Snort Models (Mô Hình Snort)


8/2/2019 Mo Hinh Snort

TABLE OF CONTENTS

1. INTRODUCTION ........................................... 3
2. GENERAL OPERATION ...................................... 4
3. RULES FILE PARSING ..................................... 8
4. DATA STRUCTURES AFTER P ARSING ......................... 11
5. INITIALIZATION OF THE FAST PACKET DETECTION ENGINE ..... 13
6. TOOLS AND RESOURCES .................................... 16
7. SOURCE CODE STATISTICS ................................. 17


SNORT MODELS

Authors: Andrés Felipe Arboleda ([email protected])

Charles Edward Bedón ([email protected])

Universidad del Cauca, Colombia

14th April 2005

Version 0.2 alpha

Ref: http://afrodita.unicauca.edu.co/~cbedon/snort/snort.html

Compiled and updated by: L Tin

Updated: 31/08/07.


1. INTRODUCTION

The purpose of this document is to introduce these models and the functions of Snort. The objects of the UML sequence diagrams (the rectangles at the top of each diagram) identify the source files, and the messages (the arrows) show the function calls into the corresponding source files.

All the sequence diagrams are ordered by execution; in other words, Snort's execution begins with the diagram illustrated in Figure 1, then Figure 2, and so on.

This document does not describe Snort's source code in detail; it only provides maps for developers who want to learn how to read Snort's source code.

These models were checked against Snort 2.2.0, run with the following command:

snort -d -l -c


2. GENERAL OPERATION

Figure 1: Snort block diagram

Each module is described as follows:

o Decoder: converts the captured packets into structures and identifies the link-layer protocol. It then moves on to the next layer, decoding IP, then TCP or UDP or another protocol type, to extract useful information such as ports and addresses. Snort will raise an alert if it finds malformed headers, abnormal TCP lengths, and so on.

o Preprocessors: these can be seen as a kind of filter that identifies properties to be examined later (by the following components, such as the Detection Engine), for example suspicious connection attempts to TCP/UDP ports, or a large number of UDP packets arriving within a short time (a port scan). The preprocessor functions take potentially dangerous work away from the Detection Engine by trying to find known patterns.


o Rules files: these are files containing a list of rules with a given syntax. The syntax includes protocols, addresses, associated output plug-ins, and so on. Rule files are updated in the same way as virus-definition files.

o Detection plug-ins: modules referenced from their definitions in the rules files; they are used to identify attack patterns whenever a rule is matched.

o Detection engine: it makes use of the detection plug-ins; it matches packets against the rules that were loaded into memory when Snort was initialized.

o Output plug-ins: these modules format the notifications (alerts, logs) so that users can access them in many ways (console, external files, databases, etc.).
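As an added illustration of the Decoder module described above (this is example code written for this page, not Snort's decoder and not code from the original document), the following C program walks a constructed Ethernet/IPv4/TCP frame layer by layer, extracts the addresses and ports, and reports malformed headers (a bad IP or TCP header length, a frame shorter than its headers claim) as a decode status rather than trusting the length fields. Every name in it is the example's own.

```c
/* Added example, not code from Snort or from the original document: a minimal
 * Ethernet -> IPv4 -> TCP/UDP decoder in the spirit of Snort's Decoder module.
 * Every length field is checked against the bytes actually present, and a
 * malformed header is reported as a status instead of being trusted. All
 * names here are the example's own, and the frame it decodes is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HDR_LEN  14
#define ETHERTYPE_IP 0x0800

enum decode_status {
    DECODE_OK = 0,
    DECODE_TRUNCATED,     /* frame shorter than its headers claim */
    DECODE_BAD_IP_HLEN,   /* IHL below the 20-byte minimum */
    DECODE_BAD_TCP_HLEN,  /* TCP data offset below the 20-byte minimum */
    DECODE_UNSUPPORTED    /* not IPv4, or not TCP/UDP */
};

struct decoded_packet {            /* a small cousin of Snort's Packet structure */
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint16_t src_port, dst_port;   /* host byte order */
    uint8_t  ip_proto;
    const uint8_t *payload;
    size_t payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

enum decode_status decode_frame(const uint8_t *frame, size_t len, struct decoded_packet *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETH_HDR_LEN) return DECODE_TRUNCATED;
    if (rd16(frame + 12) != ETHERTYPE_IP) return DECODE_UNSUPPORTED;

    /* IPv4: version/IHL, total length, protocol, addresses */
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ip_avail = len - ETH_HDR_LEN;
    if (ip_avail < 20) return DECODE_TRUNCATED;
    if ((ip[0] >> 4) != 4) return DECODE_UNSUPPORTED;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20) return DECODE_BAD_IP_HLEN;
    size_t total_len = rd16(ip + 2);
    if (total_len < ihl || total_len > ip_avail) return DECODE_TRUNCATED;
    out->ip_proto = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);

    /* Transport: validate the header length before reading anything past it */
    const uint8_t *l4 = ip + ihl;
    size_t l4_avail = total_len - ihl, l4_hlen;
    if (out->ip_proto == 6) {                        /* TCP */
        if (l4_avail < 20) return DECODE_TRUNCATED;
        l4_hlen = (size_t)(l4[12] >> 4) * 4;
        if (l4_hlen < 20) return DECODE_BAD_TCP_HLEN;
        if (l4_hlen > l4_avail) return DECODE_TRUNCATED;
    } else if (out->ip_proto == 17) {                /* UDP */
        if (l4_avail < 8) return DECODE_TRUNCATED;
        l4_hlen = 8;
    } else {
        return DECODE_UNSUPPORTED;
    }
    out->src_port = rd16(l4);
    out->dst_port = rd16(l4 + 2);
    out->payload = l4 + l4_hlen;
    out->payload_len = l4_avail - l4_hlen;
    return DECODE_OK;
}

/* Constructed sample frame (not a capture): TCP 10.0.0.5:40000 -> 192.168.1.10:111
 * carrying the 4-byte payload |00 01 86 a5| from the page's mountd rule. */
static const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00, 0x00,0x2c, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00,       /* IPv4, total len 44 */
    10,0,0,5, 192,168,1,10,                                                 /* src, dst address */
    0x9c,0x40, 0x00,0x6f, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,         /* TCP ports, seq, ack */
    0x50,0x18, 0x20,0x00, 0x00,0x00, 0x00,0x00,                             /* doff 5, PSH|ACK, ... */
    0x00,0x01,0x86,0xa5                                                     /* payload */
};

enum decode_status decode_sample(struct decoded_packet *out) { return decode_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME, out); }

/* The same frame with the TCP data offset corrupted to 1 (4 bytes): reported, not read. */
enum decode_status decode_sample_bad_tcp(struct decoded_packet *out)
{
    uint8_t f[sizeof SAMPLE_FRAME];
    memcpy(f, SAMPLE_FRAME, sizeof f);
    f[ETH_HDR_LEN + 20 + 12] = 0x10;
    return decode_frame(f, sizeof f, out);
}

/* The same frame cut 10 bytes short: the IP total length no longer fits. */
enum decode_status decode_sample_truncated(struct decoded_packet *out) { return decode_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME - 10, out); }
```

The status values stand in for the alerts the text says the decoder raises on malformed headers; a detection engine would only be handed packets that decode as DECODE_OK, with ports and addresses already filled in.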


Figure 2: Snort initialization (sequence diagram 1)

Figure 3: Snort initialization (sequence diagram 2)


Figure 4: Parsing the rules file (sequence diagram 3).


3. RULES FILE PARSING

Note: the following functions are in the file ./parser.c.

The ParseRulesFile() function

This function parses, in a single loop, each line of the configuration file (for example, snort.conf). If the line is a valid rule (not a comment), it is passed to a rule parser (the ParseRule() function).

The ParseRule() function

This function is executed once for each valid rule in the configuration file. First, it looks for lines that are not intrusion detection rules, in other words directives such as include, var, preprocessor and output plug-ins, and it calls the initialization functions for each of them.

If the line is a rule, meaning it begins with alert, log, pass, activate or dynamic, the rule is validated and placed into memory by the ProcessHeadNode() function.

Detection rules are stored in memory inside RuleTreeNode (RTN) and OptTreeNode (OTN) structures, which are declared in the file ./rules.h.

Note: see also question 3.17, "How does rule ordering work?", of [SnortFAQ 03].

The ProcessHeadNode() function

Prototype: ProcessHeadNode(RuleTreeNode *test_node, ListHead *list, protocol)

It takes an RTN pointer in test_node and attaches it to the end of the RTN chain of the corresponding protocol in the ListHead pointed to by list [Schildt 90].


Figure 5: Data structures associated with the ProcessHeadNode() function.

The ParseRuleOptions() function

Prototype: ParseRuleOptions(char *rule, int rule_type, int protocol)

It creates the OTNs and attaches them to the RTN pointed to by the global variable rtn_tmp, which was set by the ProcessHeadNode() function. It is called after ProcessHeadNode() by ParseRule().

In this way we obtain a structure of RTNs and OTNs linked as a matrix (here we use "linked matrix" for a structure linked in two directions) in which the rules are stored in memory. The RTNs hold the data given by the rule header, while the OTNs hold the data given by the rule options section.

Example:

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
|--------------- Header ---------------| |------------------ Options ------------------|

The linked matrix is illustrated below. In the figure, each square represents a data structure and each arrow a pointer.


Figure 6: Linked matrix


4. DATA STRUCTURES AFTER PARSING

After the rules file has been parsed, the rules are stored in RTNs and OTNs with the following structure:

Figure 7: How the rules are stored.

The RuleLists pointer is a global variable declared in the file ./parser.c; it is used to go over all the rules held in memory. It points to the first element of the RuleListNode linked list. Each node of the list has a ListHead pointer, and there is one such structure per rule type (Alert, Dynamic, Log, Pass and Activation). Finally, each ListHead has 4 pointers, corresponding to the 4 protocols (IP, TCP, UDP and ICMP), each pointing to a linked matrix of RTNs and OTNs (where the rules are stored).
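To make Sections 3 and 4 concrete, here is an added example in C, written for this page and not taken from Snort's parser.c or from the original document: it parses a few constructed snort.conf lines the way ParseRulesFile(), ParseRule(), ProcessHeadNode() and ParseRuleOptions() are described, storing them in the RuleLists -> RuleListNode -> ListHead -> RTN -> OTN chain, and then walks that chain to count headers and rules. The Snort type and field names are reused, but their contents, the header comparison and the parsing are simplified assumptions of this example.

```c
/* Added example, not the Snort source and not code from the original document:
 * a scaled-down model of how ./parser.c stores rules. RuleLists, RuleListNode,
 * ListHead, RuleTreeNode (RTN), OptTreeNode (OTN), right and down are the names
 * the text cites; the fields and parsing logic are this example's simplifications. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>

typedef struct OptTreeNode { char options[128]; struct OptTreeNode *next; } OptTreeNode; /* one rule's options */
typedef struct RuleTreeNode {                         /* one distinct rule header */
    char sip[32], sport[8], dip[32], dport[8];        /* zero-padded header fields */
    OptTreeNode *down; struct RuleTreeNode *right;    /* down: its OTNs; right: next header */
} RuleTreeNode;
typedef struct { RuleTreeNode *IpList, *TcpList, *UdpList, *IcmpList; } ListHead;
typedef struct RuleListNode { char name[16]; ListHead *RuleList; struct RuleListNode *next; } RuleListNode;

static RuleListNode *RuleLists = NULL;  /* global head pointer, as in ./parser.c */

static RuleListNode *rule_list_for(const char *action)   /* find or create per rule type */
{
    RuleListNode **pp = &RuleLists;
    for (; *pp; pp = &(*pp)->next)
        if (strcmp((*pp)->name, action) == 0) return *pp;
    *pp = calloc(1, sizeof **pp);
    (*pp)->RuleList = calloc(1, sizeof(ListHead));
    snprintf((*pp)->name, sizeof (*pp)->name, "%s", action);
    return *pp;
}

static RuleTreeNode **protocol_chain(ListHead *lh, const char *proto)   /* NULL if unknown */
{
    static const char *names[] = { "ip", "tcp", "udp", "icmp" };
    RuleTreeNode **chains[] = { &lh->IpList, &lh->TcpList, &lh->UdpList, &lh->IcmpList };
    for (int i = 0; i < 4; i++) if (!strcmp(proto, names[i])) return chains[i];
    return NULL;
}

/* Model of ProcessHeadNode(): reuse the RTN whose header already matches,
 * otherwise append a new RTN at the end of the protocol's chain. */
static RuleTreeNode *process_head_node(RuleTreeNode **chain, const RuleTreeNode *hdr)
{
    for (; *chain; chain = &(*chain)->right)   /* zero-padded arrays: memcmp is an exact test */
        if (!memcmp(*chain, hdr, offsetof(RuleTreeNode, down))) return *chain;
    *chain = malloc(sizeof **chain);
    **chain = *hdr;
    return *chain;
}

/* Model of ParseRule() + ParseRuleOptions(): returns 1 if the line was a
 * detection rule and was stored, 0 for comments, directives and bad lines. */
int parse_rule(const char *line)
{
    static const char *actions[] = { "alert", "log", "pass", "activate", "dynamic" };
    char action[16], proto[8], dir[4]; int k;
    RuleTreeNode hdr = { {0} };
    if (line[0] == '#' || sscanf(line, "%15s %7s %31s %7s %3s %31s %7s", action, proto,
                                 hdr.sip, hdr.sport, dir, hdr.dip, hdr.dport) != 7)
        return 0;
    for (k = 0; k < 5 && strcmp(action, actions[k]); k++) ;
    if (k == 5) return 0;               /* include, var, preprocessor, ...: not rules */
    const char *lp = strchr(line, '('), *rp = strrchr(line, ')');
    if (!lp || !rp || rp < lp) return 0;
    RuleTreeNode **chain = protocol_chain(rule_list_for(action)->RuleList, proto);
    if (!chain) return 0;
    RuleTreeNode *rtn = process_head_node(chain, &hdr);
    OptTreeNode *otn = calloc(1, sizeof *otn), **tail = &rtn->down;
    snprintf(otn->options, sizeof otn->options, "%.*s", (int)(rp - lp - 1), lp + 1);
    while (*tail) tail = &(*tail)->next;   /* one OTN per rule, kept in file order */
    *tail = otn;
    return 1;
}

/* Walk RuleLists as the text describes: count distinct headers (RTNs) and
 * rules (OTNs) of one rule type and protocol; returns the OTN count. */
int count_nodes(const char *action, const char *proto, int *rtns, int *otns)
{
    *rtns = *otns = 0;
    for (RuleListNode *n = RuleLists; n; n = n->next) {
        RuleTreeNode **c = strcmp(n->name, action) ? NULL : protocol_chain(n->RuleList, proto);
        for (RuleTreeNode *r = c ? *c : NULL; r; r = r->right) {
            (*rtns)++;
            for (OptTreeNode *o = r->down; o; o = o->next) (*otns)++;
        }
    }
    return *otns;
}

/* Model of ParseRulesFile() over constructed snort.conf lines: the page's mountd
 * rule, a second rule with the same header (so it shares that RTN), a log rule
 * and a comment. Returns the number of rules stored. */
int load_sample_conf(void)
{
    static const char *conf[] = {
        "# constructed sample configuration",
        "alert tcp any any -> 192.168.1.0/24 111 (content:\"|00 01 86 a5|\"; msg:\"mountd access\";)",
        "alert tcp any any -> 192.168.1.0/24 111 (content:\"|00 01 86 a0|\"; msg:\"mountd dump\";)",
        "log udp any any -> 192.168.1.0/24 53 (msg:\"dns query\";)",
    };
    int stored = 0;
    for (size_t i = 0; i < sizeof conf / sizeof *conf; i++) stored += parse_rule(conf[i]);
    return stored;
}
```

Two rules with the same header end up as two OTNs under one RTN, which is the linked matrix the text describes: the header is compared once per distinct RTN, and only then are the options of each OTN under it evaluated.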


Figure 8: Fast packet detection engine initialization (sequence diagram 4)


5. INITIALIZATION OF THE FAST PACKET DETECTION ENGINE

Initialization begins by calling the function fpCreateFastPacketDetection() in the file ./fpcreate.c from the SnortMain() function. fpCreateFastPacketDetection() goes over all the rules in memory using the global variable RuleLists and a RuleListNode pointer; each rule is classified according to its content (Content, UriContent or NoContent). The content is determined through the OTN corresponding to the rule. This OTN contains a field called ds_list, an array of pointers to various data structures; the content is assigned depending on the type of these structures.

After this first classification, it is determined whether the rule is bidirectional, and one of the functions prmAddRule(), prmAddRuleUri() or prmAddRuleNC() is called depending on the content type. These functions arrange the rules into tables corresponding to the source port and the destination port of the rule. The aim of this approach is to make comparing packets against the rules faster.


Figure 9: Data structures corresponding to the fast packet detection engine.


If we look at the fpCreateFastPacketDetection() function, we find a PORT_RULE_MAP declared for each protocol (tcp, udp, ip, icmp). Inside each PORT_RULE_MAP there are 3 groups of PORT_GROUP: one is the source-port table (prmSrcPort), the next is the destination-port table (prmDstPort), and the last is the generic table (prmGeneric), used for rules with srcport=any and dstport=any.
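The port bucketing described in this section, as an added example in C (written for this page; not Snort's own code and not from the original document): it models a PORT_RULE_MAP with the prmSrcPort, prmDstPort and prmGeneric groups, files a constructed set of tcp rules into it, and answers the question the fast engine asks for every packet, namely which groups must be searched. Where a rule that fixes both ports goes, and how a bidirectional rule is stored, are this example's own choices, not facts from the page.

```c
/* Added example, not Snort code and not from the original document: a model of
 * the PORT_RULE_MAP / PORT_GROUP bucketing the text describes. prmSrcPort,
 * prmDstPort and prmGeneric are the field names the page cites; the structures,
 * the placement of a rule with both ports fixed, and the handling of
 * bidirectional rules are this example's own assumptions. */
#include <stdint.h>
#include <stdlib.h>

#define ANY_PORT  -1
#define NUM_PORTS 65536

typedef struct RuleRef { int rule_id; struct RuleRef *next; } RuleRef;
typedef struct { RuleRef *rules; int count; } PORT_GROUP;
typedef struct {
    PORT_GROUP *prmSrcPort[NUM_PORTS];   /* rules whose source port is fixed */
    PORT_GROUP *prmDstPort[NUM_PORTS];   /* rules whose destination port is fixed */
    PORT_GROUP  prmGeneric;              /* rules with srcport=any and dstport=any */
} PORT_RULE_MAP;

static void group_add(PORT_GROUP *g, int rule_id)
{
    RuleRef *r = malloc(sizeof *r);
    r->rule_id = rule_id;
    r->next = g->rules;
    g->rules = r;
    g->count++;
}

static PORT_GROUP *table_group(PORT_GROUP **table, int port)   /* created on first use */
{
    if (!table[port]) table[port] = calloc(1, sizeof(PORT_GROUP));
    return table[port];
}

/* Model of prmAddRule(): one direction of a rule lands in exactly one group, so
 * no rule is evaluated twice for the same packet. A rule with both ports fixed
 * is filed under its destination port (this example's choice). */
static void prm_add_one(PORT_RULE_MAP *prm, int sport, int dport, int rule_id)
{
    if (sport == ANY_PORT && dport == ANY_PORT)
        group_add(&prm->prmGeneric, rule_id);
    else if (dport != ANY_PORT)
        group_add(table_group(prm->prmDstPort, dport), rule_id);
    else
        group_add(table_group(prm->prmSrcPort, sport), rule_id);
}

/* A bidirectional rule ("<>") is stored as both directions. */
void prm_add_rule(PORT_RULE_MAP *prm, int sport, int dport, int bidirectional, int rule_id)
{
    prm_add_one(prm, sport, dport, rule_id);
    if (bidirectional) prm_add_one(prm, dport, sport, rule_id);
}

/* The groups a packet must be matched against: its source-port group, its
 * destination-port group and the generic group. Returns how many are non-empty. */
int prm_find_rule_group(const PORT_RULE_MAP *prm, uint16_t sport, uint16_t dport,
                        const PORT_GROUP **src, const PORT_GROUP **dst, const PORT_GROUP **gen)
{
    *src = prm->prmSrcPort[sport];
    *dst = prm->prmDstPort[dport];
    *gen = prm->prmGeneric.count ? &prm->prmGeneric : NULL;
    return (*src != NULL) + (*dst != NULL) + (*gen != NULL);
}

/* How many rules the engine would have to evaluate for this packet. */
int candidate_rules(const PORT_RULE_MAP *prm, uint16_t sport, uint16_t dport)
{
    const PORT_GROUP *s, *d, *g;
    prm_find_rule_group(prm, sport, dport, &s, &d, &g);
    return (s ? s->count : 0) + (d ? d->count : 0) + (g ? g->count : 0);
}

/* Constructed tcp rule set (ports only; addresses and options left out). */
PORT_RULE_MAP *build_sample_tcp_map(void)
{
    PORT_RULE_MAP *tcp = calloc(1, sizeof *tcp);   /* one map per protocol, as in the text */
    prm_add_rule(tcp, ANY_PORT, 111,      0, 1);   /* any any -> any 111 (the mountd rule) */
    prm_add_rule(tcp, ANY_PORT, 80,       0, 2);   /* any any -> any 80 */
    prm_add_rule(tcp, 6667,     ANY_PORT, 0, 3);   /* any 6667 -> any any */
    prm_add_rule(tcp, ANY_PORT, ANY_PORT, 0, 4);   /* any any -> any any: generic */
    prm_add_rule(tcp, 2049,     ANY_PORT, 1, 5);   /* any 2049 <> any any */
    return tcp;
}
```

A rule with both ports set to any has to live in the generic group, because no port lookup can ever select it; that is why the generic group is checked for every packet, and why a rule set with many such rules gains little from the port tables.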

Figure 10: When a packet arrives (sequence diagram 5).


Figure 11: When a packet arrives (sequence diagram 6).

6. TOOLS AND RESOURCES

The authors used the following tools and resources for their tests:

OpenOffice 1.1.4

OS: Linux (Mandrake 10.1 Official).

IDE: KDevelop v3.0 (GNU tools: make, gdb, ...)


7. SOURCE CODE STATISTICS

For Snort 2.2.0

General information

Number of .c files: 135
Number of .h files: 154
Number of source code lines (approx.): 99,317
Total size of files: 2,471,751 bytes

Number of .c and .h files per directory

Directory                    .c files  .h files  Code lines in .c  Code lines in .h  Total lines (.c + .h)
./                                 27        41            26,794             5,821                 32,615
./detection-plugins                28        28            10,417               756                 11,173
./output-plugins                   11        11             7,417               362                  7,779
./parser                            1         1               312                48                    360
./preprocessors                    18        19            17,724               951                 18,675
./preprocessors/flow               13        16             4,498               835                  5,333
./preprocessors/HttpInspect        14        19             5,885               923                  6,808
./sfutil                           17        18            12,587             1,974                 14,561
./win32/WIN32-Code                  6         1             1,887               126                  2,013
TOTALS                            135       154            87,521            11,796                 99,317