This experiment isn't finished; the logs chain one component into the next, which makes debugging a bit of a pain, so I'm writing down what I have.
For Snort 3, the Kali Linux 2026 release already ships version 3.12,
so it installs with apt install snort3 and there's no need to build from source.
Edit the Snort 3 config file
and add the rule settings and the alert output settings.
Create the directory the logs will go in:
mkdir -p /var/log/snort
Set its permissions to 775.
Test the config with snort -c /etc/snort/snort.lua -T
If no errors are reported, you can start it up for testing.
Run snort -c /etc/snort/snort.lua -i eth0 -A alert_json -l /var/log/snort/
Feed it some traffic with ping google.com; the test rule is an ICMP rule.
Look in /var/log/snort/ for the alert log.
Next, install the Alloy component so it ships the logs out.
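The "rule settings and alert settings" step above is only described in passing. As an added illustration that is not the post's own config, this is what the two relevant tables in /etc/snort/snort.lua look like when Snort 3 is set up to write the alert_json.txt file that the Alloy configs below tail; the rules path and the field list are assumptions, chosen to match the msg/priority/src_addr keys the later stage.json expressions reference.

```lua
-- Assumed illustration of the "rule settings and alert settings" step in
-- /etc/snort/snort.lua; not the post's own config. The rules path is a placeholder.
ips =
{
    -- local.rules holds the ICMP test rule exercised by ping, for example:
    -- alert icmp any any -> any any ( msg:"ICMP test rule"; sid:1000001; rev:1; )
    include = '/etc/snort/rules/local.rules',
    variables = default_variables,
}

-- With file = true, alert_json writes alert_json.txt under the directory
-- given with -l instead of printing to stdout.
-- 'fields' selects the JSON keys; msg, priority and src_addr are not in the
-- default set, and the Alloy stage.json expressions below depend on them.
alert_json =
{
    file = true,
    fields = 'timestamp pkt_num proto src_addr dst_addr rule priority msg action',
}
```

Run snort -c /etc/snort/snort.lua -T again after editing so that a typo in either table is caught before the live run.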
Install Grafana Alloy on Kali
wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | sudo tee /etc/apt/sources.list.d/grafana.list
sudo apt update && sudo apt install alloy
Edit the Alloy config file: sudo nano /etc/alloy/config.alloy
Monitor the Snort file on the local Kali host
-------------------------------------------------------------------------------------------------------
local.file_match "snort_files" {
  path_targets = [{
    __address__ = "localhost",
    __path__    = "/var/log/snort/alert_json.txt",
    job         = "snort", // changed to snort here, matching the term you searched for in Grafana earlier
  }]
}

loki.source.file "snort_reader" {
  targets    = local.file_match.snort_files.targets
  forward_to = [loki.process.debug_parser.receiver]
}

loki.process "debug_parser" {
  // A. No complex parsing yet; pass the whole line through as-is
  stage.json {
    expressions = {
      message = "msg",
    }
  }

  // B. Force static labels on by hand, which guarantees the labels show up
  stage.static_labels {
    values = {
      job       = "snort",
      test_flag = "alloy_direct",
    }
  }

  // C. Key point: the timestamp parsing is commented out.
  // Let Loki use the receive time, to rule out drops caused by a timestamp mismatch
  // (the "time travel" problem).
  // stage.timestamp { ... }

  forward_to = [loki.write.local_loki.receiver]
}

loki.write "local_loki" {
  endpoint {
    // Since you're using network_mode: host, localhost is the most reliable
    url = "http://localhost:3100/loki/api/v1/push"
  }
}
------------------------------------------------------------------------------------------------------
After saving, restart the service: sudo systemctl restart alloy
-------------------------------------------------------------------------------------------------------
Alloy, Loki and Grafana all run in containers.
The YAML file contents are as follows:
--------------------------------------------------------------------------------------------------------
services:
  # Loki: log database
  loki:
    image: grafana/loki:3.0
    ports:
      - "3100:3100"
    command: -config.file=/etc/loki/local-config.yaml
    restart: always

  # Grafana: visualization dashboards
  grafana:
    image: grafana/grafana:latest
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=admin # first login uses admin/admin
    restart: always

  # Alloy: collector (replaces the old Promtail)
  alloy:
    image: grafana/alloy:latest
    volumes:
      - ./config.alloy:/etc/alloy/config.alloy
      - /var/log/snort:/var/log/snort:ro # mount the Snort log path
    command: run --storage.path=/var/lib/alloy/data /etc/alloy/config.alloy
    ports:
      - "12345:12345" # Alloy UI
    restart: always
---------------------------------------------------------------------------------------------------------
config.alloy is below.
This file sits in the same directory as the YAML; the container reads it when it is created.
-----------------------------------------------------------------------------------------------------------
local.file_match "snort_logs" {
  // local.file_match only expands the __path__ key; a "filename" key would be kept as a plain label and no file would be tailed
  path_targets = [{"__address__" = "localhost", "__path__" = "/var/log/snort/alert_json.txt"}]
}

loki.source.file "snort_scraper" {
  targets    = local.file_match.snort_logs.targets
  forward_to = [loki.process.snort_json.receiver]
}

loki.process "snort_json" {
  stage.json {
    expressions = { "message" = "msg", "level" = "priority", "src" = "src_addr" }
  }
  forward_to = [loki.write.local_loki.receiver]
}

loki.write "local_loki" {
  endpoint {
    // inside the compose network the Loki service is reachable by its service name
    url = "http://loki:3100/loki/api/v1/push"
  }
}
-----------------------------------------------------------------------------------------------------------