{"id":3,"date":"2006-08-16T04:07:26","date_gmt":"2006-08-16T01:07:26","guid":{"rendered":"http:\/\/blog.hostwebtr.com\/?p=3"},"modified":"2006-08-16T04:07:26","modified_gmt":"2006-08-16T01:07:26","slug":"debian-sarge-31-bridgesnort_inlineclamav-kurulumu-icin-epey-kirli-bir-dokuman","status":"publish","type":"post","link":"https:\/\/www.48k.com.tr\/debian-sarge-31-bridgesnort_inlineclamav-kurulumu-icin-epey-kirli-bir-dokuman\/","title":{"rendered":"A fairly rough document on setting up Debian Sarge 3.1 with Bridge+Snort Inline+ClamAV"},"content":{"rendered":"

Description<\/strong><\/p>\n

In this document I have tried to describe installing snort_inline on Debian Linux. Customising snort_inline after the installation is up to you; I did not have that much time. The installation was carried out as described here on mezzanine and tested for about 3 weeks on a single-client network (that client being me :) ). You can find the test notes at the end of the document.
\nIn the few documents you can find on snort_inline, the first feature that stands out is that it runs in bridge mode. In my opinion that is a very good feature: a bridge is transparent, so nothing on either side needs re-addressing and the sensor can run without an IP address of its own, which makes it both more flexible and harder to target than a NAT gateway. It is also less work :)
\nFor that reason I have put together a short section for those with no experience of bridge mode on Linux.
\nNow to what snort_inline is. Snort_inline is Snort with its function changed: where Snort is only an intrusion detection tool, snort_inline is an intrusion prevention tool. Protection is still rule-based, as in Snort. Snort sniffs the packets passing on the network and warns you according to its rules; snort_inline applies the same rules to packets handed to it by an iptables rule and drops or rejects them. This means the kernel of the system you intend to install snort_inline on must have ip_queue support for iptables\/netfilter.
\nThat needs a little explanation. With its QUEUE target, iptables places a packet in a queue for user space. If an application in user space is waiting for the packet, it is processed; if not, the packet is dropped. As you can guess, that application is snort_inline. On Sarge's 2.6 kernels ip_queue is a module, so load it with modprobe ip_queue before you add a QUEUE rule, and keep the no-listener case in mind: while snort_inline is not running, every queued packet is silently dropped, so the bridge fails closed.
\nWith that said, let's start the installation.<\/p>\n

Preparing for bridge mode<\/strong><\/p>\n

apt-get install bridge-utils modconf ebtables \/\/ install the packages needed for bridge mode.<\/p>\n

ifconfig eth0 0.0.0.0 promisc up \/\/ strip the IP addresses from the ethernet interfaces and bring them up in promiscuous mode.
\nifconfig eth1 0.0.0.0 promisc up<\/p>\n

brctl addbr br0 \/\/ create a new bridge interface named br0 with brctl.
\nbrctl addif br0 eth0 \/\/ the first ethernet interface is added to the bridge.
\nbrctl addif br0 eth1 \/\/ and the second one too.<\/p>\n

After these steps, running ifconfig should show a bridge interface in addition to the two physical ethernet interfaces. Optionally you can give this interface an IP address and a gateway. A quick example:<\/p>\n

ifconfig br0 192.168.160.100 netmask 255.255.255.0 up
\nroute add default gw 192.168.160.1 dev br0 \/\/ this lets the Linux box itself reach the net.<\/p>\n

Choose an IP address that fits your internal network. If you do not give this interface an IP address, the machine itself will not be able to reach the net, but that will not stop the machines located behind it from getting out. Bear in mind that an address on the bridge also makes the sensor reachable from both sides of it; if you need one for management, restrict access to it with INPUT rules.<\/p>\n
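The same bring-up as a script, added here as an example and not part of the original post: it checks that both ports exist, turns STP off and sets the forward delay to zero so the new ports start forwarding immediately, switches on bridge-nf-call-iptables so iptables sees the bridged frames, and takes an optional management address. The SYSFS_NET and DRY_RUN variables are this example's own conventions (DRY_RUN=1 prints the commands instead of running them); the tools used are the bridge-utils, net-tools and procps commands already used above.<\/p>\n

```shell
#!/bin/bash
# Added example (not from the original post): bring up the transparent bridge with the
# checks the bare brctl sequence leaves out. DRY_RUN=1 prints the commands instead of
# running them, so the plan can be reviewed on a box where you are not root.
# Assumptions: sysfs lists links under /sys/class/net (override with SYSFS_NET), and
# brctl/ifconfig/route/sysctl from bridge-utils, net-tools and procps are installed.
set -eu

# run CMD ARGS...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iface_exists NAME: every link the kernel knows has a directory under sysfs.
iface_exists() { [ -d "${SYSFS_NET:-/sys/class/net}/$1" ]; }

# bridge_up IF1 IF2 BR [IP NETMASK GATEWAY]
# Clears the port addresses, creates BR with STP off and a zero forward delay (with the
# 15 s default a freshly added port sits in the learning state and forwards nothing,
# even with STP off), enslaves both ports and optionally gives the bridge an address.
bridge_up() {
    if1=$1; if2=$2; br=$3; ip=${4:-}; mask=${5:-}; gw=${6:-}
    for i in "$if1" "$if2"; do
        iface_exists "$i" || { echo "no such interface: $i" >&2; return 1; }
    done
    if iface_exists "$br"; then
        echo "bridge $br already exists, refusing to reconfigure it" >&2; return 1
    fi
    run ifconfig "$if1" 0.0.0.0 promisc up
    run ifconfig "$if2" 0.0.0.0 promisc up
    run brctl addbr "$br"
    run brctl stp "$br" off
    run brctl setfd "$br" 0
    run brctl addif "$br" "$if1"
    run brctl addif "$br" "$if2"
    # bridged frames only reach iptables' FORWARD chain (and thus QUEUE) with this on;
    # the key appears once the bridge module is loaded, i.e. after addbr.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    if [ -n "$ip" ]; then
        run ifconfig "$br" "$ip" netmask "$mask" up
        if [ -n "$gw" ]; then run route add default gw "$gw" dev "$br"; fi
    else
        run ifconfig "$br" up
    fi
}

# Usage: bridge_up eth0 eth1 br0                      (no address: sensor has no IP of its own)
#        bridge_up eth0 eth1 br0 192.168.160.100 255.255.255.0 192.168.160.1
if [ $# -ge 3 ]; then bridge_up "$@"; fi
```

Run it as root with the two ports and the bridge name for an address-less bridge, or with the address, netmask and gateway appended to give the sensor its own IP; with DRY_RUN=1 it only prints what it would do, which is the form worth reading once before touching a live link.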

Installing snort_inline<\/strong><\/p>\n

Packages that need to be installed from the Debian repositories to avoid problems during the build
\nlibpcap0.8
\nlibpcap0.8-dev
\nlibpcre3
\nlibpcre3-dev
\nsnort-rules-default
\niptables-dev
\nlibclamav1 and libclamav-dev \/\/ needed for ClamAV support in snort_inline. If you do not want this feature, you can leave them out.<\/p>\n

You can install the packages listed above as follows.<\/p>\n

apt-get install libpcap0.8 libpcap0.8-dev libpcre3 libpcre3-dev iptables-dev libclamav1 libclamav-dev snort-rules-default<\/p>\n

Installing libdnet<\/p>\n

note: the libdnet and libdnet-dev packages do exist in the Debian repositories, but after installing them I could not get snort_inline to pick them up. If you can find the cause of the problem, please let me know. If you would rather not bother, installing from source will not give you any trouble.<\/p>\n

wget http:\/\/belnet.dl.sourceforge.net\/sourceforge\/libdnet\/libdnet-1.11.tar.gz
\ntar zxvf libdnet-1.11.tar.gz
\ncd libdnet-1.11
\n.\/configure && make
\nmake install
\nldconfig \/\/ so the dynamic loader finds the new library under \/usr\/local\/lib.<\/p>\n

After installing libdnet as above, we start installing snort_inline. Do not look for it in the Debian repositories; you will not find it even in unstable\/sid.<\/p>\n

http:\/\/snort-inline.sourceforge.net\/download.html
\nDownload the package from the address above, then build it on your system as follows.
\ntar zxvf snort_inline-2.4.5a.tar.gz
\ncd snort_inline-2.4.5a
\n.\/configure --enable-inline --enable-clamav<\/p>\n

The --enable-clamav option is required to run snort_inline together with the Clam antivirus. If you do not want the extra load on your system, leave it out; for company-internal networks, however, it is quite useful.<\/p>\n

make
\nmake install
\nIf you got through the steps above without problems, we can move on to the post-install configuration.<\/p>\n

After a successful build, make install puts snort_inline under \/usr\/local\/bin.
\nTake the files from the etc directory of the source tree and put them somewhere suitable, for example under \/usr\/local\/etc\/snort_inline.<\/p>\n

Now for the most important part of snort_inline: the rules...
\nIf you installed the snort-rules-default package from the Debian repositories, the files should be on your system under \/etc\/snort\/rules.
\nLet's look at an example rule.<\/p>\n

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:\"POP3 DELE negative argument attempt\"; flow:to_server,established; content:\"DELE\"; nocase; pcre:\"\/^DELE\\s+-\\d\/smi\"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:9;)<\/p>\n

The point I want to draw your attention to is that the rule starts with \"alert\", which reflects Snort being an intrusion detection system.
\nTo make a rule take effect in snort_inline we can use three rule actions instead.<\/p>\n

drop: the packet is blocked via iptables and snort logs the event.
\nreject: the packet is again blocked by iptables and snort logs the event; in addition, if the protocol is TCP a TCP reset is sent, and if it is UDP an \"icmp port unreachable\" is sent to the peer.<\/p>\n

sdrop: the packet is blocked by iptables and nothing is logged.<\/p>\n

I chose drop, but decide for yourself how you want to change them and then convert the rules with the script below.
\nKeep in mind that once a rule says drop, every false positive it produces becomes a blocked connection, so it is worth leaving noisy rules as alert rather than converting everything blindly.<\/p>\n

#!\/bin\/bash
\n# rewrite the action of every rule in the *.rules files of the current directory: alert -> drop
\nfor file in *.rules
\ndo
\nsed -e 's:^alert:drop:' ${file} > ${file}.new
\nmv -f ${file}.new ${file}
\ndone<\/p>\n
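A more careful version of that conversion, added as an example and not taken from the original post: it turns alert rules into drop rules except for the sids you list, leaves comments and rules with other actions alone, and rewrites the files in place. The sample ruleset it writes is constructed for the dry run and is not a real ruleset; the function names are this example's own.<\/p>\n

```shell
#!/bin/bash
# Added example (not from the original post): a selective replacement for the blanket
# alert->drop script. Rules whose sid is listed in KEEP stay "alert" (log only), every
# other alert rule becomes "drop"; comments, blank lines and rules with other actions
# (pass, log, ...) are copied untouched. Assumes the usual one-rule-per-line layout of
# the Sarge snort-rules-default files.
set -eu

# convert_rules SRC DST [KEEP]: KEEP is a space-separated list of sids to leave as alert.
convert_rules() {
    src=$1; dst=$2; keep=${3:-}
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            alert\ *)
                sid=$(printf '%s\n' "$line" | sed -n 's/.*sid: *\([0-9][0-9]*\);.*/\1/p')
                sid=${sid:-none}   # a rule without a sid can never be on the keep list
                case " $keep " in
                    *" $sid "*) printf '%s\n' "$line" ;;             # keep as alert
                    *)          printf 'drop %s\n' "${line#alert }" ;;
                esac ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$src" > "$dst"
}

# convert_dir DIR [KEEP]: rewrite every *.rules file in DIR in place via a temp file.
convert_dir() {
    dir=$1; keep=${2:-}
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        convert_rules "$f" "$f.new" "$keep"
        mv -f "$f.new" "$f"
    done
}

# count_action FILE ACTION: number of rules in FILE whose action is ACTION.
count_action() { grep -c "^$2 " "$1" || true; }

# make_sample_rules DIR: write a small constructed ruleset (not a real one) for a dry run
# and print its path. sid 2121 is the POP3 rule quoted above; the 9000xx sids are made up.
make_sample_rules() {
    cat > "$1/local.rules" <<'EOF'
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; sid:2121; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC noisy test"; content:"test"; classtype:web-application-activity; sid:900001; rev:1;)
alert icmp any any -> any any (msg:"ICMP echo"; sid:900002; rev:1;)
pass tcp any any -> any 22 (msg:"never touch ssh"; sid:900003; rev:1;)
EOF
    printf '%s\n' "$1/local.rules"
}

# Usage: convert_dir /etc/snort/rules "2121 900002"
if [ $# -ge 1 ]; then convert_dir "$1" "${2:-}"; fi
```

The keep list is the practical knob: run the box for a while with everything still on alert, collect the sids that fire on legitimate traffic, and pass those as the second argument so only the rules you trust start dropping.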

After changing the rules there is one more thing you must do for the system to work correctly.
\nOpen your snort_inline.conf file. Among the first definitions, change the HOME_NET variable to match your own system.
\nThis should be your trusted network.<\/p>\n

For example:<\/p>\n

var HOME_NET 192.168.160.0\/24<\/p>\n

and so on.<\/p>\n

You also need to define the untrusted network. I did it like this:<\/p>\n

var EXTERNAL_NET !$HOME_NET<\/p>\n

After adjusting the RULE_PATH variable to the directory where your rules live, save the file and exit.<\/p>\n

Finally, before running snort_inline in daemon mode, we tell iptables to queue every packet it forwards.
\nNote that from the moment this rule is in place, forwarded packets are dropped until snort_inline is reading the queue (a queued packet with no listener is discarded), so on a live bridge start snort_inline first and insert the rule afterwards.<\/p>\n

iptables -I FORWARD -j QUEUE<\/p>\n

and finally....<\/p>\n

\/usr\/local\/bin\/snort_inline -Q -D -c \/usr\/local\/etc\/snort_inline\/snort_inline.conf -l \/var\/log\/snort<\/p>\n
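The two steps above, the QUEUE rule and the daemon start, in the order that does not cut the bridge off by mistake; this is an added example, not a script from the original post. It checks that ip_queue is loaded and bridge-nf is on, tests the configuration, starts snort_inline, and only then inserts the QUEUE rule (and removes the rule before stopping the daemon). Assumptions: ip_queue exposes \/proc\/net\/ip_queue when loaded, pgrep and iptables-save are installed, snort_inline accepts -T together with -Q for a configuration test, and the paths match the install above; DRY_RUN=1 prints the privileged commands instead of running them.<\/p>\n

```shell
#!/bin/bash
# Added example (not from the original post): start and stop snort_inline in the order that
# keeps the bridge from failing closed by accident. A packet sent to QUEUE with no user-space
# reader is dropped, so the QUEUE rule goes in only after snort_inline is up and comes out
# before the daemon is stopped. Assumptions: 2.6 ip_queue registers /proc/net/ip_queue,
# iptables-save and pgrep exist, "-T -Q" tests the config without touching traffic, and the
# paths below match the install described above.
set -eu

SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort_inline}
SNORT_CONF=${SNORT_CONF:-/usr/local/etc/snort_inline/snort_inline.conf}
SNORT_LOG=${SNORT_LOG:-/var/log/snort}

# run CMD ARGS...: execute, or only print when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ip_queue_available [PROC_FILE]: the ip_queue module creates this file when loaded.
ip_queue_available() { [ -e "${1:-/proc/net/ip_queue}" ]; }

# bridge_nf_enabled [SYSCTL_FILE]: bridged frames hit the FORWARD chain only when this is 1.
bridge_nf_enabled() {
    f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# queue_rule_present: reads iptables-save output on stdin; true if FORWARD already queues.
queue_rule_present() { grep -q -- '^-A FORWARD .*-j QUEUE$'; }

# snort_running: true when a snort_inline process exists.
snort_running() { pgrep -x snort_inline >/dev/null; }

# preflight: everything that must hold before traffic is handed to snort_inline.
preflight() {
    ip_queue_available || { echo "ip_queue not loaded (try: modprobe ip_queue)" >&2; return 1; }
    bridge_nf_enabled  || { echo "bridge-nf-call-iptables is off" >&2; return 1; }
    run "$SNORT_BIN" -T -Q -c "$SNORT_CONF" >/dev/null || { echo "config test failed" >&2; return 1; }
}

start_inline() {
    preflight
    if ! snort_running; then
        run "$SNORT_BIN" -Q -D -c "$SNORT_CONF" -l "$SNORT_LOG"
        sleep 2   # give the daemon time to open the queue before we feed it
        [ "${DRY_RUN:-0}" = 1 ] || snort_running || { echo "snort_inline did not start" >&2; return 1; }
    fi
    # only now is it safe to divert forwarded packets into the queue
    if ! iptables-save | queue_rule_present; then run iptables -I FORWARD -j QUEUE; fi
}

stop_inline() {
    # remove the queue rule first, so forwarding keeps working once the reader is gone
    if iptables-save | queue_rule_present; then run iptables -D FORWARD -j QUEUE; fi
    if snort_running; then run pkill -x snort_inline; fi
}

# Usage: ./inline-ctl.sh start | stop   (DRY_RUN=1 to print instead of execute)
case ${1:-} in
    start) start_inline ;;
    stop)  stop_inline ;;
esac
```

If snort_inline dies on its own while the QUEUE rule is in place, the bridge stays dark until someone notices; a cron job that calls stop_inline when snort_running fails is the minimum you want on a link other people depend on.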

Note: your iptables strategy is entirely up to you. Decide the iptables rule according to which packets, by direction,
\nyou want to hand to snort_inline.<\/p>\n","protected":false},"excerpt":{"rendered":"

Description In this document I have tried to describe installing snort_inline on Debian Linux. Customising snort_inline after the installation is up to you; I did not have that much time. The installation was carried out as described here on mezzanine and tested for about 3 weeks on a single-client network (that client being me :) ). You can find the test notes at the end of the document. In the few documents you can find on snort_inline, the first feature that stands out is bridge […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[291],"tags":[280,281,282,283,75,284,285,78,79,286,287,288,289,290],"class_list":["post-3","post","type-post","status-publish","format-standard","hentry","category-uncategorized-tr","tag-anti-virus","tag-antivirus","tag-bridge-mode","tag-clamav","tag-firewall","tag-gateway","tag-guvenlik","tag-ids","tag-ips","tag-layer-2","tag-linux","tag-snort","tag-snort-inline","tag-snort_inline"],"_links":{"self":[{"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/posts\/3"}],"collection":[{"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/comments?post=3"}],"version-history":[{"count":0,"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/posts\/3\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/media?parent=3"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/categories?post=3"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/tags?post=3"}],"curies
":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}