Phm Vn Tnh
10/1/2009
IDS Snort
Hong Tin Long Ng Trn Khnh Chu Nguyn Ngc Thm V H Tin Nguyn Minh Tin
Part I: IDS
Concept, classification. Architecture. Deployment.
Part II: Snort.
Introduction. Installation. Snort rules.
An IDS is a system (software, hardware, or a combination of both) that detects unauthorized intrusion into a network. It detects the actions of the stages of an attack (footprinting, scanning, sniffing), provides information to identify them, and raises alerts. The technique used in an IDS can be signature-based or anomaly-based, or a combination of both.
A HIDS (host-based IDS) is installed as an agent on a specific host. It analyzes the logs of the operating system or of applications, comparing events against a database to detect security violations and raise alerts. When a violation occurs, the HIDS records the actions, raises an alert, and may stop the action before it happens. A HIDS can be used for log monitoring (log monitors), integrity monitoring (integrity monitors), and kernel-level intrusion detection (kernel module).
A NIDS (network-based IDS) captures packets on the network and compares the collected data against a database to detect signs of attack. When an attack occurs, the NIDS logs the packets to a database, raises an alert, or hands the information to the firewall.
Network - NIDS
A NIDS sees the whole picture of the traffic flowing on the network (a NIDS is often regarded as a sniffer).
A NIDS detects potential attacks.
It is very hard to operate in switched, encrypted, or high-speed environments; outside those it works effectively.
IDS architecture (diagram components): Preprocessors, Detection engine, Sensor, Alert systems, Output logging systems.
A signature-based IDS needs an existing database of attack types in order to recognize attacks that may occur, based on some identifying pattern (signatures); new signatures must be kept updated. The IDS itself does not fight off attacks or stop the exploitation of a flaw; it only detects and raises alerts. Where in the network should the IDS be placed for the greatest effect?
Deployment diagram: Internet, Router, Firewall, IDS, Local Network.
The IDS deployment strategy depends on the security policy and the resources to be protected. More IDSs means the system becomes slower and maintenance costs rise.
Snort is a signature-based IDS. It runs on both Windows and Linux. Snort's rule sets are stored in text files; the rules are grouped into different categories, each category kept in its own file. These files are listed in the configuration file snort.conf. Snort reads the rules at startup and builds a data structure, or chains, to apply the rules to the captured data.
Snort ships with a rich set of predefined rules, but users can define and add new rules of their own or remove rules they do not need. Snort is a stateful IDS: it can reassemble and record attacks based on TCP segments. Snort can detect many kinds of intrusion, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
Snort can be installed in two modes, inline or passive. Inline: Snort is integrated with the firewall and triggers the firewall to block, drop, or take other action to stop the attack it detects. Passive: Snort only detects intrusions, logs them, and raises alerts.
To check whether a package is installed:
# rpm -qa | grep <package name>
To install missing packages:
# yum install <package name>
For .rpm packages:
# rpm -ivh <package>.rpm
Use wget <url> to download the install packages from a web site. For .tar.gz packages:
# tar xvzf <package>.tar.gz
# cd <package>
# ./configure [options]
# make && make install
Apache is installed by default; check with:
# rpm -qa | grep http
httpd-manual-2.2.11-2.fc10.i386
httpd-tools-2.2.11-2.fc10.i386
httpunit-1.6.2-2.fc10.noarch
httpd-2.2.11-2.fc10.i386
mod_ssl-2.2.11-2.fc10.i386
PHP is installed by default as well; check with:
# rpm -qa | grep php
Also required are perl (installed by default), libpcap, and libnet. You should install these from source. Use wget <url>, for example:
# wget http://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.gz
Then install it like any other .tar.gz package.
The packages above are the minimum required. If any package is missing, use yum install <package name> to add it. Start Apache and MySQL:
# service httpd start
# service mysqld start
Download snort-2.8.x.x.tar.gz and snortrules-2.8.tar.gz from http://www.snort.org
Note: during the Snort build you will often hit an error about libipq.h. This error is related to iptables, because Snort is being compiled in inline mode. In that case install iptables-devel as well, restart the service, and it works.
# tar xvzf snort-2.8.5.1.tar.gz
# cd snort-2.8.5.1
# ./configure --with-mysql --enable-dynamic-plugin --enable-inline
# make
# make install
Use ./configure --help to see Snort's other build options.
Create the snort directory under /etc:
# mkdir /etc/snort
# mkdir /etc/snort/rules
Copy Snort's configuration files into the directory just created:
# cd /usr/local/snort-2.8.5.1/etc
# cp * /etc/snort
Extract snortrules-2.8.tar.gz:
# tar xvzf snortrules-2.8.tar.gz
# cd rules
# cp * /etc/snort/rules/
Create a symbolic link for snort:
# ln -s /usr/local/bin/snort /usr/sbin/snort
For snort to run as a service we need a user and a group for it:
# groupadd snort
# useradd -g snort snort
Create the log directory and give snort ownership of it and permission to write to it:
# mkdir /var/log/snort
# chown -R snort:snort /var/log/snort
# chmod 775 /var/log/snort
Install the init script so snort starts at boot:
# cd /usr/local/snort-2.8.5.1/rpm/
# cp snortd /etc/init.d/
# cp snort.sysconfig /etc/sysconfig/snort
# chmod 755 /etc/init.d/snortd
# chkconfig --add snortd
# chkconfig snortd on
# mysql -u root
> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('241288');
> FLUSH PRIVILEGES;
> USE mysql;
> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'long';
> FLUSH PRIVILEGES;
> CREATE DATABASE snort;
> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO 'snort'@'localhost';
Load Snort's MySQL schema into the new database:
# cd /usr/local/snort-2.8.5.1/schemas/
# mysql -u root -p snort < create_mysql
Test:
# mysql -u root -p
> USE snort;
> SHOW TABLES;
# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz
# cp base-1.4.2.tar.gz /var/www/html/
# cd /var/www/html/
# tar -xzvf base-1.4.2.tar.gz
# cd base-1.4.2
# cp base_conf.php.dist base_conf.php
# vim base_conf.php
$DBlib_path = '/var/www/html/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'long';
Open http://127.0.0.1/base-1.4.2. Point to the path of the adodb library. Enter the values for the database that stores the logs: Database Name, Database Host, Database User, and Database Password, where the user and password are the credentials for accessing the database. Create BASE AG (create the database tables for BASE).
snort -A: sets the alert mode. Several modes are supported: fast, full, console, test, or none. Console mode prints to the screen and writes the log files. Fast mode is used on high-speed links.
snort -v: enables sniffer mode. Prints every captured packet to the console (showing the IP and TCP/UDP/ICMP headers). The network card must be in promiscuous mode.
snort -d: displays application-layer data.
snort -e: displays layer 2 header information.
snort -vde: the switches combine to display more data, including MAC and IP addresses. -vde gives the most information.
snort -l /var/log/snort: specifies the directory for the log files. Storage is hierarchical: each address gets its own directory, and everything related to that address is stored in it. Snort saves the packets as ASCII files, with file names built from the protocol and port number.
snort -b: logs packets in tcpdump format. Logging is very fast.
snort -c: config file; specifies which configuration file to use.
snort -D: runs Snort in the background.
snort -i: interface; specifies which interface Snort listens on.
snort -s: sends alert messages to syslog.
snort -T: tests and reports on Snort's current configuration.
snort -y: adds the year to the date and time in alert messages and log files.
Preprocessors receive a packet and process it before the rules are applied to it (input plug-in). Syntax:
preprocessor <preprocessor_name>[: <configuration_options>]
Examples:
preprocessor frag2
preprocessor stream4: detect_scans
Output modules are configured as:
output <output_module_name>[: <configuration_options>]
Example:
output database: alert, mysql, user=rr password=boota \
    dbname=snort host=localhost
Snort relies on rule sets to detect attacks. The rules are usually kept in snort.conf; several files can be used by adding the paths to those rule files to the main configuration file. Each rule is written on one line. One rule can detect several kinds of intrusion.
A rule has two parts: the rule header and the rule options. Rule header: contains the action the rule takes and the criteria for matching the rule against a packet. Rule options: contain the alert message and information about which part of the packet is used to generate the alert.
Rule header and rule options (diagram):
action protocol address port direction address port \
    (option1: <value1>; option2: <value2>; ...)
Action: defines the kind of action taken when a packet meets the conditions. Usually it is to generate an alert and log (alert, log). If Snort is installed in inline mode, drop can be chosen so that iptables discards the packet.
Protocol: Snort can analyze the protocols TCP, UDP, ICMP, and IP. Address: source and destination addresses; an address can be a single host, several hosts, or a network address. Direction: identifies which address and port are the source and which the destination (->, <-, <>). Port: used only for TCP and UDP, to identify the source and destination ports of the packets the rule applies to.
The options follow the rule header, enclosed in ( ), and are separated from one another by ;. An action is taken only when all options are satisfied. An option consists of a keyword and a parameter, separated by :. When there are several options they are ANDed together.
classtype: <name>; classifies the rule as a particular attack type. It works together with the file /etc/snort/classification.config, whose lines have the form
config classification: name,description,priority
Name is the name used for the classification; it is what the classtype keyword refers to when writing rules. Description: a short description of the classification. Priority: the default priority for the classification, which can be changed with the priority keyword in the rule options.
ack: <number>; often used to tell whether a port scan is under way. Only meaningful when the ACK flag in the TCP header is set.
msg: <message>; adds the string to the log and the alert. The message is written in "".
content: <straight text>; or content: <hex data>; finds the signature in the packet header.
offset: <value>; used with content to say where to start searching.
depth: <value>; used with content to set where the compared data ends, relative to the start position.
dsize: [<|>|=] <number>; tests the length of a packet (buffer overflow attacks).
rev: <revision integer>; gives the revision number of the rule.
priority: <value>; the priority keyword assigns a priority to a rule.
nocase: used together with content to match the content without regard to case.
See the attached file for the other options.
Rules are placed at the end of snort.conf. Many rules can be created using the variables defined in that file. A separate .rules file can be defined and referenced from snort.conf with include:
include $RULE_PATH/web-attacks.rules
A great many predefined rules are available in the directory /etc/snort/rules.
alert tcp 192.168.1.0/24 23 -> any any (content: "confidential"; msg: "Detect confidential";)
Captures packets coming from a source address in the network 192.168.1.0/24 with source port 23, going to any destination address and any destination port. It looks for a signature with the content confidential in the packet header. The protocol is tcp.
alert tcp any any -> 192.168.1.0/24 80 (flags: A; ack: 0; msg: "TCP ping detected";)
Detects someone using Nmap to scan ports: the packets sent have an ack field equal to 0 and are sent to port 80 over tcp. The flags keyword is used to look for the flags set in the packet's TCP header.
config classification: denial-of-service,Detection of a Denial of Service Attack,2
alert udp any any -> 192.168.1.0/24 6838 (msg: "Dos"; content: "server"; classtype: denial-of-service;)
alert udp any any -> 192.168.1.0/24 6838 (msg: "Dos"; content: "server"; classtype: denial-of-service; priority: 1;)
alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; depth: 40; msg: "HTTP matched";)
Looks for the word HTTP in the TCP header of packets, from position 4 to position 40. If it matches, the message HTTP matched is issued.
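Added example (not part of the slides, and not Snort's own code): a small Python model of how the rule pieces above fit together. It splits a rule into header fields and options, ANDs the payload options content/offset/depth/nocase/dsize against a constructed payload, and resolves a rule's priority from its classtype via the classification line. Only those payload options are evaluated; header fields and other options (flags, itype, sid, ...) are parsed but ignored. The rule strings are the ones quoted on these slides; the nocase on the DoS rule and the payloads are constructed.

```python
# Constructed sample data: the classification line and rules quoted on these slides.
CLASSIFICATION = "config classification: denial-of-service,Detection of a Denial of Service Attack,2"
HTTP_RULE = 'alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)'
DOS_RULE = 'alert udp any any -> 192.168.1.0/24 6838 (msg:"Dos"; content:"server"; nocase; classtype:denial-of-service;)'
SMURF_RULE = 'alert icmp $EXTERNAL_NET any -> 192.168.77.129 any (msg:"Demo smurf attack"; dsize:>32; itype:0; sid:1000010;)'

def parse_classification(line):
    """'config classification: name,description,priority' -> {name: default priority}."""
    name, _description, priority = line.split(":", 1)[1].split(",")
    return {name.strip(): int(priority)}

def parse_rule(rule):
    """Split one rule line into its header fields and an ordered list of (keyword, value)."""
    header, body = rule.split("(", 1)
    action, proto, src, sport, direction, dst, dport = header.split()
    options = []
    for item in body.rsplit(")", 1)[0].split(";"):  # options are ';'-separated keyword:value pairs
        if item.strip():
            key, _, val = item.partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def payload_matches(rule, payload):
    """AND the payload options together; offset/depth/nocase modify the content before them."""
    opts = rule["options"]
    for i, (key, val) in enumerate(opts):
        if key == "content":
            mods = {}
            for k, v in opts[i + 1:]:  # collect modifiers up to the next content keyword
                if k == "content":
                    break
                mods[k] = v
            start = int(mods.get("offset", 0))  # search window is [offset, offset + depth)
            window = payload[start:start + int(mods["depth"])] if "depth" in mods else payload[start:]
            needle = val.encode()
            if "nocase" in mods:
                window, needle = window.lower(), needle.lower()
            if needle not in window:
                return False
        elif key == "dsize":  # dsize:[<|>|=]<number> tests the payload length
            op, n, size = (val[0] if val[0] in "<>=" else ""), int(val.lstrip("<>=")), len(payload)
            if not {"<": size < n, ">": size > n}.get(op, size == n):
                return False
    return True

def effective_priority(rule, classes):
    """A priority option overrides the classtype's default taken from classification.config."""
    opts = dict(rule["options"])
    return int(opts["priority"]) if "priority" in opts else classes.get(opts.get("classtype"))
```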
alert icmp $EXTERNAL_NET any -> 192.168.77.129 any (msg:"Demo smurf attack"; dsize:>32; itype:0; icmp_seq:0; icmp_id:0; sid:1000010;)
alert ip $EXTERNAL_NET any -> 192.168.77.129 any (msg:"Demo DOS Jolt attack"; dsize:408; fragbits:M; sid:268; rev:4;)
alert udp $EXTERNAL_NET any -> 192.168.77.129 any (msg:"Demo DOS Teardrop attack"; fragbits:M; id:242; sid:270; rev:6;)