COURSE REPORT
SPECIAL TOPIC II
Topic:
Students: o Th M Chu
          Phan Th Thu Hng
Group: 78B
Supervisor: Dr. Nguyn Tn Khi
Da Nang, 2011
TABLE OF CONTENTS
CHAPTER 1. THEORETICAL BACKGROUND
1.1. Introduction
1.1.1. Introduction to IDS
1.1.2. Introduction to Snort
1.2. Snort architecture
1.2.1. Packet decoder module - Packet Decoder
1.2.2. Preprocessor module - Preprocessors
1.2.3. Detection module - Detection Engine
1.2.4. Logging and alerting module - Logging and Alerting System
1.2.5. Output module - Output Module
1.2.6. Snort run modes
1.3. Snort rule set
1.3.1. Introduction
1.3.2. Structure of a Snort rule
1.3.3. Rule header
1.3.4. Rule options
CHAPTER 2. SYSTEM DESIGN AND CONSTRUCTION
2.1. Requirements analysis
2.1.1. Installing the server configuration tools
2.1.2. Installing the Bison, Libpcap, Libpcre and Libnet libraries
2.1.3. Installing Snort
2.2. Creating the database that stores the alerts
2.3. Configuring Snort
2.3.1. Creating the group and user that run Snort
2.3.2. Creating rules for Snort
2.4. Installing BASE
CHAPTER 3. DEPLOYMENT AND EVALUATION OF RESULTS
3.1. Deployment environment
3.2. Some results of the program's functions
3.3. Evaluation and remarks
LIST OF ABBREVIATIONS

LIST OF FIGURES
OVERVIEW OF THE TOPIC
1. Context and reasons for carrying out the topic
3. Structure of the project
The report is organised as follows:
Overview of the topic
Chapter 1. Theoretical background
Chapter 2. System design and construction
Chapter 3. Deployment and evaluation of results
Conclusion
References
Chapter 1. THEORETICAL BACKGROUND

1.1. Introduction

1.1.1. Introduction to IDS

1.1.1.1. Concept:

1.1.2. Introduction to Snort

1.2. Snort architecture
When Snort runs it listens on the network and captures every packet that passes through it. Captured packets are first handed to the Packet Decoder module. The packet then goes to the Preprocessor module and on to the Detection Engine. There, depending on whether an intrusion is detected, the packet is either ignored and allowed to continue on its way, or passed to the Logging and Alerting module for handling. Once the alerts have been determined, the Output module writes them out in the desired format. The following sections look in more detail at how each component works and what it is responsible for.
1.2.1. Packet decoder module - Packet Decoder

1.2.2. Preprocessor module - Preprocessors

1.2.3. Detection module - Detection Engine
This is Snort's most important module. It is responsible for detecting signs of intrusion. The detection engine compares predefined rules against the collected data in order to determine whether an intrusion has occurred. Only then can the follow-up work be done: writing logs, generating alerts and producing output.
A very important issue for the detection engine is packet processing time: an IDS typically receives a very large number of packets, and it also has a large number of rules to evaluate. Different packets can take different amounts of time to process, and when network throughput is too high, packets may be missed or the system may fail to respond in time. The throughput of the detection engine depends on factors such as the number of rules, the speed of the system running Snort and the load on the network. Some tests report that the current version of Snort, when optimised and run on a multiprocessor system with a relatively powerful configuration, can perform well even on gigabit networks.
The detection engine can also separate the parts of a packet and apply rules to each part individually. These parts can be:
- IP header
- Transport-layer header: TCP, UDP
- Application-layer header: DNS header, HTTP header, FTP header, ...
- The packet payload (rules can also be applied to the data carried in the packet)
Another question for the detection engine is what to do when one packet is matched by several rules. Because Snort rules also carry a priority, when a packet is matched by several different rules the alert that is reported is the one belonging to the rule with the highest priority. Note that in Snort 2.x this behaviour is governed by the event queue settings in snort.conf (config event_queue: ... order_events priority); with the default order_events content_length the rule with the longest content match is reported first, and the max_queue and log parameters limit how many of the matching events are queued and logged for one packet.
1.2.4. Logging and alerting module - Logging and Alerting System
Depending on whether the Detection Engine recognises an intrusion, the packet may be written to a log or an alert may be raised. The log files can be written in several formats, either as plain text or in binary form, for example the tcpdump (pcap) format.
1.2.5. Output module - Output Module

1.2.6. Snort run modes

1.2.6.1. Sniffer mode
In this mode Snort reads packets from the network and prints their headers to the console, including:
- Source IP address
- Destination IP address
- Destination port
- Packet ID
- Length of IP header
- IP payload

1.2.6.2. NIDS mode
Fast alert mode writes one line per alert containing: date and time, alert message, source and destination IP address, source and destination ports, type of packet.
1.3. Snort rule set

1.3.1. Introduction

1.3.2. Structure of a Snort rule
Consider a simple example:
alert tcp 192.168.2.0/24 23 -> any any (content:"confidential"; msg:"Detected confidential";)
The structure of a rule is therefore as follows:
Explanation:
Logically, every Snort rule consists of two parts: the Header and the Options.
- The Header holds the action the rule takes when an intrusion is found in a packet, together with the criteria that decide whether the rule is applied to the packet at all (protocol, addresses, ports and direction).
- The Options hold the alert message and the details of which parts of the packet are used to produce the alert. The Options carry the additional criteria used to match the rule against the packet. One rule can detect one or more probing or attack activities; well-written rules apply to several intrusion signatures.
Below is the general structure of the Header of a Snort rule:
action protocol source_address source_port direction destination_address destination_port
Example:
alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)
The part before the opening parenthesis is the rule Header; the rest is the Options. The parts of the Header are described one by one in the next section.
1.3.3. Rule header
As presented above, the Header of a rule is made up of several parts. Each of them is described in detail below.
Rule Action
This is the first part of the rule; it specifies which action is taken when the rule's conditions are satisfied. An action is taken if and only if all the conditions match. Five actions are predefined (alert, log, pass, activate and dynamic), but custom actions can be created to suit one's own requirements. For the versions
alert tcp any any -> 192.168.1.10/32 80 (msg:"TTL=100"; ttl:100;)
This rule raises an alert for every packet from any source with TTL = 100 that is going to the web server 192.168.1.10 on port 80.
Address negation (excluding addresses)
Snort lets us exclude addresses with the negation sign (!). Placed in front of an address, it tells Snort not to consider packets coming from, or going to, that address. For example, the following rule applies to all packets except those originating from the class C network 192.168.2.0:
alert icmp ![192.168.2.0/24] any -> any any (msg:"Ping with TTL=100"; ttl:100;)
Address lists
A list of addresses can be given in a Snort rule. For example, to apply a rule to all packets except those originating from the two class C networks 192.168.2.0 and 192.168.8.0, the rule is written as:
alert icmp ![192.168.2.0/24,192.168.8.0/24] any -> any any (msg:"Ping with TTL=100"; ttl:100;)
The square brackets are required whenever more than one address is listed, with or without a leading !; a single address can be negated without them, as in !192.168.2.0/24.
Port number
The port number applies the rule to packets coming from, or going to, a specific port or range of ports. For example, source port 23 can be used to apply a rule to all packets coming from a Telnet server. The word any stands for all ports. Note that port numbers are only meaningful for the TCP and UDP protocols; if the rule's protocol is ip or icmp, the port fields play no role.
Example:
alert tcp 192.168.2.0/24 23 -> any any (content:"confidential"; msg:"Detected confidential";)
Port numbers are useful when a rule should apply only to one particular kind of traffic. For example, a rule against web attacks only needs port 80 to detect the attack.
Port ranges:
A range is written with a colon: 1:1024 matches ports 1 to 1024, :1024 matches every port up to 1024, and 1024: matches every port from 1024 upwards. Several ports or ranges can be listed in square brackets, for example [80,443], and a leading ! negates the port, range or list.
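The header constructs described in this section can be checked mechanically. The following Python is an added example, not code from the report and not Snort's own implementation: it parses the header part of a rule (any, CIDR addresses, ! negation, bracketed lists, single ports and port ranges, the -> and <> directions) and tests it against packets. The rule with <> and the packet dicts are constructed for the example; the other rules are the ones quoted above.

```python
import ipaddress

# Added example, not code from the report: a matcher for the header part of a
# Snort rule.  Packets are dicts constructed inline; nothing is read from the
# network.

def _header_tokens(rule):
    """Split the text before '(' into its seven fields, keeping bracketed
    lists (which may contain spaces after commas) as single tokens."""
    depth, chars = 0, []
    for ch in rule.split("(", 1)[0]:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if not (ch.isspace() and depth > 0):
            chars.append(ch)
    return "".join(chars).split()

def _parse_addr(spec):
    """Address field -> (negated, [network, or None for 'any'])."""
    negated = spec.startswith("!")
    items = spec.lstrip("!").strip("[]").split(",")
    nets = [None if i == "any" else ipaddress.ip_network(i, strict=False) for i in items]
    return negated, nets

def _parse_port(spec):
    """Port field -> (negated, [(low, high)]); 'any' is the full range."""
    negated = spec.startswith("!")
    ranges = []
    for item in spec.lstrip("!").strip("[]").split(","):
        if item == "any":
            ranges.append((0, 65535))
        elif ":" in item:                      # 1:1024, :1024 or 1024:
            lo, hi = item.split(":")
            ranges.append((int(lo or 0), int(hi or 65535)))
        else:
            ranges.append((int(item), int(item)))
    return negated, ranges

def parse_header(rule):
    action, proto, src, sport, direction, dst, dport = _header_tokens(rule)
    return {"action": action, "proto": proto, "direction": direction,
            "src": _parse_addr(src), "sport": _parse_port(sport),
            "dst": _parse_addr(dst), "dport": _parse_port(dport)}

def _addr_ok(field, ip):
    negated, nets = field
    hit = any(n is None or ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated          # "!" inverts the result for the whole list

def _port_ok(field, port):
    negated, ranges = field
    return any(lo <= port <= hi for lo, hi in ranges) != negated

def header_matches(hdr, pkt):
    """True if the rule header applies to pkt.  Ports are only compared for
    tcp/udp; for ip and icmp rules the port fields are ignored, as in Snort."""
    if hdr["proto"] != "ip" and hdr["proto"] != pkt["proto"]:
        return False
    use_ports = pkt["proto"] in ("tcp", "udp")

    def one_way(a, ap, b, bp):
        ok = _addr_ok(hdr[a], pkt["src"]) and _addr_ok(hdr[b], pkt["dst"])
        if ok and use_ports:
            ok = _port_ok(hdr[ap], pkt["sport"]) and _port_ok(hdr[bp], pkt["dport"])
        return ok

    if one_way("src", "sport", "dst", "dport"):
        return True
    # "<>" is bidirectional: also try the rule with source and destination swapped.
    return hdr["direction"] == "<>" and one_way("dst", "dport", "src", "sport")

def matching_rules(rules, pkt):
    """The rule strings whose headers apply to pkt, in rule order."""
    return [r for r in rules if header_matches(parse_header(r), pkt)]

# Rules quoted in the text, plus one constructed rule using <> and a port list.
RULES = [
    'alert tcp 192.168.2.0/24 23 -> any any (content:"confidential"; msg:"Detected confidential";)',
    'alert tcp any any -> 192.168.1.10/32 80 (msg:"TTL=100"; ttl:100;)',
    'alert icmp ![192.168.2.0/24, 192.168.8.0/24] any -> any any (msg:"Ping with TTL=100"; ttl:100;)',
    'alert tcp any any <> 192.168.1.0/24 [1:1024,3306] (msg:"low port or mysql, either direction";)',
]

# Constructed packets (not captures from the report's test network).
PACKETS = {
    "telnet_from_lan": {"proto": "tcp", "src": "192.168.2.5", "sport": 23, "dst": "10.0.0.1", "dport": 40000},
    "web_to_server":   {"proto": "tcp", "src": "10.0.0.1", "sport": 51234, "dst": "192.168.1.10", "dport": 80},
    "ping_from_lan":   {"proto": "icmp", "src": "192.168.8.1", "dst": "192.168.1.1"},
    "ping_from_wan":   {"proto": "icmp", "src": "10.1.1.1", "dst": "192.168.1.1"},
    "mysql_reply":     {"proto": "tcp", "src": "192.168.1.20", "sport": 3306, "dst": "10.0.0.1", "dport": 50000},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, "->", [r.split("(")[0].strip() for r in matching_rules(RULES, pkt)])
```

The mysql_reply packet only matches because the last rule uses <>; with -> the same header would require the 192.168.1.0/24 side to be the destination.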
1.3.4. Rule options
The Rule Options follow immediately after the Rule Header and are enclosed in parentheses. When there are several options they are separated by semicolons (;). When several options are used they must all be satisfied at the same time, that is, logically the options are combined with AND. Each option is defined by a keyword; some options also take an argument. In general an option has two parts, a keyword and an argument, separated by a colon, for example:
msg:"Detected confidential";
where msg is the keyword and Detected confidential is the argument.
Some of the options of a Snort rule are described in detail below.
The ack keyword
any -> 192.168.1.0/24 any
The classtype keyword
Rules can be classified and assigned a priority number in order to distinguish them from one another. To understand this keyword one first has to understand the file classification.config (which is pulled into snort.conf with the include keyword). Each line of classification.config has the following syntax:
config classification: name, description, priority
where:
- name: the name of the class, referenced from rules with the classtype keyword
- description: a description of this class
- priority: the priority assigned to rules of this class (1 is the highest)
Example:
config classification: DoS,Denial of Service Attack,2
and in a rule:
alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; content:"server"; classtype:DoS;)
alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; content:"server"; classtype:DoS; priority:1;)
The first rule inherits priority 2 from the DoS class; in the second, the explicit priority keyword overrides the class priority and raises it to 1.
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; msg:"HTTP matched";)
- depth: specifies how far from the offset Snort keeps searching, that is, where the search stops. It is normally used together with the offset keyword described above.
Example:
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)
Here Snort looks for "HTTP" only within the 40 bytes that start at byte 4 of the payload. Limiting the search window in this way saves search time when the packet's data is large.
The content-list keyword
alert tcp 192.168.1.0/24 any -> any any (content-list:"test"; msg:"This is my Test";)
The negation character ! can also be placed in front of the file name to alert on packets in which none of the strings listed in the file is found.
The dsize keyword
This keyword matches on the length of the packet's data (payload). Many attacks exploit buffer overflows by sending packets that carry very large amounts of data. With this keyword the size of the packet's data can be compared against a given number:
alert ip any any -> 192.168.1.0/24 any (dsize:>6000; msg:"Goi tin co kich thuoc lon";)
Note that dsize is evaluated on the payload of a single packet. A standard Ethernet frame carries about 1500 bytes, so a threshold of 6000 is only reached by jumbo frames or by fragmented IP datagrams that the frag3 preprocessor has reassembled; dsize is not applied to TCP segments rebuilt by the stream preprocessor. A threshold below the MTU (for example dsize:>1400) is needed to catch large payloads on an ordinary network.
The flags keyword
The flags keyword tests the TCP flags of a packet. The characters used in a Snort rule for each flag are:
Flag                     Character in a Snort rule
FIN (Finish Flag)        F
SYN (Sync Flag)          S
RST (Reset Flag)         R
PSH (Push Flag)          P
ACK (Acknowledge Flag)   A
URG (Urgent Flag)        U
Reserved Bit 1           1
Reserved Bit 2           2
No flag set              0
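The following Python is an added example, not code from the report and not Snort's implementation. It evaluates the option keywords covered in this section (ttl, dsize, flags, content with offset, depth and nocase, classtype and priority) against packets, and shows how the alert reported for a packet that matches several rules depends on the event ordering discussed in 1.2.3. Only the protocol of the header is checked; addresses and ports are assumed to have matched already. The classification lines, the packets, the flags:S rule and the "DoS priority 1" message are constructed for the example, and the priority 3 given to rules with neither classtype nor priority is this example's assumption, not a documented Snort default.

```python
# Added example, not code from the report: evaluating Snort rule options and
# selecting the reported alert.  Packets are dicts constructed inline.

CLASSIFICATION_CONFIG = """
# constructed classification.config lines, same syntax as the text
config classification: DoS,Denial of Service Attack,2
config classification: attempted-recon,Attempted Information Leak,2
"""

def parse_classifications(text):
    """'config classification: name,description,priority' -> {name: priority}."""
    table = {}
    for line in text.splitlines():
        if line.startswith("config classification:"):
            name, _desc, prio = [p.strip() for p in line.split(":", 1)[1].split(",")]
            table[name] = int(prio)
    return table

def parse_options(rule):
    """Options between the parentheses as (keyword, argument) pairs, in order;
    the argument is '' for bare keywords such as nocase.  Splitting on ';' is
    enough for these rules; a real parser must respect quoted arguments."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for item in body.split(";"):
        if item.strip():
            key, _, val = item.strip().partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    return opts

def _dsize_ok(spec, size):
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) < size < int(hi)
    if spec.startswith(">"):
        return size > int(spec[1:])
    if spec.startswith("<"):
        return size < int(spec[1:])
    return size == int(spec)

def _flags_ok(spec, flags):
    """flags:S matches exactly SYN; flags:S+ matches SYN plus any others; flags:0 means none set."""
    want = set(spec.rstrip("+*!").replace("0", ""))
    have = set(flags)
    return want <= have if spec.endswith("+") else want == have

def _content_ok(opts, i, payload):
    """content at opts[i], honouring the offset/depth/nocase modifiers that
    follow it up to the next content keyword.  depth counts from offset."""
    pattern = opts[i][1].encode()
    offset, depth, nocase = 0, None, False
    for key, val in opts[i + 1:]:
        if key == "content":
            break
        if key == "offset":
            offset = int(val)
        elif key == "depth":
            depth = int(val)
        elif key == "nocase":
            nocase = True
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return (pattern.lower() in window.lower()) if nocase else (pattern in window)

def options_match(rule, pkt):
    """All options must hold: the options of a rule are ANDed together."""
    proto = rule.split()[1]
    if proto != "ip" and proto != pkt["proto"]:
        return False
    opts = parse_options(rule)
    for i, (key, val) in enumerate(opts):
        if key == "ttl" and pkt["ttl"] != int(val):
            return False
        if key == "dsize" and not _dsize_ok(val, len(pkt["payload"])):
            return False
        if key == "flags" and not _flags_ok(val, pkt.get("flags", "")):
            return False
        if key == "content" and not _content_ok(opts, i, pkt["payload"]):
            return False
    return True

def rule_priority(rule, classes):
    """classtype supplies the class priority; an explicit priority keyword
    overrides it.  Rules with neither get 3 here (this example's choice)."""
    opts = dict(parse_options(rule))
    prio = classes.get(opts.get("classtype"), 3)
    return int(opts["priority"]) if "priority" in opts else prio

def alerts_for(rules, pkt, classes):
    """(priority, msg, content length) for every rule matching pkt, in rule order."""
    events = []
    for r in rules:
        if options_match(r, pkt):
            o = dict(parse_options(r))
            events.append((rule_priority(r, classes), o.get("msg", ""), len(o.get("content", ""))))
    return events

def reported_alert(events, order="priority"):
    """msg of the event Snort's event queue reports first: order_events priority
    (1 is highest) or the default order_events content_length (longest content).
    Ties keep rule order."""
    if not events:
        return None
    key = (lambda e: e[0]) if order == "priority" else (lambda e: -e[2])
    return min(events, key=key)[1]

RULES = [  # rules from the text; the last one is constructed from the flags table
    'alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)',
    'alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; content:"server"; classtype:DoS;)',
    'alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS priority 1"; content:"server"; classtype:DoS; priority:1;)',
    'alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)',
    'alert ip any any -> 192.168.1.0/24 any (dsize:>6000; msg:"Goi tin co kich thuoc lon";)',
    'alert tcp any any -> any any (msg:"SYN only"; flags:S;)',
]
PACKETS = {  # constructed, not captures
    "ping":  {"proto": "icmp", "ttl": 100, "flags": "", "payload": b""},
    "dos":   {"proto": "udp", "ttl": 64, "flags": "", "payload": b"hit the server now"},
    "http":  {"proto": "tcp", "ttl": 64, "flags": "PA", "payload": b"GET HTTP/1.1"},
    "http0": {"proto": "tcp", "ttl": 64, "flags": "PA", "payload": b"HTTP at offset 0"},
    "syn":   {"proto": "tcp", "ttl": 64, "flags": "S", "payload": b""},
    "jumbo": {"proto": "udp", "ttl": 64, "flags": "", "payload": b"A" * 7000},
}
```

For the "dos" packet both DoS rules match with the same content length, so content_length ordering reports the first rule ("DoS") while priority ordering reports the rule with priority 1; the "http0" packet shows offset:4 excluding a match that sits at the start of the payload.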
Chapter 2. SYSTEM DESIGN AND CONSTRUCTION

2.1. Requirements analysis
Install an intrusion detection system with Snort; Snort's logs are written to a MySQL database, and the administrator monitors the logs through the interface of BASE (Basic Analysis And Security Engine).
The packages that need to be installed are covered in the following sections.
2.1.1. Installing the server configuration tools
Install apache:
sudo apt-get install apache2
Install php5:
sudo apt-get install php5 libapache2-mod-php5
Install phpmyadmin:
sudo apt-get install phpmyadmin
Install mysql:
sudo apt-get install mysql-server mysql-client
2.1.2. Installing the Bison, Libpcap, Libpcre and Libnet libraries
On Ubuntu these libraries are also available as packages (sudo apt-get install flex bison libpcap-dev libpcre3-dev libnet1-dev); the report builds them from source as follows.
2.1.2.1. Installing the flex library
Download flex:
root@Ubuntu:/home/chau/Desktop/Install# wget http://biznetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz
Copy the archive to the build directory and change into it:
root@Ubuntu:/home/chau/Desktop/Install# cp flex-2.5.35.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
Extract flex:
root@Ubuntu:/usr/local# tar -xvzf flex-2.5.35.tar.gz
Change into flex-2.5.35:
root@Ubuntu:/usr/local# cd flex-2.5.35
Configure, build and install:
root@Ubuntu:/usr/local/flex-2.5.35# ./configure
root@Ubuntu:/usr/local/flex-2.5.35# make && make install
2.1.2.2. Installing the Bison library:
2.1.2.3. Installing libpcap
root@Ubuntu:/home/chau/Desktop/Install# cp libpcap-1.0.0.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf libpcap-1.0.0.tar.gz
root@Ubuntu:/usr/local# cd libpcap-1.0.0
root@Ubuntu:/usr/local/libpcap-1.0.0# ./configure
root@Ubuntu:/usr/local/libpcap-1.0.0# make && make install
2.1.2.4. Installing pcre
root@Ubuntu:/home/chau/Desktop/Install# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp pcre-7.9.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf pcre-7.9.tar.gz
root@Ubuntu:/usr/local# cd pcre-7.9
root@Ubuntu:/usr/local/pcre-7.9# ./configure
root@Ubuntu:/usr/local/pcre-7.9# make && make install
2.1.2.5. Installing Libnet:
root@Ubuntu:/home/chau/Desktop/Install# wget ftp://64.50.238.52/.1/gentoo/distfiles/libnet-1.1.2.1.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp libnet-1.1.2.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local/
root@Ubuntu:/usr/local# tar -xvzf libnet-1.1.2.1.tar.gz
root@Ubuntu:/usr/local# cd libnet
root@Ubuntu:/usr/local/libnet# ./configure
root@Ubuntu:/usr/local/libnet# make && make install
2.1.3. Installing Snort:
root@Ubuntu:/home/chau/Desktop/Install# wget http://www.procyonlabs.com/mirrors/snort/snort-2.8.4.1.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp snort-2.8.4.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local/
root@Ubuntu:/usr/local# tar -xvzf snort-2.8.4.1.tar.gz
root@Ubuntu:/usr/local# cd snort-2.8.4.1
root@Ubuntu:/usr/local/snort-2.8.4.1# ./configure --with-mysql
root@Ubuntu:/usr/local/snort-2.8.4.1# make && make install
The --with-mysql option builds the database output plugin that section 2.2 relies on; it needs the MySQL client headers (libmysqlclient-dev on Ubuntu) to be present when configure runs. All of the source archives above are fetched over plain HTTP or FTP from third-party mirrors, so each downloaded file should be checked against the checksum or signature published by its project before it is built and installed as root.
2.2. Creating the database that stores the alerts
Log in to MySQL as root and create the database, together with the snort account that Snort and BASE use to connect to it (the same user name and password are entered in base_conf.php in section 2.4), for example:
root@Ubuntu:~# mysql -u root -p
mysql> create database snort;
mysql> grant create, insert, select, update, delete on snort.* to 'snort'@'localhost' identified by '123456';
mysql> exit
Load Snort's MySQL schema into the new database:
root@Ubuntu:~# cd /usr/local/snort-2.8.4.1/schemas/
root@Ubuntu:/usr/local/snort-2.8.4.1/schemas# mysql -u root -p snort < create_mysql
2.3. Configuring Snort
2.3.1. Creating the group and user:
root@Ubuntu:~# groupadd snort
root@Ubuntu:~# useradd -g snort snort
2.3.2. Creating rules for Snort
Create the snort directories:
root@Ubuntu:~# mkdir /etc/snort
root@Ubuntu:~# mkdir /etc/snort/rules
Create a rule file containing:
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
Save it as /etc/snort/rules/icmp.rules.
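The snort.conf entries that tie the rule file and the database together are not shown in the report; the following fragment is an added example, not the report's own configuration. It assumes the database name, user and password from sections 2.2 and 2.4, a monitored network of 192.168.1.0/24 (the network used in the report's rule examples) and the snort.conf syntax of Snort 2.8.

```conf
# /etc/snort/snort.conf (fragment, added example; values are assumptions)
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules

# Write logged events to the MySQL database created in section 2.2
# (same credentials as base_conf.php in section 2.4).
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost

# Also keep a one-line-per-alert text file under the log directory.
output alert_fast: alert.fast

# Pull in the rule file written in section 2.3.2.
include $RULE_PATH/icmp.rules
```

Create the log directory for the unprivileged user (mkdir -p /var/log/snort && chown snort:snort /var/log/snort), check the configuration with snort -T -c /etc/snort/snort.conf, and then start the sensor dropping privileges to the account created in 2.3.1: snort -c /etc/snort/snort.conf -i eth0 -u snort -g snort -D. Because the database password is stored in clear text in both snort.conf and base_conf.php, both files should be readable only by root and the account that needs them, and 123456 should be replaced with a real password.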
2.4. Installing BASE
The web server and PHP are already installed; a few PEAR packages for PHP still need to be added.
Installing ADODB
root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/adodb/adodb508a.tgz
root@Ubuntu:/home/chau/Desktop/Install# cp adodb508a.tgz /var/www/
root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
root@Ubuntu:/var/www# tar -xvzf adodb508a.tgz
Installing BASE:
root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp base-1.4.2.tar.gz /var/www/
root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
root@Ubuntu:/var/www# tar -xzvf base-1.4.2.tar.gz
root@Ubuntu:/var/www# rm -rf base-1.4.2.tar.gz
root@Ubuntu:/var/www# cd base-1.4.2/
root@Ubuntu:/var/www/base-1.4.2# cp base_conf.php.dist base_conf.php
root@Ubuntu:/var/www/base-1.4.2# vi base_conf.php
Edit the following settings:
$DBlib_path = '/var/www/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '123456';
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = '123456';
/* Whois query */
$external_whois_link = '';
/* DNS query */
$external_dns_link = '';
/* SamSpade "all" query */
$external_all_link = '';
Two points about this configuration. The archive settings point at the same snort database as the live alerts, so there is no separate archive; unless one is created, $archive_exists should be 0. The ADODB library is also unpacked under the web root (/var/www/adodb5), where its files can be fetched directly over HTTP; keeping it outside the document root and pointing $DBlib_path there, and restricting access to base_conf.php (which holds the database password in clear text), reduces the exposure of the console.
Chapter 3. DEPLOYMENT AND EVALUATION OF RESULTS

3.1. Deployment environment

3.2. Some results of the program's functions
Figure 7: Snort's logs displayed through the BASE interface, ICMP protocol.
Figure 9: The iphdr table of the snort database, holding the version, ip_len, ip_id, ip_ttl and ip_csum of the Windows machine.
Figure 10
Figure 11:
3.3. Evaluation and remarks
Theoretically:
Experimentally:
The Snort intrusion detection system was installed successfully on the Ubuntu operating system. As deployed here, sniffing and logging, it detects and records intrusions; it does not block them, which would require running Snort inline.
The Snort system provides the following functions:
- Detecting intrusions from outside into the system.
- Displaying Snort's logs through the BASE interface.
- Storing the time and IP address of the intruding host in the snort database tables, viewable through phpMyAdmin.
2. Outstanding issues
Snort can only counter attacks effectively if it knows the signature of those attacks. Relying on this, attackers can adjust an attack so that its signature changes, and such attacks can then slip past Snort's monitoring. The rule set therefore has to be kept current, and rules should be written to be as insensitive to such changes as possible: case-insensitive matching with nocase, matching on reassembled streams rather than on single packets, and using the preprocessors that normalise encoded traffic before the detection engine sees it.
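The point above can be seen on the report's own content:"confidential" rule. The following Python is an added example, not code from the report and not Snort's implementation: it reduces the content option to a substring test and runs it over constructed variants of the same leaked message, with and without nocase and with and without stream reassembly. The message text and the segment boundaries are constructed for the example.

```python
import base64

# Added example, not code from the report: how small changes to the attacker's
# traffic defeat a content signature, and what it takes to catch it again.
# All segments are byte strings constructed inline.

def content_match(payload, pattern, nocase=False):
    """The content option reduced to a substring test (no offset/depth)."""
    return pattern.lower() in payload.lower() if nocase else pattern in payload

def inspect_segments(segments, pattern, nocase=False, reassemble=False):
    """Run the signature over a list of TCP segments.  Without reassembly each
    segment is inspected on its own; with reassemble=True the segments are
    first joined back into the stream, as Snort's stream preprocessor does
    before the detection engine sees the data."""
    if reassemble:
        return content_match(b"".join(segments), pattern, nocase)
    return any(content_match(s, pattern, nocase) for s in segments)

# Constructed variants of the same message, as an attacker might send them.
ATTEMPTS = {
    "plain":          [b"subject: confidential report"],
    "case change":    [b"subject: CONFIDENTIAL report"],
    "split in two":   [b"subject: confid", b"ential report"],
    "base64 encoded": [base64.b64encode(b"subject: confidential report")],
}

def evasion_report(pattern=b"confidential"):
    """For each variant: is it detected by the naive rule, by the rule with
    nocase, and by the nocase rule applied to the reassembled stream?"""
    report = {}
    for name, segs in ATTEMPTS.items():
        report[name] = {
            "naive rule":    inspect_segments(segs, pattern),
            "nocase":        inspect_segments(segs, pattern, nocase=True),
            "nocase+stream": inspect_segments(segs, pattern, nocase=True, reassemble=True),
        }
    return report

if __name__ == "__main__":
    for name, result in evasion_report().items():
        print(f"{name:15s}", result)
```

The case change is caught by nocase alone, the split needs stream reassembly as well, and the encoded variant is missed by every form of this signature, which is the limit of signature matching that the section describes.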