SNORT Intrusion Detection




Prerequisites

1. Confirm that the ISR4000 is running software version 3.16.1 or later
2. Download the Cisco-customized utdsnort OVA file: link
3. Detailed official manual (English): link


Installation

The router has a built-in virtualization platform that can run the SNORT intrusion detection software. Install it as follows:

1. Upload the Cisco-customized utdsnort OVA file to the router's flash (bootflash).

2. Enter the following install command

Router#virtual-service install name UTDIPS package iosxe-utd.16.03.01.SV2982.ova
Installing package 'bootflash:/iosxe-utd.16.03.01.SV2982.ova' for virtual-service 'UTDIPS'. Once the install has finished, the VM may be activated. Use 'show virtual-service list' for progress.

Router#
Sep  7 08:39:38.976: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL: SIP0: vman:  Package 'iosxe-utd.16.03.01.SV2982.ova' for service container 'UTDIPS' is 'Cisco signed', signing level cached on original install is 'Cisco signed'
Sep  7 08:39:40.437: %VIRT_SERVICE-5-INSTALL_STATE: Successfully installed virtual service UTDIPS
Sep  7 08:39:40.512: %ONEP_BASE-6-SS_ENABLED: ONEP: Service set Base was enabled by Default

When it finishes, enter show virtual-service list and confirm the package shows as Installed.

Device#show virtual-service list
Virtual Service List:

Name                    Status             Package Name                         
------------------------------------------------------------------------------      
UTDIPS                  Installed          iosxe-utd.16.03.01.SV2982.ova

3. Configure the SNORT ports (the VirtualPortGroup interfaces) and activate the virtual service

interface VirtualPortGroup0
 description Management Interface
 ip address 10.20.10.253 255.255.255.252
!
interface VirtualPortGroup1
 description Data Interface
 ip address 192.168.0.1 255.255.255.252
!
virtual-service UTDIPS
 vnic gateway VirtualPortGroup0
  guest ip address 10.20.10.254
 vnic gateway VirtualPortGroup1
  guest ip address 192.168.0.2
 activate

When that is done, enter show virtual-service list again and confirm the status is now Activated.

Device#sh virtual-service list 
Virtual Service List:

Name                    Status             Package Name                         
------------------------------------------------------------------------------
UTDIPS                  Activated          iosxe-utd.16.03.01.SV2982.ova

4. Configure the SNORT features and enable SNORT

Before configuring the signature-update server, make sure a DNS server is already configured on the router (for example: ip name-server 8.8.8.8), since the update server is resolved by name.

utd engine standard
 threat detection
 logging server 10.1.30.208 syslog level warning
 signature update server cisco username CCOuser password
utd
 engine standard

5. Apply the SNORT service on the interface

Interface gi0/0/0
 utd enable
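As an added example (not code from this page or from Cisco), the following Python check parses the VirtualPortGroup and virtual-service blocks from step 3 and verifies that every vnic gateway names a VirtualPortGroup that has an address, and that the guest IP is a host address inside that subnet other than the router's own (gateway) address, which is the usual reason a container never reaches its management or data network. The sample config is constructed from the values shown above; the function and helper names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the VirtualPortGroup / virtual-service blocks from step 3 above
SAMPLE_CONFIG = """\
interface VirtualPortGroup0
 ip address 10.20.10.253 255.255.255.252
!
interface VirtualPortGroup1
 ip address 192.168.0.1 255.255.255.252
!
virtual-service UTDIPS
 vnic gateway VirtualPortGroup0
  guest ip address 10.20.10.254
 vnic gateway VirtualPortGroup1
  guest ip address 192.168.0.2
 activate
"""

def lines_with_head(config):
    """Yield (top-level command, indented sub-command) pairs from IOS-style config."""
    head = ""
    for line in config.splitlines():
        if line and not line.startswith((" ", "!")):
            head = line.strip()
        elif line.strip() and not line.startswith("!"):
            yield head, line.strip()

def check_vnic_addressing(config):
    """Return a list of problems; empty means every vnic gateway/guest pair is usable:
    the gateway's VirtualPortGroup has an address and the guest IP is another host in it."""
    groups, problems, gw = {}, [], None
    for head, sub in lines_with_head(config):      # pass 1: VirtualPortGroup subnets
        a = re.match(r"ip address (\S+) (\S+)$", sub)
        if a and head.startswith("interface VirtualPortGroup"):
            groups[head.split()[1]] = ipaddress.ip_interface(f"{a.group(1)}/{a.group(2)}")
    for head, sub in lines_with_head(config):      # pass 2: each vnic of each service
        if not head.startswith("virtual-service "):
            continue
        g = re.match(r"vnic gateway (\S+)$", sub)
        ip = re.match(r"guest ip address (\S+)$", sub)
        if g:
            gw = g.group(1)
            if gw not in groups:
                problems.append(f"{head}: {gw} has no ip address configured")
        elif ip and gw in groups:
            guest, net = ipaddress.ip_address(ip.group(1)), groups[gw]
            if guest not in set(net.network.hosts()) - {net.ip}:
                problems.append(f"{head}: guest {guest} unusable on {net.network} via {gw}")
    return problems
```

Run check_vnic_addressing() over the output of show running-config before activating the service; an empty list means the vnic wiring matches the VirtualPortGroup addressing.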

Unless otherwise noted, the content of this page is licensed under the Creative Commons Attribution-ShareAlike 3.0 License