TABLE OF CONTENTS

PREFACE
CHAPTER I: OVERVIEW OF IDS/IPS
1.1 Introduction to IDS/IPS
1.1.1 Definition
1.1.2 Differences between IDS and IPS
1.2 Classification of IDS/IPS and analysis of strengths and weaknesses
1.2.1 Network-based IDS (NIDS)
1.2.2 Host-based IDS (HIDS)
1.3 Operating mechanisms of IDS/IPS systems
1.3.1 Misuse detection model
1.3.2 Anomaly detection model
1.3.2.1 Static detection
1.3.2.2 Dynamic detection
1.3.3 Comparison of the two models
1.4 Some IDS/IPS products
CHAPTER II: STUDYING THE USE OF SNORT IN IDS/IPS
2.1 Introduction to Snort
2.2 Snort architecture
2.2.1 Packet decoder module
2.2.2 Preprocessor module
2.2.3 Detection module
2.2.4 Logging and alerting module
2.2.5 Output module
2.3 The Snort rule set
2.3.1 Introduction
2.3.2 Structure of a Snort rule
2.3.2.1 Header
2.3.2.2 Options
2.4 Snort's prevention mode: Snort Inline
2.4.1 Integrating blocking capability into Snort
2.4.2 Additions to the Snort rule structure to support inline mode
CHAPTER III: INSTALLING AND CONFIGURING SNORT, TESTING THE RESPONSE CAPABILITY OF IDS/IPS
3.1 Defining variables
3.2 Configuring the preprocessor modules
3.3 Configuring the output modules
REFERENCES

PREFACE

Information security in general, and network security in particular, is a matter of concern not only in Vietnam but throughout the world. With the rapid growth of the Internet, securing information systems has become more urgent than ever. Within network security, detecting and preventing intrusion attacks against computer networks is a rich topic that has attracted many researchers along many different lines of research. In that spirit, in this specialized internship project we set out to study intrusion detection and prevention, in order to master the solutions and advanced techniques that will serve us well after graduation. Although we have done our best, our knowledge and our ability to judge the problem are still limited, so this work inevitably has shortcomings; we welcome the attention and comments of our teachers and of all our friends. To complete this project, we would like to express our deepest thanks to our supervisor, Mr. Nguyen Dao Trong, who enthusiastically guided and advised us and gave us much useful knowledge throughout the project. Only thanks to his devoted help were we able to complete it. Once again, our sincere thanks to him!

CHAPTER I: OVERVIEW OF IDS/IPS

1.1 Introduction to IDS/IPS

1.1.1 Definition

An intrusion detection system (IDS) is a system whose task is to monitor, detect and (possibly) prevent intrusions, as well as unauthorized exploitation of the protected system's resources, that could compromise the confidentiality, integrity and availability of the system. An IDS collects information from many sources within the protected system and then analyzes that information in various ways to detect unauthorized intrusions. When an IDS is able to block the intrusions it detects, it may be called an intrusion prevention system, or IPS. The following figure illustrates where an IDS is commonly installed in a network:

Figure: Typical IDS placements in a network

1.1.2 Differences between IDS and IPS

The difference between the two concepts is visible in their names: detection versus prevention. An IDS is designed mainly to detect and alert on intrusion threats against the network it protects, whereas an IPS, besides detecting, can itself act against the threat according to rules the administrator has set up in advance.

However, in practice this distinction is not so sharp. Some IDS are designed with blocking as an optional feature, while some IPS do not provide the full functionality of a prevention system in the strict sense. This raises the question of which to choose, IDS or IPS. The answer depends on the size and nature of the particular network and on the administrators' security policy. For a small network with a single security server, an IPS is usually the stronger candidate, because it combines detection, alerting and blocking. On larger networks, however, blocking is usually delegated to a dedicated product such as a firewall; the alerting system then only monitors, detects and forwards alerts to a separate blocking system. This division of responsibility makes securing the network more flexible and more effective.

1.2 Classification of IDS/IPS

The most common way to classify IDS (and IPS) is by the source of the data they collect. On that basis, IDS fall into the following types:
- Host-based IDS (HIDS): uses audit data from a single host to detect intrusions.
- Network-based IDS (NIDS): uses data from all network traffic, together with audit data from one or a few hosts, to detect intrusions.

1.2.1 Network-based IDS (NIDS)

A NIDS usually consists of two logical components:
- Sensor: placed on a network segment, it monitors suspicious traffic on that segment.
- Management station: receives alerts from the sensors and notifies an operator.

Figure I: NIDS model

A traditional NIDS with two sensors on different network segments, both reporting to the same monitoring station.
Advantages

- Low cost: because a NIDS only has to be installed at a few key points to monitor the traffic of the whole network, there is no need to load and manage software on every machine in the network.
- Detects attacks that a HIDS misses: unlike a HIDS, a NIDS inspects the headers of every packet, so it does not miss indicators that originate there. For example, many DoS attacks and Teardrop (fragmentation) attacks can only be detected by examining the headers of packets in transit on the network.
- Evidence is hard to erase: information stored in log files can be modified by an intruder to hide the intrusion, and in that case a HIDS is left with no record of the activity. A NIDS detects intrusions from live network traffic, so an intruder cannot erase the traces of the attack. The captured data contains not only the method of attack but also information that helps verify the attack and hold the intruder to account.
- Timely detection and response: a NIDS detects attacks as they happen, so alerting and response can be faster. For example, a TCP-based DoS attack can be detected by the NIDS and cut off at once by sending TCP reset segments to end the connection before the attacker compromises and brings down the victim.
- High independence: a failure of the NIDS has no significant effect on the work of the machines on the network. It runs on a dedicated system that is easy to install: simply power the device on, make a few configuration changes and plug it into the network at a point where it can observe the sensitive traffic.
Disadvantages

- Limited by switches: many advantages of a NIDS are lost in modern switched networks. A switch divides the network into many separate segments, so a NIDS has difficulty collecting information across the whole network. Because it only inspects the segment it is directly connected to, it cannot detect an attack taking place on other segments. Consequently the organization has to buy a large number of sensors to cover the whole network, which is costly to deploy.
- Limited performance: a NIDS has difficulty processing every packet on a large or heavily loaded network, and so may fail to detect attacks carried out at "peak" times. Some vendors address this by implementing the IDS entirely in hardware to increase its speed; but to keep up that speed some packets are skipped, which can leave a gap that an intrusion slips through.
- Added network load: an intrusion detection system may need to send a large volume of data back to a central analysis system, meaning that every monitored packet produces a large analysis load. To reduce this, flexible data-reduction processes are used to cut down the amount of traffic sent. Vendors also often move decision-making logic into the sensors and use the central station as a status display or communications hub rather than for the actual analysis. The drawback is that each sensor then receives very little related information: no sensor knows that another sensor has spotted an attack. Such a system cannot detect coordinated or complex attacks.
- A NIDS usually has difficulty handling attacks inside an encrypted session. This problem grows more serious as many companies and organizations adopt virtual private networks (VPNs).
- Some NIDS also have difficulty detecting network attacks built from fragmented packets. Such malformed packets can cause the NIDS to malfunction and crash.

1.2.2 Host-based IDS (HIDS)

A host-based IDS looks for signs of intrusion on the local host, usually using mechanisms that check and analyze the information that has been logged. It looks for abnormal activity such as logins, inappropriate file access and unauthorized attempts at privilege escalation. This IDS architecture is usually rule-based in its analysis of activity. For example, superuser privileges can only be obtained through the su command, so repeated attempts to log in to the root account may be treated as an attack.
Advantages

- Determines the outcome of an attack: because a HIDS uses log data recording the events that occurred, it can tell whether an attack succeeded or failed more accurately than a NIDS. A HIDS can therefore supply follow-up information once an attack has been detected early by a NIDS.
- Monitors specific system activities: a HIDS can watch activities that a NIDS cannot, such as file access, permission changes, executed actions and access to privileged services. It also monitors activities that only the administrator can perform. A host-based IDS can therefore be a very powerful tool for analyzing possible attacks, because it usually provides more detailed and more accurate information than a network-based IDS.
- Detects intrusions that a NIDS misses: for example, an intruder who breaks into a server from its own keyboard is invisible to a NIDS.
- Adapts well to switched and encrypted environments: switching and encryption take place on the network, while a HIDS is installed on the host, so it is unaffected by either technique.
- No additional hardware: because it is installed directly on the existing infrastructure (FTP server, web server), a HIDS requires no extra hardware.
Disadvantages

- Hard to administer: host-based systems must be installed on every device you want to protect. That is a large amount of work to configure, manage and update.
- Untrustworthy information source: another problem with host-based systems is that they tend to rely on the default logs and on the server's own auditing capability. That information can itself be attacked and tampered with, causing the system to misbehave and miss intrusions.
- Host-based systems are relatively expensive: many organizations lack the financial resources to protect all their network segments with host-based systems. They must then choose very carefully which systems to protect, and that can leave large gaps in intrusion-detection coverage. For example, an attacker on an unprotected neighboring system can sniff credentials or other sensitive material on the network.
- Consumes system resources: because it is installed on the machines it protects, a HIDS must draw on those machines' resources to operate: CPU, RAM, storage.

1.3 Operating mechanisms of IDS/IPS systems

There are two basic approaches to intrusion detection and prevention:
- Misuse detection (Misuse Detection Model): the system detects intrusions by looking for actions that match known intrusion techniques (based on signatures) or known vulnerabilities of the system.
- Anomaly detection (Anomaly Detection Model): the system detects intrusions by looking for actions that differ from the usual behavior of users or of the system.

1.3.1 Misuse detection

Misuse detection means detecting intruders who are trying to break into the system using known techniques. It involves characterizing the known ways of breaking into a system, each of which is described as a pattern. A misuse detection system only monitors for explicit patterns. A pattern may be a fixed bit string (for example a virus characterized by an inserted string) or may describe a set or a sequence of suspicious actions. Here we use the term intrusion scenario. A typical misuse detection system continuously compares the current activity of the system with a set of intrusion scenarios, trying to detect a scenario in progress. It may examine the current activity of the protected system in real time, or the audit records written by the operating system. Misuse detection techniques differ in how they model the behaviors that constitute an intrusion. First-generation misuse detection systems used rules describing what security administrators look for in the system. As large rule sets accumulated they became hard to understand and modify, because the rules were not logically grouped into intrusion scenarios. To overcome this, second-generation systems introduced alternative scenario representations, including model-based rule organization and state-transition representations. This is more effective for users of the system who need a representation and a clear understanding of the scenarios. The system must be maintained and updated continuously to keep up with newly discovered intrusion scenarios. Because intrusion scenarios can be specified precisely, misuse detection systems can follow the trace of an intrusion. Within a sequence of actions, the detector can anticipate the next step of the intrusion; it analyzes system information to check for that next step and, where necessary, intervenes to reduce the possible damage.

1.3.2 Anomaly detection

Anomaly detection is based on defining and characterizing the acceptable behavior of the system so as to distinguish it from unwanted or abnormal behavior, and so find changes and illegitimate actions.

An anomaly detector must therefore be able to distinguish normal from abnormal phenomena. The boundary between the acceptable and the abnormal form of code and stored data is sharply defined (a single differing bit suffices), whereas the boundary between legitimate and abnormal behavior is much harder to determine. Anomaly detection is divided into two kinds: static and dynamic.

1.3.2.1 Static detection

Static detection rests on the assumption that the monitored part of the system must never change. Here we are concerned only with the software part of the system (the hardware is assumed not to need checking). The static part of a system consists of two sub-parts: the system code and the data of that part of the system. Both can be represented as a binary bit string or a set of such strings. If that representation differs from the original, either an error has occurred or an intruder has modified it. The static detector is then notified to check data integrity. Concretely: the static detector takes one or more fixed bit strings that define the expected state of the system. From these strings it obtains a representation of that state, possibly compressed. It then compares that representation with one computed in the same way from the current state of the same fixed bit strings. Any difference indicates either a hardware error or an intrusion. The representation of the static state could be the actual bit strings chosen to define the system state, but that is expensive both to store and to compare. Since what matters is finding that a difference exists, so as to raise an alert, rather than pointing out where it is, a compressed representation can be used to reduce the cost. This is a summary value computed from the base bit string; the computation must ensure that different base strings yield different values. Checksums, message digests and hash functions can be used. Some intrusion detectors also incorporate meta-data (data describing data objects) or structural information about the object being checked. For example, the meta-data of a log file includes its size. Logs normally only grow, so a log file whose size shrinks may be a sign of intrusion.

1.3.2.2 Dynamic detection

First we introduce the notion of the behavior of a system. System behavior is defined as a sequence of distinct events; for example, many intrusion detection systems use the audit records generated by the operating system to define the relevant events, and in that case only behaviors that result in operating-system audit records are considered. The events may or may not occur in strict order, and the information must be accumulated. Thresholds are defined to separate legitimate from abnormal resource use. If it is not certain whether a behavior is abnormal, the system can fall back on parameters about that behavior set during initialization. The boundary in this case is not sharp, which can lead to false alarms. The most common way to fix the boundary is to use statistical classification and standard deviations: once a classification has been established, the boundary can be drawn at some number of standard deviations, and behavior that falls outside it raises an intrusion alert. Concretely: dynamic detection systems usually create a base profile characterizing normal, acceptable behavior. A profile consists of a set of measures taken of the behavior, each measure having several dimensions:
- choices made: login time, login location, ...
- resources used over the whole process or per unit of time: session length, number of messages sent to the network per unit of time, ...
- sequences representing actions.
Once the base profile has been initialized, intrusion detection can begin. Dynamic detection then resembles static detection in that it monitors behavior by comparing the current characterization of the behavior with the initial characterization of the expected behavior (the base profile), looking for differences. While the intrusion detection system runs, it examines the events related to an entity, or the actions that are attributes of the entity, and builds a further, current profile. Earlier intrusion detection systems had to rely on audit records to capture the relevant events or actions; later systems record a database specified for intrusion detection. Some systems operate in real time or near real time, observing events directly as they occur rather than waiting for the operating system to produce records describing them. The main difficulty with dynamic detection systems is that they must build the base profiles accurately and then recognize misbehavior against those profiles. Base profiles can be built by running the system under supervision or by observing normal user behavior over a long period.

1.3.3 Comparison of the two models
Basis:
- Misuse detection: a database of attack signatures; looks for matching patterns.
- Anomaly detection: a database of normal behavior; looks for deviation of the actual behavior from the normal behavior.

Effectiveness:
- Misuse detection: effective at detecting known attack forms and variants (minor changes) of known attacks; cannot detect new attack forms.
- Anomaly detection: effective at detecting new attack forms that a misuse detection system misses.

Configuration:
- Misuse detection: easier to configure, since it requires less data collection, analysis and updating.
- Anomaly detection: harder to configure, because it produces more data and requires a comprehensive notion of the known or expected behavior of the system.

Conclusions:
- Misuse detection: draws conclusions from pattern matching. Can trigger an alert message as a definite indicator, or supply supporting data for other indicators.
- Anomaly detection: draws conclusions from the statistical correlation between the actual and the expected behavior of the system (that is, from the deviation between the observed information and the allowed threshold). Can support generating system information automatically, but this takes time and the collected data must be clear.

Table: Comparison of the two detection models

To obtain the best intrusion detection system, the two methods are combined in a single system. The combined system can detect more kinds of attack, and more effectively. The combined system is shown below:

Figure I: System combining the two detection models
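The two anomaly detectors of 1.3.2 each reduce to one check: the static detector compares a message digest (and here also the size meta-data) of protected files against a recorded baseline, and the dynamic detector compares a measured behavior against a statistical profile and flags values more than k standard deviations from the baseline mean. The Python program below is an added illustration written for this page, not code from the report or from any IDS product; the file names, the ten-day series of failed logins and the choice of k = 3 are constructed assumptions.

```python
"""Static and dynamic anomaly detection reduced to their core checks (illustration)."""
import hashlib
import statistics
import tempfile
from pathlib import Path


# --- Static detection (1.3.2.1): the monitored code/data must not change. ---

def digest_file(path):
    """Compressed representation of a file's bit string: its SHA-256 message digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Expected state: digest plus size (meta-data) for every monitored file."""
    return {str(p): (digest_file(p), Path(p).stat().st_size) for p in paths}


def check_baseline(baseline):
    """Names of files that are missing or whose size/digest differ from the baseline.
    Only the fact of a difference is reported, not where inside the file it lies."""
    changed = []
    for name, (expected_digest, expected_size) in baseline.items():
        p = Path(name)
        if not p.exists():
            changed.append(name)
        elif p.stat().st_size != expected_size or digest_file(p) != expected_digest:
            changed.append(name)
    return changed


# --- Dynamic detection (1.3.2.2): behavior measured against a statistical profile. ---

class BehaviourProfile:
    """Base profile for one measure (e.g. failed logins per day); a value more than
    `k` standard deviations from the baseline mean is treated as anomalous."""

    def __init__(self, observations, k=3.0, min_samples=5):
        if len(observations) < min_samples:
            raise ValueError("profile needs at least %d observations" % min_samples)
        self.mean = statistics.mean(observations)
        self.stdev = statistics.pstdev(observations)
        self.k = k

    def is_anomalous(self, value):
        if self.stdev == 0:          # constant baseline: any change is a deviation
            return value != self.mean
        return abs(value - self.mean) / self.stdev > self.k


def demo_static():
    """Constructed scenario (assumed file names): two protected files, one edited after baselining."""
    with tempfile.TemporaryDirectory() as d:
        cfg, binary = Path(d, "sshd_config"), Path(d, "login.bin")
        cfg.write_text("PermitRootLogin no\n")
        binary.write_bytes(b"\x7fELF original")
        baseline = build_baseline([cfg, binary])
        cfg.write_text("PermitRootLogin yes\n")           # an intruder edits the config
        return [Path(n).name for n in check_baseline(baseline)]


def demo_dynamic():
    """Constructed baseline: failed logins per day for one account over ten days."""
    profile = BehaviourProfile([3, 4, 2, 5, 3, 4, 3, 2, 4, 3])   # mean 3.3, stdev 0.9
    return {v: profile.is_anomalous(v) for v in (5, 7, 40)}


if __name__ == "__main__":
    print("changed files:", demo_static())
    print("anomalous counts:", demo_dynamic())
```

The static check is only as trustworthy as the place the baseline is stored: an intruder who can rewrite the protected files can usually also rewrite a baseline kept on the same host, so it belongs on read-only or remote storage. The dynamic check shows the trade-off the text describes: with k = 3 a day with 5 failures is normal and 7 is already flagged, so k must be chosen against the false-alarm rate the operators can tolerate.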

1.4 Some IDS/IPS products

This section introduces some popular commercial and free IDS/IPS products that are representative of the field of intrusion detection and prevention.

Cisco IDS-4235
Cisco IDS (also known as NetRanger) is a NIDS capable of monitoring all network traffic and matching every packet to detect signs of intrusion. Cisco IDS is a self-contained solution: Cisco supplies hardware and software together in a dedicated appliance. Its technical approach is a hybrid of decoding (decode) and pattern matching (grep). Cisco IDS runs on an optimized and preconfigured Unix system and is managed through Cisco's familiar command-line interface (CLI).

ISS Proventia A201
Proventia A201 is a product of Internet Security Systems. Proventia is not simply a software or hardware system but a set of devices deployed in a distributed fashion across the protected network. A Proventia system comprises the following devices:
- Intrusion Protection Appliance: the center of the whole Proventia system. It stores the network configuration, the matching data, and the rules and policies of the system. It is essentially a Linux build with optimized network device drivers and a minimized set of services.
- Proventia Network Agent: plays the role of the sensors. Agents are placed at sensitive points in the network to monitor all traffic and detect latent intrusion threats.
- SiteProtector: the control center of the Proventia system, where the network administrator controls the configuration and operation of the whole system.

With the Proventia solution, the devices are deployed to suit the configuration of each particular network so as to achieve the best effect.

NFR NID-310
NFR is a product of NFR Security Inc. Like Proventia, NFR NID is an appliance-based system. A distinctive feature of the NFR NID architecture is its family of sensors, which adapt to a wide range of networks, from 10 Mbps networks to gigabit networks with very high throughput. A highlight of NFR NID is its three-tier control model: instead of each device in the system being controlled directly through a separate administration interface (AI), NFR provides a centralized control mechanism with middleware that controls the devices directly.

Snort
Snort is an open-source IDS developed by Martin Roesch. Snort was first built on Unix and later ported to other platforms. Snort is regarded as the most notable open-source IDS, with very powerful features. Snort is described in detail in Chapter II of this report.

CHAPTER II: STUDYING THE USE OF SNORT IN IDS/IPS

2.1 Introduction to Snort

Snort is a NIDS developed by Martin Roesch under an open-source model. Although Snort is free, it has many excellent features that not every commercial product can offer. With its modular architecture, users can extend their own Snort system by installing or writing new modules. Snort's rule database has reached 2930 rules and is updated regularly by a community of users. Snort runs on many platforms: Windows, Linux, OpenBSD, FreeBSD, NetBSD, Solaris, HP-UX, AIX, IRIX and MacOS. Besides operating as an ordinary packet sniffer, Snort can be configured to run as a NIDS. Snort supports the following link-layer protocols: Ethernet, 802.11, Token Ring, FDDI, Cisco HDLC, SLIP, PPP, and OpenBSD's PF.

2.2 Snort architecture

Snort consists of several components, each with its own function. The main parts are:
- Packet decoder module (Packet Decoder)
- Preprocessor module (Preprocessors)
- Detection module (Detection Engine)
- Logging and alerting module (Logging and Alerting System)
- Output module (Output Modules)
Snort's architecture is shown in the following figure:

Figure IV: Snort system architecture

When Snort runs, it listens for and captures every packet that passes through it. Captured packets are handed to the packet decoder module, then to the preprocessor module, and then to the detection module. There, depending on whether an intrusion is detected, the packet is either dropped (allowed to pass on) or handed to the logging and alerting module for processing. Once alerts have been determined, the output module emits them in the desired format. Below we look in more detail at the operation and function of each component.

2.2.1 Packet decoder module

Snort uses the pcap library (libpcap) to capture every packet on the network that passes through the system. The following figure describes how an Ethernet packet is decoded:

Figure V: Processing an Ethernet packet

After a packet has been decoded it is passed on to the preprocessor module.

2.2.2 Preprocessor module

The preprocessor module is very important for any IDS, because it prepares the data packet for analysis by the detection module. The three main tasks of these modules are:
- Packet reassembly: when a large amount of data is sent, the information is not packed into a single packet but fragmented, the original packet being split into several packets before sending. When Snort receives these packets it must reassemble them to recover the original data before any further processing can take place. As we know, during a session many packets are exchanged. A single packet has no state, and intrusion detection that relied on individual packets alone would not be very effective. The stream preprocessor lets Snort understand the different sessions (in other words, it gives the packets state), and so makes intrusion detection more effective.
- Protocol decoding and normalization (decode/normalize): signature-based intrusion detection often fails when checking protocols whose data can be expressed in many different forms. For example, a web server may accept many forms of a URL: URLs written in hex or Unicode encoding, URLs using \ as well as /, or several of these characters in a row. Suppose we have the signature scripts/iisadmin; an attacker can evade it by tailoring the requests sent to the web server as follows:
  scripts/./iisadmin
  scripts/examples/../iisadmin
  scripts\iisadmin
  scripts/.\iisadmin
or by encoding these strings in some other form. If Snort simply compared the data with the signature, intrusion attempts would be missed. Therefore some of Snort's preprocessor modules have the task of decoding, correcting and reordering this input so that when it reaches the detection module the intrusion can be detected without being missed. Snort currently supports decoding and normalization for the protocols telnet, http, rpc and arp.
- Detecting anomalous intrusions (non-rule/anomaly): preprocessor plugins of this kind are used to deal with intrusions that cannot, or can only with difficulty, be detected by ordinary rules, or with abnormal behavior within a protocol. Such preprocessors may detect intrusions in any way we can devise, and so add capability to Snort. For example, a preprocessor plugin may measure network throughput under normal conditions and, when abnormal throughput occurs, compute, detect and raise an alert (intrusion detection by a statistical model). The current version of Snort ships with two plugins for detecting such anomalous intrusions: portscan and bo (Back Orifice). Portscan raises an alert when an attacker scans the system's ports looking for vulnerabilities. Bo raises an alert when the system is infected with the Back Orifice trojan and a remote attacker connects to it to execute commands remotely.

2.2.3 Detection module

This is Snort's most important module. It is responsible for detecting signs of intrusion. The detection module uses predefined rules and compares them with the collected data to determine whether an intrusion has taken place; only then can it carry out tasks such as logging, generating alerts and outputting information. A very important issue in the detection module is the time taken to process packets: an IDS usually receives a great many packets and itself has a great many rules to evaluate. Different packets may take different amounts of time to process, and when network throughput is very high packets may be missed or the response may come too late. The processing capacity of the detection module depends on factors such as the number of rules, the speed of the system running Snort, and the load on the network. Some experiments show that the current version of Snort, when optimized and run on a multiprocessor system with a fairly powerful configuration, can work well even on gigabit networks. The detection module can also separate the parts of a packet and apply rules to any one of them. These parts are:
- IP header
- Transport-layer header: TCP, UDP
- Application-layer header: DNS header, HTTP header, FTP header, ...
- Packet payload (rules can also be applied to the data carried by the packet)
Another issue in the detection module is what to do when a packet is matched by several rules. Since Snort rules have a priority order, when a packet is matched by several different rules the alert produced is the one belonging to the rule with the highest priority.
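The normalization step described under 2.2.2 is easiest to see with the page's own evasions. The Python program below is an added illustration written for this page, not Snort's http_inspect preprocessor: it canonicalizes a request path (percent and %u decoding repeated a bounded number of times, backslash to slash, repeated separators collapsed, . and .. resolved, case folded) and then shows that a naive substring check misses every variant of scripts/iisadmin while the check after normalization catches them all. The list of evasion paths is constructed for the example, and the decisions to fold case and to decode repeatedly assume an IIS-style target that behaves the same way.

```python
"""URI path normalization before signature matching (illustration, not Snort's code)."""
import posixpath
import re
from urllib.parse import unquote

MAX_DECODE_PASSES = 3   # bound repeated decoding so %25%32%35... cannot loop forever


def _decode_escapes(s):
    """Undo %XX and IIS-style %uXXXX escapes, repeating to defeat double encoding."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        decoded = unquote(decoded)
        if decoded == s:
            break
        s = decoded
    return s


def normalize_uri_path(raw, case_insensitive=True):
    """Canonical form of a request path: decoded, '\\' -> '/', runs of '/' collapsed,
    '.' and '..' segments resolved and, for case-insensitive targets, lower-cased."""
    path = raw.partition("?")[0]            # the query string is not part of the path
    path = _decode_escapes(path)
    path = path.replace("\\", "/")
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)
    return path.lower() if case_insensitive else path


def check_requests(signature, paths):
    """For each path: (path, naive substring hit, hit after normalization)."""
    sig = signature.lower()
    return [(p, signature in p, sig in normalize_uri_path(p)) for p in paths]


# Constructed evasions of the page's example signature "scripts/iisadmin".
EVASIONS = [
    "scripts/./iisadmin",
    "scripts/examples/../iisadmin",
    "scripts\\iisadmin",
    "scripts/.\\iisadmin",
    "/scripts/%69%69sadmin",        # hex-encoded characters
    "scripts%252Fiisadmin",         # double-encoded slash
    "SCRIPTS//IISadmin",            # case and repeated separators
]


if __name__ == "__main__":
    for path, raw_hit, norm_hit in check_requests("scripts/iisadmin", EVASIONS):
        print("%-32s raw=%-5s normalized=%s" % (path, raw_hit, norm_hit))
```

The caveat a practitioner must keep in mind is that the normalizer has to reproduce the target server's own interpretation: decoding twice or folding case for a server that does neither creates false positives, and decoding less than the server does recreates the evasion. This is why Snort's HTTP preprocessor is configured per server profile rather than with one fixed set of transformations.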

2.2.4 Logging and alerting module

Depending on whether the detection module has identified an intrusion, the packet may be logged or an alert raised. Log files are text files whose data can be written in a number of formats, for example tcpdump format.

2.2.5 Output module

This module can perform different operations depending on how you want the results stored. Depending on the system configuration it can:
- Write to a log file.
- Write to syslog: syslog is a standard for storing log files that is widely used on Unix and Linux systems.
- Write alerts to a database.
- Produce XML log files: logging in XML is very convenient for exchanging and sharing data.
- Reconfigure routers and firewalls.
- Send alerts packaged in SNMP packets. These SNMP packets are sent to an SNMP server, which helps manage the alerts and the IDS centrally and more conveniently.
- Send SMB (Server Message Block) messages to Windows machines.
If none of these output methods is satisfactory, you can write your own output modules for your own purposes.

2.3 The Snort rule set

2.3.1 Introduction

Like viruses, most attacks and intrusions have their own signatures. Information about these signatures is used to build Snort rules. Usually honeypots are set up to learn what attackers do, as well as to gather information about the tools and techniques they use. Conversely, there are also databases of security vulnerabilities that attackers want to exploit. These known attack forms are used as signatures to detect intrusion attacks. Signatures may appear in the packet header or in the packet payload. Snort's detection system works on rules, and these rules are in turn based on attack signatures. Rules can be applied to all the different parts of a data packet. A rule can be used to generate an alert message, to log a message, or to ignore a packet.

2.3.2 Structure of a Snort rule

Consider a simple example:

alert tcp 192.168.2.0/24 23 -> any any (content:"confidential"; msg:"Detected confidential";)

We see that a rule has the following structure:

Figure VI: Structure of a Snort rule

Explanation:

Every Snort rule logically consists of two parts: the header and the options. The header contains the action the rule takes when it detects an intrusion in a packet, and the criteria for applying the rule to a packet. The options part contains an alert message and information about which parts of the packet are used to build the alert; it also contains additional criteria for matching the rule against the packet. A rule can detect one or more probing or attack activities; well-written rules can cover several intrusion signatures. Below is the general structure of the header of a Snort rule:
Figure VII: Snort rule header

- Action: specifies what is done when the characteristics of a packet are positively identified by the rule. Usually the action generates an alert or a log message, or activates another rule.
- Protocol: restricts the rule to packets of one particular protocol, for example IP, TCP or UDP.
- Address: the source and destination addresses. An address can be a single host, several hosts or a network. Of the two address fields one is the source and one the destination; which is which is determined by the Direction part (->).
- Port: the source and destination ports of the packets to which the rule applies.
- Direction: indicates which address is the source and which the destination.

Example:

alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)

The part before the opening parenthesis is the rule header; the rest is the options. The header in detail:
- The rule action here is alert: an alert is generated if the packet's conditions match the rule (the packet is always logged whenever an alert is generated).
- The rule's protocol is ICMP, so the rule applies only to ICMP packets. If a packet is not ICMP, the rest of the rule need not be checked at all.
- The source address is any, so the rule applies to packets from every source; the port is also any, and for ICMP packets the port is meaningless anyway. Port numbers are meaningful only for TCP and UDP packets.
- The options in parentheses state that an alert containing the text "Ping with TTL=100" is generated when the condition TTL=100 is found. TTL (Time To Live) is a field of the IP header.

2.3.2.1 Header

As described above, the rule header consists of several parts. Here are the details of each part.
Rule action (Rule Action)

This is the first part of the rule; it specifies what is done when the rule's conditions are met. The action is taken if and only if all of the conditions match. Five actions are predefined, but you can also create your own actions to suit your needs. In earlier versions of Snort, when several rules matched a packet only one rule was applied: after the first rule had been applied, subsequent rules were no longer applied to that packet. In later versions all matching rules are applied to the packet.
- Pass: tells Snort to ignore the packet. This plays an important role in speeding Snort up when checks should not be applied to certain packets. For example, if a honeypot (placed on some machine) is used to lure attackers, all packets to that machine must be let through; or, when a scanner is used to test the security of your own network, all packets from the scanning machine should be skipped.
- Log: logs the packet. It can be logged to a file or to a database, depending on your needs.
- Alert: sends an alert message when an intrusion signature is detected. The message can be delivered in many ways, for example to a file or to a console. After the alert is sent the packet is, of course, logged as well.
- Activate: generates an alert and activates another rule to check further conditions of the packet.
- Dynamic: marks a rule that is invoked by other rules whose action is Activate.
- User-defined actions: a new action is defined with the following structure:

ruletype action_name
{
    action definition
}

ruletype is a keyword. The action is defined inside the braces by a type line (which built-in action the new one behaves like) followed by one or more output lines naming the output modules that receive the event. For example:

ruletype smb_db_alert
{
    type alert
    output alert_smb: workstation.list
    output database: log, mysql, user=test password=test dbname=snort host=localhost
}

This defines an action named smb_db_alert that sends alert messages as SMB pop-up windows to the machines listed in the file workstation.list and also writes them to the MySQL database named snort.
Protocols

This is the second part of a rule; it specifies the type of packet the rule applies to. Snort currently understands the following protocols: IP, ICMP, TCP and UDP. If the protocol is IP, Snort checks the link-layer header to determine the packet type; for any other protocol, Snort uses the IP header to determine the protocol. The protocol only plays a role in the criteria of the rule header. The options part of the rule may contain conditions that have nothing to do with the protocol.
Address

There are two address parts in a Snort rule, used to check the source and the destination of a packet. An address can be a single IP address or a network. The keyword any applies the rule to every address. A network is written as an address followed by a slash and the number of bits in the subnet mask (CIDR notation). For example, 192.168.2.0/24 denotes the network 192.168.2.0 with a 24-bit subnet mask, that is 255.255.255.0 (a class C network in the older classful terms). Recall:
- a 24-bit subnet mask corresponds to a class C network
- a 16-bit subnet mask corresponds to a class B network
- an 8-bit subnet mask corresponds to a class A network
- a 32-bit subnet mask denotes a single IP address.
Of the two addresses in a Snort rule, one is the source and the other the destination; which is which depends on the direction part. For example, the rule

alert tcp any any -> 192.168.1.10/32 80 (msg:"TTL=100"; ttl:100;)

generates an alert for every packet from any source with TTL = 100 that is addressed to the web server 192.168.1.10 on port 80.
Address negation (excluding addresses)

Snort lets you exclude addresses with the negation sign (!). Placed in front of an address, it tells Snort to match only packets that do not come from (or go to) that address. For example, the following rule applies to all packets except those originating from the class C network 192.168.2.0:

alert icmp ![192.168.2.0/24] any -> any any (msg:"Ping with TTL=100"; ttl:100;)
Address lists

You can specify a list of addresses in a rule. For example, to apply the rule to all packets except those originating from the two class C networks 192.168.2.0 and 192.168.8.0:

    alert icmp ![192.168.2.0/24,192.168.8.0/24] any -> any any (msg: "Ping with TTL=100"; ttl: 100;)

The square brackets are required whenever more than one address is listed, with or without the negation; a single address may be written without them.
Port number

The port number applies the rule to packets coming from or going to a particular port or range of ports. For example, a source port of 23 applies the rule to all packets coming from a Telnet server. The word any stands for all ports. Note that port numbers are only meaningful for the TCP and UDP protocols; if the rule's protocol is ip or icmp, the port fields play no role. Example:

    alert tcp 192.168.2.0/24 23 -> any any (content: "confidential"; msg: "Detected confidential";)

Port numbers are useful when a rule should apply only to one kind of traffic. For instance, a rule against attacks on a web server need only watch port 80.
Port ranges

A rule can apply to a range of ports instead of a single port. The first and last ports of the range are separated by a colon (:). Example:

    alert udp any 1024:2048 -> any any (msg: "UDP ports";)

A range may also be open at one end, giving only the lower or only the upper bound: 1024: means port 1024 and above, :2048 means port 2048 and below. Negation applies to ports as well; the following rule logs all UDP packets except those with source port 53:

    log udp any !53 -> any any

Some well-known ports of common services:

    20    FTP data
    21    FTP
    22    SSH
    23    Telnet
    25    SMTP
    53    DNS
    80    HTTP
    110   POP3
    161   SNMP
    443   HTTPS
    3306  MySQL
Direction

The direction field indicates which side is the source and which the destination. It is either -> (the left side is the source, the right side the destination) or <> (bidirectional: the rule matches traffic in both directions, used when both the client and the server side of a session must be examined). Snort has no <- operator; to match the reverse direction, swap the two sides of the rule.
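The header syntax above (actions, protocols, addresses with negation and lists, single ports, ranges and open-ended ranges, and the two directions) can be exercised with the following Python parser and matcher. It is an added example written for this report, not code from Snort or from the original document; the packet representation (a dict with proto, src, sport, dst and dport) and the test packets are constructed for it, and the rules it uses are the document's own header examples.

```python
import ipaddress

# Added example: parser and matcher for the Snort rule header
# (action, protocol, addresses, ports, direction). Packets are plain
# dicts constructed for this example; this is not Snort's own code.


def _tokenize_header(header):
    """Split the rule header into its 7 fields, keeping [a, b] lists
    together even when (as in this document) they contain spaces."""
    tokens, i, n = [], 0, len(header)
    while i < n:
        if header[i].isspace():
            i += 1
            continue
        if header[i] == '[' or header.startswith('![', i):
            j = header.index(']', i) + 1
        else:
            j = i
            while j < n and not header[j].isspace():
                j += 1
        tokens.append(header[i:j])
        i = j
    return tokens


def parse_addr(spec):
    """any, a CIDR, or [a, b, ...]; a leading ! negates the whole field."""
    negate = spec.startswith('!')
    body = spec.lstrip('!').strip('[]')
    if body == 'any':
        return negate, None
    return negate, [ipaddress.ip_network(a.strip(), strict=False)
                    for a in body.split(',')]


def parse_port(spec):
    """any, a single port, lo:hi, lo: or :hi; a leading ! negates it."""
    negate = spec.startswith('!')
    body = spec.lstrip('!')
    if body == 'any':
        return negate, None
    if ':' in body:
        lo, hi = body.split(':', 1)
        return negate, (int(lo) if lo else 0, int(hi) if hi else 65535)
    return negate, (int(body), int(body))


def parse_rule(text):
    head = text.partition('(')[0]        # the options part is ignored here
    tok = _tokenize_header(head)
    if len(tok) != 7 or tok[4] not in ('->', '<>'):
        raise ValueError('malformed rule header: %r' % head)
    action, proto, src, sport, direction, dst, dport = tok
    return {'action': action, 'proto': proto.lower(), 'dir': direction,
            'src': parse_addr(src), 'sport': parse_port(sport),
            'dst': parse_addr(dst), 'dport': parse_port(dport)}


def _addr_ok(parsed, ip):
    negate, nets = parsed
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negate


def _port_ok(parsed, port):
    negate, rng = parsed
    hit = rng is None or (port is not None and rng[0] <= port <= rng[1])
    return hit != negate


def header_matches(rule, pkt):
    """A rule on protocol ip applies to every IP packet; ports are only
    checked for tcp and udp; '<>' also tries the two sides swapped."""
    if rule['proto'] != 'ip' and rule['proto'] != pkt['proto']:
        return False
    use_ports = rule['proto'] in ('tcp', 'udp')

    def one_way(a, ap, b, bp):
        ok = _addr_ok(rule['src'], a) and _addr_ok(rule['dst'], b)
        if ok and use_ports:
            ok = _port_ok(rule['sport'], ap) and _port_ok(rule['dport'], bp)
        return ok

    if one_way(pkt['src'], pkt['sport'], pkt['dst'], pkt['dport']):
        return True
    return rule['dir'] == '<>' and one_way(pkt['dst'], pkt['dport'],
                                           pkt['src'], pkt['sport'])


def matching_actions(rules, pkt):
    """Actions of every rule string whose header matches the packet."""
    return [r['action'] for r in map(parse_rule, rules) if header_matches(r, pkt)]


# The document's own header examples, plus one bidirectional rule.
RULES = [
    'alert tcp any any -> 192.168.1.10/32 80 (msg: "TTL=100"; ttl: 100;)',
    'alert icmp ![192.168.2.0/24, 192.168.8.0/24] any -> any any (msg: "Ping";)',
    'log udp any !53 -> any any',
    'alert udp any 1024:2048 -> any any (msg: "UDP ports";)',
    'alert tcp 192.168.1.0/24 any <> any 80 (msg: "web session";)',
]

if __name__ == '__main__':
    web = {'proto': 'tcp', 'src': '10.0.0.5', 'sport': 40000,
           'dst': '192.168.1.10', 'dport': 80}
    print(matching_actions(RULES, web))
```

Running the script prints ['alert'] for the constructed packet to the web server; the <> rule only matches that session when the client side is inside 192.168.1.0/24, in either direction.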

2.3.2.2 Rule options

The rule options follow the rule header and are enclosed in parentheses. When there are several options they are separated by semicolons (;), and all of them must be satisfied at the same time, i.e. the options are combined with a logical AND. Each option is introduced by a keyword; many options also take an argument. In general an option consists of a keyword and an argument separated by a colon, for example:

    msg: "Detected confidential";

where msg is the keyword and "Detected confidential" is the argument. The most important options of Snort rules are described below.
The ack keyword

The TCP header contains a 32-bit Acknowledgement Number field, which carries the next sequence number that the sender of the packet expects to receive. The field is only meaningful when the ACK flag is set. Tools such as Nmap exploit this to ping a host: they send a TCP packet to, say, port 80 with the ACK flag set and an acknowledgement number of 0. The receiver sees an invalid packet and replies with an RST; when Nmap receives the RST, it knows the target is alive. This method still works against hosts that do not answer ICMP ECHO REQUEST pings. To detect this kind of TCP ping you can use the rule:

    alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg: "TCP ping detected";)
The classtype keyword

Rules can be classified and assigned a priority so that they can be told apart. To understand this keyword you first need the file classification.config (included from snort.conf with the include keyword). Each line of classification.config has the syntax:

    config classification: name, description, priority

where:

- name is the classification name, used with the classtype keyword in Snort rules;
- description describes the class;
- priority is the default priority of the class; it can be overridden with the priority keyword in the rule options.

Example:

    config classification: DoS, Denial of Service Attack, 2

and in the rules:

    alert udp any any -> 192.168.1.0/24 6838 (msg: "DoS"; content: "server"; classtype: DoS;)
    alert udp any any -> 192.168.1.0/24 6838 (msg: "DoS"; content: "server"; classtype: DoS; priority: 1;)

The second rule overrides the default priority of the class defined above.
The content keyword

An important feature of Snort is its ability to search for a data pattern inside a packet. The pattern may be an ASCII string or a binary string written as hexadecimal characters. Just like viruses, attacks have recognisable signatures, and the content keyword is used to find them inside the packet. Example:

    alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content: "GET"; msg: "GET match";)

This rule searches for the pattern GET in the payload of all TCP packets coming from the network 192.168.1.0/24 and going to addresses outside it. The word GET is very common in HTTP attacks. The same rule with the pattern written in hexadecimal is:

    alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content: "|47 45 54|"; msg: "GET match";)

Note that 0x47 is the ASCII code of G, 0x45 of E and 0x54 of T. Both forms may be mixed in one content string, but the hexadecimal part must be enclosed between a pair of | characters. Keep in mind that content matching is computationally expensive, so think carefully before using many rules that match on content. Several content keywords may appear in the same rule to find several signatures in the same packet. Three other keywords are commonly used together with content to narrow the search:

offset: the position, counted from the beginning of the packet payload, at which the search for the content string starts. The following rule searches for HTTP starting 4 bytes into the payload:

    alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; msg: "HTTP matched";)

depth: the number of bytes, counted from the offset (or from the start of the payload if no offset is given), within which the whole pattern must be found; the search stops there. It is often combined with offset and saves search time when the payload is large. Example:

    alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; depth: 40; msg: "HTTP matched";)

content-list: takes a file name; the file is a text file listing the strings to search for in the payload, one per line. For example, if the file test contains the lines

    test
    Snort
    NIDS

then the rule

    alert tcp 192.168.1.0/24 any -> any any (content-list: "test"; msg: "This is my Test";)

matches any packet that contains one of them. The negation character ! before the file name makes the rule alert on packets that contain none of the strings in the file. Note that content-list is an older keyword and is not available in current Snort versions.
The dsize keyword

Matches on the length of the packet payload. Many buffer-overflow attacks send packets with unusually large payloads; with this keyword you can compare the payload size against a number:

    alert ip any any -> 192.168.1.0/24 any (dsize: >6000; msg: "Large packet";)

dsize is evaluated on a single packet, so on an Ethernet link with a 1500-byte MTU a threshold of 6000 bytes is only reached by packets reassembled by the defragmentation preprocessor or carried in jumbo frames.
The flags keyword

This keyword checks which flag bits are set in the TCP header of the packet. Each flag can be used as an argument of the flags keyword. The flags and the characters that represent them in a Snort rule are:

    Flag                    Character in the rule
    FIN (Finish)            F
    SYN (Synchronize)       S
    RST (Reset)             R
    PSH (Push)              P
    ACK (Acknowledge)       A
    URG (Urgent)            U
    Reserved bit 1          1
    Reserved bit 2          2
    No flag set             0

Table: flags used with the flags keyword

The modifiers +, * and ! change how the listed bits are compared: + matches when all the listed bits are set, whatever the other bits are (AND); * matches when any of the listed bits is set (OR); ! matches when none of the listed bits is set (NOT). Without a modifier the listed bits must match exactly. For example, the following rule detects a scan using TCP SYN-FIN packets:

    alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "SYN-FIN packet detected";)
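The following Python example, added here and not part of Snort or of the original document, evaluates the ack, content (with offset, depth and |hex| bytes), dsize and flags options described above against constructed packets, using the values from the rules in this section. Packets are plain dicts holding the payload bytes, the TCP flag bits and the acknowledgement number; the flags modifier is accepted on either side of the letters.

```python
import re

# Added example (not Snort's code): evaluating ack, content/offset/depth,
# dsize and flags against constructed packets. A packet is a dict with
# 'payload' (bytes), 'flags' (TCP flag bits) and 'ack' (ack number).

FLAG_BITS = {'F': 0x01, 'S': 0x02, 'R': 0x04, 'P': 0x08,
             'A': 0x10, 'U': 0x20, '1': 0x40, '2': 0x80}


def parse_content(spec):
    """'GET', '|47 45 54|' or a mix such as 'GE|54|' -> bytes.
    Text between a pair of | characters is hex, the rest literal ASCII."""
    parts = spec.split('|')
    if len(parts) % 2 == 0:
        raise ValueError('unbalanced | in content: %r' % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode('ascii')
    return bytes(out)


def content_match(payload, pattern, offset=0, depth=None):
    """offset: where in the payload the search starts; depth: how many
    bytes from there are searched (the whole pattern must fit inside)."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end) != -1


def parse_flags(spec):
    """Letters from the table plus an optional modifier: + (all listed bits
    set, others ignored), * (any listed bit set), ! (no listed bit set);
    no modifier means an exact match."""
    m = re.fullmatch(r'([+*!]?)([FSRPAU120]+)([+*!]?)', spec.strip())
    if not m or (m.group(1) and m.group(3)):
        raise ValueError('bad flags spec %r' % spec)
    mask = 0
    for ch in m.group(2):
        mask |= FLAG_BITS.get(ch, 0)       # '0' adds nothing: "no flags"
    return mask, m.group(1) or m.group(3)


def flags_match(tcp_flags, spec):
    mask, mod = parse_flags(spec)
    if mod == '+':
        return tcp_flags & mask == mask
    if mod == '*':
        return tcp_flags & mask != 0
    if mod == '!':
        return tcp_flags & mask == 0
    return tcp_flags == mask


def evaluate(options, pkt):
    """options: {'dsize': (op, n), 'flags': spec, 'ack': n,
    'content': [(spec, offset, depth), ...]}; every option given must hold
    (the options of a rule are ANDed together)."""
    if 'dsize' in options:
        op, n = options['dsize']
        size = len(pkt['payload'])
        if not {'>': size > n, '<': size < n, '=': size == n}[op]:
            return False
    if 'flags' in options and not flags_match(pkt['flags'], options['flags']):
        return False
    if 'ack' in options and pkt.get('ack') != options['ack']:
        return False
    for spec, offset, depth in options.get('content', []):
        if not content_match(pkt['payload'], parse_content(spec), offset, depth):
            return False
    return True


# Constructed sample packets, not real captures.
HTTP_GET = {'payload': b'GET /index.html HTTP/1.0\r\n',
            'flags': FLAG_BITS['A'] | FLAG_BITS['P'], 'ack': 12345}
TCP_PING = {'payload': b'', 'flags': FLAG_BITS['A'], 'ack': 0}
SYN_FIN = {'payload': b'', 'flags': FLAG_BITS['S'] | FLAG_BITS['F'], 'ack': 0}


def demo():
    """The option examples of this section applied to the sample packets."""
    return {
        'GET, hex form': evaluate({'content': [('|47 45 54|', 0, None)]}, HTTP_GET),
        'HTTP from offset 4': evaluate({'content': [('HTTP', 4, 40)]}, HTTP_GET),
        'HTTP in first 4 bytes': evaluate({'content': [('HTTP', 0, 4)]}, HTTP_GET),
        'TCP ping (flags A, ack 0)': evaluate({'flags': 'A', 'ack': 0}, TCP_PING),
        'TCP ping on real data': evaluate({'flags': 'A', 'ack': 0}, HTTP_GET),
        'SYN-FIN scan': evaluate({'flags': 'SF'}, SYN_FIN),
        'payload over 6000': evaluate({'dsize': ('>', 6000)}, HTTP_GET),
    }


if __name__ == '__main__':
    for name, hit in demo().items():
        print('%-28s %s' % (name, hit))
```

The HTTP sample shows why depth matters: with depth 4 the string HTTP cannot be found because it begins at byte 16 of the payload, while offset 4 with depth 40 reaches it; the ACK-ping rule does not fire on ordinary data segments because the exact-match flags A rejects the PSH bit and the acknowledgement number is non-zero.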

The fragbits keyword

The IP header contains three bits used for fragmenting and reassembling IP packets:

- Reserved Bit (RB): reserved for future use;
- Don't Fragment Bit (DF): if set, the packet must not be fragmented;
- More Fragments Bit (MF): if set, further fragments of the packet are still on their way; if clear, this is the last fragment (or the only one).

Fragmentation exists because the sender may have to split an IP packet into smaller pieces depending on the Maximum Transmission Unit (MTU) of the path: a packet may not exceed that maximum size. The MF bit lets the receiver reassemble the pieces into a complete packet. These bits are sometimes used by attackers to attack or gather information about your network; for example, the DF bit can be used to discover the smallest and largest MTU on the path from the source to the destination. With fragbits you can check whether these bits are set. The following rule detects ICMP packets with the DF bit set:

    alert icmp any any -> 192.168.1.0/24 any (fragbits: D; msg: "Don't Fragment bit set";)

In this rule D stands for the DF bit; R is used for the reserved bit and M for the MF bit. The negation character ! checks that a bit is not set:

    alert icmp any any -> 192.168.1.0/24 any (fragbits: !D; msg: "Don't Fragment bit not set";)

2.4 Snort's blocking mode: Snort Inline

2.4.1 Adding blocking capability to Snort

Snort-inline is a development branch of Snort initiated and led by William Metcalf. Since Snort 2.3.0 RC1, inline mode has been integrated into the official release from snort.org. This turned Snort from a pure IDS into a system with the capabilities of an IPS, although the mode is optional rather than the default. The idea of inline mode is to bring the blocking capability of iptables into Snort. This is done by modifying the detection and processing modules so that Snort can interact with iptables: packets are captured through Netfilter, and libpcap is replaced by ip_queue and the libipq library. iptables hands packets to Snort with its QUEUE target, and Snort's blocking decision is returned through libipq as the verdict on each queued packet.

2.4.2 Additions to the Snort rule syntax for inline mode

To support blocking in Snort-inline, some changes and additions were made to the Snort rule language: three new actions, drop, sdrop and reject, and a new order of precedence among rules.

drop: asks iptables to drop the packet and logs it, as the log action does.

sdrop: like drop, except that Snort does not log the packet (silent drop).

reject: asks iptables to drop the packet, logs it, and sends a response to the sender: a TCP reset for TCP, or an ICMP port unreachable message for UDP.

Rule precedence: in the original versions, the order in which Snort applies actions is:

    activation -> dynamic -> alert -> pass -> log

In inline mode the order becomes:

    activation -> dynamic -> pass -> drop -> sdrop -> reject -> alert -> log

so that a pass rule can whitelist traffic before any blocking rule is considered.
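To see what the two orders mean in practice, the following Python example (added here; neither Snort's code nor the document's) resolves the actions of all rules that matched one packet under each order and reports whether the packet is forwarded and whether anything is logged. The scenario is constructed: a drop rule for scan packets and a pass rule whitelisting the organisation's own scanner host both match the scanner's probes.

```python
# Added example (not Snort's code): resolving the rule-action precedence
# when several rules match one packet, under the classic and the inline order.

CLASSIC_ORDER = ['activation', 'dynamic', 'alert', 'pass', 'log']
INLINE_ORDER = ['activation', 'dynamic', 'pass', 'drop', 'sdrop',
                'reject', 'alert', 'log']

BLOCKING = {'drop', 'sdrop', 'reject'}
LOGGING = {'activation', 'drop', 'reject', 'alert', 'log'}  # sdrop, pass: no log


def first_action(actions, order):
    """actions: the actions of every rule whose conditions matched the packet.
    Snort applies the rule whose action comes first in `order`; actions the
    engine does not know in that mode (drop outside inline mode) are ignored."""
    present = set(actions)
    for act in order:
        if act in present:
            return act
    return None


def verdict(actions, order):
    act = first_action(actions, order)
    return {'action': act,
            'forwarded': act not in BLOCKING,
            'logged': act in LOGGING}


def demo():
    """Constructed scenario: the scanner host matches a drop rule, a pass
    rule (its whitelist) and an alert rule; an outside attacker matches the
    drop and alert rules only."""
    scanner_probe = ['drop', 'pass', 'alert']
    attacker_probe = ['drop', 'alert']
    return {
        'scanner, classic order': verdict(scanner_probe, CLASSIC_ORDER),
        'scanner, inline order': verdict(scanner_probe, INLINE_ORDER),
        'attacker, inline order': verdict(attacker_probe, INLINE_ORDER),
    }


if __name__ == '__main__':
    for name, v in demo().items():
        print(name, v)
```

Under the classic order the alert rule wins over the pass rule, so the whitelist does not silence the alert (Snort's -o switch changes the classic order to pass -> alert -> log for exactly this reason); under the inline order pass comes first, which is what lets the scanner be whitelisted before the drop rule is considered, while an sdrop match blocks without leaving a log entry.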

CHAPTER III: INSTALLING AND CONFIGURING SNORT ON CENTOS, AND TESTING THE RESPONSE OF SNORT IDS/IPS

3.1 OVERVIEW OF THE INSTALLATION

3.1.1 Install the required packages

- Install the following dependencies: mysql, mysql-bench, mysql-server, mysql-devel, yum-utils, php-mysql, httpd, gcc, pcre-devel, php-gd, gd, distcache-devel, mod_ssl, glib2-devel, gcc-c++, libpcap-devel, php, php-pear.
- Each is installed with: yum install <package>
- Some packages needed by Snort must be compiled from source (libnet, libdnet, daq, pcre, snort_inline, BASE, adodb):

    # cd /tmp
    # wget http://www.filewatcher.com/m/libnet-.0.2a.tar.gz.140191.0.0.html
    # wget http://code.google.com/p/libdnet/downloads/detail?name=libdnet1.12.tgz&can=2&q=
    # wget http://sourceforge.net/projects/adodb/files/adodb-php-4-and-5/adodb4991-for-php/adodb4991.tgz/download
    # wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz

  (The first three addresses are download pages rather than the archives themselves; the tarballs have to be fetched through the links on those pages.) Download snort_inline from http://snort-inline.sourceforge.net/download.html and BASE from http://sourceforge.net/projects/secureideas/files/.

- After downloading, compile each package. In the commands below, && means that the next command only runs if the previous one succeeded.

  + Build libnet:

    cd /tmp                                (change into /tmp)
    tar xvzf libnet-1.0.2a.tar.gz          (unpack libnet)
    cd Libnet-1.0.2a                       (enter the directory just unpacked)
    ./configure && make && make install    (configure, compile and install libnet)

  + Build libdnet:

    cd /tmp
    tar xvzf libdnet-1.12.tgz
    cd libdnet-1.12
    ./configure && make && make install

  + Build daq:

    cd /tmp
    tar zxvf daq-0.3.tar.gz
    cd daq-0.3
    ./configure && make && make install

  + Build pcre:

    cd /tmp
    tar xvzf pcre-7.9.tar.gz
    cd pcre-7.9
    ./configure && make && make install

  + Build snort_inline with MySQL output support:

    cd /tmp
    tar -xvzf snort_inline-2.4.5a.tar.gz
    cd snort_inline-2.4.5a
    ./configure --with-mysql && make && make install

  + Set a password for the MySQL root account:

    # mysqladmin -u root password new_root_password

  + Create the database:

    # mysql -u root -p
    mysql> create database snort;

  + Grant the snort account full rights on the snort database:

    mysql> grant all on snort.* to snortuser@localhost identified by 'snortpassword';

  + Create Snort's tables from the schema shipped in the snort_inline source tree (schemas/create_mysql); without them the database output plugin has nowhere to write:

    # mysql -u root -p snort < /tmp/snort_inline-2.4.5a/schemas/create_mysql

  + Configure alerts to be written to the MySQL database:

    # nano /etc/snort_inline/snort_inline.conf

  and edit the output line to read:

    output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost

  With that, the installation of snort_inline is complete. To display and manage the alerts conveniently, BASE and adodb are installed as well.

  + Install BASE:

    # tar -xvzf base-1.4.5.tar.gz
    # mv /tmp/base-1.4.5 /var/www/html/base

  + Install adodb (use whatever directory name tar actually creates):

    # tar -xvzf adodb4991.tgz
    # mv /tmp/adodb4991 /var/www/html/adodb

  + Configure BASE:

    # mv /var/www/html/base/base_conf.php.dist /var/www/html/base/base_conf.php

  and set the following variables (the adodb path must be the directory adodb was moved to above, and the string values must be quoted):

    $DBlib_path = "/var/www/html/adodb";
    $DBtype = "mysql";
    $alert_dbname = "snort";
    $alert_host = "localhost";
    $alert_port = "";
    $alert_user = "snortuser";
    $alert_password = "snortpassword";
    $archive_dbname = "snort";
    $archive_host = "localhost";
    $archive_port = "";
    $archive_user = "snortuser";
    $archive_password = "snortpassword";

  + Install the following packages so that BASE can draw graphs:

    # pear install --force Image_Color
    # pear install --force Image_Canvas
    # pear install --force Image_Graph

  + Install webmin for easier administration:

    # yum install webmin

  After webmin is installed, start the services:

    # service httpd start
    # service mysqld start

  Webmin is then reachable at https://localhost.localdomain:10000

All of Snort's configuration is stored in the file snort.conf, which has four parts: the definition of the variables describing the network; the configuration of the preprocessor modules; the configuration of the output modules; and the configuration of the rule set in use. The contents and meaning of each part are described below.

3.1 Defining variables

Snort lets you define variables holding network parameters, in the form:

    var <name> <value>

Such a variable is referenced as $<name> throughout the rest of the configuration file and the rule files. For example, after

    var MY_NET 192.168.1.0/24

every occurrence of $MY_NET in the configuration file and in the rule files is replaced by 192.168.1.0/24.

3.2 Configuring the preprocessor modules

Preprocessor configuration lines have the form:

    preprocessor <name>: <options>

where name and options depend on the particular preprocessor plugin. For example, the portscan detection plugin written by Patrick Mullen is configured as:

    preprocessor portscan: 192.168.0.1/24 5 7 /var/log/portscan.log

where 192.168.0.1/24 is the network monitored for port scans, 5 is the number of ports that must be accessed within the time window for the activity to count as a scan, 7 is the length of that window in seconds, and /var/log/portscan.log is the file in which detections are logged.

3.3 Configuring the output modules

Output modules are configured in the same way as preprocessors:

    output <name>: <options>

For example, to have Snort send alerts to the syslog of a machine on the network:

    output alert_syslog: host=192.168.0.1:514, LOG_AUTH LOG_ALERT

where host gives the IP address and syslog port of the receiving machine (514 is the standard syslog port), and LOG_AUTH and LOG_ALERT are the syslog facility and priority used for the messages. To have Snort write to a database:

    output database: <log | alert>, <database type>, <parameter list>

where log | alert selects what is recorded (log entries or alerts); database type is the kind of database, Snort supporting among others mysql, postgresql and ms sql server; and parameter list holds the parameters for connecting to the database, which depend on the database type. For MySQL the parameter list looks like: dbname=snort user=snort host=localhost password=xyz

3.4 Configuring the rule set

This part names the rule files to be used, with the syntax:

    include $RULE_PATH/<rule file>

For example, to make Snort use the DDoS detection rules, add the line:

    include $RULE_PATH/ddos.rules

Here $RULE_PATH is the variable pointing to the directory that holds the rule files, defined in the variables section, and ddos.rules is the rule file.

3.5 TESTING THE RESPONSE OF SNORT IDS/IPS

Open BASE at http://127.0.0.1/base

At this point there are no alerts yet, because Snort has not been started. Suppose we create a rule with the following signature:

then include it in /etc/snort_inline/snort_inline.conf and start Snort:

    # snort_inline -c /etc/snort_inline/snort_inline.conf -Q

The -Q option makes snort_inline read packets from ip_queue instead of libpcap, so the ip_queue module must be loaded and iptables must send the traffic to be inspected to the QUEUE target (for example iptables -A INPUT -j QUEUE); otherwise Snort receives no packets at all. Then, from another machine, ping the sensor: the pinging machine has address 192.168.1.121 and the IDS machine 192.168.1.111. The result is shown below.

So the Snort IDS works correctly. Next we try the following rule for detecting an nmap port scan:

then include scan.rules in /etc/snort_inline/snort_inline.conf and restart snort_inline. Launch nmap from the attacking machine and scan the ports; the result is shown below. Snort thus acts as an IPS.

Go to the Snort machine and view the result.
