snort-100622051039-phpapp01


  • 7/29/2019 snort-100622051039-phpapp01

IDS Snort
10/1/2009

Supervisor: Dr. Phm Vn Tnh


    Hong Tin Long

    Ng Trn Khnh Chu

    Nguyn Ngc Thm V H Tin

    Nguyn Minh Tin


Part I: IDS. Concepts and classification. Architecture. Deployment.

Part II: Snort. Introduction. Installation. Snort rules.

Part III: Demo

An IDS is a system (software, hardware, or a combination of both) that detects illegitimate intrusion activity on a network.

It detects the actions that make up the attack process (footprinting, scanning, sniffing), supplies identifying information, and raises alerts.

The technique used in an IDS can be signature-based or anomaly-based, or a combination of the two.

Host IDS (HIDS): installed as an agent on a specific host. It analyses the logs of the operating system or of applications and compares the events with a database in order to detect security violations and raise alerts. When a violation occurs the HIDS records the actions, raises an alert, and can stop the action before it takes effect.

A HIDS can be used as a log monitor, an integrity monitor, or a kernel-level intrusion detector (kernel module).

Network IDS (NIDS): captures the packets on the network and compares the collected data with a database to detect signs of attack.

When an attack is detected the NIDS logs the packets to a database, raises an alert, or hands the information to the firewall.

Host IDS (HIDS) versus Network IDS (NIDS):

HIDS: observes only the hosts, the operating system and application activity (typically log analysis and integrity checking).
NIDS: sees the whole traffic stream on the network (a NIDS is often regarded as a sniffer).

HIDS: detects only attacks that have already succeeded.
NIDS: detects potential attacks.

HIDS: works effectively in switched, encrypted and high-speed environments.
NIDS: has great difficulty operating in those environments.

[Figure: Snort architecture. Components: Sensor, Preprocessors, Detection Engine, Output (Alert systems, Logging systems).]

A signature-based IDS needs a ready-made database of attack patterns in order to recognise the attacks that may occur, since it relies on known signatures; new signatures therefore have to be added regularly.

An IDS by itself does not fight off attacks or block the exploitation of a vulnerability; it only detects and raises alerts.

Where should the IDS be placed in the network to get the most out of it?

[Figure: IDS placement. Elements shown: Internet, Firewall, Router, two IDS sensors, Local Network.]

The IDS deployment strategy depends on the security policy and on the resources to be protected. The more IDS sensors there are, the slower the system becomes and the higher the maintenance cost.


Snort is a signature-based IDS. It runs on both Windows and Linux.

Snort's rule sets are stored in text files; the rules are grouped into categories, and each category is kept in its own file. These files are listed in the configuration file snort.conf.

Snort reads the rules at start-up and builds a data structure (chains) that it applies to the captured data.

Snort ships with a rich set of predefined rules, but users can define and add new rules of their own or remove rules they do not need.

Snort is a stateful IDS: it can reassemble TCP segments and record attacks based on them.

Snort can detect many kinds of intrusion, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts.

Snort can be installed in one of two modes, inline or passive.

Inline: Snort is integrated with the firewall and triggers it to block, drop, or take other action to stop the attack it has detected.

Passive: Snort only detects intrusions, that is, it logs and alerts.

Software stack:

Apache
PHP
MySQL
BASE
libpcap
libnet
Perl
PEAR
Snort

Use rpm -qa | grep <name> to check whether a package is already installed. Use:

yum install <package>

to install the packages that are missing. For .rpm files:

rpm -ivh <file>.rpm

Use wget <URL> to download the installation packages from a web site. For .tar.gz packages:

tar xvzf <package>.tar.gz
cd <package>
./configure [options]
make && make install

    25/75

Apache is installed by default; check with:

rpm -qa | grep http
httpd-manual-2.2.11-2.fc10.i386
httpd-tools-2.2.11-2.fc10.i386
httpunit-1.6.2-2.fc10.noarch
httpd-2.2.11-2.fc10.i386
mod_ssl-2.2.11-2.fc10.i386

    26/75

MySQL is installed by default:

rpm -qa | grep mysql
mysql-5.0.77-1.fc10.i386
mysql-server-5.0.77-1.fc10.i386
mysql-devel-5.0.77-1.fc10.i386
mysql-libs-5.0.77-1.fc10.i386
php-mysql-5.2.6-5.i386

    27/75

PHP is installed by default:

rpm -qa | grep php
php-5.2.6-5.i386
php-devel-5.2.6-5.i386
php-mysql-5.2.6-5.i386
php-pdo-5.2.6-5.i386
php-ldap-5.2.6-5.i386
php-common-5.2.6-5.i386
php-pear-1.7.2-2.fc10.noarch
php-gd-5.2.6-5.i386
php-cli-5.2.6-5.i386

    28/75

Perl (preinstalled), libpcap and libnet are also required. You should install these from source. Use:

wget <URL>

For example: wget http://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.gz

Then install it like any other .tar.gz package.

The packages above are the minimum required. If any of them is missing, use:

yum install <package>

to add it.

Start Apache and MySQL:

service httpd start
service mysqld start

Download:

snort-2.8.x.x.tar.gz
snortrules-2.8.tar.gz

from http://www.snort.org

Note: the Snort build often fails with an error about libipq.h. This error is related to iptables, because Snort is being compiled in inline mode. Install iptables-devel as well, run the build again, and it succeeds.

# tar xvzf snort-2.8.5.1.tar.gz
# cd snort-2.8.5.1
# ./configure --with-mysql --enable-dynamic-plugin --enable-inline
# make
# make install

Use ./configure --help to see Snort's other build options.

Create the snort directory under /etc and copy Snort's configuration files into the directory just created:

# mkdir /etc/snort
# mkdir /etc/snort/rules
# cd /usr/local/snort-2.8.5.1/etc
# cp * /etc/snort

Unpack snortrules-2.8.tar.gz:

# tar xvzf snortrules-2.8.tar.gz
# cd rules
# cp * /etc/snort/rules/

Create a symbolic link for snort:

# ln -s /usr/local/bin/snort /usr/sbin/snort

For snort to run as a service we need a user and a group for it:

# groupadd snort
# useradd -g snort snort

Create the log directory and give snort ownership of it and permission to enter it:

# mkdir /var/log/snort
# chown -R snort:snort /var/log/snort
# chmod 750 /var/log/snort

The mode is set with chmod, not chown, and a directory needs the execute bit: a mode such as 664 would not let snort enter the directory to write its logs.

# vim /etc/snort/snort.conf

Find the line var RULE_PATH ../rules and change it to:

var RULE_PATH /etc/snort/rules

This is the directory that holds the rule set.

Specify the database output plug-in, that is, the database in which the logs are stored:

output database: log, mysql, user=snort password=long dbname=snort host=localhost

# cd /usr/local/snort-2.8.5.1/rpm/
# cp snortd /etc/init.d/
# cp snort.sysconfig /etc/sysconfig/snort
# chmod 755 /etc/init.d/snortd
# chkconfig --add snortd
# chkconfig snortd on

# mysql -u root
> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('241288');
> FLUSH PRIVILEGES;
> USE mysql;
> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'long';
> FLUSH PRIVILEGES;

> CREATE DATABASE snort;
> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO 'snort'@'localhost';

Load Snort's MySQL schema into the new database:

# cd /usr/local/snort-2.8.5.1/schemas/
# mysql -u root -p snort < create_mysql

Test:

# mysql -u root -p
> USE snort;
> SHOW TABLES;

Since the web server and PHP are already installed, we only need to add the PEAR packages PHP needs:

# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman

Install ADOdb:

# wget http://nchc.dl.sourceforge.net/sourceforge/adodb/adodb508a.tgz
# cp adodb508a.tgz /var/www/html/
# cd /var/www/html/
# tar -xvzf adodb508a.tgz

    41/75

Install BASE:

# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz
# cp base-1.4.2.tar.gz /var/www/html/
# cd /var/www/html/
# tar -xzvf base-1.4.2.tar.gz
# cd base-1.4.2
# cp base_conf.php.dist base_conf.php

    42/75

# vim base_conf.php

$DBlib_path = '/var/www/html/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'long';

    43/75

Open http://127.0.0.1/base-1.4.2 in a browser.

Point the setup page at the ADOdb library path.

Enter the values for the database that stores the log: Database Name, Database Host, Database User and Database Password, the latter two being the username and password used to access the database. Then create the BASE AG (this creates the tables BASE needs in the database).

# snort -A <mode>: set the alert mode.

Several modes are supported: fast, full, console, test or none.

Console mode prints the alerts to the screen and writes the log files.

Fast mode is used where the link speed is high.

# snort -v: turn on sniffer mode. Every captured packet is printed on the console (showing the IP and TCP/UDP/ICMP headers). The network card must be in promiscuous mode.

# snort -d: also display the application-layer data.

# snort -e: also display the layer-2 header information.

# snort -vde: the switches can be combined to display more data, including the MAC and IP addresses; -vde gives the most information.

Save the packets to a log directory: snort -dev -l <logdir>

Save them in binary form: snort -l <logdir> -b

Read a binary log file back: snort -dvr <file>

Read back only the ICMP packets: snort -dvr <file> icmp

# snort -l /var/log/snort: specify the directory for the log files. Storage is hierarchical: each address gets its own directory and everything related to that address is kept there. Snort writes the packets as ASCII files whose names are built from the protocol and the port numbers.

# snort -b: log the packets in tcpdump format. Logging is very fast.

# snort -c <config-file>: specify the configuration file to use.

# snort -D: run Snort in the background (daemon mode).

# snort -i <interface>: specify the interface Snort listens on.

# snort -s: send alert messages to syslog.

# snort -T: test and report on Snort's current configuration.

# snort -y: add the year to the date and time in alert messages and log files.

Preprocessors receive each packet and process it before the rules are applied to it (input plug-ins).

Syntax:

preprocessor <name>[: <options>]

Example:

preprocessor frag2
preprocessor stream4: detect_scans

Output plug-in configuration:

output <name>[: <options>]

Example:

output database: alert, mysql, user=rr password=boota \
    dbname=snort host=localhost

Snort relies on rule sets to detect attacks.

The rules are normally kept in the file snort.conf. Several files can be used by adding the path to each rule file to the main configuration file.

Each rule is written on a single line. One rule can detect several kinds of intrusion.

A rule consists of two parts: the rule header and the rule options.

Rule header: contains the action the rule takes and the criteria for matching the rule against a packet.

Rule options: contain the alert message and the information about which parts of the packet are used to generate the alert.

[Figure: Rule Header | Rule Options]

action protocol address port \
    direction address port \
    (option1: ...; option2: ...;)

Note: the backslash here means line continuation. Each rule should be written on a single line.

Action: determines what happens when a packet satisfies the conditions. Usually it is to generate an alert and to log (alert, log). If Snort is installed in inline mode, drop can be chosen so that iptables discards the packet.

[Figure: Action | Protocol | Address | Port | Direction | Address | Port]

Protocol: Snort can analyse the protocols TCP, UDP, ICMP and IP.

Address: the source and destination addresses. An address can be a single host, several hosts, or a network address.

Direction: determines which address and port are the source and which are the destination ( -> , <> ).

Port: used only with TCP and UDP, to specify the source and destination ports of the packets the rule applies to.

The options follow the rule header, enclosed in ( ), and are separated by ;

The action is carried out only when all the options are satisfied. An option consists of a keyword and a parameter, separated by :

When there are several options they are ANDed together.

classtype: <name>; classifies the rule as a particular kind of attack. It works together with the file /etc/snort/classification.config, whose lines have the form:

config classification: name,description,priority

Name is the name of the classification; it is what the classtype keyword in a rule refers to. Description: a short description of the classification. Priority: the default priority for the classification, which can be changed with the priority keyword in the rule options.

ack: <number>; often used to find out whether a port is being scanned. Only meaningful when the ACK flag is set in the TCP header.

msg: <text>; adds a string to the log and to the alert. The message is written in double quotes.

content: <straight text>; or content: |hex bytes|; searches for the signature in the packet payload (not in the headers).

offset: <value>; used with content, says where in the payload to start searching.

depth: <value>; used with content, sets how far from the starting position the compared region ends.

dsize: [<|>]<number>; tests the payload length of a packet (useful against buffer-overflow attacks).

rev: <revision integer>; the revision number of the rule, incremented each time the rule is changed.

priority: <value>; the priority keyword assigns a priority to a rule.

nocase: used together with content, matches the content without regard to case.

See the attached file for the other options.

The rules are placed at the end of snort.conf. Many rules can be written using the variables defined in that file.

Rules can also be defined in a .rules file, which snort.conf pulls in with include:

include $RULE_PATH/web-attacks.rules

Many predefined rules are shipped in the directory /etc/snort/rules.

alert tcp 192.168.1.0/24 23 -> any any (content:"confidential"; msg:"Detect confidential";)

Captures packets coming from a source address in the network 192.168.1.0/24 with source port 23, to any destination address and any destination port. The packet payload is searched for the string confidential. The protocol is TCP.

alert tcp any any -> 192.168.1.0/24 80 \
    (flags:A; ack:0; msg:"TCP ping detected";)

Detects an Nmap TCP ping scan: a packet sent with the ACK flag set and ack = 0, to port 80 over TCP.

The flags keyword is used to test which flags are set in the packet's TCP header.

config classification: denial-of-service,Detection of a Denial of Service Attack,2

alert udp any any -> 192.168.1.0/24 6838 (msg:"Dos"; content:"server"; classtype:denial-of-service;)

alert udp any any -> 192.168.1.0/24 6838 (msg:"Dos"; content:"server"; classtype:denial-of-service; priority:1;)

The first rule inherits priority 2 from the classification; the second overrides it with priority 1.
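As an added example (not from the slides and not Snort's own code), the following Python resolves a rule's effective priority the way the classification mechanism above works: it reads config classification lines into a table, reports any classtype a rule uses that the table does not define (Snort 2 treats an unknown classtype as a fatal parse error, so this is the check to run before restarting the sensor), and lets a priority: option override the classification's default. Rules are passed as plain one-line strings; only the option part inside the parentheses is parsed, and the option parsing assumes the simple keyword:value form used on these slides.

```python
def parse_classifications(config_lines):
    """Read 'config classification: name,description,priority' lines into {name: priority}."""
    table = {}
    for line in config_lines:
        line = line.strip()
        if line.startswith("config classification:"):
            parts = line.split(":", 1)[1].split(",")
            # name is the first field and priority the last, so a description
            # that itself contains commas does not break the parse
            table[parts[0].strip()] = int(parts[-1])
    return table


def rule_options(rule_text):
    """The keyword: value pairs inside the parentheses of a one-line rule."""
    body = rule_text[rule_text.index("(") + 1:rule_text.rindex(")")]
    pairs = (o.partition(":") for o in body.split(";") if o.strip())
    return {k.strip(): v.strip().strip('"') for k, _, v in pairs}


def undefined_classtypes(rule_texts, classifications):
    """classtype names used by the rules but missing from classification.config."""
    used = {rule_options(r).get("classtype") for r in rule_texts} - {None}
    return sorted(used - set(classifications))


def effective_priority(rule_text, classifications):
    """priority: in the rule wins; otherwise the classtype default; None if neither is set."""
    opts = rule_options(rule_text)
    if "priority" in opts:
        return int(opts["priority"])
    return classifications.get(opts.get("classtype"))
```

With the classification line and the two rules above, effective_priority returns 2 for the first rule and 1 for the second; a rule with no classtype and no priority gets None, which is what a missing priority looks like in the alert output.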


alert tcp 192.168.1.0/24 any -> any any \
    (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)

Searches for the string HTTP in the payload of TCP packets coming from 192.168.1.0/24, starting at byte 4 of the payload and looking at most 40 bytes from there. When it is found, the message HTTP matched is emitted.

Demo attacks:

Smurf attack
Jolt attack
Teardrop attack

alert icmp $EXTERNAL_NET any -> 192.168.77.129 any (msg:"Demo smurf attack"; sid:1000010; dsize:>32; itype:0; icmp_seq:0; icmp_id:0;)

alert ip $EXTERNAL_NET any -> 192.168.77.129 any (msg:"Demo DOS Jolt attack"; dsize:408; fragbits:M; sid:268; rev:4;)

alert udp $EXTERNAL_NET any -> 192.168.77.129 any (msg:"Demo DOS Teardrop attack"; fragbits:M; id:242; sid:270; rev:6;)
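The following Python is an added example, not code from the slides and not Snort itself: a small evaluator for the rule subset used in the rule-writing and demo slides (the confidential, TCP ping, HTTP offset/depth, smurf, Jolt and Teardrop rules), written so that the matching semantics described above can be checked offline against constructed packets: the header is tested first (protocol, with ip covering every protocol; source and destination address and port; $VAR names and ! negation as in snort.conf), then all options are ANDed, with content searched in the payload and narrowed by offset, depth and nocase, plus dsize, flags, ack, itype, icmp_seq, icmp_id, fragbits and id. The Packet class, its field defaults and the variable table are this example's own assumptions. Only the plain-text form of content is handled (not |hex|), port lists and ranges are not supported, and the <> direction is parsed but treated like ->.

```python
import ipaddress
import re
from dataclasses import dataclass

# rule header "action protocol src sport direction dst dport" followed by (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
INT_FIELDS = {"ack": "ack", "itype": "itype", "icmp_seq": "icmp_seq",
              "icmp_id": "icmp_id", "id": "ip_id"}   # keyword -> Packet attribute

@dataclass
class Packet:
    """Constructed packet carrying only the fields the slide rules inspect."""
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    tcp_flags: str = ""     # letters from "FSRPAU", e.g. "A" or "PA"
    ack: int = 0
    itype: int = -1
    icmp_seq: int = -1
    icmp_id: int = -1
    fragbits: str = ""      # letters from "MDR": More fragments, Don't fragment, Reserved
    ip_id: int = -1

def parse_rule(text):
    """Header fields plus the options as an ordered (keyword, value) list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    rule = m.groupdict()
    items = [o.partition(":") for o in rule["opts"].split(";") if o.strip()]
    rule["opts"] = [(k.strip(), v.strip().strip('"')) for k, _, v in items]
    return rule

def addr_matches(spec, ip, variables):
    """any, a host or CIDR, a $VAR from snort.conf, or '!' negation of those."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def header_matches(rule, pkt, variables):
    """Protocol ('ip' covers all four), then source and destination address/port."""
    return (rule["proto"] in ("ip", pkt.proto)
            and addr_matches(rule["src"], pkt.src, variables)
            and rule["sport"] in ("any", str(pkt.sport))
            and addr_matches(rule["dst"], pkt.dst, variables)
            and rule["dport"] in ("any", str(pkt.dport)))

def dsize_ok(spec, n):
    """dsize:408 is an exact payload length; dsize:>32 and dsize:<32 are bounds."""
    if spec[0] in "<>":
        return n > int(spec[1:]) if spec[0] == ">" else n < int(spec[1:])
    return n == int(spec)

def options_match(opts, pkt):
    """Every option must hold (ANDed); offset/depth/nocase modify the content before them."""
    i = 0
    while i < len(opts):
        key, val = opts[i]
        if key == "content":
            offset, depth, nocase = 0, None, False
            while i + 1 < len(opts) and opts[i + 1][0] in ("offset", "depth", "nocase"):
                i += 1
                mk, mv = opts[i]
                offset = int(mv) if mk == "offset" else offset
                depth = int(mv) if mk == "depth" else depth
                nocase = nocase or mk == "nocase"
            # content is searched in the payload, never in the headers; with
            # offset:4 depth:40 the window is payload bytes 4..43 inclusive
            window = pkt.payload[offset:None if depth is None else offset + depth]
            needle = val.encode()
            if nocase:
                window, needle = window.lower(), needle.lower()
            if needle not in window:
                return False
        elif key == "dsize" and not dsize_ok(val, len(pkt.payload)):
            return False
        elif key == "flags" and set(val) != set(pkt.tcp_flags):
            return False      # bare flags:A means exactly ACK and nothing else
        elif key == "fragbits" and set(val) != set(pkt.fragbits):
            return False
        elif key in INT_FIELDS and int(val) != getattr(pkt, INT_FIELDS[key]):
            return False
        i += 1                # msg, sid, rev, classtype, priority never affect matching
    return True

def alerts(rules, pkt, variables=None):
    """The msg of every parsed rule that fires on pkt, in rule order."""
    variables = variables or {}
    return [dict(r["opts"]).get("msg", "") for r in rules
            if header_matches(r, pkt, variables) and options_match(r["opts"], pkt)]
```

Run it with the six rules from these slides and variables {"EXTERNAL_NET": "!192.168.77.0/24"}: a 64-byte echo reply with sequence and id 0 from an outside host fires only the smurf rule; a 408-byte UDP fragment with the MF bit set and IP id 242 fires both the Jolt and the Teardrop rule; a segment whose payload starts with HTTP/1.1 does not fire the offset:4 rule because its search window begins at byte 4, and one with HTTP at byte 41 does not fire either because depth:40 ends the window at byte 43; and an ACK-only segment with ack = 0 fires the TCP ping rule while a PSH+ACK segment does not, since a bare flags:A is an exact match.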
