists. In that case both variables can be set to any. You lose some pre-filtering this way, but you avoid listing a huge number of network ranges for a large internal network, which also keeps down the performance cost of snort checking every packet against a very long address list.

To get rid of some hard to handle false portscan messages, define DNS_SERVERS to hold the IP addresses of all your DNS servers as well as of other nodes, such as network management stations, that trigger snort's portscan module. This is work in progress.

You can also define your own variables to be referenced in your rules. This is useful, for example, for pass rules tailored to your environment.

Set all other variables to appropriate values or to $HOME_NET as defined in /etc/snort/snort.conf.

      var HOME_NET any
      var EXTERNAL_NET any
      # DNS_SERVERS holds the addresses of noisy machines, such as DNS or network management stations, that are ignored for portscan detection.
      var DNS_SERVERS [1.1.1.1/32,2.2.2.2/32]
      var SMTP_SERVERS $HOME_NET
      ...
     

4.1.1.2. Snort preprocessors

Next, configure the preprocessors to be used. The more preprocessors you use, the more alerts can be triggered, but at the cost of performance. So choose your preprocessors with care.

Some preprocessors are deprecated, so you should also consult Marty's Snort Users Manual here; for those, use the newly introduced replacements.

The preprocessors minfrag and stream have been replaced by stream4, and the preprocessor defrag by frag2.

frag2 is the new IP defragmentation preprocessor introduced in snort v1.8 (it reassembles fragmented pieces into contiguous data) and is more memory efficient than defrag/minfrag.

From the Snort Users Manual: the Stream4 module gives snort the ability to do TCP stream reassembly and stateful analysis. Robust stream reassembly lets Snort ignore "stateless" attacks. The Stream4 module also lets users track more than 256 simultaneous TCP streams, and Stream4 should be able to scale to handle more than 64,000 TCP connections.

The Stream4 module consists of two preprocessors, stream4 and stream4_reassemble, and both have to be used.

There are several options for both preprocessors, but for stream4 only detect_scans, to alert on portscan events, and detect_state_problems, to alert on stream events such as evasive RST packets, data on SYN packets and sequence numbers outside the window, will be used here.

For stream4_reassemble the option ports all is used, so that reassembly is done for all ports instead of only a few predefined ones. Admittedly this is somewhat paranoid and it affects the CPU load of the snort sensor. However, the author considers it the better solution, because a Pentium III 800 MHz machine monitoring three 100Mbit/s full duplex lines has shown no ill effects and a low load on average.

Two other preprocessors are portscan and portscan-ignorehosts, responsible for portscan detection and for the hosts to be ignored by portscan detection respectively.

Configure portscan to watch all networks using the 0.0.0.0/0 notation, set the number of ports that must be accessed, and define the detection period in seconds. Additionally, an absolute path to the portscan logfile has to be given.

portscan-ignorehosts removes the spurious alerts caused by hosts that talk too much and trigger portscan detection, such as name servers and network management stations (see the DNS_SERVERS variable above).

There are some more preprocessors used here that are not mentioned in Marty's Users Manual. unidecode replaces http_decode and normalizes http and UNICODE attacks (i.e. interprets them into their canonical form). rpc_decode normalizes rpc traffic on the given ports, bo checks for Back Orifice attacks, and telnet_decode normalizes telnet negotiation strings.

Other preprocessors such as SPADE are not covered here but will be in a later version.

The resulting preprocessor section of /etc/snort/snort.conf is:

      preprocessor frag2
      preprocessor stream4: detect_scans detect_state_problems
      preprocessor stream4_reassemble: ports all
      preprocessor unidecode: 80 8080
      preprocessor rpc_decode: 111
      preprocessor bo: -nobrute
      preprocessor telnet_decode
      preprocessor portscan: 0.0.0.0/0 6 3 /var/log/snort/portscan.log
      preprocessor portscan-ignorehosts: $DNS_SERVERS
     

4.1.1.3. Snort output modules

Next come the output modules. Of these, the syslog module alert_syslog is used to send alerts to syslog, and the database module is used to additionally log to a MySQL database.

The alert_syslog module needs some options describing what has to be logged. If, like the author, you use SnortSnarf to analyze the logfiles, you must add the LOG_PID option; otherwise SnortSnarf will have problems.

As mentioned before, ACID will be used, so snort has to be configured to log to a database. MySQL was chosen for no particular reason (the author had simply heard more about MySQL than about PostgreSQL).

The database output module needs the following parameters:

log | alert

Log for the alert facility. The log facility is also possible. If you want to store portscan alerts in the database, you must use alert.

mysql|postgresql|odbc|oracle|mssql

The database type.

user=<username>

Defines the user name to be used for the database.

password=<password>

The password needed for the given user.

dbname=<databasename>

The name of the database used for logging.

host=<hostname>

Defines the host the database is running on. Use localhost if the database runs on the snort sensor.

sensor_name=<sensor name>

Gives a unique name to distinguish between sensors if more than one sensor logs to the same database.

Here is the output module section of /etc/snort/snort.conf:

       output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
       output database: alert, mysql, user=snort password=mypassword dbname=snort host=localhost sensor_name=mysensor 
      

If you use more than one snort sensor and want them to log to one database, you should use a central database on a separate machine. In that case alert data can be correlated on one console when an attack is detected, and you get a much better overview.

4.1.1.4. Snort rule sets

Rules are an essential part of snort. They are divided into various categories, end in *.rules, and can be found in /etc/snort/. With version 1.8 and above the format has been changed to reflect classification types, and you can also define priority settings for the classtypes.

If you use the original snort tarball, copy all rule files and the classification.config file.

The classification types are configured in /etc/snort/classification.config. This file is already adapted to the snort rules shipped, so there is no need to touch it. If you want to use Max Vision's vision.rules, however, you have to add some lines, because the classtypes differ. Simply copy and paste all config classification: lines from vision.conf into /etc/snort/classification.config. Don't forget to get the vision.rules for snort 1.8 (vision18.rules and vision18.conf from http://www.whitehats.com/), since the previous file does not match the new format introduced with snort 1.8.

Here is the /etc/snort/classification.config file used with vision.rules:

       #
       # config classification: short name, short description, priority
       #
       #config classification: not-suspicious,Not Suspicious Traffic,0
       config classification: unknown,Unknown Traffic,1
       config classification: bad-unknown,Potentially Bad Traffic, 2
       config classification: attempted-recon,Attempted Information Leak,3
       config classification: successful-recon-limited,Information Leak,4
       config classification: successful-recon-largescale,Large Scale Information Leak,5
       config classification: attempted-dos,Attempted Denial of Service,6
       config classification: successful-dos,Denial of Service,7
       config classification: attempted-user,Attempted User Privilege Gain,8
       config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
       config classification: successful-user,Successful User Privilege Gain,9
       config classification: attempted-admin,Attempted Administrator Privilege Gain,10
       config classification: successful-admin,Successful Administrator Privilege Gain,11

       # added from vision18.conf
       # classification for use with a management interface
       # low risk
       config classification: not-suspicious,policy traffic that is not suspicious,0
       config classification: suspicious,suspicious miscellaneous traffic,1
       config classification: info-failed,failed information gathering attempt,2
       config classification: relay-failed,failed relay attempt,3
       config classification: data-failed,failed data integrity attempt,4
       config classification: system-failed,failed system integrity attempt,5
       config classification: client-failed,failed client integrity attempt,6
       # middle risk
       config classification: denialofservice,denial of service,7
       config classification: info-attempt,information gathering attempt,8
       config classification: relay-attempt,relay attempt,9
       config classification: data-attempt,data integrity attempt,10
       config classification: system-attempt,system integrity attempt,11
       config classification: client-attempt,client integrity attempt,12
       config classification: data-or-info-attempt,data integrity or information gathering attempt,13
       config classification: system-or-info-attempt,system integrity or information gathering attempt,14
       config classification: relay-or-info-attempt,relay of information gathering attempt,15
       # high risk
       config classification: info-success,successful information gathering attempt,16
       config classification: relay-success,successful relay attempt,17
       config classification: data-success,successful data integrity attempt,18
       config classification: system-success,successful system integrity attempt,19
       config classification: client-success,successful client integrity attempt,20
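The merged file above only loads cleanly because the original not-suspicious line was commented out before the vision18.conf block, which defines not-suspicious again. The following shell functions are an added example, not part of the original document or of snort: dup_classtypes reports every classification short name that a classification.config defines more than once (comment lines are skipped), and write_sample_classification writes a constructed sample file whose duplicate "unknown" entry is invented to exercise the check. Both function names are hypothetical.

```shell
#!/bin/sh
# Added example: find duplicate classification names in a snort
# classification.config (e.g. after pasting the vision18.conf block in).
# Lines starting with '#' are comments and are ignored.

# dup_classtypes FILE
# Prints every classification short name that is defined more than once,
# one per line with its count, e.g. "not-suspicious 2". Prints nothing and
# returns 0 when all names are unique; returns 1 otherwise.
dup_classtypes() {
    awk '
        # skip comments and anything that is not a classification line
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*config[[:space:]]+classification:/ {
            line = $0
            sub(/^[[:space:]]*config[[:space:]]+classification:[[:space:]]*/, "", line)
            split(line, f, ",")
            name = f[1]
            gsub(/[[:space:]]/, "", name)
            count[name]++
        }
        END {
            dups = 0
            for (n in count)
                if (count[n] > 1) { print n, count[n]; dups = 1 }
            exit dups
        }
    ' "$1"
}

# write_sample_classification FILE
# Constructed sample: a cut-down default block with not-suspicious commented
# out, followed by a vision18-style block that defines it again, plus a
# deliberate second definition of "unknown" that the check must report.
write_sample_classification() {
    cat > "$1" <<'EOF'
#
# config classification: short name, short description, priority
#
#config classification: not-suspicious,Not Suspicious Traffic,0
config classification: unknown,Unknown Traffic,1
config classification: bad-unknown,Potentially Bad Traffic, 2
# low risk
config classification: not-suspicious,policy traffic that is not suspicious,0
config classification: suspicious,suspicious miscellaneous traffic,1
config classification: unknown,unknown traffic,2
EOF
}
```

Run it as `dup_classtypes /etc/snort/classification.config` after pasting the vision lines in; an empty result means the names are unique.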
      

The classification and rule files are included in /etc/snort/snort.conf. Some of the rule files used here are not part of the standard distribution and were copied from CVS, for example virus.rules.

As said before, the vision.rules file will be fetched by the arachnids_upd tool discussed later.

Arachnids_upd renames vision18.rules to vision.rules, but the rules are of course the ones prepared for version 1.8 and above.

Since the variable definitions for INTERNAL and EXTERNAL in vision.rules are not identical to the ones in the snort rules, a script is used to rename them. See the arachnids_upd section below.

       # Include classification & priority settings
       include /etc/snort/classification.config
       
       include /etc/snort/exploit.rules
       include /etc/snort/scan.rules
       include /etc/snort/finger.rules
       include /etc/snort/ftp.rules
       include /etc/snort/telnet.rules
       include /etc/snort/smtp.rules
       include /etc/snort/rpc.rules
       include /etc/snort/rservices.rules
       include /etc/snort/backdoor.rules
       include /etc/snort/dos.rules
       include /etc/snort/ddos.rules
       include /etc/snort/dns.rules
       include /etc/snort/netbios.rules
       include /etc/snort/web-cgi.rules
       include /etc/snort/web-coldfusion.rules
       include /etc/snort/web-frontpage.rules
       include /etc/snort/web-iis.rules
       include /etc/snort/web-misc.rules
       include /etc/snort/sql.rules
       include /etc/snort/x11.rules
       include /etc/snort/icmp.rules
       include /etc/snort/shellcode.rules
       include /etc/snort/misc.rules
       include /etc/snort/policy.rules
       include /etc/snort/info.rules
       #include /etc/snort/icmp-info.rules
       include /etc/snort/virus.rules
       include /etc/snort/local.rules
     
       # vision.rules will be catched by arachnids_upd
       include /etc/snort/vision.rules
     

After finishing the /etc/snort/snort.conf setup, start snort with /etc/rc.d/init.d/snortd start and fix every error reported in the /var/log/messages logfile (ignore all messages concerning the database, since it is not set up yet). If everything went fine, proceed to the setup of the other parts.

4.1.2. /etc/rc.d/init.d/snortd

In /etc/rc.d/init.d/snortd you have to edit at least the interface part: change INTERFACE="eth0" to the interface you use. This can be another ethernet interface (ethx), or a pppx or ipppx interface. For example, if you use ISDN, the interface definition looks like this:

     INTERFACE="ippp0"
    

If your snort sensor monitors only one interface, using the snortd initscript is sufficient. If you have more than one interface, take a look at the script extended by the author. If you have only one interface but want to use swatch like the author does, copy the swatch part into your snortd script (see the contrib section of the RPM documentation).

The author's extended snortd initscript below lets snort monitor more than one interface. One could argue that any could be used as the interface name, since the underlying libpcap allows this. But that is not what the author intends, because there is no interest in monitoring the local network the snort sensor is installed in. This local network should be a separate, secured network segment with additional security measures such as a firewall. Sniffing on it therefore makes no sense, unless you want to detect attacks aimed at the snort network itself. If more than one sensor is used in this segment, only one of them needs to be configured to protect the segment, not all of them.

The author added a new function, daemonMult, derived from RedHat's daemon function in /etc/rc.d/init.d/functions. It allows starting a program more than once. The author has sent RedHat a patch for the daemon function introducing a new option --mult. If that addition is accepted, the daemonMult function becomes obsolete and the calls change from daemonMult to daemon --mult.

The author also changed the subsystem name from snort to snortd to get rid of an error message at reboot (the killall script on RedHat depends on the exact name).

With the author's script you can define several interfaces to monitor: use a space separated list in INTERFACE, as in the script below.

Some sanity checks are also included, to see whether the interface to listen on is already up and whether an IP address is defined for it. If an IP address is defined, the corresponding config is used, which on RedHat Linux lives in /etc/sysconfig/network-scripts/ifcfg-(interface-name). Otherwise the interface is brought up without an IP in promiscuous mode.

This has not yet been tested on any interface other than ethernet. The author will soon look at ISDN interfaces and report on any differences.

One snort process is started per interface, and swatch is started as well to check for errors when snort is restarted for rule updates (see the swatch section below).

When snort is shut down, all interfaces without an IP are shut down too, but interfaces with an IP configuration are not, since shutting down a snort'ed interface that is essential to the snort sensor could make it unreachable.

A better solution might be to check the interface's config file for the entry

     ONBOOT=yes
    

and to shut the interface down only if it is not set to yes. This is not yet implemented, however.
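As an added example, not part of the original initscript, here is how the ONBOOT check just described can be implemented in POSIX sh. The ifcfg directory is taken from the IFCFG_DIR variable (defaulting to RedHat's /etc/sysconfig/network-scripts) so the decision logic can be exercised against constructed ifcfg files without touching real interfaces; the function names onboot_enabled, should_shutdown and shutdown_sniffer_ifaces are hypothetical.

```shell
#!/bin/sh
# Added example: take a sniffer interface down at "snortd stop" only when
# its ifcfg file does not say ONBOOT=yes. IFCFG_DIR can be overridden, e.g.
# to point at a scratch directory holding constructed ifcfg files.
IFCFG_DIR="${IFCFG_DIR:-/etc/sysconfig/network-scripts}"

# onboot_enabled IFACE
# Returns 0 if $IFCFG_DIR/ifcfg-IFACE sets ONBOOT=yes (quotes and blanks
# tolerated; the last assignment wins, as it would when the file is sourced),
# 1 otherwise. A missing or empty file counts as "not ONBOOT", which is the
# normal state of a pure sniffer interface that has no config at all.
onboot_enabled() {
    cfg="$IFCFG_DIR/ifcfg-$1"
    [ -s "$cfg" ] || return 1
    val=$(grep '^[[:space:]]*ONBOOT=' "$cfg" | tail -n 1 | cut -d= -f2 | tr -d "\"'[:space:]")
    [ "$val" = "yes" ]
}

# should_shutdown IFACE
# Prints "down" (and returns 0) for an ethernet interface that is not marked
# ONBOOT=yes, "keep" (returns 1) for everything else: non-ethernet interfaces
# are left alone, as in the initscript's stop section.
should_shutdown() {
    case "$1" in
        eth*) ;;
        *)    echo keep; return 1 ;;
    esac
    if onboot_enabled "$1"; then
        echo keep
        return 1
    fi
    echo down
    return 0
}

# shutdown_sniffer_ifaces "eth1 eth2"
# Replacement for the stop loop: applies the decision to each interface.
shutdown_sniffer_ifaces() {
    for i in $1; do
        if [ "$(should_shutdown "$i")" = "down" ]; then
            /sbin/ifconfig "$i" down
        fi
    done
}
```

In the initscript the stop section would call `shutdown_sniffer_ifaces "$INTERFACE"` instead of testing for "inet addr:", so an interface that is meant to come up at boot is never taken down by a snort restart.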

Here is the extended snort initscript:

#!/bin/sh
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  Snort is a lightweight network intrusion detection system that
#               currently detects more than 1100 host and network vulnerabilities,
#               portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski <dave at linuxsecurity.com>
#   - initial version
# July 08, 2000 Dave Wreski <dave at guardiandigital.com>
#   - added snort user/group
#   - support for version 1.6.2
# April 11, 2001 Sandro Poppi <spoppi at gmx.de>
#   - added the multiple interface option for use with dial-up lines or
#     more than one sniffer interface.
#     I don't consider the libpcap option "-i any" a good choice, since
#     snort may be configured to monitor one or more interfaces without an
#     IP, but the monitoring interface would then be left unprotected.
#   - changed the subsystem name from snort to snortd to get rid of an
#     error message at reboot (RedHat's killall script depends on the exact name)
#   - added the daemonMult function, derived from the daemon function in
#     /etc/rc.d/init.d/functions, to allow running multiple instances of snort
#     (this could eventually be integrated into RedHat's daemon function; contact me)
# January 01, 2002 Sandro Poppi <spoppi at gmx.de>
#   - added a check whether swatch is installed
#   - added a check for non-ethernet interfaces, since those are assumed to be
#     brought up by ifconfig
#
# Source function library.
. /etc/rc.d/init.d/functions

# Function to start a program more than once.
# Rewritten from the daemon function in /etc/rc.d/init.d/functions.
daemonMult() {
        # Test syntax.
        gotbase=
        user=
        daemon_user=
        nicelevel=0
        while [ "$1" != "${1##-}" -o "$1" != "${1##+}" ]; do
          case $1 in
            '')    echo '$0: Usage: daemon [+/-nicelevel] {program}'
                   return 1;;
            --check)
                   shift
                   base=$1
                   gotbase="yes"
                   shift
                   ;;
            --user)
                   shift
                   daemon_user=$1
                   shift
                   ;;
            -*|+*) nicelevel=$1
                   shift
                   ;;
             *)    nicelevel=0
                   ;;
          esac
        done

        # Save the basename.
        [ -z "$gotbase" ] && base=`basename $1`

        # Make sure it doesn't core dump anywhere; while this could mask
        # problems with the daemon, it also closes some security problems.
        ulimit -S -c 0 >/dev/null 2>&1

        # Echo daemon
        [ "$BOOTUP" = "verbose" ] && echo -n " $base"

        # And start it up.
        if [ -z "$daemon_user" ]; then
           nice -n $nicelevel initlog $INITLOG_ARGS -c "$*" && success "$base startup" || failure "$base startup"
        else
           nice -n $nicelevel initlog $INITLOG_ARGS -c "su $daemon_user -c \"$*\"" && success "$base startup" || failure "$base startup"
        fi
}

# Specify the network interface(s) to monitor
INTERFACE="eth1 eth2"

# See how we were called.
case "$1" in
start)
        if [ -x /usr/bin/swatch ] ; then
          echo -n "Starting swatch: "
          # inserted by the author to use swatch
          # started before snort so that errors at snort startup are reported
          # use /var/log/secure if you use the snort option -s
          # use /var/log/messages if you use the alert_syslog: output option in snort.conf
          /usr/bin/swatch --daemon --tail /var/log/messages --config-file /etc/swatch/swatchrc &
          touch /var/lock/subsys/swatch
          echo "done."
          echo
        fi

        # added the multiple interface option
        for i in `echo "$INTERFACE"` ; do
          echo -n "Starting snort on interface $i: "
          # inserted to bring up sniffer interfaces without an IP for snort at script start
          # only if the interface is not loaded yet or not up yet
          if [ `/sbin/ifconfig $i 2>&1 | /bin/grep -c "Device not found"` != "0" \
               -o `/sbin/ifconfig $i 2>&1 | /bin/grep -c "UP"` = "0" ] ; then

            # check for interfaces other than ethernet
            if [ `echo $i | /bin/grep -c "^eth"` = "1" ] ; then
              # check whether a config exists for the given interface
              # normally this should be omitted for sniffer interfaces for security reasons
              if [ -s "/etc/sysconfig/network-scripts/ifcfg-$i" ]; then
                # use the config
                /sbin/ifup $i
              else
                # sniffer interface without an IP
                /sbin/ifconfig $i up promisc
              fi
            fi
          fi
          # run the rewritten daemon function from above
          daemonMult /usr/sbin/snort -u snort -g snort -d -D \
                 -i $i -I -l /var/log/snort -c /etc/snort/snort.conf
          echo
        done

        touch /var/lock/subsys/snortd

        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snortd

        # inserted by the author
        if [ -x /usr/bin/swatch ] ; then
          echo
          echo -n "Stopping swatch: "
          kill `ps x|grep "/usr/bin/swatch"|grep -v grep|awk '{ print $1 }'`
          rm -f /var/lock/subsys/swatch
        fi

        # shut the interface down only if it has no IP address
        # and only for ethernet interfaces, since other interfaces must not be taken down here
        for i in `echo "$INTERFACE"`; do
          if [ `echo $i | /bin/grep -c "^eth"` = "1" -a \
              `/sbin/ifconfig $i 2>&1 | /bin/grep -c "inet addr:"` = "0" ] ; then
            /sbin/ifconfig $i down
          fi
        done
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        #status swatch
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac
exit 0
    

4.1.3. /etc/snort/snort-check

This shell script is used to generate winpopups via smbclient or to send e-mail to given persons. It was inspired by Bill Richardson's script published on the snort homepage.

The winpopup part may be obsolete because of the smb output module introduced with snort 1.8, but the author has not tested that yet.

#!/bin/sh

# Script run from within swatch to send alerts in several formats.
# Inspired by Bill Richardson's script on www.snort.org.
# Extended to read a "hosts" file containing the names of the workstations
# to send winpopups to. The syntax is the same as the snortd option -M.
# Poppi, 02.05.2001

# Prerequisites:
# Samba has to be installed correctly.
# Adapt the following variables to your system (fine as is for RedHat 7.x)

# hostfile holds the name of the file containing the workstations for winpopups.
hostfile="/etc/snort/hosts"

# recipientfile holds the addresses of all recipients,
# one recipient per line.
recipientfile="/etc/snort/recipients"

# if the recipient file exists
if [ -s "$recipientfile" ] ; then
  # build the recipient list of e-mail addresses
  for i in `cat $recipientfile` ; do
    recipients="$recipients $i"
  done

  # $recipients is left unquoted on purpose so that every address
  # becomes a separate argument to mail
  echo "$*" | mail -s "Snort-Alert!!!" $recipients
fi

# if the hostfile exists, send winpopups
if [ -s "$hostfile" ] ; then
  for i in `cat $hostfile` ; do
    echo "Snort-Alert! $*" | smbclient -M $i > /dev/null 2>&1
  done
fi

4.1.3.1. /etc/snort/hosts

Put the names of the workstations that should receive snort messages into this file, one per line.

       ws001
       ws002
       ws003
      

4.1.3.2. /etc/snort/recipients

Put the e-mail addresses of the recipients who want (or are supposed) to get snort alerts into /etc/snort/recipients, one per line.

       jane@internal.local.com
       henk@snort.info
       sandro@snort.info
      

If either of the two files is omitted, the corresponding feature is disabled.

4.1.4. Snort internal statistics

Snort has a built-in facility to output some internal statistics, which can be logged using the following command:

/bin/kill -SIGUSR1 <pid of snort>

Or, if there is more than one snort process on the same machine and you want all the information at once, you can use:

/bin/killall -USR1 snort

After using the above command you get internal statistics like the following in syslog (/var/log/messages):

Sep 29 07:51:48 ids01 snort[8000]:   ===============================================================================
Sep 29 07:51:48 ids01 snort[8000]: Snort analyzed 27316 out of 27316 packets,
Sep 29 07:51:48 ids01 snort[8000]: dropping 0(0.000%) packets
Sep 29 07:51:48 ids01 snort[8000]: Breakdown by protocol:                Action Stats:
Sep 29 07:51:48 ids01 snort[8000]:     TCP: 27152      (99.400%)         ALERTS: 0
Sep 29 07:51:48 ids01 snort[8000]:     UDP: 0          (0.000%)          LOGGED: 0
Sep 29 07:51:48 ids01 snort[8000]:    ICMP: 164        (0.600%)          PASSED: 0
Sep 29 07:51:48 ids01 snort[8000]:     ARP: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:    IPv6: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:     IPX: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:   OTHER: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]: DISCARD: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
Sep 29 07:51:48 ids01 snort[8000]: Fragmentation Stats:
Sep 29 07:51:48 ids01 snort[8000]: Fragmented IP Packets: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:     Fragment Trackers: 0
Sep 29 07:51:48 ids01 snort[8000]:    Rebuilt IP Packets: 0
Sep 29 07:51:48 ids01 snort[8000]:    Frag elements used: 0
Sep 29 07:51:48 ids01 snort[8000]: Discarded(incomplete): 0
Sep 29 07:51:48 ids01 snort[8000]:    Discarded(timeout): 0
Sep 29 07:51:48 ids01 snort[8000]:   Frag2 memory faults: 0
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
Sep 29 07:51:48 ids01 snort[8000]: TCP Stream Reassembly Stats:
Sep 29 07:51:48 ids01 snort[8000]:         TCP Packets Used: 27152      (99.400%)
Sep 29 07:51:48 ids01 snort[8000]:          Stream Trackers: 1
Sep 29 07:51:48 ids01 snort[8000]:           Stream flushes: 0
Sep 29 07:51:48 ids01 snort[8000]:            Segments used: 0
Sep 29 07:51:48 ids01 snort[8000]:    Stream4 Memory Faults: 0
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
     

But keep in mind: with versions prior to 1.8.3 you have to restart snort to get fresh statistics. So with an older version, always run kill -SIGUSR1 together with a snort restart.

First look at the first two lines. If snort reports dropped packets, you should examine not only the snort configuration but also the setup of the snort box very carefully.

For example, stop all unnecessary services that are not essential on the box, and examine the output of the top command. If the idle counter is very low, find out which processes are consuming CPU time and eventually move those programs to another machine. This applies when ACID, the database and snort are running on the same machine with little memory and/or a slow CPU.

The other data lines give an overview of the preprocessors and their work. You should also examine the memory fault entries: if the numbers are not 0, look into memory usage and eventually configure the preprocessors to use more memory (check the appropriate sections in /etc/snort/snort.conf).
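The following shell functions are an added example, taken neither from this document nor from Greg Sarsons' script: check_snort_stats reads a syslog extract like the one above and pulls out the counters the text says to watch, the analyzed/dropped packet numbers and the frag2 and stream4 memory fault lines, and fails when any of them is non-zero. The log lines that write_sample_stats emits are constructed for the example (the drop and fault numbers in the "dropping" variant are invented to show the failing case); both function names are hypothetical.

```shell
#!/bin/sh
# Added example: evaluate a snort internal statistics dump from syslog.
# Only the last occurrence of each counter is used, since a logfile may hold
# several dumps for the same pid (one per USR1 signal).

# check_snort_stats FILE
# Prints "analyzed=A dropped=D frag2_faults=F stream4_faults=S" and returns
# 1 when packets were dropped or a preprocessor reported memory faults,
# 0 when all three counters are zero.
check_snort_stats() {
    awk '
        /Snort analyzed [0-9]+ out of/ {
            n = $0; sub(/.*Snort analyzed /, "", n); sub(/ out of.*/, "", n); analyzed = n
        }
        /dropping [0-9]+\(/ {
            n = $0; sub(/.*dropping /, "", n); sub(/\(.*/, "", n); dropped = n
        }
        /Frag2 memory faults:/   { frag = $NF }
        /Stream4 Memory Faults:/ { stream = $NF }
        END {
            printf "analyzed=%d dropped=%d frag2_faults=%d stream4_faults=%d\n",
                   analyzed, dropped, frag, stream
            exit ((dropped + frag + stream) > 0)
        }
    ' "$1"
}

# write_sample_stats MODE
# Writes a constructed syslog extract to stdout. MODE "clean" reproduces the
# healthy numbers shown above; MODE "dropping" uses invented drop and fault
# counts so the failing case can be exercised.
write_sample_stats() {
    if [ "$1" = "dropping" ]; then
        drop="412(1.508%)"; faults=3
    else
        drop="0(0.000%)"; faults=0
    fi
    cat <<EOF
Sep 29 07:51:48 ids01 snort[8000]: Snort analyzed 27316 out of 27316 packets,
Sep 29 07:51:48 ids01 snort[8000]: dropping $drop packets
Sep 29 07:51:48 ids01 snort[8000]: Breakdown by protocol:                Action Stats:
Sep 29 07:51:48 ids01 snort[8000]:     TCP: 27152      (99.400%)         ALERTS: 0
Sep 29 07:51:48 ids01 snort[8000]: Fragmentation Stats:
Sep 29 07:51:48 ids01 snort[8000]:   Frag2 memory faults: 0
Sep 29 07:51:48 ids01 snort[8000]: TCP Stream Reassembly Stats:
Sep 29 07:51:48 ids01 snort[8000]:    Stream4 Memory Faults: $faults
EOF
}
```

On a sensor you would run `check_snort_stats /var/log/messages` (or the per-pid archive file) right after sending USR1; a non-zero exit status is what a cron job or swatch action can react to.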

Here is a short script, inspired by Greg Sarsons, to get snort's internal statistics. Save it to a file and restart snort.

The statistics files are stored in /var/log/snort/archive, so this directory has to be created first.

#!/bin/bash
# Script to generate and extract specific snort statistics from a given
# file produced by syslog after running kill -USR1 <snort-pid>
#
# This script assumes the pid is logged in the logfile.
# This is possible with the following line in the snort.conf file:
# output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
#
# (c) Sandro Poppi 2001
# Released under GPL

echo "Starting gathering snort internal statistics. Please be patient..."

if [ "$1." == "." -o ! -e "$1" ] ; then
  # no file given or it doesn't exist: use the following default file
  log_file="/var/log/messages"

else
  # if the logfile location is not the standard one, make sure snort really
  # uses this logfile; otherwise this script won't work when the USR1 signal is sent
  log_file="$1"
fi

# find the snort pid(s)
snort_pid=`/sbin/pidof snort`

# get the internal statistics of all snort processes
# killall is not used so that the output is already sorted
for i in `echo $snort_pid` ; do
  kill -USR1 $i
  
  # sleep 2 seconds so that snort can send its statistics to syslog
  sleep 2
done
  
# restart snort immediately after sending USR1
# this can be omitted with snort CVS versions after about January 11, 2001
# or with any version from 1.8.2 on
/etc/rc.d/init.d/snortd restart

for i in `echo $snort_pid` ; do
  # process logfile

  filename=/var/log/snort/archive/snort.`date "+%Y-%m-%d"`.$i.log
    
  # check for an existing file and rename it if present
  if [ -e "$filename" ] ; then
    mv "$filename" "$filename.bak"
  fi
  
  egrep "snort\[$i\]:" $log_file > "$filename"
  
  # check for dropped packets using lines like the following
  # Oct 22 18:02:06 xbgh17183 snort[573]: dropping 0(0.000%) packets 
  # only the last "dropping" line is evaluated, since the logfile may hold
  # several statistics dumps for the same pid
  if [ "`egrep -c "dropping" $filename`" != "0" -a \
       "`egrep "dropping" $filename | tail -n 1 | awk -F "[ (]" '{ print $7 }'`" != "0" ] ; then
    echo "Snort's dropping packets!!! Take a look on the configuration and/or the system's performance!!!"
  fi 
  
done

echo "Gathering snort internal statistics finished..."
     

4.1.5. Testing Snort

To test snort, edit /etc/rc.d/init.d/snortd and make snort listen on the loopback interface lo. Those with a network card installed can use eth0 instead, but then snot has to be run from a second PC, because no packets would be sent over the interface if snot and snort run on the same machine.

Probably the easiest way to test snort is to use snot, which can be found at http://www.sec33.com/sniph/.

Snot needs libnet to be installed. Since there is no RPM available for RedHat 7.x, you can use MandrakeSoft's libnet-1.0.2-6mdk.i586.rpm, which can be found at http://rpmfind.net/ and on the Mandrake site http://www.mandrake.com/. Most Mandrake RPMs can be used on RedHat systems without any problem. But note that Mandrake does not provide i386 RPMs, so they cannot be used on older, pre-Pentium (P5) processors. In that case get the source from http://www.packetfactory.net/projects/libnet and compile it yourself.

To compile snot, simply untar the tarball and run make in the snot directory. If the compilation finishes without errors, snot is ready to use. Otherwise some development package is missing.

To prepare snot, copy /etc/snort/snort.conf into the snot directory and cat one or more rule files to the end of the copied snort.conf:

cat /etc/snort/backdoor.rules >> snort.conf

Then run tail -f /var/log/messages on one console and do the testing on another console at the same time.

If you used lo as the interface name in the snortd initscript, snot can be run like this:

./snot -r snort.conf -d localhost -n 5

This tells snot to use the copied snort.conf, to use localhost as the destination, and to limit the run to a maximum of 5 packets so as not to trigger too many alerts.

You will probably get some messages about additional variables being ignored. This is because snot cannot handle the new variables introduced with snort 1.8; don't panic and simply ignore these messages. snot is working fine.

In /var/log/messages you should see some snort alerts:

Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.213.151:6969 -> 127.0.0.1:3170
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.213.151:6969 -> 127.0.0.1:3170
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.155.231:6969 -> 127.0.0.1:57580
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.155.231:6969 -> 127.0.0.1:57580
Sep 10 18:22:33 ids01 snort[1536]: <lo> Deep Throat access: 192.168.170.42:2140 -> 127.0.0.1:60521
     

If you get similar alerts, fine. If not, investigate your configuration until you get results similar to those above.

Now edit /etc/snort/snort.conf, put the correct value into the INTERFACE variable and restart snort.

4.2. Configuring MySQL

To let Snort send its alerts to MySQL you first have to install MySQL. Most linux distributions have a MySQL package available, so use that. Otherwise you will probably have to download the tarball from http://www.mysql.org/ and compile and install it from scratch. See the documentation included with MySQL for how to install it.

After starting the MySQL daemon (on RedHat, run /etc/rc.d/init.d/mysql start after installing the RPM) you have to initialize the snort database, as follows:

[root@ids01 /root]# mysql -u root
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 133 to server version: 3.23.32

Type 'help;' or '\h' for help. Type '\c' to clear the buffer

mysql>create database snort;
Query OK, 1 row affected (0.00 sec)

mysql> connect snort
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Connection id:    139
Current database: snort

mysql> status
--------------
mysql  Ver 11.12 Distrib 3.23.32, for redhat-linux-gnu (i386)

Connection id:          139
Current database:       snort
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.32
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 1 day 2 hours 6 min 21 sec

Threads: 14  Questions: 4272  Slow queries: 0  Opens: 58  Flush tables: 1  Open tables: 18 Queries per second avg: 0.045
--------------

mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
    

To create the required database table structure, use the create_mysql script, which can be found in the contrib directory of the original tarball or of the author's RPM.

[root@ids01 /root]# mysql -u root snort < ./contrib/create_mysql

Remember to add a userid/password pair for the database and to change xxxx to a password suitable for your environment.

[root@ids01 /root]# mysql -u root mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 148 to server version: 3.23.32

Type 'help;' or '\h' for help. Type '\c' to clear the buffer

mysql> insert into user (User,Password) values('snort',PASSWORD('xxxx'));
Query OK, 1 row affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
    

For convenience, add some special tables found in the contrib of the snort tarball and of the author's RPM with the following command:

zcat snortdb-extra.gz | mysql -u root snort

To use ACID's archive feature you will have to create another database, snort_archive (or any other name you like), in the same way as you defined the snort database.

From now on the database can be used for logging at any time via snort's database output module, which can be activated in /etc/snort/snort.conf.

4.3. Configuring ADODB

ADODB is a required part of ACID and provides database connectivity for PHP-based programs like ACID.

Install ADODB in a directory accessible to the web server. On RedHat this is /var/www/html/adodb/.

ADODB version 1.31 has a bug in adodb.inc.php, and the bug may still exist in newer versions. You have to change the path in line 40 to reflect your local requirements. It is essential to remove the dirname() call completely, so the result looks like this:

 if (!defined('_ADODB_LAYER')) {
        define('_ADODB_LAYER',1);

        define('ADODB_FETCH_DEFAULT',0);
        define('ADODB_FETCH_NUM',1);
        define('ADODB_FETCH_ASSOC',2);
        define('ADODB_FETCH_BOTH',3);

        GLOBAL
                $ADODB_vers,            // database version
                $ADODB_Database,        // last database driver used
                $ADODB_COUNTRECS,       // count the number of records returned - slows down queries
                $ADODB_CACHE_DIR,       // directory for cached recordsets
                $ADODB_FETCH_MODE;      // DEFAULT, NUM, ASSOC or BOTH. Default follows native driver default...

        $ADODB_FETCH_MODE = ADODB_FETCH_DEFAULT;
        /**
         * set the value below to the directory this file is located in
         * ADODB_RootPath has been renamed ADODB_DIR
         */
        if (!defined('ADODB_DIR')) define('ADODB_DIR','/var/www/html/adodb');

    

That is all that has to be done for ADODB.

4.4. Configuring PHPlot

After downloading PHPlot, put the package into a directory the web server can access. On RedHat this is /var/www/html/phplot/. There is nothing to configure here.

4.5. Configuring ACID

As mentioned before, ACID needs a few additional programs installed in order to work correctly. A database system such as MySQL version 3.23 or higher, a web server supporting PHP 4.0.2 or higher such as apache with the PHP module mod_php, and ADODB version 0.93 are required, while the graphics library gd version 1.8 or higher and PHPlot version 4.4.6 or higher are optional but recommended. apache, the PHP module and gd are always included and installed in every linux distribution, so this document does not cover them.

For Snort 1.8 and higher you will need at least ACID 0.9.6b13. ACID is in the contrib of the author's RPM, but since ACID is being developed rapidly it may be an older version. So always check ACID's homepage for a newer version.

Install ACID in a directory accessible to the web server, such as /var/www/html/acid.

In /var/www/html/acid/acid_conf.php you will have to edit a few variables to suit your environment.

First define the database type in the variable DBtype. Next define the alert_* and archive_* variables.

Define the path to PHPlot in ChartLib_path. In this document it is /var/www/html/phplot.

The last variable you have to define is portscan_file, the absolute path and filename of snort's portscan log file.

All other variables are sufficient for the time being. Of course you can edit them to suit your needs.

Here is the config the author used:

<?php

$ACID_VERSION = "0.9.6b15";

/* Path to the DB abstraction library
 *  (NOTE: do not include a trailing backslash after the directory)
 *   e.g. $foo = "/tmp"      [OK]
 *        $foo = "/tmp/"     [WRONG]
 *        $foo = "c:\tmp"    [OK]
 *        $foo = "c:\tmp\"   [WRONG]
 */
$DBlib_path = "/var/www/html/adodb";

/* Type of the underlying alert database
 *
 *  MySQL       : "mysql"
 *  PostgresSQL : "postgres"
 */
$DBtype = "mysql";

/* Alert DB connection parameters
 *   - $alert_dbname   : MySQL database name of the Snort alert DB
 *   - $alert_host     : host on which the DB is stored
 *   - $alert_port     : port on which to access the DB
 *   - $alert_user     : DB user
 *   - $alert_password : password of the DB user
 *
 *  This information can be gathered from the Snort database output plugin configuration.
 */
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "xxxx";

/* Archive DB connection parameters */
$archive_dbname   = "snort_archive";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "snort";
$archive_password = "xxxx";

/* Type of DB connection to use
 *   1  : use a persistent connection (pconnect)
 *   2  : use a normal connection (connect)
 */
$db_connect_method = 1;

/* Path to the graphics library
 *  (NOTE: do not include a trailing backslash after the directory)
 */
$ChartLib_path = "/var/www/html/phplot";

/* File format of the charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";

/* Default colors of the charts
 *    - $chart_bg_color_default    : background color of the chart
 *    - $chart_lgrid_color_default : color of the chart's grid lines
 *    - $chart_bar_color_default   : color of the chart's bars/lines
 */
$chart_bg_color_default     = array(255,255,255);
$chart_lgrid_color_default  = array(205,205,205);
$chart_bar_color_default    = array(190, 5, 5);

/* Maximum number of rows per criteria element */
$MAX_ROWS = 20;

/* Number of rows to display for any query results */
$show_rows = 50;

/* Number of items to return during a snapshot
 *  Last _X_ # of alerts/unique alerts/ports/IP
 */
$last_num_alerts = 15;
$last_num_ualerts = 15;
$last_num_uports = 15;
$last_num_uaddr = 15;

/* Number of items to return during a snapshot
 *  Most frequent unique alerts/IPs/ports
 */
$freq_num_alerts = 5;
$freq_num_uaddr = 15;
$freq_num_uports = 15;

/* Number of scroll buttons used when displaying query results */
$max_scroll_buttons = 12;

/* Debug mode - determines how much debugging information is shown
 * Timing mode - shows timing information
 * SQL trace mode - logs SQL statements
 *   0 : no special information
 *   1 : debugging information
 *   2 : extended debugging information
 *
 * HTML no cache - determines whether a no-cache directive is sent to the browser
 *                 should be 1 for Internet Explorer
 *
 * SQL trace file - file in which to log the SQL trace
 */
$debug_mode = 0;
$debug_time_mode = 1;
$html_no_cache = 1;
$sql_trace_mode = 0;
$sql_trace_file = "";

/* Auto-Screen refresh
 * - Refresh_Stat_Page - should the statistics page be refreshed?
 * - Stat_Page_Refresh_Time - refresh interval (in seconds)
 */
$refresh_stat_page = 1;
$stat_page_refresh_time = 180;

/* Show the first/previous/last timestamps for alerts, or
 * only the first/last timestamps in the unique alert listing
 *    1: yes
 *    0: no
 */
$show_previous_alert = 1;

/* Sets maximum execution time (in seconds) of any particular page.
 * NOTE: this overrides the PHP configuration file variable max_execution_time,
 *       so a script may run for a total of ($max_script_runtime + max_execution_time) seconds
 */
$max_script_runtime = 180;

/* How should criteria for IP addresses be entered on the search screen?
 *   1 : each octet is a separate field
 *   2 : the whole address is a single field
 */
$ip_address_input = 2;

/* Resolve IPs to FQDNs (Fully Qualified Domain Names) (for certain queries)?
 *    1 : yes
 *    0 : no
 */
$resolve_IP = 0;

/* Should summary stats be calculated for every query result page
 * (enabling this option will slow down page loading)
 */
$show_summary_stats = 1;

/* DNS cache lifetime (in minutes) */
$dns_cache_lifetime = 20160;

/* Whois information cache lifetime (in minutes) */
$whois_cache_lifetime = 40320;

/* Snort spp_portscan log file */
$portscan_file = "/var/log/snort/portscan.log";

/* Event cache auto-update
 *
 *  Should the event cache be verified and updated on every page load?
 *  If not, the cache has to be updated explicitly from the 'cache and status' page.
 *
 *  NOTE: enabling this option will slow down page loading considerably when
 *  there are many uncached alerts. This is only a one-time inconvenience, however.
 *
 *   1 : yes
 *   0 : no
 */
$event_cache_auto_update = 1;

/* Link for external Whois queries */
$external_whois_link = "http://www.samspade.org/t/ipwhois?a=";

?>
    

You may wonder why the author used xxxx as the password. Well, do you like passwords that everybody in the world can use?

When you load ACID in the browser for the first time, you will be told that ACID support has to be installed into the selected database. Click Setup and ACID will create the required entries in the database. If everything is configured correctly you will now get all the information that is in the database. Usually there is nothing at this point.

Try to trigger some snort rules using snot (see the section above), nmap (http://www.nmap.org/, a port scanner with a great many capabilities) or nessus (http://www.nessus.org/, a scanner for finding vulnerabilities in systems).

Every time this happens you will get all the alerts in ACID right away.

4.6. Configuring SnortSnarf

SnortSnarf is another tool, which analyzes snort's log files instead of a database.

Untar SnortSnarf into the directory you want and install it there. In the author's case it was installed in /opt/SnortSnarf.

Copy /opt/SnortSnarf/Time-modules/lib/Time to /opt/SnortSnarf/include/SnortSnarf/Time so that the required perl modules are available to SnortSnarf.

Copy the following files into the web server's cgi-bin (e.g. /var/www/cgi-bin/):

     /opt/SnortSnarf/cgi/*
     /opt/SnortSnarf/include/ann_xml.pl
     /opt/SnortSnarf/include/web_utils.pl
     /opt/SnortSnarf/include/xml_help.pl
    

If you want to use SnortSnarf's annotation feature, which lets you create notes on incidents, first create the directory /var/www/html/SnortSnarf/annotations. Next copy /opt/SnortSnarf/new-annotation-base.xml to /var/www/html/SnortSnarf/annotations and run the following command from /opt/SnortSnarf/utilities:

./setup_anns_dir.pl -g apache /var/www/html/SnortSnarf/annotations

Check the permissions of /var/www/html/SnortSnarf/annotations so that they look like this:

[root@ids01 SnortSnarf]# ll -a /var/www/html/SnortSnarf/annotations/
total 16
drwxrwx---    2 root     apache       4096 May 23 14:31 .
drwxr-xr-x    8 root     root         4096 May 23 14:17 ..
-rw-r--r--    1 apache   apache        478 May 23 14:31 new-annotation-base.xml
    

The author created the wrapper script /opt/SnortSnarf/snortsnarf.sh to get rid of @INC errors that were hard to handle (someone with more perl knowledge might give the author a hint on how to eliminate these errors). The author runs /opt/SnortSnarf/snortsnarf.sh via cron every hour from 6 am to 6 pm.

The author's crontab entry looks like this:

# generate SnortSnarf statistics every hour from 6 am to 6 pm
0 6,7,8,9,10,11,12,13,14,15,16,17,18 * * * /opt/SnortSnarf/snortsnarf.sh
    

SnortSnarf is called to analyze the five log files /var/log/messages*, puts the generated HTML files into the /var/www/html/SnortSnarf directory and uses the annotation feature described above.

Here is the content of /opt/SnortSnarf/snortsnarf.sh:

#!/bin/sh
# wrapper for use with crontab, to get rid of the @INC problem
# Poppi, 22.05.2001
cd /opt/SnortSnarf
./snortsnarf.pl -d /var/www/html/SnortSnarf -db /var/www/html/SnortSnarf/annotations/new-annotation-base.xml -dns -rulesfile /etc/snort/snort.conf -ldir "file://var/log/snort/" /var/log/messages /var/log/messages.1 /var/log/messages.2 /var/log/messages.3 /var/log/messages.4
    

Test SnortSnarf by running snortsnarf.sh and examine /var/www/html/SnortSnarf/ with your browser.

4.7. Configuring Arachnids_upd

Warning: automatically updating rules without any encryption or authentication can create a backdoor, because the rules could be tampered with so that an attacker's presence goes undetected by the IDS. So use this with care.

Another problem is that www.whitehats.com is sometimes offline, in which case no rules can be downloaded.

Unpack the arachnids_upd package into a directory of your choice. The author uses /opt/arachnids_upd/.

For Snort 1.8 and higher you will have to edit /opt/arachnids_upd/arachnids_upd.pl and change the filename to download:

     my $url = "http://www.whitehats.com/ids/vision18.rules.gz";   # Default URL.
    

Arachnids_upd uses wget, so it has to be installed on your system and configured to work with your internet connection.

Here is an example .wgetrc for a connection through a proxy server with user authentication:

     proxy_user = user
     proxy_passwd = xxxx
     http_proxy = <proxy>:<port>
     ftp_proxy = <proxy>:<port>
     use_proxy = on
    

Replace <proxy> and <port> with the name or ip address of your proxy and the port number the proxy uses. If you do not use a proxy, none of these entries are needed.

The author wrote a shell script that gets the new rules, changes the variable names in vision.rules to match the definitions in /etc/snort/snort.conf, and restarts snort so that the new rules take effect.

#!/bin/sh
# script to update the vision.rules file correctly using arachnids_upd.pl
# Poppi 22.05.2001

# get the new rules (~/.wgetrc has to be set up so the internet can be reached)
/opt/arachnids_upd/arachnids_upd.pl -o /opt/arachnids_upd/vision.rules -b /opt/arachnids_upd/rules.backup/ -c

# change to the variable names used in /etc/snort/snort.conf and copy the new file to the right place
cat /opt/arachnids_upd/vision.rules | sed s/EXTERNAL/EXTERNAL_NET/g | sed s/INTERNAL/HOME_NET/g > /etc/snort/vision.rules

# restart snort so the rules take effect
/etc/rc.d/init.d/snortd restart
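The warning at the start of this section is about exactly the copy step above: whatever arrives in /opt/arachnids_upd/vision.rules goes straight into the sensor. The following added example (not from the HOWTO and not part of arachnids_upd) is a drop-in replacement for the cat | sed | sed line that only installs the file when its SHA-256 matches a digest obtained over a trusted channel, and that rewrites only the $EXTERNAL/$INTERNAL variable references so a second run cannot turn EXTERNAL_NET into EXTERNAL_NET_NET. The function names, the digest source and the sample rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the HOWTO or of arachnids_upd: verify the
# downloaded rules file before it replaces /etc/snort/vision.rules.
# Assumption: the expected SHA-256 of the rules release is obtained over a
# trusted channel (for example a signed announcement) and passed in by hand.

# sha256_of FILE: print the hex digest (coreutils sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# convert_vars SRC DEST: rewrite $EXTERNAL and $INTERNAL to the names used in
# /etc/snort/snort.conf. Only the variable reference itself is touched (it must
# be followed by a non-identifier character), so unlike a bare
# s/EXTERNAL/EXTERNAL_NET/g a second run does not produce EXTERNAL_NET_NET.
convert_vars() {
    sed -e 's/\$EXTERNAL\([^A-Za-z0-9_]\)/$EXTERNAL_NET\1/g' \
        -e 's/\$INTERNAL\([^A-Za-z0-9_]\)/$HOME_NET\1/g' "$1" > "$2"
}

# install_rules CANDIDATE EXPECTED_SHA256 DEST
# Writes DEST only when the digest matches. On a mismatch DEST is left
# untouched and 1 is returned, so the sensor keeps its previous rules and the
# caller can skip the snort restart.
install_rules() {
    candidate=$1
    expected=$2
    dest=$3
    actual=$(sha256_of "$candidate")
    if [ "$actual" != "$expected" ]; then
        echo "vision.rules digest mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    tmp="$dest.tmp.$$"
    convert_vars "$candidate" "$tmp" && mv "$tmp" "$dest"
}

# Usage in the author's script, in place of the cat | sed | sed line:
#   install_rules /opt/arachnids_upd/vision.rules "$EXPECTED_SHA256" \
#       /etc/snort/vision.rules && /etc/rc.d/init.d/snortd restart
```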
    

Arachnids_upd can also remove rules from vision.rules during the download, so if you want, edit /opt/arachnids_upd/arachnids.ignore and put in the IDS numbers that should be ignored.

     # Put in the IDS numbers whose rules should be suppressed.
     # One IDS number per line.

     # Examples:

     1      # Ignore IDS1
     2      # Ignore IDS2
     3      # Ignore IDS3
     
     # I think you get it now :)
    

4.8. Configuring Swatch

Swatch is an excellent package for handling all kinds of log files; it can be configured with regular expressions to warn you whenever anything related to an attack is written to a log file.

Swatch requires the following perl modules to be installed:

     perl-TimeDate
     perl-Date-Calc
     perl-Time-HiRes
     perl-File-Tail
    

Swatch can be obtained as an RPM from http://www.lug-burghausen.org/projects/Snort-Statistics/swatch-3.0.2-1.noarch.rpm, together with the author's source RPM http://www.lug-burghausen.org/projects/Snort-Statistics/swatch-3.0.2-1.src.rpm.

Swatch is configured through the configuration file /etc/swatch/swatch.conf.

The author is building a source RPM with a demo swatch.conf that contains the two rules for snort messages and errors shown below, together with a few other examples from the original swatch package.

# global swatch.conf file
# * Poppi, 30.04.2001
# - initial version
#
# * Poppi, 08.06.2001
# - added error support; be sure to start swatch before snort ;)
#
# Poppi, 19.09.2001
# - added the throttle option so you don't get too many alerts for the same event

# normal snort message with PID
# suppress alerts that occur twice within 10 seconds (e.g. pings)
watchfor /snort\[/
        bell
        exec /etc/snort/snort-check $0
        throttle 00:00:10

# snort error messages may or may not carry the [!] indicator
watchfor /snort: (\[\!\])* ERROR/
        bell
        exec /etc/snort/snort-check $0
    

The first rule catches all alerts generated via the output module alert_syslog, and the second rule catches all error messages snort generates when something is wrong (such as errors in the rules file).

Both rules notify by ringing the bell on the pc (which makes no sense if the sensor sits in a room without an operator) and use the snort-check script described earlier to warn a given person. In $0 swatch provides the whole log file entry that triggered it.

Swatch has to be started before snort. Instead of creating an initscript of its own for swatch with the correct chkconfig data, the author included it in /etc/rc.d/init.d/snortd. This was decided because of the swatch dependencies the author uses. The author knows this is not a good way to do it and that the swatch part could be written relatively easily as its own initscript. It will probably be changed later.