
SNORT Network IDS: Installation, Configuration and Use

Information technology and the Internet bring us many advances. Computers not only help us process data, design products, manage customers and so on, but also offer moments of relaxation through many other utility programs. And there is no doubt that computers and their applications will keep bringing us many benefits and pleasures in life.

However, alongside this rapid development and these powerful capabilities, the problems of information systems give us no small number of headaches. Two sensitive issues, information security and software copyright, concern us more than any other, especially now that Vietnam has become the 150th member of the World Trade Organization (WTO): from that point on we must strictly follow the rules of the game in an environment full of potential and opportunity, but also full of risk if we do not strictly comply with regulations such as intellectual property law and software licensing. In addition, we need to strengthen information security so that data is not lost through security holes or through attacks by hackers, viruses and trojans. One of the solutions that best addresses this problem is to deploy an Intrusion Detection System (IDS). With an IDS, network administrators and system security specialists raise the level of information security on their computer networks: they know when the system is under attack or when someone is carrying out suspicious activity, and can respond quickly and effectively.

There are two main requirements when deploying an IDS: its cost, and its ability to keep up with the rapid development of information technology. SNORT meets both requirements very well. It is software that can be downloaded and used free of charge under the terms of the GPL, so cost is not a concern. Furthermore, SNORT is an open-source product with a large, well-managed developer community, so when a new form of intrusion is discovered the developers immediately issue a warning and the Snort rules are updated quickly, and businesses can modify the source code to fit their own requirements. For these reasons SNORT is currently the most powerful and most popular IDS software in the world for intrusion detection.

Snort has four different operating modes:

Sniffer mode: in this mode Snort listens to and reads the packets on the network, then presents the results on the display.

Packet Logger mode: stores the packets in log files.

Network Intrusion Detection System (NIDS) mode: this is the most powerful and most widely used mode. Running in NIDS mode, Snort analyses the packets travelling across the network and compares them with user-defined information, so that it can take corresponding actions such as notifying the network administrator when a vulnerability scan by hackers/attackers is in progress, or raising a virus alert.

Inline mode: when Snort is deployed on Linux, it can be configured to analyse packets taken from iptables instead of libpcap, so that iptables can drop or pass packets according to the Snort rules.

I. INSTALLING SNORT NIDS ON WINDOWS 2K/XP/2K3

1. Download Snort: download Snort from the website www.Snort.org or from http://www.security365.biz/downloads/ids

The home page www.snort.org. The latest version at the time this article was written is Snort 2.6.1.2. Select the binaries/ folder and then the folder holding Snort for the Windows or Linux operating system. Here we are deploying Snort on a Windows system, so choose win32/

Then go back to the home page, choose RULES => DOWNLOAD RULES and download the latest rule set.

Download Snort rules. Now we can install Snort on our Windows Server 2k3 or Windows XP Pro system (installed on a physical machine). You can log in to GiaiPhapAnToan.Com to download the video demo "Installing and Using Snort Network IDS".

2. Install Snort:

Snort uses a network card in promiscuous mode to capture packets before analysing them, so the computers running Snort are best placed in the collision domain, on hosts where network traffic converges such as routers or gateways, or connected to the SPAN port of a switch; you can place Snort in front of or behind a firewall depending on the organisation's security requirements. If the network has several segments, each subnet must have its own Snort server installed. Unlike other commercial products, which besides high licensing costs usually require powerful hardware, Snort can be installed and configured on an x386 computer; we do, however, need enough free disk space to store the captured packets, and with today's storage technology that is not a problem. Snort works as a network sniffer: it listens to and stores the packets on the network, then compares their content (payload) or headers with a set of defined rules called Snort rules, and when a rule matches a packet the actions of that rule are carried out as defined. One advantage is that these rules are always updated quickly by the developer community, so Snort responds very well to modern forms of attack. Snort uses the following three components to do its work:

- Packet decoder: decodes the packet, including the IP header and the data payload.
- Detection engine: searches for suspicious signs according to the rule set.
- Logging and alerting system: stores packets and raises alerts.

These three components use libpcap to capture packets when Snort is installed on Linux. If we install on Windows, libpcap must be replaced with WinPcap.

In this article I describe how to install Snort on Windows XP Pro. We can download WinPcap from www.iltiloi.com and Snort from the website www.Snort.org, choosing the Windows build. Then click the Snort_Installer program file to start the installation. The Installation Options screen offers ways of storing the log file in an SQL or Oracle database; in this lab we only store logs in the Event Log, so we choose the first option, "I do not plan to log to a database, or I am planning to log to one of the databases listed above".

After installing Snort we need to set the important parameters HOME_NET and RULE_PATH before Snort can be started and the next steps carried out. This is the step that most often makes the installation and use of Snort fail, because of incorrect declarations. As an example, we deploy Snort on a class C network with the address range 192.168.1.0/24, so open the snort.conf file in the folder C:\Snort\etc, find the HOME_NET variable and set it to that range, as shown in the figure.

Next, declare the path C:\Snort\rules to the folder containing the Snort rules and set RULE_PATH accordingly.

Declare the include lines for classification.config and reference.config as in the figure below (change them to include C:\Snort\etc\classification.config and C:\Snort\etc\reference.config).

Now we can copy the ready-made rules (downloaded from www.giaiphapantoan.com; be sure to pick the version matching the Snort release you deployed): unpack them and copy the rules folder into the Snort installation folder C:\Snort.

The rules folder containing the rule files after unpacking.

Copy the rules folder into C:\Snort. The preparation is now complete. Before starting Snort to sniff or listen for suspicious signals, specify the folder that will hold the log file for Snort IDS. Run the following command:

C:\Snort\bin> snort -l C:\Snort\log -c C:\Snort\etc\snort.conf -A console

The result after running the command is as follows:

II. USING SNORT

Packet sniffing: Snort is put into promiscuous mode. To sniff we need to choose the network card; if the computer has several cards, use the command snort -W to identify them:

The output of snort -W lets us determine the number of the network card to use.

So the network card has number 2. You can run snort -h to see the command syntax. To sniff packets, use the command snort -v -ix (where x is the number of the network card).

Command-line syntax for snort and its options:

C:\Snort\bin\snort -v -i2

With the -v option Snort displays only the IP and TCP/UDP/ICMP headers. To see the application data being exchanged, use the -vd options:

C:\Snort\bin\snort -vd -i2

To also display the packet headers at the data link layer, use:

C:\Snort\bin\snort -vde -i2

After running the command above, open a new window, try pinging www.giaiphapantoan.com and watch the Snort console; we will see output like the following figure:

Packet headers displayed when running snort -v.

To stop sniffing, press Ctrl-C; Snort then presents a summary of the captured packets by protocol, such as UDP and ICMP.

Packet Logger mode:

Besides viewing the packets on the network, we can also store them in the folder C:\Snort\log with the -l option. For example, the following command logs the data link and TCP/IP header information of the local network 192.168.1.0/24:

C:/Snort/bin/snort -dev -l C:/Snort/log -h 192.168.1.0/24

So far we have installed and configured Snort to capture packets and view their contents, but we have not yet turned Snort into a real IDS that detects intrusions. Such a system needs rules, together with actions that alert the system administrator when one of those rules matches. In the next part we will configure Snort to build a network IDS.

Using Snort in Network IDS mode:

All the actions of Snort IDS work through rules, so we need to create new rules or edit the ready-made ones; here we will look at both cases. First, consider the following command for running Snort as a NIDS:

C:\Snort\bin\snort -dev -l \Snort\log -c snort.conf

This command has a new option, -c, with the value snort.conf. We know that snort.conf, stored in the folder C:\Snort\etc, holds Snort's control and configuration parameters, such as the HOME_NET variable that defines the network range and the RULE_PATH variable that defines the path to the Snort rules to apply. Here the -c option tells Snort to apply the rules declared in the configuration file snort.conf when processing the packets captured on the network. Before studying Snort and its rules more deeply, let us look at the components of a Snort rule:

- Rule header: holds the action, the protocol, the source IP address and destination IP address with their subnet masks, and the port numbers of the source and destination addresses.
- Rule option: declares the conditions under which packets match the rule, together with the alert message, as in the following example:

alert tcp any any -> any 80 (content: "adult"; msg: "Adult Site Access";)

In the line above, the rule header is alert tcp any any -> any 80 and the part (content: "adult"; msg: "Adult Site Access";) is the rule option. Although rule options are not mandatory in every Snort rule, they give us the necessary information about why the rule was created and the corresponding actions. The result of this rule is to generate an alert when TCP traffic from any IP address and port is sent to any IP address on port 80 and its content (payload) contains the keyword adult. When this happens, that is, when some user on the LAN accesses a site containing the word adult, a record "Adult Site Access" is written to the log file.

i. Rule Header:

Next we go deeper into the rule header, which in the example above is alert tcp any any -> any 80. The first part, alert, is the rule action, which defines the action Snort takes when a packet matches the rule we created. There are five kinds of rule action:

- alert: generate an alert and write to the log file.
- log: log the packet.
- pass: ignore the packet.
- activate: generate an alert and turn on a dynamic rule.
- dynamic: stays idle until activated by a matching rule.

Once the action is defined, you need to specify the protocol, which in the example above is TCP; Snort supports the protocols TCP, UDP, ICMP and IP. Then we add the IP address to our Snort rule: for example, any matches any IP address. Snort also uses netmask notation to declare network masks, such as /8 for a class A address, /16 for class B and /24 for class C. To declare a single host, use /32. We can also specify a list of networks as follows:

alert tcp any any -> [10.0.10.0/24, 10.10.10.0/24] any (content: "Password"; msg:"Password Transfer Possible!";)

Note: the rule above may be shown broken over two lines, but when you use it you must enter it on one line. If you want to split one rule over several lines you must use the backslash (\) character; where possible, keep it on a single line. After the action, protocol and IP address are defined we need to specify the service port number, such as 80 for Web access or ports 21 and 23. The keyword any can also be used to apply the rule to all ports, or a colon (:) to specify a range of ports.

To log any traffic from all IP addresses and all ports to port 23 of the network 10.0.10.0/24, use the following rule:

log tcp any any -> 10.0.10.0/24 23

To log all traffic from any IP address to ports in the range 1 to 1024 on hosts in the network 10.0.10.0/24, use:

log tcp any any -> 10.0.10.0/24 1:1024

To log all traffic from IP addresses with a source port lower than or equal to 1024 to hosts in the network 10.0.10.0/24 with a destination port greater than or equal to 1024, use the following syntax:

log tcp any :1024 -> 10.0.10.0/24 1024:

We can also use the negation operator !, for example to log TCP traffic from every host except 172.16.40.50, on all ports, to any host on 10.0.10.0/24 on all ports:

log tcp !172.16.40.50/32 any -> 10.0.10.0/24 any

Or to log all traffic to hosts in the network 10.0.10.0/24 except on port 23:

log tcp any any -> 10.0.10.0/24 !23

By now we have gone through a number of Snort rules and noticed that each has a direction operator ->, which defines the direction of the traffic (the source is written on the left, the destination on the right). To apply a Snort rule to traffic in both directions, use the syntax <> instead of ->, as in the following rule that logs both directions of a telnet session:

log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23

ii. Rule Option:

A Snort rule can have many different options, separated by the ; character, and these rule options make Snort rules more flexible and more powerful. The following list presents the common options often used in Snort rules:

Keyword / Description
- msg: display a message in the alert and packet log file.
- ttl: compare the Time To Live value of the IP header.
- id: compare the IP header fragment id value.
- flags: compare the TCP flags with the defined values.
- ack: compare the TCP ack with a defined value.
- content: compare the packet content with the defined values.

When the msg keyword is used in a rule, it tells Snort's logging and alerting system to insert a defined message into the log file or the alert, for example msg: "text here"; When ttl is used in a rule, it tells Snort to compare against a Time To Live value; this is usually used to detect traceroute. A simple example of declaring ttl is: ttl: "time-value"; When a rule uses the id keyword, it tells Snort to compare against a defined IP header fragment id: id: "id-value"; For the flags option there are several possibilities depending on which flag is to be compared; the flag options are declared as follows:

- F for the FIN flag
- S for the SYN flag
- R for the RST flag
- P for the PSH flag
- A for the ACK flag
- U for the URG flag
- 2 for reserved bit 2
- 1 for reserved bit 1
- 0 for no TCP flags set

Logical operators can be applied to the flags option: + matches all of the listed flags, * matches any of the listed flags, and ! matches by exclusion. The reserved bits are used to detect scans and IP stack fingerprinting. Here is an example of the flags option in a Snort rule that detects SYN/FIN scans:

alert tcp any any -> 10.0.10.0/24 any (flags: SF; msg: "SYN FIN Scan Possible";)

The ack option matches a corresponding ACK value in the packet's TCP header; applications such as Nmap use the ACK flag to determine whether a host exists. Among the keywords, content is the most important: when content is used, Snort examines the packet content and compares it with the value declared in content, and if they match the corresponding actions are taken. Note that the values used with content are case sensitive (upper and lower case are distinguished), and to make the comparison more efficient Snort uses a pattern-matching mechanism called Boyer-Moore, which keeps the comparison efficient even on machines with weak hardware. The simple syntax of the content keyword is: content:"content value"; There are many other keywords; consult the man page (if using Snort on Linux) or the help page when running Snort on Windows for more.

iii. Snort Rule Examples:

Here are some basic Snort rules with their descriptions. You can use them as templates when creating your own Snort rules.

Log all traffic connecting to port 23 of the telnet service:

log tcp any any -> 10.0.10.0/24 23

Log ICMP traffic to the network 10.0.10.0:

log icmp any any -> 10.0.10.0/24 any

Allow all Web browsing without logging:

pass tcp any any -> any 80

Generate an alert with an accompanying message:

alert tcp any any -> any 23 (msg: "Telnet Connection Attempt";)

Detect network scans using SYN/FIN:

alert tcp any any -> 10.0.10.0/24 any (msg: "SYN-FIN scan detected"; flags: SF;)

Detect TCP NULL scans:

alert tcp any any -> 10.0.10.0/24 any (msg: "NULL scan detected"; flags: 0;)

Detect OS fingerprinting:

alert tcp any any -> 10.0.10.0/24 any (msg: "O/S Fingerprint detected"; flags: S12;)

Content filtering:

alert tcp $HOME_NET any -> !$HOME_NET any (content: "Hello"; msg:"Hello Packet";)

We have now looked at Snort rules with the common rule actions and rule options. Using the sample rules above, you can set up your own rules and create a Snort rule of your own. The following scenario requires the system security specialist to set up a Snort rule that logs all TCP traffic, alerts when the ping command is used, and raises an alert if anyone uses the password "password". Proceed as follows. Open the Notepad editor and enter the content:

log tcp any any -> any any (msg: "TCP Traffic Logged";)
alert icmp any any -> any any (msg: "ICMP Traffic Alerted";)
alert tcp any any -> any any (content: "password"; msg: "Possible Password Transmitted";)

Save the file as c:\Snort\rules\security365.rule, taking care to select "All Files" in Notepad so that it does not append an extension.

To test the rules we just created, delete the files in the folder C:\Snort\log, open two command windows and run the following command in the first:

C:\Snort\bin\snort -c \Snort\rules\security365.rule -l \Snort\log

Then run the following commands in the other window:

C:\>ping www.giaiphapantoan.com
C:\>net send [ip_address] Here is my password

Press Ctrl-C in the window running Snort: you will see the packets that were captured, and looking at the log file you will see the alerts.
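As an added example (not code from the original article), the following Python script checks rules written in the syntax described above before they are loaded into Snort: it parses the header fields, the bracketed IP list and backslash continuation, the port notation and the flags option, and runs over the three rules saved in security365.rule. It assumes nothing beyond the syntax the text covers, and it treats a capitalised action such as Log as an error, since Snort's keywords are lowercase.

```python
# Added example (not code from the original article): a checker for the rule syntax above.
import re
from collections import namedtuple
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}   # keywords are lowercase
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
Rule = namedtuple("Rule", "action protocol src src_port direction dst dst_port options")
# header: action proto src src_port (->|<>) dst dst_port [(options)]; an address may be a list [a, b]
ADDR = r"(\[[^\]]*\]|\S+)"
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+" + ADDR + r"\s+(\S+)\s+(->|<>)\s+"
                     + ADDR + r"\s+(\S+)\s*(?:\((.*)\))?$")

def parse_rule(line):
    """Split one rule into its header fields and a keyword -> value option map."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("malformed rule: " + line)
    action, proto, src, sp, direction, dst, dp, opts = m.groups()
    if action not in ACTIONS:     # "Log" or "Alert" would not load in Snort
        raise ValueError("unknown action: " + action)
    if proto not in PROTOCOLS:
        raise ValueError("unknown protocol: " + proto)
    options = {}
    for item in (opts or "").split(";"):   # options are separated by ';'
        if item.strip():
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Rule(action, proto, src, sp, direction, dst, dp, options)

def load_rules(text):
    """Parse a rule file; a trailing backslash continues a rule on the next line."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    return [parse_rule(ln) for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def port_matches(spec, port):
    """Apply the port notation from the text: any, 23, !23, 1:1024, :1024, 1024:."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    low, sep, high = spec.partition(":")
    if not sep:
        return port == int(low)
    return (int(low) if low else 0) <= port <= (int(high) if high else 65535)

def parse_flags(spec):
    """Turn a flags value such as SF, S12, 0 or A+ into (flag set, modifier)."""
    flags, modifier = set(), ""
    for ch in spec:
        if ch in "+*!":               # match all, match any, exclude
            modifier = ch
        elif ch in "FSRPAU12":
            flags.add(ch)
        elif ch != "0":               # 0 on its own means no TCP flags set
            raise ValueError("unknown flag bit: " + ch)
    return flags, modifier

# Constructed sample: the three rules the text saves as security365.rule
SECURITY365_RULES = """\
log tcp any any -> any any (msg: "TCP Traffic Logged";)
alert icmp any any -> any any (msg: "ICMP Traffic Alerted";)
alert tcp any any -> any any (content: "password"; \\
    msg: "Possible Password Transmitted";)
"""
```

Running load_rules over a rule file before starting Snort catches the capitalised actions and misplaced fields that otherwise only show up as a load error in the console.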

Besides creating your own Snort rules, you can apply the ready-made rule sets (download the rules for Snort 2.4 from http://giaiphapantoan.com/downloads/ids). The following figure shows the content of a pre-defined rule file, scan.rules in the folder C:\Snort\rules, and how the rule for detecting FIN/SYN scans is set up.

To apply a pre-defined rule we proceed just as for the rules you set up yourself. If the system has several network cards, we should state clearly which card numbers Snort is to use. Also, when setting up rules for the ICMP protocol, set the Port field to any.

III. Managing Snort NIDS with IDS Center (to be continued):

Through parts I and II you have learned how to install a Snort system and configure the necessary parameters such as HOME_NET and RULE_PATH, how to run Snort in sniffer mode, and how to apply rules you created yourself or ready-made rules. To make managing and operating Snort Network IDS more convenient, you can install the IDS Center application, a free application that manages and runs Snort very effectively. Download IDS Center from http://www.giaiphapantoan.com/downlaods/ids and install it with the following steps:

Run the file setup.exe. On the next screen click Next.

Choose Yes on the License Agreement screen to accept the terms:

Choose the installation folder, with the default value C:\Program Files\IDScenter, and press Next:

Then accept the default values and complete the installation
