snort 联动iptables 配置为IPS，NIDS

最新推荐文章于 2025-09-16 10:37:50 发布

原创

最新推荐文章于 2025-09-16 10:37:50 发布 · 4.2k 阅读

7 ·

CC 4.0 BY-SA版权

文章标签：

#ubuntu #iptables #网络 #snort #ips

本文介绍了在Ubuntu16.10上安装配置Snort2.9.9和iptables，将Snort设置为IPS的过程。内容包括禁用网络卡的LRO和GRO功能，安装依赖包，编译安装daq和snort，配置Snort为NIDS，修改配置文件，以及添加规则测试IPS功能，例如拦截百度访问。

一、环境准备
Ubuntu16.10，snort2.9.9，iptables1.6.0，daq-2.0.6

二、snort安装
首先关掉网卡的“Large Receive Offload” (lro) and “Generic Receive Offload” (gro).
看snort手册：

Some network cards have features named “Large Receive Offload” (lro) and “Generic Receive Offload” (gro). With these features enabled, the network card performs packet reassembly before they’re processed by the kernel. By default, Snort will truncate packets larger than the default snaplen of 1518 bytes. In addition, LRO and GRO may cause issues with Stream5 target-based reassembly. We recommend that you turn off LRO and GRO.

执行以下命令：

sudo vi /etc/network/interfaces

打开interfaces后加入下面两句：

post-up ethtool -K enp0s3 gro off
post-up ethtool -K enp0s3 lro off

根据自己的网卡名进行更改，关于网卡名的变更详见

Important note for people running Ubuntu 16: Begining with Ubuntu 15.10, network interfaces no longer follow the ethX standard (eth0, eth1, …). Instead, interfaces names are assigned as Predictable Network Interface Names. This means you need to check the names of your interfaces using ifconfig -a. In my case, what was originally eth0 is now ens160. If you are running Ubuntu 15.10, anywhere in this guide you see eth0, you will need to replace with your new interface name.

安装依赖包

sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-de

最低0.47元/天解锁文章