
Honeypots

Chapter I: Overview


In recent years network intrusions have increased significantly, driven by the wide availability of automated or scripted attack tools. This has fuelled interest in honeypot systems, which can be used to trap attackers and decode their methods. Security experts report that attackers are now quite reluctant to attack an average Linux system: the cost of a successful break-in into a Linux system is much higher than the cost of breaking into a Windows system. The project named Honeypots was created to emulate ordinary Linux networks as bait for attacks, in order to study the security of Linux servers. The project's findings show that the safe lifetime of Linux servers has risen sharply over the last two years. According to the project, at present a Linux server that has not been fully patched can still survive attacks for an average of 3 months, compared with only 72 hours in the 2001-2002 period. Some of the project's servers survived for 9 months without a single successful attack. The honeypot project was designed to study, detect and attract any attack from the Internet against Linux and Windows servers. Attacks on the Internet have never seemed to decline. The project's researchers note that most attacks target Windows systems, simply because that operating system is so widespread and its security such easy prey that no attacker can resist. Lance Spitzner, president of the Honeynet Project, put it this way: "Attacking any user is much easier than attacking a bank's computer system. The bank is very well protected, but the users are not. Only when there are no more users left to attack would one attack the bank."

The project did not publish comparative studies against Windows, but Spitzner points out that security organisations such as Symantec and the Internet Storm Center (ISC) also observe a very large number of attacks on Windows honeynets. Another ISC project measured the survival time of Windows systems before being attacked and produced some striking results: the average survival time of Windows systems in ISC's tests fell rapidly from 55 minutes in autumn 2003 to only 20 minutes by the end of 2004. Worst of all, in spring 2004 a Windows system survived only 15 minutes before being compromised. Microsoft argued that such short survival times, even with Windows XP Service Pack 2, are due to the sheer number of users. The Honeynet Project chose carefully before distributing systems around the world to attract attacks. Its bait machines were spread evenly across home networks and small and medium-sized businesses. The project deployed 12 honeynet stations in 8 countries: the United States, India, the United Kingdom, Pakistan, Greece, Portugal, Brazil and Germany. These comprised 24 Unix and Unix-like systems, 19 of them Linux, mostly Red Hat: 1 Red Hat 7.2, 5 Red Hat 7.3, 1 Red Hat 8.0, 8 Red Hat 9.0 and 1 Fedora Core system. The remaining systems were 1 SuSE 7.2, 1 SuSE 6.3, 2 Solaris SPARC 8, 2 Solaris SPARC 9 and 1 FreeBSD 4.4. The Honeynet Project is a non-profit research effort founded by security companies, including well-known firms such as Foundstone, Counterpane, SecurityFocus and SourceFire.

I.1 Honeypots
A honeypot is an information resource system built to emulate a real system in order to deceive unauthorised users and intruders, attract their attention and keep them away from the real systems.
- In network security, a honeypot is a computer system specially designed to capture all activity and all files created by an intruder who is trying to gain unauthorised access to the system. Honeypots can simulate and emulate
- A honeypot protects at the level of a firewall rather than the network as a whole. For example, if a firewall protects a network, the honeypot is usually placed outside the firewall. This lets intruders on the Internet gain full access to any service exposed by the honeypot. Note that the idea is to record the intruder's activity, not to prevent them from gaining access to the honeypot.
- A honeypot is a decoy designed to observe hacker attacks. A honeynet is a network built around such decoys to lure hackers and record their attack steps. By studying real attacks, researchers hope to make progress in developing defence plans. Each time a honeypot is attacked, researchers can learn new attack techniques and use the honeypot to find rootkits (tools that hide and evade detection, used to conceal malicious code), exploits and backdoors (hidden entrances that a hacker installs on a compromised machine to return to it more easily later) before they reach production systems. Defences must be built that can hide from and dodge attacks the system cannot respond to. This is a very important way to safely study remote machines: instead of going looking for attackers, they come to you. Another compromised honeypot showed that the attacker's first action was to change the system's root and admin passwords (locking out the administrator or owner). None of the attackers bothered to check for the presence of Tripwire (a system integrity checker), which ships by default with Red Hat Linux and was used as the honeypot. Once Tripwire is running, all the "hidden"

Honeypots are divided into research honeypots and production honeypots. Research honeypots are based on gathering intelligence about attackers and about hackers' methods and techniques. Production honeypots, by contrast, aim to reduce the risk to the company's IT resources, provide detection alerts for attacks on the network infrastructure, and anticipate and deflect attacks away from production systems within the honeypot's monitored environment. They are described as networks of production systems connected to the Internet (possibly without passing through a firewall). Such a system is a standard production system with the real applications the company uses on its network. In practice it may well be a clone of a production system deployed as a honeypot, with confidential information removed or replaced by similar data of no real value. A honeypot or honeynet can also be run at home or in a small company. In practice one can deploy a simple program such as Honeyd on Linux, by Niels Provos, which mimics the responses of many well-known services. In that case one can collect data from attacks by automated worms and from the initial steps of human-driven attacks. The illusion is limited, however, and does not always hold up to a high degree once data starts flowing through. To get close to what happens in the dark, a honeynet is needed: a device directly connected to the network that can be probed and attacked. A few computers, a network connection (even with a dynamic IP) and some knowledge of information security are enough to draw hackers from all over the world.

I.2 Tasks of the thesis
Every student must complete a final-year project before graduating, to gain research experience and consolidate what has been learned. My project is a study of honeypots. The research and implementation steps are:

+ Implement a virtual honeypot network.
+ Demonstrate that the network exists.
+ Scan the ports and emulated services on that network.
+ Monitor and detect intrusions.
These are the tasks this thesis must complete.

I.3 Structure of the thesis
The thesis is divided into five chapters, covering: an introduction to honeypots; the tasks and structure of the topic; the types of honeypots; honeynets; placement of the honeypot system; honeypot configuration and setup (introduction, installation and configuration, usage); the details of the file that emulates the honeypot system; and the results obtained.

Chapter I: Overview
Chapter II: Honeypots
Chapter III: Network emulation with Honeyd
Chapter IV: Intrusion detection systems
Chapter V: Simulating the honeypot system

Chapter II: Honeypots


II.1 Types of honeypots
There are two main types: low interaction and high interaction.
+ Low interaction: emulates services, applications and operating systems. Low risk, easy to deploy and maintain, but limited in the services offered.
+ High interaction: real services, applications and operating systems. The amount of information collected is high, but so is the risk, and operation and maintenance are time-consuming.

Figure 2.1: Types of honeypots (from low interaction: BackOfficer Friendly, Specter, Honeyd; to high interaction: Honeynet)

II.1.1 BackOfficer Friendly (BOF)


A low-interaction honeypot that is very easy to run and configure and can operate on any version of Windows or Unix, but it interacts only with a few simple services such as FTP, Telnet and SMTP.

II.1.2 Specter
Also a low-interaction honeypot, but with better interaction than BOF: it emulates over 14 ports and supports alerting and remote management. Like BOF, however, Specter is limited in the number of services and is not flexible.

II.1.3 Honeyd
+ Honeyd listens on all TCP and UDP ports; its emulated services are designed to hold off and log attacks, interacting with the attacker in the role of a victim system.
+ Honeyd can emulate many different operating systems at the same time.
+ Honeyd now exists in several versions and can emulate around 473 operating systems.
+ Honeyd is a low-interaction honeypot with many advantages, but it cannot offer a real operating system for the attacker to interact with, and it has no alerting mechanism for when the system is found to be intruded or in danger.

II.1.4 Honeynet

Figure 2.2: Honeynet model (GenII)

- A honeynet is a high-interaction form of honeypot. Unlike other honeypots, a honeynet is a real system, exactly like an ordinary working network: it provides real systems, applications and services.
- The most important element when building a honeynet is the honeywall. The honeywall is the gateway between the honeypots and the outside network. It operates at layer 2 as a bridge, and all traffic into and out of the honeypots must pass through it.
Functions of a honeynet
Any honeynet must satisfy three conditions: data control, data capture and data analysis.
- Data control
This can be understood as opening the door for hackers to come in, allowing them into the honeynet, while closing the door on the way out so that they cannot spread malicious code to the working network outside or to the Internet.

Figure 2.3: Data control
A GenIII honeynet uses three methods of data control:
+ Counting outbound connections from the honeynet: if the count exceeds the allowed limit, the connection is blocked.
+ Using Snort-inline: open-source software developed from Snort that works as an intrusion prevention system (IPS), deciding on the basis of a database of previously collected attack patterns.
+ Bandwidth control.
- Data capture
This is the main purpose of every kind of honeynet: to collect as much information as possible about the attacker at several levels, namely network activity, application activity and system activity. A GenIII honeynet uses Sebek for data capture. Sebek is a hidden kernel module installed on the honeypot machines, with the honeywall gateway acting as its server.

Figure 2.4: How Sebek works
When an attacker breaks into the system and interacts with a honeypot, all of the hacker's activity is secretly forwarded to the Sebek server for collection and processing.
- Data analysis
Analysis is done through the honeywall's Walleye interface or with Ethereal.

II.2 Honeypot deployment plan

Deploying a honeypot requires a sound technical process; following the plan correctly helps the deployment succeed. The list below gives the steps:
+ Confirm that a honeypot is permitted in the target system environment.
+ Define the honeypot's objective: why run a honeypot at all?
+ Decide whether it is for research or for protecting the organisation's computer systems.
+ Define the human roles in creating and maintaining the honeypot. Is there the technical expertise to deploy and maintain a honeypot correctly? Are the software and hardware for deployment available? How much time will be spent each day maintaining it and analysing data? Keep discussing and researching to keep up with new honeypots and exploit them effectively.
+ Decide which kinds of honeypot to deploy: research or production, real or virtual.
+ Determine the network device installation and configuration needed to build the honeypot. Plan and configure the components and tools that support the honeypot (alerting, logging, monitoring, management).
+ Collect the settings for monitoring, logging and forensic analysis tools.
+ Prepare a recovery plan: how to restore the honeypot to its original state after it has been exploited and damaged.
+ Deploy the honeypot and its supporting components, verify the deployment, evaluate the intrusion detection tools and test whether the honeypot system works well.
+ Analyse the results and find the gaps. Tune the honeypot systems based on the lessons learned and the research. Repeat the steps as needed.

II.2.1 Attracting attackers

If a honeypot is exposed so that its IP addresses and ports are reachable from the Internet, it will be accessed quickly. On average, public IP addresses on the Internet are probed dozens of times a day. Statistics from many honeypot projects show more than a hundred probes per day, and most hosts are attacked within a week. Internet worms scan many times a day; many honeypot administrators have recorded compromises in under 20 minutes. For these reasons some honeypot administrators quickly and actively post their honeypot's location to hacker mailing lists and websites. Administrators who post their honeypot locations do so to uncover serious crimes and to collect evidence of unauthorised intrusion. A honeypot should never advertise its presence or invite hackers, since that defeats the honeypot's main purpose.

II.2.2 Defining objectives

To design a honeypot system, the objectives and the placement of the honeypot must be decided. Many questions need answering before starting, including:
- What is the main reason for creating the honeypot system?
- Which OS environment should the honeypot emulate?
- Which kinds of servers or services should be emulated?
- Should it watch internal threats, external threats, or both?
Having answered these, the basic decision is whether to build a research or a production honeypot, how to do it and how to configure it. A production honeypot should emulate the applications, services and servers that actually exist. Done properly with high interaction, it makes it hard for an attacker to recognise that they are interacting with a honeypot.

Figure 2.5: Example of a production honeynet
For example, suppose the network consists of a server running Windows Server 2003 with IIS 6.0, a Windows 2000 Server running Microsoft SQL Server 2000, a Windows NT 4.0 Server, and a Windows 2000 Server running IIS 6.0. The production honeypot will try to mimic those servers and services.

II.3 Placement of the honeypot system

There are three main zones in which to place a honeypot system:
- External placement (outside zone).
- Internal placement (inside zone).
- DMZ placement.
Each placement has advantages and disadvantages depending on the purpose of the honeypot.

II.3.1 External placement

This zone faces the Internet directly; in this position no firewall stands in front of the honeypot, and the honeypots and the honeynet share the same public IP subnet.

II.3.2 Internal placement

The honeypot sits inside the network, with the firewall separating it from the Internet. This position is the best way to build an early-warning system for any exploitation coming from outside, protecting the internal network and catching threats as they occur. As an example, when the Blaster worm struck, many companies deployed firewalls configured to block port 135 to keep the worm out, yet the worm could still slip past the firewall over other links and from laptops and mobile devices. Once past the firewall, the worm could infect internal machines whose operating systems and security flaws had not been patched.

II.3.3 DMZ placement

A DMZ is a zone separated from the LAN for hosting public servers such as web, mail and FTP servers. Placing a honeypot in the DMZ is often a company's best choice: it can sit alongside the servers in the DMZ and give early warning of threats to that location. A router placed between the DMZ firewalls is added as a data control layer. The DMZ may use public or private IP addresses. A honeypot in the DMZ is an ideal place for the setup, but most such layouts are complex. Also, because it sits in the DMZ, it is not the best early warning for an attack that damages the internal network.

Comparison of honeypot placements:

Position | Advantages | Disadvantages
External | Easy to build and deploy; few devices needed | Poor data control; highest risk to the production network's honeypots
Internal | Good for watching insiders; early-warning system that protects backups | Much more complex installation; must decide which ports to allow or redirect directly
DMZ | Good data control | Complex installation; weaker early warning; must decide which ports to allow or redirect directly

Chapter III: Network emulation with Honeyd

Developed and maintained by Niels Provos, Honeyd is a small daemon with many outstanding features. Honeyd emulates virtual hosts on a computer network. It can emulate any operating system and simulate various TCP/IP services such as HTTP, SMTP and SSH. Honeyd is used to build honeynets and to set up honeypots that lure hackers into breaking into the system. A useful feature of Honeyd is its ability to emulate a network topology complete with parameters such as hops, packet loss, latency and bandwidth, using only a single host in the network. This lets complex networks be emulated for testing; it also presents a fake network to hackers outside, trapping them in the honeypot network. Some features Honeyd provides for building a honeypot network:
+ Emulation of complex network topologies.
+ Configuration of network parameters such as latency, loss rate and bandwidth.
+ Support for multiple entry routers serving multiple networks.
+ Integration of physical machines into the network topology.
+ Asymmetric routing.
+ GRE tunnels for building distributed networks.
This section shows how to create network topologies, how to use Honeyd, and sample configurations. It presents the configuration command syntax and the use of configuration files, building a network step by step and examining the configuration files closely. The skeleton of a Honeyd honeypot configuration:

CREATE <template name>
#ANNOTATE "<personality name>"
SET <template name> ETHERNET "<Ethernet name>"
SET <template name> PERSONALITY <personality name>
SET <template name> DEFAULT TCP ACTION <action>
SET <template name> DEFAULT UDP ACTION <action>
SET <template name> DEFAULT ICMP ACTION <action>
ADD <template name> <protocol> PORT <number> <action>
ADD <template name> <protocol> PORT <number> "<script engine to call> <script file>"
SET <template name> UPTIME <seconds>
SET <template name> DROPRATE IN <%>
SET <template name> UID <number> GID <number>
BIND <IP address(es)> <template name>

Explanation of the skeleton above:
- create: creates a template.
- #annotate: a comment giving the operating system name.
- set ... ethernet: specifies the Ethernet interface for the template, used to connect to the outside.
- set ... personality: assigns an operating system to the template created above.
- set ... default ... action: sets the action for the TCP, UDP and ICMP protocols. There are three kinds of action:
  Open: opens all ports of a protocol.
  Block: all packets of the given protocol are dropped; the honeypot does not respond to packets for that protocol or port.
  Reset: reports all ports as closed. If a TCP port is closed, the virtual honeypot responds to a SYN packet for that port with a TCP RST. If a UDP port is closed, the virtual honeypot replies with an ICMP port-unreachable message.
- add ... port <action>: adds a port with its protocol and action.
- add ... port "<script>": adds a script that runs the service on that port.
- System variables: UPTIME is how long the system has been running, in seconds. DROPRATE IN is the specified percentage (%) of packets sent from Honeyd that are dropped, to simulate a busy network. UID and GID are the unique identifier and the global identifier of the virtual machines (number).

What follows builds a physical network of 4 desktop computers together with one system used as the Honeyd host. The emulated virtual network will be placed on the Honeyd host. Honeyd runs on Unix and was ported to Windows by Michael Davis. In this example a Windows Server 2003 machine is used as the Honeyd host. The physical network uses the address range 10.0.0.0/24, and the Honeyd host is assigned the IP address 10.0.0.1 as in figure 3.1.

Figure 3.1: The Honeyd host

III.1 Steps to set up two honeypots

First, look at how to set up two honeypots on the Honeyd host. Two honeypots running Windows are built at the IP addresses 10.0.0.51 and 10.0.0.52. The blue band in figure 3.2 contains the honeypots the Honeyd host creates. Before configuring and running Honeyd, make sure the Honeyd host answers ARP (Address Resolution Protocol) requests for the IP addresses of the honeypots it hosts. Before starting Honeyd, it must be given a configuration file (here lab1.config) containing the information for emulating two Windows machines. The configuration file's contents are fairly self-explanatory:

#Windows computers
#annotate "Microsoft Windows 2003 Server SP1"
create window
set window ethernet "vmware"
set window personality "Microsoft Windows 2003 Server SP1"
set window default icmp action reset
set window default tcp action block
set window default udp action reset
add window tcp port 80 "perl scripts\iisemulator-0.95\iisemul8.pl"
add window tcp port 139 open
add window udp port 138 open
add window udp port 137 open
add window udp port 135 open
bind 10.0.0.51 window
bind 10.0.0.52 window

The configuration above creates a template named window and assigns two IP addresses to honeypots using that template. The template tells Honeyd to impersonate Microsoft Windows 2003 Server SP1 when a client tries to fingerprint the honeypot with nmap or Xprobe. Five ports are opened on the honeypot: 80/tcp, 139/tcp, 137/udp, 138/udp and 135/udp. When a machine connects to port 80 of the honeypot, the honeypot runs perl scripts\iisemulator-0.95\iisemul8.pl to emulate IIS. For closed ports, the honeypot answers requests with an RST message for TCP or an ICMP Port Unreachable message for UDP. With this configuration file, Honeyd can be run from the command line:

C:\winhoneyd\WinHoneyd_1.5c.exe -d -i 2 -f C:\winhoneyd\lab1.config 10.0.0.51 10.0.0.52

The -d option is the best choice for running Honeyd, as it runs quietly in the background; -i <interface> specifies the interface on which honeyd listens and connects to the network; -f <filename> loads the configuration file. To list all network interfaces, use the N option.

From this point on, Honeyd listens and answers packets for the two virtual systems it has created at 10.0.0.51 and 10.0.0.52. The Honeyd host itself can still be reached from outside, so its own IP address must be protected by a firewall, for example the "Kerio WinRoute Firewall" software.

Figure 3.2: Setting up two honeypots

III.2 Setting up a router in the network

Figure 3.3: A router in the honeypot network

Emulate a simple network with Honeyd using the address space 10.0.1.0/24, containing two honeypots separated from the LAN by a Cisco router (R1) as in figure 3.3. To emulate this network, first create a Cisco router at address 10.0.0.100:

#Cisco router
create router
set router ethernet "vmware"
set router personality "Cisco 7200 router running IOS 12.1(14)E6"
set router default icmp action reset
set router default tcp action reset
set router default udp action reset
add router tcp port 23 "perl scripts\router-telnet.pl"

The "route entry" syntax specifies the entry point into the virtual network from the LAN, here router R1:

route entry 10.0.0.100 network 10.0.0.0/24

This tells Honeyd that 10.0.0.100 is the entry point to the virtual network 10.0.0.0/24 and is also the router's address. There can therefore be several entry routers, each serving a different network range. The network 10.0.1.0/24 is reachable through router R1. To declare which networks are directly connected, needing no further hops, use the "route link" command:

route 10.0.0.100 link 10.0.1.0/24

The first IP address given is the router's IP. The network address after the "link" keyword says which network is directly reachable. Several link commands can be used to attach several subnets directly to one router. The router uses the router template defined above, bound with:

bind 10.0.0.100 router

The two honeypots use the winxp template defined below and are bound to the IP addresses 10.0.1.51 and 10.0.1.52:

create winxp
set winxp ethernet "vmware"
set winxp personality "Microsoft Windows XP"
set winxp default icmp action reset
set winxp default tcp action block
set winxp default udp action open
add winxp tcp port 23 open
add winxp tcp port 80 open
bind 10.0.1.51 winxp
bind 10.0.1.52 winxp

With this, the configuration of the simple network is complete. Run the command on the Honeyd host and give it the configuration file for the emulated network to start working.

III.3 Setting up a network with two routers

Figure 3.4: Honeypots with two routers

Now consider a more complex case. In figure 3.4 another network is added, separated from the original one by router R2 with IP address 10.0.1.100. The new network uses the range 10.1.0.0/24 and contains two honeypots at 10.1.0.51 and 10.1.0.52. First add a gateway (R2) to the configuration file. The "route add net" directive adds a gateway to the virtual network; in this case it takes the form:

route 10.0.0.100 add net 10.1.0.0/24 10.0.1.100

This tells Honeyd that 10.0.0.100, the IP of router R1, reaches the network 10.1.0.0/24 through the gateway 10.0.1.100 (router R2). The first IP address on the command line is R1's, the last is the new gateway's, and the address range given is the network reached through the new gateway. After adding router R2, the IP addresses directly connected to R2 must be declared, again with the "route link" command. In this network the subnet 10.1.0.0/24 is reached directly from R2, so the command is:

route 10.0.1.100 link 10.1.0.0/24

Next add the two honeypots by binding their IP addresses to the honeypot template:

bind 10.1.0.51 window
bind 10.1.0.52 window

In summary, an entry point into the virtual network is declared with "route entry ... network"; networks directly reachable from a gateway are declared with "route link"; a new gateway to reach a subnet is added with "route add net". These are the three basic directives for building large network topologies with Honeyd, and by combining them complex networks can be emulated. Next the network is extended one more level to study Honeyd's other notable features.

III.4 Setting latency, loss and bandwidth

Add a third network containing two honeypots one hop away from R2, as in figure 3.5.

Figure 3.5: Setting latency, loss and bandwidth

Add this network to the configuration file:

route 10.0.1.100 add net 10.1.1.0/24 10.1.0.100 latency 50ms loss 0.1 bandwidth 1Mbps
route 10.1.0.100 link 10.1.1.0/24
bind 10.1.1.51 window
bind 10.1.1.52 window

This configuration makes 10.1.0.100 the gateway into the network 10.1.1.0/24 and deploys two honeypots at 10.1.1.51 and 10.1.1.52. The "route add net" directive also sets the latency, loss and bandwidth parameters of the link between routers R2 and R3. In reality each hop a packet crosses adds some transmission delay; this is emulated with the latency keyword, which gives the per-hop delay in milliseconds. Real networks are also not ideal when forwarding packets: some packets may be lost. The loss keyword models this behaviour of network links by giving the loss percentage (%). Honeyd also queues a packet if the link is still occupied by a previous packet, so the delay can vary depending on the bandwidth assigned to the link. A link's bandwidth is specified in Kbps, Mbps or Gbps with the bandwidth keyword.

III.5 Integrating physical machines into the network topology

Honeyd also supports integrating virtual network topologies with physical hosts on the network. Suppose a host at address 10.1.1.53 is to be integrated into the virtual network. This host sits on the LAN with the Honeyd host and the other desktops, but it should appear logically several hops inside the virtual network. Figure 3.6 shows the structure of the network. The "bind" command attaches an external physical host to the network:

bind 10.1.1.53 to eth0

This tells Honeyd that 10.1.1.53 is reachable through interface eth0, and since 10.1.1.53 logically sits in the network segment behind router R3, a packet to that IP passes through R1, R2 and R3 before reaching 10.1.1.53. To see this, trace the route to 10.1.1.53 from a desktop on the LAN:

C:\>tracert 10.1.1.53
Tracing route to 10.1.1.53 over a maximum of 30 hops
1 * * * Request timed out.
2 <10 ms 10 ms 10 ms 10.0.1.100
3 10 ms 20 ms 20 ms 10.1.0.100
4 10 ms 20 ms 20 ms 10.1.1.53
Trace complete.

Figure 3.6: Integrating physical machines into the network topology
The machine 10.1.1.53 is reached through three virtual intermediate hops, even though it sits on the same physical network as the other machines.

III.6 Setting up multiple entry routers

Honeyd also allows several entry points into the virtual network. For example, figure 3.7 adds a new network connected through router R4 at 10.0.0.200. Creating a new entry point is straightforward: use the "route entry" command once more to define the new router. The rest of the network is built by combining "route add net" with "route link". For this network, the configuration for the second entry point and the network behind it is:

route entry 10.0.0.200 network 10.2.0.0/24
route 10.0.0.200 link 10.2.0.0/24
route 10.0.0.200 add net 10.2.1.0/24 10.2.0.100
route 10.2.0.100 link 10.2.1.0/24
bind 10.0.0.200 router
bind 10.2.0.100 router
bind 10.2.0.51 window
bind 10.2.0.52 window
bind 10.2.1.51 window
bind 10.2.1.52 window

Figure 3.7: Setting up multiple entry routers

The "route entry" directive adds a new router R4 at IP 10.0.0.200 serving the network 10.2.0.0/24; route link declares that 10.2.0.0/24 is directly connected through router R4. Route add net then adds a gateway at 10.2.0.100 serving the network 10.2.1.0/24, and the following route link declares that 10.2.1.0/24 is directly connected to this new router. Finally the new router's IP address is bound to the router template and the four honeypot addresses to the window template.
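As an added example (not code from this thesis or from Honeyd itself), the Python script below parses the Honeyd directives used in sections III.1 to III.6 and answers two questions a defender would check before deploying such a topology: which virtual routers a packet from the LAN crosses to reach a given honeypot (the path the tracert in section III.5 shows), and how a honeypot answers a probe under the open/block/reset action semantics of sections II.1.3 and III.1. The merged configuration is constructed for this example, and the forwarding rule for a router without an explicit "add net" match is an assumption, not Honeyd's actual implementation.

```python
import ipaddress
import shlex

# Constructed configuration (assumption): the lab snippets of sections III.1-III.5 merged.
CONFIG = r"""
create window
set window personality "Microsoft Windows XP"
set window default icmp action reset
set window default tcp action block
set window default udp action reset
add window tcp port 80 "perl scripts\iisemulator-0.95\iisemul8.pl"
add window tcp port 139 open
add window udp port 137 open
create router
set router personality "Cisco 7200 router running IOS 12.1(14)E6"
set router default icmp action reset
set router default tcp action reset
set router default udp action reset
add router tcp port 23 "perl scripts\router-telnet.pl"
route entry 10.0.0.100 network 10.0.0.0/24
route 10.0.0.100 link 10.0.1.0/24
route 10.0.0.100 add net 10.1.0.0/24 10.0.1.100
route 10.0.1.100 link 10.1.0.0/24
route 10.0.1.100 add net 10.1.1.0/24 10.1.0.100 latency 50ms loss 0.1 bandwidth 1Mbps
route 10.1.0.100 link 10.1.1.0/24
bind 10.0.0.100 router
bind 10.0.1.100 router
bind 10.1.0.100 router
bind 10.0.1.51 window
bind 10.1.0.51 window
bind 10.1.1.51 window
bind 10.1.1.53 to eth0
"""


def parse_config(text):
    """Parse the subset of Honeyd directives used in this chapter."""
    cfg = {"templates": {}, "binds": {}, "physical": set(), "routers": {}, "entry": None}
    router = lambda ip: cfg["routers"].setdefault(ip, {"links": [], "nets": []})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # '#' starts a comment
        if not line:
            continue
        tok = shlex.split(line)                           # keeps quoted script commands whole
        if tok[0] == "create":
            cfg["templates"][tok[1]] = {"personality": None, "default": {}, "ports": {}}
        elif tok[0] == "set" and tok[2] == "personality":
            cfg["templates"][tok[1]]["personality"] = tok[3]
        elif tok[0] == "set" and tok[2] == "default":     # set T default <proto> action <act>
            cfg["templates"][tok[1]]["default"][tok[3]] = tok[5]
        elif tok[0] == "add":                              # add T <proto> port <n> <action|script>
            cfg["templates"][tok[1]]["ports"][(tok[2], int(tok[4]))] = tok[5]
        elif tok[0] == "bind" and tok[2] == "to":          # physical host placed in the topology
            cfg["physical"].add(tok[1])
        elif tok[0] == "bind":
            cfg["binds"][tok[1]] = tok[2]
        elif tok[:2] == ["route", "entry"]:                # route entry <router> network <net>
            cfg["entry"] = tok[2]
            router(tok[2])
        elif tok[0] == "route" and tok[2] == "link":       # subnet attached directly to a router
            router(tok[1])["links"].append(ipaddress.ip_network(tok[3]))
        elif tok[0] == "route" and tok[2:4] == ["add", "net"]:
            # route <router> add net <net> <gateway> [latency .. loss .. bandwidth ..]
            attrs = dict(zip(tok[6::2], tok[7::2]))
            router(tok[1])["nets"].append((ipaddress.ip_network(tok[4]), tok[5], attrs))
        # ethernet, uptime, droprate and uid/gid are accepted but not modelled here
    return cfg


def path_to(cfg, dst):
    """Routers a LAN packet crosses to reach dst, each paired with the attributes of the
    link it leaves by.  Assumption: a router with no explicit 'add net' match forwards to
    the gateway whose subtree reaches dst (this reproduces the tracert of section III.5)."""
    dst = ipaddress.ip_address(dst)

    def walk(rtr, seen):
        r = cfg["routers"].get(rtr)
        if r is None or rtr in seen:
            return None
        if any(dst in net for net in r["links"]):
            return [(rtr, {})]
        # explicit routes first, then any other gateway that can still reach dst
        for net, gw, attrs in sorted(r["nets"], key=lambda e: dst not in e[0]):
            rest = walk(gw, seen | {rtr})
            if rest is not None:
                return [(rtr, attrs)] + rest
        return None
    return walk(cfg["entry"], frozenset())


def probe(cfg, dst, proto, port):
    """Honeypot's answer to a TCP/UDP probe, following the action semantics of sections
    II.1.3 and III.1: open, block (packets dropped), reset, or a service emulation script."""
    tmpl = cfg["templates"][cfg["binds"][dst]]
    action = tmpl["ports"].get((proto, port), tmpl["default"][proto])
    if action in ("open", "block"):
        return "accept" if action == "open" else "no response"
    if action == "reset":
        return "TCP RST" if proto == "tcp" else "ICMP port unreachable"
    return "script: " + action


CFG = parse_config(CONFIG)
```

For 10.1.1.53 the path is the three virtual routers R1, R2, R3 with 50 ms of configured latency, matching the three intermediate hops of the tracert; probing 10.1.1.51 on tcp/445 gets no answer because the template's default TCP action is block.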

III.7 GRE tunnels for distributed networks

Figure 3.8: GRE tunnels for distributed networks

Another notable feature of Honeyd is the ability to tunnel traffic from a virtual network on the Honeyd host to other remote networks, building a distributed network. This feature can be used to emulate a distributed network through the Honeyd host, or to have one Honeyd host serve several distributed networks. In what follows the Honeyd host acts as a collection of interacting honeypots, a kind of central site. Participants can control part of the IP address space by routing that address space through a tunnel to the Honeyd host. Figure 3.8 shows this network.

To understand how to configure a GRE (Generic Routing Encapsulation) tunnel, consider a simplified version of the network developed so far. In figure 3.8 the network 10.3.1.0/24 is located across a WAN, possibly across a national network. Using Honeyd's GRE tunnel feature, traffic can be carried from router R7 to the virtual router R6 as if the two routers were directly connected. To users on the remote network, the network emulated inside the Honeyd host appears to be one hop away, since traffic flows through the tunnel over the virtual link set up between the two routers. The Honeyd host can thus serve a remote network. To configure the Honeyd host for the GRE tunnel in figure 3.8, add R6, the router whose external interface is 172.20.254.1, as a virtual router that can terminate the tunnel. R6 is a new entry router that allows traffic to the network 10.3.2.0/24. Although a router is not strictly required for forwarding traffic through the tunnel, it makes the configuration of the virtual router easier to understand:

route entry 172.20.254.1 network 10.3.2.0/24

Then declare the network 10.3.2.0/24 as directly connected to that router with "route link":

route 172.20.254.1 link 10.3.2.0/24

To set up the tunnel, use the "route add net tunnel" construct. The first endpoint of the tunnel is the external IP address of router R6, i.e. 172.20.254.1. The physical IP address of the remote router, 172.30.254.1, is the second endpoint. In the configuration file, specify the virtual router and the remote network that connects through the tunnel:

route 172.20.254.1 add net 10.3.1.0/24 tunnel 172.20.254.1 172.30.254.1

Note that router R7 across the WAN must be configured as the endpoint of the GRE tunnel from the virtual router and must route packets to their destination. From then on, all traffic from the network 10.3.1.0/24 to the honeypots provided by Honeyd passes through the GRE tunnel between routers R6 and R7. With this feature one can build a distributed network and lay a virtual topology across it, hiding the physical network from outside attacks.

Some of the operating system personalities available:
Cisco 1601 router running IOS 12.0(8)
Cisco 1601R router running IOS 12.1(5)
Cisco 2611 router running IOS 12.2(7a)
Cisco 2620 running IOS 12.2(19a)
Cisco 3600 router running IOS 12.2(6c)
Cisco 4000 Series running IOS 12.0(10.3)
Cisco 5200 router running IOS v12.0(15)
Cisco 7200 router running IOS 12.1(14)E6
Cisco 7204 router running IOS 12.1(19)
Cisco 7206 router running IOS Version 12.2(13)T8
Cisco 837 router running IOS 12.3(11)T
Cisco IOS 12.0(21) (On a 2514 router)
Cisco IOS 12.0(3.3)S (perhaps a 7200 router)
Cisco IOS 12.0(5)WC3 - 12.0(16a)
Cisco IOS 12.0(7)T (on a 1700 router)
Cisco IOS 12.1(4) on a 2600 router
Cisco IOS 12.2(8)T5 on a 7507 router
Linux 2.4.20 (Itanium)
Linux 2.4.20 (Red Hat)
Linux 2.4.20 (X86, Redhat 7.3)
Linux 2.4.20 - 2.4.22 w/grsecurity.org patch
Linux 2.4.20 x86
Linux 2.4.20-ac2
Linux 2.4.21 (Suse, X86)
Linux 2.4.21 (x86)
Linux 2.4.21 (x86, RedHat)
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 or XP SP2
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Home Edition (German) SP1
Microsoft Windows XP Home SP1
Microsoft Windows XP Pro
Microsoft Windows XP Pro (German)
Microsoft Windows XP Pro (German) SP1


Chapter IV: Intrusion Detection Systems


IV.1 Introduction
Intrusion detection is an extremely important security control. An Intrusion Detection System (IDS) is a security measure that complements firewalls (the figure below illustrates this). An IDS can detect malicious code that is active inside the network after getting past the firewall. There are two main kinds of IDS: network-based and host-based.

Figure 4.1: Network-based and host-based IDS

Network-based: A network-based IDS examines network traffic in real time. It inspects the conversations, scans the packet headers and can inspect packet payloads to detect malicious code or the various forms of attack. A network-based IDS is reliable at examining and detecting attacks on the network, for example bandwidth-based Denial of Service (DoS) attacks.


Host-based: A host-based IDS only monitors and logs a single host system. It is a form of IDS limited to monitoring and recording everything that host can do (including the operating system, the applications and all of the host's services). A host-based IDS can detect problems as long as the relevant information about the host is monitored and logged. It is the control for detecting attacks aimed directly at one host.

Active detection and passive detection: An IDS either monitors automatically in real time (a network-based IDS) or reviews audit logs, in order to detect security errors and attacks directed at the network or at a host. The two basic methods by which an IDS recognises attacks or security risks are signature detection and anomaly detection. Signature detection compares observed situations against attack patterns (signatures) stored in the IDS database. Anomaly detection depends on the environment and can pick up unusual events: it starts from the system's normal activity to automatically spot what is abnormal and to analyse which kind of attack it may be. An IDS with active detection detects and responds; it is designed to act as quickly as possible to minimise the danger to the system, and the response may be to shut down the host or its services, or to cut connections. An IDS with passive detection responds without taking direct action against the attack: it can log the whole system and alert the administrator. An IDS is very good at detecting DoS attacks, bugs, flaws, hidden features and port scans, but it cannot detect attacks carried in e-mail containing malicious code.


Components of an IDS monitoring a network.

Figure 4.2: Components of an IDS monitoring a network

In the figure below the IDS asks the firewall to block port 80 for 60 seconds to counter attacks on a web server running IIS.


Figure 4.3: The IDS asks the firewall to block port 80

The two main requirements when deploying an IDS are cost and the ability to keep up with the rapid development of information technology, and SNORT meets both very well. It can be downloaded and used free of charge, so cost is not a concern. SNORT is also open source with a large and well-managed developer community, so when a new kind of intrusion is discovered the developers quickly publish warnings and update the Snort rules, and organisations can modify the source code to suit their own needs. For these reasons SNORT is a powerful IDS and currently the most popular one in the world for intrusion detection.


Snort has four operating modes:
- Sniffer mode: reads the packets on the network and displays them on the console; in this mode Snort only listens.
- Packet logger mode: stores the packets in log files.
- Network Intrusion Detection System (NIDS) mode: the most powerful and most widely used mode. Snort analyses the packets travelling on the network, compares them with the user-defined rules and takes the corresponding action, such as notifying the administrator when a port scan by a hacker/attacker is in progress, or raising a virus warning.
- Inline mode: when Snort runs on Linux it can be configured to take packets from iptables instead of libpcap (iptables is organised into tables; each table is divided into chains that process packets depending on the situation, that is, the path the packet takes; each chain holds the rules configured to process the packets that pass through that chain), so that iptables can drop or pass packets according to the Snort rules.

IV.2 Installing Snort on Windows

IV.2.1 Installing Snort


Snort can be placed in front of or behind a firewall, depending on the organisation's security requirements. If the network is divided into several segments, every subnet must have its own Snort sensor installed. Unlike commercial products, which on top of high licence fees usually demand dedicated network hardware, Snort can be installed and configured on an ordinary x86 computer; it only needs enough free disk space to store the captured packets, which with today's storage technology is not a problem. Snort works like a network sniffer: it listens to and records the packets on the network, then compares their contents or headers with a set of defined rules called Snort rules, and when a packet matches a rule the actions defined in that rule are carried out. One advantage is that these rules are updated quickly by the developer community, so Snort's ability to respond to modern attacks is very high.


Snort uses three components to do its work:
- Packet decoder: analyses the packet, including the IP header and the data payload.
- Detection engine: looks for suspicious signs according to the rule set.
- Logging and alert system: records and alerts.
These three components use libpcap to capture packets when Snort is installed on Linux. On Windows, libpcap is replaced by WinPcap. Download WinPcap from www.iltiloi.com and Snort from www.snort.org, choosing the Windows build. Then run the Snort_Installer.exe program to start the installation. The Installation Options screen offers mechanisms for storing log files in an SQL or Oracle database; here only file logging is needed, so choose the first option, "I do not plan to log to a database, or I am planning to log to one of the databases listed above".

Figure 4.4: Installing Snort


After Snort is installed, the important parameters such as HOME_NET and RULE_PATH must be set before Snort can be used for the steps that follow. This is the step at which installing and using Snort most often goes wrong, because of incorrect declarations. The file C:\Snort\etc\snort.conf contains many settings, and a new version may change them, which easily causes confusion. snort.conf controls everything: what Snort monitors, how it protects itself, which rules it uses to find dangerous traffic, and even how it monitors potentially dangerous traffic that is not defined by signatures. The file is organised into several sections and contains many comments and instructions on using particular options for the different configuration items:
- Configuration variables.
- Decoder and detection engine configuration.
- Preprocessor configuration.
- Output configuration.
- Included files.

Configuration variables

The first part of the file records some configuration information. Most of the variables are used by the Snort rules to determine what certain rules display and where other parts are located. The variables describe the layout of the environment so that Snort can decide which events generate an alert. They can specify IP addresses and the TCP ports on which a service listens. By default the variables are declared with the value any, which matches every IP address; used that way they can generate a large number of false alerts. To specify a single address, just enter the IP address:

var HOME_NET 10.0.0.100

Several addresses can be specified; the group of addresses is enclosed in square brackets and the addresses are separated by commas (no spaces):

var HOME_NET [10.10.0.52,192.168.1.23,172.16.30.52]

An address range can be given by specifying the number of bits in the subnet mask:

var HOME_NET 10.0.0.0/24

The notations can be combined:

var HOME_NET [192.168.33.12,172.16.0.0/16,10.0.0.51,10.0.0.0/24]

The character ! negates. Note that when a variable is set, only its name is used; when it is actually used, the name must be prefixed with $. The following example sets EXTERNAL_NET to every address that is not in HOME_NET:

var EXTERNAL_NET !$HOME_NET

Some variables hold port numbers rather than IP addresses: a single port, a contiguous range of ports, or the negation of a port. For example:

var ORACLE_PORTS 1521
var ORACLE_PORTS 8000:8080 (ports 8000 to 8080)
var ORACLE_PORTS :8080 (ports up to and including 8080)
var SHELLCODE_PORTS !80 (every port except 80)

The default variables in snort.conf are:
HOME_NET - identifies the IP addresses of the systems being protected.
EXTERNAL_NET - should use the ! character to identify everything that is not on the internal network: !$HOME_NET.
The variables used to define the servers running the services that the rules refer to are: DNS_SERVERS, SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, SNMP_SERVERS.
HTTP_PORTS - port 80 is the default HTTP port.
SHELLCODE_PORTS - usually set to every port other than 80.
ORACLE_PORTS - the port Oracle listens on; by default Oracle listens on port 1521.
AIM_SERVERS - used by the rules that monitor peer-to-peer and instant-messenger traffic; it is configured with the list of AOL Instant Messenger server addresses, which changes over time.
RULE_PATH - must be set correctly, otherwise Snort will not work. It points to the location of the rules in the file system. If the rules are in C:\Snort\rules, set the variable as follows:

var RULE_PATH C:/Snort/rules

IV.2.2 Configuring Snort's decoder and detection engine


The Snort decoder checks the structure of packets to make sure they are built according to specification. If a packet has an odd size, an odd set of options or other unusual settings, Snort generates an alert. If these alerts are of no interest, or the number of false alerts is too high, the decoder alerts can be switched off. By default all of them are enabled; to turn off a particular kind of alert, delete the # at the start of the corresponding line. The decoder configuration options are:

# config disable_decode_alerts
# config disable_tcpopt_experimental_alerts
# config disable_tcpopt_obsolete_alerts
# config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_alerts
# config disable_ipopt_alerts

Other configuration directives (the equivalent command-line switch is given in brackets):

config order: [pass, alert, log, activation, or dynamic] - changes the order in which rules are evaluated.
config alertfile: alerts - sets the alert output file.
config decode_arp - enables ARP decoding (snort -a).
config dump_chars_only - dumps characters only (snort -C).
config dump_payload - dumps application-layer data (snort -d).
config decode_data_link - decodes layer-2 headers (snort -e).
config set_gid: 30 - changes the GID (snort -g).
config interface: <interface name> - sets the network interface (snort -i).
config alert_with_interface_name - appends the interface name to alerts (snort -I).
config logdir: /var/log/snort - sets the log directory (snort -l).
config umask: <umask> - sets the umask while running (snort -m).
config pkt_count: N - exits after N packets (snort -n).
config nolog - disables logging (alerts still work) (snort -N).
config quiet - disables the banner and status reports (snort -q).
config set_uid: <id> - sets the UID (snort -u).
config utc - uses UTC instead of local time for timestamps (snort -U).
config verbose - uses verbose logging to stdout (snort -v).
config dump_payload_verbose - dumps the raw packet starting at the link layer (snort -X).

config show_year - shows the year in timestamps (snort -y).

Preprocessor configuration

The preprocessors serve several purposes. They normalise traffic for many kinds of service, ensuring that the data in the packets Snort examines is in a form in which the signatures will be recognised. Another function of the preprocessors is self-defence: many attacks are designed to confuse or flood the NIDS sensor so that the attacker can carry out the attack undetected; the frag2 and stream4 preprocessors are mainly defensive mechanisms. The final benefit of the preprocessors is that they extend Snort's ability to detect anomalies that may be signs of intrusion.

Output configuration

One of Snort's real strengths is its options for outputting alerts and intrusion-detection information. Many Snort administrators use third-party applications to monitor and study the information Snort produces; for that, Snort must output data in a specific format, and the output plug-ins do this job. Note that using some of these plug-ins requires the administrator to take a few extra steps when Snort is compiled. For example, to let Snort write to a MySQL database, the MySQL client must be installed on the Snort system and the --with-mysql option must be given to the ./configure command. Some options are only available on particular platforms: for example, only a Windows system can log directly to Microsoft SQL Server with the mssql plug-in (Unix systems must use ODBC with the odbc plug-in). Several output plug-ins can be enabled at once, which lets the administrator deploy several tools.

Database

The database plug-in can write to several relational databases, on the same system that runs Snort or on another host. When logging to a database a lot of information is recorded, including the alerts, the hosts involved and the packet that caused the alert, which makes separating true alerts from false ones easier. Logging to a database server can sometimes become a bottleneck, because only one alert is written at a time; a well-configured database server can handle this. The database output plug-in has the following format:

output database: <log|alert>, <database type>, <parameter list>

<log|alert> Choose log or alert. log sends the logging information to the database and alert sends the alerts. Note that log includes the alert information plus the packet that generated the alert. To send both to the database, add two output database lines.
<database type> The kind of database being logged to. Snort supports the following: mysql, postgresql, oracle, odbc and mssql.
When configuring a specific database output plug-in, the following parameters are set (no commas between the parameters):
host - the IP address of the database server; if empty, the local machine is used.
port - the port the database listens on; only needed if it is not the standard port.
dbname=<database name> - the name of the database to log to.
user - the username Snort uses to log in to the database.
password - the password used to log in to the database.
The level of detail sent to the database can also be chosen. full includes all the information Snort collects, including the headers and the packet information. fast is slightly quicker but includes less information, such as the alert name, the source and destination addresses and ports, and the time. full is recommended.

Included files

The last part of snort.conf is the include entries. The include directive tells Snort to include the information in the named files of the Snort file system. These files contain configuration information and the rule files Snort uses to detect intrusions. The default path should have been set earlier in the configuration. Use the $RULE_PATH variable to point to their location, or use the full name to point to the rule files to be used. Several include entries can be used in one configuration. This sample tells Snort which rule files to use:

# include $RULE_PATH/telnet.rules (this rule file is not used)
include $RULE_PATH/dos.rules
include $RULE_PATH/icmp.rules

If the classification and priority settings, or references to any system, are used, add the following entries and make sure these files exist when Snort starts. They help classify and prioritise alerts by severity. Edit classification.config as required; once it is configured, the console can be used to find the highest-priority alerts. reference.config contains links to web pages with information about all the alerts, which is very useful.

# include classification & priority settings
include classification.config
# include reference systems
include reference.config

Snort rule examples

Here are some basic Snort rules with their descriptions.
Log all traffic connecting to port 23 of the telnet service:
log tcp any any -> 10.0.1.0/24 23
Log the ICMP traffic to the 10.0.1.0 network:
log icmp any any -> 10.0.1.0/24 any
Allow all web browsing without logging it:
pass tcp any any -> any 80
Generate an alert with an attached message:
alert tcp any any -> any 23 (msg: "Telnet Connection Attempt";)
Detect SYN/FIN scans:
alert tcp any any -> 10.0.10.0/24 any (msg: "SYN-FIN scan detected"; flags: SF;)

Detect TCP NULL scans:
alert tcp any any -> 10.0.10.0/24 any (msg: "NULL scan detected"; flags: 0;)
Detect OS fingerprinting:
alert tcp any any -> 10.0.10.0/24 any (msg: "O/S Fingerprint detected"; flags: S12;)
Filter on content:
alert tcp $HOME_NET any -> !$HOME_NET any (content: "Hello"; msg: "Hello Packet";)

From the sample rules above, custom rules can be written. The following scenario asks the security team to write Snort rules that log all TCP traffic, alert whenever ping is used, and alert whenever someone transmits the word password. Pro. Open Notepad and enter:

log tcp any any -> any any (msg: "TCP Traffic Logged";)
alert icmp any any -> any any (msg: "ICMP Traffic Alerted";)
alert tcp any any -> any any (content: "password"; msg: "Possible Password Transmitted";)

Save the file as C:\Snort\rules\demo.rules. Run Snort:

C:\Snort\bin\snort -c C:/Snort/rules/demo.rules -l C:/Snort/log

Open the log file C:\Snort\log\alert.ids to see the alert details. If Snort is deployed on the 10.0.0.0/24 network, open snort.conf in the C:\Snort\etc\ directory, find the HOME_NET variable and set it as follows:

var HOME_NET 10.0.0.0/24

Declare the path to the directory holding the Snort rules:

var RULE_PATH C:\Snort\rules

Figure 4.5: Path to the rules directory


Set the include entries for classification.config and reference.config as shown in the figure below (change them to include C:\Snort\etc\classification.config and include C:\Snort\etc\reference.config).

Figure 4.6: Paths to classification.config and reference.config

Now the prebuilt rules can be copied, or downloaded from the internet (take care to pick the version matching the deployed Snort), unpacked, and the rules directory copied into the Snort installation directory C:\Snort. After unpacking, the rules directory holds the rule files.

Figure 4.7: Directory holding the Snort program and the rules


Preparation is now complete. Before starting Snort to sniff or listen for suspicious traffic, specify the directory for the Snort IDS log files. Run the following command:

C:\Snort\bin\snort -l C:\Snort\log -c C:\Snort\etc\snort.conf -A console
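The steps of IV.2.1 and IV.2.2 assembled into one file: a minimal snort.conf for the Windows demo above. This is an added example, not a file from the original document; the alert file name alert.ids, the choice of rule files and the commented-out database line are assumptions. The two var lines at the top are the ones that most often break a fresh install (HOME_NET left at any floods the log with false alerts; a wrong RULE_PATH makes every include fail), and the two include lines for the classification and reference files use full paths because Snort is started from C:\Snort\bin rather than from C:\Snort\etc.

```conf
# snort.conf for the Windows demo (added example; paths and file names are assumptions)

# --- variables ---
# weak setting: var HOME_NET any   (every address is "home", so every scan of the
#                                   internet looks like an attack on us)
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
# must be the directory the rule files were unpacked into
var RULE_PATH C:\Snort\rules

# --- decoder: alerts stay on; uncomment a line only to silence that class ---
# config disable_tcpopt_experimental_alerts
# config disable_ipopt_alerts

# --- log directory, same effect as "snort -l C:\Snort\log" ---
config logdir: C:\Snort\log

# --- output: one-line alerts into C:\Snort\log\alert.ids ---
output alert_fast: alert.ids
# a database would be declared like this instead (format from the text above):
# output database: log, mysql, user=snort password=secret dbname=snort host=localhost

# --- classification / reference files, with full paths ---
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config

# --- rule files, resolved through $RULE_PATH ---
include $RULE_PATH/demo.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/dos.rules
```

With this file in place, the command line above (-A console) prints the same alerts on the console that alert_fast writes to alert.ids, which is the quickest way to confirm that HOME_NET and RULE_PATH were resolved correctly: a ping of a host inside 10.0.0.0/24 should raise the ICMP rule from demo.rules within a second.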

Figure 4.8: Running the program

Figure 4.9: Result of running the command line

IV.3 Using Snort

IV.3.1 Using Snort as a packet sniffer


To sniff, choose the network card that Snort is to put into promiscuous mode; if the computer has several cards, use the command snort -W to identify them:


Figure 4.10: Network interface numbers

The output of snort -W identifies the interface numbers; here the interface has number 2. Running snort -? lists the available options. To sniff packets, use snort -v -i<x>, where x is the interface number.


Figure 4.11: Snort command-line options

Syntax for running snort with the -v option:

C:\Snort\bin\snort -v -i2

With -v Snort only shows the IP and TCP/UDP/ICMP headers; to see the application data as well, use -vd:

C:\Snort\bin\snort -vd -i2

To also show the data-link-layer headers, use:

C:\Snort\bin\snort -vde -i2

Figure 4.12: Running Snort with the -v option

After running the command above, open a new window and ping some host, then watch the Snort console, where the packets appear. To stop sniffing press Ctrl-C; Snort then prints a summary of the captured packets per protocol (UDP, ICMP, ...).

Figure 4.13: Stopping Snort



IV.3.2 Using Snort in packet logger mode


Besides displaying the packets on the network, they can be stored in the directory C:\Snort\log with the -l option. For example, the following command logs the data-link-layer information and the TCP/IP headers for the local 10.0.0.0/24 network:

C:\Snort\bin\snort -dev -l C:/Snort/log -h 10.0.0.0/24

So far Snort has been installed and configured to capture packets and show their contents, but it is not yet a real intrusion detection system. Such a system needs rules, together with actions that alert the administrator when a packet matches one of them. The next part configures Snort as a network IDS.

IV.3.3 Using Snort in network IDS mode


Everything a Snort IDS does is driven by rules, so rules have to be created or the prebuilt rules edited. First, the command that runs Snort as a NIDS:

C:\Snort\bin\snort -dev -i2 -l C:/Snort/log -c C:/Snort/etc/snort.conf

This command line adds the -c option with the value snort.conf. That file holds the parameters that control and configure Snort, such as the HOME_NET variable that identifies the protected network and the RULE_PATH variable that points to the directory holding the rules Snort applies. Here the -c option asks Snort to apply the rules declared in snort.conf when processing the packets captured on the network. Before going deeper into Snort and its rules, consider the parts of a Snort rule:

+ Rule header: contains the action, the protocol, the source and destination IP addresses with their subnet masks, and the source and destination port numbers. Take the header alert tcp any any -> any any as an example: the first word, alert, is the rule action, which defines what Snort does when a packet matches the rule. There are five rule actions:


Rule action - Description
alert - generate an alert and log the packet
log - log the packet
pass - ignore the packet
activate - generate an alert and turn on a dynamic rule
dynamic - idle until activated by a matching activate rule, then log

Once the action is defined, the protocol must be specified, TCP in the example above; Snort supports TCP, UDP, ICMP and IP. Next the IP addresses are added to the rule: any stands for every IP address, and Snort uses the netmask notation for masks, /8 for a class A network, /16 for class B and /24 for class C; a single host is written with /32. A list of networks can also be given:

alert tcp any any -> [10.0.1.0/24,10.0.0.0/24] any (content: "Password"; msg: "Password Transfer Possible!";)

After the action, protocol and IP addresses, the service port number is specified, such as 80 for web access or ports 21, 23 and so on. The keyword any covers all ports, and the : character specifies a range of ports. To log any traffic from any IP address and any port to port 21 on the 10.0.1.0/24 network:

log tcp any any -> 10.0.1.0/24 21

To log all traffic from any IP address to ports 1 through 1024 on the hosts of the 10.0.10.0/24 network:

log tcp any any -> 10.0.10.0/24 1:1024

To log all traffic whose source port is less than or equal to 1024, going to hosts of the 10.0.10.0/24 network on a destination port greater than or equal to 1024:

log tcp any :1024 -> 10.0.10.0/24 1024:


The negation operator ! is also available, for example to log the TCP traffic from every host except 192.168.34.4, on all ports, to any host of 10.0.10.0/24 on all ports:

log tcp !192.168.34.4/32 any -> 10.0.10.0/24 any

Every rule seen so far contains a direction operator, ->, which indicates that the traffic flows from the left side (source) to the right side (destination). To apply a rule to traffic in both directions, use <> instead of ->, as when logging both directions of an FTP session:

log tcp 10.0.10.0/24 any <> 172.16.30.0/24 21

+ Rule options: this is where the criteria a packet must meet to match the rule, and the alert message, are declared, as in the following example:

alert tcp any any -> any 80 (content: "adult"; msg: "Adult Site Access";)

Here alert tcp any any -> any 80 is the rule header and (content: "adult"; msg: "Adult Site Access";) is the rule options. Although options are not mandatory in every Snort rule, they carry the information needed about why the rule exists and what to do. This rule generates an alert whenever TCP traffic from any IP address and port is sent to port 80 of any IP address with a payload containing the word adult; in other words, when a user on the LAN visits a site containing the word adult, an Adult Site Access record is written to the log file. A Snort rule can have several options, separated by ;, which make the rule more flexible and powerful. The following options are commonly used in Snort rules:

Keyword - Description
msg - displays a message in the alert and in the packet log file.
ttl - compares the Time To Live value of the IP header.
id - compares the fragment identification value of the IP header.
flags - compares the TCP flags with the defined values.
ack - compares the TCP acknowledgement number with the defined value.
content - compares the packet payload with the defined value.


When the msg keyword is used in a rule, Snort's logging and alerting insert the defined message into the log file or the alert, for example msg: "text here";. When ttl is used, Snort compares the packet against the given Time To Live value; this is often used to detect traceroute, for example ttl: "time-value";. With the id keyword, Snort compares the IP header's fragment identification field with the given value: id: "id-value";. The flags option has several forms depending on which flags are to be compared; the flag values are written as follows:
F for the FIN flag
S for the SYN flag
R for the RST flag
P for the PSH flag
A for the ACK flag
U for the URG flag
2 for reserved bit 2
1 for reserved bit 1
0 for no TCP flags set
Logical operators can be applied to the flags option: + matches when all the listed flags are set (other flags may be set as well), * matches when any of the listed flags is set, and ! matches when the listed flags are not set. Here is an example of the flags option in a Snort rule that detects SYN-FIN scans:

alert tcp any any -> 10.0.0.0/24 any (msg: "SYN FIN Scan Possible"; flags: SF;)

The ack option matches the acknowledgement number in the packet's TCP header; Nmap, for example, uses ACK packets to find out whether a host exists.


Of all the keywords, content is the most important: when content is used, Snort inspects the packet payload and compares it with the value given in content, and if it matches, the corresponding actions are taken. Note that the values used with content are case sensitive (upper and lower case are distinguished), which also keeps the comparison efficient on low-end machines. The simple syntax of the content keyword is content: "content value";. There are many other keywords; see the man page (Snort on Linux) or the help output (Snort on Windows).
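The rule syntax explained in IV.2.2 and IV.3.3, made concrete as an added example that is not Snort's code and not part of the original document: a small matcher that parses rule headers and the msg, flags, content and nocase options, then runs the rules from the text above over constructed packets. The value of $HOME_NET and the packets are assumptions; real Snort also runs preprocessors and supports many more options.

```python
"""Minimal matcher for the Snort rule syntax shown in IV.2.2 and IV.3.3 (added example,
not Snort's code). Supports: header with any / CIDR / [a,b] lists / ! negation / $VAR
addresses, any / N / lo:hi / :hi / lo: / !N ports, -> and <>; options msg, flags (exact,
0, +, *), content and nocase. $HOME_NET and the sample packets are assumptions."""
import ipaddress
import re

VARS = {"HOME_NET": "10.0.10.0/24", "EXTERNAL_NET": "!$HOME_NET"}   # assumed snort.conf values
# TCP flag bits by their Snort letters; 1 and 2 are the two reserved bits above URG.
FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32, "2": 64, "1": 128}
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?$")

def expand(spec):
    """Substitute $VAR references; !$HOME_NET becomes !10.0.10.0/24."""
    while "$" in spec:
        spec = re.sub(r"\$(\w+)", lambda m: VARS[m.group(1)], spec)
    return spec

def ip_matches(spec, ip):
    spec = expand(spec)
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("["):                      # [10.0.1.0/24,10.0.0.0/24]
        return any(ip_matches(p, ip) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:                               # 1:1024, :1024 (<=1024), 1024: (>=1024)
        lo, hi = spec.split(":")
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return port == int(spec)

def flags_match(spec, tcp_flags):
    """flags:SF exact set, flags:0 none set, +SF all listed (others allowed), *SF any listed."""
    mod = spec[0] if spec[0] in "+*" else ""
    wanted = sum(FLAG_BITS[c] for c in spec[len(mod):].replace("0", ""))
    if mod == "+":
        return tcp_flags & wanted == wanted
    if mod == "*":
        return tcp_flags & wanted != 0
    return tcp_flags == wanted

def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for item in filter(None, (o.strip() for o in (opts or "").split(";"))):
        key, _, value = item.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return {"action": action.lower(), "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    def one_way(src, sport, dst, dport):
        return (ip_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"]) and
                ip_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))
    ok = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if rule["dir"] == "<>":                       # bidirectional: try the other orientation too
        ok = ok or one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    o = rule["options"]
    if not ok or ("flags" in o and not flags_match(o["flags"], pkt.get("flags", 0))):
        return False
    if "content" in o:
        needle, hay = o["content"].encode(), pkt.get("payload", b"")
        if "nocase" in o:                         # default is case-sensitive, as the text says
            needle, hay = needle.lower(), hay.lower()
        return needle in hay
    return True

def evaluate(rules, pkt):
    """(action, msg) of every rule the packet matches, in file order."""
    return [(r["action"], r["options"].get("msg", "")) for r in rules if matches(r, pkt)]

RULES = [parse_rule(r) for r in [                 # the rules discussed in the text
    'alert tcp any any -> $HOME_NET any (msg:"SYN-FIN scan detected"; flags:SF;)',
    'alert tcp any any -> $HOME_NET any (msg:"NULL scan detected"; flags:0;)',
    'alert tcp any any -> any any (content:"password"; msg:"Possible Password Transmitted";)',
    'alert icmp any any -> any any (msg:"ICMP Traffic Alerted";)',
    'log tcp $HOME_NET any <> $EXTERNAL_NET 21 (msg:"FTP session";)',
    'log tcp any any -> any any (msg:"TCP Traffic Logged";)',
]]

SF, AP = FLAG_BITS["S"] | FLAG_BITS["F"], FLAG_BITS["A"] | FLAG_BITS["P"]
PACKETS = {                                       # constructed sample packets (not captures)
    "syn_fin_scan": dict(proto="tcp", src="203.0.113.9", sport=40000, dst="10.0.10.5", dport=22, flags=SF),
    "password": dict(proto="tcp", src="10.0.10.5", sport=51000, dst="198.51.100.20", dport=80, flags=AP,
                     payload=b"user=bob&password=hunter2"),
    "ftp_banner": dict(proto="tcp", src="198.51.100.20", sport=21, dst="10.0.10.5", dport=51001, flags=AP,
                       payload=b"220 FTP ready"),
    "ping": dict(proto="icmp", src="10.0.10.5", sport=0, dst="198.51.100.20", dport=0),
}
```

evaluate(RULES, PACKETS["password"]) returns the password alert followed by the TCP log entry, while the same payload with a capital P only produces the log entry, which is the case-sensitivity of content in action; the FTP banner packet shows why the <> operator is needed, since the server-to-client half of the session has port 21 on the source side.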


Chng V: M phng h thng Honeypots


V.1 Tng hp cu hnh Honeypots
Phn trn cho thy cch cu hnh v thit lp topology mng s dng Honeyd. Bng cch dng mt s lnh kt hp vi nhau ta gi lp cc mng phc tp v m hnh hot ng ca mng. Mng thit lp bao gm cc tnh nng sau: - Nhiu im vo - Nhiu trm a ti ch - Lin kt vi tr truyn, tn tht v bng thng - Tch hp my vt l bn ngoi vo topo mng - Thit lp Honeyd phn tn vi ng hm GRE Vi mi phin bn mi ca Honeyd, cng ngy cng c thm cc chc nng mi v hu ch c pht trin thm. ################################################# #tp tin: honeyd.config for a sample network #a virtual network step-by-step. The network we simulate #has multiple hops, two entry points, a GRE tunnel to a remote location # and integrates external physical hosts to the virtual network. ################################################# #To create the router at the entry point, use the #route entry command and specify the IP address of #the router and the network reachable through it. route entry 10.0.0.100 network 10.0.0.0/16 #To specify the IP addresses directly reachable from #a router, use the route link configuration. In the #example below, we specify that the 10.0.1.0/24 #network is directly reachable from the 10.0.0.100 router. route 10.0.0.100 link 10.0.1.0/24 # Add a new router connected to an existing router
___________________________________________________________________________

Honeypots

54

#in the network by using the route add net #directive. Specify the network range that can be #reached by the new router and the IP address of the #new router. In the example below, we add #10.0.1.100 as a new router that serves the #10.1.0.0/16 network and connected to the first #router 10.0.0.100 route 10.0.0.100 add net 10.1.0.0/16 10.0.1.100 #Specify the range of IP addresses that are directly #reachable from the new router with the route link #configuration. Here, we indicate that 10.1.0.0/16 #is directly accessible from the router 10.0.1.100 we #newly added route 10.0.1.100 link 10.1.0.0/16 #Here we add another router connected to 10.0.1.100 #that can reach the 10.1.1.0/24 network. The new #router takes the IP 10.1.0.100. Additionally, we #also specify the network characteristics of that #link using the latency, loss and bandwidth keywords. route 10.0.1.100 add net 10.1.1.0/24 10.1.0.100 latency 50ms loss 0.1 bandwidth 1Mbps #With the route link configuration, we next #specify that the 10.1.1.0/24 network is directly #accessible from the 10.1.0.100 router. route 10.1.0.100 link 10.1.1.0/24 #External physical machines can be integrated into the #virtual network topology of the honeynet. The bind #to interface configuration is used to attach external #machines into the network. In our example here, #the external machine at 10.1.1.53 is integrated #into the virtual network through eth0.

___________________________________________________________________________

Honeypots

55

bind 10.1.1.53 to eth0 #Multiple entry points may be defined in Honeyd for the #virtual network by using additional route entry #configurations. Here we add 10.0.0.200 as a new entry #router and then define an entire network behind it. route entry 10.0.0.200 network 10.2.0.0/16 route 10.0.0.200 link 10.2.0.0/24 route 10.0.0.200 add net 10.2.1.0/24 10.2.0.100 route 10.2.0.100 link 10.2.1.0/24 # We can setup GRE tunnels to other networks located across #a WAN or the Internet by using the tunnel keyword. #For simplicity, we first create a dedicated virtual router 172.20.254.1 #for the GRE tunneling. The 10.3.2.0/24 network containing Honeypots #is directly connected to this virtual router. #To setup a tunnel to the 10.3.1.0/24 network #located across the WAN, we setup a tunnel with 172.20.254.1 and # 172.30.254.1 as the two points of termination. The destination #router should know how to decapsulate the GRE packets and #route them to the 10.3.1.0/24 network. The source and #destination are specified after the tunnel keyword of the #route add net configuration line as follows. route entry 172.20.254.1 network 10.3.2.0/24 route 172.20.254.1 link 10.3.2.0/24 route 172.20.254.1 add net 10.3.1.0/24 tunnel 172.20.254.1 172.30.254.1 #IP addresses are assigned to virtual hosts that we #want to simulate within Honeyd with the bind #configuration. Here, we bind the Honeypots IPs #to a template called windows that we have defined.

___________________________________________________________________________

Honeypots

56

create windows set windows personality "Windows NT 4.0 Server SP5-SP6" add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl" add windows tcp port 139 open add windows tcp port 137 open add windows udp port 137 open add windows udp port 135 open set windows default tcp action reset set windows default udp action reset bind 10.0.1.51 windows bind 10.0.1.52 windows bind 10.1.0.51 windows bind 10.1.0.52 windows bind 10.1.1.51 windows bind 10.1.1.52 windows bind 10.2.0.51 windows bind 10.2.0.52 windows bind 10.2.1.51 windows bind 10.2.1.52 windows bind 10.3.2.51 windows bind 10.3.2.52 windows #The routers we have created in the virtual network #also need to be bound to templates to model their #behavior. We have created a template called router #and bound the router IP addresses to that template.


create router
set router personality "Cisco IOS 11.3 - 12.0(11)"
set router default tcp action reset
set router default udp action reset
add router tcp port 23 "perl scripts/router-telnet.pl"
set router uid 32767 gid 32767
set router uptime 1327650
bind 10.0.0.100 router
bind 10.0.1.100 router
bind 10.1.0.100 router
bind 10.0.0.200 router
bind 10.2.0.100 router
bind 172.20.254.1 router

V.2 Configuration file for the demo of setting up the Honeypots system


The Honeyd configuration file is named demo_honeyd.config.

Figure 5.1: Diagram of the simulated network, drawn with the Friendly Pinger software.


Routers: R1 with IP 10.0.0.100, R2 with IP 10.0.1.100, R3 with IP 10.0.1.200, R4 with IP 10.1.0.100, R5 with IP 10.2.0.100. All routers run "Cisco 7200 router running IOS 12.1(14)E6"; only R1 has port 23 open, with a telnet service run through a script, while the remaining routers have all ports closed.

Servers and clients: pc1 with IP 10.0.1.51, pc2 with IP 10.0.1.52, pc3 with IP 10.1.0.51, pc4 with IP 10.1.0.52, pc5 with IP 10.1.1.51, pc6 with IP 10.1.1.52, pc7 with IP 10.2.1.51. pc1 and pc7 are servers running Microsoft Windows 2003 Server Enterprise Edition with ports 23 and 80 open for the Telnet and IIS services, run through scripts. pc2 and pc4 run Linux 2.6.8 (Ubuntu) with ports 21 and 80 open for the FTP and IIS services, run through scripts. pc3 runs Microsoft Windows 2003 Server Enterprise Edition with ports 25 and 110 open for the SMTP and POP3 services, run through scripts. pc5 and pc6 are clients running Microsoft Windows XP Home Edition; both have ports 138, 139 and 445 open.

#annotate "Cisco 7200 router running IOS 12.1(14)E6"
#annotate "Linux 2.6.8 (Ubuntu)"
#annotate "Microsoft Windows 2003 Server Enterprise Edition"
#annotate "Microsoft Windows XP Home Edition"
# R1 (10.0.0.100) is the entry router; the 10.1.x and 10.2.x subnets
# are reached through R2 (10.0.1.100) and R3 (10.0.1.200).
route entry 10.0.0.100 network 10.0.1.0/24
route 10.0.0.100 link 10.0.1.0/24
route 10.0.0.100 link 10.0.0.100/32
route 10.0.0.100 add net 10.1.0.0/24 10.0.1.100
route 10.0.0.100 add net 10.1.1.0/24 10.0.1.100
route 10.0.0.100 add net 10.2.0.0/24 10.0.1.200
route 10.0.0.100 add net 10.2.1.0/24 10.0.1.200
route 10.0.1.100 link 10.1.0.0/24
route 10.0.1.100 link 10.0.1.100/32
# Link parameters: loss is given as a percentage with a decimal point.
route 10.0.1.100 add net 10.1.1.0/24 10.1.0.100 latency 500ms loss 0.5 bandwidth 1Mbps
route 10.0.1.200 link 10.2.0.0/24
route 10.0.1.200 link 10.0.1.200/32
route 10.0.1.200 add net 10.2.1.0/24 10.2.0.100
route 10.1.0.100 link 10.1.1.0/24
route 10.1.0.100 link 10.1.0.100/32
route 10.2.0.100 link 10.2.1.0/24
route 10.2.0.100 link 10.2.0.100/32
# Host templates: services are emulated by the scripts shipped with WinHoneyd.
create linux
set linux ethernet "vmware"
set linux personality "Linux 2.6.8 (Ubuntu)"
set linux default icmp action reset
set linux default tcp action reset
set linux default udp action reset
add linux tcp port 21 "sh scripts\ftp.sh"
add linux tcp port 80 "perl scripts\iisemulator-0.95\iisemul8.pl"
create router1
set router1 ethernet "vmware"
set router1 personality "Cisco 7200 router running IOS 12.1(14)E6"
set router1 default icmp action reset
set router1 default tcp action reset
set router1 default udp action reset
add router1 tcp port 23 "perl scripts\router-telnet.pl"
create router2
set router2 ethernet "vmware"
# The personality string must match an entry in nmap.prints exactly.
set router2 personality "Cisco 4000 Series running IOS 12.0(10.3)"
set router2 default icmp action reset
set router2 default tcp action reset
set router2 default udp action reset
create win2k3_1
set win2k3_1 ethernet "vmware"
set win2k3_1 personality "Microsoft Windows 2003 Server Enterprise Edition"
set win2k3_1 default icmp action block
set win2k3_1 default tcp action reset
set win2k3_1 default udp action reset
add win2k3_1 tcp port 23 "perl scripts\faketelnet.pl"
add win2k3_1 tcp port 80 "perl scripts\iisemulator-0.95\iisemul8.pl"
create win2k3_2
set win2k3_2 ethernet "vmware"
set win2k3_2 personality "Microsoft Windows 2003 Server Enterprise Edition"
set win2k3_2 default icmp action reset
set win2k3_2 default tcp action reset
set win2k3_2 default udp action reset
add win2k3_2 tcp port 25 "perl scripts\smtp.pl"
add win2k3_2 tcp port 110 "sh scripts\pop3.sh"
create winxp
set winxp ethernet "vmware"
set winxp personality "Microsoft Windows XP Home Edition"
set winxp default icmp action reset
set winxp default tcp action reset
set winxp default udp action reset
add winxp udp port 138 open
add winxp tcp port 139 open
add winxp tcp port 445 open
set winxp uptime 2230938
set winxp droprate in 0.005
set winxp uid 202909 gid 1389090
# Bind every router and host IP of the diagram to its template.
bind 10.0.0.100 router1
bind 10.0.1.100 router2
bind 10.0.1.200 router2
bind 10.0.1.51 win2k3_1
bind 10.0.1.52 linux
bind 10.1.0.100 router2
bind 10.1.0.51 win2k3_2
bind 10.1.0.52 linux
bind 10.1.1.51 winxp
bind 10.1.1.52 winxp
bind 10.2.0.100 router2
bind 10.2.1.51 win2k3_1

Command to run the configuration file above:

C:\winhoneyd-1.5c\WinHoneyd_1.5c.exe -d -p nmap.prints -a nmap.assoc -x xprobe2.conf -i 2 -f C:\winhoneyd-1.5c\demo_honeyd.config -l C:\winhoneyd-1.5c\log\honeyd 10.0.0.100 10.0.1.100 10.0.1.200 10.0.1.51 10.0.1.52 10.1.0.100 10.1.0.51 10.1.0.52 10.1.1.51 10.1.1.52 10.2.0.100 10.2.1.51
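Both configuration files above (the Paladion-style topology with its GRE tunnel and demo_honeyd.config) are easy to get subtly wrong: a bind to an address that no router links, a gateway named on a router it is not attached to, or a host outside every entry network quietly produces a honeypot that nothing can reach. The following Python script is an added example, not part of this report or of Honeyd. It parses the statements used above and, for every bound IP, walks the virtual routers the way the route/link/add net lines describe, reporting unreachable binds and undefined templates. Its sample configuration is constructed from the demo file, with the entry network widened to 10.0.0.0/8 and a GRE tunnel line added; the assumption that a destination is only routed through the topology when it lies inside some "route entry ... network" should be verified against your Honeyd version.

```python
"""Topology consistency check for a Honeyd configuration file.

Added example for this report; it is not part of the report's files or of
Honeyd.  It parses the subset of the Honeyd grammar used in the report (route
entry, route link, route add net, create, add port, bind) and answers, for each
bound IP, "which virtual routers would a packet cross to reach it?".  Unreachable
honeypots and bindings to undefined templates are reported.
Assumption (verify against your Honeyd version): a destination is only routed
through the virtual topology when it lies inside the network declared on some
"route entry ... network" line.
"""
import ipaddress
import shlex

# Constructed sample modelled on the report's demo_honeyd.config, with the entry
# network widened to 10.0.0.0/8 so it covers every honeypot subnet and a GRE
# tunnel line added; "set" lines that do not affect routing are omitted.
SAMPLE_CONFIG = r"""
route entry 10.0.0.100 network 10.0.0.0/8
route 10.0.0.100 link 10.0.1.0/24
route 10.0.0.100 link 10.0.0.100/32
route 10.0.0.100 add net 10.1.0.0/24 10.0.1.100
route 10.0.0.100 add net 10.1.1.0/24 10.0.1.100
route 10.0.0.100 add net 10.2.0.0/24 10.0.1.200
route 10.0.0.100 add net 10.2.1.0/24 10.0.1.200
route 10.0.0.100 add net 10.3.1.0/24 tunnel 10.0.0.100 192.0.2.1
route 10.0.1.100 link 10.1.0.0/24
route 10.0.1.100 link 10.0.1.100/32
route 10.0.1.100 add net 10.1.1.0/24 10.1.0.100 latency 500ms loss 0.5 bandwidth 1Mbps
route 10.0.1.200 link 10.2.0.0/24
route 10.0.1.200 link 10.0.1.200/32
route 10.0.1.200 add net 10.2.1.0/24 10.2.0.100
route 10.1.0.100 link 10.1.1.0/24
route 10.1.0.100 link 10.1.0.100/32
route 10.2.0.100 link 10.2.1.0/24
route 10.2.0.100 link 10.2.0.100/32
create linux
set linux personality "Linux 2.6.8 (Ubuntu)"
add linux tcp port 21 "sh scripts\ftp.sh"
create router1
add router1 tcp port 23 "perl scripts\router-telnet.pl"
create winxp
add winxp tcp port 445 open
bind 10.0.0.100 router1
bind 10.0.1.52 linux
bind 10.1.1.51 winxp
bind 10.2.1.51 linux
"""


def parse_config(text):
    """Return (entries, routers, templates, bindings) for the statements we model."""
    entries, routers, templates, bindings = {}, {}, {}, {}

    def router(ip):
        return routers.setdefault(ip, {"links": [], "nets": []})

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in Honeyd
        if not line:
            continue
        tok = shlex.split(line)
        if tok[0] == "route" and tok[1] == "entry":
            entries[tok[2]] = ipaddress.ip_network(tok[4])   # route entry R network N
            router(tok[2])
        elif tok[0] == "route" and tok[2] == "link":
            router(tok[1])["links"].append(ipaddress.ip_network(tok[3]))
        elif tok[0] == "route" and tok[2:4] == ["add", "net"]:
            # route R add net N GATEWAY [latency ...]   or   ... N tunnel SRC DST
            gw = None if tok[5] == "tunnel" else tok[5]
            router(tok[1])["nets"].append((ipaddress.ip_network(tok[4]), gw))
        elif tok[0] == "create":
            templates.setdefault(tok[1], [])
        elif tok[0] == "add" and tok[3] == "port":
            templates.setdefault(tok[1], []).append((tok[2], int(tok[4]), tok[5]))
        elif tok[0] == "bind" and tok[2] != "to":   # "bind IP to IFACE" is skipped
            bindings[tok[1]] = tok[2]
    return entries, routers, templates, bindings


def trace(entries, routers, ip, max_hops=32):
    """Router IPs crossed to reach ip (ending in "tunnel" for a GRE hand-off), or None."""
    addr = ipaddress.ip_address(ip)
    start = [r for r, net in entries.items() if addr in net]
    if not start:
        return None                                   # outside every entry network
    cur, path = start[0], [start[0]]
    for _ in range(max_hops):
        r = routers.get(cur)
        if r is None:
            return None                               # gateway has no router statements
        if any(addr in net for net in r["links"]):
            return path                               # directly attached here
        candidates = [(net, gw) for net, gw in r["nets"] if addr in net]
        if not candidates:
            return None                               # no route on this router
        net, gw = max(candidates, key=lambda c: c[0].prefixlen)   # most specific wins
        if gw is None:
            return path + ["tunnel"]                  # handed to the remote GRE endpoint
        if gw in path or not any(ipaddress.ip_address(gw) in n for n in r["links"]):
            return None                               # loop, or gateway not attached
        path.append(gw)
        cur = gw
    return None


def check(text):
    """Human-readable problems for every bound IP; an empty list means consistent."""
    entries, routers, templates, bindings = parse_config(text)
    problems = []
    for ip, tmpl in sorted(bindings.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if tmpl not in templates:
            problems.append(f"{ip}: bound to undefined template '{tmpl}'")
        if trace(entries, routers, ip) is None:
            problems.append(f"{ip}: no path from an entry router")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for p in check(text) or ["no topology problems found"]:
        print(p)
```

Run it with the path of a Honeyd configuration file as the only argument; with no argument it checks the embedded sample. Because the walk stops at the first router whose links contain the address, the hop list it returns is also what a tracert from outside the entry router should show, which makes it a quick cross-check for Figure 5.2.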


After the command above is run, the Honeyd machine creates a system of simulated computers with services and open ports. A client machine running Windows XP with the address 10.0.0.14 has the scanning software installed. First we demonstrate that the virtual network has been created by using tools such as Net Tools, Friendly Pinger and SolarWinds LANsurveyor. SolarWinds LANsurveyor scans and draws the network diagram of the whole system, but because it scans each IP address in turn it is not well suited to a network with many subnets and different IP ranges, so it is replaced with Friendly Pinger. This tool does not scan IPs; instead it is used to build a network diagram that we configure ourselves to match the network model created in Honeyd: we add the routers, computers and lines with their corresponding IP addresses, then use the tool's own utilities to prove that the virtual network exists. Figure 5.1 illustrates this.

Figure 5.2: Tracert 10.2.1.51, illustrating the network model in operation.


Another way is to use Net Tools, but this tool does not show the network diagram; it only scans IPs to see which addresses are alive. Using the basic tools above shows that a virtual network has been created; the next step is to find out which services the network offers and which ports are open. For this we use nmap. nmap is a very powerful and long-renowned port scanner, trusted by hackers as well as by network administrators. It supports all port-scanning methods and OS (operating system) scanning, and it also supports scanning for hostnames and for the services running on a system. nmap now has both a graphical interface and a command-line interface, and runs on both *NIX and Windows. nmap is free to download at: http://nmap.org/download.html. Below is how nmap is used to scan.

Figure 5.3: nmap run options


Figure 5.4: nmap run options

Scan types supported by Nmap:
nmap -sT: -s means Scan, and T means TCP scan
nmap -sU: UDP scan
nmap -sP: Ping scan
nmap -sF: FIN scan
nmap -sX: XMAS scan
nmap -sN: NULL scan
nmap -sV: scan for the names of the applications and their versions
nmap -sR / -I RPC: RPC scan

Advanced options combined with the scan types in Nmap:


-O: used to find out which operating system the target host runs. For example, to make Nmap use the XMAS scan method and guess the operating system of http://www.stsi.com.vn/, use the command: nmap -sX -O http://www.stsi.com.vn/
-p: the range of ports to scan: nmap -p 1-1024 10.0.0.1 scans ports 1 to 1024, and nmap -p 80 10.0.0.0/24 scans only port 80; this option can also be combined with service names such as ftp and http to scan them directly: nmap -p ftp,http 10.0.0.0/24

Figure 5.5: Scanning ports and services

-F: only the ports in Nmap's scan list
-v: scan twice, to increase the reliability and effectiveness of whichever scan method is in use
-P0: do not ping before scanning, to reduce the chance that scan-blocking processes on web sites or servers stop the scan. For example, to scan the web site http://www.stsi.com.vn/ with a UDP scan of ports 1 to 1024, twice for better results, and without pinging the site first: nmap -sU -p 1-1024 -v -P0 http://www.stsi.com.vn/
nmap also supports hidden scans to evade scan-detection processes on the server, e.g. -D decoy_host1,decoy2 hides the scan.
-6: IPv6 scan
Nmap also has options for writing its results in many different file formats.


Figure 5.6: TCP scan

Figure 5.7: UDP scan

After discovering the services and open ports on the routers and servers, we try in turn to find ways to intrude, while running Snort to write logs and alerts:

snort -dve -i2 -l c:/snort/log -c c:/snort/rules/demo.rules -h 10.0.0.0/24

Running the command above on the Honeyd machine that builds the Honeypots, Snort starts listening. On the client with IP address 10.0.0.14, simple commands such as ping, telnet and ftp are issued to the Honeypots; the results of these commands are logged by Snort and alerts are raised.

Figure 5.8: Ending the intrusion-detection monitoring


Figure 5.9: Directory containing the log files

Figure 5.10: Contents of the alert.ids file


Figure 5.11: Log file showing an ftp connection

Figure 5.12: Log file showing a telnet connection

Continuing with the file demo1.rules, whose contents are:

alert tcp any any -> any 23 (msg: "Telnet Connection => Attempt";)
alert tcp any any -> any any (msg: "ACK => scan detected"; flags: SA;)
alert tcp any any -> any any (msg: "SYN => scan detected"; flags: S;)
alert tcp any any -> any any (msg: "NULL scan detected"; flags: 0;)
alert tcp any any -> any any (msg: "O/S Fingerprint => detected"; flags: S12;)

Run this file with the command:

snort -dve -i2 -l c:/snort/alert -c c:/snort/rules/demo1.rules -h 10.0.0.0/24

Once started, Snort listens; on the client, use Nmap to scan: nmap -sA 10.0.0.1, nmap -sS 10.0.0.1. Back on the Honeyd server that builds the Honeypots, watching the folder c:\snort\alert shows the file alert.ids containing the warnings, as well as the log file:


Figure 5.13: Alert directory, which also contains the log folder

Figure 5.14: Log file showing the nmap scan

Figure 5.15: Contents of the alert file
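To see which of the five demo1.rules entries fire on what traffic before trusting the alert.ids file, the following Python script is an added example (not from the report and not Snort) that implements only the parts of the rule language those rules use and evaluates them over a few constructed TCP segments between the client 10.0.0.14 and pc1. It follows Snort's exact-match semantics for an unmodified flags option, which is why the "O/S Fingerprint" rule needs S12 and why the "ACK => scan detected" rule (flags: SA) matches a server's SYN/ACK reply but not an ACK-only probe of the kind nmap -sA sends; the segment names and port numbers are constructed for the example.

```python
"""Evaluate the report's demo1.rules against constructed TCP segments.

Added example, not from the report or from Snort.  It implements just enough of
Snort's rule language to run the five rules: the header (action, protocol,
addresses, ports and "any" wildcards) and the "msg" and "flags" options, using
Snort's exact-match flag semantics (no modifier means the segment's flag byte
must equal the listed flags, reserved bits 1 and 2 included).
"""
import re

# Snort flag letters -> TCP flag bits; Snort names the two reserved/ECN bits
# "1" (ECE, 0x40) and "2" (CWR, 0x80).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}

# The report's demo1.rules, embedded so the block runs stand-alone.
DEMO1_RULES = r'''
alert tcp any any -> any 23 (msg: "Telnet Connection => Attempt";)
alert tcp any any -> any any (msg: "ACK => scan detected"; flags: SA;)
alert tcp any any -> any any (msg: "SYN => scan detected"; flags: S;)
alert tcp any any -> any any (msg: "NULL scan detected"; flags: 0;)
alert tcp any any -> any any (msg: "O/S Fingerprint => detected"; flags: S12;)
'''

# action proto src sport -> dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def flags_to_bits(spec):
    """'SA' -> 0x12; Snort's '0' means no flags set."""
    if spec == "0":
        return 0
    return sum(FLAG_BITS[c] for c in spec)


def parse_rules(text):
    """Parse rules into dicts; only the options the demo rules use are kept."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        action, proto, src, sport, dst, dport, body = m.groups()
        opts = {}
        for opt in filter(None, (o.strip() for o in body.split(";"))):
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
        rules.append({
            "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "msg": opts.get("msg", ""),
            "flags": flags_to_bits(opts["flags"]) if "flags" in opts else None,
        })
    return rules


def _addr_ok(spec, addr):
    return spec == "any" or spec == addr


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def matching_rules(rules, pkt):
    """Return the msg of every rule that fires on the segment record pkt."""
    hits = []
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if not (_addr_ok(r["src"], pkt["src"]) and _port_ok(r["sport"], pkt["sport"])
                and _addr_ok(r["dst"], pkt["dst"]) and _port_ok(r["dport"], pkt["dport"])):
            continue
        # flags without a modifier: the whole flag byte must match exactly
        if r["flags"] is not None and pkt["flags"] != r["flags"]:
            continue
        hits.append(r["msg"])
    return hits


def segment(src, sport, dst, dport, flags):
    """Constructed TCP segment record; flags is a Snort-style letter string."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags_to_bits(flags)}


# Constructed traffic between the scanning client (10.0.0.14) and honeypot pc1.
SAMPLE_TRAFFIC = {
    "syn_to_telnet": segment("10.0.0.14", 40001, "10.0.1.51", 23, "S"),
    "syn_to_http":   segment("10.0.0.14", 40002, "10.0.1.51", 80, "S"),
    "synack_reply":  segment("10.0.1.51", 80, "10.0.0.14", 40002, "SA"),
    "ack_probe":     segment("10.0.0.14", 40003, "10.0.1.51", 80, "A"),    # ACK-only, as nmap -sA sends
    "null_probe":    segment("10.0.0.14", 40004, "10.0.1.51", 80, "0"),
    "ecn_syn":       segment("10.0.0.14", 40005, "10.0.1.51", 80, "S12"),  # SYN with reserved bits
}


def run_demo(rules_text=DEMO1_RULES, traffic=SAMPLE_TRAFFIC):
    """Map each constructed segment name to the rule messages it triggers."""
    rules = parse_rules(rules_text)
    return {name: matching_rules(rules, pkt) for name, pkt in traffic.items()}


if __name__ == "__main__":
    for name, msgs in run_demo().items():
        print(f"{name:14s} -> {msgs or 'no alert'}")
```

The result that matters for tuning is the "ack_probe" row: an ACK-only probe fires none of the five rules, so an alert labelled "ACK => scan detected" in alert.ids actually records SYN/ACK segments, which the honeypots themselves send back whenever a scanner completes a handshake. A rule meant for nmap -sA traffic would need flags: A (exact ACK) and, to avoid matching every established connection, a rate threshold or a restriction to ports the honeypot never serves.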


The figures in Chapter V fully show a simulated network system together with its services, and also the alerts raised to detect intrusions. This concludes the tasks carried out in this project.


Conclusion

After studying Honeyd to set up a Honeypots system and implementing it, I have drawn a number of observations:

Knowledge gained. Honeypots are a good choice for trapping hackers and discovering attack methods, as well as for protecting the networks that are essential to businesses and organizations. Creating a virtual computer network together with simulated services is one of the important parts of Honeypots. Some features Honeyd provides for setting up a Honeypots network that were implemented in this project:
+ Simulating complex network topologies.
+ Simulating network services through scripts.
+ Configuring network parameters such as latency, loss rate and bandwidth.
+ Supporting multiple entry routers to serve multiple networks.
The demo shows that the Honeypots system was created, that its services can be used, that the services and ports can be scanned, and that intrusions into the network are detected and alerted on.

Installing and using Honeyd. Honeypots come in many kinds; some tools are free while others must be bought. On the other hand, one advantage is that setting up a Honeypots system does not require powerful hardware, and it can run on many different operating systems.

Limitations. Porting the installation of a Honeypots system built on Linux to Windows caused quite a few difficulties, and it was also not possible to exploit all the functions and operation of Honeyd when creating Honeypots. The study above stopped at Honeyd, one interaction form of Honeypots that belongs to the low-interaction class, so it does not yet fully deliver the best functionality and effectiveness, nor does it create a real system that interacts with the intruder.


Owing to certain difficulties with equipment and practical knowledge, setting up a Honeynet-style Honeypots was not yet successful.

Future directions. Extend the research to other systems and tools that also serve to simulate networks, monitor and detect intrusions, and protect the network. Deploy Snort for intrusion detection together with Honeypots effectively, to improve network protection. Actively apply these systems to the network models of businesses and organizations. The strength of Honeypots is the honeynet. Unlike Honeypots, a Honeynet is a real system, completely like a normal working network. A Honeynet provides real systems, applications and services. The most important element when building a honeynet is the honeywall. The Honeywall is the gateway between the Honeypots and the outside network; it operates at layer 2 as a bridge. All data flows into and out of the Honeypots must pass through the honeywall. From this project, the work can be extended further and deeper by setting up Honeynet-style Honeypots combined with Snort installed on Linux.


