7/29/2019 snort-100622051039-phpapp01
1/75
IDS Snort
10/1/2009
Supervisor (GVHD): Dr. Phm Vn Tnh
Hong Tin Long
Ng Trn Khnh Chu
Nguyn Ngc Thm
V H Tin
Nguyn Minh Tin
Outline

Part I: IDS. Concept, classification. Architecture. Deployment.
Part II: Snort. Introduction. Installation. Snort rules.
Part III: Demo.
Part I: IDS

An IDS is a system (software, hardware, or a combination of both) that detects unauthorised intrusions into a network.
It detects the actions that make up an attack (footprinting, scanning, sniffing), provides the information needed to recognise them, and raises alerts.
The detection technique an IDS uses may be signature-based or anomaly-based, or a combination of both.
Host-based IDS (HIDS)

Installed as an agent on a specific host. It analyses operating-system or application logs, comparing the events against a database in order to detect security violations and raise alerts. When a violation is found, the HIDS records the actions, raises an alert, and may stop the action before it takes effect.
A HIDS can be used for log monitoring (log monitors), integrity monitoring (integrity monitors) and kernel-level intrusion detection (kernel modules).
Network-based IDS (NIDS)

Captures packets on the network and compares the collected data against a database in order to detect signs of attack.
When an attack is detected, the NIDS logs the packets to a database, raises an alert, or passes the information to a firewall.
HIDS and NIDS compared

| Host IDS (HIDS) | Network IDS (NIDS) |
| --- | --- |
| Observes only the host, its operating system and its application activity (typically log analysis and integrity checking). | Sees the whole traffic flow on the network (a NIDS is often regarded as a sniffer). |
| Detects only attacks that have succeeded. | Detects potential attacks. |
| Works well in switched, encrypted and high-speed environments. | Is very hard to operate in those environments. |
[IDS architecture diagram with the components: Sensor, Detection Engine, Preprocessors, Output, Alert Systems, Logging Systems]
A signature-based IDS needs a ready-made database of attack patterns in order to recognise possible attacks from some known indicator (signature), so new signatures have to be kept up to date. An IDS does not by itself fight off attacks or block the exploitation of a flaw; it only detects and raises alerts.
Where in the network should the IDS be placed to be most effective?
[Deployment diagram: Internet, Firewall, Router, two IDS sensors, two local networks]
The IDS deployment strategy depends on the security policy and on the resources that need protecting. The more IDS sensors there are, the slower the system becomes and the higher the maintenance cost.
Part II: Snort

Snort is a signature-based IDS. It runs on both Windows and Linux.
Snort keeps its rule sets in text files; the rules are grouped into categories, each category in its own file. These files are listed in the configuration file snort.conf.
Snort reads the rules at start-up and builds a data structure, or chains, from them in order to apply the rules to the captured data.
Snort ships with a rich set of predefined rules, but users can define and add their own rules or remove rules they do not need.
Snort is a stateful IDS: it can reassemble and record attacks based on TCP segments.
Snort can detect many kinds of intrusion, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts.
Snort can be deployed in two modes, inline or passive.
Inline: Snort is integrated with the firewall and triggers it to block, drop or take other action in order to stop an attack it has detected.
Passive: Snort only detects intrusions, writes logs and raises alerts.
Installation: required components

Apache
PHP
MySQL
BASE
libpcap
libnet
Perl
PEAR
Snort
Use rpm -qa | grep <package> to check whether a package is already installed. Use:
yum install <package>
to install any missing packages. For .rpm packages:
rpm -ivh <package>.rpm
Use wget <url> to download installation packages from a web site. For .tar.gz packages:
tar -xvzf <package>.tar.gz
cd <package>
./configure [option]
make && make install
Apache is installed by default; check with:
rpm -qa | grep http
httpd-manual-2.2.11-2.fc10.i386
httpd-tools-2.2.11-2.fc10.i386
httpunit-1.6.2-2.fc10.noarch
httpd-2.2.11-2.fc10.i386
mod_ssl-2.2.11-2.fc10.i386
MySQL is installed by default; check with:
rpm -qa | grep mysql
mysql-5.0.77-1.fc10.i386
mysql-server-5.0.77-1.fc10.i386
mysql-devel-5.0.77-1.fc10.i386
mysql-libs-5.0.77-1.fc10.i386
php-mysql-5.2.6-5.i386
PHP is installed by default; check with:
rpm -qa | grep php
php-5.2.6-5.i386
php-devel-5.2.6-5.i386
php-mysql-5.2.6-5.i386
php-pdo-5.2.6-5.i386
php-ldap-5.2.6-5.i386
php-common-5.2.6-5.i386
php-pear-1.7.2-2.fc10.noarch
php-gd-5.2.6-5.i386
php-cli-5.2.6-5.i386
Perl (already installed), libpcap and libnet are also needed. They are best installed from source. Use:
wget <url>
For example:
wget http://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.gz
Then install it like any other .tar.gz package.
The packages above are the minimum required. If any of them is missing, add it with:
yum install <package>
Start Apache and MySQL:
service httpd start
service mysqld start
Installing Snort

Download snort-2.8.x.x.tar.gz and snortrules-2.8.tar.gz from http://www.snort.org.
Note: building Snort often fails with an error about libipq.h. This error is related to iptables and occurs because Snort is being compiled in inline mode. In that case, install iptables-devel as well and restart the service.
# tar -xvzf snort-2.8.5.1.tar.gz
# cd snort-2.8.5.1
# ./configure --with-mysql --enable-dynamic-plugin --enable-inline
# make
# make install
Use ./configure --help to see Snort's other build options.
Create a snort directory under /etc:
# mkdir /etc/snort
# mkdir /etc/snort/rules
Copy Snort's configuration files into the directory just created:
# cd /usr/local/snort-2.8.5.1/etc
# cp * /etc/snort
Unpack snortrule-2.8.tar.gz:
# tar -xvzf snortrule-2.8.tar.gz
# cd rules
# cp * /etc/snort/rules/
Create a symbolic link for snort:
# ln -s /usr/local/bin/snort /usr/sbin/snort
For Snort to run as a service we need a user and a group for it:
# groupadd snort
# useradd -g snort snort
Create the log directory and give the snort user ownership of it and the permissions it needs:
# mkdir /var/log/snort
# chown -R snort:snort /var/log/snort
# chmod 775 /var/log/snort
(The mode is set with chmod, not chown; a directory needs the execute bit so that Snort can enter it and create log files.)
# vim /etc/snort/snort.conf
Find the line var RULE_PATH ../rules and change it to:
var RULE_PATH /etc/snort/rules
This is the directory holding the rule set.
Specify the output database in which the logs are stored:
output database: log, mysql, user=snort password=long dbname=snort host=localhost
Install the init script so that Snort starts as a service:
# cd /usr/local/snort-2.8.4.1/rpm/
# cp snortd /etc/init.d/
# cp snort.sysconfig /etc/sysconfig/snort
# chmod 755 /etc/init.d/snortd
# chkconfig --add snortd
# chkconfig snortd on
Configure MySQL:
# mysql -u root
> set password for root@localhost = password('241288');
> flush privileges;
> use mysql;
> CREATE USER snort@localhost IDENTIFIED BY 'long';
> flush privileges;
> create database snort;
> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO snort@localhost;
# cd /usr/local/snort-2.8.5.1/schemas/
# mysql -u root -p snort < create_mysql
Test:
# mysql -u root -p
> use snort;
> show tables;
Installing BASE

Since the web server and PHP are already installed, we only need to add the PEAR packages for PHP:
# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
Install ADOdb:
# wget http://nchc.dl.sourceforge.net/sourceforge/adodb/adodb508a.tgz
# cp adodb508a.tgz /var/www/html/
# cd /var/www/html/
# tar -xvzf adodb508a.tgz
# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz
# cp base-1.4.2.tar.gz /var/www/html/
# cd /var/www/html/
# tar -xzvf base-1.4.2.tar.gz
# cd base-1.4.2
# cp base_conf.php.dist base_conf.php
# vim base_conf.php
$DBlib_path = '/var/www/html/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'long';
Open http://127.0.0.1/base-1.4.2 in a browser.
Give the path to the ADOdb library.
Enter the values for the database in which the logs are stored: Database Name, Database Host, Database User and Database Password, the latter two being the username and password used to access the database.
Create BASE AG (this creates the database tables for BASE).
Running Snort

# snort -A <mode> : set the alert mode. Several modes are supported: fast, full, console, test or none.
Console mode prints to the screen as well as writing the log files.
Fast mode is for high-bandwidth links.
# snort -v : turn on sniffer mode. Prints every captured packet to the console (showing the IP and TCP/UDP/ICMP headers). The network card must be in promiscuous mode.
# snort -d : also show the application-layer data.
# snort -e : also show the layer-2 header information.
# snort -vde : the flags can be combined to show more data, including both MAC and IP addresses; -vde gives the most information.
Write the output to files: snort -dev -l [logdir]
Write the output in binary form: snort -l [logdir] -b
Read the information back from a binary file:
snort -dvr [filename]
snort -dvr [filename] icmp
# snort -l /var/log/Snort : specifies the directory for the log files. Logging is hierarchical: each address gets its own directory, and everything relating to that address is stored there. Snort stores the packets as ASCII files, with file names built from the protocol and port number.
# snort -b : log packets in tcpdump format. Very fast logging.
# snort -c : config file, specifies the configuration file to use.
# snort -D : run Snort in the background.
# snort -i : interface, specifies the interface Snort listens on.
# snort -s : send alert messages to syslog.
# snort -T : test and report on Snort's current configuration.
# snort -y : add the year to the date and time in alert messages and log files.
Preprocessors

Receive the packet and process it before the rules are applied to it (input plug-ins).
Syntax:
preprocessor <name>[: <options>]
Example:
preprocessor frag2
preprocessor stream4: detect_scans
Output plug-ins

Configuration:
output <name>[: <options>]
Example:
output database: alert, mysql, user=rr password=boota \
    dbname=snort host=localhost
Snort rules

Snort relies on rule sets to detect attacks.
The rules are usually kept in the file snort.conf. Several files can be used by adding the paths to those rule files to the main configuration file.
Each rule is written on one line. A single rule can detect several kinds of intrusion.
A rule has two parts: the rule header and the rule options.
Rule header: holds the action the rule will take and the criteria for matching the rule against a packet.
Rule options: hold the alert message and information about which part of the packet is used to generate the alert.
Rule syntax:
action protocol address port \
direction address port \
(option1: ...; option2: ...; ...)
Note: the backslash here only indicates a line break; each rule should be written on a single line.
Action: defines what to do when a packet meets the conditions. Usually this is to raise an alert and write a log (alert, log). If Snort is installed in inline mode, drop can be chosen so that iptables discards the packet.
Protocol: Snort can analyse the protocols TCP, UDP, ICMP and IP.
Address: source and destination addresses. An address can be a single host, several hosts or a network address.
Direction: determines which address and port are the source and which the destination (-> or <>).
Port: used only with TCP and UDP, to specify the source and destination ports of the packets the rule applies to.
Rule options

They follow the rule header, enclosed in ( ), with the options separated by ;.
An action is taken only when every option is satisfied. An option consists of a keyword and an argument, separated by :.
When there are several options they are ANDed together.
classtype: <class>; classifies the rule as a specific kind of attack. It works together with the file /etc/snort/classification.config:
config classification: name,description,priority
Name is the name used for the classification; it is what the classtype keyword refers to when writing rules. Description: a short description of the class. Priority: the default priority of the classification, which can be overridden with the priority keyword in the rule options.
ack: <number>; usually used to tell whether a port scan is in progress. Only meaningful when the ACK flag in the TCP header is set.
msg: <text>; adds a string to the log and to the alert. The message is enclosed in "".
content: <straight text>; or content: <hex bytes>; looks for the signature in the packet.
offset: <value>; used with content to say where in the packet the search starts.
depth: <value>; used with content to set where the data to be compared ends, relative to the start position.
dsize: [<|>|=] <number>; tests the length of a packet (used for buffer overflow attacks).
rev: <revision integer>; gives the revision number.
priority: <value>; the priority keyword assigns a priority to a rule.
nocase: used together with content to match the content case-insensitively.
See the attached file for the other options.
Rules are placed at the end of snort.conf, so that many rules can be created using the variables defined in that file.
A .rules file can also be defined and pulled into snort.conf with include:
include $RULE_PATH/web-attacks.rules
Many predefined rules are already present in the directory /etc/snort/rules.
Example rules

alert tcp 192.168.1.0/24 23 -> any any (content: "confidential"; msg: "Detect confidential";)
Captures packets whose source address is in the network 192.168.1.0/24 with source port 23, sent to any destination address and any destination port, and looks in the packet for the signature confidential. The protocol used is tcp.
alert tcp any any -> 192.168.1.0/24 80 \
(flags: A; ack: 0; msg: "TCP ping detected";)
Detects someone using Nmap to scan ports: the packets it sends have the ack field equal to 0 and go to port 80 over TCP.
The flags keyword is used to look for the flags set in the packet's TCP header.
config classification: denial-of-service,Detection of a Denial of Service Attack,2
alert udp any any -> 192.168.1.0/24 6838 (msg: "Dos"; content: "server"; classtype: denial-of-service;)
alert udp any any -> 192.168.1.0/24 6838 (msg: "Dos"; content: "server"; classtype: denial-of-service; priority: 1;)
The first rule inherits the default priority 2 of the denial-of-service class; the second overrides it with priority 1.
alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; depth: 40; msg: "HTTP matched";)
Looks for the word HTTP in the TCP packet from position 4 to position 40. If it matches, the message HTTP matched is output.
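As an added example (not part of the slides), the Python code below parses a rule written in the header/options syntax described above into its seven header fields and its option list, then evaluates the payload options the slides explain (content with offset, depth and nocase, and dsize) against a packet payload, so the offset 4 / depth 40 window of the HTTP rule can be tried on a constructed request. Header matching and the flags/ack options are left out because they need the packet headers, not just the payload; the sample request and helper names are constructed for this example.

```python
import re

# The seven header fields: action protocol address port direction address port
HEADER_FIELDS = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
# One option: keyword, optional ': argument' (quoted or not), terminated by ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;')


def parse_rule(text: str) -> dict:
    """Split one rule into header fields and an ordered (keyword, argument) list."""
    text = text.replace("\\\n", " ").strip()      # trailing '\' = line continuation
    head, _, body = text.partition("(")
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(f"rule header must have 7 fields, got {len(fields)}")
    body = body.rsplit(")", 1)[0]                  # drop the closing parenthesis
    options = [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(body)]
    return {"header": dict(zip(HEADER_FIELDS, fields)), "options": options}


def option(rule: dict, keyword: str, default=None):
    """Argument of the first option with this keyword ('' for bare ones like nocase)."""
    return next((v for k, v in rule["options"] if k == keyword), default)


def dsize_ok(spec: str, size: int) -> bool:
    """dsize forms from the slides: '<n', '>n', '=n' or a bare 'n'."""
    if spec[0] in "<>=":
        n = int(spec[1:])
        return {"<": size < n, ">": size > n, "=": size == n}[spec[0]]
    return size == int(spec)


def payload_matches(rule: dict, payload: bytes) -> bool:
    """AND together the payload options: dsize, and content with offset/depth/nocase.
    Header fields and flags/ack are not checked here; they need the packet headers."""
    spec = option(rule, "dsize")
    if spec is not None and not dsize_ok(spec, len(payload)):
        return False
    pattern = option(rule, "content")
    if pattern is not None:
        start = int(option(rule, "offset", 0))     # offset: where the search starts
        window = payload[start:]
        depth = option(rule, "depth")              # depth: bytes searched from there
        if depth is not None:
            window = window[: int(depth)]
        needle = pattern.encode()
        if option(rule, "nocase") is not None:
            window, needle = window.lower(), needle.lower()
        if needle not in window:
            return False
    return True


# Constructed sample: the slides' HTTP rule against a request with "HTTP" at byte 4
HTTP_RULE = parse_rule('alert tcp 192.168.1.0/24 any -> any any '
                       '(content: "HTTP"; offset: 4; depth: 40; msg: "HTTP matched";)')
SAMPLE_REQUEST = b"GET HTTP/1.1\r\nHost: demo\r\n"
```

A payload in which HTTP appears before byte 4, or after byte 44, does not match, which is the offset/depth behaviour the slide describes.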
Part III: Demo

Smurf attack
Jolt attack
Teardrop attack
alert icmp $EXTERNAL_NET any -> 192.168.77.129 any (msg:"Demo smurf attack"; sid:1000010; dsize:>32; itype:0; icmp_seq:0; icmp_id:0;)
alert ip $EXTERNAL_NET any -> 192.168.77.129 any (msg:"Demo DOS Jolt attack"; dsize:408; fragbits:M; sid:268; rev:4;)
alert udp $EXTERNAL_NET any -> 192.168.77.129 any (msg:"Demo DOS Teardrop attack"; fragbits:M; id:242; sid:270; rev:6;)