UNIVERSITY OF TECHNOLOGY

FACULTY OF INFORMATION TECHNOLOGY

DEPARTMENT OF NETWORKS AND COMMUNICATIONS

COURSE REPORT

SPECIAL TOPIC II

Topic: EXPLORING AND DEPLOYING THE SNORT SERVICE

Students: o Th M Chu, Phan Th Thu Hng
Group: 78B
Supervisor: Dr. Nguyn Tn Khi

Đà Nẵng, 2011

o Th M Chu & Phan Th Thu Hng, Group 78B

SUPERVISOR'S COMMENTS

Exploring and deploying the SNORT service

TABLE OF CONTENTS
CHAPTER 1. THEORETICAL BACKGROUND
1.1. Introduction
1.1.1. Introduction to IDS
1.1.2. Introduction to SNORT
1.2. Snort architecture
1.2.1. Packet decoder module - Packet Decoder
1.2.2. Preprocessor module - Preprocessors
1.2.3. Detection module - Detection Engine
1.2.4. Logging and alerting module - Logging and Alerting System
1.2.5. Output module - Output Module
1.2.6. Snort run modes
1.3. Snort rule set
1.3.1. Introduction
1.3.2. Snort rule structure
1.3.3. The header
1.3.4. Options
CHAPTER 2. SYSTEM DESIGN AND CONSTRUCTION
2.1. Requirements analysis
2.1.1. Installing server configuration tools
2.1.2. Installing the Bison, Libpcap, Libpcre and LibNet libraries
2.1.3. Installing Snort
2.2. Creating the database that stores alerts
2.3. Configuring Snort
2.3.1. Creating the group and user that run Snort
2.3.2. Creating rules for Snort
2.4. Installing BASE
CHAPTER 3. DEPLOYMENT AND EVALUATION OF RESULTS
3.1. Deployment environment
3.2. Some results of the program's functions
3.3. Evaluation and remarks

LIST OF ABBREVIATIONS

LIST OF TABLES

LIST OF FIGURES

PROJECT OVERVIEW
1. Context and reasons for carrying out the project

Alongside their rapid development and powerful capabilities, the problems of information systems give us no small number of headaches, and among them the sensitive issue of information security draws ever more of our attention. We need to strengthen information security against data loss caused by security holes or by attacks from hackers, viruses and trojans.
One of the solutions that can best address this problem is deploying an Intrusion Detection System (IDS). The two main requirements when deploying an IDS are cost and the ability to respond flexibly to the rapid development of information technology, and SNORT satisfies both requirements very well.
Having seen the functions of the Snort service, we chose the topic "Exploring and deploying the Snort service" as our course project.

2. Project methodology

- Study the related documentation for the Ubuntu operating system.
- Study documentation related to Snort (concepts, functions, rules, installation).
- Install and configure a server-client setup on virtual machines.
- Run and test the operation of the Snort service.

3. Structure of the report
The report is organized as follows:
- Project overview
- Chapter 1. Theoretical background
- Chapter 2. System design and construction
- Chapter 3. Deployment and evaluation of results
- Conclusion
- References

Chapter 1. THEORETICAL BACKGROUND

1.1. Introduction
1.1.1. Introduction to IDS
1.1.1.1. Concept

IDS stands for Intrusion Detection System.

An IDS is a defensive system designed to detect attacks against a network. Its purpose is to detect and prevent actions that harm the security of the system, or actions that are part of an attack process such as reconnaissance and port scanning. A main feature of such a system is providing information that identifies abnormal actions and issuing alerts that notify network administrators so that they can block the attacking connections. In addition, an IDS tool can distinguish between attacks from inside the organization (from its own employees or customers) and attacks from outside (from hackers).

1.1.1.2. IDS classification

The most common way to classify IDSs is by the characteristics of the data source they collect from. On this basis, IDSs are divided into the following types:
- Host-based IDS (HIDS): uses audit data from a single host to detect intrusions. Its main function is to protect the resources on the host and certain systems such as web hosts and mail hosts.
- Network-based IDS (NIDS): uses data from all network traffic, together with audit data from one or several hosts, to detect intrusions. Its task is to block and manage packets before they are passed into the system.

1.1.2. Introduction to SNORT

Snort is an open-source product developed to detect unauthorized intrusions into a system using pre-established rules; these rules are based on signatures, protocols and anomalies.
Snort uses rules stored in text files, which the administrator can edit. Rules are grouped into categories, and the rules of each category are stored in separate files. Snort's main configuration file is snort.conf. Snort reads these rules at startup and builds the data structures that the rules use to catch violating patterns. Finding signatures and using them in rules is a matter that requires finesse, and the more rules are used, the more processing power is needed to collect data in practice. Snort comes with a set of predefined rules for detecting intrusive actions, and administrators can also add rules of their own. Administrators can also remove some of the predefined rules to avoid false alarms.
Snort consists of one or more sensors and a main database server. Sensors can be placed in front of or behind the firewall:
- to monitor attacks on the firewall and the network;
- to record successful firewall bypasses.
Snort's rule database contains up to 2930 rules and is updated regularly by a community of users. Snort can run on many platforms, such as Windows, Linux, OpenBSD, FreeBSD, NetBSD, Solaris, HP-UX, AIX, IRIX and MacOS.
Besides operating as an ordinary packet-capture application, Snort can also be configured to run as a NIDS. Snort supports the following link-layer protocols: Ethernet, 802.11, Token Ring, FDDI, Cisco HDLC, SLIP, PPP, and OpenBSD's PF.

1.2. Snort architecture

Snort is divided into several components. These components work together to detect particular attack methods and to produce output in a required format. A Snort-based IDS consists of the following main components:
- Packet Decoder
- Preprocessor
- Detection Engine
- Logging and Alerting System
- Output Modules

Snort's architecture is shown in the following figure:

Figure 1: Snort system architecture model

When Snort operates, it listens for and captures every packet that passes through it. Captured packets are passed into the Packet Decoder module, then into the Preprocessor module, and then into the Detection Engine. There, depending on whether an intrusion is detected, the packet may be ignored, letting the traffic continue, or passed to the Logging and Alerting module for handling. Once an alert has been determined, the Output module emits it in the desired format. Below we look in more detail at the operation and function of each component.

1.2.1. Packet decoder module - Packet Decoder

Snort uses the pcap library to capture every packet passing through the system. The following figure shows how an Ethernet packet is decoded:

Figure 2: Processing an Ethernet packet

After decoding, a packet is passed on to the preprocessor module. The main task of this component is to parse the raw packet captured from the network and reconstruct it into a complete application-layer packet, which serves as input to the detection engine.
Packet reconstruction proceeds from the data link layer up to the application layer, following the order of the protocol stack.

1.2.2. Preprocessor module - Preprocessors

The preprocessor module is a very important module for any IDS, since it prepares packets for analysis by the detection module. The three main tasks of modules of this kind are:
- Reassembling packets: when a large amount of data is sent, the information is not packed into a single packet; instead the original packet is fragmented into many packets before being sent. When Snort receives these packets it must reassemble them to obtain the original data before any further processing can be done. As we know, when a session takes place on a system, many packets are exchanged within that session. A single packet has no state, and if intrusion detection relied entirely on individual packets it would not be very effective. The stream preprocessor module lets Snort understand the different sessions (in other words, it gives the packets state), thereby achieving higher effectiveness in intrusion detection.
- Protocol decoding and normalization (decode/normalize): signature-based intrusion detection often fails when inspecting protocols whose data can be represented in many different forms. For example, a web server may accept many forms of a URL, such as a URL written in hex/Unicode encoding, a URL that accepts the \ or / characters, or several of these characters in a row. Suppose we have the signature scripts/iisadmin; an attacker could bypass it by altering the request sent to the web server as follows:
scripts/./iisadmin
scripts/examples/../iisadmin
scripts\iisadmin
scripts/.\iisadmin
or by encoding these strings in other forms. If Snort simply compared the data against the signature, intrusive actions would be missed. Therefore some of Snort's preprocessor modules have the task of decoding, correcting and rearranging this input information so that when it is passed to the detection module it can be detected without being missed. Snort currently supports decoding and normalization for the following protocols: telnet, http, rpc, arp.
- Detecting anomalous intrusions (non-rule/anomaly): preprocessor plugins of this kind are usually used to deal with intrusions that cannot be detected, or can only be detected with difficulty, by ordinary rules, or with abnormal signs in a protocol. Preprocessor modules of this kind can detect intrusions in any way we can think of, thereby adding further features to Snort. For example, a preprocessor plugin could collect statistics on network throughput at normal times and then, when abnormal throughput occurs, compute, detect and raise an alert (intrusion detection using a statistical model). The current version of Snort ships with two plugins that help detect anomalous intrusions: portscan and bo (Back Orifice). Portscan is used to raise an alert when an attacker scans the system's ports looking for vulnerabilities. Bo is used to raise an alert when the system is infected with the Back Orifice trojan and a remote attacker connects to it to execute commands remotely.
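As an added illustration of the normalization step described above (example code written for this section, not Snort's own http_inspect preprocessor), the following Python script canonicalises request paths before comparing them with the signature scripts/iisadmin. The inputs are the four variants listed in the text plus two constructed ones (a percent-encoded slash and a doubled slash); a naive substring check on the raw request misses all of them, while the same check after normalization catches all of them.

```python
from urllib.parse import unquote

# Signature from the text, and the request-path variants an attacker might send instead.
SIGNATURE = "scripts/iisadmin"
EVASIONS = [
    "scripts/./iisadmin",           # the four variants listed in the text
    "scripts/examples/../iisadmin",
    "scripts\\iisadmin",
    "scripts/.\\iisadmin",
    "scripts%2Fiisadmin",           # constructed: percent-encoded slash
    "scripts//iisadmin",            # constructed: doubled slash
]


def normalize_path(raw):
    """Canonicalise a request path before signature matching: percent-decode (repeatedly,
    to unwrap double encoding), turn backslashes into '/', drop empty and '.' segments
    and resolve '..'. A simplified stand-in for what an HTTP preprocessor does."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/".join(segments)


def raw_match(raw):
    """Naive signature check on the request as sent: misses every evasion above."""
    return SIGNATURE in raw


def normalized_match(raw):
    """Signature check after normalization: catches every evasion above."""
    return SIGNATURE in normalize_path(raw)


if __name__ == "__main__":
    for p in EVASIONS:
        print(f"{p:32} raw={raw_match(p)!s:5} normalized={normalized_match(p)}")
```

Real preprocessors also undo Unicode and UTF-8 encodings, handle the server's own quirks (IIS accepted both separators, as the text notes) and apply the normalization to every HTTP field, not only the path; the principle is the same: match against the canonical form the server will act on, not the bytes on the wire.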

1.2.3. Detection module - Detection Engine

This is the most important module of Snort. It is responsible for detecting signs of intrusion. The detection module uses predefined rules to compare against the collected data and thereby determine whether an intrusion has occurred. Only then can it carry out further work such as logging, generating notifications and outputting information.
A very important issue in the detection module is the time taken to process packets: an IDS usually receives a great many packets, and it also has a great many rules to process. Processing different packets can take different amounts of time, and when network throughput is too high, packets may be missed or not responded to in time. The processing capacity of the detection module depends on factors such as the number of rules, the speed of the system running Snort, and the load on the network. Some experiments show that the current version of Snort, when optimized and run on a multi-processor system with a fairly powerful configuration, can operate well even on gigabit networks.
The detection module can also split a packet into parts and apply rules to each part of the packet. The parts can be:
- IP header
- Transport-layer header: TCP, UDP
- Application-layer header: DNS header, HTTP header, FTP header, ...
- Packet payload (rules can also be applied to the data carried by the packet)
Another issue in the detection module is what to do when a packet is matched by several rules. Since Snort rules are also ordered by priority, when a packet is matched by several different rules, the alert issued is the one corresponding to the rule with the highest priority.

1.2.4. Logging and alerting module - Logging and Alerting System

Depending on whether the detection module recognized an intrusion, a packet may be logged or an alert may be raised. Log files are text data files that can be written in various formats, such as tcpdump.

Figure 3: Logging and alerting module

1.2.5. Output module - Output Module

This module can perform different operations depending on how you want to store the output. Depending on the system configuration, it can:
- Write to a log file.
- Write to syslog: syslog is a log storage standard widely used on Unix and Linux systems.
- Write alerts to a database.
- Create XML log files: logging in XML is very convenient for exchanging and sharing data.
- Reconfigure routers and firewalls.
- Send alerts packaged in packets using the SNMP protocol. These SNMP packets are sent to an SNMP server, which helps manage alerts and the IDS centrally and more conveniently.
- Send SMB (Server Message Block) messages to Windows computers.
If none of the above output methods is satisfactory, we can write our own output modules to suit our purposes.

1.2.6. Snort run modes

1.2.6.1. Sniffer mode

In this mode, Snort operates as an ordinary packet capture and analysis program. No configuration file is needed; the information Snort collects when running in this mode is:
- Date and time.
- Source IP address.
- Source port number.
- Destination IP address.
- Destination port.
- Transport layer protocol used in this packet.
- Time to live or TTL value in this packet.
- Type of service or TOS value.
- Packet ID.
- Length of IP header.
- IP payload.
- Don't fragment or DF bit is set in IP header.
- Two TCP flags A and P are on.
- TCP sequence number.
- Acknowledgement number in TCP header.
- TCP Window field.
- TCP header length.

1.2.6.2. Packet logger mode

When run in this mode, Snort gathers every packet it sees and writes them to a log in a hierarchical structure. In other words, a new directory is created for each address it captures, and the data is stored in that directory according to the address. Snort places the packets in ASCII files whose names relate to the protocol and port. This arrangement makes it easy to see who is connecting to your network and which protocol and port they are using. Simply use ls -R to list the directories.
However, this hierarchy creates many directories at peak times, so it is very hard to review all of these directories and files. If someone scans your network and maps all 65536 TCP ports as well as 65536 UDP ports, you will suddenly have more than 131000 files in a single directory.
Logging everything Snort can read in binary form increases Snort's packet capture capacity. Most systems can capture and log at 100 Mbps without any problem.
To log packets in binary mode, use the -b flag:
#Snort -b -l /usr/local/log/Snort/temp.log
After capturing, we can read back the newly created file with the -r flag; the display is the same as in sniffer mode:
#Snort -r /usr/local/log/Snort/temp.log
Snort does not restrict reading binary files to sniffer mode. We can run Snort in NIDS mode with rules or filters set to find suspicious traffic.

1.2.6.3. NIDS mode

Snort is most often used as a NIDS. It is small, fast, effective and applies rules to packets. When it detects signs of an attack in a packet, it logs the packet and generates a notification. In this mode a configuration file must be declared for Snort to operate. The information in notifications in this mode:
- Fast mode: Date and time, Alert message, Source and destination IP address, Source and destination ports, Type of packet.
- Full mode: the same information as fast mode plus the following: TTL value, TOS value, Length of packet header, Length of packet, Type of packet, Code of packet, ID of packet, Sequence number.

1.3. Snort rule set
1.3.1. Introduction

Snort is primarily a rule-based IDS; however, input plug-ins also exist to detect anomalies in protocol headers.
Snort uses rules stored in text files, which the administrator can edit. Rules are grouped into categories, and the rules of each category are stored in separate files. Snort's main configuration file is snort.conf. Snort reads these rules at startup and builds the data structures that the rules use to capture data. Finding signatures and using them in rules is a matter that requires finesse, and the more rules you use, the more processing power is needed to collect data in practice. Snort comes with a set of predefined rules for detecting intrusive actions, and you can also add rules of your own. You can also remove some of the predefined rules to avoid false alarms.
Just like viruses, most attacks and intrusions have their own signatures. Information about these signatures is used to build Snort rules. Typically, honeypots are created to learn what attackers do and to gather information about the tools and technology they use. Conversely, there are also databases of the security vulnerabilities that attackers want to exploit. These known attack patterns are used as signatures for detecting intrusions. Signatures may appear in packet headers or in packet content. Snort's detection system operates on rules, and these rules are in turn based on attack signatures. Rules can be applied to all the different parts of a data packet.
A rule can be used to generate an alert message, to log a message, or to ignore a packet.

1.3.2. Snort rule structure

Consider a simple example:
alert tcp 192.168.2.0/24 23 -> any any (content: "confidential"; msg: "Detected confidential";)
We can see that a rule has the following structure:

Figure 4: Structure of a Snort rule

Explanation:
All Snort rules logically consist of two parts: the header and the options.
- The header contains information about the action the rule takes when it detects an intrusion in the packet, and it also contains the criteria for applying the rule to that packet.
- The options contain an alert message and information about the parts of the packet used to generate the alert. The options contain additional criteria for matching the rule against the packet. A rule can detect one or more probing or attack activities. Well-written rules can apply to several intrusion signatures.
Below is the general structure of the header of a Snort rule:

Figure 5: Snort rule header

- Action: specifies what kind of action is taken when the packet's signs are exactly recognized by the rule. Typically the action generates an alert, logs a message, or activates another rule.
- Protocol: specifies that the rule applies only to packets of a particular protocol, for example IP, TCP, UDP.
- Address: the source and destination addresses. The addresses can be a single host, several hosts, or a network. Of the two addresses, one is the source and one the destination; which is which is determined by the Direction part (->).
- Port: identifies the source and destination ports of the packets to which the rule applies.
- Direction: indicates which address is the source and which is the destination.

Example:
alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)
The part before the opening parenthesis is the rule header; the remainder is the options. The header in detail:
- The rule action here is alert: an alert is generated if the packet's conditions match the rule (the packet is always logged whenever an alert is generated).
- The rule's protocol here is ICMP, so the rule applies only to ICMP packets. Thus if a packet is not ICMP, the rest of the rule need not be checked.
- The source address here is any: the rule applies to all packets from any source; the port is also any, which for ICMP packets has no meaning anyway. Port numbers are meaningful only for TCP or UDP packets.
- The options inside the parentheses indicate that an alert containing the string "Ping with TTL=100" is generated when the condition TTL=100 is found. TTL, Time To Live, is a field in the IP header.

1.3.3. The header

As presented above, the rule header consists of several parts. Below are the details of each part.

Rule Action
This is the first part of the rule and indicates the action taken when the rule's conditions are satisfied. An action is taken if and only if all conditions match. Five actions are predefined, but we can also create our own actions according to our needs. In earlier versions of Snort, when several rules matched a packet, only one rule was applied: after the first rule was applied, the following rules were no longer applied to that packet. In later versions of Snort, however, all rules are applied to the packet.
- Pass: this action tells Snort to ignore the packet. It plays an important role in increasing Snort's speed when we do not want to apply checks to certain packets. For example, if we use honeypots (placed on some machine) to lure hackers into attacking, we must let all packets reach that machine. Or if we use a scanner to check the security of our own network, we must ignore all packets coming from that scanning machine.
- Log: this action is used to log the packet. It can log to a file or to a database as needed.
- Alert: sends an alert message when an intrusion signature is detected. There are many ways to send the message, such as to a file or to a console. Naturally, after the alert message is sent the packet is logged.
- Activate: used to generate an alert and activate another rule to check further conditions on the packet.
- Dynamic: indicates that this is a rule called by other rules whose action is Activate.
- User-defined actions: a new action is defined with the following structure:
ruletype action_name
{
action definition
}
ruletype is a keyword.
The action is defined precisely inside the braces; it could be, for example, a function written in the C language.
Example:
ruletype smb_db_alert
{
type alert
output alert_smb: workstation.list
output database: log, mysql, user=test password=test dbname=snort host=localhost
}
This is an action named smb_db_alert, used to send alert messages as SMB pop-up windows to the machines listed in the file workstation.list and to the MySQL database named snort.

Protocols
This is the second part of a rule; it indicates the type of packet to which the rule applies. Snort currently understands the following protocols: IP, ICMP, TCP, UDP.
If the protocol is IP, Snort checks the link-layer header to determine the packet type. If any other protocol is used, Snort uses the IP header to determine the protocol. The protocol only plays a role in specifying criteria in the rule header; the rule options may contain conditions unrelated to the protocol.

Address
There are two address parts in a Snort rule. These addresses are used to check the source and the destination of the packet. An address can be a single IP address or a network address. The word any can be used to apply the rule to all addresses.
The address is followed immediately by a slash and the number of bits in the subnet mask. For example, the address 192.168.2.0/24 denotes the class C network 192.168.2.0 with a 24-bit subnet mask. A 24-bit subnet mask is 255.255.255.0. We know that:
- a 24-bit subnet mask denotes a class C network;
- a 16-bit subnet mask denotes a class B network;
- an 8-bit subnet mask denotes a class A network;
- a 32-bit subnet mask denotes a single IP address.
Of the two addresses in a Snort rule, one is the source address and the other is the destination address. Which is which depends on the direction part.
For example, the rule:
alert tcp any any -> 192.168.1.10/32 80 (msg: "TTL=100"; ttl: 100;)
generates an alert for all packets from any source that have TTL = 100 and go to the web server 192.168.1.10 on port 80.

Excluding addresses
Snort provides a technique for excluding addresses using the negation sign (the ! character). Placed before an address, the negation sign tells Snort not to check packets coming from or going to that address. For example, the following rule applies to all packets except those originating from the class C network 192.168.2.0.
alert icmp ![192.168.2.0/24] any -> any any (msg: "Ping with TTL=100"; ttl: 100;)

Address lists
We can specify a list of addresses in a Snort rule. For example, to apply a rule to all packets except those originating from the two class C networks 192.168.2.0 and 192.168.8.0, the rule is written as follows:
alert icmp ![192.168.2.0/24, 192.168.8.0/24] any -> any any (msg: "Ping with TTL=100"; ttl: 100;)
The brackets [] are only needed when preceded by the ! sign.

Port Number
Port numbers are used to apply a rule to packets coming from or going to a particular port or port range. For example, we can use source port 23 to apply a rule to all packets coming from a Telnet server. The word any is also used to represent all ports. Note that port numbers are only meaningful in the TCP and UDP protocols. If the rule's protocol is IP or ICMP, the port number plays no role.
Example:
alert tcp 192.168.2.0/24 23 -> any any (content: "confidential"; msg: "Detected confidential";)
Port numbers are only useful when we want to apply a rule to one specific kind of data packet. For example, for a rule against web hacking we only need port 80 to detect attacks.
Port ranges:
We can apply a rule to a range of ports instead of a single port. The starting and ending ports are separated by a colon ":".
Example: alert udp any 1024:2048 -> any any (msg: "UDP ports";)
We can also bound ports from above or below, i.e. use only a starting or an ending port, for example 1024: or :2048.
Negation also applies to ports. The following example logs all packets except those originating from port 53.
log udp any !53 -> any any
Here are some common ports, i.e. the ports of the most common services: 20 FTP data, 21 FTP, 22 SSH, 23 Telnet, 24 SMTP, 53 DNS server, 80 HTTP, 110 POP3, 161 SNMP, 443 HTTPS, 3360 MySQL.

Direction
Indicates which is the source and which is the destination; it can be -> or <- or <>. The case <> is used when we want to check both client and server.
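To make the header semantics of sections 1.3.2 and 1.3.3 concrete (action, protocol, negated address lists, CIDR networks, port ranges and direction), here is an added Python example, not code from this report or from Snort itself, that parses the headers of the rules quoted above and tests them against constructed packets. The Packet class, the rule constants and the treatment of <- as the reverse of -> are assumptions of this example; for ICMP and IP packets, which carry no ports, only a port of any is taken to match, as the text explains.

```python
import ipaddress
import re

# Rules quoted from the text above (quotes restored, as Snort requires).
RULE_WEB = 'alert tcp any any -> 192.168.1.10/32 80 (msg: "TTL=100"; ttl: 100;)'
RULE_NOT_TWO_NETS = 'alert icmp ![192.168.2.0/24, 192.168.8.0/24] any -> any any (msg: "Ping with TTL=100"; ttl: 100;)'
RULE_NOT_DNS = 'log udp any !53 -> any any'
RULE_PORT_RANGE = 'alert udp any 1024:2048 -> any any (msg: "UDP ports";)'
RULE_TELNET = 'alert tcp 192.168.2.0/24 23 -> any any (content: "confidential"; msg: "Detected confidential";)'


class Packet:
    """Constructed packet summary: protocol, addresses and ports (None where the protocol has none)."""
    def __init__(self, proto, src, sport, dst, dport):
        self.proto, self.src, self.sport, self.dst, self.dport = proto, src, sport, dst, dport


def _parse_address(tok):
    """'any', '192.168.1.10/32', '![a/24,b/24]' -> (negated, list of networks, or None for any)."""
    negated = tok.startswith("!")
    tok = tok.lstrip("!").strip("[]")
    if tok == "any":
        return negated, None
    return negated, [ipaddress.ip_network(a.strip(), strict=False) for a in tok.split(",")]


def _parse_port(tok):
    """'any', '80', '!53', '1024:2048', '1024:', ':2048' -> (negated, (low, high))."""
    negated = tok.startswith("!")
    tok = tok.lstrip("!")
    if tok == "any":
        return negated, (0, 65535)
    if ":" in tok:
        lo, hi = tok.split(":", 1)
        return negated, (int(lo) if lo else 0, int(hi) if hi else 65535)
    return negated, (int(tok), int(tok))


def parse_header(rule):
    """Split the part before '(' into action, protocol, addresses, ports and direction."""
    header = rule.split("(", 1)[0].strip()
    # remove blanks inside [...] so a list such as [a/24, b/24] stays a single token
    header = re.sub(r"\[[^\]]*\]", lambda m: m.group(0).replace(" ", ""), header)
    action, proto, src, sport, direction, dst, dport = header.split()
    return {
        "action": action, "proto": proto.lower(), "dir": direction,
        "src": _parse_address(src), "sport": _parse_port(sport),
        "dst": _parse_address(dst), "dport": _parse_port(dport),
    }


def _address_match(spec, ip):
    negated, nets = spec
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def _port_match(spec, port):
    negated, (lo, hi) = spec
    if port is None:                      # ICMP/IP packet: only 'any' is meaningful
        return (lo, hi) == (0, 65535) and not negated
    return (lo <= port <= hi) != negated


def header_matches(rule, pkt):
    """True when the rule header selects the packet. Protocol 'ip' matches every protocol;
    '->' is one way, '<>' either way, and '<-' is taken as the reverse of '->'."""
    h = parse_header(rule)
    if h["proto"] != "ip" and h["proto"] != pkt.proto:
        return False
    forward = (_address_match(h["src"], pkt.src) and _port_match(h["sport"], pkt.sport)
               and _address_match(h["dst"], pkt.dst) and _port_match(h["dport"], pkt.dport))
    reverse = (_address_match(h["src"], pkt.dst) and _port_match(h["sport"], pkt.dport)
               and _address_match(h["dst"], pkt.src) and _port_match(h["dport"], pkt.sport))
    if h["dir"] == "->":
        return forward
    if h["dir"] == "<-":
        return reverse
    return forward or reverse


if __name__ == "__main__":
    web_hit = Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 80)
    print(parse_header(RULE_WEB)["action"], header_matches(RULE_WEB, web_hit))   # alert True
    print(header_matches(RULE_NOT_DNS, Packet("udp", "10.0.0.1", 53, "10.0.0.2", 1234)))  # False
```

The header is deliberately evaluated before any option: as the text says for the ICMP example, a packet of the wrong protocol, address or port never reaches the (expensive) option checks.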

1.3.4.

Cc ty chn

Phn Rule Option nm ngay sau phn Rule Header v c bao bc trong du
ngoc n. Nu c nhiu option th cc option s c phn cch vi nhau bng
du chm phy ,.Nu nhiu option c s dng th cc option ny phi ng
thi c tho mn tc l theo logic cc option ny lin kt vi nhau bng AND.
Mi option c nh ngha bng cc t kho. Mt s cc option cn cha cc
tham s. Ni chung mt option gm 2 phn: mt t kho v mt tham s, hai phn
ny phn cch nhau bng du hai chm. V d dng :
msg: Detected confidented;
msg l t kho cn Detected confidented l tham s.
Sau y l chi tit mt s cc option ca lut Snort.
T kho ack

Trang 23

o Th M Chu & Phan Th Thu Hng Nhm 78B

Trong header TCP c cha trng Acknowledgement Number vi di 32


bit. Trng ny c ngha l ch ra s th t tip theo gi tin TCP ca bn gi ang
c ch nhn. Trng ny ch c ngha khi m c ACK c thit lp.
Cc cng c nh Nmap s dng c im ny ping mt my. V d, n c th
gi mt gi tin TCP ti cng 80 vi c ACK c bt v s th t l 0. Bi vy,
bn nhn s thy gi tin khng hp l v s gi tr li gi tin RST. Khi m Nmap
nhn c gi tin RST th tc l a ch ch ang sng. Phng php ny vn
lm vic tt i vi cc my khng tr li gi tin thuc dng ping ICMP ECHO
REQUEST.
Vy kim tra loi ping TCP ny th ta c th dng lut nh sau:
alert tcp any
TCP ping detected)

any

->

192.168.1.0/24

any

(flags: A; ack: 0; msg:

T kho classtype
Cc lut c th c phn loi v gn cho mt s ch u tin no
nhm v phn bit chng vi nhau. hiu r hn v t kho ny ta u tin phi
hiu c file classification.config (c bao gm trong file snort.conf s dng t
kho include). Mi dng trong file classification.config c c php nh sau:
config classification: name, description, priority
trong :
-

name: l tn dng phn loi, tn ny s c dng vi t kho


classtype trong cc lut Snort.

description: m t v loi lp ny

priority: l mt s ch u tin mc nh ca lp ny. u tin ny


c th c iu chnh trong t kho priority ca phn option trong lut
ca Snort.

V d :
config classification: DoS , Denial of Service Attack, 2
v trong lut:
alert udp any any -> 192.168.1.0/24
server; classtype: DoS;)
alert udp any any -> 192.168.1.0/24
server; classtype: DoS; priority: 1;)
Trang 24

6838

(msg:DoS; content:

6838

(msg:DoS; content:

Tm hiu v khai thc dch v SNORT

Trong cu lnh th 2 th ta ghi ln gi tr priority mc nh ca lp


nh ngha.
The content keyword
An important feature of Snort is its ability to find a data pattern inside a packet. The pattern may be an ASCII string or a binary string written as hexadecimal characters. Just as viruses do, attacks have recognisable signatures, and the content keyword is used to look for those signatures inside a packet. Example:
alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content:"GET"; msg:"GET match";)
This rule looks for the pattern GET in the payload of all TCP packets originating from the 192.168.1.0/24 network and going to addresses outside that network. The word GET is used in HTTP requests and appears in many HTTP attacks.
Another rule that does exactly the same job, but with the pattern written in hexadecimal, is:
alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content:"|47 45 54|"; msg:"GET match";)
Note that hexadecimal 47 is the ASCII character G, 45 is E and 54 is T. Both forms can be mixed in one content string, but the hexadecimal part must be enclosed between a pair of | characters.
Keep the following in mind when using content:
- Content matching is computationally expensive, so think carefully before deploying many rules that match on content.
- Several content keywords can be used in the same rule to look for several signatures in one packet; all of them must match.
- Content matching is case sensitive; add the nocase modifier after a content option if the case of the pattern should be ignored.
Three other keywords are commonly used together with content to add conditions to the search:


- offset: specifies where the search for the string given in the content keyword begins, as an offset counted from the start of the packet payload. The following example looks for the string HTTP starting 4 bytes after the beginning of the payload:
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; msg:"HTTP matched";)
- depth: specifies how far into the payload Snort searches for the pattern, counted from the offset. This keyword is usually combined with the offset keyword above. Example:
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)
This keyword saves search time when the payload of the packet is large, because Snort does not have to scan the whole payload.

- content-list: used together with a file. The file name (given as the argument of this keyword) is a text file containing the list of strings to look for in the packet payload, one string per line. For example, if the file test contains:
test
Snort
NIDS
and we have the rule:
alert tcp 192.168.1.0/24 any -> any any (content-list:"test"; msg:"This is my Test";)
then the rule alerts on packets whose payload contains any of the listed strings. The negation character ! can be put in front of the file name to alert on packets in which none of the strings in the file is found.
Note that content-list is a legacy keyword from early Snort releases and is not supported by the Snort 2.8.4.1 build used in Chapter 2; with that version, use several content options, or a pcre option, instead.
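The following Python script, added here and not part of Snort, shows the content, offset and depth semantics described above on a constructed HTTP payload: it decodes mixed ASCII/|hex| content strings, restricts the search to the offset/depth window, ANDs several content options as one rule would, and shows the case-sensitivity caveat (the nocase parameter is the example's own, standing in for Snort's nocase modifier). It assumes that depth is counted from the offset, as Snort 2.x documents it.

```python
"""Mini implementation of Snort's content, offset and depth matching.

Added example for this report; not Snort's own code. The HTTP request
payload below is constructed. Depth is counted from the offset, as in
Snort 2.x; the pattern must fit entirely inside the offset/depth window.
"""
import re

HEX_CHUNK = re.compile(r"\|([0-9A-Fa-f ]*)\|")   # |47 45 54| style hex runs


def parse_content(spec):
    """Convert a content string to bytes.

    Text outside |...| is taken literally; hex pairs inside |...| are decoded,
    so "GET|20|/" and "|47 45 54| /" both give b"GET /"."""
    out = bytearray()
    pos = 0
    for m in HEX_CHUNK.finditer(spec):
        out += spec[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += spec[pos:].encode("latin-1")
    return bytes(out)


def content_matches(payload, spec, offset=0, depth=None, nocase=False):
    """True if the pattern occurs inside payload[offset:offset+depth]."""
    pattern = parse_content(spec)
    end = None if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return window.find(pattern) != -1


def rule_matches(payload, contents):
    """Several content options in one rule are ANDed: all of them must match.

    contents is a list of keyword dicts for content_matches, one per option."""
    return all(content_matches(payload, **c) for c in contents)


# Constructed sample payload: the start of an HTTP request.
SAMPLE = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    # "HTTP" starts at byte 16, so a 10-byte window from offset 4 misses it
    print(content_matches(SAMPLE, "HTTP", offset=4, depth=10))
    print(content_matches(SAMPLE, "HTTP", offset=4, depth=40))
    print(content_matches(SAMPLE, "get"), content_matches(SAMPLE, "get", nocase=True))
```

The depth:10 case is the one worth noticing: the window payload[4:14] does not reach the string HTTP, so the rule with offset:4 and depth:10 would stay silent on this request while the one with depth:40 fires.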
The dsize keyword
Matches on the length of the packet payload. Many attacks exploit buffer overflows by sending very large packets. With this keyword the payload size can be compared against a number:
alert ip any any -> 192.168.1.0/24 any (dsize:>6000; msg:"Large packet";)
The flags keyword
This keyword is used to detect which flag bits are set in the TCP header of a packet. Each flag can be used as an argument of the flags keyword. The following flags are used with the flags keyword:

Flag                        Character used in Snort rules
FIN (Finish flag)           F
SYN (Sync flag)             S
RST (Reset flag)            R
PSH (Push flag)             P
ACK (Acknowledge flag)      A
URG (Urgent flag)           U
Reserved bit 1              1
Reserved bit 2              2
No flag set                 0

Table 1: Flags used with the flags keyword

The characters +, * and ! perform the logical operations AND, OR and NOT on the flag bits to be tested: SF+ matches when SYN and FIN are set regardless of the other bits, SF* when at least one of them is set, and !SF when neither is set; with no operator the listed flags must be set and all others clear. For example, the following rule detects a scan using TCP SYN-FIN packets:
alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"SYN-FIN packet detected";)
The fragbits keyword
The IP header contains 3 bits used to control the fragmentation and reassembly of IP packets:
- Reserved Bit (RB): reserved for future use.
- Don't Fragment Bit (DF): if this bit is set, the packet must not be fragmented.
- More Fragments Bit (MF): if set, further parts (fragments) of the packet are still on their way and have not arrived yet. If it is not set, this is the last fragment of the packet (or the packet is not fragmented at all). The reason is that the sender must split an IP packet into smaller pieces according to the Maximum Transmission Unit (MTU) allowed on the path; a packet may not exceed that size. The MF bit therefore lets the receiver reassemble the pieces into a complete packet.
These bits are sometimes used by attackers to attack a network or to gather information about it. For example, the DF bit can be used to discover the smallest MTU along the path from a source to a destination (path MTU discovery).
Using fragbits we can check whether these bits are set. For example, the following rule detects ICMP packets in which the DF bit is set:
alert icmp any any -> 192.168.1.0/24 any (fragbits:D; msg:"Don't Fragment bit set";)
In this rule D stands for the DF bit, R for the reserved bit and M for the MF bit. The negation character ! can also be used to test that a bit is not set:
alert icmp any any -> 192.168.1.0/24 any (fragbits:!D; msg:"Don't Fragment bit not set";)
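To tie the flags, fragbits and dsize keywords together, here is an added Python example (not Snort's code) that evaluates the +, * and ! operators on constructed, already-decoded header fields, including the SYN-FIN scan, the DF-bit test and the dsize:>6000 rule from the text. The field names tcp_flags, ip_frag_field and payload_len are the example's own; a real sensor gets these values from its packet decoder, and the optional ",mask" suffix of the flags keyword is not modelled.

```python
"""Evaluate Snort's flags, fragbits and dsize options on decoded header fields.

Added example for this report; not Snort's own code. The packet records
are constructed; a real sensor gets these fields from its packet decoder.
"""

# TCP flag bits, keyed by the letters used in the flags keyword (Table 1).
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}
# IP fragment bits live in the top three bits of the 16-bit flags/offset field.
FRAG_BITS = {"M": 0x2000, "D": 0x4000, "R": 0x8000}


def bitmask(letters, table):
    mask = 0
    for ch in letters:
        mask |= table[ch]
    return mask


def flag_test(spec, value, table):
    """Shared semantics of flags: and fragbits: (",mask" suffix not modelled).

    'SF'   exactly S and F set, nothing else
    'SF+'  S and F set, other bits ignored      (AND)
    'SF*'  at least one of S, F set             (OR)
    '!SF'  neither S nor F set                  (NOT)
    '0'    no bit set at all"""
    if spec == "0":
        return value == 0
    if spec.startswith("!"):
        return value & bitmask(spec[1:], table) == 0
    if spec.endswith("+"):
        mask = bitmask(spec[:-1], table)
        return value & mask == mask
    if spec.endswith("*"):
        return value & bitmask(spec[:-1], table) != 0
    return value == bitmask(spec, table)


def dsize_test(spec, payload_len):
    """dsize:>6000, dsize:<100, dsize:56 or dsize:50<>60 (range, inclusive here)."""
    spec = spec.replace(" ", "")
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) <= payload_len <= int(hi)
    if spec[0] == ">":
        return payload_len > int(spec[1:])
    if spec[0] == "<":
        return payload_len < int(spec[1:])
    return payload_len == int(spec)


def rule_hits(packet, flags=None, fragbits=None, dsize=None):
    """All options given must hold, as for the options of one Snort rule."""
    checks = []
    if flags is not None:
        checks.append(flag_test(flags, packet["tcp_flags"], TCP_FLAG_BITS))
    if fragbits is not None:
        checks.append(flag_test(fragbits, packet["ip_frag_field"], FRAG_BITS))
    if dsize is not None:
        checks.append(dsize_test(dsize, packet["payload_len"]))
    return all(checks)


# Constructed packets with header fields already decoded.
SYN_FIN_SCAN = {"tcp_flags": 0x03, "ip_frag_field": 0x0000, "payload_len": 0}
DF_PING      = {"tcp_flags": 0x00, "ip_frag_field": 0x4000, "payload_len": 56}
BIG_DATA     = {"tcp_flags": 0x18, "ip_frag_field": 0x4000, "payload_len": 6500}

if __name__ == "__main__":
    print("SYN-FIN scan:", rule_hits(SYN_FIN_SCAN, flags="SF"))
    print("DF set on ping:", rule_hits(DF_PING, fragbits="D"))
    print("large payload:", rule_hits(BIG_DATA, dsize="> 6000"))
```

The BIG_DATA record (PSH and ACK set) illustrates why the operator matters: flags:A does not match it, flags:A+ does, and flags:!SF also does because neither SYN nor FIN is set.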


Chapter 2. SYSTEM DESIGN AND IMPLEMENTATION

2.1. Requirements analysis
Install an intrusion detection system with Snort. Snort's logs are written to a MySQL database, and the administrator monitors the logs through the BASE (Basic Analysis And Security Engine) web interface.
The packages to install are:
- Server configuration tools: default selection.
- Web server: Apache, PHP, php-mysql, phpMyAdmin.
- MySQL database: mysql-connector-odbc, mysql-server, mysql-client, mysql-devel, php-mysql.
- Support libraries for Snort: libpcap (the libpcap and libpcap-devel packages when installing from rpm; building from source is recommended), the Bison parser generator, libpcre and libnet.
- The Snort-2.8.4.1 package.

2.1.1. Installing the server configuration tools
The server configuration tools are needed to store Snort's alerts in the MySQL database; BASE (Basic Analysis And Security Engine) is then used to display the analysis charts for the system. Install them as follows:
- Install Apache:
sudo apt-get install apache2
- Install PHP5:
sudo apt-get install php5 libapache2-mod-php5
- Install phpMyAdmin:
sudo apt-get install phpmyadmin
- Install MySQL:
sudo apt-get install mysql-server mysql-client
During the MySQL installation you are asked to set the password of the MySQL root user, which is needed to access the MySQL server later.

2.1.2. Installing the Bison, libpcap, libpcre and libnet libraries

2.1.2.1. Installing the flex library
To compile libpcap successfully the flex library is needed first. Download flex from http://biznetnetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz and install it with the following steps:
- Download flex to the machine:
root@Ubuntu:/home/chau/Desktop/Install# wget http://biznetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz
- Copy the flex archive to the build directory:
root@Ubuntu:/home/chau/Desktop/Install# cp flex-2.5.35.tar.gz /usr/local/
- Change to the build directory:
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
- Unpack flex:
root@Ubuntu:/usr/local# tar -xvzf flex-2.5.35.tar.gz
- Change into flex-2.5.35:
root@Ubuntu:/usr/local# cd flex-2.5.35
- Configure, build and install flex:
root@Ubuntu:/usr/local/flex-2.5.35# ./configure
root@Ubuntu:/usr/local/flex-2.5.35# make && make install
2.1.2.2. Installing the Bison library
The steps are the same as for flex:
root@Ubuntu:/home/chau/Desktop/Install# wget http://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp bison-2.4.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf bison-2.4.1.tar.gz
root@Ubuntu:/usr/local# cd bison-2.4.1
root@Ubuntu:/usr/local/bison-2.4.1# ./configure
root@Ubuntu:/usr/local/bison-2.4.1# make && make install
2.1.2.3. Installing libpcap
Install libpcap from source: http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
root@ubuntu:/home/chau/Desktop/Install# wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
root@ubuntu:/home/chau/Desktop/Install# cp libpcap-1.0.0.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf libpcap-1.0.0.tar.gz
root@Ubuntu:/usr/local# cd libpcap-1.0.0
root@Ubuntu:/usr/local/libpcap-1.0.0# ./configure
root@Ubuntu:/usr/local/libpcap-1.0.0# make && make install
2.1.2.4. Installing pcre
root@ubuntu:/home/chau/Desktop/Install# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
root@ubuntu:/home/chau/Desktop/Install# cp pcre-7.9.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf pcre-7.9.tar.gz
root@Ubuntu:/usr/local# cd pcre-7.9
root@Ubuntu:/usr/local/pcre-7.9# ./configure
root@Ubuntu:/usr/local/pcre-7.9# make && make install
2.1.2.5. Installing libnet
root@Ubuntu:/home/chau/Desktop/Install# wget ftp://64.50.238.52/.1/gentoo/distfiles/libnet-1.1.2.1.tar.gz
root@ubuntu:/home/chau/Desktop/Install# cp libnet-1.1.2.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local/
root@Ubuntu:/usr/local# tar -xvzf libnet-1.1.2.1.tar.gz
root@Ubuntu:/usr/local# cd libnet
root@Ubuntu:/usr/local/libnet# ./configure
root@Ubuntu:/usr/local/libnet# make && make install

2.1.3. Installing Snort
Snort is built with MySQL support so that the database output plugin used in section 2.3 is available:
root@Ubuntu:/home/chau/Desktop/Install# wget http://www.procyonlabs.com/mirrors/snort/snort-2.8.4.1.tar.gz
root@ubuntu:/home/chau/Desktop/Install# cp snort-2.8.4.1.tar.gz /usr/local/
root@ubuntu:/home/chau/Desktop/Install# cd /usr/local/
root@Ubuntu:/usr/local# tar -xvzf snort-2.8.4.1.tar.gz
root@Ubuntu:/usr/local# cd snort-2.8.4.1
root@Ubuntu:/usr/local/snort-2.8.4.1# ./configure --with-mysql
root@Ubuntu:/usr/local/snort-2.8.4.1# make && make install

2.2. Creating the database that stores the alerts
- Log in to MySQL with the mysql client:
root@Ubuntu:/usr/local# mysql -u root -p
- Enter the password of the MySQL root user.
- After logging in, create the MySQL user that Snort will use. The user is named snort with the password 123456:
mysql> use mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
mysql> flush privileges;
(123456 is only a placeholder for this lab. In a real deployment choose a strong password, because it is stored in clear text in snort.conf and base_conf.php below, and restrict read access to those files.)
- Create the database for Snort, named snort:
mysql> create database snort;
- Grant privileges to the snort account:
mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO snort@localhost;
- Create the tables: change to the schemas directory of the unpacked Snort source and load the MySQL schema into the snort database:
root@Ubuntu:~# cd /usr/local/snort-2.8.4.1/schemas/
root@Ubuntu:/usr/local/snort-2.8.4.1/schemas# mysql -u root -p snort < create_mysql
You are asked for the root password; enter it and the schema is loaded.

2.3. Configuring Snort
2.3.1. Creating the group and user that run Snort
- Create a symbolic link from the Snort binary, which is at /usr/local/bin/snort, to /usr/sbin/snort:
root@Ubuntu:/usr/local/snort-2.8.4.1# ln -s /usr/local/bin/snort /usr/sbin/snort
- Create the group and user:
root@Ubuntu:~# groupadd snort
root@Ubuntu:~# useradd -g snort snort
- Set the ownership so that Snort can write its logs into the log directory (create /var/log/snort first, as in section 2.3.2, if it does not exist yet):
root@Ubuntu:~# chown snort:snort /var/log/snort/

2.3.2. Creating the rules for Snort
- Create the Snort directories:
root@Ubuntu:~# mkdir /etc/snort
root@Ubuntu:~# mkdir /etc/snort/rules
- Create the directory in which Snort stores its log files:
root@Ubuntu:~# mkdir /var/log/snort/
- Copy the required files into the directory just created:
root@Ubuntu:~# cd /usr/local/snort-2.8.4.1/etc/
root@Ubuntu:/usr/local/snort-2.8.4.1/etc# cp * /etc/snort
- Create the rules file. Open /etc/snort/rules/icmp.rules and give it the following content:
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
Save icmp.rules.
- Edit the configuration file snort.conf so that it points to icmp.rules and contains the MySQL access information. Delete the whole content of snort.conf and replace it with:
include /etc/snort/rules/icmp.rules
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
Save the configuration file.

2.4. Installing BASE
- The web server and PHP are already installed; a few PEAR packages are still needed for PHP. Install PEAR first, then the packages:
root@Ubuntu:/home/chau/Desktop/Install# apt-get install php-pear
root@Ubuntu:/home/chau/Desktop/Install# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
- Install ADODB:
root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/adodb/adodb508a.tgz
root@Ubuntu:/home/chau/Desktop/Install# cp adodb508a.tgz /var/www/
root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
root@Ubuntu:/var/www# tar -xvzf adodb508a.tgz
- Install BASE:
root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp base-1.4.2.tar.gz /var/www/
root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
root@Ubuntu:/var/www# tar -xzvf base-1.4.2.tar.gz
root@Ubuntu:/var/www# rm -rf base-1.4.2.tar.gz
root@Ubuntu:/var/www# cd base-1.4.2/
root@Ubuntu:/var/www/base-1.4.2# cp base_conf.php.dist base_conf.php
root@Ubuntu:/var/www/base-1.4.2# vi base_conf.php
Change the following settings (the ADODB archive unpacks into /var/www/adodb5, which is where $DBlib_path must point):
$DBlib_path = '/var/www/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '123456';
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = '123456';
/* Whois query */
$external_whois_link = '';
/* DNS query */
$external_dns_link = '';
/* SamSpade "all" query */
$external_all_link = '';
Finally rename the BASE directory so that it is reachable under a shorter path:
root@Ubuntu:/var/www# mv base-1.4.2/ base/


Chapter 3. DEPLOYMENT AND EVALUATION OF RESULTS

3.1. Deployment environment
The Snort intrusion detection and prevention service was installed on Ubuntu 10, running in a VMware Workstation 7.0 virtual machine.

3.2. Some results of the program's functions

Figure 6: A Windows machine accessing the Ubuntu system

Figure 7: Snort's log displayed through the BASE interface (ICMP protocol)

Figure 8: The acid_event table of the Snort database, containing the source IP, destination IP and the time at which the Windows machine accessed the system with ICMP packets

Figure 9: The iphdr table of the Snort database, containing the version, ip_len, ip_id, ip_ttl and ip_csum of the Windows machine's packets

Figure 10

Figure 11

3.3. Evaluation and remarks
The Snort intrusion detection and prevention system was installed successfully on Ubuntu. The Snort system provides the following functions:
- Detecting intrusions from outside into the system.
- Displaying Snort's logs through the BASE interface.
- Storing the time and IP address of the intruding host in Snort's database tables, which can be browsed in phpMyAdmin.
However, the system was only installed on a VMware virtual machine, and Snort's functions have not been fully exploited. Note also that, as configured here (sniffing on an interface rather than running inline), Snort detects and logs the ICMP traffic but does not block it.


CONCLUSION AND FUTURE WORK

1. Results achieved
In theory:
Through studying the theory and applying it, we gained a better understanding of how the Ubuntu operating system works and of several network intrusion detection and prevention services, in particular Snort. While building and installing Snort we also learned a great deal about networking.
In practice:
The Snort intrusion detection and prevention system was installed successfully on Ubuntu. The Snort system provides the following functions:
- Detecting intrusions from outside into the system.
- Displaying Snort's logs through the BASE interface.
- Storing the time and IP address of the intruding host in Snort's database tables, which can be browsed in phpMyAdmin.

2. Remaining problems
Snort can only counter an attack effectively if it knows the signature of that attack. Relying on this, attackers can adjust their attacks so that their signature changes, and such attacks can then slip past Snort's monitoring.

3. Future work
Study Snort's operation in more depth. Install Snort on a physical server, run it there and test its intrusion detection and prevention on that server.
