Snort Thesis (Khóa luận Snort)
7/25/2019 Khóa luận Snort
Ho Chi Minh City, ... 2013
GRADUATION PROJECT ASSIGNMENT
Student's full name: ......  Student ID: ......
Major: ......  Class: ......
Supervisor: ......
Date assigned: ......  Date submitted: ......
1. Project title:
2. Initial data and documents:
3. Explanatory content and calculations:
4. Deliverables:
Ho Chi Minh City University of Technology and Education (Trường Đại học Sư phạm Kỹ thuật Tp.HCM)
Faculty of High Quality Training
Socialist Republic of Vietnam
Independence - Freedom - Happiness
Head of Department                Supervisor
SUPERVISOR'S COMMENTS
Supervisor
REVIEWER'S COMMENTS
Reviewer
ACKNOWLEDGEMENTS
After many months of studying, researching and installing, the project "Understanding and building an intrusion detection and prevention system using Snort/SnortSam" has essentially been completed. During the time I worked on the project I received a great deal of help from friends, seniors and teachers.
I sincerely thank my family and friends for their help, encouragement and moral support in completing this project.
I also sincerely thank the teachers at Ho Chi Minh City University of Technology and Education and the Faculty of High Quality Training for creating the conditions for me to do research and study. In particular I sincerely thank Mr. Nguyen Dang Quang, who was always enthusiastic in reminding and urging me to work hard, who advised me and sent me many reports that I could consult to complete the project, and who gave feedback on the content and presentation so that I could finish this report in the best possible way.
Although I have tried my best to complete the project as well as possible, it will certainly still contain shortcomings. I always look forward to receiving comments and discussion on these issues.
Student
Nguyen Van Quang
SUMMARY
Building an intrusion detection and prevention system is one way of raising the security of a system. An intrusion detection system is not meant to replace the firewall; it supplements it and collects as much information as possible for the process of blocking attacks.
Besides the concepts and the intrusion detection techniques of an intrusion detection system, the thesis also studies a network-based intrusion detection system, Snort, and the SnortSam module combined with iptables for the purpose of blocking attacks.
The main objective of the thesis is to understand the structure of Snort rule sets as thoroughly as possible, to develop a mindset of analysing a system rather than merely deploying one, and from there to build rule sets for the specific situations of each system.
The main content of the thesis can be divided into 3 parts:
Part 1: The main points on intrusion detection systems, models and detection techniques.
Part 2: Technical details of the Snort/SnortSam network intrusion detection system: the architecture of Snort and the structure of Snort rules.
Part 3: Analysis of a few attack types and the corresponding rules. System demo.
Keywords: intrusion detection, intrusion detection system, anomaly-based detection, signature-based detection, Snort, SnortSam, SYN Flood, Apache Killer
ABSTRACT
To enhance the security of a system, we implement an intrusion detection system and an intrusion prevention system for it. Deploying an IDS/IPS does not replace the firewall; it supplements the firewall and collects a great deal of information for preventing attacks.
This graduation thesis researches the definition of intrusion detection and the detection techniques of an intrusion detection system (IDS). It also studies Snort and SnortSam together with iptables for preventing attacks.
The main objective of the thesis is for a system administrator to gain knowledge of rule syntax and system analysis, and to build their own Snort rules for their system.
The content of the thesis comprises three main parts:
Part 1: Intrusion detection, network diagram, intrusion detection techniques.
Part 2: Snort/SnortSam, Snort architecture, Snort rule syntax.
Part 3: Analysis of a few attacks, analysis of a few rules for those attacks, and a demo.
Keywords: intrusion detection, intrusion detection system, anomaly based intrusion detection, misuse/signature based intrusion detection, Snort, SnortSam, SYN Flood, Apache Killer.
TABLE OF CONTENTS
LIST OF FIGURES 7
LIST OF ABBREVIATIONS 9
PART I: PROBLEM STATEMENT 10
PART II: SOLVING THE PROBLEM 3
CHAPTER 1: INTRUSION DETECTION SYSTEMS (IDS) 5
1.1. Introduction 5
1.2. What is an intrusion detection system? 5
1.2.1. Network-based IDS 7
1.2.2. Host-based IDS 8
1.3. Intrusion detection techniques 10
1.3.1. Anomaly Based Intrusion Detection 10
1.3.2. Misuse/Signature Based Intrusion Detection 12
1.4. Placing the IDS in the network 13
CHAPTER 2: INTRODUCTION TO SNORT/SNORTSAM 15
2.1. What is Snort? 15
2.2. Deploying a Snort system 15
2.2.1. Hardware requirements 16
2.2.2. Operating system and other software packages 17
2.3. Characteristics of Snort 17
2.3.1. Packet Sniffer (Decoder) 19
2.3.2. Preprocessors 20
2.3.3. Detection Engine 21
2.3.4. Alerting/logging component 23
2.4. Snort operating modes 24
2.4.1 Sniffer mode and log mode 24
2.4.2 NIDS mode 25
2.5. Introduction to SnortSam 26
2.5.1. Snort Output Plug-in 27
2.5.2. Blocking Agent 28
CHAPTER 3: PREPROCESSORS AND OUTPUT PLUG-INS 30
3.1. Preprocessors 30
3.1.1. Frag3 31
3.1.2. Stream5 35
3.1.4. HTTP Inspect 39
3.2. Output 40
CHAPTER 4: RULES IN SNORT 42
4.1. Rule Header 43
4.1.1. Rule Action 43
4.1.2. Protocol 44
4.1.3. IP Address 44
4.1.4. Port 44
4.1.5. Direction 45
4.1.6. Activate/Dynamic rule 45
4.2. Rule Options 46
4.2.1. General 46
4.2.2. Payload 48
4.2.3. Non-Payload 51
4.2.3. Post-detection 57
CHAPTER 5: ANALYSIS OF SOME SNORT RULES 61
5.1. Examining scan rules 61
5.2 Win.Trojan.Ibabyfa.dldr 64
5.3. TCP-SYN Flood 65
5.4 Apache Killer (CVE-2011-3192) 67
CHAPTER 6: INSTALLING AND CONFIGURING SNORT 71
6.1 System diagram 71
6.2. Installing Snort and SnortSam 72
6.3. Testing attack types 83
RESULTS ACHIEVED 86
CONCLUSION 88
REFERENCES 91
LIST OF FIGURES
Figure 1.1: OSSEC deployed on servers. 9
Figure 1.2: Anomalous patterns. 10
Figure 1.3: State transition analysis. 12
Figure 1.4: Possible IDS placements in the network. 14
Figure 2.1: Snort architecture. 18
Figure 2.2: Packets entering the Sniffer. 19
Figure 2.3: Packet decoding. 20
Figure 2.4: Preprocessor processing. 21
Figure 2.5: Packets processed by the Detection Engine using rules. 22
Figure 2.6: Alerting and logging component. 24
Figure 3.1: The preprocessing stage. 31
Figure 3.2: Operating system classification. 34
Figure 3.3: Meaning of the global configuration parameters. 36
Figure 3.4: Meaning of the TCP configuration parameters. 38
Figure 3.5: Meaning of the UDP configuration parameters. 38
Figure 3.6: Meaning of the ICMP configuration parameters. 38
Figure 3.7: Meaning of the IP configuration parameters. 38
Figure 4.1: Rule structure in Snort. 43
Figure 4.2: reference table. 47
Figure 4.3: ipopts table. 52
Figure 4.4: flag table. 53
Figure 4.5: ICMP header Type table. 55
Figure 4.6: ICMP header Code values. 56
Figure 4.7: Parameters of the detection_filter keyword. 59
Figure 5.1: Three-way handshake. 66
Figure 5.2: SYN Flood. 66
Figure 5.3: A normal HTTP request. 68
Figure 5.4: HTTP request generated by Apache Killer. 68
Figure 6.1: Real-world deployment model with a DMZ. 71
Figure 6.2: Experimental model. 71
Figure 6.2: Table of hosts in the network. 71
Figure 6.3: Processing model of Snort, MySQL and BASE. 72
LIST OF ABBREVIATIONS
CNSS Committee on National Security Systems
IDS Intrusion Detection System
IPS Intrusion Prevention System
NIDS Network-based IDS
HIDS Host-based IDS
ICMP Internet Control Message Protocol
IP Internet Protocol
TCP Transmission Control Protocol
UDP User Datagram Protocol
DoS Denial-of-Service
DDoS Distributed Denial-of-Service
GNU/GPL GNU General Public License
ACID Analysis Console for Intrusion Databases
BASE Basic Analysis and Security Engine
ISP Internet Service Provider
FDDI Fiber Distributed Data Interface
ACL Access Control List
HTTP Hypertext Transfer Protocol
PART I
PROBLEM STATEMENT
The urgency of the topic.
Society keeps developing, and the Internet has become an indispensable part of life for every individual, business, organisation, school and government. The Internet arrived in Vietnam more than 15 years ago and has become a tool and a means for businesses to reach customers, provide services and manage the organisation's data effectively and quickly.
Alongside this positive development, network attacks and intrusions by bad actors have developed as well. Not only worldwide but also in Vietnam, information security has become a burning issue. The diversity and complexity of the attack types make blocking and preventing them difficult.
The more e-commerce in Vietnam grows, the more it becomes a target for attackers. E-commerce is a target with more value to be gained, which attracts attackers to spend more effort on intrusion and sabotage.
An intrusion detection and prevention system helps the administrator continuously monitor the system and collect much valuable information for the process of fighting these attacks and intrusions.
Research objectives.
General study of intrusion detection systems: the characteristics and architecture of an intrusion detection system, and especially the intrusion detection techniques currently in use.
Study of the Snort intrusion detection system: how to install, configure and deploy it in a network.
Analysis of the signs of the different attack types, forming rules that correspond to the characteristics of each type of attack and intrusion.
Study and deployment of SnortSam as a Snort add-on to block intrusions of a chosen kind.
Research subjects.
The subjects of the project are intrusion detection systems in general, the Snort intrusion detection system, and Snort's add-on SnortSam.
Study and formation of rule sets for specific types of attack and intrusion.
Research methods.
Study of intrusion detection theory through documents and reports.
Study of Snort theory through the documents on the Snort homepage, the user manual from Sourcefire and other sources.
Study of SnortSam through the documentation and user guide on the SnortSam homepage.
Deployment of the system on VirtualBox virtual machines, building a simple network that simulates a small real-world network, and deploying services as in a real network model.
Study of the methods of intrusion, attack and vulnerability exploitation, the tools used and how they are carried out. Carrying out attacks, intrusions and exploitation, then reading the logs, analysing the captured packets and turning them into rules for detection and prevention.
PART II
SOLVING THE PROBLEM
Contents
The main contents of this part include: intrusion detection systems, Snort, SnortSam, the structure of Snort rules and how to write them, installing and deploying Snort in a network, and a demo of attack and detection.
Chapter 1, Intrusion detection systems (IDS): an overview of intrusion detection systems, intrusion detection techniques, classification of intrusion detection systems, and how to place an IDS in a network.
Chapter 2, Introduction to Snort/SnortSam.
Chapter 3, Preprocessors and Output Plug-ins: preprocessing in Snort and the output component.
Chapter 4, Rules in Snort: the structure of a Snort rule.
Chapter 5, Analysis of some Snort rules: presents some attack types and the accompanying rule sets.
Chapter 5, Installing and configuring Snort/SnortSam.
Chapter 6, Demo of intrusion detection and prevention based on Snort/SnortSam.
CHAPTER 1
INTRUSION DETECTION SYSTEMS (IDS)
1.1. Introduction
Intrusion detection is not a new technique, and it is applied in many different fields, not only in the information security of computer networks. The simplest everyday example of intrusion detection is the alarm on a car. The principle is very simple: the system is armed, and if anyone touches the car, the horn sounds to warn that someone is breaking in.
Like firewalls, intrusion detection systems are built to protect the resources of a network against unwanted attackers. So why is an IDS needed when there is already a firewall? As we learned in the earlier project "Understanding Firewalls and deploying one on ClearOS", a firewall in the real world is like a person building walls, hiring guards and buying locks to stop thieves from breaking into their property. However well it is protected, though, there is no guarantee that we know every method a thief could use. So besides the system that keeps intruders out (the firewall), warning systems can also be deployed: alarm bells, surveillance cameras, alert systems and so on.
Similarly, in a network no one can be certain that the hardware and the other protective mechanisms can block every attack or anticipate every attacker technique. That is why an IDS is needed: to detect abnormal signs, raise an alert when abnormal behaviour appears, and monitor the activity entering and leaving the system so that it can be analysed and stopped in time (monitoring and logging).
1.2. What is an intrusion detection system?
According to the definition in document CNSSI-4009 of the Committee on National Security Systems of the United States, an intrusion is the act of gaining unauthorised access by bypassing the security mechanisms of a system.
A computer intrusion is the act of deliberately accessing a computer without permission, or of trying to exceed the access rights one already has in order to reach other resources and gather information.
Intrusion detection is the process of monitoring the events occurring in a computer system or a network and then analysing them for signs of possible incidents. Incidents may be actions that violate the system's security policies or security standards, or threats to the business. They may be caused by malicious software such as viruses, worms, trojans or spyware, by deliberate intrusion from the Internet, or by exceeding normal access rights. There are also unintentional causes, for example a user who mistypes a computer's address and tries to access a system they are not allowed to use.
An Intrusion Detection System (IDS) can be a hardware device (such as Cisco's intrusion detection devices, the Cisco IDSM-2 or the Cisco IPS 4200 Series Sensors) or a software application that monitors computers and networks for actions that threaten the system or violate the security policy and reports them to the system administrator. An intrusion detection system installed in a network is like a burglar alarm in a house.
Some intrusion detection systems also have the ability to block threats, but that may not be necessary and is not the main function of a monitoring system.
A basic intrusion detection system identifies threats, records information about them and then reports that information.
In short, the functions of an intrusion detection system are monitoring (network traffic), alerting (reporting the state of the network to the system and the administrator) and protecting (using the default settings and the administrator's configuration to take action against the intrusion).
IDSs can be classified by function into 2 types: Network-based IDS and Host-based IDS. Each type has its own approach to monitoring and protecting data, and each has its own advantages and disadvantages.
1.2.1. Network-based IDS
A network-based intrusion detection system operates as a standalone device on the network. It is usually placed at network segments or at the connection points between different network zones, so that it can monitor the traffic from many hosts in that zone. A NIDS can be hardware or software.
Structurally, a NIDS usually consists of a set of sensors placed at different points in the network. The sensors monitor the network traffic, analyse parts of it and report back to the central management console.
Some NIDS: Snort, Suricata, the NIDS products of Cisco, Juniper and others.
Advantages of NIDS:
- Covers an entire network segment (with many hosts). Low cost: a large network can be monitored with only a few devices (in a well-designed network).
- Transparent to both users and attackers.
- Simple to install and maintain, without affecting the network.
Disadvantages of NIDS:
- A NIDS may have difficulty processing all the packets on a large network with high traffic. This means the NIDS may fail to detect an attack while the network is overwhelmed (overloaded).
B hn ch bi switch. Trn cc mng chuyn mch hin i, cc switch
c s dng nhiu chia mng ln thnh cc segment nh d qun
l. V th dn n NIDS khng th thu thp c thng tin trong ton h
thng mng. Do ch kim tra trn segment m n kt ni trc tip nn nkhng th pht hin tn cng trn mt segment khc. Vn ny dn n
vic doanh nghip phi mua mt s lng ln cm bin nu mun bao
ph ton h thng mng ca h, lm tng chi ph.
NIDS khng th phn tch c cc thng tin b m ha (SSL, SSH...).
Mt s h thng NIDS c th gp kh khn vi dng tn cng phn mnh
gi d liu (fragmenting packets).
NIDS khng th phn bit c mt cuc tn cng thnh cng hay tht
bi. N ch c th phn bit c c mt cuc tn cng c khi
xng. iu ny ngha l bit c cuc tn cng thnh cng hay
tht bi ngi qun tr phi iu tra cc my ch v xc nh n c b
xm nhp hay khng?
1.2.2. Host-based IDS
A host-based intrusion detection system runs on a single host. A HIDS uses the host's own resources to monitor traffic and detect attacks if any occur. In this way a HIDS can monitor all activity on the host, such as log files and the network traffic entering and leaving the host. It also monitors the operating system, the audit records and the host's error messages.
Not every attack goes through the network, so a NIDS cannot always detect an attack on a host. For example, an attacker with physical access can compromise a host without generating any network traffic.
One advantage of a HIDS over a NIDS is that it can block fragmentation attacks. For this reason a HIDS is usually installed on
the organization's critical hosts and on the servers in the DMZ (which are the main attack targets).
A HIDS also commonly monitors changes on the system, such as file system attributes, file attributes (size, location, permissions), and the creation or deletion of files.
Some HIDS: Symantec ESM, OSSEC, Tripwire...
Figure 1.1: OSSEC deployed on servers.
Advantages of HIDS:
- Detects attacks on hosts that a NIDS cannot see.
- Can monitor encrypted traffic.
- Not affected by switching devices (switches).
Disadvantages of HIDS:
- Harder to manage, because it must be installed on every host to be protected, so configuration, management and updating amount to a large volume of work.
- A HIDS cannot detect network scans (such as an nmap scan), because it only monitors the host it is installed on.
- Can be disabled by a denial-of-service (DoS) attack.
- Consumes system resources: because it is installed on the machine being protected, it uses that system's RAM, CPU and hard disk, which can reduce the performance of monitoring.
- A HIDS dies when the host's operating system dies.
1.3. Intrusion detection techniques
This section examines the techniques an IDS uses to detect intrusions. Fundamentally, two techniques are used:
- Anomaly detection (Anomaly Based ID)
- Misuse/signature detection (Misuse/Signature Based ID).
1.3.1. Anomaly Based Intrusion Detection
First, an anomaly is understood as a deviation or distinctness from the existing patterns in the data, or something that does not fit the usual notions and behaviour of the system. The figure below is an example of the anomaly of O1, O2 and O3, which differ in behaviour and structure from N1 and N2.
Figure 1.2: Anomalous patterns.
Anomaly-based detection is designed to detect patterns of behaviour that differ greatly from normal behaviour, and then labels such behaviour as a possible intrusion.
Advantages:
- An IDS built on anomaly detection can detect abnormal behaviour, and so it can detect the symptoms of an attack without knowing the specific details of the attack type. Simply put, it can detect previously unknown attacks.
- Anomaly detection can be used to provide information from which signatures for a misuse detector can be built.
Disadvantages:
- The anomaly approach usually generates a large number of false alarms, because the behaviour of users and of the network cannot be predicted.
- The anomaly approach requires frequent training on the system's records in order to learn what normal behaviour is.
Anomaly-based intrusion detection is very effective at detecting attacks such as:
- Misuse of protocols and service ports.
- Denial-of-service attacks.
- Buffer overflows.
The measures and techniques used in anomaly detection include:
- Protocol anomaly detection. A protocol anomaly is a case that violates the formats, standards and behaviours defined in advance by Internet standards. For example, the maximum size of an ICMP packet is 65,535 bytes; an attacker deliberately sends a packet larger than the standard size in order to cause a buffer overflow.
- Intrusion detection based on a learning process. This process has two steps. In step 1, after the system is set up, it is allowed to run freely and build a profile of network activity in the normal state. After this initialization period, the system enters its working phase, monitoring and detecting abnormal activity by comparing the current state with the profile that was created.
- Statistical anomaly based intrusion detection. This technique emphasizes measuring and counting normal activity on the network. Examples: logging in more times than the defined limit, an excessive number of processes running on the CPU, an excessive number of packets sent.
1.3.2. Misuse/Signature Based Intrusion Detection
This method compares the signature of the observed objects with the signatures of known forms of intrusion. Two techniques are used in signature-based intrusion detection:
- Expression matching.
- State transition analysis.
Figure 1.3: State transition analysis.
Advantages:
- Few false alarms, and especially effective against known forms of intrusion.
- Fast and reliable in identifying the tools and techniques of the attack, so the administrator can quickly take timely countermeasures.
Disadvantages:
- To detect intrusions effectively, this method needs constant updates of the signatures of new forms of intrusion.
- If the detection signatures are not designed carefully, they may fail to detect variants of an attack.
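The two techniques of section 1.3 side by side, as an added example that is not part of the thesis: a small expression-matching signature set (a misuse detector) and a per-source threshold (a statistical anomaly detector) run over the same constructed event log. The events, the signature, the encoded variant that the naive signature misses, and the threshold of three failed logins are all constructed for this example.

```python
"""Misuse (signature) detection versus statistical anomaly detection over one
constructed event log. Not from the thesis; all inputs are made up here."""
import re
from collections import Counter

# Constructed events: (source IP, event kind, detail).
SAMPLE_EVENTS = [
    ("10.0.0.5", "http", "GET /index.html"),
    ("10.0.0.5", "http", "GET /wwwboard/PASSWD.TXT"),    # known pattern, different case
    ("10.0.0.8", "http", "GET /wwwboard/passwd%2etxt"),  # encoded variant: evades the naive signature
    ("10.0.0.9", "login", "failed"),
    ("10.0.0.9", "login", "failed"),
    ("10.0.0.9", "login", "failed"),
    ("10.0.0.9", "login", "failed"),
    ("10.0.0.9", "login", "ok"),
    ("10.0.0.7", "login", "failed"),
]

# Signature set: a name and a compiled expression, in the spirit of a Snort
# rule's content/nocase options (constructed, not a real rule set).
SIGNATURES = [
    ("WEB-CGI /wwwboard/passwd.txt access",
     re.compile(r"/wwwboard/passwd\.txt", re.IGNORECASE)),
]


def signature_alerts(events, signatures=SIGNATURES):
    """Misuse detection: alert whenever an event matches a known signature.
    Case differences are handled; the percent-encoded variant is not, which is
    the 'variant' weakness the text describes."""
    alerts = []
    for src, _kind, detail in events:
        for name, pattern in signatures:
            if pattern.search(detail):
                alerts.append((src, name))
    return alerts


def anomaly_alerts(events, max_failed_logins=3):
    """Statistical anomaly detection: a source whose failed-login count
    exceeds the profile of normal behaviour is reported, regardless of whether
    any signature exists for what it is doing."""
    failed = Counter(src for src, kind, detail in events
                     if kind == "login" and detail == "failed")
    return [(src, count) for src, count in failed.items() if count > max_failed_logins]


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(SAMPLE_EVENTS))
    print("anomaly alerts:", anomaly_alerts(SAMPLE_EVENTS))
```

Running it shows each technique's blind spot: the signature matcher reports 10.0.0.5 but not the encoded request from 10.0.0.8, while the threshold detector reports 10.0.0.9 without any signature for password guessing.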
1.4. Placing the IDS in the network
The question when using an IDS is where to place it in the network so that the sensors can see all the traffic moving across it.
To decide where to place the sensors, answer a few questions:
- What resources need protecting?
- How is the network designed: is the topology a bus, a ring, a star or a combination?
- Should the sensor be placed in front of the firewall (pre-filtered) or behind the firewall (unfiltered)?
- Which devices does the network use, hubs or switches?
- How do the routers route traffic in the network?
In short, the sensor should be placed where it can see as much traffic as possible, typically at the connection point between segments.
Note that the IDSs in the model below are attached to hubs to ensure that no network traffic is missed. However, these IDSs can also be attached to
a monitoring port on the switch (SPAN port, port monitoring): when data passes through the switch, the switch sends a copy to the IDS.
Figure 1.4: IDS placement positions in the network.
CHAPTER 2
INTRODUCTION TO SNORT/SNORTSAM
2.1. What is Snort?
Snort is an open-source network-based intrusion prevention and detection system (IPS/IDS) developed by Sourcefire. Combining signature, protocol and anomaly inspection, Snort is deployed widely around the world. With millions of downloads and more than 400,000 registered users, Snort has become the standard for intrusion prevention and detection systems.
Snort's main functions are packet sniffing, packet logging and network-based intrusion detection.
Why has Snort become so popular?
- Easy to configure: how Snort works, where the configuration file is and how the rules work are all things the administrator can learn and configure to their own needs, including creating new rules.
- Snort is open-source software: it is released under the GNU/GPL license, which means anyone, enterprise or individual, can use Snort free of charge. Because it is open source, Snort also has a large user community ready to help with any question.
- Runs on many platforms: besides open-source operating systems such as GNU/Linux, Snort also runs on commercial platforms such as Microsoft Windows, Solaris, HP-UX...
- Snort is updated regularly: Snort's rules are constantly supplemented and updated for new forms of intrusion. Users can easily download them from http://www.snort.org.
2.2. Deploying a Snort system
2.2.1. Hardware requirements
It is hard to give a single general hardware requirement for installing Snort, because it depends on many different factors. The two factors to consider when choosing hardware for a Snort system are the traffic volume on the network and the processing and storage requirements of the Snort system. The hardware requirements for a large enterprise such as an ISP differ greatly from those of a small home network.
To determine the hardware for a Snort installation, answer the following questions:
- Is the network a small home, small business, large enterprise or ISP network? What is the normal traffic volume on the network?
- Roughly how much traffic flows between the internal network and the external Internet, and in the other direction?
- Where are Snort's alerts stored?
- How long are these alerts kept?
- Should the packets related to these alerts be stored as well?
Although Snort has no special hardware requirements, powerful hardware brings some advantages. Because Snort is a network-based intrusion detection system, a hard disk with a large capacity and a fast rotation speed lets the Snort system run more smoothly. For example, an enterprise network might allocate a /var partition of 100 GB. If the requirements are high, RAID storage can be used.
You will need a fast network interface card (NIC) to make sniffing packets easier. For example, if the network card's speed is below 100Mb/s, a 100Mb/s card should be used. If the card is too slow, Snort may miss some packets, and the collected information will be inaccurate. A second network card should also be dedicated to the administrator's connection over SSH or a web interface, so that it is not shared with the card used for sniffing packets.
If the network is large and has many sensors, consider increasing the system's RAM so that it does not lag when processing the large amount of information sent back.
2.2.2. Operating system and other software packages
Snort runs on many operating system platforms. It runs on x86 platforms such as GNU/Linux, FreeBSD, OpenBSD, NetBSD and Windows. It also supports the Sparc architecture with operating systems such as Solaris, MacOS-X, HP-UX...
Besides the operating system, if you intend to compile Snort from source code, make sure the following software is installed on the system:
- autoconf and automake.
- gcc.
- lex and yacc, or GNU flex and bison.
- libpcap.
Most of this software can be downloaded from http://www.gnu.org/ and libpcap from http://www.tcpdump.org
If you also intend to install Snort add-ons or management tools, for example the popular Analysis Console for Intrusion Detection (ACID) web interface, you must also install the Apache web server (SSL should be used for security), PHP, and, for the database that stores the alerts, MySQL or PostgreSQL.
Some popular add-ons:
- ACID.
- Oinkmaster.
- SnortSnarf.
- SnortReport.
- Snorby.
If administering remotely over SSH, SSH must also be configured.
2.3. Snort characteristics
In NIDS mode, after packets enter and pass through the packet sniffer, the data is sent through whatever preprocessors are configured in snort.conf. The data then passes through the detection engine, which checks whether it matches the rules in snort.conf. Matching packets are sent to the alert and logging component, pass through whichever output plug-in is selected, and are then logged or alerted on according to the configuration.
Snort's architecture has four basic parts:
- The Sniffer (Packet Decoder).
- The Preprocessors.
- The Detection Engine.
- The Output.
The figure below gives an easy-to-understand view of Snort's architecture and processing flow. Imagine it as a coin-sorting machine.
Figure 2.1: Snort architecture.
- Coins are fed in (packets are fed in from the network wire).
- The coins pass through a sieve that determines whether they are coins and whether they are passed on (preprocessors).
- Next the coins are sorted by type, for example by coin value (Detection Engine).
- Finally, the administrator decides what to do with them (log them and store them in the database).
The preprocessors, the detection engine and the alert system are all plug-ins. This makes it easy to modify the system to the administrator's wishes.
2.3.1. Packet Sniffer (Decoder)
A packet sniffer is a hardware or software device placed on the network. Its function is similar to wiretapping a mobile phone, but instead of operating on the telephone network it eavesdrops on the data network. Because the network model has many higher-level protocols such as TCP, UDP, ICMP..., the packet sniffer's job is to analyze these protocols into information that humans can read and understand. A packet sniffer can be used for purposes such as:
- Network analysis and troubleshooting.
- Network performance and benchmarking.
- Eavesdropping on clear-text passwords and other data.
Encrypting network traffic can prevent packet sniffing. Depending on the purpose, a packet sniffer can be used for good or bad ends.
Figure 2.2: Packets entering the sniffer.
When Snort receives packets from the sniffing process, they enter the decoding process. Exactly where a packet enters the decoder depends on the link layer it was captured on. Snort supports several libpcap link layers: Ethernet, 802.11, Token Ring, FDDI, Cisco HDLC, SLIP, PPP and OpenBSD's PF. Above the link layer, Snort supports decoding various protocols, including IP, ICMP, TCP and UDP (details in the source file src/decode.c).
Whatever link layer is in use, all the decoders work in the same general way. For each specific layer, a pointer in the packet structure is set to point at a different part of the packet. Based on the information decoded, the decoder for the next higher layer is called, and so on until no decoder remains.
Most networks that deploy Snort today are Ethernet networks, so consider an example of decoding a packet on such a network. First, the incoming packet passes through the DecodeEthPkt function. By overlaying the Ethernet structure on the start of the data, the source and destination MAC addresses and the type of the next layer (ether_type) become known. Based on the ether_type value, the next decoder is called. If the ether_type value is 2048 (ETHERNET_TYPE_IP), the next layer is IP, so the DecodeIP decoder is called, and this continues until no decoder remains.
Figure 2.3: Packet decoding. The figure lists the decoder functions and the layer each handles: DecodeEthPkt (Ethernet), DecodeVLAN (802.1Q), DecodePPPoEPkt (PPP over Ethernet), DecodeARP (ARP), DecodeIPX (IPX), DecodeIP (IP), DecodeIPv6 (IPv6), DecodeIPOptions (IP options), DecodeTCP (TCP), DecodeTCPOptions (TCP options), DecodeUDP (UDP), DecodeICMP (ICMP) and DecodeIPOnly (embedded IP).
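The decoder chain described above, written out as an added example; this is not code from the thesis and not Snort's src/decode.c. decode_eth_pkt overlays the Ethernet header and dispatches on ether_type, and decode_ip dispatches on the IP protocol number to the TCP, UDP or ICMP decoder. The frame is constructed inline and IP/TCP checksums are left at zero and not validated, a simplification of this example.

```python
"""A minimal packet decoder chain in the style of Snort's decoders (added
example, not Snort's own code). The sample frame is constructed below."""
import struct

ETHERNET_TYPE_IP = 0x0800                  # 2048, the value quoted in the text
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def decode_eth_pkt(frame: bytes) -> dict:
    """Overlay the 14-byte Ethernet header, then call the next decoder."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ether_type = struct.unpack("!H", frame[12:14])[0]
    layers = {"eth": {"src": src.hex(":"), "dst": dst.hex(":"), "ether_type": ether_type}}
    if ether_type == ETHERNET_TYPE_IP:
        layers.update(decode_ip(frame[14:]))
    # ARP, IPX, 802.1Q and so on would dispatch to their own decoders here.
    return layers


def decode_ip(data: bytes) -> dict:
    """Overlay the IPv4 header and dispatch on the protocol field."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4               # header length in bytes
    total_length = struct.unpack("!H", data[2:4])[0]
    ttl, proto = data[8], data[9]
    layers = {"ip": {"src": ".".join(map(str, data[12:16])),
                     "dst": ".".join(map(str, data[16:20])),
                     "proto": proto, "ttl": ttl}}
    payload = data[ihl:total_length]
    if proto == IPPROTO_TCP:
        layers.update(decode_tcp(payload))
    elif proto == IPPROTO_UDP:
        layers.update(decode_udp(payload))
    elif proto == IPPROTO_ICMP:
        layers.update(decode_icmp(payload))
    return layers


def decode_tcp(data: bytes) -> dict:
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    data_offset = (off_flags >> 12) * 4      # header length incl. options
    return {"tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                    "flags": off_flags & 0x1FF, "payload": data[data_offset:]}}


def decode_udp(data: bytes) -> dict:
    sport, dport, length, _checksum = struct.unpack("!HHHH", data[:8])
    return {"udp": {"sport": sport, "dport": dport, "payload": data[8:length]}}


def decode_icmp(data: bytes) -> dict:
    return {"icmp": {"type": data[0], "code": data[1]}}


def build_sample_frame(payload: bytes = b"GET /wwwboard/passwd.txt HTTP/1.0\r\n") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums zero, PSH+ACK set)."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    eth = bytes.fromhex("00163e000002") + bytes.fromhex("00163e000001") + struct.pack("!H", ETHERNET_TYPE_IP)
    return eth + ip + tcp


if __name__ == "__main__":
    for layer, fields in decode_eth_pkt(build_sample_frame()).items():
        print(layer, fields)
```

Each decoder only knows its own header and which decoder comes next, which is the "set the pointer, then call the next layer" pattern the text describes; a frame with an ether_type the chain does not know (ARP in the test below) stops at the Ethernet layer.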
2.3.2. Preprocessors
Preprocessors are plug-ins that allow data to be parsed in different ways. If Snort is run without any preprocessor configuration in the configuration file, it will only see each individual packet on the network. This can cause the IDS to miss some attacks, because many modern attack types deliberately fragment the data, or deliberately put the malicious part in one packet and the rest in another (an evasion technique).
Data is fed to the preprocessors after passing through the packet decoder. Snort provides a range of preprocessors, for example Frag3 (a module for IP packet defragmentation), sfPortscan (a module designed to counter reconnaissance such as port scanning, service identification and OS scanning) and Stream5 (a module that reassembles TCP-layer packets).
At present Snort has 10 preprocessors, described in the Snort manual at http://manual.snort.org/node17.html.
Figure 2.4: The preprocessing process.
2.3.3. Detection Engine
Its input is the packets arranged by the preprocessing stage. The detection engine is the signature-based part of the intrusion detection system. It takes data from the preprocessors and checks it against the rules. If a rule
matches the data in the packet, the packet is sent to the alert system; otherwise it is discarded, as in the figure below.
To picture this, recall the coin-sorting example. Normally there are coins of 1, 2 and 5 cents. If a 10-cent banknote appears, it is discarded.
A rule can be divided into two parts:
- The header: the action (log or alert), the protocol type (TCP, UDP, ICMP...), the source IP address, the destination IP address and the port.
- The options: the packet content that must match for the rule to fire.
Rules are the most important part that anyone studying Snort must grasp. Snort rules have a specific syntax, which can involve the protocol, the content, the length, the header and several other parameters. Once the administrator understands the structure of Snort rules, they can easily tune and optimize Snort's intrusion detection and define rules suited to each environment and network.
Figure 2.5: Packets processed by the detection engine using the rules.
2.3.4. Alert/logging component
Finally, after rules have matched the data, the packets are passed to the alert and logging component. The logging mechanism stores the packets that triggered the rules, while the alerting mechanism reports the failed analyses. Like the preprocessors, this function is configured in snort.conf; alerting and logging can be specified in the configuration file if you want to enable them.
The data is the alert value, but there are many ways to send these alerts and to specify where the packets are logged. Alerts can be sent as SMB (Server Message Block) pop-ups to Windows workstations, written as log files, sent over the network through a UNIX socket or via SNMP. Alerts can also be stored in an SQL database such as MySQL or PostgreSQL. Some third-party systems can even send alerts by SMS to a mobile phone.
Many add-ons help the administrator receive alerts and analyze the data visually.
- The Analysis Console for Intrusion Detection (ACID): known as a PHP-based log-parsing add-on, search engine and front-end for analyzing Snort logs. http://www.andrew.cmu.edu/user/rdanyliw/snort/
- SGUIL (Snort GUI for Lamerz) is another excellent analysis tool.
- Oinkmaster: a Perl script that helps update Snort's rules and comments out the ones you do not want after each update.
- IDS Policy Manager is a management interface for Windows XP.
- SnortSnarf: a program written in Perl that generates summary log reports in HTML.
- Swatch: http://swatch.sourceforge.net is a real-time syslog monitoring tool that sends alerts by email.
- BASE: http://sourceforge.net/projects/secureideas/ Basic Analysis and Security Engine is a well-regarded plug-in for analyzing and querying Snort alerts.
Figure 2.6: Alert and logging component.
2.4. Snort's operating modes
2.4.1 Sniffer mode and logger mode
To run Snort in sniffer mode, use the -v parameter.
$ snort -v
This option only displays the IP and TCP/UDP/ICMP headers and nothing else. To also display the application-layer data, add the -d option.
$ snort -vd
This option displays both the data and the headers of the packet. To display more information, for example the data-link layer headers, add the -e option.
$ snort -vde   or   $ snort -d -v -e
Snort's advantages over other packet capture applications are:
- The log files from sniffing can be saved to a database such as MySQL or PostgreSQL.
- The log files can be displayed in ASCII per individual IP address, making analysis easy.
- The log files can also be stored as binary files in tcpdump format.
To run Snort in logger mode, use the -l parameter.
$ snort -dev -l /home/user/log
The command above captures packets and stores them as log files. The log files can also be stored according to the accessed IP addresses. For example, the following command captures, prints to the screen and stores the TCP/IP packets, with their data-link headers and packet data, for all packets entering the class C network address.
$ snort -dev -l /home/user/log -h 192.168.1.0/24
To run Snort in logger mode storing the log files in binary form, use the -b option, and use the -r option to read the recorded binary files.
$ snort -l /log -b
$ snort -dv -r packet.log
2.4.2 NIDS mode
To run Snort in network intrusion detection mode without capturing every packet:
$ snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
The -c parameter specifies Snort's configuration file. By default the log files are stored in /var/log/snort. When running in NIDS mode, the -v option can be dropped to increase speed, since it is not necessary to capture the packets and print them to the screen.
2.5. Introduction to SnortSam
Snort's function is only to detect intrusions and alert the administrator to them; it cannot stop the attacks. To block actively (active response), plug-ins for Snort such as SnortSam, Fwsnort or snort_inline can be used. These plug-ins modify or block network traffic based on the IP address (SnortSam), on the transport-layer protocol (Fwsnort) or on the application layer (snort_inline).
Note that an intrusion prevention system, besides blocking packets entering the system, can also directly modify packets as they pass through the network. Therefore Fwsnort and snort_inline are classed as intrusion prevention systems (IPS), while SnortSam is only classed as an active response system.
This section examines SnortSam, a Snort plug-in that automatically blocks IP addresses on firewalls such as:
- Checkpoint Firewall-1
- Cisco PIX firewalls
- Cisco routers (using ACLs)
- Former Netscreen, now Juniper firewalls
- IP Filter (ipf), on Unix-like OSes such as FreeBSD
- FreeBSD's ipfw2 (version 5.x)
- OpenBSD's Packet Filter (pf)
- Linux IPchains
- Linux IPtables
- Linux EBtables
- WatchGuard Firebox firewalls
- 8signs firewalls on Windows
- MS ISA Server firewall/proxy on Windows
- CHX packet filter
- Ali Basel's Tracker SNMP, via the SNMP-Interface-down plug-in.
SnortSam consists of two separate parts. One part is a set of modifications to the source files that extend Snort with a new output module, alert_fwsam. The other part is an agent that communicates directly with the firewall. This agent can be placed on the firewall itself if the firewall is iptables, on pf if the system is BSD, or on Checkpoint Firewall-1 if the system is Windows. For hardware firewalls such as the Cisco PIX, the SnortSam agent must sit on a separate machine dedicated to communicating with the PIX.
How it works: Snort monitors the traffic flows on the network, and when a Snort rule fires (on matching traffic), Snort sends its output to the fwsam module. The fwsam module then sends an encrypted message to the agent on the firewall. The agent checks whether the message comes from an authorized source; if so, it decrypts the received message and checks which IP addresses are requested to be blocked. SnortSam checks whether those IP addresses are on the white-list. If an IP is not on the white-list, SnortSam asks the firewall to block that IP address for a predefined period of time.
2.5.1. Snort Output Plug-in
The output part requires modifying Snort's configuration file and rules. It communicates with the agent on the firewall over TCP on port 898. The output plug-in supports encrypting its communication with the agent using a key
predefined in the configuration file. The encryption algorithm SnortSam uses is Twofish.
In snort.conf, add this line:
output alert_fwsam: 192.168.10.1/sn0r3sam
In the rules, add the fwsam option and a duration at the end of each rule. For example, to block an IP address for one hour, add the string:
fwsam: src, 1 hour;
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-CGI /wwwboard/passwd.txt access";
flow:to_server,established;
uricontent:"/wwwboard/passwd.txt"; nocase;
reference:arachnids,463; reference:cve,CVE 1999-0953;
reference:nessus,10321; reference:bugtraq,649;
classtype:attempted-recon; sid:807; rev:7; fwsam: src, 1 hour;)
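The two parts of a rule from section 2.3.3 (header and options) and the fwsam option of section 2.5.1, parsed by an added example that is not from the thesis and not Snort's or SnortSam's own rule parser. The rule string is the one above; the set of duration units and the first-match handling of the fwsam value are assumptions of this example.

```python
"""Minimal Snort rule parser: header fields, the option list, and the fwsam
blocking directive (added example, not Snort's or SnortSam's code)."""
import re

# The rule from the text, on one line.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI /wwwboard/passwd.txt access"; flow:to_server,established; '
    'uricontent:"/wwwboard/passwd.txt"; nocase; reference:arachnids,463; '
    'reference:cve,CVE 1999-0953; reference:nessus,10321; reference:bugtraq,649; '
    'classtype:attempted-recon; sid:807; rev:7; fwsam: src, 1 hour;)'
)

# Duration units accepted for the fwsam option (assumed for this example).
DURATION_UNITS = {"sec": 1, "second": 1, "min": 60, "minute": 60,
                  "hour": 3600, "day": 86400, "week": 604800}

HEADER_RE = re.compile(
    r"\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.S)


def split_options(body: str) -> list:
    """Split the option body on ';' except inside double quotes."""
    parts, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule: str) -> dict:
    """Return {'header': {...}, 'options': [(key, value), ...]}.
    Options keep their order and repeated keys (several 'reference's)."""
    match = HEADER_RE.match(rule)
    if not match:
        raise ValueError("not a Snort rule")
    header = {k: v for k, v in match.groupdict().items() if k != "body"}
    options = []
    for option in split_options(match.group("body")):
        key, _, value = option.partition(":")
        options.append((key.strip(), value.strip()))
    return {"header": header, "options": options}


def fwsam_directive(parsed: dict):
    """Return (who, seconds) from the first fwsam option, or None.
    'who' is the 'src' or 'dst' keyword; the duration is converted to seconds."""
    for key, value in parsed["options"]:
        if key == "fwsam":
            who, _, duration = value.partition(",")
            amount, unit = duration.split()
            return who.strip(), int(amount) * DURATION_UNITS[unit.lower().rstrip("s")]
    return None


if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    print(parsed["header"])
    print(fwsam_directive(parsed))
```

Because the option body is split outside quotes only, a msg containing a semicolon would still parse correctly, which a naive split on ';' would get wrong.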
2.5.2. Blocking Agent
This part is responsible for interacting directly with the firewalls on behalf of the output plug-in on Snort. If Snort detects an attack matching any rule defined as in the example above, it establishes an encrypted TCP session and sends a message containing the source IPs of the packets that caused the alert plus the time for which each IP address is to be blocked.
Because the encrypted TCP session runs over port 898 (or whichever port is configured), make sure the firewall allows communication on that port. The state of all blocked IP addresses is kept in the file /var/log/snortsam.state.
SnortSam's configuration file is at /etc/snortsam.conf. Below are some important options that can be used in the configuration file.
- accept: Allows specific Snort sensors to communicate with the agent on the firewall. Several sensors can be configured with this option, each with its own encryption key: accept /,
- defaultkey: Sets the default key used for all sensors.
- port: Sets the port on which the agent listens for Snort sensors. Default is TCP port 898.
- dontblock: Specifies a host or network that SnortSam ignores even when an attack is detected from that source.
- logfile: Specifies the path of the log file SnortSam writes. This file also lists every IP address SnortSam blocked, with the time of the block.
- daemon: Runs the agent as a service.
- bindip: Restricts the agent on the firewall to listening on one IP address of a specific network card. This reduces the attack surface of the agent and limits the number of connections to it.
- The firewall type option (iptables in the example below): specifies the type of firewall the agent is running on and the interface on which the rules should be added.
- keyinterval: Lets the agent request or generate new encryption keys after a given interval. The default, if not set, is 4 hours.
- email: Specifies the email server. When an address is blocked, SnortSam sends a notification to the configured email address.
Example:
accept 192.168.20.3, sn0r3sam
bindip 192.168.20.1
iptables eth0
logfile /var/log/snortsam.log
daemon
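The agent's decision logic from section 2.5 and the accept/dontblock options above, modelled as an added example that is not from the thesis and not SnortSam's own code: a request is honoured only from an accepted sensor presenting the right key, dontblock networks are never blocked, and every block expires after its duration. The sensor address and key come from the example configuration above; the dontblock network, the in-memory state table and the plain-tuple message format are assumptions of this example (the real agent speaks Twofish-encrypted messages and keeps /var/log/snortsam.state).

```python
"""Toy model of the SnortSam blocking agent's accept / white-list / expiry
logic (added example, not SnortSam's code)."""
import hmac
import ipaddress


class BlockingAgent:
    def __init__(self, accept: dict, dontblock=()):
        # accept: sensor address -> shared key, as in the 'accept' option.
        self.keys = {ipaddress.ip_address(host): key for host, key in accept.items()}
        # dontblock: networks that are never blocked (the white-list).
        self.dontblock = [ipaddress.ip_network(net) for net in dontblock]
        self.blocked = {}      # ip address -> expiry time (seconds)
        self.log = []          # what the 'logfile' option would record

    def handle(self, sensor: str, key: str, target: str, duration: int, now: int) -> bool:
        """Process one block request; return True if a block was installed."""
        expected = self.keys.get(ipaddress.ip_address(sensor))
        if expected is None or not hmac.compare_digest(expected, key):
            self.log.append(f"rejected request from unauthorized sensor {sensor}")
            return False
        target_ip = ipaddress.ip_address(target)
        if any(target_ip in net for net in self.dontblock):
            self.log.append(f"{target} is white-listed (dontblock), not blocking")
            return False
        expiry = now + duration
        # A repeated request never shortens an existing block.
        self.blocked[target_ip] = max(self.blocked.get(target_ip, 0), expiry)
        self.log.append(f"blocking {target} for {duration}s (until {expiry})")
        return True

    def is_blocked(self, ip: str, now: int) -> bool:
        expiry = self.blocked.get(ipaddress.ip_address(ip))
        return expiry is not None and now < expiry

    def expire(self, now: int) -> list:
        """Drop blocks whose time has passed; return the addresses released."""
        released = [str(ip) for ip, expiry in self.blocked.items() if now >= expiry]
        for ip in released:
            del self.blocked[ipaddress.ip_address(ip)]
        return released


if __name__ == "__main__":
    agent = BlockingAgent({"192.168.20.3": "sn0r3sam"}, dontblock=["192.168.20.0/24"])
    agent.handle("192.168.20.3", "sn0r3sam", "203.0.113.7", 3600, now=0)
    agent.handle("192.168.20.3", "sn0r3sam", "192.168.20.50", 3600, now=0)
    agent.handle("10.9.9.9", "sn0r3sam", "203.0.113.8", 3600, now=0)
    print("\n".join(agent.log))
```

The white-list check runs before anything is written to the firewall, which is why a rule firing on traffic from the management network (192.168.20.0/24 in this constructed configuration) cannot lock the administrator out.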
CHAPTER 3
PREPROCESSORS AND OUTPUT PLUG-INS
3.1. Preprocessors
From the previous chapter we have a basic understanding of Snort's structure and of how it works, and an overview of preprocessors in Snort. So what is a preprocessor's main function?
Preprocessors were first introduced in Snort version 1.5. Initially they were known for normalizing network protocols. Today a preprocessor not only normalizes protocols but can also detect intrusions based on anomalies and generate its own alerts. In practice Snort stands out for detecting intrusions based on patterns and existing signatures. Preprocessor plug-ins were added not only to produce input for the detection engine but also to generate alerts by detecting anomalies in the network traffic entering the system.
This section examines a few important preprocessors, especially the packet reassembly preprocessors, since fragmentation is a technique attackers can use to evade intrusion detection systems.
These preprocessors are especially effective at detecting fragmentation attacks intended to deceive the intrusion detection system, such as the Tiny Fragment Attack, the Overlapping Fragment Attack and the Teardrop Fragment Attack.
Figure 3.1: The preprocessing process.
3.1.1. Frag3
The frag3 preprocessor introduces a new concept: target-based. The idea behind the term is as follows. An IDS is placed in the network, but it has no knowledge of the operating systems on the hosts of the network it monitors. Fragmented packets are reassembled at those hosts. The problem arises when the attackers know that their target is a host running Linux. They deliberately fragment the data so that, if the fragments are reassembled on Windows, nothing special happens, but if Linux reassembles them, an exploitable vulnerability is triggered.
The important point is that if the IDS is tuned to reassemble fragments the way Windows does, it will not detect the attack above. The attacker has thus fooled the IDS and entered the network without any obstacle.
The idea, therefore, is to configure the IDS so that it knows the operating systems installed on the hosts of the network. Whenever a packet is sent to a given host, the IDS analyzes and reassembles the fragments the way that host's operating system would.
Configuration: there are two preprocessor directives for configuring Frag3, the global configuration and the engine configuration. There can be several engine configurations but only one global configuration.
Global configuration:
Preprocessor name: frag3_global
Options (separated by commas):
- max_frags: Maximum number of fragments tracked simultaneously. Default is 8192.
- memcap: Memory cap for self-preservation, default 4MB. This is the maximum memory Frag3 is allowed to use.
- prealloc_memcap:
- prealloc_frags:
- disabled:
Engine configuration:
Preprocessor name: frag3_engine
Options (separated by spaces):
- timeout: Fragment timeout. Fragments still on the system after this time are discarded. Default is 60s.
- min_ttl: Minimum acceptable TTL value for a packet fragment. Default is 1; accepted values are 1-255.
- detect_anomalies: Detect anomalous fragments.
- bind_to: List of IP addresses bound to this configuration. This preprocessor only handles destination addresses in the list. Default is all.
- overlap_limit: Limit on the number of overlapping fragments per packet. The default of 0 means no limit. Requires detect_anomalies to be set first.
- min_fragment_length: Defines the smallest acceptable fragment size (payload size). Fragments smaller than or equal to this are considered malicious and acted on. The default of 0 means no limit; the minimum value is 0. This option also requires detect_anomalies to be set first.
- policy: Selects the target-based defragmentation mode. The types are first, last, bsd, bsd-right, linux, windows and solaris. Default is bsd.
Platform                        Type
AIX 2                           BSD
AIX 4.3 8.9.3                   BSD
Cisco IOS                       Last
FreeBSD                         BSD
HP JetDirect                    BSD-right
HP-UX B.10.20                   BSD
HP-UX 11.00                     First
IRIX 6.2, 6.3                   BSD
IRIX64 6.4                      BSD
Linux 2.4 (RedHat 7.1-7.3)      Linux
MacOS                           First
OpenBSD                         Linux
OS/2                            BSD
OSF1 V4.0,5.0,5.1               BSD
SunOS 4.1.4                     BSD
SunOS 5.5.1,5.6,5.7,5.8         First
Tru64 Unix V5.0A,V5.1           BSD
Windows (95/98/NT4/W2K/XP)      Windows
Figure 3.2: Operating system classification.
Output: Frag3 can detect eight different kinds of anomaly. Its output is packet-based and works with all of Snort's other output modes. These output alerts can be found in /preproc_rules/preprocessor.rules of the Snort source tree, with gid=123.
Example:
preprocessor frag3_global: prealloc_nodes 8192
preprocessor frag3_engine: policy linux, bind_to 192.168.1.0/24
preprocessor frag3_engine: policy first, bind_to [10.1.47.0/24,172.16.8.0/24]
preprocessor frag3_engine: policy last, detect_anomalies
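Why the policy option matters, as an added example that is not from the thesis and not Snort's frag3 code: a toy reassembler resolves two overlapping fragments under the first and last policies from the table above and produces a different datagram for each, which is the mismatch between IDS and target host that the target-based design addresses. Only these two policies are modelled (the bsd, bsd-right, linux, windows and solaris rules depend on fragment offsets and are not reproduced), offsets are plain byte offsets rather than 8-byte units, and the fragments are constructed for this example.

```python
"""Toy target-based fragment reassembly under the 'first' and 'last'
policies, plus an overlap count of the kind detect_anomalies reports
(added example, not frag3's code)."""
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int    # byte offset of this piece in the original datagram
    data: bytes
    more: bool     # the IP "more fragments" flag


def reassemble(fragments, policy: str) -> bytes:
    """Reassemble in arrival order. 'first' keeps the bytes seen first;
    'last' lets a later fragment overwrite an earlier one."""
    if policy not in ("first", "last"):
        raise ValueError("only the first and last policies are modelled here")
    if not any(not frag.more for frag in fragments):
        raise ValueError("no final fragment: datagram incomplete")
    size = max(frag.offset + len(frag.data) for frag in fragments)
    buf, seen = bytearray(size), bytearray(size)
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
            seen[pos] = 1
    if not all(seen):
        raise ValueError("gap in datagram: a fragment is missing")
    return bytes(buf)


def overlapping_bytes(fragments) -> int:
    """Number of bytes covered by more than one fragment; a non-zero value is
    what the overlap_limit option of the engine configuration bounds."""
    coverage = {}
    for frag in fragments:
        for pos in range(frag.offset, frag.offset + len(frag.data)):
            coverage[pos] = coverage.get(pos, 0) + 1
    return sum(1 for count in coverage.values() if count > 1)


# Constructed: the second fragment overlaps bytes 4..12 of the first one.
SAMPLE_FRAGMENTS = [
    Fragment(0, b"GET /index.ht", True),
    Fragment(4, b"/wwwboard/passwd.txt HTTP/1.0\r\n", False),
]


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SAMPLE_FRAGMENTS, policy))
    print("overlapping bytes:", overlapping_bytes(SAMPLE_FRAGMENTS))
```

An IDS engine bound to this destination with the wrong policy would inspect one of the two datagrams while the host reassembles the other, so the bind_to/policy pairing per destination network (as in the configuration example above) is what keeps the IDS's view aligned with the host's. A non-zero overlap count with detect_anomalies set is itself worth alerting on, since legitimate stacks do not normally emit overlapping fragments.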
3.1.2. Stream5
The Stream5 preprocessor is also a target-based TCP reassembly module. It can track sessions of both TCP and UDP. With this preprocessor, the flow and flowbits rule options can be used for both TCP and UDP traffic.
Stream5 is similar to Frag3 in that the IDS processes the data streams according to the target. Stream5 handles overlapping data and the anomalies of TCP connections.
Some examples of TCP anomalies that are recognized: data in a SYN packet, received data exceeding the TCP window size.
a. Global configuration
preprocessor stream5_global:
Option           Description
track_tcp        Track TCP sessions. Default is yes.
max_tcp          Maximum number of TCP sessions tracked simultaneously. Default is 262144, maximum 1048576, minimum 1.
memcap           Memory for TCP packet storage. Default is "8388608" (8MB), maximum "1073741824" (1GB), minimum "32768" (32KB).
track_udp        Track UDP sessions. Default is yes.
max_udp          Maximum number of UDP sessions tracked simultaneously. Default is "131072", maximum "1048576", minimum "1".
track_icmp       Track ICMP sessions. Default is no.
max_icmp         Maximum number of ICMP sessions tracked simultaneously. Default is "65536", maximum "1048576", minimum "1".
track_ip         Track IP sessions. Default is no.
max_ip           Maximum number of IP sessions tracked simultaneously. Default is "16384", maximum "1048576", minimum "1".
disabled         Disables stream5. Off by default.
flush_on_alert   Backwards compatibility. Flushes a TCP stream when an alert is generated. Off by default.
show_rebuilt_packets   Prints/displays packets after they are rebuilt (debug). Off by default.
prune_log_max    Prints a message when a session terminates or consumes more than the specified number of bytes. Default is "1048576" (1MB), minimum "0" (disabled); if not disabled, the minimum is "1024" and the maximum is "1073741824".
Figure 3.3: Meaning of the global configuration parameters.
b. TCP configuration
preprocessor stream5_tcp:
Option                  Description
bind_to                 The IP address range to which this policy applies. Default is any address.
timeout                 Session timeout. Default is 30, minimum 1, maximum 86400 (about 1 day).
policy                  The target operating system this policy applies to.
overlap_limit           Limit on the number of overlapping packets in a session. Default is 0 (no limit), maximum "255".
max_window              Maximum TCP window allowed. Default is 0 (no limit), maximum "1073725440" (65535 shifted left by 14). This option is used against DoS.
require_3whs []         A session is only considered established when the three-way handshake completes; off by default. The number of seconds is the grace period for a current session. Minimum 0 (do not consider the establishment time), maximum 86400.
detect_anomalies        Detect and alert on TCP protocol anomalies. Off by default.
check_session_hijacking Checks for TCP session hijacking by checking whether the MAC addresses of the two ends of the connection are the same as during the three-way handshake.
dont_store_large_packets  Do not store very large packets in the buffer during reassembly.
dont_reassemble_async   Do not queue packets for reassembly if traffic is not seen in both directions.
max_queued_bytes        Limits the bytes queued for reassembly on one TCP session. Default is "1048576" (1MB). "0" means no limit; the minimum non-zero value is 1024, the maximum "1073741824" (1GB).
max_queued_segs         Limits the segments queued for reassembly on one TCP session. Default is 2621. "0" means no limit; the minimum is 2, the maximum "1073741824" (1GB).
ports                   Specifies the list of client, server or both-side ports for packet reassembly. The default ports are: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306.
protocol                Specifies the list of client, server or both-side services for packet reassembly. The default services are: ftp telnet smtp nameserver dns http pop3 sunrpc dcerpc netbios-ssn imap login shell mssql oracle cvs mysql.
Figure 3.4: Meaning of the TCP configuration parameters.
c. UDP configuration
preprocessor stream5_udp: [timeout ], [ignore_any_rules]
Option              Description
timeout             Session timeout. Default is 30, minimum 1, maximum 86400.
ignore_any_rules    Do not process any "any any" rules. Off by default.
Figure 3.5: Meaning of the UDP configuration parameters.
d. ICMP configuration
preprocessor stream5_icmp: [timeout ]
Option              Description
timeout             Session timeout. Default is 30, minimum 1, maximum 86400.
Figure 3.6: Meaning of the ICMP configuration parameters.
e. IP configuration
preprocessor stream5_ip: [timeout ]
Option              Description
timeout             Session timeout. Default is 30, minimum 1, maximum 86400.
Figure 3.7: Meaning of the IP configuration parameters.
Example 1:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: ignore_any_rules
Example 2:
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux
preprocessor stream5_tcp: policy solaris
3.1.3. sfPortscan
The sfPortscan module was developed by Sourcefire and is designed to detect probing of a system before an attack. In the reconnaissance phase, the attacker determines the network protocols, the host services or the target operating system. This phase is not yet the intrusion itself, but the attacker can gather a great deal of useful information in preparation for the intrusion. One very powerful and popular port scanning tool today is Nmap. Nmap supports all current port scanning techniques, and sfPortscan is designed to counter the scanning techniques of Nmap.
3.1.4. HTTP Inspect
HTTP has become one of the most popular and widely used protocols on the Internet. For that very reason it is also a protocol favoured by attackers. An attacker can use the flexibility of web servers to try to hide and disguise attack behaviour from NIDS. For example, with the pair of URLs below, Snort's default detection patterns can only detect the form foo/bar and cannot detect foo\bar.
http://www.abc/foo/bar/xyz.php
http://www.abc/foo\bar\xyz.php
In addition, an attacker can use countless encoding techniques based on hex codes and UTF-8. http_inspect only processes individual packets, which means the strings it handles must first be reassembled by the stream5 preprocessor.
The GET requests below all do the same thing and are handled identically by web servers.
GET /../../../../etc/passwd HTTP/1.1
GET %2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
GET %2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1
The above is an example of a directory traversal attack, also known by other names such as dot-dot-slash or directory climbing. It is a form of attack that accesses files and directories stored outside the web root. Because the intrusion detection system understands the GET method of the HTTP protocol, it will allow this request. The problem, however, is that there are infinitely many ways to encode the malicious string, so if we configure an IDS to detect this malicious string by signature, there is no guarantee that every variant will be detected. Another approach is to normalize the string and then compare it against a known-bad list for detection.
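As an added illustration of the normalization approach just described (this is example code written for this edition, not part of the original thesis or of Snort's http_inspect), the following Python script decodes the three GET request lines above, unifies backslashes to slashes, resolves the dot-dot segments and compares the result against a small known-bad path list. The request lines, the known-bad list and the decode-round limit are constructed for the example.

```python
from urllib.parse import unquote

# Constructed request lines: the three traversal variants quoted in the text,
# a backslash-separated path and one benign request.
SAMPLE_REQUEST_LINES = [
    "GET /../../../../etc/passwd HTTP/1.1",
    "GET %2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET %2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1",
    "GET /foo\\bar\\xyz.php HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

# Constructed known-bad list: normalized absolute paths that no legitimate
# request is expected to reach.
KNOWN_BAD_PATHS = {"/etc/passwd", "/etc/shadow", "/foo/bar/xyz.php"}

# Upper bound on repeated percent-decoding, so that double encoding (%252f)
# is unwrapped but a pathological input cannot loop forever.
MAX_DECODE_ROUNDS = 3


def normalize_uri(target):
    """Return (normalized_path, traversal_seen) for a request target.

    Steps: bounded repeated percent-decoding, backslash to slash, drop the
    query string, then resolve '.' and '..' segments without ever climbing
    above the root (surplus '..' segments are simply consumed)."""
    decoded = target
    for _ in range(MAX_DECODE_ROUNDS):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    path = decoded.replace("\\", "/").split("?", 1)[0]
    segments = []
    traversal_seen = False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            traversal_seen = True
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments), traversal_seen


def inspect_request_line(line):
    """Classify one request line the way a normalizing detector would."""
    method, target, _version = line.split(" ", 2)
    path, traversal_seen = normalize_uri(target)
    return {
        "method": method,
        "path": path,
        "traversal": traversal_seen,
        "encoded": "%" in target or "\\" in target,
        "known_bad": path in KNOWN_BAD_PATHS,
    }


def inspect_all(lines=SAMPLE_REQUEST_LINES):
    return [inspect_request_line(line) for line in lines]


if __name__ == "__main__":
    for result in inspect_all():
        print(result)
```

All three encodings of the traversal collapse to the same path /etc/passwd, which is why a comparison after normalization needs one known-bad entry where a raw-signature approach would need one per encoding.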
3.2. Output
Output modules were added to Snort in version 1.6. They give Snort more flexible configuration for formatting and presenting output data to the system administrator. These output modules are invoked when an alert event or a log request is raised, after preprocessing and detection by the detection engine.
In Snort's configuration file we can configure several different output modules, and these modules are called in turn whenever an event occurs. By default, alerts and log files are written to the directory /var/log/snort or to any directory the administrator configures.
Snort supports many different output modules, including:
alert_syslog: This configuration lets Snort send alerts to syslog.
alert_fast: Snort's alerts are printed as quickly as possible. This is a much faster way of recording alerts than alert_full, because it does not need to print all of the packet headers and because it prints into a single file only.
alert_full: Alerts are printed with the full packet headers. By default the information is stored in /var/log/snort or in a specified directory. Snort creates subdirectories holding the alerts for each IP, which slows Snort down, so its use is not recommended.
alert_unixsock: This option requires a UNIX domain socket to be set up and sends alerts to it. External programs or processes listen on the socket to receive alerts and packet data in real time.
log_tcpdump: This configuration option lets Snort write log files in the file format of the tcpdump program. This is especially useful for aggregating and analysing large amounts of information. Many tools can read this format, which makes it very useful.
csv: This is a text storage format with fields separated by commas. It makes importing the data into databases easy.
unified and unified2: These are the two unified output formats; unified2 is the improved version of unified. The advantages of storing data in the unified output formats are: easy storage and management, much faster than other methods, and output files whose contents are hard to tamper with.
log_null: This option is useful in some cases where one wants to create a few rules that alert on network traffic without writing log files.
CHAPTER 4
RULES IN SNORT
Introduction
Rules in Snort can be understood simply as being like rules and regulations in the real world. That is, a rule has a part describing a state and the action that happens when that state holds. One of the most valuable features of Snort is that it lets users write their own rules or customize the existing rules to suit their own network. Besides the large rule database that users can download from the Snort home page, an administrator can develop rules for their own system. Instead of depending on a vendor or an outside body, or having to wait for an update whenever a new attack or a new technique for exploiting a vulnerability is discovered, the administrator can write a rule specifically for their own system when they notice abnormal network traffic, and compare it with the rule set developed by the community. The advantage of writing one's own rules is that they can be customized and updated extremely quickly when something abnormal happens on the network.
Example: If someone tries to open the cabinet door, the siren sounds.
Analysing this, the action (the siren sounding) is carried out if there is a sign that someone is trying to open the cabinet door.
The same holds for networks: we cannot use everyday natural language to describe a sign or a state of the network. For example: if there is an SSH connection from a public IP address to the web server, block it. Although this is a fairly specific description, Snort cannot understand it. Snort rules let us easily describe this sign in a language that Snort can understand.
To know how to write a rule from the system's data, we need to understand the structure of a Snort rule. A Snort rule is divided into two parts: the header and the options. The header includes: rule action, protocol, source IP address, destination IP address, subnet mask, source port, destination port. The options include the alert message and information about which parts of the packet are examined to determine which action is applied.
4.1. Rule Header
Figure 4.1: Structure of a rule in Snort (Rule Header: Rule Action, Protocol, Src/Dst IP address, Port; followed by the Rule Options).
4.1.1. Rule Action
The header contains the information that determines the who, where and what of a packet, as well as what to do if all of the attributes in the rule match. The first item in a rule is the rule action; the rule action tells Snort what to do when it sees packets that match the conditions specified in the rule. There are 5 default actions in Snort: alert, log, pass, activate and dynamic. In addition, when Snort runs in inline mode there are the extra options drop, reject and sdrop.
alert - generate an alert using the selected alert method, and then log the packet.
log - log the packet.
pass - ignore the packet.
activate - alert and then turn on another dynamic rule to check further conditions on the packet.
dynamic - remain idle until activated by an activate rule, then act as a log rule.
drop - block the packet and log it.
reject - block the packet, log it and send back a response message.
sdrop - block the packet but do not log it.
Actions can also be defined by the user.
4.1.2. Protocol
The next field in the rule is the protocol. There are 4 protocols for which Snort currently analyses anomalous behaviour: TCP, UDP, ICMP and IP.
4.1.3. IP Address
The next item of the header is the IP address. These addresses are used to check where a packet comes from and where it is going. The IP address can be the address of a single host or the address of a network. The keyword any is used to denote any address.
An IP address is written in the form ip_address/netmask. This means that a netmask of /24 denotes a class C network, /16 a class B network, and /32 a single host. For example, the address 192.168.1.0/24 means a range of hosts with IP addresses from 192.168.1.1 to 192.168.1.255.
Of the two IP addresses in a Snort rule, one is the source IP address and the other the destination. Which one is the source and which the destination depends on the direction operator.
The negation operator can also be applied to IP addresses: when it is used, Snort matches any address except the given one. The operator is !. A list of IP addresses can also be defined by writing them one after another, separated by commas.
Example:
alert tcp any any -> ![192.168.1.0/24,172.16.0.0/16] 80 (msg:"Cho phep truy cap";)
4.1.4. Port
Ports can be defined in several ways. With the keyword any, just as for IP addresses, any port may be used. A fixed port can be given, for example to check port 80 for HTTP or port 22 for SSH. The negation operator can also be used to skip a port, or a range of ports can be listed.
Example:
log udp any any -> 192.168.1.0/24 1:1024    any port to the port range 1 to 1024.
log udp any any -> 192.168.1.0/24 :6000    any port to ports below 6000.
log udp any any -> 192.168.1.0/24 500:    any port to ports above 500.
log udp any any -> 192.168.1.0/24 !6000:6010    any port to any port, excluding the range 6000 to 6010.
4.1.5. Direction
The direction operator indicates which side is the source and which the destination. The IP address and port on the left of the operator are treated as the source address and source port; the right side is treated as the destination address and destination port. There is also the operator <>, with which Snort treats the source and destination address/port pairs as equivalent, meaning it logs/analyses both sides of the conversation.
Example:
log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23
4.1.6. Activate/Dynamic rule
This pair of rules gives Snort a very powerful capability. An activate rule is like an alert rule but has one additional field: activates. A dynamic rule is like a log rule but has two additional fields: activated_by and count.
Example:
activate tcp !$HOME_NET any -> $HOME_NET 143 (flags:PA; content:"|E8C0FFFFFF|/bin"; activates:1; msg:"IMAP buffer overflow!";)
dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by:1; count:50;)
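The following Python program is an added example (not code from the thesis or from Snort) that parses the rule headers shown in sections 4.1.3 to 4.1.5 and evaluates whether a packet 5-tuple matches them, covering the any keyword, CIDR lists, the ! negation operator, the port forms 1:1024, :6000, 500: and !6000:6010, and both direction operators. The sample rules are the ones from the text, written without spaces inside the bracketed IP list; the packets are constructed. Treating the protocol ip as matching any IP-carried protocol is an assumption of this example.

```python
import ipaddress

# Constructed sample rule headers, taken from the rules in this chapter
# (written without spaces inside the bracketed IP list).
SAMPLE_RULES = [
    "alert tcp any any -> ![192.168.1.0/24,172.16.0.0/16] 80",
    "log udp any any -> 192.168.1.0/24 1:1024",
    "log udp any any -> 192.168.1.0/24 !6000:6010",
    "log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23",
]


def parse_ip_spec(spec):
    """'any', '10.0.0.0/8', '[a,b]' or any of them prefixed by '!'.
    Returns (negated, networks) where networks is None for 'any'."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    networks = [ipaddress.ip_network(part.strip(), strict=False)
                for part in spec.strip("[]").split(",")]
    return negated, networks


def parse_port_spec(spec):
    """'any', '80', '1:1024', ':6000', '500:' or any of them prefixed by '!'.
    Returns (negated, (low, high))."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, (0, 65535)
    if ":" in spec:
        low, high = spec.split(":", 1)
        return negated, (int(low) if low else 0, int(high) if high else 65535)
    port = int(spec)
    return negated, (port, port)


def ip_matches(ip_spec, address):
    negated, networks = ip_spec
    if networks is None:
        hit = True
    else:
        addr = ipaddress.ip_address(address)
        hit = any(addr in net for net in networks)
    return hit != negated  # '!' inverts the result


def port_matches(port_spec, port):
    negated, (low, high) = port_spec
    return (low <= port <= high) != negated


def parse_header(rule):
    """Split a rule header into its seven fields and pre-parse the address
    and port specifications."""
    fields = rule.split()
    if len(fields) != 7:
        raise ValueError("rule header must have exactly 7 fields: %r" % rule)
    action, proto, src, sport, direction, dst, dport = fields
    if direction not in ("->", "<>"):
        raise ValueError("unknown direction operator: %r" % direction)
    return {
        "action": action, "proto": proto, "direction": direction,
        "src": parse_ip_spec(src), "sport": parse_port_spec(sport),
        "dst": parse_ip_spec(dst), "dport": parse_port_spec(dport),
    }


def header_matches(header, proto, src_ip, src_port, dst_ip, dst_port):
    """True when the packet 5-tuple satisfies the header. With '<>' the
    source and destination sides may match in either order."""
    # Assumption for this example: the protocol 'ip' covers every IP-carried protocol.
    if header["proto"] != "ip" and header["proto"] != proto:
        return False

    def one_way(a_ip, a_port, b_ip, b_port):
        return (ip_matches(header["src"], a_ip) and port_matches(header["sport"], a_port)
                and ip_matches(header["dst"], b_ip) and port_matches(header["dport"], b_port))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    return header["direction"] == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)


def actions_for_packet(proto, src_ip, src_port, dst_ip, dst_port, rules=SAMPLE_RULES):
    """Return the actions of all sample rules whose header matches the packet."""
    return [h["action"] for h in map(parse_header, rules)
            if header_matches(h, proto, src_ip, src_port, dst_ip, dst_port)]


if __name__ == "__main__":
    print(actions_for_packet("udp", "8.8.8.8", 53, "192.168.1.20", 53))
```

The negation is implemented as an exclusive-or on the plain match result, which is why a negated list such as ![192.168.1.0/24,172.16.0.0/16] matches an address only when it lies in none of the listed networks, and why the <> operator is a second evaluation with the two sides swapped rather than a different address parser.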
4.2. Rule Options
Rule options are the heart of intrusion detection. They contain the signatures that identify an intrusion. They come immediately after the rule header and are enclosed in parentheses (). All rule options are separated from each other by a semicolon ;, and an option's arguments are separated from its keyword by a colon :.
There are 4 main kinds of rule options:
- General: these options give information about the rule but have no effect on the detection process.
- Payload: options related to the payload of a packet.
- Non-payload: options that do not relate to the packet payload (header fields).
- Post-detection: these options trigger rule-specific actions after a rule has fired.
4.2.1. General
a. msg
msg is a common and useful keyword used to attach a text string to logs and alerts. The text string is enclosed in double quotes "". To include a special character, put a \ in front of it.
Example:
msg:"Chuỗi văn bản được đặt ở đây";
b. reference
reference is a keyword used to refer to information from another system on the Internet.
System: URL Prefix
bugtraq: http://www.securityfocus.com/bid
cve: http://cve.mitre.org/cgi-bin/cvename.cgi?name=
nessus: http://cgi.nessus.org/plugins/dump.php3?id=
arachnids: http://www.whitehats.com/info/IDS (down)
mcafee: http://vil.nai.com/vil/content/v_
osvdb: http://osvdb.org/show/osvdb
url: http://
Figure 4.2: Reference table.
Syntax:
reference:<id system>,<id>; [reference:<id system>,<id>;]
Example:
alert tcp any any -> any 7070 (msg:"IDS411/dos-realaudio"; flags:AP; content:"|fff4 fffd 06|"; reference:arachnids,IDS411;)
alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; reference:arachnids,IDS287; reference:bugtraq,1387; reference:cve,CAN-2000-1574;)
c. sid
The sid keyword is used to uniquely identify a Snort rule. This option lets output plug-ins identify rules easily. It should be used together with the rev keyword.
>= 1,000,000 is used for local rules.
d. rev
The rev keyword is used to identify revisions of a Snort rule. It is commonly used to distinguish different versions of a rule.
e. classtype
The classtype keyword is used to classify the kind of attack together with the priority of that attack class. The classes are defined in the file classification.config.
config classification:<class name>,<class description>,<default priority>
config classification: web-application-attack,Web Application Attack,1
config classification: network-scan,Detection of a Network Scan,3
config classification: misc-activity,Misc activity,3
f. priority
Used to assign the severity of a rule. The classtype field assigns the default priority of an attack class, but the priority can be overridden with this keyword.
Syntax:
priority:<priority integer>;
Example:
alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; content:"/cgi-bin/phf"; priority:10;)
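To show how the general options of this section fit together, here is an added Python example (not from the thesis or the Snort project) that tokenizes a rule's option block, loads the three classification.config lines above, resolves reference entries into URLs with the prefixes of Figure 4.2, and computes the effective priority: an explicit priority keyword wins, otherwise the classtype default applies. The two sample rules are built from the rules printed in this section with sid, rev and classtype values that are constructed for the example; the trailing slashes on the bugtraq and osvdb prefixes follow Snort's reference.config rather than Figure 4.2.

```python
import re

# Constructed classification.config excerpt: the three lines shown in the text.
CLASSIFICATION_CONFIG = """
config classification: web-application-attack,Web Application Attack,1
config classification: network-scan,Detection of a Network Scan,3
config classification: misc-activity,Misc activity,3
"""

# URL prefixes from Figure 4.2. The trailing slashes on bugtraq and osvdb
# follow Snort's reference.config; the figure prints them without.
REFERENCE_PREFIXES = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "nessus": "http://cgi.nessus.org/plugins/dump.php3?id=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee": "http://vil.nai.com/vil/content/v_",
    "osvdb": "http://osvdb.org/show/osvdb/",
    "url": "http://",
}

# Sample rules built from the ones printed in this section; the sid, rev and
# classtype values are constructed for the example.
SAMPLE_RULES = [
    'alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; flags:AP; '
    'content:"|31c031db 31c9b046 cd80 31c031db|"; reference:arachnids,IDS287; '
    'reference:bugtraq,1387; reference:cve,CAN-2000-1574; classtype:misc-activity; '
    'sid:1000001; rev:2;)',
    'alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; '
    'content:"/cgi-bin/phf"; classtype:web-application-attack; priority:10; '
    'sid:1000002; rev:1;)',
]


def load_classifications(text):
    """Parse 'config classification:<name>,<description>,<priority>' lines."""
    table = {}
    pattern = re.compile(r"config classification:\s*([^,]+),([^,]+),(\d+)\s*$")
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            table[m.group(1).strip()] = {
                "description": m.group(2).strip(),
                "priority": int(m.group(3)),
            }
    return table


def parse_options(option_block):
    """Split the parenthesised option block on ';' outside double quotes.
    Returns (keyword, value) pairs; value is None for bare keywords."""
    body = option_block.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    tokens, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch == ";" and not in_quote:
            tokens.append("".join(current))
            current = []
        else:
            current.append(ch)
    tokens.append("".join(current))
    pairs = []
    for tok in tokens:
        tok = tok.strip()
        if not tok:
            continue
        key, sep, value = tok.partition(":")
        pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def summarize_rule(rule, classifications):
    """Extract the general options and compute the effective priority:
    an explicit priority keyword overrides the classtype default."""
    _header, _paren, options = rule.partition("(")
    meta = {"msg": None, "sid": None, "rev": None, "classtype": None,
            "priority": None, "references": []}
    for key, value in parse_options("(" + options):
        if key == "msg":
            meta["msg"] = value.strip('"')
        elif key in ("sid", "rev", "priority"):
            meta[key] = int(value)
        elif key == "classtype":
            meta["classtype"] = value
        elif key == "reference":
            system, _, ident = value.partition(",")
            prefix = REFERENCE_PREFIXES.get(system.strip().lower())
            meta["references"].append(prefix + ident.strip() if prefix else value)
    if meta["priority"] is None and meta["classtype"] in classifications:
        meta["priority"] = classifications[meta["classtype"]]["priority"]
    # sid values of 1,000,000 and above are reserved for local rules.
    meta["local"] = meta["sid"] is not None and meta["sid"] >= 1000000
    return meta


if __name__ == "__main__":
    classes = load_classifications(CLASSIFICATION_CONFIG)
    for rule in SAMPLE_RULES:
        print(summarize_rule(rule, classes))
```

The option tokenizer tracks double quotes so that a semicolon inside an msg string is not mistaken for an option separator; that is the one subtlety in splitting Snort option blocks by hand.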
4.2.2. Payload
a. content
The content keyword lets the user set up rules that search for specific strings in the packet payload and trigger alerts based on that data. The content can be ASCII text, binary data, or a combination of both. Binary data must be enclosed in pipe characters | | and written as hexadecimal.
Example:
alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)
alert tcp any any -> any 80 (content:!"GET";)
b. nocase
Used together with the content keyword to search for content without distinguishing upper and lower case.
c. rawbytes
The rawbytes keyword lets rules look at the raw packet data before it has been decoded.
Example:
alert tcp any any -> any 21 (msg:"Telnet NOP"; content:"|FF F1|"; rawbytes;)
d. depth
The depth keyword specifies how far into the packet the rule will search. The minimum is 1 and the maximum is 65535. It is used together with the content keyword to limit the search; combined with the offset keyword it defines a window of data that is compared against the content pattern.
e. offset
The offset keyword specifies the starting point for the pattern search within a packet. It accepts values from -65535 to 65535. The offset keyword is used together with the content keyword to limit the search space.
Example:
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)
Consider the following two rules:
content:"GET"; offset:0; content:"downloads"; offset:13;
content:"GET"; content:"downloads";
f. distance
The distance keyword is used when one wants to skip a given number of bytes after the previously matched content.
Example:
content:"GET"; depth:3; content:"downloads"; distance:10;
The rule above means that after finding the string GET in the first 3 bytes of the data field, the rule moves a further 10 bytes past the end of GET and only then searches for downloads.
g. within
The within keyword is used to ensure that there are at most N bytes between the content patterns being searched for. It is close to the depth keyword, but it does not start from the beginning of the packet as depth does; it starts from the previous pattern.
Example:
content:"GET"; depth:3; content:"download"; distance:10; within:9;
This rule is similar to the previous one: find GET in the first 3 bytes of the data field, move a further 10 bytes starting from GET and match download. However, download must appear within the next 9 bytes.
h. uricontent
Similar to the content keyword, except that it is used to search for a string in the URI field.
Example:
log tcp any any -> any 80 (msg:"Logging PHF"; uricontent:"/cgibin/phf";)
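The following Python function is an added example (not code from the thesis or from Snort) that implements the matching semantics of the content, nocase, offset, depth, distance and within keywords described in sections a to g above: offset and depth delimit a window measured from the start of the payload, distance and within one measured from the end of the previous match, and a negated content succeeds only when the pattern is absent. The HTTP payloads are constructed so that the distance and within rules from the text match one of them and not the other.

```python
# Constructed HTTP request payloads. In the first one "downloads" starts
# exactly 10 bytes after the end of "GET" (offset 13); in the second it
# starts at offset 5.
PAYLOAD_FAR = b"GET /archive/downloads/setup.exe HTTP/1.1\r\n"
PAYLOAD_NEAR = b"GET /downloads/setup.exe HTTP/1.1\r\n"

# The content chains from the text, written as modifier dicts.
RULE_PLAIN = [{"pattern": "GET"}, {"pattern": "downloads"}]
RULE_OFFSET = [{"pattern": "GET", "offset": 0}, {"pattern": "downloads", "offset": 13}]
RULE_DISTANCE = [{"pattern": "GET", "depth": 3}, {"pattern": "downloads", "distance": 10}]
RULE_WITHIN = [{"pattern": "GET", "depth": 3},
               {"pattern": "download", "distance": 10, "within": 9}]


def parse_content_pattern(pattern):
    """Turn a Snort content string into bytes: text outside the pipe
    characters is literal, text between pipes is hexadecimal."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def match_contents(payload, contents):
    """Evaluate a chain of content checks against a payload.

    Each dict has 'pattern' plus optional 'negate', 'nocase', 'offset',
    'depth', 'distance', 'within'. offset/depth delimit a window measured
    from the start of the payload; distance/within delimit one measured from
    the end of the previous match. The pattern has to lie entirely inside the
    window. A negated content succeeds only if the pattern is absent and does
    not move the cursor."""
    cursor = 0  # end of the previous successful match
    for c in contents:
        needle = parse_content_pattern(c["pattern"])
        haystack = payload
        if c.get("nocase"):
            needle, haystack = needle.lower(), payload.lower()
        if "distance" in c or "within" in c:
            start = cursor + c.get("distance", 0)
            end = start + c["within"] if "within" in c else len(haystack)
        else:
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(haystack)
        start = max(start, 0)
        pos = haystack.find(needle, start, end)
        found = pos != -1
        if c.get("negate"):
            if found:
                return False
            continue
        if not found:
            return False
        cursor = pos + len(needle)
    return True


def evaluate_all(payload):
    """Run the four rule chains from the text against one payload."""
    return {
        "plain": match_contents(payload, RULE_PLAIN),
        "offset": match_contents(payload, RULE_OFFSET),
        "distance": match_contents(payload, RULE_DISTANCE),
        "within": match_contents(payload, RULE_WITHIN),
    }


if __name__ == "__main__":
    print("far ", evaluate_all(PAYLOAD_FAR))
    print("near", evaluate_all(PAYLOAD_NEAR))
```

Running it shows the point of the two-rule comparison above: the unmodified chain matches both payloads, while the offset, distance and within chains only accept the payload in which downloads sits at exactly the expected position.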
i. pcre (http://www.pcre.org/)
PCRE stands for Perl Compatible Regular Expressions. Perl is a practical extraction and report language used to process and manipulate character strings.
Example:
alert tcp any any -> any 80 (content:"/foo.php?id="; pcre:"/\/foo.php?id=[0-9]{1,10}/iU";)
The rule above performs a case-insensitive search in the HTTP URI for the part following the string foo.php?id=.
4.2.3. Non-Payload
a. ttl
The ttl keyword is used to check the time-to-live value in the IP header. It is used to detect attempts to traceroute the network.
Syntax:
ttl:[<, >, =, <=, >=]<number>;
ttl:[<number>]-[<number>];
Example:
ttl:
d. ipopts
The ipopts keyword is used to check the IP Option field in the IP header. This field is 20 bits in size and has the following values:
rr: Record Route
eol: End of list
nop: No Op
ts: Time Stamp