最近我用OpenWRT替换了我的路由器操作系统,并在其上安装了snort(2.9):

opkg install snort

_1849393中我的唯一规则:

alert icmp any any -> [My Router Private IP like : 192.168.0.1] any (msg: "NMAP ping sweep Scan"; dsize:0;sid:10000004; rev: 1;)

问题是我跑的时候:

snort -A console -q -c /etc/snort/snort.conf -i br-lan --daq-dir /usr/lib/daq

在命令行上,它是 Okay 并且它检测到一些Nmap扫描攻击并在控制台中写入警报:

04/12-08:19:50.152690  [**] [1:10000005:2] NMAP TCP Scan [**] [Priority: 0] {TCP} 192.168.0.10:46287 -> 192.168.0.1:22

和日志文件,但当我通过以下方式启动服务时:

/etc/init.d/snort start

当我使用相同的Nmap命令( nmap -sX -p22 192.168.0.1 )时,没有任何反应并且没有创建日志文件 .

我的问题是:

  • 为什么服务器没有运行?如果没有Systemctl,没有办法检测每件事情是否合适 .

  • 为什么运行snort命令时创建的日志是废话?当我键入例如 cat /var/log/snort/snort.log.1523473976 我得到:

8Mvv锟6(鐖E E E E E E E E E E E E E E E E E E A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 E E E
在控制台中 .

PS :1 - cat /etc/init.d/snort

#!/bin/sh /etc/rc.common
# Copyright (C) 2015 OpenWrt.org

START=90
STOP=10

USE_PROCD=1
PROG=/usr/bin/snort

validate_snort_section() {
    uci_validate_section snort snort "${1}" \
        'config_file:string' \
        'interface:string'
}

start_service() {
    local config_file interface

    validate_snort_section snort || {
        echo "validation failed"
        return 1
    }

    procd_open_instance
    procd_set_param command $PROG "-c" "$config_file" "-q" "--daq-dir" "/usr/lib/daq/" "-i" "$interface" "-s" "-N"
    procd_set_param file $CONFIGFILE
    procd_set_param respawn
    procd_close_instance
}

stop_service()
{
    service_stop ${PROG}
}

service_triggers()
{
    procd_add_reload_trigger "snort"
    procd_add_validation validate_snort_section
}

2-我实际上是按照This link配置的 . 但我取消注释并设置 config logdir :到 /var/log/snort/ .

(任何帮助将不胜感激)

linux logging service openwrt snort