曾经有一段时间，很多人发私信咨询我，说自己手机、电脑、微信、QQ等被监控了，并且他还信誓旦旦的说，下载了各种终端杀毒软件，都无法解除监控，并且也无法取证，报警了也没用，我对此表示相当同情，可能他遇到了非常厉害的黑客，绕过了所有杀毒软件，思量再三，我给出的解决方案是基于流量侧的行为检查，如果流量侧也没用异常，那么大概率是幻想，毕竟云网端安全三驾马车，都给你安排了两驾了，实在是没折了～ailx10网络安全优秀回答者网络安全硕士去咨询一、安装依赖包sudo apt updatesudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev二、安装snort3 daq（用于网络流量采集）

git clone https://github.com/snort3/libdaq.git./bootstrap./configuresudo makesudo make install三、安装snort3 (大约30分钟)git clone https://github.com/snort3/snort3.gitsudo ./configure_cmake.sh --prefix=/usr/localcd build/sudo makesudo make installsudo ldconfig四、网卡开启混杂模式（可以抓到局域网所有通信）sudo ip link set dev eth0 promisc on五、下载snort3 社区规则wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gzsudo mkdir /var/log/snortsudo mkdir /usr/local/etc/rulessudo tar xzf snort3-community-rules.tar.gz -C /usr/local/etc/rules/六、修改snort3 默认配置文件/usr/local/etc/snort/snort.luaHOME_NET = '192.168.0.1/24'EXTERNAL_NET = '!$HOME_NET'ips.include = '/usr/local/etc/rules/snort3-community-rules/snort3-community.rules',七、检验snort3 初始配置注意：如果是32位系统，这里会报错snort -c /usr/local/etc/snort/snort.luasort3 安装成功八、新增测试规则文件 /usr/local/etc/rules/local.rulesalert icmp any any -> $HOME_NET any (msg:"[警告]检测到 ICMP connection 请及时处理"; sid:1000001; rev:1;)九、启动snort3 验证效果检测到另外2台主机之间存在ICMP通信，咱们的snort3就会告警sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i eth0 -A alert_fast -s 65535 -k none发布于 2022-11-05 17:34・IP 属地江苏