First you have to check whether you have the "ip_queue" kernel module loaded. Log in as root and type:
Code:
# lsmod | grep ip_queue
If it prints nothing, type:
Code:
# modprobe ip_queue
then
Code:
# lsmod | grep ip_queue
It should show something like: ip_queue 10977 1
If it looks like that, good. Let's move on.
1. Download the packages we need:
- snort_inline =>
http://mesh.dl.sourceforge.net/sourceforge/snort-inline/snort_inline-2.4.3-RC4.tar.gz (don't take another version, this is the only one that works for me against this exploit)
- libdnet =>
http://switch.dl.sourceforge.net/sourceforge/libdnet/libdnet-1.11.tar.gz
- libnet =>
http://www.packetfactory.net/libnet/dist/libnet.tar.gz
- pcre =>
http://fresh.t-systems-sfr.com/unix/src/misc/pcre-6.7.tar.gz
- iptables-devel =>
For Fedora, type:
yum install iptables-devel
For Mandriva, type:
urpmi iptables-devel
For Debian, type:
apt-get install iptables-devel
2. Install them in this order:
Code:
# tar xzvf libdnet-1.11.tar.gz
# cd libdnet-1.11
# ./configure
# make
# make install
# tar xzvf libnet.tar.gz
# cd libnet
# ./configure
# make
# make install
# tar xzvf pcre-6.7.tar.gz
# cd pcre-6.7
# ./configure
# make
# make install
Then snort_inline:
Code:
# tar xzvf snort_inline-2.4.3-RC4.tar.gz
# cd snort_inline-2.4.3-RC4
# ./configure
# make
# make install
If configure fails saying that some other library besides the ones above is missing, you will have to install it yourself.
If compilation fails with make[3]: *** [spo_alert_fast.o] Error 1, you have to:
Code:
# cd /root
# wget ftp://ftp.linux.ro/kernel.org/linux/kernel/v2.6/linux-2.6.9.tar.bz2
# bzip2 -cd linux-2.6.9.tar.bz2 | tar xf -
# cd /usr/include
# mv linux linux.vechi
# ln -s /root/linux-2.6.9/include/linux/ linux
and then go back to installing snort_inline. If you used this trick, we have to put things back to normal afterwards:
Code:
# cd /usr/include
# rm -rf linux
# mv linux.vechi linux
After snort_inline is installed, we move on to configuration:
Code:
# cd snort_inline-2.4.3-RC4
# mkdir rules
# cp etc/classification.config rules/
# cp etc/reference.config rules/
# mkdir /etc/snort_inline
# cp etc/* /etc/snort_inline/
# cp rules/ /etc/snort_inline/ -R
Open the file /etc/snort_inline/snort_inline.conf in a text editor and replace the line:
var RULE_PATH /etc/snort_inline/drop_rules
with
var RULE_PATH /etc/snort_inline/rules
Then go further down in the same file and, instead of:
Code:
### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules
### Disabled
leave only:
Code:
### The Drop Rules
# Enabled
include $RULE_PATH/hlds1.rules
include $RULE_PATH/hlds2.rules
include $RULE_PATH/hlds3.rules
### Disabled
Then you have to create and edit the 3 files as follows:
/etc/snort_inline/rules/hlds1.rules must contain:
Code:
# snort_inline requires "replace" to be exactly as long as "content";
# the content here is 3 bytes (quote, backslash, quote), so use 3 spaces.
alert udp any any <> any 27015 (msg: "HLDS Exploit"; \
content: "\"\\\""; replace: "   ";)
/etc/snort_inline/rules/hlds2.rules must contain:
Code:
# same rule for the second server port; "replace" is again 3 spaces
alert udp any any <> any 28015 (msg: "HLDS Exploit"; \
content: "\"\\\""; replace: "   ";)
/etc/snort_inline/rules/hlds3.rules must contain:
Code:
# same rule for the third server port; "replace" is again 3 spaces
alert udp any any <> any 29015 (msg: "HLDS Exploit"; \
content: "\"\\\""; replace: "   ";)
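To see what these three rules actually do to a datagram, here is a Python model of the content/replace rewrite, added here as an example and not part of the original post or of snort_inline itself. It decodes the Snort content string, enforces snort_inline's requirement that the replacement be exactly as long as the matched content (so the UDP datagram keeps its length), and rewrites a constructed sample payload; the sample bytes are made up for the demonstration.

```python
# Added example: model of the snort_inline content/replace rewrite used in
# the hlds*.rules files above. Not code from the original post or project.

def unescape_snort_content(s: str) -> bytes:
    """Decode a Snort content string: \\X -> X for escaped ", \\ and ;,
    |hh hh| -> raw hex bytes, everything else literal."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):       # escaped character
            out.append(ord(s[i + 1]))
            i += 2
        elif c == "|":                          # |hex bytes| section
            end = s.index("|", i + 1)
            out += bytes.fromhex(s[i + 1:end])
            i = end + 1
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def replacement_fits(content: str, replace: str) -> bool:
    """snort_inline refuses to load a rule whose replace string differs in length."""
    return len(unescape_snort_content(content)) == len(unescape_snort_content(replace))


def apply_replace(payload: bytes, content: str, replace: str):
    """Rewrite the first match in place, as the rule would.
    Returns (new_payload, matched); raises if the rule could not be loaded."""
    if not replacement_fits(content, replace):
        raise ValueError("replace must be the same length as content")
    needle = unescape_snort_content(content)
    if needle not in payload:
        return payload, False
    return payload.replace(needle, unescape_snort_content(replace), 1), True


# The content string exactly as written in hlds1.rules, and the 3-space replace.
HLDS_CONTENT = r'\"\\\"'
HLDS_REPLACE = "   "

if __name__ == "__main__":
    # Constructed sample datagram carrying the 3-byte sequence "\" the rule targets.
    sample = b'\xff\xff\xff\xffhello "\\" world\x00'
    fixed, hit = apply_replace(sample, HLDS_CONTENT, HLDS_REPLACE)
    print(hit, fixed, len(fixed) == len(sample))
```

A one-space replace (what the rule would become if whitespace were collapsed) fails the length check, which is why the rule files above use three spaces.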
Next:
Code:
# mkdir /var/log/snort_inline
Then we create the iptables rules for each UDP port:
Code:
# iptables -I INPUT -p udp --dport 27015 -j QUEUE
# iptables -I INPUT -p udp --dport 28015 -j QUEUE
# iptables -I INPUT -p udp --dport 29015 -j QUEUE
And finally, we start snort_inline:
Code:
# /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v -D
To have it start at Linux boot, add the following to /etc/rc.d/rc.local (the snort_inline command goes on a single line):
/sbin/modprobe ip_queue
/sbin/iptables -I INPUT -p udp --dport 27015 -j QUEUE
/sbin/iptables -I INPUT -p udp --dport 28015 -j QUEUE
/sbin/iptables -I INPUT -p udp --dport 29015 -j QUEUE
/usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v -D
That's about it. 27015, 28015 and 29015 are the ports the server runs on, so they can be replaced with whatever you use.
Author: laddu