
Network Intrusion Detection and Prevention Systems (IDS/IPS)

Supervisor:
MSc L c Nhng
Students:
Bi Th Hnh
Phm Vn Lnh


01/07/2014 CNTT K12
Contents
I. Overview of IDS/IPS
1.1 Introduction to IDS/IPS
1.2 Classification of IDS/IPS and analysis of advantages and disadvantages
1.3 Operating mechanisms of IDS/IPS systems

II. Study of Snort as an IDS/IPS

I. Overview of IDS/IPS
1.1 Introduction to IDS/IPS
1.1.1 Definition

An intrusion detection system (IDS) is a system whose task is to monitor, detect and (possibly) prevent intrusions, as well as unauthorized exploitation of the protected system's resources, which could compromise the confidentiality, integrity and availability of that system.

When an IDS is able to block the intrusion attempts it detects, it can be called an intrusion prevention system, or IPS.


1.1.2 Differences between IDS and IPS
An IDS only has the function of detecting intrusions, based on pre-existing patterns (signatures).

An IPS additionally has the function of blocking the intrusions that the IDS has flagged as suspicious.

In practice, however, there is no clear-cut boundary between IDS and IPS. Some IDS products are designed with blocking as an optional feature, while some IPS products do not carry the full functionality of a prevention system in the strict sense. The operational difference matters: an IPS sits inline on the traffic path, so a false positive blocks legitimate traffic, whereas a passively deployed IDS only raises an alert.


1.2 Classification of IDS/IPS and analysis of advantages and disadvantages

Figure: types of IDS. NIDS (network-based), HIDS (host-based) and hybrid IDS; a HIDS may operate at the operating-system level or at the application level.
1.2.1 Network-based IDS (NIDS)

A NIDS uses the traffic of the whole network, together with audit data from one or several hosts, to detect intrusions.

Advantages of a NIDS:
- Low cost
- Detects attacks that a HIDS misses
- Harder for an attacker to erase its traces
- Detection and response in real time
- Highly independent of the monitored hosts

Disadvantages of a NIDS:
- Limited in switched networks (the sensor only sees the traffic of its own segment or span port)
- Performance limits as network throughput increases
- Difficulty handling attacks carried inside encrypted sessions
- Difficulty detecting attacks carried in fragmented packets
1.2.2 Host-based IDS (HIDS)

A HIDS uses audit data from a single host to detect intrusions.

A host-based IDS looks for signs of intrusion on the local host; it usually uses mechanisms that examine and analyze logged information. It looks for abnormal activity such as logins, inappropriate file access and unauthorized privilege escalation.

Advantages of a HIDS:
- Can determine the outcome of an attack
- Monitors the actual activity of the system
- Detects intrusions that a NIDS misses
- Copes well with switched and encrypted environments
- Requires no additional hardware

Disadvantages of a HIDS:
- Hard to administer
- The source information is not secure (an intruder on the host can tamper with the logs the HIDS reads)
- Host-based systems are relatively expensive
- Consumes resources of the monitored host
1.3 Operating mechanisms of IDS/IPS systems
1.3.1 The misuse-detection model

Misuse detection means detecting intruders who are trying to break into the system using a number of known techniques.

A misuse-detection system only checks against explicit patterns (signatures).

Figure: flow of misuse detection. begin -> does the current system action match an intrusion scenario? -> Yes: mitigate the damage -> end; No: end.

1.3.2 The anomaly-detection model
1.3.2.1 Static detection

Assumption: the monitored part of the system must never change.
The static part of the system consists of two sub-parts:
+ the system's code
+ the system's data
Both are represented as a binary bit string or as a set of strings. If this representation differs from the original form, then either an error has occurred or an intruder has modified it. In that case the static detector reports an integrity violation. To do this, the static detector takes a few fixed bit strings that define the expected state of the system, computes a representation of the current state (in practice a cryptographic hash of each protected object), and compares it against the stored reference representation. Any difference indicates either an error or a compromise.
1.3.2.2 Dynamic detection

The notion of system behaviour: a sequence of distinct events generated by the operating system, which defines which events are related.
The notion of a threshold: it separates legitimate use of resources from abnormal use.
If it is not certain whether a behaviour is abnormal, the system can rely on parameters established during the initialization (training) period that describe that behaviour. However, the boundary in this case is not sharp and can lead to false alarms.
Usually statistical classification and standard deviations are used to determine the boundary. If a behaviour falls outside it, an intrusion alert is raised.
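The threshold mechanism described above, as an added example that is not part of the original slides: a profile (mean and standard deviation) learned from a training window, then applied with a threshold of k standard deviations. The failed-login counts are constructed; the contrast between k = 3 and k = 1 shows how a tight boundary produces the false alarms the text warns about.

```python
"""Dynamic anomaly detector using a statistical profile (mean and standard
deviation) and a threshold of k standard deviations. Added example, not from
the slides; the counts below are constructed."""
import statistics


def build_profile(training):
    """Learn the expected behaviour during the initialization period."""
    return statistics.mean(training), statistics.stdev(training)


def z_score(x, profile):
    """Distance from the learned mean, in standard deviations."""
    mean, sd = profile
    if sd == 0:
        return 0.0 if x == mean else float("inf")
    return (x - mean) / sd


def detect(observations, profile, k=3.0):
    """Return (index, value, z) for every observation farther than k standard
    deviations from the learned mean; those fall outside the boundary."""
    return [(i, x, round(z_score(x, profile), 2))
            for i, x in enumerate(observations)
            if abs(z_score(x, profile)) > k]


# Constructed: failed logins per hour for one account during a quiet training window
TRAINING = [1, 2, 0, 1, 3, 2, 1, 0, 2, 1, 1, 2]
# Constructed: the hours under monitoring; hour 3 is a password-guessing burst
OBSERVED = [1, 2, 0, 40, 3, 2]
PROFILE = build_profile(TRAINING)


def flagged_hours(k):
    """Indices of observations that trip the threshold k."""
    return [i for i, _, _ in detect(OBSERVED, PROFILE, k)]


if __name__ == "__main__":
    for k in (3.0, 1.0):
        print("k=%.0f flags hours %s" % (k, flagged_hours(k)))
```

With k = 3 only the burst is reported; with k = 1 two ordinary hours (0 and 3 failed logins) are also flagged, which is the vague-boundary problem from the text. The profile must also be refreshed over time, or legitimate drift in usage becomes a steady stream of alerts.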

1.3.3 Comparison of the two models

Misuse detection:
- Consists of a database of attack signatures and a search for matching patterns.
- Effective at detecting known attack types and variants of known attack types.
- Cannot detect new attack types.
- Easier to configure, because it demands less data collection, analysis and updating.
- Draws its conclusions from pattern matching.
- Can raise an alert as a definite indicator, or supply supporting data for other indicators.

Anomaly detection:
- Consists of a database of normal actions and a search for deviations of actual actions from normal ones.
- Effective at detecting new attack types that a misuse-detection system misses.
- Harder to configure and produces more data; it requires a comprehensive notion of the known or expected behaviour of the system.
- Draws its results from statistical correlation between the actual and the expected behaviour of the system.
- Can support automatic generation of system information, but it needs time, and the collected data must be clean.
II. Applying Snort in IDS/IPS

1. Introduction to Snort
2. Architecture of Snort
3. Structure of Snort rules
4. Snort's blocking (inline) mode

1. Introduction to Snort

Snort is a NIDS developed by Martin Roesch under the open-source model. Although Snort is free, it has many excellent features that not every commercial product can offer.
Besides operating as an ordinary packet-capture (sniffer) application, Snort can be configured to run as a NIDS. Snort supports the following link-layer protocols: Ethernet, 802.11, Token Ring, FDDI, Cisco HDLC, SLIP, PPP, and OpenBSD's PF.
2. Architecture of Snort
Snort consists of several components, each with its own function.
The main components are:
- Packet decoder
- Preprocessor
- Detection engine
- Logging and alerting system
- Output module
Figure: architecture of the Snort system (diagram not reproduced).

2.1 Packet decoder
Snort uses the packet-capture library (libpcap) to capture every packet on the network that passes through the system, and decodes the link, network and transport headers for the later stages.

2.2 Preprocessor

The preprocessor is a very important module for any IDS: it prepares the packet data and hands it to the detection engine for analysis.
The three main tasks of modules of this kind are:
- Reassembling packets (IP fragments and TCP streams)
- Decoding and normalizing protocols (decode/normalize)
- Detecting anomalous intrusions that no rule covers (non-rule/anomaly)
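Why reassembly comes before matching, as an added example that is not Snort's own code: a signature split across two out-of-order fragments is invisible when each fragment is inspected alone, and only appears after the preprocessor has put the fragments back together. Fragments are constructed (offset, data) pairs with byte offsets, standing in for what the decoder would hand over.

```python
"""Fragment reassembly in the preprocessor, as an added example (not Snort's
own code). A fragment is a constructed (offset, data) pair with byte offsets."""

SIGNATURE = b"confidential"


def per_fragment_hits(fragments, needle=SIGNATURE):
    """Naive detection with no preprocessor: inspect each fragment alone."""
    return [off for off, data in fragments if needle in data]


def reassemble(fragments):
    """Order fragments by offset and concatenate them. Gaps are rejected, and
    overlapping bytes must agree. Real stacks resolve overlaps differently
    (first or last fragment wins), which is itself an evasion vector, so a
    preprocessor has to follow the policy of the host it protects; here any
    disagreement is treated as an error."""
    buf = bytearray()
    for off, data in sorted(fragments, key=lambda f: f[0]):
        if off > len(buf):
            raise ValueError("gap before offset %d" % off)
        overlap = min(len(buf) - off, len(data))
        if overlap and bytes(buf[off:off + overlap]) != data[:overlap]:
            raise ValueError("conflicting overlap at offset %d" % off)
        buf += data[overlap:]
    return bytes(buf)


def reassembled_hit(fragments, needle=SIGNATURE):
    """Detection after the preprocessor has reassembled the datagram."""
    return needle in reassemble(fragments)


# Constructed: the keyword is split across two fragments sent out of order
EVASIVE = [
    (15, b"ential report attached\n"),
    (0, b"subject: confid"),
]

if __name__ == "__main__":
    print("per-fragment:", per_fragment_hits(EVASIVE))   # nothing found
    print("reassembled:", reassembled_hit(EVASIVE))      # signature found
```

The same idea applies one layer up: a TCP stream preprocessor must reorder and merge segments before content rules see the data, otherwise splitting a payload across segments is enough to evade a rule.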
2.3 Detection engine

This is the most important module of Snort. It is responsible for detecting intrusion signatures. The detection engine applies predefined rules to the collected data to determine whether an intrusion has occurred. Only then can actions such as logging, generating alerts and exporting information take place.

The detection engine can also split a packet into parts and apply rules to each part. The parts may be:
- IP header
- Transport-layer header: TCP, UDP
- Application-layer header: DNS header, HTTP header, FTP header, ...
- Packet payload (rules can also be applied to the data carried by the packet)

2.4 Logging and alerting module

Depending on whether the detection engine has identified an intrusion, the packet may be logged or an alert raised. Logs can be written in several formats, for example as text or in tcpdump (pcap) format.

2.5 Output module
This module performs different operations depending on how you want the results stored.
Depending on the system configuration, it can:
- Write log files
- Write to syslog: syslog is a standard for storing log files, widely used on Unix and Linux systems
- Write alerts to a database
- Create XML log files: XML logs are convenient for exchanging and sharing data
- Reconfigure routers and firewalls
- Send alerts in packets using the SNMP protocol; these SNMP packets go to an SNMP server, which allows IDS alerts to be managed centrally and more conveniently
- Send SMB (Server Message Block) messages to Windows computers

3. Snort's rule set

Structure of a Snort rule
Consider a simple example:
alert tcp 192.168.2.0/24 23 -> any any (content:"confidential"; msg:"Detected confidential";)
Every rule has two parts:
1. Rule header
2. Rule options

The header contains the action the rule performs when it detects an intrusion in a packet, as well as the criteria for applying the rule to the packet: protocol, source and destination addresses and ports, and direction.
The options part contains the alert message and information about which parts of the packet are used to generate the alert. The options hold the additional criteria for matching the rule against the packet. A rule can detect one or more probing or attack activities, and well-written rules can cover several intrusion signatures. In practice every rule also carries a unique sid option so that alerts can be traced back to the rule that raised them.
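The header/options split above, together with the signature matching of section 1.3.1 and the per-part rule application of section 2.3, as an added example that is not Snort's own code: a small parser for this rule syntax and a matcher that applies the parsed rule to decoded packet fields. Only action, protocol, CIDR/any addresses, port/any, direction, content, nocase, msg and sid are implemented; the packets are constructed dictionaries, and the sid value 1000001 is an assumed local rule number.

```python
"""Snort-style rule parsing and matching. Added example, not Snort's code;
it implements a subset of the rule language over constructed packets."""
import ipaddress
import re

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# key, optionally ':' and a quoted or bare value, terminated by ';'
OPTION = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(text):
    """Split a rule into its header fields and an ordered list of options."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("malformed rule: %r" % text)
    rule = m.groupdict()
    opts = []
    for key, value in OPTION.findall(rule.pop("opts")):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts.append((key, value))
    rule["opts"] = opts
    return rule


def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_ok(spec, port):
    return spec == "any" or int(spec) == port


def header_ok(rule, pkt):
    """Header criteria: protocol, addresses, ports, honouring the direction."""
    if rule["proto"] != pkt["proto"]:
        return False
    fwd = (addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
           and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->":
        return fwd
    rev = (addr_ok(rule["src"], pkt["dst"]) and port_ok(rule["sport"], pkt["dport"])
           and addr_ok(rule["dst"], pkt["src"]) and port_ok(rule["dport"], pkt["sport"]))
    return fwd or rev


def options_ok(rule, pkt):
    """Every content option must occur in the payload; a nocase option
    modifies the content immediately before it, as in Snort."""
    contents = []
    for key, value in rule["opts"]:
        if key == "content":
            contents.append([value.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    payload = pkt["payload"]
    for needle, nocase in contents:
        hay = payload.lower() if nocase else payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def run(rules, packets):
    """Return (sid, msg, src, dst) for each alert-action rule that matches."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and header_ok(rule, pkt) and options_ok(rule, pkt):
                opts = dict(rule["opts"])
                alerts.append((opts.get("sid"), opts.get("msg"), pkt["src"], pkt["dst"]))
    return alerts


# The slide's rule with the quoting Snort requires and an assumed local sid
RULES = [parse_rule(
    'alert tcp 192.168.2.0/24 23 -> any any '
    '(content:"confidential"; nocase; msg:"Detected confidential"; sid:1000001;)'
)]

# Constructed packets: telnet replies from inside the monitored subnet and elsewhere
PACKETS = [
    {"proto": "tcp", "src": "192.168.2.7", "sport": 23, "dst": "10.0.0.5", "dport": 51000,
     "payload": b"This document is CONFIDENTIAL. Do not distribute."},
    {"proto": "tcp", "src": "192.168.2.7", "sport": 23, "dst": "10.0.0.5", "dport": 51001,
     "payload": b"login: "},
    {"proto": "tcp", "src": "10.9.9.9", "sport": 23, "dst": "10.0.0.5", "dport": 51002,
     "payload": b"confidential"},   # right content, source outside the rule's network
    {"proto": "udp", "src": "192.168.2.7", "sport": 23, "dst": "10.0.0.5", "dport": 51003,
     "payload": b"confidential"},   # right content, wrong protocol
]

if __name__ == "__main__":
    for alert in run(RULES, PACKETS):
        print(alert)
```

Only the first packet raises an alert: the other three each fail one criterion, which is the point of the header/options split, since the cheap header checks discard most traffic before the payload is searched. The nocase modifier matters in this case because the constructed payload carries the word in upper case; without it the original rule would miss it.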

The end!
