
Dacs snort


DESCRIPTION

IDS Snort - thenewfriend_2702

Text of Dacs snort

ACKNOWLEDGEMENTS

I would like to express my sincere thanks to Mr. Van Thien Hoang, the lecturer who directly supervised this foundation project, for his dedicated guidance and direction during the work, for answering my questions, providing the necessary materials, and helping me a great deal in overcoming the difficulties I met while researching this topic. I sincerely thank him.

TABLE OF CONTENTS

A - OVERVIEW OF IDS SYSTEMS ... 3
1. The concept of intrusion detection systems ... 3
2. Structure of an IDS - roles - operating principle ... 4
3. Classification of IDS ... 4
a. Host-Based intrusion detection systems (HIDS) ... 5
b. Network-Based intrusion detection systems (NIDS) ... 5
B - OVERVIEW OF THE SNORT IDS/IPS ... 6
I - Introduction to Snort ... 6
1. Requirements for a Snort system ... 7
2. Position of Snort in the network ... 7
II - Architecture of Snort ... 9
1. Packet decoder module ... 9
2. Preprocessor module ... 10
3. Detection module ... 12
4. Logging and alerting module ... 12
5. Output module ... 13
6. Snort's modes of operation ... 14
a. Sniff mode ... 14
b. Packet logger mode ... 14
c. NIDS mode ... 15
d. Inline mode ... 15

III - Snort rules ... 16
1. Introduction ... 16
2. Structure of a Snort rule ... 17
a. The rule header ... 18
b. Rule options (for each type of attack) ... 22
IV - Lab demo ... 25
VI - References ... 26

A - OVERVIEW OF IDS SYSTEMS

An Intrusion Detection System (IDS) is a system whose task is to monitor the data flows (traffic) travelling across the network; it is capable of detecting suspicious actions, unauthorised intrusions and illegitimate exploitation of system resources that could compromise the integrity, stability and availability of the system.

An IDS can distinguish attacks originating from outside the system from those originating inside it by relying on a database of signatures of known attacks (smurf attack, buffer overflow, packet sniffers, ...). When an IDS is also able to block attacks, it is called an Intrusion Prevention System (IPS).

There are many IDS tools; among them Snort is very widely used because it can be installed on both Windows and Linux. When Snort detects the signs of an attack, depending on its configuration and on the rules defined by the administrator (Snort rules), it can take different actions, such as sending an alert to the administrator, writing a log file, or dropping the packets that are intruding into the system.

1. The concept of intrusion detection systems

1.1. What is intrusion detection?

Intrusion detection is a set of techniques and methods used to detect suspicious behaviour at the network and host level. There are two basic kinds of intrusion detection system: signature-based detection and anomaly detection.
a) Signature-based detection

This method identifies an attack by comparing the observed signature with a set of known signatures that have been established as attacks. It is effective against known signatures; computer viruses, for example, can be detected by software that searches the packets of Internet protocols for data associated with an intrusion. Based on a set of signatures and rules, the IDS can find and log suspicious activity and generate alerts. However, this method is of almost no use against new attacks, large and complex attacks, or attacks that use evasion techniques, because no information about the attack is available yet.

b) Anomaly detection

This method establishes and records the stable operating state of the system, then compares it with the current operating state to check for deviations. When a large difference is recognised in the system, an attack may be taking place, for example a sudden surge in traffic to a website. Anomaly-based intrusion detection usually depends on the packets present in the protocol header. In some cases these methods give better results than a signature-based IDS. Typically an IDS collects data from the network and applies its rules to that data in order to detect anomalies in it. Snort is primarily a rule-based IDS, and plug-ins are now available to detect anomalies in protocol headers.

The detection process can be described by the following three basic elements:
Information source: inspecting the packets on the network.
Analysis: analysing the collected packets to recognise which actions are attacks.
Response: the alerting action for the attack analysed above.

Snort uses rules stored in editable text files. The rules are grouped into categories and stored in separate files. These files are then gathered into a main configuration file called snort.conf. Snort reads these rules at start-up and builds internal data structures, or chains, in which the rules are applied to the captured data. Finding and processing signatures according to the rules is difficult, because the processing requires capturing and analysing data within a limited time.
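As an added illustration of the rule-driven detection just described (information source, analysis and response), and not code from the report or from Snort itself: a small Python detector that parses rules written in a simplified Snort syntax, builds the rule set once at start-up, and applies it to packets. The rule text, the addresses and the packets are all constructed for the example; only the rule header fields and the msg/content options are supported.

```python
import ipaddress
import re

RULES_TEXT = """
alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB traversal attempt"; content:"../";)
alert tcp any any -> 192.168.1.0/24 22 (msg:"SSH banner probe"; content:"SSH-";)
"""
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+'
    r'\((?P<opts>.*)\)\s*$')

def parse_rules(text):
    """Build the in-memory rule set once at start-up, as Snort does from snort.conf."""
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed in rule files
        if not (m := RULE_RE.match(line)):
            raise ValueError(f"malformed rule: {line}")
        rule = m.groupdict()
        opts = dict(re.findall(r'(\w+):"([^"]*)"', rule.pop("opts")))
        rule.update(msg=opts.get("msg", ""), content=opts.get("content", "").encode() or None)
        rules.append(rule)
    return rules

def _header_ok(r, proto, src, sport, dst, dport):
    """Rule header check: protocol, then CIDR/host and port match for both ends."""
    def ip_ok(pat, a): return pat == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(pat, strict=False)
    def port_ok(pat, p): return pat == "any" or int(pat) == p
    return (r["proto"] == proto and ip_ok(r["src"], src) and ip_ok(r["dst"], dst)
            and port_ok(r["sport"], sport) and port_ok(r["dport"], dport))

def detect(rules, packets):
    """Analysis and response: (action, msg) of every rule each packet triggers, in order."""
    alerts = []
    for proto, src, sport, dst, dport, payload in packets:
        for r in rules:
            # a rule fires only when the header matches and any content signature is present
            if _header_ok(r, proto, src, sport, dst, dport) and (r["content"] is None or r["content"] in payload):
                alerts.append((r["action"], r["msg"]))
    return alerts

# Constructed packets (proto, src, sport, dst, dport, payload) as a sensor would deliver them.
SAMPLE_PACKETS = [
    ("tcp", "10.0.0.5", 40000, "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    ("tcp", "10.0.0.5", 40001, "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("tcp", "10.0.0.7", 40002, "192.168.1.20", 22, b"SSH-2.0-probe\r\n"),
    ("tcp", "10.0.0.5", 40003, "172.16.0.1", 80, b"GET /../ HTTP/1.1\r\n"),  # outside the watched net
]
```

Calling `detect(parse_rules(RULES_TEXT), SAMPLE_PACKETS)` yields one alert for the traversal request and one for the SSH probe; the benign request and the packet to an address outside the rule's network produce nothing.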
Snort comes with a rich set of predefined rules for detecting intrusion activity, and you can also add or remove rules yourself depending on the alerting purpose of the system.

2. Structure of an IDS - roles - operation

The basic components:

Sensor/Agent: monitors and analyses activity. A sensor is usually used for a network-based IDS/IPS, while an agent is usually used for a host-based IDS/IPS. Sensors/agents are the probes placed in the system to detect intrusions or abnormal signs across the whole network.

Management Server: the central device that receives the information from the sensors/agents and manages them; the management server is usually a workstation within the system. Some management servers can analyse the information and identify events that the individual sensors/agents cannot recognise on their own.

Database server: stores the information from the sensors/agents or the management server.

Console: the program that provides the user interface; it can be installed on an ordinary computer and serves administration, monitoring and analysis tasks.

3. Classification of IDS

IDS are divided into the following two types:
Host-based IDS (HIDS): uses audit data from one or a few individual machines to detect intrusions.
Network-based IDS (NIDS): uses data from the whole network traffic, together with audit data from sensors and a few workstations, to detect intrusions.

a. Host-Based intrusion detection systems (HIDS)

A host-based IDS (HIDS) checks for intrusion by observing and analysing information at the host or operating-system level on the system's interfaces, such as system calls, audit logs, or error messages. A host-based intrusion detection system can check system files and application log files for signs of intruder activity in order to protect special system resources, including files that can only exist on each host. The task of a HIDS is to react, meaning that it sends notifications to the administrator when it detects events occurring in real time.
Unlike a NIDS, which works with sensors whose task is to monitor and block attacks on a network segment or across the whole network, a HIDS is usually installed on, and monitors the activity of, each individual computer, so it can determine whether an attack has succeeded based on its effects on the system. HIDS are usually placed on the system's critical hosts, and the servers in the DMZ are usually the first targets that hackers attack. The main task of a HIDS is to monitor changes on the system, including (but not limited to):
Processes.
Registry entries.
CPU usage.
Integrity and access checks on the file system.
A few other parameters.
When these parameters exceed a preset threshold, or when suspicious changes occur on the file system, an alarm is raised. A HIDS plays an important role in the system because not all attacks are carried out over the network. For example, by gaining physical access to a computer system an intruder can attack the system or its data without generating any network traffic at all, so systems that rely on a NIDS cannot detect these attacks. Another advantage of a HIDS is that it can block attacks that rely on fragmentation or TTL tricks: because a host must receive and reassemble the fragments when it processes traffic, a host-based IDS can monitor this.

b. Network-Based intrusion detection systems (NIDS)

A network-based IDS (NIDS) checks for intrusion by using detectors and sensors installed across the network to monitor the system's activity. These sensors collect and analyse the traffic and inspect the headers of all packets in real time, then compare the results with a database of predefined profiles or signatures to decide whether an attack has occurred. When an abnormal event is recorded, the sensor sends an alert to the management station and carries out some action based on the preconfigured rules. A NIDS is usually placed at critical positions such as the network interfaces connecting the internal network to the external network, to monitor all inbound and outbound traffic
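The HIDS baseline-and-compare check described above (file integrity, processes, CPU threshold), as an added Python example that is not part of the report: a snapshot recorded on a clean host is compared with a later reading, and every deviation becomes an alert. The file contents, process names and CPU figures are constructed for the example; a real agent would read them from the host.

```python
import hashlib

def snapshot(files, processes, cpu_pct):
    """What the agent records: a SHA-256 per watched file, the process set and the CPU load."""
    return {"files": {path: hashlib.sha256(data).hexdigest() for path, data in files.items()},
            "processes": set(processes), "cpu_pct": cpu_pct}

def compare(baseline, current, cpu_threshold=90):
    """Return (category, detail) alerts wherever the current snapshot deviates from the baseline."""
    alerts = []
    for path in sorted(baseline["files"].keys() | current["files"].keys()):
        if path not in current["files"]:
            alerts.append(("file-removed", path))
        elif path not in baseline["files"]:
            alerts.append(("file-added", path))
        elif baseline["files"][path] != current["files"][path]:
            alerts.append(("file-modified", path))  # digest differs, so the content changed
    for proc in sorted(current["processes"] - baseline["processes"]):
        alerts.append(("new-process", proc))
    if current["cpu_pct"] > cpu_threshold:  # a preset threshold, as the report describes
        alerts.append(("cpu-threshold", f"{current['cpu_pct']}% > {cpu_threshold}%"))
    return alerts

# Constructed host state: the baseline recorded on a clean host, and a later reading.
CLEAN_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
               "/usr/sbin/sshd": b"ELF sshd build 1"}
BASELINE = snapshot(CLEAN_FILES, {"sshd", "cron", "httpd"}, cpu_pct=12)
LATER_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n",
               "/usr/sbin/sshd": b"ELF sshd build 1",
               "/tmp/.cache": b"unexpected file"}
LATER = snapshot(LATER_FILES, {"sshd", "cron", "httpd", "unknownd"}, cpu_pct=97)
```

`compare(BASELINE, LATER)` reports the modified passwd file, the added file under /tmp, the new process and the CPU reading above the threshold, while `compare(BASELINE, BASELINE)` reports nothing.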