Using Snort to implement a network scanner detection feature

Source: Internet | Editor: 程序博客网 | Date: 2024/06/03 15:57

I recently finished a scanner-detection module. When I started, I found very little material about this topic online, so with nothing much to do today I am writing up a summary. I hope it helps anyone who needs this.

The scanner-detection feature is implemented mainly through sfPortscan, a preprocessor of the open-source tool Snort. In the default Snort configuration file this feature is disabled, so to use it we have to configure it ourselves.

Detailed information about this configuration is available in the Snort manual: http://manual.snort.org/node17.html#SECTION00323000000000000000. Here I give a brief introduction to the relevant settings.

To enable scan detection, you need to configure the protocol types to detect, the ports to detect, the sensitivity level, the IPs to watch, the scanner IPs to ignore, the scanned IPs to ignore, and the path of the scan log file.

These are the configuration items I excerpted from the manual; I did not bother translating them.

8. proto <protocol>

Available options:

  • TCP
  • UDP
  • ICMP
  • ip_proto
  • all

9. scan_type <scan_type>

Available options:

  • portscan
  • portsweep
  • decoy_portscan
  • distributed_portscan
  • all

10. sense_level <level>

Available options:

  • low - "Low" alerts are only generated on error packets sent from the target host, and because of the nature of error responses, this setting should see very few false positives. However, this setting will never trigger a Filtered Scan alert because of the lack of error responses. This setting is based on a static time window of 60 seconds, after which the window is reset.

  • medium - "Medium" alerts track connection counts, and so will generate Filtered Scan alerts. This setting may generate false positives on active hosts (NATs, proxies, DNS caches, etc.), so the user may need to use the Ignore directives to tune it properly.

  • high - "High" alerts continuously track hosts on a network using a time window to evaluate portscan statistics for each host. A "High" setting will catch some slow scans because of the continuous monitoring, but it is very sensitive to active hosts. This setting will most definitely require the user to tune sfPortscan.

11. watch_ip <ip1|ip2/cidr[ [port|port2-port3]]>

Defines which IPs, networks, and specific ports on those hosts to watch. The list is a comma-separated list of IP addresses or networks in CIDR notation. Optionally, ports are specified after the IP address/CIDR using a space and can be either a single port or a range denoted by a dash. IPs or networks not falling into this list are ignored if this option is used.

12. ignore_scanners <ip1|ip2/cidr[ [port|port2-port3]]>

Ignores the source of scan alerts. The parameter has the same format as that of watch_ip.

13. ignore_scanned <ip1|ip2/cidr[ [port|port2-port3]]>

Ignores the destination of scan alerts. The parameter has the same format as that of watch_ip.

14. logfile <file>

This option outputs portscan events to the specified file. If the file name does not begin with a slash, the file is placed in the Snort config directory.

15. include_midstream

This option includes sessions picked up midstream by Stream5. This can lead to false alerts, especially under heavy load with dropped packets, which is why the option is off by default.

16. detect_ack_scans

This option includes sessions picked up midstream by the stream module, which is necessary to detect ACK scans. However, this can lead to false alerts, especially under heavy load with dropped packets, which is why the option is off by default.

17. disabled

This optional keyword is allowed with any policy to avoid packet processing. It disables the preprocessor. When the preprocessor is disabled, only the memcap option is applied when specified in the configuration; the other options are parsed but not used. Any valid configuration may have "disabled" added to it.

2.2.3.2 Format

    preprocessor sfportscan: proto <protocols> \
        scan_type <portscan|portsweep|decoy_portscan|distributed_portscan|all> \
        sense_level <low|medium|high> \
        watch_ip <IP or IP/CIDR> \
        ignore_scanners <IP list> \
        ignore_scanned <IP list> \
        logfile <path and filename> \
        disabled

2.2.3.3 Example

    preprocessor flow: stats_interval 0 hash 2
    preprocessor sfportscan: \
        proto { all } \
        scan_type { all } \
        sense_level { low }

One thing to pay particular attention to: the values inside the {} braces of a configuration item must have a space before and after them; otherwise Snort exits.
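As an added example (not code from the original post or from the Snort project), here is a small Python helper that assembles the sfportscan preprocessor line from the options listed above and flags any brace group that lacks the surrounding spaces just mentioned. The option values, the list syntax and the spacing rule follow the manual text quoted on this page; the function and variable names are my own.

```python
# Build a sfPortscan preprocessor line and check the "{ value }" spacing rule.
import re

# Option values as documented in the manual excerpt above.
PROTOS = {"tcp", "udp", "icmp", "ip_proto", "all"}
SCAN_TYPES = {"portscan", "portsweep", "decoy_portscan", "distributed_portscan", "all"}
SENSE_LEVELS = {"low", "medium", "high"}
# IP or IP/CIDR, optionally followed by a space and a port or port range.
IP_ITEM = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?( \d+(-\d+)?)?$")


def _brace_list(name, values, allowed):
    bad = set(values) - allowed
    if bad:
        raise ValueError(f"{name}: unknown value(s) {sorted(bad)}")
    # Snort needs whitespace on both sides of the braces' contents.
    return f"{name} {{ {' '.join(values)} }}"


def _ip_list(name, items):
    for item in items:
        if not IP_ITEM.match(item):
            raise ValueError(f"{name}: bad entry {item!r}")
    return f"{name} {{ {','.join(items)} }}"   # comma-separated, per watch_ip


def build_sfportscan(proto=("all",), scan_type=("all",), sense_level="low",
                     watch_ip=(), ignore_scanners=(), ignore_scanned=(),
                     logfile=None, detect_ack_scans=False):
    """Return the sfportscan line as one logical config line (with '\\' continuations)."""
    if sense_level not in SENSE_LEVELS:
        raise ValueError(f"sense_level: unknown value {sense_level!r}")
    parts = [_brace_list("proto", proto, PROTOS),
             _brace_list("scan_type", scan_type, SCAN_TYPES),
             f"sense_level {{ {sense_level} }}"]
    if watch_ip:
        parts.append(_ip_list("watch_ip", watch_ip))
    if ignore_scanners:
        parts.append(_ip_list("ignore_scanners", ignore_scanners))
    if ignore_scanned:
        parts.append(_ip_list("ignore_scanned", ignore_scanned))
    if logfile:
        parts.append(f"logfile {{ {logfile} }}")
    if detect_ack_scans:
        parts.append("detect_ack_scans")
    return "preprocessor sfportscan: " + " \\\n    ".join(parts)


def brace_spacing_errors(config_text):
    """Return brace groups that lack the space Snort requires after '{' and before '}'."""
    return [m.group(0) for m in re.finditer(r"\{[^}]*\}", config_text)
            if not re.fullmatch(r"\{ [^}]*? \}", m.group(0))]
```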

By the way, normally we run one Snort instance per network interface, something like snort -i eth0 -c snort.conf. But then, to monitor four interfaces we would need to start four Snort instances, and to keep the four instances from overwriting each other's logs we would need four configuration files with different log file paths. That is very inconvenient. Yesterday, while reading the official Snort documentation, I found that the DAQ layer under Snort has several implementations,

and that snort -i eth0:eth1:eth2:eth3 -c snort.conf also works. On my host I scanned eth0 and eth1 separately, and logs were generated for both.
