Vous êtes ici : Formations en Ligne Gratuites » Catalogue » workbooks » Debian » 11 » LDF400 - Administration de la Sécurité » LDF407 - Balayage des Ports

Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

--- elearning:workbooks:debian:11:sec:l107 [2025/12/04 09:30] – admin
+++ elearning:workbooks:debian:11:sec:l107 [2025/12/04 15:40] (Version actuelle) – admin
@@ Ligne 1: / Ligne 1: @@
 ~~PDF:LANDSCAPE~~
-SNORT
 Version : **2026.01**
@@ Ligne 25: / Ligne 23: @@
       * LAB #2 - Mise en place du Système de Détection d'Intrusion Snort
         * 2.1 - Installation
-        * 2.2 - Configuration de Snort
+        * 2.2 - Configuration
-          * Editer le fichier /etc/snort/snort.conf
+        * 2.3 - Utilisation
-        * 2.3 - Utilisation de snort en mode "packet sniffer"
-        * 2.4 - Utilisation de snort en mode "packet logger"
-        * 2.5 - Journalisation
       * LAB #3 - Mise en place du Système de Détection et de Prévention d'Intrusion Portsentry
         * 3.1 - Installation
@@ Ligne 599: / Ligne 594: @@
 Snort est un **S**ystème de **D**étection d'**I**ntrusion (SDI) qui surveille les requêtes entrantes, vous avertit en cas d'anomalie et enregistre les traces de toute tentative d'intrusion.
-=== Installation ===
+=== 2.1 - Installation ===
 Sous Debian 12, **snort** n'est pas installé par défaut. Qui plus est **snort** ne se trouve pas dans les dépôts standards.
@@ Ligne 607: / Ligne 602: @@
 <code>
 root@debian12:~# apt-get install -y build-essential libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev libssl-dev libluajit-5.1-dev pkg-config libhwloc-dev cmake libpcap-dev libdaq-dev libnetfilter-queue-dev libmnl-dev libnghttp2-dev autoconf libtool cmake git
-</code>
-<code>
-root@debian12:~# mkdir ~/prce2_src && cd ~/prce2_src
-root@debian12:~/prce2_src# git clone https://github.com/PCRE2Project/pcre2.git
-Cloning into 'pcre2'...
-remote: Enumerating objects: 21776, done.
-remote: Counting objects: 100% (253/253), done.
-remote: Compressing objects: 100% (151/151), done.
-remote: Total 21776 (delta 165), reused 125 (delta 102), pack-reused 21523 (from 3)
-Receiving objects: 100% (21776/21776), 20.79 MiB | 24.50 MiB/s, done.
-Resolving deltas: 100% (18190/18190), done.
+apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libcrep2-dev git -y
 </code>
-Téléchargez et désarchivez**snort** :
+Créez ensuite le fichier **/etc/ld.so.conf.d/local.conf** qui contient les chemins vers les bibliothèques pour **snort** :
 <code>
-root@debian12:~# mkdir ~/snort_src && cd ~/snort_src
+root@debian12:~# vi /etc/ld.so.conf.d/local.conf
-root@debian12:~/snort_src# git clone https://github.com/snort3/snort3.git
+root@debian12:~# cat /etc/ld.so.conf.d/local.conf
-Cloning into 'snort3'...
+/usr/local/lib
-remote: Enumerating objects: 123479, done.
+/usr/local/lib64
-remote: Counting objects: 100% (12563/12563), done.
+/usr/local/snort/bin
-remote: Compressing objects: 100% (1891/1891), done.
-remote: Total 123479 (delta 11060), reused 10812 (delta 10672), pack-reused 110916 (from 5)
-Receiving objects: 100% (123479/123479), 91.19 MiB | 28.36 MiB/s, done.
-Resolving deltas: 100% (104741/104741), done.
 </code>
-Créez un lien symbolique pour la bibliothèque partagée **/usr/lib64/libdnet.1** :
+Créez le répertoire **~/snort-source-files** et clonez le dépôt **https://github.com/snort3/libdaq.git** :
 <code>
-[root@centos7 ~]# ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1
+root@debian12:~# mkdir ~/snort-source-files
-</code>
-Dernièrement, modifiez les permissions sur le répertoire **/var/log/snort** :
+root@debian12:~# cd snort-source-files/
-<code>
+root@debian12:~/snort-source-files# git clone https://github.com/snort3/libdaq.git
-[root@centos7 ~]# chmod ug+x /var/log/snort
+Cloning into 'libdaq'...
+remote: Enumerating objects: 2617, done.
+remote: Counting objects: 100% (239/239), done.
+remote: Compressing objects: 100% (78/78), done.
+remote: Total 2617 (delta 199), reused 169 (delta 161), pack-reused 2378 (from 2)
+Receiving objects: 100% (2617/2617), 1.18 MiB | 13.31 MiB/s, done.
+Resolving deltas: 100% (1891/1891), done.
 </code>
-==Options de la commande==
+Procédez à la compilation et à l'installation de **libdaq** :
-Les options de cette commande sont :
 <code>
-[root@centos7 ~]# snort --help
+root@debian12:~/snort-source-files# cd libdaq/
-   ,,_     -*> Snort! <*-
+root@debian12:~/snort-source-files/libdaq# ./bootstrap
-  o"  )~   Version 2.9.11.1 GRE (Build 268)
++ autoreconf -ivf --warnings=all
-   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
+autoreconf: export WARNINGS=all
-           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
+autoreconf: Entering directory '.'
-           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
+autoreconf: configure.ac: not using Gettext
-           Using libpcap version 1.5.3
+autoreconf: running: aclocal --force -I m4
-           Using PCRE version: 8.32 2012-11-30
+autoreconf: configure.ac: tracing
-           Using ZLIB version: 1.2.7
+autoreconf: running: libtoolize --copy --force
+libtoolize: putting auxiliary files in '.'.
+libtoolize: copying file './ltmain.sh'
+libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
+libtoolize: copying file 'm4/libtool.m4'
+libtoolize: copying file 'm4/ltoptions.m4'
+libtoolize: copying file 'm4/ltsugar.m4'
+libtoolize: copying file 'm4/ltversion.m4'
+libtoolize: copying file 'm4/lt~obsolete.m4'
+autoreconf: configure.ac: not using Intltool
+autoreconf: configure.ac: not using Gtkdoc
+autoreconf: running: aclocal --force -I m4
+autoreconf: running: /usr/bin/autoconf --force
+configure.ac:27: warning: The macro `AC_PROG_CC_C99' is obsolete.
+configure.ac:27: You should run autoupdate.
+./lib/autoconf/c.m4:1659: AC_PROG_CC_C99 is expanded from...
+configure.ac:27: the top level
+autoreconf: running: /usr/bin/autoheader --force
+autoreconf: running: automake --add-missing --copy --force-missing
+configure.ac:29: installing './ar-lib'
+configure.ac:26: installing './compile'
+configure.ac:34: installing './config.guess'
+configure.ac:34: installing './config.sub'
+configure.ac:19: installing './install-sh'
+configure.ac:19: installing './missing'
+api/Makefile.am: installing './depcomp'
+parallel-tests: installing './test-driver'
+autoreconf: Leaving directory '.'
-USAGE: snort [-options] <filter options>
+root@debian12:~/snort-source-files/libdaq# ./configure
-Options:
+...
-        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
+config.status: executing libtool commands
-                   "unsock" enables UNIX socket logging (experimental).
-        -b         Log packets in tcpdump format (much faster!)
-        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
-        -c <rules> Use Rules File <rules>
-        -C         Print out payloads with character data only (no hex)
-        -d         Dump the Application Layer
-        -D         Run Snort in background (daemon) mode
-        -e         Display the second layer header info
-        -f         Turn off fflush() calls after binary log writes
-        -F <bpf>   Read BPF filters from file <bpf>
-        -g <gname> Run snort gid as <gname> group (or gid) after initialization
-        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
-        -h <hn>    Set home network = <hn>
-                   (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
-        -H         Make hash tables deterministic.
-        -i <if>    Listen on interface <if>
-        -I         Add Interface name to alert output
-        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
-        -K <mode>  Logging mode (pcap[default],ascii,none)
-        -l <ld>    Log to directory <ld>
-        -L <file>  Log to this tcpdump file
-        -M         Log messages to syslog (not alerts)
-        -m <umask> Set umask = <umask>
-        -n <cnt>   Exit after receiving <cnt> packets
-        -N         Turn off logging (alerts still work)
-        -O         Obfuscate the logged IP addresses
-        -p         Disable promiscuous mode sniffing
-        -P <snap>  Set explicit snaplen of packet (default: 1514)
-        -q         Quiet. Don't show banner and status report
-        -Q         Enable inline mode operation.
-        -r <tf>    Read and process tcpdump file <tf>
-        -R <id>    Include 'id' in snort_intf<id>.pid file name
-        -s         Log alert messages to syslog
-        -S <n=v>   Set rules file variable n equal to value v
-        -t <dir>   Chroots process to <dir> after initialization
-        -T         Test and report on the current Snort configuration
-        -u <uname> Run snort uid as <uname> user (or uid) after initialization
-        -U         Use UTC for timestamps
-        -v         Be verbose
-        -V         Show version number
-        -X         Dump the raw packet data starting at the link layer
-        -x         Exit if Snort configuration problems occur
-        -y         Include year in timestamp in the alert and log files
-        -Z <file>  Set the performonitor preprocessor file path and name
-        -?         Show this information
-<Filter Options> are standard BPF options, as seen in TCPDump
-Longname options and their corresponding single char version
-   --logid <0xid>                  Same as -G
-   --perfmon-file <file>           Same as -Z
-   --pid-path <dir>                Specify the directory for the Snort PID file
-   --snaplen <snap>                Same as -P
-   --help                          Same as -?
-   --version                       Same as -V
-   --alert-before-pass             Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
-   --treat-drop-as-alert           Converts drop, sdrop, and reject rules into alert rules during startup
-   --treat-drop-as-ignore          Use drop, sdrop, and reject rules to ignore session traffic when not inline.
-   --process-all-events            Process all queued events (drop, alert,...), default stops after 1st action group
-   --enable-inline-test            Enable Inline-Test Mode Operation
-   --dynamic-engine-lib <file>     Load a dynamic detection engine
-   --dynamic-engine-lib-dir <path> Load all dynamic engines from directory
-   --dynamic-detection-lib <file>  Load a dynamic rules library
-   --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
-   --dump-dynamic-rules <path>     Creates stub rule files of all loaded rules libraries
-   --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library
-   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
-   --dynamic-output-lib <file>  Load a dynamic output library
-   --dynamic-output-lib-dir <path> Load all dynamic output libraries from directory
-   --create-pidfile                Create PID file, even when not in Daemon mode
-   --nolock-pidfile                Do not try to lock Snort PID file
-   --no-interface-pidfile          Do not include the interface name in Snort PID file
-   --disable-attribute-reload-thread Do not create a thread to reload the attribute table
-   --pcap-single <tf>              Same as -r.
-   --pcap-file <file>              file that contains a list of pcaps to read - read mode is implied.
-   --pcap-list "<list>"            a space separated list of pcaps to read - read mode is implied.
-   --pcap-dir <dir>                a directory to recurse to look for pcaps - read mode is implied.
-   --pcap-filter <filter>          filter to apply when getting pcaps from file or directory.
-   --pcap-no-filter                reset to use no filter when getting pcaps from file or directory.
-   --pcap-loop <count>             this option will read the pcaps specified on command line continuously.
-                                   for <count> times.  A value of 0 will read until Snort is terminated.
-   --pcap-reset                    if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
-   --pcap-reload                   if reading multiple pcaps, reload snort config between pcaps.
-   --pcap-show                     print a line saying what pcap is currently being read.
-   --exit-check <count>            Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
-                                   takes from signaling until DAQ_Stop() is called.
-   --conf-error-out                Same as -x
-   --enable-mpls-multicast         Allow multicast MPLS
-   --enable-mpls-overlapping-ip    Handle overlapping IPs within MPLS clouds
-   --max-mpls-labelchain-len       Specify the max MPLS label chain
-   --mpls-payload-type             Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
-   --require-rule-sid              Require that all snort rules have SID specified.
-   --daq <type>                    Select packet acquisition module (default is pcap).
-   --daq-mode <mode>               Select the DAQ operating mode.
-   --daq-var <name=value>          Specify extra DAQ configuration variable.
-   --daq-dir <dir>                 Tell snort where to find desired DAQ.
-   --daq-list[=<dir>]              List packet acquisition modules available in dir.  Default is static modules only.
-   --dirty-pig                     Don't flush packets and release memory on shutdown.
-   --cs-dir <dir>                  Directory to use for control socket.
-   --ha-peer                       Activate live high-availability state sharing with peer.
-   --ha-out <file>                 Write high-availability events to this file.
-   --ha-in <file>                  Read high-availability events from this file on startup (warm-start).
-   --suppress-config-log           Suppress configuration information output.
-</code>
+    libdaq 3.0.23
-===Configuration de Snort===
+    prefix:         /usr/local
+    sysconfdir:     ${prefix}/etc
+    libdir:         ${exec_prefix}/lib
+    includedir:     ${prefix}/include
-Snort a besoin de règles pour fonctionner correctement. Ces règles sont disponibles sous trois formes différentes :
+    cc:             gcc
+    cppflags:
+    am_cppflags:     -fvisibility=hidden -Wall -Wmissing-declarations -Wpointer-arith -Wcast-align -Wcast-qual -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wwrite-strings -Wextra -Wsign-compare -Wno-unused-parameter -fno-strict-aliasing -fdiagnostics-show-option
+    cflags:         -g -O2
+    am_cflags:       -Wstrict-prototypes -Wmissing-prototypes -Wold-style-definition -Wnested-externs
+    ldflags:
+    am_ldflags:
+    libs:
-  * **Community** - règles de base disponibles à tout le monde,
+    code_coverage_enabled:  no
-  * **Registered** - règles disponibles à toute personne possédant un compte gratuit sur le site **[[http://www.snort.org]]**,
+    code_coverage_cppflags:
-  * **Subscription** - règles les plus efficaces disponibles uniquement aux utilisateurs enregistrés **et** abonnés à un plan payant.
+    code_coverage_cflags:
+    code_coverage_ldflags:
-Le répertoire rules est donc vide lors de l'installation de Snort :
+    Build AFPacket DAQ module.. : yes
+    Build BPF DAQ module....... : yes
+    Build Divert DAQ module.... : no
+    Build Dump DAQ module...... : yes
+    Build FST DAQ module....... : yes
+    Build netmap DAQ module.... : no
+    Build NFQ DAQ module....... : yes
+    Build PCAP DAQ module...... : yes
+    Build Savefile DAQ module.. : yes
+    Build Trace DAQ module..... : yes
+    Build GWLB DAQ module...... : yes
-<code>
+root@debian12:~/snort-source-files/libdaq# make
-[root@centos7 ~]# ls /etc/snort/rules/
+...
-[root@centos7 ~]#
+make[2]: Leaving directory '/root/snort-source-files/libdaq/example'
+Making all in test
+make[2]: Entering directory '/root/snort-source-files/libdaq/test'
+make[2]: Nothing to be done for 'all'.
+make[2]: Leaving directory '/root/snort-source-files/libdaq/test'
+make[2]: Entering directory '/root/snort-source-files/libdaq'
+make[2]: Leaving directory '/root/snort-source-files/libdaq'
+make[1]: Leaving directory '/root/snort-source-files/libdaq'
+root@debian12:~/snort-source-files/libdaq# make install
+...
+----------------------------------------------------------------------
+ /usr/bin/mkdir -p '/usr/local/lib/pkgconfig'
+ /usr/bin/install -c -m 644 afpacket/libdaq_static_afpacket.pc bpf/libdaq_static_bpf.pc dump/libdaq_static_dump.pc fst/libdaq_static_fst.pc nfq/libdaq_static_nfq.pc pcap/libdaq_static_pcap.pc savefile/libdaq_static_savefile.pc trace/libdaq_static_trace.pc gwlb/libdaq_static_gwlb.pc '/usr/local/lib/pkgconfig'
+make[2]: Leaving directory '/root/snort-source-files/libdaq/modules'
+make[1]: Leaving directory '/root/snort-source-files/libdaq/modules'
+Making install in example
+make[1]: Entering directory '/root/snort-source-files/libdaq/example'
+make[2]: Entering directory '/root/snort-source-files/libdaq/example'
+ /usr/bin/mkdir -p '/usr/local/bin'
+  /bin/bash ../libtool   --mode=install /usr/bin/install -c daqtest daqtest-static '/usr/local/bin'
+libtool: install: /usr/bin/install -c .libs/daqtest /usr/local/bin/daqtest
+libtool: install: /usr/bin/install -c daqtest-static /usr/local/bin/daqtest-static
+make[2]: Nothing to be done for 'install-data-am'.
+make[2]: Leaving directory '/root/snort-source-files/libdaq/example'
+make[1]: Leaving directory '/root/snort-source-files/libdaq/example'
+Making install in test
+make[1]: Entering directory '/root/snort-source-files/libdaq/test'
+make[2]: Entering directory '/root/snort-source-files/libdaq/test'
+make[2]: Nothing to be done for 'install-exec-am'.
+make[2]: Nothing to be done for 'install-data-am'.
+make[2]: Leaving directory '/root/snort-source-files/libdaq/test'
+make[1]: Leaving directory '/root/snort-source-files/libdaq/test'
+make[1]: Entering directory '/root/snort-source-files/libdaq'
+make[2]: Entering directory '/root/snort-source-files/libdaq'
+make[2]: Nothing to be done for 'install-exec-am'.
+ /usr/bin/mkdir -p '/usr/local/lib/pkgconfig'
+ /usr/bin/install -c -m 644 libdaq.pc '/usr/local/lib/pkgconfig'
+make[2]: Leaving directory '/root/snort-source-files/libdaq'
+make[1]: Leaving directory '/root/snort-source-files/libdaq'
 </code>
-Téléchargez les règles **Registered** grâce au lien suivant contenant un **oinkcode** :
 <code>
-[root@centos7 ~]# wget https://www.dropbox.com/scl/fi/dkmuxq9j0ftahp4c3rf5p/registered.tar.gz?rlkey=mvs3qdu1kxfz9zs5mt5zy1niz&st=n90pywc2
 </code>
-Ensuite, saisissez les commandes suivantes :
+Téléchargez et désarchivez**snort** :
 <code>
-[root@centos7 ~]# tar -xvf ~/registered.tar.gz -C /etc/snort
+root@debian12:~/snort-source-files/libdaq# cd ..
-[root@centos7 ~]# ls /etc/snort/rules
-app-detect.rules        file-image.rules             netbios.rules            protocol-other.rules     server-samba.rules
+root@debian12:~/snort-source-files# git clone https://github.com/snort3/snort3.git
-attack-responses.rules  file-java.rules              nntp.rules               protocol-pop.rules       server-webapp.rules
+Cloning into 'snort3'...
-backdoor.rules          file-multimedia.rules        oracle.rules             protocol-rpc.rules       shellcode.rules
+remote: Enumerating objects: 123479, done.
-bad-traffic.rules       file-office.rules            os-linux.rules           protocol-scada.rules     smtp.rules
+remote: Counting objects: 100% (12552/12552), done.
-blacklist.rules         file-other.rules             os-mobile.rules          protocol-services.rules  snmp.rules
+remote: Compressing objects: 100% (1884/1884), done.
-botnet-cnc.rules        file-pdf.rules               os-other.rules           protocol-snmp.rules      specific-threats.rules
+remote: Total 123479 (delta 11054), reused 10808 (delta 10668), pack-reused 110927 (from 5)
-browser-chrome.rules    finger.rules                 os-solaris.rules         protocol-telnet.rules    spyware-put.rules
+Receiving objects: 100% (123479/123479), 91.19 MiB | 26.35 MiB/s, done.
-browser-firefox.rules   ftp.rules                    os-windows.rules         protocol-tftp.rules      sql.rules
+Resolving deltas: 100% (104744/104744), done.
-browser-ie.rules        icmp-info.rules              other-ids.rules          protocol-voip.rules      telnet.rules
-browser-other.rules     icmp.rules                   p2p.rules                pua-adware.rules         tftp.rules
-browser-plugins.rules   imap.rules                   phishing-spam.rules      pua-other.rules          virus.rules
-browser-webkit.rules    indicator-compromise.rules   policy-multimedia.rules  pua-p2p.rules            voip.rules
-chat.rules              indicator-obfuscation.rules  policy-other.rules       pua-toolbars.rules       VRT-License.txt
-content-replace.rules   indicator-scan.rules         policy.rules             rpc.rules                web-activex.rules
-ddos.rules              indicator-shellcode.rules    policy-social.rules      rservices.rules          web-attacks.rules
-deleted.rules           info.rules                   policy-spam.rules        scada.rules              web-cgi.rules
-dns.rules               local.rules                  pop2.rules               scan.rules               web-client.rules
-dos.rules               malware-backdoor.rules       pop3.rules               server-apache.rules      web-coldfusion.rules
-experimental.rules      malware-cnc.rules            protocol-dns.rules       server-iis.rules         web-frontpage.rules
-exploit-kit.rules       malware-other.rules          protocol-finger.rules    server-mail.rules        web-iis.rules
-exploit.rules           malware-tools.rules          protocol-ftp.rules       server-mssql.rules       web-misc.rules
-file-executable.rules   misc.rules                   protocol-icmp.rules      server-mysql.rules       web-php.rules
-file-flash.rules        multimedia.rules             protocol-imap.rules      server-oracle.rules      x11.rules
-file-identify.rules     mysql.rules                  protocol-nntp.rules      server-other.rules
 </code>
-<WRAP center round important 50%>
+Procédez à la compilation et à l'installation de **snort3** :
-**Important** - Si vous utilisez **snort** régulièrement, vous devez prendre un abonnement sur le site [[http://www.snort.org]] afin de pouvoir télécharger les mises à jour des règles.
-</WRAP>
-== Editer le fichier /etc/snort/snort.conf ==
+<code>
+root@debian12:~/snort-source-files# cd snort3/
-Lancez vi pour éditer le fichier **/etc/snort/snort.conf** :
+root@debian12:~/snort-source-files/snort3# ./configure_cmake.sh
-Modifiez la ligne qui commence par **ipvar HOME_NET** pour que celle-ci comporte l'adresse de votre réseau :
-<file>
-...
-ipvar HOME_NET 10.0.2.0/24
 ...
-</file>
+-------------------------------------------------------
+snort version 3.10.0.0
-Dans le cas où vous êtes connecté à deux ou à plusieurs réseaux directement, la ligne devrait prendre la forme suivante :
+Install options:
+    prefix:     /usr/local/snort
+    includes:   /usr/local/snort/include/snort
+    plugins:    /usr/local/snort/lib/snort
-  ipvar HOME_NET [adresse_réseau_1 ( p.e. 10.0.2.0/24 ), adresse_réseau_2 ( p.e. 10.0.0.0/8 )]
+Compiler options:
+    CC:             /usr/bin/cc
+    CXX:            /usr/bin/c++
+    CFLAGS:            -fvisibility=hidden   -DNDEBUG -g -ggdb    -O2 -g -DNDEBUG
+    CXXFLAGS:          -fvisibility=hidden   -DNDEBUG -g -ggdb    -O2 -g -DNDEBUG
+    EXE_LDFLAGS:
+    MODULE_LDFLAGS:
-Vérifiez la présence de les lignes qui commencent par **var RULE_PATH**, **Var SO_RULE_PATH** et **var PREPROC_RULE_PATH**. Celles-ci comportent les chemin relatifs des répertoires **rules** :
+Feature options:
+    DAQ Modules:    Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace)
+    libatomic:      System-provided
+    Hyperscan:      OFF
+    ICONV:          ON
+    Libunwind:      ON
+    LZMA:           ON
+    RPC DB:         Built-in
+    SafeC:          OFF
+    TCMalloc:       OFF
+    JEMalloc:       OFF
+    UUID:           ON
+    NUMA:           ON
+    LibML:          OFF
+-------------------------------------------------------
-<file>
+-- Configuring done
-...
+-- Generating done
-var RULE_PATH /etc/snort/rules
+-- Build files have been written to: /root/snort-source-files/snort3/build
-var SO_RULE_PATH ../so_rules
-var PREPROC_RULE_PATH ../preproc_rules
-...
-</file>
-Modifiez les deux lignes suivantes afin d'utiliser des chemins absolus :
+root@debian12:~/snort-source-files/snort3# cd build
-<file>
+root@debian12:~/snort-source-files/snort3/build# make
 ...
-var WHITE_LIST_PATH /etc/snort/rules
+[ 98%] Built target preprocessor_states
-var BLACK_LIST_PATH /etc/snort/rules
+[ 98%] Building CXX object tools/snort2lua/CMakeFiles/snort2lua.dir/snort2lua.cc.o
-...
+[ 98%] Building CXX object tools/snort2lua/CMakeFiles/snort2lua.dir/init_state.cc.o
-</file>
+[ 98%] Linking CXX executable snort2lua
+[ 98%] Built target snort2lua
+[ 98%] Building C object daqs/CMakeFiles/daq_file.dir/daq_file.c.o
+[ 98%] Linking C shared module daq_file.so
+[ 98%] Built target daq_file
+[ 98%] Building C object daqs/CMakeFiles/daq_hext.dir/daq_hext.c.o
+[100%] Linking C shared module daq_hext.so
+[100%] Built target daq_hext
-Décommentez la ligne qui commence par **ooutput unified2** concernant la journalisation et supprimez le mot **nostamp** :
+root@debian12:~/snort-source-files/snort3/build# make install
-<file>
 ...
-# unified2
+-- Up-to-date: /usr/local/snort/share/doc/snort/overview.txt
-# Recommended for most installs
+-- Installing: /usr/local/snort/share/doc/snort/snort2lua.txt
-output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
+-- Installing: /usr/local/snort/share/doc/snort/snort_upgrade.txt
-...
+-- Installing: /usr/local/snort/share/doc/snort/config_changes.txt
-</file>
+-- Installing: /usr/local/snort/share/doc/snort/snort_upgrade.text
+-- Installing: /usr/local/snort/share/doc/snort/snort_devel.txt
-Commentez ensuite la ligne commençant par **dynamicdetection directory** :
+-- Installing: /usr/local/snort/share/doc/snort/extending.txt
+-- Installing: /usr/local/snort/share/doc/snort/style.txt
-<code>
+-- Installing: /usr/local/snort/share/doc/snort/versions.txt
-# path to dynamic rules libraries
-# dynamicdetection directory /usr/local/lib/snort_dynamicrules
 </code>
-Créez ensuite les deux fichiers ci-dessous :
+Dernièrement, modifiez la valeur $PATH de root :
 <code>
-[root@centos7 ~]# touch /etc/snort/rules/white_list.rules
+root@debian12:~/snort-source-files/snort3/build# echo $PATH
-[root@centos7 ~]# touch /etc/snort/rules/black_list.rules
+/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
-</code>
-Modifiez maintenant le fichier **/etc/sysconfig/snort** :
+root@debian12:~/snort-source-files/snort3/build# PATH="/usr/local/snort/bin:$PATH"
-<file>
+root@debian12:~/snort-source-files/snort3/build# echo $PATH
-...
+/usr/local/snort/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
-#### General Configuration
-# What interface should snort listen on?  [Pick only 1 of the next 3!]
+root@debian12:~/snort-source-files/snort3/build# vi /root/.profile
-# This is -i {interface} on the command line
-# This is the snort.conf config interface: {interface} directive
-# INTERFACE=eth0
-INTERFACE=enp0s3
-#
-# The following two options are not directly supported on the command line
-# or in the conf file and assume the same Snort configuration for all
-# instances
-...
-</file>
-Vérifiez le fichier de configuration :
+root@debian12:~/snort-source-files/snort3/build# cat /root/.profile
+# ~/.profile: executed by Bourne-compatible login shells.
-<code>
+if [ "$BASH" ]; then
-[root@centos7 ~]# snort -T -c /etc/snort/snort.conf
+  if [ -f ~/.bashrc ]; then
-...
+    . ~/.bashrc
-        --== Initialization Complete ==--
+  fi
+fi
-   ,,_     -*> Snort! <*-
+PATH=/usr/local/snort/bin:$PATH:$HOME/bin
-  o"  )~   Version 2.9.9.0 GRE (Build 56)
+export $PATH
-   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
-           Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
-           Using libpcap version 1.5.3
-           Using PCRE version: 8.32 2012-11-30
-           Using ZLIB version: 1.2.7
-           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0  <Build 1>
+mesg n 2> /dev/null || true
-           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
-           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
-           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
-           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
-           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
-           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
-           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
-           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
-           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
-           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
-           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
-           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
-           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
-           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
-Snort successfully validated the configuration!
-Snort exiting
 </code>
-=== Utilisation de snort en mode "packet sniffer" ===
+Vérifiez la bonne installation de snort3 :
-Pour visualiser les paquets à l'aide de snort, saisissez la commande suivante :
 <code>
-[root@centos7 ~]# snort -vde -c /etc/snort/snort.conf -l /var/log/snort
+root@debian12:~/snort-source-files/snort3/build# snort --version
-...
-[root@centos7 ~]# ^C
-</code>
-<WRAP center round important 50%>
+   ,,_     -*> Snort++ <*-
-**Important** - Notez l'utilisation de la combinaison de touches <key>^</key><key>c</key> pour arrêter la visualisation des paquets.
+  o"  )~   Version 3.10.0.0
-</WRAP>
+   ''''    By Martin Roesch & The Snort Team
+           http://snort.org/contact#team
-Pour surveiller une interface réseau en particulier, saisissez la commande suivante :
+           Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved.
+           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
-<code>
+           Using DAQ version 3.0.23
-[root@centos7 ~]# snort -vd -i enp0s3 -c /etc/snort/snort.conf
+           Using libpcap version 1.10.3 (with TPACKET_V3)
-...
+           Using LuaJIT version 2.1.0-beta3
-[root@centos7 ~]# ^C
+           Using LZMA version 5.4.1
+           Using OpenSSL 3.0.17 1 Jul 2025
+           Using PCRE2 version 10.42 2022-12-11
+           Using ZLIB version 1.2.13
 </code>
-=== Utilisation de snort en mode "packet logger" ===
+==Options de la commande==
-Pour rediriger la sortie à l'écran vers le fichier log **/var/log/snort**, saisissez la commande suivante :
 <code>
-[root@centos7 ~]# snort -de -l /var/log/snort -c /etc/snort/snort.conf
+root@debian12:~/snort-source-files/snort3/build# snort --help
-...
-[root@centos7 ~]# ^C
-</code>
-===Journalisation===
+Snort has several options to get more help:
-Constatez le contenu de **/var/log/snort** :
+-? list command line options (same as --help)
+--help this overview of help
+--help-commands [<module prefix>] output matching commands
+--help-config [<module prefix>] output matching config options
+--help-counts [<module prefix>] output matching peg counts
+--help-limits print the int upper bounds denoted by max*
+--help-module <module> output description of given module
+--help-modules list all available modules with brief help
+--help-modules-json dump description of all available modules in JSON format
+--help-plugins list all available plugins with brief help
+--help-options [<option prefix>] output matching command line options
+--help-signals dump available control signals
+--list-buffers output available inspection buffers
+--list-builtin [<module prefix>] output matching builtin rules
+--list-gids [<module prefix>] output matching generators
+--list-modules [<module type>] list all known modules
+--list-plugins list all known modules
+--show-plugins list module and plugin versions
-<code>
+--help* and --list* options preempt other processing so should be last on the
-[root@centos7 ~]# ls /var/log/snort/
+command line since any following options are ignored.  To ensure options like
-merged.log  snort.log.1501937132  snort.log.1501937470  snort.log.1501943548
+--markup and --plugin-path take effect, place them ahead of the help or list
-</code>
+options.
-Constatez le contenu du fichier de journalisation :
+Options that filter output based on a matching prefix, such as --help-config
+won't output anything if there is no match.  If no prefix is given, everything
-<code>
+matches.
-[root@centos7 ~]# tail /var/log/snort/snort.log.1501943548
-����;���3P����օY&��RT5'�E���@@��
-�Ҡ��3��;P����I�N��yE��K��=��!�ޚ�UKuD}�[�c���K��۸3��uNý�@�Mo(9�ٮ���c��n��]��`G�����LJ� ��օYJZ'��RT5EL=j@%2
-����;���3P��..����jV���
-                            ������]l�S�����W�h���օYO<'��RT5E(=k@%U
-����_��������օY���RT5'�E���@@�k
-�Ҡ����_P�����G}&2�!̴������I�����AR��!�F|�?��A��"X��-V_�Љ4����"��Ab�Ъ����bb�}�K�Dd[root@centos7 ~]# ى���]Xh-et����qB������
+Report bugs to bugs@snort.org.
 </code>
-Ce fichier étant au format **PCAP binaire**, vous pouvez le lire avec la commande suivante :
+Snort 3 utilise des modules. Pour consulter la liste des modules, utilisez la commande suivante :
 <code>
-[root@centos7 ~]# snort -r /var/log/snort/snort.log.1501943548 | more
+root@debian12:~/snort-source-files/snort3/build# snort --help-modules | more
+ac_bnfa (search_engine): Aho-Corasick Binary NFA (low memory, low performance) MPSE
+ac_full (search_engine): Aho-Corasick Full (high memory, best performance), implements search_all()
+ack (ips_option): rule option to match on TCP ack numbers
+active (basic): configure responses
+address_space_selector (policy_selector): configure traffic processing based on address space
+alert (ips_action): manage the counters for the alert action
+alert_csv (logger): output event in csv format
+alert_fast (logger): output event with brief text format
+alert_full (logger): output event with full packet dump
+alert_json (logger): output event in json format
+alert_syslog (logger): output event to syslog
+alert_talos (logger): output event in Talos alert format
+alert_unixsock (logger): output event over unix socket
+alerts (basic): configure alerts
+appid (inspector): application and service identification
+appids (ips_option): detection option for application ids
+arp (codec): support for address resolution protocol
+arp_spoof (inspector): detect ARP attacks and anomalies
+attribute_table (basic): configure hosts loading
+auth (codec): support for IP authentication header
+back_orifice (inspector): back orifice detection
+base64_decode (ips_option): rule option to decode base64 data - must be used with base64_data option
+ber_data (ips_option): rule option to move to the data for a specified BER element
+ber_skip (ips_option): rule option to skip BER element
+binder (inspector): configure processing based on CIDRs, ports, services, etc.
+block (ips_action): manage the counters for the block action
+bufferlen (ips_option): rule option to check length of current buffer
+byte_extract (ips_option): rule option to convert data to an integer variable
+byte_jump (ips_option): rule option to move the detection cursor
+byte_math (ips_option): rule option to perform mathematical operations on extracted value and a specified value or existing variable
+byte_test (ips_option): rule option to convert data to integer and compare
+cip (inspector): cip inspection
+cip_attribute (ips_option): detection option to match CIP attribute
+cip_class (ips_option): detection option to match CIP class
+cip_conn_path_class (ips_option): detection option to match CIP Connection Path Class
+cip_instance (ips_option): detection option to match CIP instance
+cip_req (ips_option): detection option to match CIP request
+cip_rsp (ips_option): detection option to match CIP response
+cip_service (ips_option): detection option to match CIP service
+cip_status (ips_option): detection option to match CIP response status
+ciscometadata (codec): support for cisco metadata
+classifications (basic): define rule categories with priority
+classtype (ips_option): general rule option for rule classification
+content (ips_option): payload rule option for basic pattern matching
+cvs (ips_option): payload rule option for detecting specific attacks
+daq (basic): configure packet acquisition interface
+dce_http_proxy (inspector): dce over http inspection - client to/from proxy
+dce_http_server (inspector): dce over http inspection - proxy to/from server
+dce_iface (ips_option): detection option to check dcerpc interface
+dce_opnum (ips_option): detection option to check dcerpc operation number
+dce_smb (inspector): dce over smb inspection
+dce_stub_data (ips_option): sets the cursor to dcerpc stub data
+dce_tcp (inspector): dce over tcp inspection
+dce_udp (inspector): dce over udp inspection
+decode (basic): general decoder rules
+--More--
 </code>
-Notez que ce fichier peut aussi être lu par la commande **tcpdump** :
+Pour obtenir une aide sur un module spécifique, utilisez la commande **snort --help-module <nom_module>** :
 <code>
-[root@centos7 ~]# tcpdump -r /var/log/snort/snort.log.1501943548 | more
+root@debian12:~/snort-source-files/snort3/build# snort --help-module ac_bnfa
-reading from file /var/log/snort/snort.log.1501943548, link-type EN10MB (Ethernet)
-:32:28.316281 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 2695230935:2695231611, ack 28164311, win 534
-, length 676
-:32:28.316485 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 676, win 65535, length 0
-:32:28.318511 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 676:768, ack 1, win 53440, length 92
-:32:28.318706 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 768, win 65535, length 0
-:32:28.318799 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 768:860, ack 1, win 53440, length 92
-:32:28.318963 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 860, win 65535, length 0
-:32:28.319081 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 860:952, ack 1, win 53440, length 92
-:32:28.319220 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 952, win 65535, length 0
-:32:28.319278 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 952:1044, ack 1, win 53440, length 92
-:32:28.319373 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1044, win 65535, length 0
-:32:28.319457 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1044:1136, ack 1, win 53440, length 92
-:32:28.319544 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1136, win 65535, length 0
-:32:28.319624 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1136:1228, ack 1, win 53440, length 92
-:32:28.319734 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1228, win 65535, length 0
-:32:28.319787 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1228:1320, ack 1, win 53440, length 92
-:32:28.319972 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1320, win 65535, length 0
-:32:28.320041 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1320:1412, ack 1, win 53440, length 92
-:32:28.320186 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1412, win 65535, length 0
-:32:28.320240 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1412:1504, ack 1, win 53440, length 92
-:32:28.320397 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1504, win 65535, length 0
-:32:28.320451 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1504:1596, ack 1, win 53440, length 92
-:32:28.320606 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1596, win 65535, length 0
-:32:28.320659 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1596:1688, ack 1, win 53440, length 92
-:32:28.320816 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1688, win 65535, length 0
-:32:28.320869 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1688:1780, ack 1, win 53440, length 92
-:32:28.320991 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1780, win 65535, length 0
-:32:28.321047 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1780:1872, ack 1, win 53440, length 92
-:32:28.321161 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1872, win 65535, length 0
-:32:28.321232 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1872:1964, ack 1, win 53440, length 92
-:32:28.321355 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 1964, win 65535, length 0
-:32:28.321426 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 1964:2056, ack 1, win 53440, length 92
-:32:28.321533 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 2056, win 65535, length 0
-:32:28.321589 IP 15.2.0.10.rev.sfr.net.ssh > 2.2.0.10.rev.sfr.net.48338: Flags [P.], seq 2056:2148, ack 1, win 53440, length 92
-:32:28.321695 IP 2.2.0.10.rev.sfr.net.48338 > 15.2.0.10.rev.sfr.net.ssh: Flags [.], ack 2148, win 65535, length 0
---More--
-</code>
+ac_bnfa
-<WRAP center round important 50%>
-**Important** - Vous pouvez utiliser le logiciel Wireshark pour visulaiser le contenu du fichier en mode graphique.
-</WRAP>
-Dernièrement, notez qu'il est aussi possible de ne journaliser le trafic que sur un seul réseau :
+Help: Aho-Corasick Binary NFA (low memory, low performance) MPSE
-  # snort -de -l /var/log/snort -h 10.0.2.0/24
+Type: search_engine
-<WRAP center round important 50%>
+Usage: global
-**Important** - Notez l'utilisation des options suivantes : **-l** indique le fichier de journalisation**, -h** indique le **home-net**.
-</WRAP>
-Pour lancer snort en arrière plan afin de surveiller l'interface **enp0s3**, utilisez la commande suivante :
+Peg counts:
-<code>
+ac_bnfa.searches: number of search attempts (sum)
-[root@centos7 ~]# /usr/sbin/snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort &
+ac_bnfa.matches: number of times a match was found (sum)
-[1] 19281
+ac_bnfa.bytes: total bytes searched (sum)
-[root@centos7 ~]# Spawning daemon child...
-My daemon child 19401 lives...
-Daemon parent exiting (0)
-^C
-[1]+  Done                    /usr/sbin/snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
-[root@centos7 ~]# ps aux | grep snort
-snort    19401  0.0 24.6 850984 504544 ?       Ssl  11:03   0:00 /usr/sbin/snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
-root     19688  0.0  0.0 114692   964 pts/0    R+   11:04   0:00 grep --color=auto snort
 </code>
-Pour arrêter ce processus, utilisez al commande **kill**:
+Dernièrement, vous pouvez obtenir de l'aide sur la configuration de snort avec la commande suivante :
 <code>
-[root@centos7 ~]# ps aux | grep snort
+root@debian12:~/snort-source-files/snort3/build# snort --help-config | more
-snort    19401  0.0 24.6 850984 504692 ?       Ssl  11:03   0:00 /usr/sbin/snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
+interval ack.~range: check if TCP ack value is 'value | min<>max | <max | >min' { 0: }
-root     20521  0.0  0.0 114692   964 pts/0    R+   11:07   0:00 grep --color=auto snort
+int active.attempts = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:255 }
-[root@centos7 ~]# kill 19401
+string active.device: use 'ip' for network layer responses or 'eth0' etc for link layer
-[root@centos7 ~]# ps aux | grep snort
+string active.dst_mac: use format '01:23:45:67:89:ab'
-root     20568  0.0  0.0 114692   968 pts/0    R+   11:07   0:00 grep --color=auto snort
+int active.max_responses = 0: maximum number of responses { 0:255 }
+int active.min_interval = 255: minimum number of seconds between responses { 1:255 }
+string address_space_selector[].addr_spaces: list of address space IDs to match
+string address_space_selector[].file: use configuration in given file
+bool alert_csv.file = false: output to alert_csv.txt instead of stdout
+multi alert_csv.fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action': selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_
+pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | geneve_vni | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_ge
+n | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sgt| sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | ti
+mestamp | tos | ttl | udp_len | vlan }
+int alert_csv.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
+string alert_csv.separator = ', ': separate fields with this character sequence
+bool alert_fast.file = false: output to alert_fast.txt instead of stdout
+bool alert_fast.packet = false: output packet dump with alert
+enum alert_fast.buffers = 'none': output IPS buffer dump (evaluated by IPS rule or an inspector) { 'none' | 'rule' | 'inspector' | 'both' }
+int alert_fast.buffers_depth = 0: number of IPS buffer bytes to dump per buffer (0 is unlimited) { 0:maxSZ }
+int alert_fast.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
+bool alert_full.file = false: output to alert_full.txt instead of stdout
+int alert_full.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
+bool alert_json.file = false: output to alert_json.txt instead of stdout
+multi alert_json.fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action': selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client
+_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | geneve_vni | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_g
+en | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sgt| sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | t
+imestamp | tos | ttl | udp_len | vlan }
+int alert_json.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
+string alert_json.separator = ', ': separate fields with this character sequence
+enum alert_syslog.facility = 'auth': part of priority applied to each message { 'auth' | 'authpriv' | 'daemon' | 'user' | 'local0' | 'local1' | 'local2' | 'local3' | 'local4' | 'local5' | 'local6' | 'local7' }
+enum alert_syslog.level = 'info': part of priority applied to each message { 'emerg' | 'alert' | 'crit' | 'err' | 'warning' | 'notice' | 'info' | 'debug' }
+multi alert_syslog.options: used to open the syslog connection { cons | ndelay | perror | pid }
+bool alerts.alert_with_interface_name = false: include interface in alert info (fast, full, or syslog only)
+int alerts.detection_filter_memcap = 1048576: set available MB of memory for detection_filters { 0:max32 }
+int alerts.event_filter_memcap = 1048576: set available MB of memory for event_filters { 0:max32 }
+bool alerts.log_references = false: include rule references in alert info (full only)
+string alerts.order: change the order of rule action application
+int alerts.rate_filter_memcap = 1048576: set available MB of memory for rate_filters { 0:max32 }
+string alerts.reference_net: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
+string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic
+int appid.memcap = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }
+bool appid.log_stats = false: enable logging of appid statistics
+int appid.app_stats_period = 300: time period for collecting and logging appid statistics { 1:max32 }
+int appid.app_stats_rollover_size = 20971520: max file size for appid stats before rolling over the log file { 0:max32 }
+string appid.app_detector_dir: directory to load appid detectors from
+bool appid.list_odp_detectors = false: enable logging of odp detectors statistics
+string appid.tp_appid_path: path to third party appid dynamic library
+string appid.tp_appid_config: path to third party appid configuration file
+bool appid.tp_appid_stats_enable: enable collection of stats and print stats on exit in third party module
+bool appid.tp_appid_config_dump: print third party configuration on startup
+bool appid.log_all_sessions = false: enable logging of all appid sessions
+bool appid.enable_rna_filter = false: monitor only the networks specified in rna configuration
+string appid.rna_conf_path: path to rna configuration file
+string appids.~: comma separated list of application names
+ip4 arp_spoof.hosts[].ip: host ip address
+--More--
 </code>
-====LAB #3 - Mise en place du Système de Détection et de Prévention d'Intrusion Portsentry====
+===2.2 - Configuration de Snort===
-Portsentry est un **S**ystème de **D**étection et de **Prévention** d'**I**ntrusion (SDPI) qui surveille les requêtes entrantes et en cas d'anomalie bloque l'adresse IP de l'attaquant en inscrivant une règle dans le pare-feu NetFilter (Iptables).
+Pour vérifier la configuration actuelle de snort, exécutez la commande suivante :
-=== Installation ===
-Sous RHEL/CentOS 7, **portsentry** n'est pas installé par défaut. Qui plus est **portsentry** ne se trouve pas dans les dépôts standards. Installez donc le paquet **portsentry-1.2-1.el5.x86_64.rpm** à partir de l'URL ci-dessous :
 <code>
-[root@centos7 ~]# rpm -ivh https://www.dropbox.com/scl/fi/v1iniimmjkvj0kx6xllmt/portsentry-1.2-1.el5.x86_64.rpm?rlkey=zyyvgd2a1ksi27y2v2maf6fuh&st=ovf7z0d1
+root@debian12:~/snort-source-files/snort3/build# cd ~
-Loaded plugins: fastestmirror, langpacks
-portsentry-1.2-1.el5.x86_64.rpm                                                                                 |  53 kB  00:00:00
-Examining /var/tmp/yum-root-qpYJaP/portsentry-1.2-1.el5.x86_64.rpm: portsentry-1.2-1.el5.x86_64
-Marking /var/tmp/yum-root-qpYJaP/portsentry-1.2-1.el5.x86_64.rpm to be installed
-Resolving Dependencies
---> Running transaction check
----> Package portsentry.x86_64 0:1.2-1.el5 will be installed
---> Finished Dependency Resolution
-adobe-linux-x86_64                                                                                              | 2.9 kB  00:00:00
-base/7/x86_64                                                                                                   | 3.6 kB  00:00:00
-extras/7/x86_64                                                                                                 | 3.4 kB  00:00:00
-updates/7/x86_64                                                                                                | 3.4 kB  00:00:00
-Dependencies Resolved
+root@debian12:~# snort -c /usr/local/snort/etc/snort/snort.lua
+--------------------------------------------------
-=======================================================================================================================================
+o")~   Snort++ 3.10.0.0
- Package                     Arch                    Version                       Repository                                     Size
+--------------------------------------------------
-=======================================================================================================================================
+Loading /usr/local/snort/etc/snort/snort.lua:
-Installing:
+Loading snort_defaults.lua:
- portsentry                  x86_64                  1.2-1.el5                     /portsentry-1.2-1.el5.x86_64                  114 k
+Finished snort_defaults.lua:
+        output
-Transaction Summary
+        active
-=======================================================================================================================================
+        alerts
-Install  1 Package
+        daq
+        decode
-Total size: 114 k
+        host_cache
-Installed size: 114 k
+        host_tracker
-Is this ok [y/d/N]: y
+        hosts
+        network
+        packets
+        process
+        search_engine
+        so_proxy
+        stream
+        stream_ip
+        stream_icmp
+        stream_udp
+        stream_user
+        stream_file
+        arp_spoof
+        back_orifice
+        imap
+        netflow
+        normalizer
+        pop
+        sip
+        ssh
+        ssl
+        telnet
+        cip
+        dnp3
+        iec104
+        mms
+        modbus
+        opcua
+        s7commplus
+        dce_smb
+        dce_tcp
+        dce_udp
+        dce_http_proxy
+        dce_http_server
+        gtp_inspect
+        port_scan
+        smtp
+        ftp_server
+        ftp_client
+        ftp_data
+        http_inspect
+        http2_inspect
+        file_policy
+        js_norm
+        appid
+        wizard
+        ips
+        binder
+        references
+        classifications
+        file_id
+        rpc_decode
+        dns
+        stream_tcp
+        trace
+Finished /usr/local/snort/etc/snort/snort.lua:
+Loading file_id.rules_file:
+Loading file_magic.rules:
+Finished file_magic.rules:
+Finished file_id.rules_file:
+--------------------------------------------------
+ips policies rule stats
+              id  loaded  shared enabled    file
+     219       0     219    /usr/local/snort/etc/snort/snort.lua
+--------------------------------------------------
+rule counts
+       total rules loaded: 219
+               text rules: 219
+            option chains: 219
+            chain headers: 1
+--------------------------------------------------
+service rule counts          to-srv  to-cli
+                  file_id:      219     219
+                    total:      219     219
+--------------------------------------------------
+fast pattern groups
+                to_server: 1
+                to_client: 1
+--------------------------------------------------
+search engine (ac_bnfa)
+                instances: 2
+                 patterns: 438
+            pattern chars: 2602
+               num states: 1832
+         num match states: 392
+             memory scale: KB
+             total memory: 71.2812
+           pattern memory: 19.6484
+        match list memory: 28.4375
+        transition memory: 22.9453
+appid: MaxRss diff: 3084
+appid: patterns loaded: 300
+--------------------------------------------------
+pcap DAQ configured to passive.
+Snort successfully validated the configuration (with 0 warnings).
+o")~   Snort exiting
 </code>
-===Configuration===
+=== 2.3 - Utilisation de snort ===
-Modifiez le fichier **/etc/portsentry/portsentry.conf** en ajoutant la ligne **237** :
+Pour lancer Snort 3 en tant qu'outil de détection d'instrusion, utilisez la commande suivante :
 <code>
-[root@centos7 ~]# nl /etc/portsentry/portsentry.conf
+root@debian12:~# snort -c /usr/local/snort/etc/snort/snort.lua -i ens18 -A alert_fast -s 65535 -k none &
-	# PortSentry Configuration
+[2] 28057
-	#
-	# $Id: portsentry.conf,v 1.25 2003/05/23 16:15:39 crowland Exp crowland $
-	#
-	# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
-	#
-	# The default ports will catch a large number of common probes
-	#
-	# All entries must be in quotes.
-	#######################
-	# Port Configurations #
-	#######################
-	#
-	#
-	# Some example port configs for classic and basic Stealth modes
-	#
-	# I like to always keep some ports at the "low" end of the spectrum.
-	# This will detect a sequential port sweep really quickly and usually
-	# these ports are not in use (i.e. tcpmux port 1)
-	#
-	# ** X-Windows Users **: If you are running X on your box, you need to be sure
-	# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
-	# Doing so will prevent the X-client from starting properly.
-	#
-	# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
-	#
-	# Un-comment these if you are really anal:
-	#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
-	#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
-	#
-	# Use these if you just want to be aware:
-	TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
-	UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
-	#
-	# Use these for just bare-bones
-	#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
-	#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
-	###########################################
-	# Advanced Stealth Scan Detection Options #
-	###########################################
-	#
-	# This is the number of ports you want PortSentry to monitor in Advanced mode.
-	# Any port *below* this number will be monitored. Right now it watches
-	# everything below 1024.
-	#
-	# On many Linux systems you cannot bind above port 61000. This is because
-	# these ports are used as part of IP masquerading. I don't recommend you
-	# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
-	# OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
-	# warned! Don't write me if you have have a problem because I'll only tell
-	# you to RTFM and don't run above the first 1024 ports.
-	#
-	#
-	ADVANCED_PORTS_TCP="1024"
-	ADVANCED_PORTS_UDP="1024"
-	#
-	# This field tells PortSentry what ports (besides listening daemons) to
-	# ignore. This is helpful for services like ident that services such
-	# as FTP, SMTP, and wrappers look for but you may not run (and probably
-	# *shouldn't* IMHO).
-	#
-	# By specifying ports here PortSentry will simply not respond to
-	# incoming requests, in effect PortSentry treats them as if they are
-	# actual bound daemons. The default ports are ones reported as
-	# problematic false alarms and should probably be left alone for
-	# all but the most isolated systems/networks.
-	#
-	# Default TCP ident and NetBIOS service
-	ADVANCED_EXCLUDE_TCP="21,22,25,53,80,110,113,135,137,138,139,443"
-	# Default UDP route (RIP), NetBIOS, bootp broadcasts.
-	ADVANCED_EXCLUDE_UDP="520,517,518,513,138,137,123,68,67,53"
-	######################
-	# Configuration Files#
-	######################
-	#
-	# Hosts to ignore
-	IGNORE_FILE="/etc/portsentry/portsentry.ignore"
-	# Hosts that have been denied (running history)
-	HISTORY_FILE="/etc/portsentry/portsentry.history"
-	# Hosts that have been denied this session only (temporary until next restart)
-	BLOCKED_FILE="/etc/portsentry/portsentry.blocked"
-	##############################
-	# Misc. Configuration Options#
-	##############################
-	#
-	# DNS Name resolution - Setting this to "1" will turn on DNS lookups
-	# for attacking hosts. Setting it to "0" (or any other value) will shut
-	# it off.
-	RESOLVE_HOST = "1"
-	###################
-	# Response Options#
-	###################
-	# Options to dispose of attacker. Each is an action that will
-	# be run if an attack is detected. If you don't want a particular
-	# option then comment it out and it will be skipped.
-	#
-	# The variable $TARGET$ will be substituted with the target attacking
-	# host when an attack is detected. The variable $PORT$ will be substituted
-	# with the port that was scanned.
-	#
-	##################
-	# Ignore Options #
-	##################
-	# These options allow you to enable automatic response
-	# options for UDP/TCP. This is useful if you just want
-	# warnings for connections, but don't want to react for
-	# a particular protocol (i.e. you want to block TCP, but
-	# not UDP). To prevent a possible Denial of service attack
-	# against UDP and stealth scan detection for TCP, you may
-	# want to disable blocking, but leave the warning enabled.
-	# I personally would wait for this to become a problem before
-	# doing though as most attackers really aren't doing this.
-	# The third option allows you to run just the external command
-	# in case of a scan to have a pager script or such execute
-	# but not drop the route. This may be useful for some admins
-	# who want to block TCP, but only want pager/e-mail warnings
-	# on UDP, etc.
-	#
-	#
-	# 0 = Do not block UDP/TCP scans.
-	# 1 = Block UDP/TCP scans.
-	# 2 = Run external command only (KILL_RUN_CMD)
-	BLOCK_UDP="1"
-	BLOCK_TCP="1"
-	###################
-	# Dropping Routes:#
-	###################
-	# This command is used to drop the route or add the host into
-	# a local filter table.
-	#
-	# The gateway (333.444.555.666) should ideally be a dead host on
-	# the *local* subnet. On some hosts you can also point this at
-	# localhost (127.0.0.1) and get the same effect. NOTE THAT
-	# 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
-	#
-	# ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
-	# uncomment the correct line for your OS. If you OS is not listed
-	# here and you have a route drop command that works then please
-	# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
-	# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
-	#
-	# NOTE: The route commands are the least optimal way of blocking
-	# and do not provide complete protection against UDP attacks and
-	# will still generate alarms for both UDP and stealth scans. I
-	# always recommend you use a packet filter because they are made
-	# for this purpose.
-	#
-	# Generic
-	#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
-	# Generic Linux
-	#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
-	# Newer versions of Linux support the reject flag now. This
-	# is cleaner than the above option.
-	#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
-	# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
-	#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
-	# Generic Sun
-	#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
-	# NEXTSTEP
-	#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
-	# FreeBSD
-	#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
-	# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
-	#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
-	# Generic HP-UX
-	#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
-	##
-	# Using a packet filter is the PREFERRED. The below lines
-	# work well on many OS's. Remember, you can only uncomment *one*
-	# KILL_ROUTE option.
-	##
-	# ipfwadm support for Linux
-	#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
-	#
-	# ipfwadm support for Linux (no logging of denied packets)
-	#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
-	#
-	# ipchain support for Linux
-	#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
-	#
-	# ipchain support for Linux (no logging of denied packets)
-	#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
-	#
-	# iptables support for Linux
-	KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
-	# For those of you running FreeBSD (and compatible) you can
-	# use their built in firewalling as well.
-	#
-	#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
-	#
-	#
-	# For those running ipfilt (OpenBSD, etc.)
-	# NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
-	#
-	#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"
-	###############
-	# TCP Wrappers#
-	###############
-	# This text will be dropped into the hosts.deny file for wrappers
-	# to use. There are two formats for TCP wrappers:
-	#
-	# Format One: Old Style - The default when extended host processing
-	# options are not enabled.
-	#
-	#KILL_HOSTS_DENY="ALL: $TARGET$"
-	# Format Two: New Style - The format used when extended option
-	# processing is enabled. You can drop in extended processing
-	# options, but be sure you escape all '%' symbols with a backslash
-	# to prevent problems writing out (i.e. \%c \%h )
-	#
-	#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
-	###################
-	# External Command#
-	###################
-	# This is a command that is run when a host connects, it can be whatever
-	# you want it to be (pager, etc.). This command is executed before the
-	# route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
-	#
-	#
-	# I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
-	# YOU!
-	#
-	# TCP/IP is an *unauthenticated protocol* and people can make scans appear out
-	# of thin air. The only time it is reasonably safe (and I *never* think it is
-	# reasonable) to run reverse probe scripts is when using the "classic" -tcp mode.
-	# This mode requires a full connect and is very hard to spoof.
-	#
-	# The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
-	# to run *before* the blocking occurs and should be set to "0" to make the
-	# command run *after* the blocking has occurred.
-	#
-	#KILL_RUN_CMD_FIRST = "0"
-	#
-	#
-	#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
-	#KILL_RUN_CMD="/bin/mail -s 'Portscan from $TARGET$ on port $PORT$' user@host < /dev/null"
-	KILL_RUN_CMD="/bin/mail -s 'Portscan from $TARGET$ on port $PORT$' root@localhost < /dev/null"  <--------------------------------AJOUTEZ cette ligne
-	#####################
-	# Scan trigger value#
-	#####################
-	# Enter in the number of port connects you will allow before an
-	# alarm is given. The default is 0 which will react immediately.
-	# A value of 1 or 2 will reduce false alarms. Anything higher is
-	# probably not necessary. This value must always be specified, but
-	# generally can be left at 0.
-	#
-	# NOTE: If you are using the advanced detection option you need to
-	# be careful that you don't make a hair trigger situation. Because
-	# Advanced mode will react for *any* host connecting to a non-used
-	# below your specified range, you have the opportunity to really
-	# break things. (i.e someone innocently tries to connect to you via
-	# SSL [TCP port 443] and you immediately block them). Some of you
-	# may even want this though. Just be careful.
-	#
-	SCAN_TRIGGER="2"
-	######################
-	# Port Banner Section#
-	######################
-	#
-	# Enter text in here you want displayed to a person tripping the PortSentry.
-	# I *don't* recommend taunting the person as this will aggravate them.
-	# Leave this commented out to disable the feature
-	#
-	# Stealth scan detection modes don't use this feature
-	#
-	#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
-	# EOF
-</code>
-Pour rendre le service SysVInit compatible avec Systemd, éditez le fichier **/etc/init.d/portsentry** en supprimant la ligne **11** :
+root@debian12:~# --------------------------------------------------
+o")~   Snort++ 3.10.0.0
+--------------------------------------------------
+Loading /usr/local/snort/etc/snort/snort.lua:
+Loading snort_defaults.lua:
+Finished snort_defaults.lua:
+        active
+        alerts
+        daq
+        decode
+        host_cache
+        host_tracker
+        hosts
+        packets
+        process
+        search_engine
+        so_proxy
+        stream
+        stream_ip
+        stream_icmp
+        stream_tcp
+        stream_udp
+        stream_user
+        stream_file
+        arp_spoof
+        back_orifice
+        dns
+        imap
+        netflow
+        normalizer
+        pop
+        rpc_decode
+        sip
+        ssh
+        ssl
+        telnet
+        cip
+        dnp3
+        iec104
+        modbus
+        opcua
+        s7commplus
+        dce_smb
+        dce_tcp
+        dce_udp
+        dce_http_proxy
+        dce_http_server
+        gtp_inspect
+        smtp
+        ftp_server
+        ftp_client
+        ftp_data
+        http_inspect
+        http2_inspect
+        file_policy
+        appid
+        wizard
+        binder
+        ips
+        classifications
+        js_norm
+        file_id
+        port_scan
+        mms
+        output
+        references
+        network
+        trace
+Finished /usr/local/snort/etc/snort/snort.lua:
+Loading file_id.rules_file:
+Loading file_magic.rules:
+Finished file_magic.rules:
+Finished file_id.rules_file:
+--------------------------------------------------
+ips policies rule stats
+              id  loaded  shared enabled    file
+     219       0     219    /usr/local/snort/etc/snort/snort.lua
+--------------------------------------------------
+rule counts
+       total rules loaded: 219
+               text rules: 219
+            option chains: 219
+            chain headers: 1
+--------------------------------------------------
+service rule counts          to-srv  to-cli
+                  file_id:      219     219
+                    total:      219     219
+--------------------------------------------------
+fast pattern groups
+                to_server: 1
+                to_client: 1
+--------------------------------------------------
+search engine (ac_bnfa)
+                instances: 2
+                 patterns: 438
+            pattern chars: 2602
+               num states: 1832
+         num match states: 392
+             memory scale: KB
+             total memory: 71.2812
+           pattern memory: 19.6484
+        match list memory: 28.4375
+        transition memory: 22.9453
+appid: MaxRss diff: 3408
+appid: patterns loaded: 300
+--------------------------------------------------
+pcap DAQ configured to passive.
+Commencing packet processing
+Retry queue interval is: 200 ms
+++ [0] ens18
+[Entrée]
-<code>
+root@debian12:~# ps aux | grep 28057
-[root@centos7 ~]# nl /etc/init.d/portsentry
+root       28057  1.9  0.3 188032 56952 pts/3    Sl   15:52   0:03 snort -c /usr/local/snort/etc/snort/snort.lua -i ens18 -A alert_fast -s 65535 -k none
-	#!/bin/bash
+root       28065  0.0  0.0   6340  2056 pts/3    S+   15:54   0:00 grep 28057
-	#
-	# Startup script for the Portsentry portscan detector
-	#
-	# chkconfig: 345 98 02
-	# description: PortSentry Port Scan Detector is part of the Abacus Project \
-	#              suite of tools. The Abacus Project is an initiative to release \
-	#              low-maintenance, generic, and reliable host based intrusion \
-	#              detection software to the Internet community.
-	# processname: portsentry
-	# pidfile: /var/run/portsentry.pid  <--------------------------------SUPPRIMEZ cette ligne
-	# config: /etc/portsentry/portsentry.conf
-	# Source function library.
-...
 </code>
-Puis ajoutez la ligne **80** :
+Tuez le processus de Snort 3 :
 <code>
-...
+root@debian12:~# kill 28057
-	stop() {
+root@debian12:~# ** caught term signal
-		echo -n $"Stopping $prog: "
+== stopping
-		killproc portsentry
+-- [0] ens18
-		killall portsentry  <--------------------------------AJOUTEZ cette ligne
+--------------------------------------------------
-		RETVAL=$?
+Packet Statistics
-		echo
+--------------------------------------------------
-		[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/portsentry
+daq
-	}
+                 received: 1070
+                 analyzed: 1067
-	# See how we were called.
+                    allow: 1067
-...
+                 rx_bytes: 201558
-</code>
+--------------------------------------------------
+codec
+                    total: 1067         (100.000%)
+                      arp: 12           (  1.125%)
+                      eth: 1067         (100.000%)
+                    icmp4: 1            (  0.094%)
+                 icmp4_ip: 1            (  0.094%)
+                    icmp6: 1            (  0.094%)
+                     ipv4: 1054         ( 98.782%)
+                     ipv6: 1            (  0.094%)
+                      tcp: 1052         ( 98.594%)
+                      udp: 1            (  0.094%)
+--------------------------------------------------
+Module Statistics
+--------------------------------------------------
+ac_full
+                 searches: 2
+                    bytes: 184
+--------------------------------------------------
+appid
+                  packets: 1055
+        processed_packets: 1048
+          ignored_packets: 7
+           total_sessions: 5
+       service_cache_adds: 1
+             bytes_in_use: 168
+             items_in_use: 1
+--------------------------------------------------
+arp_spoof
+                  packets: 12
+--------------------------------------------------
+back_orifice
+                  packets: 1
+--------------------------------------------------
+binder
+              raw_packets: 19
+                new_flows: 5
+                 inspects: 24
+--------------------------------------------------
+detection
+                 analyzed: 1067
+--------------------------------------------------
+port_scan
+                  packets: 1055
+                 trackers: 8
+--------------------------------------------------
+stream
+                    flows: 5
+             total_prunes: 3
+idle_prunes_proto_timeout: 3
+       udp_timeout_prunes: 1
+      icmp_timeout_prunes: 2
+--------------------------------------------------
+stream_icmp
+                 sessions: 2
+                      max: 2
+                  created: 2
+                 released: 2
+--------------------------------------------------
+stream_tcp
+                 sessions: 2
+                      max: 2
+                  created: 2
+                 released: 2
+                 timeouts: 1
+             instantiated: 1
+                   setups: 2
+            data_trackers: 2
+              segs_queued: 639
+            segs_released: 639
+                segs_used: 638
+          rebuilt_packets: 144
+            rebuilt_bytes: 131204
+          client_cleanups: 1
+          server_cleanups: 2
+        partial_fallbacks: 2
+                 max_segs: 199
+                max_bytes: 9608
+--------------------------------------------------
+stream_udp
+                 sessions: 1
+                      max: 1
+                  created: 1
+                 released: 1
+              total_bytes: 92
+--------------------------------------------------
+wizard
+                tcp_scans: 292
+               tcp_misses: 2
+                udp_scans: 1
+               udp_misses: 1
+--------------------------------------------------
+Appid Statistics
+--------------------------------------------------
+detected apps and services
+              Application: Services   Clients    Users      Payloads   Misc       Referred
+                  unknown: 2          0          0          0          0          0
+--------------------------------------------------
+Summary Statistics
+--------------------------------------------------
+process
+                  signals: 1
+--------------------------------------------------
+timing
+                  runtime: 00:10:13
+                  seconds: 613.666561
+                 pkts/sec: 2
+o")~   Snort exiting
-Dernièrement, installez le paquet **initscripts** :
+[2]+  Done                    snort -c /usr/local/snort/etc/snort/snort.lua -i ens18 -A alert_fast -s 65535 -k none  (wd: /usr/local/snort/etc/snort)
+(wd now: ~)
-<code>
-[root@centos7 ~]# yum install -y initscripts
 </code>
-===Utilisation===
+====LAB #3 - Mise en place du Système de Détection et de Prévention d'Intrusion Portsentry====
-Démarrez le service **portsentry** :
+Portsentry est un **S**ystème de **D**étection et de **Prévention** d'**I**ntrusion (SDPI) qui surveille les requêtes entrantes et en cas d'anomalie bloque l'adresse IP de l'attaquant en inscrivant une règle dans le pare-feu NetFilter (Iptables).
-<code>
+===3.1 - Installation ===
-[root@centos7 ~]# systemctl start portsentry
-[root@centos7 ~]# systemctl status portsentry
-● portsentry.service - SYSV: PortSentry Port Scan Detector is part of the Abacus Project suite of tools. The Abacus Project is an initiative to release low-maintenance, generic, and reliable host based intrusion detection software to the Internet community.
-   Loaded: loaded (/etc/rc.d/init.d/portsentry; bad; vendor preset: disabled)
-   Active: active (running) since Sun 2017-08-06 14:48:18 CEST; 6s ago
-     Docs: man:systemd-sysv-generator(8)
-  Process: 6487 ExecStart=/etc/rc.d/init.d/portsentry start (code=exited, status=0/SUCCESS)
-   CGroup: /system.slice/portsentry.service
-           ├─6511 /usr/sbin/portsentry -atcp
-           └─6513 /usr/sbin/portsentry -audp
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 517
+Utilisez simplement APT pour installer portsentry :
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 518
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 513
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 138
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 137
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...: 123
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...t: 68
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...t: 67
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP...t: 53
-Aug 06 14:48:18 centos7.fenestros.loc portsentry[6513]: adminalert: PortSentry is now active and listening.
-Hint: Some lines were ellipsized, use -l to show in full.
-[root@centos7 ~]# ps aux | grep portsentry
-root      6511  0.0  0.0   6364   460 ?        Ss   14:48   0:00 /usr/sbin/portsentry -atcp
-root      6513  0.0  0.0   6364   460 ?        Ss   14:48   0:00 /usr/sbin/portsentry -audp
-root      6687  0.0  0.0 114692   972 pts/0    R+   14:48   0:00 grep --color=auto portsentry
-</code>
-Editez le fichier **/etc/portsentry/portsentry.ignore** en commentant la ligne contenant votre adresse IP :
 <code>
-[root@centos7 ~]# nl /etc/portsentry/portsentry.ignore
+root@debian12:~# apt install portsentry
-	# Put hosts in here you never want blocked. This includes the IP addresses
-	# of all local interfaces on the protected host (i.e virtual host, mult-home)
-	# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
-	#
-	# PortSentry can support full netmasks for networks as well. Format is:
-	#
-	# <IP Address>/<Netmask>
-	#
-	# Example:
-	#
-	# 192.168.2.0/24
-	# 192.168.0.0/16
-	# 192.168.2.1/32
-	# Etc.
-	#
-	# If you don't supply a netmask it is assumed to be 32 bits.
-	#
-	#
-	127.0.0.1/32
-	0.0.0.0
-	#########################################
-	# Do NOT edit below this line, if you   #
-	# do, your changes will be lost when    #
-	# portsentry is restarted via the       #
-	# initscript. Make all changes above    #
-	# this box.                             #
-	#########################################
-	# Exclude all local interfaces
-	#172.YY+20.0.3        <--------------------------------EDITEZ cette ligne
-	fe80::94b9:ef1e:8c65:97c6
-	127.0.0.1
-	::1
-	# Exclude the default gateway(s)
-	10.0.2.2
-	# Exclude the nameservers
-	10.0.2.3
-	# And last but not least...
-	0.0.0.0
 </code>
-**Sans** re-démarrez le service portsentry, lancez un scan des ports avec nmap :
+===3.2 - Configuration===
-<code>
+Modifiez le fichier **/etc/portsentry/portsentry.conf** en mofifiant les lignes 135, 135 et 213 et en ajoutant la ligne **270** :
-[root@centos7 ~]# nmap -sC 172.YY+20.0.3
-Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-06 14:52 CEST
-^C
-You have new mail in /var/spool/mail/root
-</code>
-<WRAP center round important 50%>
-**Important** - Notez l'utilisation de la combinaison de touches <key>C</key><key>c</key> pour arrêter nmap.
-</WRAP>
-Consultez les règles d'iptables :
 <code>
-[root@centos7 ~]# iptables -L
+root@debian12:~# vi /etc/portsentry/portsentry.conf
-Chain INPUT (policy ACCEPT)
+...
-target     prot opt source               destination
+# 0 = Do not block UDP/TCP scans.
-DROP       all  --  15.2.0.10.rev.sfr.net  anywhere   <--------------------------------REGARDEZ cette ligne, elle sera différente en fonction de votre adresse IP
+# 1 = Block UDP/TCP scans.
-ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
+# 2 = Run external command only (KILL_RUN_CMD)
-ACCEPT     all  --  anywhere             anywhere
-INPUT_direct  all  --  anywhere             anywhere
+BLOCK_UDP="1"
-INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
+BLOCK_TCP="1"
-INPUT_ZONES  all  --  anywhere             anywhere
+...
-DROP       all  --  anywhere             anywhere             ctstate INVALID
+# iptables support for Linux with limit and LOG support. Logs only
-REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
+# a limited number of packets to avoid a denial of service attack.
+KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"
+...
+#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"
+# for examples see /usr/share/doc/portsentry/examples/
+KILL_RUN_CMD="/bin/mail -s 'Portscan from $TARGET$ on port $PORT$' root@localhost < /dev/null"
 ...
 </code>
-Dernièrement, consultez les messages destinés à root :
+===3.3 - Utilisation===
+Redémarrez le service **portsentry** :
 <code>
-[root@centos7 ~]# mail
+root@debian12:~# systemctl restart portsentry
-Heirloom Mail version 12.5 7/5/10.  Type ? for help.
-"/var/spool/mail/root": 6 messages 6 new
->N  1 trainee@centos7.fene  Sat Apr 30 12:38  16/688   "*** SECURITY information for centos7.fenestros.loc ***"
- N  2 user@localhost.fenes  Tue May  9 15:21 1238/86160 "[abrt] firefox: plugin-container killed by SIGSEGV"
- N  3 (Cron Daemon)         Sun Aug  6 11:28  25/1061  "Cron <root@centos7> /sbin/service portsentry restart >/dev/null && /sbin/ser"
- N  4 (Cron Daemon)         Sun Aug  6 14:27  26/1328  "Cron <root@centos7> /sbin/service portsentry restart >/dev/null && /sbin/ser"
- N  5 (Cron Daemon)         Sun Aug  6 14:43  25/1168  "Cron <root@centos7> /sbin/service portsentry restart >/dev/null && /sbin/ser"
- N  6 root                  Sun Aug  6 14:52  18/658   "Portscan from 10.0.2.15 on port 143"
-& 6
-Message  6:
-From root@centos7.fenestros.loc  Sun Aug  6 14:52:43 2017
-Return-Path: <root@centos7.fenestros.loc>
-X-Original-To: root@localhost
-Delivered-To: root@localhost.fenestros.loc
-Date: Sun, 06 Aug 2017 14:52:43 +0200
-To: root@localhost.fenestros.loc
-Subject: Portscan from 10.0.2.15 on port 143
-User-Agent: Heirloom mailx 12.5 7/5/10
-Content-Type: text/plain; charset=us-ascii
-From: root@centos7.fenestros.loc (root)
-Status: R
+root@debian12:~# systemctl status portsentry
+● portsentry.service - LSB: # start and stop portsentry
+     Loaded: loaded (/etc/init.d/portsentry; generated)
+     Active: active (running) since Thu 2025-12-04 16:10:22 CET; 2s ago
+       Docs: man:systemd-sysv-generator(8)
+    Process: 28347 ExecStart=/etc/init.d/portsentry start (code=exited, status=0/SUCCESS)
+      Tasks: 2 (limit: 19123)
+     Memory: 768.0K
+        CPU: 84ms
+     CGroup: /system.slice/portsentry.service
+             ├─28360 /usr/sbin/portsentry -tcp
+             └─28364 /usr/sbin/portsentry -udp
-& q
+Dec 04 16:10:22 debian12 portsentry[28364]: adminalert: Going into listen mode on UDP port: 34555
-Held 6 messages in /var/spool/mail/root
+Dec 04 16:10:22 debian12 portsentry[28364]: adminalert: Going into listen mode on UDP port: 31335
-You have mail in /var/spool/mail/root
+Dec 04 16:10:22 debian12 portsentry[28364]: adminalert: Going into listen mode on UDP port: 32770
-[root@centos7 ~]#
+Dec 04 16:10:22 debian12 portsentry[28364]: adminalert: Going into listen mode on UDP port: 32771
+Dec 04 16:10:22 debian12 portsentry[28364]: adminalert: Going into listen mode on UDP port: 32772
+Dec 04 16:10:22 debian12 portsentry[28364]: adminalert: Going into listen mode on UDP port: 32773
+Dec 04 16:10:22 debian12 portsentry[28364]: adminalert: Going into listen mode on UDP port: 32774
+Dec 04 16:10:22 debian12 portsentry[28364]: adminalert: Going into listen mode on UDP port: 31337
+Dec 04 16:10:22 debian12 portsentry[28364]: adminalert: Going into listen mode on UDP port: 54321
+Dec 04 16:10:22 debian12 portsentry[28364]: adminalert: PortSentry is now active and listening.
 </code>
-Pour nettoyer la règle, re-démarrez le service **firewalld** :
+Consultez les processus de Portsentry :
 <code>
-[root@centos7 ~]# systemctl restart firewalld
+root@debian12:~# ps aux | grep portsentry
-[root@centos7 ~]# iptables -L
+root       28360  0.0  0.0   2500   112 ?        Ss   16:10   0:00 /usr/sbin/portsentry -tcp
-Chain INPUT (policy ACCEPT)
+root       28364  0.0  0.0   2500   112 ?        Ss   16:10   0:00 /usr/sbin/portsentry -udp
-target     prot opt source               destination
+root       28369  0.0  0.0   6340  2160 pts/3    S+   16:10   0:00 grep portsentry
-ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
-ACCEPT     all  --  anywhere             anywhere
-INPUT_direct  all  --  anywhere             anywhere
-INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
-INPUT_ZONES  all  --  anywhere             anywhere
-DROP       all  --  anywhere             anywhere             ctstate INVALID
-REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
-...
 </code>
 -----
 Copyright © 2025 Hugh Norris.

Piste : • LDF400 - Administration de la Sécurité

Différences

Recherche

Imprimer/exporter

Menu