最近我用OpenWRT替换了我的路由器操作系统,并在其上安装了snort(2.9):
opkg install snort
我的规则文件中唯一的一条规则:
alert icmp any any -> [My Router Private IP like : 192.168.0.1] any (msg: "NMAP ping sweep Scan"; dsize:0;sid:10000004; rev: 1;)
问题是我跑的时候:
snort -A console -q -c /etc/snort/snort.conf -i br-lan --daq-dir /usr/lib/daq
在命令行上它工作正常:能检测到一些 Nmap 扫描并在控制台打印警报:
04/12-08:19:50.152690 [**] [1:10000005:2] NMAP TCP Scan [**] [Priority: 0] {TCP} 192.168.0.10:46287 -> 192.168.0.1:22
和日志文件,但当我通过以下方式启动服务时:
/etc/init.d/snort start
当我运行相同的 Nmap 命令(nmap -sX -p22 192.168.0.1)时,没有任何反应,也没有创建日志文件。
我的问题是:
-
为什么以服务方式启动时没有检测到任何东西?在没有 systemctl 的情况下,有没有办法检查服务是否真的在正常运行?
-
为什么直接运行 snort 命令时创建的日志文件内容是乱码?例如当我键入
cat /var/log/snort/snort.log.1523473976
我得到:
8Mvv锟6(鐖E E E E E E E E E E E E E E E E E E A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 E E E
在控制台中 .
PS :1 - cat /etc/init.d/snort
:
#!/bin/sh /etc/rc.common
# Copyright (C) 2015 OpenWrt.org
#
# procd init script for snort. rc.common reads START/STOP for the rc.d
# boot/shutdown ordering and USE_PROCD to route start/stop through procd.
USE_PROCD=1
START=90
STOP=10
# Binary launched by start_service().
PROG=/usr/bin/snort
# Validate the UCI section named by $1 (package "snort", type "snort").
# uci_validate_section is expected to populate $config_file and
# $interface in the caller's scope; both are declared as plain strings.
validate_snort_section() {
  local section=$1
  uci_validate_section snort snort "$section" \
    'config_file:string' \
    'interface:string'
}
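# Launch snort as a procd instance using the "snort" UCI section.
# Returns 1 (after printing "validation failed") when the section is invalid.
start_service() {
  local config_file interface

  # validate_snort_section (via uci_validate_section) fills in
  # $config_file and $interface from /etc/config/snort.
  validate_snort_section snort || {
    echo "validation failed"
    return 1
  }

  procd_open_instance
  # NOTE(review): per snort's usage text, "-s" sends alerts to syslog and
  # "-N" turns packet logging off. Under procd there is no console, so with
  # these flags nothing appears under the configured logdir and alerts are
  # only visible via `logread` — that is expected, not a failed start.
  # Drop "-N" (or add "-A fast") if alerts/packets on disk are wanted.
  procd_set_param command "$PROG" -c "$config_file" -q \
    --daq-dir /usr/lib/daq/ -i "$interface" -s -N
  # Watch the snort config so procd restarts the instance when it changes.
  # The original referenced $CONFIGFILE, which is never set anywhere in
  # this script, so the trigger watched nothing.
  procd_set_param file "$config_file"
  procd_set_param respawn
  procd_close_instance
}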
# Stop the snort process started by this script.
# NOTE(review): with USE_PROCD=1 procd already terminates the instance on
# stop; service_stop comes from the legacy service.sh helpers — confirm it
# is actually sourced by this rc.common, otherwise this call is a no-op.
stop_service() {
  service_stop "$PROG"
}
# Register procd triggers: ask procd to reload this service when the
# "snort" UCI config changes, and expose validate_snort_section to the
# init script's validation hook.
service_triggers() {
  procd_add_reload_trigger snort
  procd_add_validation validate_snort_section
}
2 - 我实际上是按照一篇教程(原文链接已丢失)来配置的。但我取消了注释并设置了 config logdir
:到 /var/log/snort/
.
(任何帮助将不胜感激)