前期准备
splunk环境验证
splunk相关命令
查看服务端采集了哪些客户端的日志:
./bin/splunk list deploy-clients
Deployment client: CF787A85-1BF8-4460-9FA9-469FEEB95BCD
applications: {'_server_app_39.30': {'action': 'Install', 'archive': '/home/splunk/var/run/tmp/39.30/_server_app_39.30-1727076134.bundle', 'checksum': '14553870489663539555', 'excludeFromUpdate': None, 'failedReason': "''", 'issueReload': '0', 'restartIfNeeded': '0', 'restartSplunkWeb': '0', 'restartSplunkd': '0', 'result': 'Ok', 'serverclasses': ['39.30'], 'size': '10240', 'stateOnClient': 'enabled', 'timestamp': 'Mon Sep 23 16:33:41 2024'}}
检查服务端和客户端的网络连接是否正常:
服务端运行:netstat -tnup |grep 10.227.39.30
tcp 0 0 10.227.39.38:8089 10.227.39.30:57246 ESTABLISHED 14231/splunkd
tcp 0 0 10.227.39.38:9997 10.227.39.30:57158 ESTABLISHED 14231/splunkd
客户端运行 netstat -ano
10.227.39.30:57158 10.227.39.38:9997 ESTABLISHED 3708
10.227.39.30为客户端地址,8089和9997 处于 ESTABLISHED表示网络连接正常
snort环境验证
Linux下:
在/etc/snort/rules/ 下新建一个自己的规则目录test,并新建一个规则
alert tcp any any -> any any (msg:"Test alert"; sid:1000001;)
然后在/etc/snort/snort.conf 新加一行(可以把默认的规则注释掉)
include $RULE_PATH/test/test.rules
启动snort进行验证
sudo snort -A console -c /etc/snort/snort.conf -i eth0
控制台和/var/log/snort/snort.alert.fast 都有告警输出,说明命中规则并成功生成告警
Windows下:
注意:Windows安装使用snort可以使用x86的,我这里用64位的在win10和win7都会报错,winpcap也需要单独安装(及时安装了wireshark也要再安装一次否则会出现抓不到网卡)
https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe
下载:https://snort.org/downloads/archive/snort/Snort_2_9_16_Installer.x86.exe
验证:\bin>snort.exe -W
,,_ -*> Snort! <*-
o" )~ Version 2.9.16-WIN32 GRE (Build 118)
'''' By Martin Roesch & The Snort Team: Snort - Contact
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using PCRE version: 8.10 2010-06-25
Using ZLIB version: 1.2.3
Index Physical Address IP Address Device Name Description
----- ---------------- ---------- ----------- -----------
1 FE:FC:FE:04:FF:9F 0000:0000:fe80:0000:0000:0000:5319:65d9 \Device\NPF_{07899EFF-636B-4F19-A710-DBA5CCE5616D} Intel(R) PRO/1000 MT Network Connection
snort -A console -c C:\Snort\etc\snort.conf -i 1 -l C:\Snort\log > C:\Snort\log\alert.txt
会把告警打入C:\Snort\log\alert.txt中
单条pcap包测试:
snort -r C:\Snort\pcaps\test.pcap -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -A console
