
IDS/IPS basics

An intrusion detection system (IDS) monitors for, detects and may also block intrusions and unauthorized use of the resources of a network. An IDS collects information from many sources (from a single host or from a network node) and then analyzes that information in different ways to detect unauthorized intrusion. When an IDS is able to block the intrusion attempts it detects, it is called an intrusion prevention system (IPS). IDS and IPS are usually placed in front of the firewall. For a small network, typically with a single security server, an IPS is the usual solution because it combines detection, alerting and blocking; in a large network the blocking function is usually given to the firewall or to a dedicated device, while the IDS does the detection and alerting.

Classification of IDS and IPS: the usual way to classify them is by the source of the data they collect. IDS systems are usually divided into the following types:
+ HIDS (host IDS): uses audit data from the host itself to detect intrusion.
+ NIDS (network IDS): uses all the traffic flowing on the network, from one host or many.
A NIDS usually has two components:
- sensor: placed on a network segment, it monitors suspicious traffic on that segment.
- terminal: the management station; it receives signals from the sensors and notifies the network administrator.
Advantages:
- low cost
- traces are hard to erase
- more independent than an IPS

Introduction to the IDS software Snort (in IDS/IPS)
- Snort is a free, open-source program with many features that runs on many operating systems, e.g. Windows XP, Linux.
- Snort can capture packets and can be configured to run as a NIDS.
* Advantage: supports many protocols.
A typical Snort installation has the following components:
+ packet decoder module
+ preprocessor module
+ detection module
+ logging and alerting module
+ output module
When Snort runs, it listens for and captures every packet passing through it.

After a packet is captured it is passed to the packet decoder module, then to the preprocessor module and on to the detection module. At the detection module, depending on whether something is detected: if nothing is detected the packet is ignored; if something is detected it is passed to the logging and alerting module. Finally it goes to the output module.

RULES IN SNORT
Structure of a rule: a rule has two parts:
+ rule header
+ rule option

Example: alert tcp 192.168.1.0/24 23 -> any any (content:"confidental";msg: "phat hien duoc tan cong ")
- The rule header contains the action to take when the packet is found to match an intrusion, and it also contains the matching criteria (see the header structure below).
- The rule option contains the alert message and information about which parts of the packet are used to generate the alert; the option part also contains additional information to compare against the packet, and one rule can detect one or more probing or attack activities.

General structure of a rule header in Snort:
Action protocol address port direction address port
where:
Action: specifies what kind of action is taken when the signs in the packet are identified exactly by the rule ---> the actions generate an alert, log the message, or activate another rule.
Protocol: restricts the rule to packets of one specific protocol.
Address: the source and destination addresses; each can be a single host, several hosts, or a network.
Port: lets us specify the source and destination port of the packet to which the rule applies.
Direction: indicates which side is the source and which is the destination.
Example: alert icmp any any -> any any (msg:"ping with ttl=100";ttl:100)
The part before the opening parenthesis is the header of the rule; the rest is the option part.
--> In the example above the action is alert, so an alert will be generated; the protocol is icmp, i.e. the rule applies only to icmp packets; the source address is any, i.e. the rule applies to packets from every source, and the port is also any.
Note: the port is only meaningful for tcp and udp packets; for icmp it has no meaning.
The actions that can be put into a rule:
- Action 1, pass: tells Snort to ignore the packet. In practice this speeds Snort up when the administrator does not want to apply checks to certain packets.
- Action 2, log: logs the packet; we can log to a file or to a database depending on need.
- Action 3, alert: sends an alert message when a sign of intrusion is detected. There are many ways to send the message: to a file or to a console. Note that when an alert message is sent, by default the packet is also logged.
- Action 4, activate: generates an alert and activates another rule -> to add further checks on the packet.
- The last action, dynamic: indicates that this rule is invoked by other rules whose action is activate.
Protocol: the second component of the rule; it specifies which packets the rule applies to --> currently Snort understands the following protocols: IP, ICMP, TCP, UDP.
ADDRESS: there are two address parts in a Snort rule, used to check the source and the destination of the packet. The address can be a single IP address or a network address; the keyword any applies to all addresses, and a network address is written followed by a slash and the number of bits in the subnet mask. Which address is the source and which is the destination depends on the direction: the address after the direction is the destination.
Example: alert tcp any any -> 192.168.1.10/32 80 (msg:"ttl=100";ttl:100)
In practice, to exclude an address in Snort we add an exclamation mark (!) in front of it; Snort then does not check that address.
Example: a rule that applies to all packets except those originating from the network 192.168.2.0/24:
alert icmp ![192.168.2.0/24] any -> any any (msg:"ping ttl=100";ttl:100)
In Snort we can also create a list of addresses, e.g. apply the rule to all packets except those from the two networks 192.168.2.0 and 192.168.8.0:
alert icmp ![192.168.2.0/24, 192.168.8.0/24] .... (as above)
The square brackets [] are only used when there is an exclamation mark (!) in front.
Port: the port number in a rule applies to packets going to or from a specific port or port range, e.g. using port 23 to cover all packets coming from a server. ** Note: port numbers only apply to UDP and TCP; IP and ICMP have no ports. In Snort a port range can be used instead of a single port; the start and end of the range are separated by a colon (:), e.g.: alert udp any 1024:2048 -> any any (...). The ! can also be applied to ports. Some common ports: 20 ftp data, 21 ftp command, 22 ssh, 23 telnet, 25 smtp, 53 DNS, 80 http, 110 pop3, 161 SNMP, 443 https, 3360 mysql ..... --> look them up online.
Direction: before --> source, after --> destination.

ADDITIONS TO THE SNORT RULE STRUCTURE SUPPORTING INLINE MODE: DROP, SDROP, INJECT, REJECT
- DROP: with a drop action Snort asks iptables to discard the packet and records the information as the log action does.
- SDROP: similar to DROP, but the difference is that SDROP does not record the information on the system.
- INJECT or REJECT: asks to reject the packet, i.e. discards it and notifies the sender of the packet.
In the original version of Snort the priority order of the actions is: activation -> dynamic -> alert -> pass -> log. In inline mode the priority order is: activation -> dynamic -> pass -> drop -> sdrop -> reject -> alert -> log.
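The header grammar from the rule section above (action, protocol, address with ! and [lists], port with ranges, direction) together with the action vocabulary of this section, including the inline-mode actions, worked through as an added Python example. This is illustration code written for these notes, not Snort's own parser: the rule strings and packet dictionaries are constructed samples (two of the rules are copied from the notes), the option part in parentheses is kept as text and not evaluated, the action priority order is not modelled, and the <> bidirectional operator, which the notes do not show, is Snort's real syntax supported here as a small extension.

```python
"""Parser and matcher for the Snort rule-header grammar described in the notes.

Illustration code for the notes, not Snort's own implementation.  It parses
    action protocol src_addr src_port direction dst_addr dst_port (options)
and decides whether a constructed packet is selected by the header.
"""
import ipaddress
import re

# Actions named in the notes: the original five plus the inline-mode ones.
ACTIONS = {"pass", "log", "alert", "activate", "dynamic", "drop", "sdrop", "reject"}
# Protocols the notes say Snort understands.
PROTOCOLS = {"ip", "icmp", "tcp", "udp"}

# Address fields may be a bracketed list (which can contain spaces), so that
# form is tried before the generic non-space token.  '<>' is Snort's
# bidirectional operator; the notes only show '->'.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>!?\[[^\]]*\]|\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>!?\[[^\]]*\]|\S+)\s+(?P<dport>\S+)"
    r"\s*(?:\((?P<opts>.*)\))?\s*$"
)


def parse_address(spec):
    """'any', '10.0.0.0/8', '![10.0.0.0/8, 10.1.0.0/16]' -> (negated, networks).
    networks is None for 'any'; a leading '!' excludes the listed networks."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    body = body.strip("[]")
    if body == "any":
        return negated, None
    nets = [ipaddress.ip_network(a.strip(), strict=False) for a in body.split(",")]
    return negated, nets


def parse_port(spec):
    """'any', '80', '1024:2048', '!23' -> (negated, (low, high) or None)."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        return negated, None
    if ":" in body:  # range: start and end separated by a colon
        low, high = body.split(":", 1)
        return negated, (int(low or 0), int(high or 65535))
    return negated, (int(body), int(body))


def parse_rule(text):
    """Split one rule into its header fields; raise ValueError on bad input."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % text)
    action, proto = m.group("action").lower(), m.group("proto").lower()
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    if proto not in PROTOCOLS:
        raise ValueError("unsupported protocol %r" % proto)
    return {
        "action": action, "proto": proto, "direction": m.group("dir"),
        "src": parse_address(m.group("src")), "sport": parse_port(m.group("sport")),
        "dst": parse_address(m.group("dst")), "dport": parse_port(m.group("dport")),
        "options": m.group("opts") or "",
    }


def _addr_ok(addr_spec, ip):
    negated, nets = addr_spec
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def _port_ok(port_spec, port):
    # A port-less packet (icmp/ip) only satisfies a port field of 'any',
    # matching the note that ports are meaningless outside tcp/udp.
    negated, rng = port_spec
    hit = rng is None or (port is not None and rng[0] <= port <= rng[1])
    return hit != negated


def matches(rule, pkt):
    """pkt is a dict: proto, src, dst, and sport/dport (absent for icmp/ip)."""
    if rule["proto"] != "ip" and pkt["proto"] != rule["proto"]:
        return False

    def one_way(a, ap, b, bp):
        return (_addr_ok(rule["src"], a) and _port_ok(rule["sport"], ap)
                and _addr_ok(rule["dst"], b) and _port_ok(rule["dport"], bp))

    forward = one_way(pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
    if forward or rule["direction"] == "->":
        return forward
    return one_way(pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))


def select_actions(rules, pkt):
    """Actions of every rule header that selects pkt, in the rules' order."""
    return [r["action"] for r in map(parse_rule, rules) if matches(r, pkt)]


if __name__ == "__main__":
    # Constructed sample rules (the first two copied from the notes) and packet.
    RULES = [
        'alert tcp any any -> 192.168.1.10/32 80 (msg:"ttl=100";ttl:100)',
        'alert icmp ![192.168.2.0/24, 192.168.8.0/24] any -> any any (msg:"ping";ttl:100)',
        'drop tcp any any -> any 23 (msg:"telnet to anywhere")',
    ]
    telnet = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000,
              "dst": "192.168.1.10", "dport": 23}
    print(select_actions(RULES, telnet))  # ['drop']
```

The matcher only decides which headers select a packet; which single action Snort finally applies when several headers match is governed by the priority order stated above and is outside this example.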
