网上关于snort、及与iptables联动文章很多，转来转去，没几篇照着能欢快的跑起来的，总没准有个坑，好吧，史上最详细版，坑少、最严谨的一篇操作指南如下：
0x1、Snort安装篇
596K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2K6L8X3!0J5N6q4)9J5k6h3!0J5k6#2)9J5c8X3c8G2j5%4g2E0k6h3&6@1M7#2!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4#2!0n7b7W2)9&6x3#2!0q4y4g2)9&6x3q4)9^5z5q4!0q4y4#2!0n7b7W2!0n7y4q4!0q4y4W2)9^5b7g2!0m8y4q4!0q4y4#2!0m8c8q4)9^5z5h3!0K6i4@1f1%4i4@1t1I4i4@1u0n7i4@1f1#2i4K6W2q4i4K6S2n7i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1@1i4@1t1^5i4K6S2n7i4@1f1^5i4@1u0p5i4@1u0p5i4@1f1$3i4K6S2o6i4K6R3%4i4@1f1#2i4@1q4r3i4@1u0o6M7r3q4H3k6i4t1`.
安装包下载
a08K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3j5h3&6Q4x3X3g2T1j5h3W2V1N6g2)9J5k6h3y4G2L8g2)9J5c8Y4y4Q4x3V1j5I4L8K6N6h3y4f1q4G2M7g2!0q4y4W2)9^5c8W2)9&6x3q4!0q4y4g2)9^5c8W2)9&6y4W2!0q4y4#2!0m8x3q4)9^5x3g2)9K6b7g2)9J5y4X3&6T1M7%4m8Q4x3@1t1@1j5i4f1#2
安装过程：
根据官方安装指导手册，安装前需要一些依赖文件

步骤1：安装gcc,flex,bison,….. libdnet、libdnet-devel
[root@localhost ~]# yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel
这里交代下，libdnet、libdnet-devel这两个依赖包，不确定一定能yum 安装上，可能yum –y install不报错，但snort编译时会还出错，可以下面两种方法解决： 

方法1:下载libdnet进行源码编译安装，文件上面网盘有下载，下面为操作步骤：
cd /usr/local/src/libdnet-1.xx 
./configure –with-pic 
make 
make install 
cd /usr/local/lib
ldconfig –v /usr/local/lib  别忘了，容易忽略
可能会出以下错误：
checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
解决办法：
yum install glibc-headers gcc-c++

方法2:升级yum –y update
然后运行，直接yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel


步骤2: 安装DAQ-2.0.x
tar zxvf daq-2.0.6.tar.gz
./configure
make
make install
cd /usr/local/lib 
ldconfig -v /usr/local/lib 别忘了，容易忽略

步骤3:安装snort-2.9.8.3
tar zxvf snort-2.9.8.3.tar.gz
./configure --enable-sourcefire
make
make install
cd /usr/local/lib 
ldconfig -v /usr/local/lib

0x2、snort基本配置
1.  cd /etc/
2.  mkdir -p snort
3.  cd snort-2.9.8.3
4.  cp etc/* /etc/snort/
5.  tar zxvf snortrules-snapshot-2983.tar.gz -C /etc/snort/ 
6.  解压规则到snort目录下，snort精华所在
7.  touch /etc/snort/rules/white_list.rules 
8.  touch /etc/snort/rules/black_list.rules 
9.  groupadd -g 40000 snort
10.  useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS –g snort 
11.  cd /etc/snort 
12.  chown -R snort:snort * 
13.  chown -R snort:snort /var/log/snort 

修改/etc/snort/snort.conf配置文件，参考如下：
# such as:  c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

尝试启动snort –c /etc/snort/snort.conf，会报如下错误：
ERROR: snort.conf(253) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory. Fatal Error, Quitting.
解决办法：
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

规则添加：(很重要)
发现2.9.8这个版本下载后，rules目录下有些策略默认是空的,比如/etc/snort/rules/scan.rules
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------
# SCAN RULES
#------------
需要我们自己完善,这些规则可以参考其他人写的，完善到自己的snort rules中
ebfK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6W2L8r3c8G2L8X3c8W2N6W2)9J5c8W2y4F1L8%4u0@1i4K6u0r3j5X3I4G2j5W2)9J5c8X3#2S2M7%4c8W2M7W2)9J5c8Y4u0#2L8r3g2K6i4K6u0r3M7$3y4S2L8W2)9J5k6i4u0#2L8r3g2K6

规则编写可以参考这个网站：
a95K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3q4K6k6h3y4#2M7X3W2@1P5i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6X3L8%4u0W2L8Y4y4A6j5%4y4Q4x3V1k6K6L8X3!0J5N6q4)9K6c8X3k6F1j5h3#2W2i4K6y4p5K9s2m8A6L8X3N6Q4y4h3k6X3K9h3&6Q4x3X3g2H3j5$3q4H3i4K6t1$3M7Y4g2D9k6i4y4F1j5h3#2W2i4K6y4p5M7Y4g2D9k6i4y4K6N6r3g2S2L8s2c8Z5i4K6u0W2M7Y4g2D9k6i4x3`.

当然也可以结合自己需要，定制一些特殊规则,给几个常用的，可以添加到local.rules文件
1、检测xss跨站脚本规则: －> /etc/snort/rules/local.rules 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-site scripting attempt"; flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:Web-application-attack; sid:9000; rev:5;)

2、检测nmap类扫描规则： -> /etc/snort/rules/scan.rules
alert tcp any any -> any any (msg:"SYN FIN Scan"; flags: S;sid:9000000;)
alert tcp any any -> any any (msg:"FIN Scan"; flags: F;sid:9000001;)
alert tcp any any -> any any (msg:"NULL Scan"; flags: 0;sid:9000002;)
alert tcp any any -> any any (msg:"XMAS Scan"; flags: FPU;sid:9000003;)
alert tcp any any -> any any (msg:"Full XMAS Scan"; flags: SRAFPU;sid:9000004;)
alert tcp any any -> any any (msg:"URG Scan"; flags: U;sid:9000005;)
alert tcp any any -> any any (msg:"URG FIN Scan"; flags: FU;sid:9000006;)
alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags: FP;sid:9000007;)
alert tcp any any -> any any (msg:"URG PUSH Scan"; flags: PU;sid:9000008;)
alert tcp any any -> any any (flags: A; ack: 0; msg:"NMAP TCP ping!";sid:9000009;)

3、检测一句话(中国菜刀webshell)规则：-> /etc/snort/rules/local.rules 
alert tcp any any -> any 80 (msg:"China Chopper PHP/Backdoor Detected"; content:"|62 61 73 65 36 34 5f 64 65 63 6f 64 65|"; rawbytes;reference:url,1c6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3k6A6M7X3g2W2P5h3g2Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8r3!0Y4i4K6u0r3N6r3g2U0K9r3&6A6j5$3q4D9i4K6u0r3j5X3!0@1L8X3g2@1i4K6u0V1j5h3y4@1K9i4k6A6N6r3W2W2M7#2)9J5k6s2u0W2M7$3g2S2M7X3y4Z5i4K6u0r3x3U0l9I4x3#2)9J5c8U0l9^5i4K6u0r3j5Y4u0W2j5h3E0A6L8X3N6Q4x3X3c8V1L8%4N6F1i4K6u0V1N6r3S2W2i4K6u0V1j5$3S2A6L8X3q4Q4x3X3c8U0K9r3!0H3M7r3g2J5i4K6u0V1N6$3g2T1i4K6u0V1M7$3S2W2L8r3I4Q4x3X3c8H3j5i4u0@1i4K6u0V1K9g2)9J5k6h3S2@1L8h3I4Q4x3@1u0Q4x3U0k6F1j5Y4y4H3i4K6y4n7j5$3I4S2M7%4y4@1P5i4m8W2i4K6y4m8N6s2u0G2K9X3q4F1i4K6u0V1j5h3y4@1K9i4k6A6N6s2W2Q4x3@1u0Q4x3U0k6F1j5Y4y4H3i4K6y4n7M7$3W2V1i4K6y4m8y4e0l9H3x3o6l9%4i4K6y4n7i4K6t1$3L8X3u0K6M7q4)9K6b7Y4u0W2N6W2)9K6b7e0q4Q4x3@1u0Q4x3U0V1`.
alert tcp any any -> any 80 ( sid:900001; content:"base64_decode";http_client_body;flow:to_server,established; content:"POST"; nocase;http_method;msg:"Webshell Detected Apache";)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "China Chopper with first Command Detected";flow:to_server,established; content: "FromBase64String";content: "z1"; content:"POST"; nocase;http_method;reference:url,24bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3k6A6M7X3g2W2P5h3g2Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8r3!0Y4i4K6u0r3N6r3g2U0K9r3&6A6j5$3q4D9i4K6u0r3j5X3!0@1L8X3g2@1i4K6u0V1j5h3y4@1K9i4k6A6N6r3W2W2M7#2)9J5k6s2u0W2M7$3g2S2M7X3y4Z5i4K6u0r3x3U0l9I4x3#2)9J5c8U0l9^5i4K6u0r3j5Y4u0W2j5h3E0A6L8X3N6Q4x3X3c8V1L8%4N6F1i4K6u0V1N6r3S2W2i4K6u0V1j5$3S2A6L8X3q4Q4x3X3c8U0K9r3!0H3M7r3g2J5i4K6u0V1N6$3g2T1i4K6u0V1M7$3S2W2L8r3I4Q4x3X3c8H3j5i4u0@1i4K6u0V1K9g2)9J5k6h3S2@1L8h3I4Q4x3@1u0U0L8r3q4K6M7%4c8&6M7r3g2Q4x3@1q4%4k6h3u0Q4x3X3c8S2M7s2m8D9K9h3y4S2N6r3W2G2L8W2)9J5k6r3q4@1N6r3q4U0K9#2)9K6b7W2)9J5y4X3&6T1M7%4m8Q4x3@1u0K6K9h3c8Q4x3@1q4Q4x3U0k6F1j5Y4y4H3i4K6y4n7z5e0l9H3x3o6l9H3x3e0l9I4i4K6y4n7i4K6t1&6

4、检测sql注入规则
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".pl";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)

5、heartbeart规则
alert tcp any any -> any 443 (msg:"Heartbeat request"; content:"|18 03 02 00|"; rawbytes;sid:100000)

最后提下攻击日志，snort攻击日志一般存与/var/log/snort/下，会生成alert纪录攻击日志,snort.xxxxx纪录详情，当然输出格式支持很多种syslog，csv、也可以将攻击日志写入mysql（2.9x以后版本需要借助barnyard2，如果只是web网站上部署，没必要建议你安装图像界面、管理控制台、开源东西，最小化安装、功能能跑起来，未必是坏事.）

一般攻击日志，导出csv格式就可以了，纪录的也不是很详细，丢数据库个人觉得意义不是特大，自己结合实际情况吧。
导出csv方法：
vim /etc/snort/snort.conf
output alert_csv: /var/log/snort/alert.csv msg,proto,timestamp,src,srcport,dst,dstport

0x3、snort与iptables联动,升级为IPS
Step 1 :
Go to b51K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4Z5j5h3!0@1K9h3y4Q4x3X3g2G2M7X3N6Q4x3V1k6Y4N6h3q4J5k6r3W2S2L8W2)9J5c8W2!0o6x3W2!0m8x3s2c8G2i4K6t1$3L8X3u0K6M7q4)9K6b7X3c8G2N6$3&6D9L8$3q4V1i4K6t1$3L8X3u0K6M7q4)9K6b7V1N6#2j5i4u0V1K9h3q4F1i4K6u0W2i4K6t1$3L8X3u0K6M7q4)9K6b7W2c8Z5k6g2)9J5y4X3&6T1M7%4m8Q4x3@1u0U0N6i4u0J5k6h3&6@1i4K6t1$3L8X3u0K6M7q4)9K6b7Y4k6W2M7Y4y4A6L8$3&6Q4x3U0k6F1j5Y4y4H3i4K6y4n7j5i4y4Q4x3U0k6F1j5Y4y4H3i4K6y4n7j5i4c8Q4x3U0k6F1j5Y4y4H3i4K6y4n7N6r3S2A6M7#2)9J5y4X3&6T1M7%4m8Q4x3@1u0%4M7X3W2@1K9h3&6Y4i4K6t1$3L8X3u0K6M7q4)9K6b7X3W2K6i4K6t1$3L8X3u0K6M7q4)9K6b7Y4k6W2M7Y4y4A6L8$3&6Q4x3U0k6F1j5Y4y4H3i4K6y4n7x3g2)9J5k6e0N6Q4x3X3f1`.
wget 368K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4Z5j5h3!0@1K9h3y4Q4x3X3g2G2M7X3N6Q4x3V1k6Y4N6h3q4J5k6r3W2S2L8W2)9J5c8X3N6#2j5i4u0V1K9h3q4F1i4K6u0V1x3g2)9J5k6e0N6Q4x3X3g2@1j5i4u0Q4x3X3g2Y4P5R3`.`.
Step 2 :
Untar the package.
tar -xzvf guardian-1.7.tar.gz
Step 3 :
cd guardian-1.7
cp guardian.pl /usr/local/bin/
cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
cp guardian.conf /etc/snort/
touch /etc/snort/guardian.ignore
touch /etc/snort/guardian.target
touch /var/log/snort/guardian.log

Step 4 :
vi /etc/snort/guardian.conf
Make the file looks like this (the IP address of HostIpAddr may be different from yours).
HostIpAddr取消注释，写自己eth0 ip地址


Step 5:
Vim /etc/snort/guardian.target
将步骤4中监听的eth0 ip地址写进来,这里别落下了，网上已有文章，这里是个坑，导致关联有问题


Step 6:
Vim /etc/snort/snort.conf注释掉output alert_syslog:LOG_AUTH LOG_ALERT,至于下一行的需不需要output alert_csv结合自己需要。

配置完毕

0x4、效果演示：
步骤1:先瞅瞅iptables、空空如也：

步骤2:启动guardian

步骤3:启动snort:
snort –c /etc/snort/snort.conf


步骤4:模拟攻击，发现一会就被干掉了



行文不易，且看且珍惜吧

[培训]科锐逆向工程师培训第53期2025年7月8日开班！