Supervisor: M.Sc. L c Nhng. Students: Bi Th Hnh, Phm Vn Lnh
01/07/2014 CNTT K12
Table of contents
I. Overview of IDS/IPS
1.1 Introduction to IDS/IPS
1.2 Classification of IDS/IPS and analysis of their advantages and disadvantages
1.3 Operating mechanism of IDS/IPS systems
II. Study of applying Snort as an IDS/IPS
I. Overview of IDS/IPS
1.1 Introduction to IDS/IPS
1.1.1 Definition
An intrusion detection system (IDS) is a system whose task is to monitor, detect and (possibly) prevent intrusions, as well as unauthorized exploitation of the resources of the protected system that could compromise its confidentiality, integrity and availability. When an IDS is able to block the intrusion threats it detects, it can be called an intrusion prevention system, or IPS.
1.1.2 The difference between IDS and IPS
An IDS only has the function of detecting intrusions, based on predefined patterns (signatures).
An IPS has the function of blocking the intrusions that the IDS has flagged as suspicious.
In practice, however, there is no sharp distinction between IDS and IPS. Some IDS products are designed with blocking capability as an optional function, while some IPS products do not carry the full functionality of a prevention system in the strict sense.
1.2 Classification of IDS/IPS and analysis of their advantages and disadvantages
[Figure: Types of IDS system: NIDS, HIDS, Hybrid IDS; the host-based branch is further split into operating-system level and application level.]
1.2.1 Network-based IDS (NIDS)
A NIDS uses data from the whole of the network traffic, together with audit data from one or more hosts, to detect intrusions.
Advantages of NIDS:
- Low cost.
- Detects attacks that a HIDS misses.
- Hard for an attacker to erase traces.
- Detection and response in a timely manner.
- High degree of independence from the monitored hosts.
Disadvantages of NIDS:
- Limited in switched networks.
- Limited performance.
- Increases network throughput demands.
- Has difficulty handling attacks inside an encrypted session.
- Has difficulty detecting network attacks carried in fragmented packets.
1.2.2 Host-based IDS (HIDS)
Uses audit data from a single host to detect intrusions.
A host-based IDS looks for signs of intrusion on a local host; it usually uses mechanisms that audit and analyse the host's log information. It looks for abnormal activities such as logins, inappropriate file access, and attempts to escalate to privileges that are not permitted.
Advantages of HIDS:
- Can determine the outcome of an attack.
- Can monitor the specific activities of the system.
- Detects intrusions that a NIDS misses.
- Adapts well to switched and encrypted environments.
- Requires no additional hardware.
Disadvantages of HIDS:
- Hard to administer.
- The source information (host logs) is itself not secure.
- Host-based systems are relatively expensive.
- Consumes system resources.
1.3 Operating mechanism of IDS/IPS systems
1.3.1 The misuse detection model
Misuse detection means detecting intruders who are trying to break into the system using a number of known techniques.
A misuse detection system only checks for explicit, predefined patterns.
[Flowchart of the misuse detection model: begin; is the current system action equal to an intrusion scenario? If yes (Đ), mitigate the damage, then end; if no (S), end.]
1.3.2 The anomaly detection model
1.3.2.1 Static detection
Assumption: the monitored part of the system must always remain unchanged. The static part of the system consists of two sub-parts:
+ the system code
+ the system data
These two pieces of information are represented as a binary bit string or as a set of strings. If this representation differs from the original form, then either an error has occurred or an intruder has modified it. At that point the static detector is notified so that it can check data integrity. To do this, the static detector derives a few fixed bit strings that define the desired state of the system, yielding a representation of that state. It then compares the representation of the state it obtains (at check time) with the stored representation. Any difference indicates an error or a compromise.
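The static detector described above is, in practice, a file integrity checker: hash the system's code and data once to record the desired state, then re-hash and compare. The following Python example is added here to illustrate that idea; it is not code from the slides or from any product. The monitored file names and their contents are constructed, and the whole run happens inside a temporary directory. SHA-256 digests stand in for the "fixed bit strings" of the text.

```python
import hashlib
import os
import tempfile

# Constructed "static part of the system": a few files standing in for
# system code and system data (hypothetical paths, not from the slides).
SYSTEM_FILES = {
    "bin/login": b"\x7fELF...constructed-login-binary-bytes",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "etc/hosts": b"127.0.0.1 localhost\n",
}

def hash_file(path):
    """Return the SHA-256 digest of a file: the fixed bit string that
    represents the file's expected state."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, rel_paths):
    """Record the desired state: one digest per monitored file."""
    return {p: hash_file(os.path.join(root, p)) for p in rel_paths}

def check_integrity(root, baseline):
    """Re-derive the current representation and compare it with the
    baseline. A difference is either an error or tampering; the static
    detector cannot tell which, so it reports every deviation."""
    findings = {}
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings[rel] = "missing"
        elif hash_file(full) != expected:
            findings[rel] = "modified"
    return findings

def write_files(root, files):
    """Materialise the constructed files under a temporary root."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

def demo():
    """Build a baseline, then simulate one modified file and one deleted
    file, and return what the static detector reports."""
    with tempfile.TemporaryDirectory() as root:
        write_files(root, SYSTEM_FILES)
        baseline = build_baseline(root, SYSTEM_FILES.keys())
        clean = check_integrity(root, baseline)      # expected: {}
        # Simulated deviation: an unexpected account line appended to
        # passwd, and the hosts file removed.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"extra:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        return clean, check_integrity(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the monitored system cannot rewrite (for example, offline or on read-only media), otherwise the same tampering that alters the file can also alter the recorded digest.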
1.3.2.2 Dynamic detection
The concept of system behaviour: a sequence of distinct events, generated by the operating system, that define the related events. The concept of a threshold distinguishes reasonable resource use from abnormal use. If it is not certain whether a behaviour is abnormal, the system can rely on parameters established during the initialisation phase that relate to that behaviour. However, the boundary in this case is not clear-cut, which can lead to false alarms. Statistical classification and standard deviations are commonly used to determine the boundary. If the behaviour lies outside it, an intrusion alert is raised.
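To make the statistical boundary concrete, here is an added Python example (not from the slides) that builds a profile from a constructed training series of failed logins per hour, sets the boundary at the mean plus k standard deviations, and flags observations that fall outside it. The second run with a tighter k shows the false-alarm effect the text warns about.

```python
import statistics

# Constructed training data: failed logins per hour observed during one
# "normal" day (24 samples). These are not real measurements.
TRAINING = [2, 3, 1, 0, 2, 4, 3, 2, 5, 3, 2, 4,
            3, 2, 1, 3, 4, 2, 3, 2, 1, 3, 2, 3]

def build_profile(samples):
    """Parameters established during the initialisation phase:
    the mean and sample standard deviation of observed behaviour."""
    return {"mean": statistics.mean(samples),
            "stdev": statistics.stdev(samples)}

def threshold(profile, k=3.0):
    """Boundary between reasonable and abnormal resource use:
    mean plus k standard deviations."""
    return profile["mean"] + k * profile["stdev"]

def classify(profile, observations, k=3.0):
    """Return (index, value) pairs for observations outside the boundary."""
    limit = threshold(profile, k)
    return [(i, v) for i, v in enumerate(observations) if v > limit]

# Constructed new observations: one hour with a burst of 40 failures.
OBSERVED = [2, 3, 40, 1, 4]

def demo(k=3.0):
    """Classify the constructed observations against the training profile."""
    return classify(build_profile(TRAINING), OBSERVED, k)

if __name__ == "__main__":
    print("k=3:", demo())        # only the burst of 40 is flagged
    print("k=1:", demo(k=1.0))   # a normal hour with 4 failures is flagged too
```

With the training data above the mean is 2.5 and the sample standard deviation is about 1.14, so at k=3 the boundary sits near 5.9 and only the burst is reported; at k=1 the boundary drops to about 3.6 and an ordinary hour with 4 failures becomes a false alarm. Choosing k is exactly the trade-off between missed intrusions and false alerts that the text describes.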
1.3.3 Comparison of the two models
Misuse detection:
- Consists of a database of attack signatures.
- Looks for matches against known patterns.
- Effective at detecting known attack types and variants of known attack types.
- Cannot detect new attack types.
- Easier to configure, because it demands less data collection, analysis and updating.
- Reaches its conclusion by pattern matching.
- Can trigger an alert message as a definite indicator, or provide supporting data for other indicators.
Anomaly detection:
- Consists of a database of normal actions.
- Looks for deviations of actual actions from normal actions.
- Effective at detecting new attack types that a misuse detection system misses.
- Harder to configure, because it produces more data and requires a comprehensive notion of the known or expected behaviour of the system.
- Reaches its result from statistical correlation between the actual behaviour and the expected behaviour of the system.
- Can support generating the system profile automatically, but this takes time and the collected data must be clean.
II. Applying Snort as an IDS/IPS
1. Introduction to Snort
2. Architecture of Snort
3. Structure of Snort rules
4. Snort's prevention (inline) mode
1. Introduction to Snort
Snort is a NIDS developed by Martin Roesch under an open-source model. Although Snort is free, it has many excellent features that not every commercial product can offer. Besides being able to operate as an ordinary packet capture application, Snort can also be configured to run as a NIDS. Snort supports operation over the following link layers: Ethernet, 802.11, Token Ring, FDDI, Cisco HDLC, SLIP, PPP, and PF on OpenBSD.
2. Architecture of Snort
Snort consists of several components, each with its own function. The main components are:
- Packet decoder module
- Preprocessor module
- Detection engine module
- Logging and alerting module
- Output module
[Figure: Snort system architecture model.]
Packet decoder module
Snort uses the pcap library to capture every packet on the network that passes through the system.
Preprocessor module
The preprocessor module is a very important module for any IDS, as it prepares the packet data that is passed to the detection module for analysis. The three main tasks of modules of this kind are:
- Reassembling packets (IP fragments and TCP streams).
- Decoding and normalising protocols (decode/normalize).
- Detecting abnormal intrusions that no rule covers (non-rule / anomaly detection).
Detection module
This is the most important module of Snort. It is responsible for detecting signs of intrusion. The detection module uses predefined rules that it compares with the collected data in order to determine whether an intrusion has occurred. Only then can it carry out further work such as logging, generating alerts and outputting information.
A detection module is also able to split a packet into its parts and apply rules to each individual part. These parts can be:
- The IP header.
- The transport-layer header: TCP, UDP.
- The application-layer header: DNS header, HTTP header, FTP header, ...
- The packet payload (you can also apply rules to the data carried in the packet).
Logging and alerting module
Depending on whether the detection module recognises an intrusion, the packet may be logged or an alert may be raised. The log files are text files whose data can be written in several different formats, for example the tcpdump format.
Output module
This module can perform different operations depending on how you want the output to be stored. Depending on the system configuration, it can do things such as:
- Write to a log file.
- Write to syslog: syslog is a standard for storing log files that is widely used on Unix and Linux systems.
- Write alerts to a database.
- Create XML log files: logging in XML is very convenient for exchanging and sharing data.
- Reconfigure routers and firewalls.
- Send alerts wrapped in packets using the SNMP protocol. These SNMP packets are sent to an SNMP server, which makes managing alerts and the IDS more centralised and convenient.
- Send SMB (Server Message Block) messages to Windows machines.
Snort rules
Structure of a Snort rule. Consider a simple example:

    alert tcp 192.168.2.0/24 23 -> any any (content:"confidential"; msg:"Detected confidential";)

We see that the structure of a rule always has two parts:
1. Rule header
2. Rule options
The header part holds information about the action the rule will take when it detects an intrusion in a packet, and it also holds the criteria for applying the rule to that packet. The options part holds an alert message and information about which parts of the packet are used to generate the alert. The options part also holds the additional criteria used to match the rule against the packet. One rule may detect one or several probing or attack activities. Well-written rules are able to cover several intrusion signatures.
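The following Python example is added here to show the rule structure just described and, at the same time, the misuse detection model of section 1.3.1 (current action compared against a known intrusion scenario). It is not Snort's code and not from the slides: it parses the example rule into its header and options, then runs a miniature detection engine over a few constructed packets (plain dictionaries, not real captures). Only the header fields and the content/msg options are supported; real Snort handles far more.

```python
import ipaddress
import re

# The example rule from the text, with the options quoted and terminated.
RULE = ('alert tcp 192.168.2.0/24 23 -> any any '
        '(content:"confidential"; msg:"Detected confidential";)')

# Header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(text):
    """Split a rule into its two parts: the header (action, protocol,
    addresses, ports, direction) and the options (keyword:value pairs)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    fields = ("action", "proto", "src", "sport", "dir", "dst", "dport")
    header = {k: m.group(k) for k in fields}
    options = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return header, options

def addr_matches(spec, ip):
    """'any' or CIDR membership."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def endpoints_match(header, pkt, swap=False):
    src, sport, dst, dport = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]
    if swap:
        src, sport, dst, dport = dst, dport, src, sport
    return (addr_matches(header["src"], src) and port_matches(header["sport"], sport)
            and addr_matches(header["dst"], dst) and port_matches(header["dport"], dport))

def rule_matches(rule, pkt):
    """Misuse detection in miniature: the packet matches the known scenario
    if its header satisfies the rule header (in the rule's direction; '<>'
    allows both) and its payload contains the content pattern."""
    header, options = rule
    if header["proto"] != pkt["proto"]:
        return False
    ok = endpoints_match(header, pkt)
    if not ok and header["dir"] == "<>":
        ok = endpoints_match(header, pkt, swap=True)
    if not ok:
        return False
    content = options.get("content")
    return content is None or content.encode() in pkt["payload"]

def run(rules, packets):
    """Return the alert messages raised over a list of packets."""
    return [rule[1].get("msg", "") for pkt in packets for rule in rules if rule_matches(rule, pkt)]

# Constructed packets (hypothetical addresses, not from the slides).
PACKETS = [
    {"proto": "tcp", "src": "192.168.2.10", "sport": 23, "dst": "10.0.0.5", "dport": 40000,
     "payload": b"this document is confidential\n"},            # matches
    {"proto": "tcp", "src": "192.168.3.10", "sport": 23, "dst": "10.0.0.5", "dport": 40000,
     "payload": b"this document is confidential\n"},            # source outside the /24
    {"proto": "tcp", "src": "192.168.2.10", "sport": 23, "dst": "10.0.0.5", "dport": 40000,
     "payload": b"login: "},                                     # payload without the pattern
    {"proto": "udp", "src": "192.168.2.10", "sport": 23, "dst": "10.0.0.5", "dport": 40000,
     "payload": b"confidential"},                                # wrong protocol
]

def demo():
    return run([parse_rule(RULE)], PACKETS)

if __name__ == "__main__":
    print(demo())
```

Note how the split mirrors the text: everything up to the opening parenthesis decides whether the rule is even considered for a packet (the header), and the keywords inside the parentheses decide what must additionally be true and what to report (the options). Because the match is a literal pattern, a packet that carries the same data in an encrypted session or spread over fragments that are not reassembled is not seen, which is the NIDS limitation listed in section 1.2.1.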