Intrusion Detection and Prevention System with Snort and IPTables

CHAPTER 1: OVERVIEW OF INTRUSION DETECTION AND PREVENTION SYSTEMS

Intrusion detection systems appeared about 25 years ago and have become very useful for protecting networks and computer systems, because they raise alerts when there are signs of an intrusion into the system. IDS systems still have many limitations: they produce false alerts and need someone to monitor them. The next generation of IDS is the IPS, which appeared in 2004, is becoming very popular and is gradually replacing IDS systems. An IPS includes the detection mechanism, raises alerts, and can also block attack activity by working together with a firewall.

1.1. INTRUSION DETECTION SYSTEMS

1.1.1. Concept

An intrusion detection system (IDS) is a hardware device, a piece of software, or a combination of both that monitors, tracks and collects information from many different sources, then analyses it to find signs of an intrusion or attack on the system and notifies the system administrator. Stated generally, an IDS is a system that detects signs of harm to the confidentiality, integrity and availability of a computer system or network, and it forms the basis for assuring the security of the system.

1.1.2. Intrusion detection

Intrusion detection is the set of techniques and methods used to detect suspicious behaviour at both the network and the host level. Intrusion detection systems fall into two basic classes:
- systems that detect known intrusion signatures;
- systems that detect anomalous behaviour.

Attackers leave signatures, just as viruses do, that can be detected with software: the packet data is examined for any known intrusion signature or anomaly, based on a set of signatures or rules.

Văn Đình Quân-0021 Page 1

The detection system can find and record this suspicious activity and raise alerts. An anomaly-based IDS usually relies on protocol header fields of the packet that are judged abnormal; in some cases these methods give better results than a signature-based IDS. Typically the IDS captures packets on the network and compares them against its rules to find abnormal signs in the packets.

1.1.3. IDS policy

Before installing an IDS on a system, there must be a policy for detecting attackers and for handling attack activity once it is detected, and that policy must be enforced in some way. The policy should contain the following parts (more can be added according to the requirements of each system):
- Who will monitor the IDS? Depending on the IDS, there may be an alerting mechanism that provides information about attack actions. These alerts may be in simple text form or in a more complex form, and they may be integrated into a centralised network management system such as HP OpenView or a MySQL database. An administrator must monitor intrusion activity, and the policies need someone who is responsible for them. Intrusion activity can be tracked and reported in real time using pop-up windows or a web interface. Administrators must understand the alerts and the security level of the system.
- Who will operate the IDS? Like all systems, an IDS needs regular maintenance.
- Who will handle incidents, and how? If incidents are not handled, the IDS is effectively useless. Reports can be generated and displayed at the end of each day, week or month.
- Updating signatures. Hackers constantly create new techniques for attacking systems, and the IDS detects these attacks based on attack signatures.
- Documentation is essential to the project. The IDS policy should describe, in documented form, what happens when attacks are detected. The documents may be simple logs or written text; some form of recording and storing documentation must be built. Reports are documents too.

1.1.4. Architecture of an intrusion detection system

The architecture of an IDS consists of the following main components: the packet collection component (information collection), the packet analysis component (detection) and the response component. Of these three, the packet analysis component is the most important and the sensor plays the decisive role, so it needs to be analysed in order to understand the architecture of an intrusion detection system better.

Figure 1-1. Architecture of an intrusion detection system

The sensor is integrated with the data collection component, the event generator. The way data is collected is determined by the event generation policy, which defines the filtering mode for event information. The event generator (operating system, network, application) provides a suitable set of policies for events; an event may be a record of system events or of network packets. These policies, together with the policy information, may be stored inside the protected system or outside it. The role of the sensor is to filter the information and discard data that does not fit, obtained from the events related to the protected system, so that suspicious actions can be detected. The analyser uses the detection policy database for this purpose. There are also further components: attack signatures, profiles of normal behaviour, and necessary parameters (for example, thresholds). In addition, the database holds the configuration parameters, including the modes of communication with the response module. The sensor also has its own database, holding stored data about potential complex violations (built up from many different actions).

An IDS can be arranged centrally (for example, integrated into the firewall) or distributed. A distributed IDS consists of many different IDSs on a large network, all of which communicate with one another. Many sophisticated systems follow the agent-structure principle, in which small modules are organised on each host in the protected network. The role of an agent is to check and filter all actions within the protected area and, depending on the method adopted, to perform initial analysis and even to take charge of the response action. The network of cooperating agents reporting to a central analysis server is one of the important components of the IDS. A DIDS can use more sophisticated analysis tools, in particular ones equipped to detect distributed attacks. Other roles of the agent concern its mobility and its roaming among physical locations. In addition, agents may be dedicated to detecting a particular known attack signature; this is a decisive factor when it comes to the duty of protecting against new kinds of attack. The multi-agent architecture solution proposed in 1994 is AAFID (Autonomous Agents for Intrusion Detection). It uses agents to check some aspect of system behaviour at some point in time. For example, an agent can report an abnormal number of telnet sessions inside the system it checks. The agent can raise an alert when it detects a suspicious event. Agents can be cloned and modified inside other systems (the autonomy feature). Besides the agents, the system may have transceivers that check all actions controlled by the agents on a particular host. The transceivers always send the results of their operations to a single monitor. The monitors receive information from the networks (not just from one host), which means they can correlate distributed information. In addition, some filters can be introduced to select and collect data.

Figure 1-2. The multi-agent architecture solution

1.1.5. Classification of intrusion detection systems

There are two basic classes: Network-based IDS and Host-based IDS.

1.1.5.1. Network-based IDS (NIDS)

A NIDS is an intrusion detection system that collects the data of packets travelling over transmission media (cables, wireless) using network interface cards. When a packet matches a rule of the system, an alert is generated to notify the administrator and log files are saved to the database.

a. Advantages of a NIDS
- It can manage a whole network segment.
- It is transparent to users and to attackers.
- It is simple to install and maintain and does not affect the network.
- It avoids service attacks against a specific host.
- It can identify errors at the network layer.
- It is independent of the operating system.

b. Limitations of a NIDS
- False alarms can occur, that is, the IDS alerts even though there is no abnormal sign.
- It cannot analyse encrypted traffic such as SSH, IPSec, SSL, etc.
- A NIDS must be kept up to date with the newest attack signatures to work effectively.
- It cannot tell whether an attack on the network succeeded or not, so that the administrator can carry out maintenance of the system.
- One of its limitations is bandwidth. The collectors must capture all network traffic, reorder it and analyse it. As network speed increases, so must the capacity of the collector. One solution is to make sure the network is designed correctly.

One way hackers try to hide their activity from IDS systems is packet fragmentation. Each protocol has a limited packet size; if the data sent over the network is larger than this size, the data is fragmented. Fragmentation is simply the process of splitting data into smaller pieces. The order in which fragments arrive does not matter as long as the data does not overlap, and the sensor has to reassemble them. Hackers try to prevent detection by sending many overlapping fragmented packets. A sensor that does not reorder and reassemble the packets correctly will fail to detect the intrusion activity.
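The fragmentation evasion just described is something a sensor has to handle in its reassembly stage. The following is an added example, not code from the thesis or from Snort: a minimal reassembler over constructed fragment records (byte offset, payload, more-fragments flag) that puts out-of-order fragments back together, reports gaps, and flags any overlap instead of silently choosing one fragment's bytes, since overlapping data is the evasion signal. The names Fragment, Reassembly, reassemble and classify and the sample fragment sets are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Fragment:
    offset: int      # byte offset of this piece within the original datagram
    payload: bytes
    more: bool       # True if more fragments follow (the IP "MF" bit)


@dataclass
class Reassembly:
    data: Optional[bytes]                  # full datagram, or None if incomplete or overlapping
    complete: bool                         # every byte up to the final fragment was seen
    overlaps: List[Tuple[int, int]] = field(default_factory=list)  # overlapping byte ranges
    gaps: List[Tuple[int, int]] = field(default_factory=list)      # missing byte ranges


def reassemble(frags: List[Fragment]) -> Reassembly:
    """Reorder fragments by offset and rebuild the datagram.

    Overlaps and gaps are recorded rather than resolved: a sensor should alert
    on overlap instead of guessing which copy the end host will keep.
    """
    if not frags:
        return Reassembly(None, False)
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    overlaps, gaps = [], []
    expected = 0                                   # next byte offset not yet seen
    for f in ordered:
        end = f.offset + len(f.payload)
        if f.offset < expected:
            overlaps.append((f.offset, min(end, expected)))
        elif f.offset > expected:
            gaps.append((expected, f.offset))
        if end > expected:
            buf += f.payload[max(0, expected - f.offset):]   # only bytes beyond what we have
            expected = end
    complete = (not ordered[-1].more) and not gaps
    data = bytes(buf) if complete and not overlaps else None
    return Reassembly(data, complete, overlaps, gaps)


def classify(frags: List[Fragment]) -> str:
    """Sensor verdict for one fragment set: 'ok', 'overlap' (possible evasion) or 'incomplete'."""
    r = reassemble(frags)
    if r.overlaps:
        return "overlap"
    return "ok" if r.complete else "incomplete"


# Constructed sample fragment sets (not captured traffic).
OUT_OF_ORDER = [Fragment(7, b"WORLD", False), Fragment(0, b"HELLO, ", True)]
OVERLAPPING = [Fragment(0, b"ABCDEFGH", True), Fragment(4, b"xxxxIJKL", False)]
MISSING_PIECE = [Fragment(0, b"ABCD", True), Fragment(8, b"IJKL", False)]

if __name__ == "__main__":
    for name, frags in [("out of order", OUT_OF_ORDER), ("overlapping", OVERLAPPING), ("gap", MISSING_PIECE)]:
        print(name, classify(frags), reassemble(frags))
```

The out-of-order set reassembles cleanly; the overlapping set is reported as an overlap with no datagram returned, which is the behaviour a sensor wants, because different end-host stacks keep different bytes in an overlap and the sensor cannot know which copy the victim will see.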

Figure 1-3. Network-based IDS

1.1.5.2. Host-based IDS (HIDS)

A HIDS is an intrusion detection system installed on individual computers (hosts). A HIDS can be installed on many kinds of server, on workstations or on notebooks. A HIDS can operate flexibly on network segments where a NIDS cannot. Traffic sent to the host is analysed and passed on to the host if it does not contain potentially dangerous code. A HIDS is more specific to application platforms and serves the operating system strongly. The main task of a HIDS is to monitor changes on the system. A HIDS monitors the following main items:
- processes;
- registry entries;
- CPU usage;
- integrity checks and access on system files;
- some other parameters.
When these parameters exceed a predefined threshold or change suspiciously on the system, an alert is raised.

a. Advantages of a HIDS
- It can identify the users on the system associated with an event.
- It can detect attacks taking place on a single machine, which a NIDS cannot.
- It can analyse encrypted data.
- It provides information about the host while an attack is taking place on it.

b. Limitations of a HIDS
- Information from a HIDS is no longer trustworthy once an attack on that host has succeeded; when the operating system is compromised, the HIDS loses its effect as well.
- A HIDS must be set up on every host that needs monitoring.
- A HIDS cannot detect network reconnaissance (Nmap, Netcat, etc.).
- A HIDS needs resources on the host to operate.
- A HIDS may not be effective when the host is under a denial-of-service (DoS) attack.
- Most are developed for the Windows operating system, although some run on Linux or Unix.
- Because a HIDS has to be installed on the servers, it causes difficulties for the administrator in upgrading versions, maintaining the software and configuring it, which takes a lot of time and is complicated.
- Usually the system can only analyse traffic that the server itself receives; against traffic aimed at a group of servers, or reconnaissance such as port scans, it is ineffective.
- If the server is compromised, the hacker can switch off the HIDS on that machine, and the HIDS is then disabled. Hence a HIDS must provide full alerting capability.
- In a heterogeneous environment this can become a problem if the HIDS has to be compatible with many operating systems. Choosing a HIDS is therefore also an important issue.

Figure 1-4. Host-based IDS

1.1.5.3. Comparison between NIDS and HIDS

Table 1-1. Comparison and assessment of NIDS and HIDS

Function | Assessment
Protection inside the LAN | Both protect while users are active inside the LAN
Protection outside the LAN | Only HIDS
Ease of administration | Equivalent in terms of general administration
Flexibility | HIDS is the more flexible system
Price | HIDS is the more economical system if the right product is chosen
Ease of adding to the system | Both are equivalent
Short-term training required | HIDS requires less training than NIDS
Total cost | HIDS costs less
LAN bandwidth required | NIDS uses a lot of LAN bandwidth, HIDS does not
Network overhead | NIDS makes two demands on network bandwidth for any LAN
Bandwidth required (Internet) | Both need Internet bandwidth to update signature files promptly
Port spanning (mirroring) requirements | NIDS requires port spanning to be enabled to make sure your LAN traffic is scanned
Client upgrade cycle | HIDS upgrades all clients with one central signature file
Adaptability across application platforms | NIDS is more adaptable across application platforms
Local registry scanning | Only HIDS can perform this kind of scan
Logging | Both systems have a logging function
Alerting | Both systems can alert individuals and administrators
PAN scanning | Only HIDS scans your personal network areas
Packet dropping | Only NIDS has this mechanism
Expert knowledge | Installing and using NIDS requires a lot of expert knowledge about the overall security of your network
Centralised management | NIDS has the advantage
Ability to disable risk factors | NIDS has more risk factors than HIDS
Upgradeability | Clearly software is easier to upgrade than hardware; HIDS can be upgraded through centralised scripts
Detection nodes across multiple LAN segments | HIDS can detect across multiple network segments more comprehensively

1.2. INTRUSION PREVENTION SYSTEMS

1.2.1. Concept

An intrusion prevention system (IPS) is a new security technique that combines the advantages of firewall technology and of the intrusion detection system (IDS). It can detect attacks and automatically block them. An IPS does not simply detect attacks; it can stop or obstruct them. It allows the organisation to prioritise and take steps to prevent attacks. Most IPS systems are placed at the network perimeter, where they can protect all devices in the network.

1.2.2. Architecture of an intrusion prevention system

An IPS consists of three main modules:
- the packet analysis module;
- the attack detection module;
- the response module.

1.2.2.1. Packet analysis module

This module is responsible for analysing the information structure of the packet. The NIC of the monitored computer is placed in promiscuous mode, so that every packet passing through it is copied and passed up to the layer above. The packet analyser reads each field of the packet and determines what kind of packet it is, which service it belongs to, which protocol it uses, and so on. This information is passed up to the attack detection module.

1.2.2.2. Attack detection module

This is the most important module of the intrusion detection system; it is the one able to detect attacks. There are several methods for detecting intrusion signatures or kinds of attack (signature-based IPS, anomaly-based IPS, etc.).

a. Misuse detection: This method analyses the activity of the system, looking for events that resemble known attack patterns. These attack patterns are called attack signatures, so the method is also called signature detection. Its advantage is that it detects attacks quickly and accurately, does not produce false alerts that reduce the network's capacity to operate, and helps the administrator identify security holes in the system. Its drawback is that it cannot detect attacks that are not in the database, that is, new kinds of attack, so the system must be constantly updated with new attack types.

b. Anomaly detection: This is an intelligent detection technique that recognises abnormal actions on the network. Its view of attacks is that they differ from normal activity. At first it stores profiles of the normal activity of the system; attacks involve actions that differ from the normal ones, and the method can recognise them. There are several techniques for detecting the abnormality of attacks.

- Threshold detection: This technique emphasises counting normal activity on the network. Thresholds for normal activity are set. If there is some abnormality, for example logging in to the system more than the permitted number of times, the number of processes running on the CPU, or one kind of packet being sent beyond the limit, the system considers it a sign of attack.
- Detection through self-learning: This technique has two steps. When the attack detection system is first set up, it runs in learning mode and builds a profile of how the network behaves under normal activity. After the initialisation period, the system runs in working mode, monitoring and detecting abnormal network activity by comparing it with the profile it built. Learning mode can run in parallel with working mode to update the profile, but if attack signs are detected, learning must stop until the attack is over.
- Protocol anomaly detection: This technique relies on the behaviour of the protocols and services of the system to find invalid packets and abnormal activity, which are signs of intrusion. It is very effective at stopping hackers' network scans and port scans used to gather information about the system.

The anomaly detection method is very effective at detecting denial-of-service (DoS) attacks. Its advantage is that it can detect new kinds of attack and provides useful information that complements misuse detection. Its drawback is that it often produces false alerts, which reduce the operating efficiency of the network.

1.2.2.3. Response module

When there are signs of an attack or intrusion, the attack detection module sends a signal indicating the attack or intrusion to the response module. The response module then activates the firewall to perform the function of blocking the attack. If this module only sends alerts to the administrators and stops there, the system is called a passive defence system. Depending on the system, the response module has different functions. Below are some blocking techniques:
- Terminate session: The mechanism here is that the IPS sends reset packets, re-establishing the connection to both client and server. As a result the conversation starts over, the hacker's goals are not achieved and the attack is stopped. However, this method has some drawbacks: the time for the reset packet to reach its destination is too long compared with the time the hacker's packet takes to reach the victim, so the reset arrives too late relative to the attack; the method does not work for protocols running over UDP, such as DNS; and the reset packet must carry the correct sequence number (relative to the previous packet from the client) before the server accepts it, so if the hacker sends packets quickly with a changing sequence number, this method is very hard to carry out.
- Drop attack: This technique uses the firewall to discard a packet or to block a single packet, a session or a flow of information between hacker and victim. This kind of response is the safest, but its drawback is that it can easily be confused with legitimate packets.
- Modify firewall policies: This technique allows the administrator to reconfigure the security policy when an attack occurs. The reconfiguration temporarily changes the access-control policies for particular users while the administrator is alerted.
- Real-time alerting: Sends real-time alerts to the administrator so that they know the details of the attacks, their characteristics and information about them.
- Log packet: The data of the packets is stored in the system's log files, so that administrators can follow the flows of information and so that it serves as a source of information that helps the attack detection module operate.

The three modules above operate in sequence to make up a complete IPS. An IPS is considered successful if it brings together these factors: fast and accurate operation, sensible notifications, the ability to analyse the entire throughput, maximal sensing, successful blocking and a flexible management policy. New kinds of attack are developing every day and threaten the safety of network systems. With its advantages, the IPS is gradually becoming indispensable in security systems.

1.2.3. Kinds of IPS deployed in practice

In practice two kinds of IPS are deployed: promiscuous mode IPS and inline IPS.

1.2.3.1. Promiscuous mode IPS

The IPS stands above the firewall, so the flow of data into the network passes through both the firewall and the IPS. The IPS can monitor the incoming data flow, analyse it and detect signs of intrusion or attack. In this position a promiscuous mode IPS can manage the firewall, instructing it to block suspicious actions.
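The three anomaly techniques described in 1.2.2.2 (threshold detection, self-learning with a profile, and the rule that learning pauses while an attack is in progress) can be shown on constructed data. The code below is an added example, not the thesis's own code: it applies a per-source failed-login threshold over a sliding window to constructed syslog-style lines, builds a per-host profile (mean and sample standard deviation of per-minute packet counts) from a learning phase, flags hosts that deviate by more than k standard deviations, and updates the profile only for hosts that did not alert. The log lines, host names, counts and function names are all constructed for this example.

```python
import re
import statistics
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed syslog-style lines (not real logs): a burst from one source, two isolated failures from another.
FAILED_LOGINS = [
    "10:00:01 sshd[2101]: Failed password for admin from 203.0.113.7",
    "10:00:03 sshd[2102]: Failed password for admin from 203.0.113.7",
    "10:00:04 sshd[2103]: Failed password for root from 203.0.113.7",
    "10:00:05 sshd[2104]: Failed password for root from 203.0.113.7",
    "10:00:06 sshd[2105]: Failed password for root from 203.0.113.7",
    "10:00:30 sshd[2106]: Failed password for alice from 192.0.2.20",
    "10:05:10 sshd[2107]: Failed password for alice from 192.0.2.20",
]
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) sshd\[\d+\]: Failed password for \S+ from (\S+)$")


def parse_failures(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (seconds since midnight, source ip) for each line that matches."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            h, mi, s, src = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), src))
    return events


def threshold_alerts(events, limit=5, window=60):
    """Threshold detection: one source producing `limit` failures within `window` seconds."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts = []
    for t, src in sorted(events):
        q = recent[src]
        q.append(t)
        while q[0] < t - window:           # drop failures that fell out of the window
            q.popleft()
        if len(q) >= limit:
            alerts.append((src, t))
            q.clear()                       # one alert per burst
    return alerts


def learn_profile(training: Dict[str, List[float]]) -> Dict[str, Tuple[float, float]]:
    """Learning mode: mean and sample standard deviation of per-minute packet counts per host."""
    return {host: (statistics.mean(v), statistics.stdev(v)) for host, v in training.items()}


def profile_alerts(profile, observed, k=3.0) -> List[str]:
    """Working mode: hosts whose current count exceeds mean + k * stdev."""
    return [h for h, v in observed.items()
            if h in profile and v > profile[h][0] + k * profile[h][1]]


def update_profile(training, observed, alerted):
    """Keep learning alongside detection, but skip hosts that alerted (learning pauses under attack)."""
    for h, v in observed.items():
        if h not in alerted:
            training.setdefault(h, []).append(v)
    return training


# Constructed per-minute packet counts from a learning period, and one observed interval.
TRAINING = {"web-01": [120, 130, 125, 118, 122], "mail-01": [40, 45, 38, 42, 41]}
OBSERVED = {"web-01": 128, "mail-01": 400}


def demo():
    t_alerts = threshold_alerts(parse_failures(FAILED_LOGINS))
    profile = learn_profile({h: list(v) for h, v in TRAINING.items()})
    p_alerts = profile_alerts(profile, OBSERVED)
    updated = update_profile({h: list(v) for h, v in TRAINING.items()}, OBSERVED, set(p_alerts))
    return t_alerts, p_alerts, updated


if __name__ == "__main__":
    print(demo())
```

The threshold part alerts once for the burst from 203.0.113.7 and stays silent for the two isolated failures; the profile part flags mail-01 at 400 packets per minute against a learned mean of about 41, and that interval is then excluded from the profile so the attack does not become the new normal, which is the reason the text gives for pausing learning.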

Figure 1-5. Promiscuous mode IPS

1.2.3.2. Inline mode IPS

The IPS is placed in front of the firewall, so the data flow has to pass through it before reaching the firewall. The main difference from a promiscuous mode IPS is the additional traffic-blocking function, which lets the IPS stop dangerous traffic faster than a promiscuous mode IPS can. However, placing it in this position slows down the flow of information into and out of the network. With the goal of preventing attacks, an IPS must operate in real time; the speed of the system is an extremely important factor. The intrusion detection process must be fast so that attacks can be stopped immediately. If this requirement is not met, the attacks will already have completed and the IPS becomes useless.

Figure 1-6. Inline mode IPS

1.2.4. Intrusion prevention technologies of an IPS

1.2.4.1. Signature-based IPS

Figure 1-7. Signature-based IPS

This approach creates rules tied to typical intrusion activity. Creating signatures requires the administrator to understand attack techniques and threats thoroughly and to know how to develop signatures that can detect attacks and threats against their system. A signature-based IPS monitors all traffic and compares it with the existing data, and issues alerts so that the administrator knows about the attack. To define an attack signature one must know the structure of the kind of attack; the signature-based IPS inspects the packet header or the payload of the data. A signature is a set of rules used to identify common intrusion activity. Research into techniques for finding attack signatures yields patterns and methods for writing attack signatures. As more attack and exploitation methods are discovered, vendors provide signature-file updates. With an updated signature file the IPS can analyse all traffic on the network, and if any signature matches the signature file, alerts are generated.

a. Benefits of using a signature-based IPS
- Signature files are built from known attack activity and methods, so if there is a match, the probability that an attack is occurring is very high. Misuse detection produces fewer false positive reports than anomaly detection. Signature-based detection does not track traffic patterns or search for anomalies; instead it simply tracks activity looking for a match against any signature that has been configured.
- Because misuse detection is based on signatures rather than traffic patterns, the IPS can be configured and can begin protecting the network immediately. The signatures in the database contain known intrusion activity and the descriptions of those signatures. Each signature in the database can be enabled or disabled, with different alert levels and different blocking actions configurable for individual signatures.
- Misuse detection is easier to understand and to configure than anomaly detection systems. The signature file can easily be viewed by the administrator, who can understand which action must be matched for an alert to be raised. The security administrator can enable signatures, then run a test across the whole network and see whether any alerts appear. Because misuse detection is easy to understand, to extend and to test, administrators gain great control over, and confidence in, their IPS.

b. Limitations of a signature-based IPS
Besides the advantages of the misuse detection mechanism, there are also many limitations. Misuse detection is easier to configure and understand, but this very simplicity comes at the price of lost functionality and overhead. The limitations are:
- No ability to detect new or unknown attacks: an IPS using misuse detection must know the attack activity in advance in order to recognise that attack. New forms of attack that have never been seen or discovered before usually go undetected.
- No ability to detect variations of known attacks: signature files are static, meaning they do not adapt the way some anomaly-based systems do. By changing the way an attack is carried out, an intruder can perform the intrusion without being detected (a false negative).
- Managing the signature database: the security administrator is responsible for keeping the database file updated and current, which is a time-consuming and difficult task.
- Sensors must maintain state information: like a firewall, a sensor must maintain data state. Most sensors keep state information in cache memory for speed, but the space is limited.

1.2.4.2. Anomaly-based IPS

Anomaly- or profile-based detection analyses the activity of the computer network and the network traffic looking for anomalies. When an anomaly is found, an alert is raised. An anomaly is any deviation or departure from the normal order, form or rules. Because this form of detection looks for anomalies, the security administrator must define what constitutes abnormal activity and traffic. The security administrator can define normal activity by creating user group profiles. A user group profile represents the boundaries of activity and network traffic for a given user group. User groups are defined by the security engineer and are used to represent common job functions. Typically, user groups should be divided by the activities and the resources that the group uses. A web server should have its profile based on web traffic, and likewise for a mail server: you certainly do not expect telnet traffic to your web server, nor do you want SSH traffic to the mail server. For this reason you should have many different profiles, one for each kind of service on your network. A variety of techniques are used to build user profiles, and many IPS systems can be configured to build their own profiles. Typical methods for building user group profiles are statistical sampling, rule-based methods and neural networks.

Each profile is used as the definition of normal users and network activity. If a user deviates too far from what is defined in the profile, the IPS generates an alert.

Figure 1-8. Anomaly-based IPS

a. Benefits of using an anomaly-based IPS
- With this method the intruder never knows when an alert will or will not be generated, because they have no access to the profiles used to detect attacks. User group profiles are much like a dynamic signature database that keeps changing as your network changes. With the signature-based method, an intruder can test on their own IPS what triggers an alert: the signature file is supplied with the IPS, so the intruder can use the IPS to run tests, and once they understand what generates an alert they can change their attack method and tools to defeat the IPS. Because anomaly detection does not use a preconfigured signature database, the intruder cannot know exactly what causes an alert.
- Anomaly detection can quickly detect an insider attack that uses a compromised user account. If the user account belongs to an administrative assistant and is being used to perform system administration, an IPS using anomaly detection will raise an alert, as long as that account is not normally used for system administration.
- The biggest advantage of profile- or anomaly-based detection is that it does not rely on a configured set of signatures or on known attacks; profiles can be dynamic and can use artificial intelligence to determine normal activity. Because profile-based detection does not rely on known signatures, it is well suited to detecting attacks that have never been seen before, as long as they deviate from the normal profile. Profile-based detection is used to detect new attack methods that signature detection cannot detect.

b. Limitations of using an anomaly-based IPS
Many limitations of the anomaly detection method have to do with creating the user group profiles, and with the quality of those profiles.
- High initial preparation time.
- No protection during the initial initialisation period.
- Profiles must be updated frequently as user habits change.
- Difficulty in defining normal behaviour: the IPS is only as good as its definition of which actions are normal. Defining normal activity is even more challenging in an environment where users' jobs or responsibilities change frequently.
- False alarms: anomaly-based systems tend to have many false positives because they look for anything unusual.
- Hard to understand: the final limitation of anomaly-based detection is its complexity. Statistical sampling, rule-based methods and neural networks are ways of building profiles that are very hard to understand and explain.

1.2.4.3. Policy-based IPS

Figure 1-9. Policy-based IPS

A policy-based IPS reacts or takes action when a violation of a configured policy occurs. A policy-based IPS therefore provides one or more methods with a common front end for prevention.

a. Benefits of using a policy-based IPS
- A policy can be set for each individual device in the network.
- One of the important features of a policy-based IPS is accurate and fast response, with very few false alerts. These benefits are achievable because the system administrator gives the IPS the security policies precisely: what each thing is, and whether or not it is allowed.

b. Limitations of using a policy-based IPS
- The administrator's workload is extremely heavy.
- When a new device is added to the network, it must be configured again.
- Remote administration is difficult.

1.2.4.4. Protocol analysis-based IPS

The protocol analysis solution (protocol analysis-based IPS) for intrusion prevention is similar to a signature-based IPS, but it goes deeper into analysing the protocols in the packet. For example, a hacker starts running an attack program against a server. First the hacker must send an IP packet with a protocol type that, according to the RFC, may carry no data in its payload. A protocol analysis-based IPS detects this basic kind of attack on a number of protocols. It:
- checks the capabilities of the protocol to determine whether the packet is legitimate;
- checks the contents of the payload (pattern matching);
- issues alerts about abnormal behaviour.

1.3. COMPARISON BETWEEN IDS AND IPS

At the most basic level, an IDS is fairly passive: it watches the packet data passing through the network from a monitoring port, compares this traffic against the configured rules and raises alerts if it detects any abnormal sign. An IDS can detect most kinds of malicious traffic that slip past the firewall, including denial-of-service attacks, data attacks on applications, unauthorised logins to servers, and malware such as viruses, Trojans and worms. Most IDS systems use several threat detection methods, usually based on intrusion signatures and stateful protocol analysis. The IDS saves log files to the database and sends alerts to the administrator. Because an IDS gives deep visibility into network activity, it helps identify problems with an organisation's security policy. The main problem with an IDS is that it often raises false alarms; accuracy in detecting abnormal signs must be maximised.

1.3.1. Advantages of an IPS

At the most basic level, an IPS has all the features of an IDS. In addition it blocks traffic flows that are harmful to the system. It can terminate the network connection of someone attempting to attack the system, by blocking the user account, the IP address or other attributes linked to the attacker, or by blocking all access to the server, service or application. An IPS can also respond to threats in two further ways: it can reconfigure other security controls such as routers or firewalls to stop the attack, and some IPSs even apply patches if the server has a vulnerability. In addition, some IPSs can remove malicious content from the attack, such as deleting attachments in a user's mail that contain content dangerous to the system.
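The protocol checks listed under 1.2.4.4 and the IPS response of blocking an IP address described in 1.3.1, as an added example (not the thesis's code and not a real IPS): TCP flag combinations that no legitimate connection ever produces are flagged on constructed packet records, and a source that produces several such packets gets a firewall DROP rule string generated for it. The rule uses the real `iptables -I INPUT -s <ip> -j DROP` form; the example only builds the string, applying it is left to the operator. The packet records, addresses and function names are constructed.

```python
from collections import Counter
from typing import Dict, List


def protocol_anomalies(pkt: dict) -> List[str]:
    """Return the protocol-conformance violations seen in one TCP packet record."""
    if pkt["proto"] != "tcp":
        return []
    flags = frozenset(pkt["flags"])
    reasons = []
    if not flags:
        reasons.append("tcp-null")             # no flags at all: never valid
    if {"SYN", "FIN"} <= flags:
        reasons.append("tcp-syn-fin")          # open and close in the same segment
    if {"SYN", "RST"} <= flags:
        reasons.append("tcp-syn-rst")
    if {"FIN", "PSH", "URG"} <= flags:
        reasons.append("tcp-xmas")
    if flags == {"FIN"}:
        reasons.append("tcp-fin-no-ack")       # FIN is always accompanied by ACK in a real session
    return reasons


def analyse(packets: List[dict]) -> List[dict]:
    """Detection step: one alert record per violation, carrying source and destination."""
    alerts = []
    for p in packets:
        for reason in protocol_anomalies(p):
            alerts.append({"src": p["src"], "dst": p["dst"], "reason": reason})
    return alerts


def plan_response(alerts: List[dict], threshold: int = 3) -> Dict[str, str]:
    """Response step: sources with at least `threshold` anomalous packets get a DROP rule."""
    counts = Counter(a["src"] for a in alerts)
    return {src: f"iptables -I INPUT -s {src} -j DROP"
            for src, n in counts.items() if n >= threshold}


# Constructed packet records (not captured traffic): one scanning source, one normal client.
PACKETS = [
    {"src": "203.0.113.50", "dst": "192.168.1.10", "proto": "tcp", "flags": set()},
    {"src": "203.0.113.50", "dst": "192.168.1.10", "proto": "tcp", "flags": {"SYN", "FIN"}},
    {"src": "203.0.113.50", "dst": "192.168.1.10", "proto": "tcp", "flags": {"FIN", "PSH", "URG"}},
    {"src": "203.0.113.50", "dst": "192.168.1.10", "proto": "tcp", "flags": {"FIN"}},
    {"src": "198.51.100.4", "dst": "192.168.1.10", "proto": "tcp", "flags": {"SYN"}},
    {"src": "198.51.100.4", "dst": "192.168.1.10", "proto": "tcp", "flags": {"ACK", "PSH"}},
    {"src": "198.51.100.4", "dst": "192.168.1.10", "proto": "udp", "flags": set()},
]

if __name__ == "__main__":
    found = analyse(PACKETS)
    for a in found:
        print(a)
    print(plan_response(found))
```

Requiring several anomalous packets before generating a block is the guard against the false-positive drawback the text attributes to dropping traffic: a single malformed segment from a buggy stack should not cut off a legitimate client.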

1.3.2. Two layers of protection

Because IDS and IPS are placed at different positions in the network, they should be used together. An IPS placed outside the network will block zero-day attacks such as viruses or worms; even the newest threats can be stopped. An IDS placed inside the network will monitor internal activity.

CHAPTER 2: SNORT AND IPTABLES ON THE LINUX OPERATING SYSTEM

Two common ways of protecting a network are the firewall and the intrusion detection system (IDS). However, they are not very effective when operating independently. Combining the Snort intrusion detection system (Snort_inline) with the iptables firewall of the Linux operating system is genuinely effective at detecting and blocking unauthorised attacks on the network. This chapter introduces the Snort intrusion detection system and the Linux iptables firewall, and how they are combined to build a complete IPS.

2.1. OVERVIEW OF SNORT

2.1.1. Introduction to Snort

Snort is an open-source intrusion prevention and intrusion detection system developed by Sourcefire. Combining the benefits of signature, protocol and anomaly inspection, Snort is an IDS/IPS technology deployed widely around the world. Snort is a modern security application with three main functions: it can serve as a packet sniffer, a packet logger, or a network intrusion detection system (NIDS). There are also many add-ons for Snort for management (logging, administration, rule creation). Although they are not part of Snort's core, these components play an important role in using and exploiting Snort's features. Normally Snort only speaks TCP/IP; with extensions it can be made to support other network protocols, such as Novell's IPX. TCP/IP is the common protocol of the Internet, so Snort mainly analyses and alerts on TCP/IP.

2.1.2. Requirements for a Snort system

2.1.2.1. Size of the network to be protected

Generally speaking, the larger the network, the better the machines (for example the Snort sensors) need to be. Snort must be able to keep up with the scale of the network, and it needs space to store alerts, fast processors and memory to handle the network traffic flows.

2.1.2.2. Computer hardware

Hardware requirements play an essential role in designing a good security system.

2.1.2.3. Operating system

Snort runs on many different operating systems, such as Linux, FreeBSD, NetBSD, OpenBSD and Windows. Other supported systems include the Sparc-Solaris architecture, MacOS X and MkLinux, and PA-RISC HP-UX.

2.1.2.4. Other supporting software

Beyond the base operating system, some basic tools help build Snort: autoconf and automake, gcc, lex and yacc or their GNU equivalents flex and bison, and libpcap. Some tools help manage Snort, such as the popular web-based Analysis Console for Intrusion Databases (ACID). Popular tools include ACID, Oinkmaster, SnortSnarf and SnortReport.

2.1.3. Position of Snort in the network

2.1.3.1. Between the router and the firewall

Figure 2-1. Snort sensor placed between the router and the firewall

2.1.3.2. In the DMZ

Figure 2-2. Snort sensor placed in the DMZ

2.1.3.3. Behind the firewall

Figure 2-3. Snort sensor placed behind the firewall


2.1.4. Components of Snort

Snort is logically divided into several components. These components work together to detect specific attacks and to produce the output required of a detection system. Snort consists of the following main components:
- Packet Decoder
- Preprocessors
- Detection Engine
- Logging and Alerting System
- Output Modules
Figure 2-4 shows how these components are arranged. Any data coming from the Internet enters the packet decoder. On its way to the output modules it is either dropped, logged, or an alert is generated for it.

Figure 2-4. Components of Snort

2.1.4.1. Packet Decoder
Packets enter through the network interfaces, which may be Ethernet, SLIP, PPP and so on, and are decoded by the packet decoder, which determines the protocol used for the packet and checks the data against the behaviour allowed by that protocol. The packet decoder can generate its own alerts based on protocol headers, over-long packets, unusual or incorrect TCP options set in the headers, and other behaviour. All of these alerts can be enabled or disabled in the snort.conf file.


After the data has been correctly decoded, it is sent to the preprocessor.

2.1.4.2. Preprocessor
Preprocessors are components or plug-ins that Snort can use to arrange or modify packets before the Detection Engine works with them. Some preprocessors also perform anomaly detection by looking into packet headers and generating alerts. Preprocessors are very important for any IDS, since they prepare the data and pass it to the Detection Engine. Preprocessors are also used to reassemble packets that were fragmented because of their size, and to decode encoded packets before they are handed to the Detection Engine.

2.1.4.3. Detection Engine
The Detection Engine is the most important part of Snort. Its responsibility is to detect any attack signature present in a packet by matching the rules against the information in the packet. If a packet matches a rule, the appropriate action is taken. The performance of this component depends on factors such as the number of rules, the configuration of the machine Snort runs on, the bus speed of the Snort machine, and the network load. The Detection Engine can dissect a packet and apply rules to its different parts, which may be:
- the IP header of the packet;
- the transport-layer header: TCP, UDP or other transport-layer headers; it can also work with the ICMP header;
- the application-layer header, including but not limited to the DNS, FTP, SNMP and SMTP headers;
- the packet payload: rules can be written so that the detection engine searches for a string inside the packet's data.


This component works in two different ways, depending on the Snort version.
- Version 1.x: packet handling was limited when a packet matched the signatures of several rules. The first rule applied won and the remaining rules were skipped even though the rules had different priorities, so a higher-priority rule could be ignored.
- Version 2.x: this shortcoming of 1.x is fully remedied by checking the packet against the whole rule set and then taking the rule with the highest priority to generate the alert.

Version 2.x is also much faster than 1.x because the 2.x version was recompiled.

2.1.4.4. Logging and Alerting System
When the detection engine detects attack signatures, it notifies the Logging and Alerting System. Logs and alerts can be stored as text or in other formats. By default they are stored in the directory /var/log/snort.

2.1.4.5. Output Modules
Snort's output modules depend on how we want to record logs and alerts. They can be configured to:
- save logs and alerts as text files or into a database;
- send SNMP information;
- send messages to the logging system;
- save logs and alerts into a database (MySQL, Oracle);
- generate XML output;
- modify the configuration of routers and firewalls;
- send SMB messages.


2.1.5. Snort's modes of operation

2.1.5.1. Sniffer mode
In this mode Snort works like an ordinary packet capture and analysis program. No configuration file is needed; the information Snort collects in this mode is:
- Date and time
- Source IP address
- Source port number
- Destination IP address
- Destination port
- Transport layer protocol used in this packet
- Time to live (TTL) value in this packet
- Type of service (TOS) value
- Packet ID
- Length of IP header
- IP payload
- Whether the Don't Fragment (DF) bit is set in the IP header
- Which TCP flags are on (for example A and P)
- TCP sequence number
- Acknowledgement number in the TCP header
- TCP window field
- TCP header length

2.1.5.2. Packet logger mode
When run in this mode, Snort collects every packet it sees and writes it to the log in a hierarchical structure. In other words, a new directory is created for each address it captures, and the data is stored in the directory of its address. Snort puts the packets into ASCII files whose names refer to the protocol and port. This layout makes it easy to see who is connecting to your network and which protocol and port they are using. Simply use

ls -R

to list the directories.

However, this hierarchy creates a lot of directories at peak times, so it is very hard to look through all these directories and files. If somebody runs a full scan of 65536 TCP ports and 65535 UDP ports, it will create 131000 or so files. Logging in binary format everything that Snort can read increases Snort's packet capture capability. Most systems can capture and log at 100 Mbps without any problem.

To log packets in binary mode, use the -b flag:

# snort -b -l /usr/local/log/Snort/temp.log

After capturing, the newly created file can be read back immediately with the -r flag; the display is the same as in sniffer mode:

# snort -r /usr/local/log/Snort/temp.log

Snort is not limited to reading binary files in sniffer mode. Snort can be run in NIDS mode with rules or filters set to find suspicious traffic.

2.1.5.3. NIDS mode
Snort is most often used as a NIDS. It is small, fast and effective, and applies rules to packets. When it detects an attack signature in a packet, it logs the packet and generates an alert. In this mode a configuration file must be specified for Snort to work. The alert information in this mode is:
- Fast mode: date and time, alert message, source and destination IP address, source and destination ports, type of packet.
- Full mode: the information of fast mode plus: TTL value, TOS value, length of packet header, length of packet, type of packet, code of packet, ID of packet, sequence number.

2.1.5.4. Inline mode
This is a modified version of Snort that allows packets handed over by the iptables firewall to be analysed, using new rule actions such as pass, drop and reject.
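The decoding described in section 2.1.4.1 and the fields listed for sniffer mode in section 2.1.5.1, as an added Python example that is not Snort's own code: a small IPv4/TCP header parser that pulls the same fields (addresses, TTL, TOS, IP ID, header lengths, DF bit, ports, sequence and acknowledgement numbers, window, flags) out of a constructed packet. The function names decode_ipv4_tcp, tcp_flag_string, decode_or_none and build_sample_packet, the sample addresses and ports, and the omission of link-layer framing are assumptions of this example.

```python
"""Added example, not Snort's own code: a minimal IPv4/TCP decoder standing in
for the Packet Decoder of section 2.1.4.1. It extracts the fields Snort prints
in sniffer mode (section 2.1.5.1). Link-layer framing is not handled; the
input starts at the IPv4 header. The sample packet is constructed."""
import struct

# Snort prints TCP flags positionally in the order 12UAPRSF, with '*' for a clear bit
FLAG_ORDER = [("1", 0x40), ("2", 0x80), ("U", 0x20), ("A", 0x10),
              ("P", 0x08), ("R", 0x04), ("S", 0x02), ("F", 0x01)]


def tcp_flag_string(flags: int) -> str:
    return "".join(name if flags & bit else "*" for name, bit in FLAG_ORDER)


def decode_ipv4_tcp(raw: bytes) -> dict:
    """Decode an IPv4 header and, for protocol 6, the TCP header that follows."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")   # the decoder's own sanity checks
    info = {
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "ttl": ttl, "tos": tos, "id": ident, "ip_hdr_len": ihl,
        "ip_payload_len": total_len - ihl,
        "df": bool(frag & 0x4000),            # Don't Fragment bit
        "proto": proto,
    }
    if proto != 6:                            # only TCP is decoded further here
        return info
    tcp = raw[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    thl = (off_flags >> 12) * 4               # data offset, in 32-bit words
    if thl < 20 or len(tcp) < thl:
        raise ValueError("malformed TCP header")
    info.update({
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "window": window, "tcp_hdr_len": thl,
        "flags": tcp_flag_string(off_flags & 0xFF),
        "payload": tcp[thl:],
    })
    return info


def decode_or_none(raw: bytes):
    """Report a malformed packet as None instead of raising."""
    try:
        return decode_ipv4_tcp(raw)
    except ValueError:
        return None


def build_sample_packet(payload: bytes = b"GET / HTTP/1.1\r\n") -> bytes:
    """Constructed sample: 192.168.1.10:40000 -> 10.0.0.5:80, flags A and P, DF set."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, 0x5018, 8192, 0, 0)
    return ip + tcp + payload


if __name__ == "__main__":
    for key, value in decode_ipv4_tcp(build_sample_packet()).items():
        print(f"{key:>15}: {value!r}")
```

The sanity checks on the version, header lengths and total length are the point of the example: a decoder that trusts the length fields it reads is exactly where over-long or truncated packets, which section 2.1.4.1 says the decoder alerts on, would otherwise turn into out-of-bounds reads.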


2.1.6. Preprocessors

2.1.6.1. Introduction
The preprocessor is one of the important components that make up a complete Snort system. Preprocessors are modules of compiled, fairly complex code intended to increase Snort's performance. Preprocessors not only check and examine common protocols but can also generate alerts, greatly reducing the load on the Detection Engine. Using and operating the preprocessors appropriately makes the IDS far more flexible, improves the recognition of suspicious packets, and improves the detection of attackers who use techniques to evade the IDS.

2.1.6.2. Model

Figure 2-5. Processing model of the preprocessor


2.1.6.3. Some common preprocessors

a. Frag3
An IDS works by matching rules against each individual packet. An attacker can therefore split a packet up (change the packet size) to fool this mechanism. Frag3 reassembles the pieces into a complete packet before passing it to the Detection Engine. Frag3 was introduced to replace Frag2 and has the following characteristics:
- It runs faster than Frag2 on complex data (about 250%).
- It has two memory-management mechanisms, for different environments.
- It uses anti-evasion technology (countering the attacker's ability to fool the IDS).
Frag2 used splay trees to manage the data structures of fragmented packets. This is an advanced algorithm, but it only suits data that changes little; in an environment where the data changes a lot, its performance is limited. Frag3 was created to solve these limitations and uses the sfxhash data structure to manage data in a highly fragmented environment. Target-based analysis is a new concept in NIDS. The idea is to rely on the actual target systems on the network rather than only on the protocols and the attack information they carry. If an attacker has more information about the target system than the IDS does, they can fool the IDS.

b. Stream5
Stream5 is a target-based module designed to help Snort resist attacks on the sensors that send many packets containing the same data as the rules, so as to make the IDS raise false alarms. Stream5 replaces the Stream4 and flow preprocessors. It can track both TCP and UDP sessions. Stream4 and Stream5 cannot be used at the same time, so when Stream5 is used the Stream4 and Flow configuration must be removed from the snort.conf configuration file. The characteristics of Stream5 are:


- Transport protocols: TCP sessions are defined by the TCP connection. UDP sessions are established as the result of a series of UDP packets sent at the same time on the same port.
- Target-based: Stream5 also introduces target-based actions that control overlapping data and other anomalies in TCP packets. The methods that control data overlap, the TCP Timestamp value, data in SYN and FIN, and the policies supported in Stream5 were studied on many different operating systems.
- Stream API: Stream5 fully supports the Stream API, which allows protocols or preprocessors to be configured dynamically at the request of an application-layer protocol, determines which sessions are ignored, and updates information about new sensors for later use.
- Rule options: Stream5 adds the stream_size option. This option lets rules match traffic by a predetermined number of bytes, as determined from the TCP sequence number. Format:

stream_size:<direction>,<operator>,<size>;

- Direction takes the following values: client (client-side data only), server (server-side data only), both (data from both sides), either (data from either side, client or server).
- Operator: =, <, >, !=, <=, >=.

Other preprocessors include: sfPortscan, RPC Decode, Performance Monitor, HTTP Inspect, SMTP Preprocessor, FTP/Telnet Preprocessor, SSH, DCE/RPC, SSL/TLS, ARP Spoof Preprocessor, DCE/RPC 2 Preprocessor.

2.1.7. Rule structure
One of Snort's most highly valued features is that it lets users write their own rules. Besides the large number of rules shipped with Snort, the administrator can use their own skills to develop their own rules instead of depending on outside agencies and organisations. So what is a rule? A rule is a set of criteria for selecting network traffic that fits a predefined pattern. A Snort rule is divided into two parts: the rule header and the rule options.

2.1.7.1. Rule header
The rule header contains the information that identifies a packet, as well as what to do with all of the attributes specified in the rule. The rule header consists of the following parts: rule action, protocol, IP addresses, port numbers and direction operator.

Figure 2-6. Structure of the rule header


a. Rule action
Tells Snort what to do when it finds a packet that matches the rule. Five actions are predefined in Snort:
- alert: generate an alert and log the packet.
- log: log the packet.
- pass: ignore the packet.
- activate: alert and then call another rule.
- dynamic: stay idle until activated by another rule.
When Snort runs in inline mode there are three more options: drop, reject and sdrop.
- drop: make iptables drop the packet and log the dropped packet.
- reject: make iptables drop the packet, log it, and send a rejection notice to the source host.
- sdrop: make iptables drop the packet without logging it and without notifying the source host.

b. Protocols
The next field of the rule is the protocol. Snort currently supports only four protocols: TCP, UDP, ICMP and IP. In the future other protocols such as ARP, IGRP, GRE, OSPF and RIP may be supported.

c. IP addresses
IP addresses are written in dotted-decimal form, xxx.xxx.xxx.xxx, with a CIDR block. Snort does not provide a mechanism for looking up the host name corresponding to an IP address. The CIDR block gives the network part of the address. The formats are:
- any: any IP address.
- Static: a single IP address.
- Class: a block of IP addresses.
- Negation: the negation of any of the forms above.

d. Port numbers
A port number can be specified as:
- any: any port.
- Static port: a single port, such as 80 (web), 21 (telnet), ...
- Range: a range of ports to which the rule applies.

e. Direction operator
Indicates the direction of the rule; there are two operators:
- ->: the rule applies to traffic originating from the IP address and port on the left.
- <>: the rule is bidirectional, which is convenient for analysing both sides of a conversation, such as telnet or POP3.

f. Activate/Dynamic rules
Activate/Dynamic rules give Snort powerful capabilities. One rule can trigger another when an action is performed on certain packets. This is very useful for making Snort log certain rules.

2.1.7.2. Rule options
These are the heart of Snort. There are four main categories of rule options: general, payload, non-payload and post-detection.

a. General options
Provide information about the rule but have no effect on packet detection.

msg: adds a character string to the log entry or alert. The message is written between double quotes. Format:

msg:"<message text>";

Example:

alert tcp 192.168.1.0/24 any -> any any (msg:"HTTP matched"; content:"HTTP"; offset:4;)
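The rule header of section 2.1.7.1, as an added Python example that is not Snort's own code: a parser for the header (action, protocol, source address and port, direction operator, destination address and port) and a matcher that applies it to a packet's 5-tuple, covering the any, single-address, CIDR and negated address forms, the any, single and range port forms, and both direction operators. It goes slightly beyond the text in also handling open-ended port ranges. The function names, the sample rules and the sample packets are assumptions of this example.

```python
"""Added example, not Snort's own code: parse and match the Snort rule header
of section 2.1.7.1. Address fields take any, a single address, a CIDR block or
a '!' negation; port fields take any, one port or a low:high range. Rules and
packets below are constructed for illustration."""
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")


def parse_rule_header(rule: str) -> dict:
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a rule header: {rule!r}")
    action, proto, src, sport, direction, dst, dport = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport}


def ip_matches(spec: str, addr: str) -> bool:
    if spec.startswith("!"):                    # negation: everything except the spec
        return not ip_matches(spec[1:], addr)
    if spec == "any":
        return True
    # a bare address becomes a /32 network; a CIDR block is used as given
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:                             # range; an open end means 0 or 65535
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _one_way(hdr: dict, src: str, sport: int, dst: str, dport: int) -> bool:
    return (ip_matches(hdr["src"], src) and port_matches(hdr["sport"], sport)
            and ip_matches(hdr["dst"], dst) and port_matches(hdr["dport"], dport))


def header_matches(hdr: dict, pkt: dict) -> bool:
    """pkt carries proto, src, sport, dst, dport; 'ip' rules match every protocol."""
    if hdr["proto"] != "ip" and hdr["proto"] != pkt["proto"]:
        return False
    if _one_way(hdr, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    # '<>' is bidirectional: the rule's left side may also be the packet's destination
    return hdr["direction"] == "<>" and _one_way(
        hdr, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def matching_actions(rules, pkt: dict) -> list:
    """Actions of every rule whose header matches, in rule order (Snort 2.x looks at
    all matching rules before deciding which event to report)."""
    return [hdr["action"] for hdr in map(parse_rule_header, rules)
            if header_matches(hdr, pkt)]


SAMPLE_RULES = [   # constructed rules; only the header part is interpreted here
    'alert tcp 192.168.1.0/24 any -> any 80 (msg:"LAN host talking to a web server";)',
    'drop tcp !192.168.1.0/24 any -> 192.168.1.10 21:23 (msg:"outside access to 21-23";)',
    'log tcp any any <> any 110 (msg:"POP3 traffic in either direction";)',
]

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "192.168.1.5", "sport": 40000,
           "dst": "10.0.0.5", "dport": 80}
    print(matching_actions(SAMPLE_RULES, pkt))
```

The bidirectional check is the part worth reading twice: a <> rule is tried as written first and then with the packet's source and destination swapped, which is why a single POP3 rule sees both the client's request and the server's reply.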

reference: this keyword allows references to external systems that identify attack types. It plays no role in the detection mechanism. There are many reference systems, such as CVE and Bugtraq, which keep information about known attack types.

Format:

reference:<id system>,<id>;

Example:

alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; reference:arachnids,IDS287; reference:bugtraq,1387; reference:cve,CAN-2000-1574;)

gid: this keyword identifies which part of Snort generates the event when a rule fires, which is useful for events coming from the preprocessor and decoder stages. If it is not defined in the rule it takes the value 1. To avoid conflicts with Snort's default rules, a value greater than 1,000,000 is recommended. The gid keyword is used together with the sid keyword. Format:

gid:<generator id>;

Example:

alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)

sid: this keyword uniquely identifies a Snort rule; it lets the output components identify rules more easily. This option should be used with the rev keyword. Format:

sid:<snort rules id>;

- id < 100: reserved for future use.
- 100 < id < 1,000,000: rules included with the distribution.
- id > 1,000,000: defined by the rule writer.

Example:

alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)

rev: this keyword gives the revision number of the rule. When a rule is updated, this keyword distinguishes the versions. Output modules can also use it to identify the revision. This option should be used with the sid keyword.

Format:

rev:<revision integer>;

Example:

alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)

classtype: this keyword classifies rules that detect different kinds of attacks. Format:

classtype:<class name>;

Example:

alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx overflow"; dsize:>128; classtype:attempted-admin; priority:10;)

priority: this keyword gives the priority of the rule. The classtype keyword sets a default priority, but if this value is set it overrides that default. Format:

priority:<priority integer>;

Example:

alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; content:"/cgi-bin/phf"; priority:10;)

metadata: lets the user embed additional information about the rule. Format:

metadata:key1 value1;
metadata:key1 value1, key2 value2;

Example:

alert tcp any any -> any 80 (msg:"Shared Library Rule Example"; metadata:engine shared, soid 3|12345;)

b. Payload detection rule options
Search for information in the payload of the packet. This category includes the keywords: content, nocase, rawbytes, depth, offset, distance, within, http_client_body, http_cookie, http_header, http_method, http_uri, fast_pattern, uricontent, urilen, isdataat, pcre, byte_test, byte_jump, ftpbounce, asn1, cvs.


content: content is a key keyword in Snort; it lets the user set up rules to find specific content in a packet. Choosing the data for the content value is fairly complex: it may contain text data or binary data. Format:

content:[!]"<content string>";

Example:

alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)

Or negated:

alert tcp any any -> any 80 (content:!"GET";)

nocase: this keyword is used together with the content keyword. It takes no argument; its purpose is to search for the given pattern without distinguishing upper- and lower-case characters. Format:

nocase;

Example:

alert tcp any any -> any 21 (msg:"FTP ROOT"; content:"USER root"; nocase;)

offset: offset is used together with the content keyword. With it, the search can start at a given position relative to the start of the packet. A number is used as the argument of this keyword. Format:

offset:<number>;

depth: depth is used together with the content keyword to set a limit on the pattern comparison. With it, a position relative to the start can be specified; data after that position is not searched. Using both the offset and depth keywords, a range of data in which to perform the pattern comparison can be defined. Format:

depth:<number>;

Example:

alert tcp any any -> any 80 (content:"cgi-bin/phf"; offset:4; depth:20;)

distance: the distance keyword is similar to offset; the difference is that offset gives the search position from the start of the payload, whereas distance counts from the position of the previous pattern. It is used together with the content keyword. Format:

distance:<byte count>;

Example:

alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;)

c. Non-payload detection rule options
Search for information in the non-payload part of the packet. The keywords are: fragoffset, ttl, tos, id, ipopts, fragbits, dsize, flags, flow, flowbits, seq, ack, window, itype, icode, icmp_id, icmp_seq, rpc, ip_proto, sameip, stream_size.

ttl: this keyword checks the TTL (time to live) field in the packet's IP header. It can be used with all protocols built on IP, such as ICMP, UDP and TCP. The ttl keyword can be used to check who is trying to traceroute the network.

tos: this keyword detects a specific value in the TOS (Type of Service) field of the IP header. Format:

tos:[!]<number>;


id: the id keyword checks the ID field of the IP packet header. Its purpose is to detect attacks that use a fixed ID. Format:

id:<number>;

dsize: the dsize keyword tests the length of the packet's data part. Many attacks exploit buffer vulnerabilities by sending large packets. This keyword finds packets whose data length is larger or smaller than a given number. Format:

dsize:[<>]<number>[<><number>];

flags: the flags keyword finds which flag bits are set in the packet's TCP header. The following bits can be checked:
- F - FIN
- S - SYN
- R - RST
- P - PSH
- A - ACK
- U - URG
- 1 - Reserved bit 1
- 2 - Reserved bit 2
- 0 - No TCP flags set
Some other modifiers can be used:
- + : match on the specified bits, plus any other bits
- * : match if any of the specified bits are set
- ! : match if the specified bits are not set
Format:

flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>];


Example:
alert tcp any any -> any any (flags:SF,12;)

d. Post-detection rule options
Take effect after a rule has been triggered; the keywords are: logto, session, resp, react, tag, activated_by, count.

2.2. THE IPTABLES FIREWALL IN THE LINUX OPERATING SYSTEM

2.2.1. Introduction to iptables
Iptables is a very powerful, free packet-filtering firewall application available on Linux (kernel 2.4 and later). Netfilter/iptables has two main parts: netfilter inside the kernel and iptables outside the kernel. Iptables is responsible for the interface with the user and with netfilter, pushing the user's rules into netfilter for processing. Netfilter filters packets at the IP level. Netfilter works directly inside the kernel, fast and without slowing the system down.

Figure 2-7. Netfilter/iptables

The predecessor of iptables was ipchains (kernel 2.2), and one of the important improvements in iptables is stateful packet filtering. Iptables also provides features such as NAT (Network Address Translation) and rate limiting, which is very effective against DoS.

2.2.2. How iptables works

2.2.2.1. Structure of iptables
Iptables is divided into four tables:
- The filter table is used to filter packets.
- The NAT table is used to handle packets that are source- or destination-NATed.


- The mangle table is used to change the parameters in IP packets.
- The conntrack table is used to track connections.
Each table has several chains. A chain consists of several rules that operate on packets. A rule can be:
- ACCEPT - accept the packet.
- DROP - drop the packet.
- REJECT - reject the packet.
- REFERENCE - refer to another chain.

2.2.2.2. Dynamic IP address translation (dynamic NAT)
Dynamic NAT is one of the NAT (Network Address Translation) techniques for converting IP addresses. Internal IP addresses are converted to NAT IP addresses as follows. The NAT router converts the internal range 192.168.0.x to the new range 203.162.2.x. When a packet with source IP 192.168.0.200 arrives at the router, the router changes the source IP to 203.162.2.200 and only then sends it out. This process is called SNAT (Source NAT). The router stores the data in a table called the dynamic NAT table. Conversely, when a packet arrives from outside with destination IP 203.162.2.200, the router uses the current dynamic NAT table to change the destination 203.162.2.200 to the new destination 192.168.0.200. This process is called DNAT (Destination NAT). Communication between 192.168.0.200 and 203.162.2.200 is completely transparent through the NAT router. The NAT router forwards packets from 192.168.0.200 to 203.162.2.200 and back.

2.2.2.3. IP masquerading
The NAT router converts the internal range 192.168.0.x to a single IP, 203.162.2.4, by using different port numbers. For example, when an IP packet with source 192.168.0.168:1204 and destination 211.200.51.15:80 arrives at the router, the router changes the source to 203.162.2.4:26314 and stores this in a table called the dynamic masquerade table. When a packet arrives from outside with source 211.200.51.15:80 and destination 203.162.2.4:26314, the router uses the current dynamic masquerade table to change the destination from 203.162.2.4:26314 to 192.168.0.168:1204. Communication between the machines in the LAN and machines outside is completely transparent through the router.


2.2.3. Packet processing
Every packet is checked by iptables using built-in sequential tables (queues). There are three of these:
- Mangle table: responsible for altering the quality-of-service bits in the TCP header. This table is typically used in SOHO (Small Office/Home Office) environments.
- Filter queue: responsible for packet filtering; it has three built-in chains used to implement the firewall policy rules:
  - FORWARD chain: allows packets from a source to pass through the firewall.
  - INPUT chain: allows packets coming into the firewall.
  - OUTPUT chain: allows packets going out of the firewall.
- NAT queue: performs NAT (Network Address Translation), with the following two built-in chains:
  - PREROUTING chain: NAT from outside into the internal network. NAT is performed before routing. This makes it convenient to change the destination address so that it fits the firewall's routing table; in the configuration the DNAT keyword describes this technique.
  - POSTROUTING chain: NAT from inside to outside. NAT is performed after routing. This process changes the source address of the packet. The technique is called one-to-one or many-to-one NAT, also known as Source NAT or SNAT.


Table 2-1. Queue types, chains and their functions

Queue type | Queue function | Chain | Chain function
Filter | Packet filtering | FORWARD | Filters packets going to servers connected on the firewall's other NICs.
Filter | Packet filtering | INPUT | Filters packets going to the firewall.
Filter | Packet filtering | OUTPUT | Filters packets leaving the firewall.
NAT | Network Address Translation | PREROUTING | The address change takes place before routing. Changing the destination address helps the packet fit the firewall's routing table. Uses destination NAT, or DNAT.
NAT | Network Address Translation | POSTROUTING | The address change takes place after routing. Uses source NAT, or SNAT.
NAT | Network Address Translation | OUTPUT | NAT for packets originating from the firewall. Rarely used in a SOHO (Small Office - Home Office) environment.
Mangle | TCP header modification | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD | Adjusts the quality-of-service bits before routing. Rarely used in a SOHO (Small Office - Home Office) environment.


Figure 2-8. Overview of management in iptables

Example: the path of a packet. First, the packet arrives at network A; next it is checked by the PREROUTING chain of the mangle table (if needed). Then it is checked by the PREROUTING chain of the nat table to see whether it needs DNAT; DNAT changes the packet's destination address. Then the packet is routed. If the packet is going to a protected network, it is filtered by the FORWARD chain of the filter table and, if needed, SNATed in the POSTROUTING chain to change its source IP before entering network B. If the packet is destined for the firewall itself, it is checked by the INPUT chain of the mangle table and, if it passes the checks of the INPUT chain of the filter table, it reaches the server programs inside the firewall. When the firewall needs to send data out, the packet is routed and passes through the checks of the OUTPUT chain of the mangle table (if needed), then the OUTPUT chain of the nat table to see whether DNAT (which changes the destination address) is needed, and the OUTPUT chain of the filter table checks the packet to catch packets that are not allowed to be sent. Finally, before the packet goes back out to the Internet, SNAT and QoS are checked in the POSTROUTING chain.
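The packet path just described, together with the chain structure of section 2.2.2.1 and the dynamic masquerade table of section 2.2.2.3, as one added Python example that is not netfilter or iptables code: a small model of a firewall in which a packet entering from outside or from the LAN passes nat PREROUTING (DNAT), the routing decision, filter INPUT or FORWARD, and nat POSTROUTING (SNAT or MASQUERADE), with LOG as a non-terminating target and user-defined chains reached by jumps. The mangle chains are left out. The class and function names, the interface names eth0 and eth1, the firewall addresses, the rule set and the outside hosts are assumptions of this example; the public address 203.162.2.4 and the first masqueraded port 26314 are the page's own example values.

```python
"""Added example, not netfilter/iptables code: a model of the packet path of
section 2.2.3 (nat PREROUTING -> routing decision -> filter INPUT or FORWARD
-> nat POSTROUTING) with the dynamic masquerade table of section 2.2.2.3.
Mangle chains are left out. Addresses, interfaces and rules are constructed."""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")
FIREWALL_IPS = {"203.162.2.4", "192.168.0.1"}   # assumed addresses of the firewall itself
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


class Firewall:
    def __init__(self):
        self.chains = {}        # (table, chain) -> list of (match, target, args)
        self.policy = {("filter", "INPUT"): "DROP", ("filter", "FORWARD"): "DROP",
                       ("filter", "OUTPUT"): "ACCEPT", ("nat", "PREROUTING"): "ACCEPT",
                       ("nat", "POSTROUTING"): "ACCEPT"}
        self.masq = {}          # (public ip, public port) -> (lan ip, lan port)
        self.next_port = 26314  # next source port handed out by MASQUERADE
        self.log = []           # what the LOG target would send to syslog

    def append(self, table, chain, match, target, **args):
        self.chains.setdefault((table, chain), []).append((match, target, args))

    def run_chain(self, table, chain, pkt):
        """Walk one chain; return a terminating verdict, or None if the chain ran out."""
        for match, target, args in self.chains.get((table, chain), []):
            if not match(pkt):
                continue
            if target == "LOG":                 # non-terminating: record and keep going
                self.log.append(f"{args.get('prefix', '')}{pkt['src']}:{pkt['sport']} -> "
                                f"{pkt['dst']}:{pkt['dport']}")
                continue
            if target == "DNAT":                # rewrite the destination, end of chain
                pkt["dst"], pkt["dport"] = args["to"]
                return "ACCEPT"
            if target == "SNAT":
                pkt["src"], pkt["sport"] = args["to"]
                return "ACCEPT"
            if target == "MASQUERADE":          # many-to-one SNAT with a port mapping table
                pkt["src"], pkt["sport"] = self.masquerade(pkt, args["via"])
                return "ACCEPT"
            if target in TERMINATING:
                return target
            verdict = self.run_chain(table, target, pkt)   # jump to a user-defined chain
            if verdict not in (None, "RETURN"):
                return verdict
        return None

    def masquerade(self, pkt, via_ip):
        private = (pkt["src"], pkt["sport"])
        for public, mapped in self.masq.items():   # reuse an existing mapping
            if mapped == private:
                return public
        public = (via_ip, self.next_port)
        self.next_port += 1
        self.masq[public] = private
        return public

    def verdict(self, table, chain, pkt):
        v = self.run_chain(table, chain, pkt)
        return self.policy[(table, chain)] if v in (None, "RETURN") else v

    def process(self, packet):
        """Return (verdict, packet as it would leave the firewall)."""
        pkt = dict(packet)
        pkt["state"] = "NEW"
        # Replies to masqueraded connections are un-translated by connection tracking
        # before any chain runs (the "dynamic masquerade table" of section 2.2.2.3).
        if pkt["in_iface"] == "eth0" and (pkt["dst"], pkt["dport"]) in self.masq:
            pkt["dst"], pkt["dport"] = self.masq[(pkt["dst"], pkt["dport"])]
            pkt["state"] = "ESTABLISHED"
        self.run_chain("nat", "PREROUTING", pkt)          # DNAT happens before routing
        if pkt["dst"] in FIREWALL_IPS:                     # routing decision: local delivery
            return self.verdict("filter", "INPUT", pkt), pkt
        v = self.verdict("filter", "FORWARD", pkt)
        if v == "ACCEPT":
            self.run_chain("nat", "POSTROUTING", pkt)     # SNAT/MASQUERADE after routing
        return v, pkt


def build_sample_firewall():
    """Constructed rule set: publish one internal web server, masquerade the LAN."""
    fw = Firewall()

    def in_lan(p):
        return ipaddress.ip_address(p["src"]) in LAN

    def to_lan(p):
        return ipaddress.ip_address(p["dst"]) in LAN

    fw.append("nat", "PREROUTING", lambda p: p["in_iface"] == "eth0" and p["proto"] == "tcp"
              and p["dst"] == "203.162.2.4" and p["dport"] == 80, "DNAT", to=("192.168.0.200", 80))
    fw.append("nat", "POSTROUTING", lambda p: in_lan(p) and not to_lan(p),
              "MASQUERADE", via="203.162.2.4")
    fw.append("filter", "FORWARD", in_lan, "ACCEPT")
    fw.append("filter", "FORWARD", lambda p: p["state"] == "ESTABLISHED", "ACCEPT")
    fw.append("filter", "FORWARD", lambda p: p["dst"] == "192.168.0.200" and p["dport"] == 80, "ACCEPT")
    fw.append("filter", "FORWARD", lambda p: True, "LOG", prefix="FORWARD-DROP: ")
    fw.append("filter", "INPUT", lambda p: in_lan(p) and p["dport"] == 22, "ACCEPT")
    fw.append("filter", "INPUT", lambda p: True, "LOG", prefix="INPUT-DROP: ")
    return fw
```

Two things the model makes visible that the prose only states: a LOG rule placed just before the chain's policy is what turns a silent DROP into a syslog line an operator can act on, and the reverse translation of replies happens before PREROUTING, which is why the FORWARD chain sees the reply with its real LAN destination and can accept it on the ESTABLISHED state alone.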


Figure 2-9. Path of a packet


2.2.4. Targets
A target is the action that takes place when a packet has been checked and matches some criterion. When a target is identified, the packet jumps to the next processing step. The following table lists the targets iptables uses.

Table 2-2. The targets iptables uses most

Target | Meaning | Options
ACCEPT | iptables stops processing the packet and passes it on to an end application or to the operating system for handling. | 
DROP | iptables stops processing the packet and the packet is blocked and discarded. | 
LOG | The packet's information is sent to syslog for inspection. iptables continues processing the packet with the next rule. | --log-prefix string: iptables prepends a user-supplied string to the log message, usually stating why the packet was dropped.
REJECT | Like DROP, but an error message is sent back to the sender saying that the packet was blocked and discarded. | --reject-with qualifier: the qualifier gives the type of error message returned to the sender. Qualifiers: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply.
DNAT | Used for Destination Network Address Translation; the packet's destination address is rewritten. | --to-destination ipaddress: iptables writes ipaddress into the destination address of the packet.
SNAT | Used for Source Network Address Translation; rewrites the packet's source address. | --to-source <address>[-<address>][:<port>-<port>]: describes the IP address and port that iptables will write.
MASQUERADE | Used for Source Network Address Translation. By default the source IP address is the same as the firewall's own source IP. | [--to-ports <port>[-<port>]]: specifies the range of source ports that the original source port may be mapped to.

2.2.5. Advantages and disadvantages of iptables

2.2.5.1. Advantages
Linux is widely acknowledged as a secure operating system platform that is rarely attacked, not only because of the architecture of the underlying kernel but also thanks to the protective layers above it. One of the most effective shields at the outermost layer is the well-known open-source firewall software iptables. The advantage of iptables is that it is part of the Linux 2.4 (and later) kernel. Iptables is a firewall configuration management tool. With it, you can create a set of objects describing your firewall, the hosts and subnets of your network, and then pull these objects into the rules that make up your firewall deployment. This is much easier than editing configuration files by hand, and it is open source. Iptables also:
- is a stateful firewall;
- filters packets based on MAC address and the flags in the TCP header;
- has better NAT;
- supports transparent integration with programs such as the Squid web proxy.
Another advantage of iptables is that it can limit the number of connections, which helps withstand attacks such as DoS (Denial of Service).

2.2.5.2. Disadvantages
The biggest disadvantage of iptables is that installing it and understanding its configuration is not easy at all. A firewall has to process a large amount of information, so the filtering can slow down users' connections. A firewall is only effective against people who are not skilled at bypassing firewalls; more knowledgeable users can easily get around it by using proxies that are not blocked.

2.3. COMBINING SNORT-INLINE AND IPTABLES

2.3.1. Snort-inline
Snort-inline is essentially a modified version of Snort that accepts packets from iptables and IPFW via libipq (Linux) or divert sockets (FreeBSD). It receives the packets sent from the netfilter firewall with the help of the libipq library, compares them with Snort's intrusion signatures, and drops them if they match a rule. Finally it sends them back to netfilter, where the packets snort-inline marked are dropped.

2.3.2. Snort-inline and iptables
Netfilter is a Linux kernel module available in kernel versions 2.4 and later. It provides three main functions:
- Packet filtering: accept or drop packets.
- NAT: change the source or destination IP address of packets.
- Packet mangling: modify packets.
Iptables is the tool needed to configure netfilter; it must be run as root. Then, if a packet matches an attack signature of Snort_inline, it is tagged via libipq and sent back to netfilter, where it is dropped. Snort_inline has two modes: drop mode and replace mode.

a. Drop mode: a packet is dropped when it matches an attack signature. There are three options in this mode:
- drop: drop the packet, send a reset to the host, and log the event.
- sdrop: drop the packet without sending a reset to the host.
- ignore: drop the packet, send a reset to the host, and do not log the event.


b. Replace mode: the packet is modified if it matches an attack signature.

Figure 2-10. Snort-inline and netfilter


CHAPTER 3. DEPLOYING AN IPS WITH SNORT-INLINE AND IPTABLES

In this chapter we deploy a real IPS using snort_inline and the Linux iptables firewall to block unauthorised activity against the network the IPS protects.

3.1. DEPLOYMENT MODEL

Figure 3-1. Deployment model of the IPS with snort-inline and iptables

3.1.1. Requirements

3.1.1.1. Server requirements
Install the Linux operating system, specifically CentOS. Install snort-inline and the supporting tools, and enable the system's iptables firewall to build an IPS. The server and the IPS system are installed on the same host; the server has the static IP address 192.168.2.2.

3.1.1.2. Attacker machine requirements
The machine attacking the system runs Linux BackTrack 4, an operating system that ships with a large number of security tools. It is configured with the static IP address 192.168.2.3.


3.2. INSTALLING SNORT

3.2.1. Installing the supporting packages
First install the following supporting packages: httpd, httpd-devel, mysql, mysql-server, mysql-devel, php, php-mysql, php-mbstring, php-mcrypt, iptables, iptables-devel, pcre, pcre-devel, libnet, gcc.

In a terminal, install them with:

root@localhost# yum install <package name>

3.2.2. Configuring MySQL and installing phpMyAdmin

3.2.2.1. Configuring MySQL

[root@localhost]# chkconfig --levels 235 mysqld on
[root@localhost]# /etc/init.d/mysqld start
[root@localhost]# mysqladmin -u root password mysqlpassword

3.2.2.2. Installing phpMyAdmin
phpMyAdmin is used to manage MySQL.

[root@localhost]# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
[root@localhost]# rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
[root@localhost]# yum install phpmyadmin
[root@localhost]# vi /etc/httpd/conf.d/phpmyadmin.conf

#
# Web application to manage MySQL
#
#<Directory "/usr/share/phpmyadmin">
#  Order Deny,Allow
#  Deny from all
#  Allow from 127.0.0.1
#</Directory>
Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /mysqladmin /usr/share/phpmyadmin

With the Directory block commented out as above, the three aliases are reachable from any host the web server accepts connections from; once the setup work is finished, the access restriction (Deny from all, Allow from 127.0.0.1) should be put back in force.


[root@localhost]# vi /usr/share/phpmyadmin/config.inc.php

Replace
$cfg['Servers'][$i]['auth_type'] = 'cookie';
with
$cfg['Servers'][$i]['auth_type'] = 'http';

3.2.3. Installing Snort_inline
Download snort_inline from the following address:
[root@localhost]# wget -O snort_inline-2.8.2.1-RC1.tar.gz http://sourceforge.net/projects/snortinline/files/snort_inline%20source%20%282.8.x%29/snort_inline2.8.2.1-RC1/snort_inline-2.8.2.1-RC1.tar.gz/download
[root@localhost]# tar xvfz snort_inline-2.8.2.1-RC1.tar.gz
[root@localhost]# mkdir /etc/snort_inline
[root@localhost]# mkdir /etc/snort_inline/rules/
[root@localhost]# cp snort_inline-2.8.2.1-RC1/etc/* /etc/snort_inline/
[root@localhost]# cp /root/snort_inline-2.8.2.1-RC1/etc/reference.config /etc/snort_inline/rules
[root@localhost]# cp /root/snort_inline-2.8.2.1-RC1/etc/classification.config /etc/snort_inline/rules
[root@localhost]# vi /etc/snort_inline/snort_inline.conf

Find the line
# var RULE_PATH /etc/snort_inline/drop-rules

and replace it with the following (the var line must be uncommented, otherwise the variable is ignored):
var RULE_PATH /etc/snort_inline/rules
output database: log, mysql, user=snort password=12345 dbname=snort host=localhost

Then build and install:
[root@localhost]# cd snort_inline-2.8.2.1-RC1
[root@localhost]# ./configure --with-mysql --enable-dynamicplugin
[root@localhost]# make && make install

This completes the installation. Copy the rules into the directory /etc/snort_inline/rules.

3.2.4. Installing and configuring ACIDBase to manage Snort
Make sure the following software is installed:
Snort_inline.
Apache.
PHP.
MySQL.
Adodb (download from http://sourceforge.net/projects/adodb/files/, then extract it and copy it into /var/www/html/).

Step 1: Create the database in mysql
Create a database named snort and create the following 6 tables in it: acid_event, acid_ag, acid_ag_alert, acid_ip_cache, base_roles, base_users. These tables come with the ACIDBase distribution.

Step 2: Edit the file base_conf.php
Path to the Base installation directory: $BASE_urlpath = '/base';
Path to the adodb directory: $DBlib_path = '/var/www/html/adodb';
Database type used: $DBtype = 'mysql';
Declare the database name, login account and password:

$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = '12345';

3.2.5. Creating a startup file so that Snort_inline starts with the operating system
Create a file named snortd in the directory /etc/init.d/ with the following content:

#!/bin/bash
#
# snort_inline

start() {
        # Start daemons.
        echo "Starting ip_queue module:"
        lsmod | grep ip_queue >/dev/null || /sbin/modprobe ip_queue;
        #
        echo "Starting iptables rules:"
        # iptables traffic sent to the QUEUE:
        # accept internal localhost connections
        iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        # send all the incoming, outgoing and forwarding traffic to the QUEUE
        iptables -A INPUT -j QUEUE
        iptables -A FORWARD -j QUEUE
        iptables -A OUTPUT -j QUEUE
        # Start Snort_inline
        echo "Starting snort_inline: "
        /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -D -v \
                -l /var/log/snort_inline
        # -Q -> process the queued traffic
        # -D -> run as a daemon
        # -v -> verbose
        # -l -> log path
        # -c -> config path
}

stop() {
        # Stop daemons.
        # Stop Snort_Inline
        #
        echo "Shutting down snort_inline: "
        killall snort_inline
        # Remove all the iptables rules and
        # set the default Netfilter policies to accept
        # (after this, traffic is no longer inspected and passes unfiltered)
        echo "Removing iptables rules:"
        iptables -F
        # -F -> flush iptables
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        # -P -> default policy
}

restart() {
        stop
        start
}

case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                restart
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart}"
                exit 1
esac

Then copy this file into the directory ./root/sbin/

3.2.6. Creating rules for Snort_inline
The rules are stored in /root/etc/snort_inline/rules. We create the following 2 rules:

Rule 1:
alert icmp any any -> 192.168.2.2/24 any (msg:"ping"; ttl:128; sid:1000001;)

This rule means that the system raises an alert whenever any host pings the server at the address 192.168.2.2. The value ttl=128 here is the default value of an icmp packet. ICMP has no port numbers, so both port fields are any, and the direction operator -> separates the source from the destination.


Rule 2:
drop icmp any any -> 192.168.1.9/24 any (msg:"Drop Ping"; ttl:100; sid:1000002;)

This rule means that the IPS cuts the connection to the server whenever any host pings it with icmp packets whose ttl value is 100.

3.3. DEMONSTRATION RESULTS
First we run only rule 1; from the hacker machine we ping the server address. The result is as follows:

Step 1: On the hacker machine

Figure 3-2. Pinging the server from the hacker machine with ttl=100
Result: we receive reply messages from the server.


Step 2: On the server
We open ACIDBase to view the records that were logged:

Figure 3-3. Log entries recorded at the server


Step 3: We run the ping command with the value ttl=100.

Figure 3-4. Pinging the server from the hacker machine
Result: The server does not reply; the hacker machine cannot connect to the IPS server.


Step 4: We open ACIDBase to view the log

Figure 3-5. Log entries recorded by the IPS
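To make the two rules of section 3.2.6 and the demo of section 3.3 concrete, here is an added example in Python (not from the thesis): a minimal evaluator for Snort-style ICMP rules that parses the rule header and the msg/ttl/sid options and returns the verdict for constructed ping packets from the hacker machine (192.168.2.3) to the server (192.168.2.2). It simplifies Snort by letting the first matching rule decide, and it shows that the 192.168.1.9/24 in rule 2 denotes the network 192.168.1.0/24, which does not contain 192.168.2.2.

```python
import ipaddress
import re

# Added example, not from the thesis: the two rules of section 3.2.6 in
# standard Snort syntax (direction operator, quoted msg, "any" ports for ICMP).
RULES = [
    'alert icmp any any -> 192.168.2.2/24 any (msg:"ping"; ttl:128; sid:1000001;)',
    'drop icmp any any -> 192.168.1.9/24 any (msg:"Drop Ping"; ttl:100; sid:1000002;)',
]
# Constructed packets mirroring the demo in 3.3: hacker 192.168.2.3 -> server 192.168.2.2
PING_TTL128 = {"proto": "icmp", "src": "192.168.2.3", "dst": "192.168.2.2", "ttl": 128}
PING_TTL100 = {"proto": "icmp", "src": "192.168.2.3", "dst": "192.168.2.2", "ttl": 100}

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split a rule into its header fields and an options dict (msg, ttl, sid, ...)."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, _sport, dst, _dport, body = m.groups()
    options = {}
    for opt in (o.strip() for o in body.split(";")):
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "dst": dst, "options": options}

def addr_matches(spec, ip):
    """'any' matches everything; a CIDR is a network, so 192.168.1.9/24 means 192.168.1.0/24."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    ttl = rule["options"].get("ttl")  # the only header option the two rules test
    return ttl is None or int(ttl) == pkt["ttl"]

def verdict(pkt, rules=RULES):
    """Return (action, sid) of the first matching rule, or ('pass', None).
    Simplification: Snort ranks all matching rules, but the two ttl tests here
    are mutually exclusive, so first-match gives the same answer."""
    for rule in map(parse_rule, rules):
        if rule_matches(rule, pkt):
            return rule["action"], rule["options"]["sid"]
    return "pass", None
```

Running verdict(PING_TTL100) gives ("pass", None): to reproduce the drop of step 3 against the server at 192.168.2.2, the destination in rule 2 must cover that address.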


CONCLUSION AND FUTURE WORK
CONCLUSION
On the theoretical side, the thesis has presented the most basic issues of intrusion detection systems and intrusion prevention systems. In addition, it has proposed a solution for building a practical IPS, which was deployed very effectively and was highly rated. An IPS was built successfully in practice and operates correctly according to the stated requirements. The limitation of the thesis is that the system was only deployed on a small network segment, so its full performance, and the problems an IPS will face when deployed in practice, could not be evaluated.

FUTURE WORK
Apply and deploy the IPS with Snort and iptables in practice to evaluate its full performance and the problems that will arise, and from there find remedies that improve the system further. Use Snort to build large IDS and IPS systems that can be placed at ISPs to limit network attacks against a large network. Build and develop a distributed IPS.

