A study of the Snort intrusion detection system and a solution combining Snort with Iptables

Supervising teacher: inh Tin Thnh
Students: Trn Xun Cng, Nguyn Hin Hi, L Khc Giang, Ng Vn Hng, Nguyn Ngc nh, Bi Vn Ti, Trng Vn Trng, Dng Trung Kin

31-Jul-13

Contents
1. Overview of IDS/IPS
2. Study of applying SNORT in IDS/IPS
3. Installing and configuring Snort on CentOS; combining SNORT with IPTABLES

1. Overview of IDS/IPS

1.1 Definition
An IDS/IPS is a system whose task is to monitor, detect and, where possible, prevent intrusions and other unauthorised activity. An IDS collects information from many sources within the system and then analyses it.

1.2 Components and functions of IDS/IPS

1.3 Classification of IDS/IPS
1.3.1 Network Based IDS (NIDS)
1.3.2 Host Based IDS (HIDS)

1.4 How an IDS/IPS operates
1.4.1 Misuse detection: the system detects attacks by looking for actions that correspond to known attack techniques or to known vulnerable points of the system.
1.4.2 Anomaly detection: based on defining and characterising the behaviour the system considers acceptable. Two variants: static detection and dynamic detection.

1.4.3 Comparison of the two models: misuse detection and anomaly detection

Components
  Misuse detection: a database of attack signatures; searches for exact pattern matches.
  Anomaly detection: a database of normal behaviour; searches for deviations of actual behaviour from normal behaviour.

Effectiveness
  Misuse detection: effective at detecting known attacks or slightly modified variants of known attacks; cannot detect new attacks.
  Anomaly detection: effective at detecting new attacks that a misuse detection system would miss.

Configuration
  Misuse detection: easier to configure, since it demands less data collection, analysis and updating.
  Anomaly detection: harder to configure, since it produces more data and requires a comprehensive notion of the known or expected behaviour of the system.

Basis of the decision
  Misuse detection: conclusions rest on pattern matching.
  Anomaly detection: results rest on a statistical correlation between actual and expected behaviour, that is, on the deviation of the observed data from an allowed threshold.

Alerting
  Misuse detection: can trigger an alert message on the strength of one definite signature, or supply supporting data for other signatures.
  Anomaly detection: can support the automatic generation of system information, but this needs time and the collected data must be unambiguous.

1.5 Some IDS/IPS products
Cisco IDS-4235: a NIDS able to monitor all network traffic and match every packet in order to detect signs of intrusion.
ISS Proventia A201: a product of Internet Security Systems. It is neither hardware nor software alone, but a whole system of devices deployed in a distributed fashion across the network:
  Intrusion Protection Appliance: stores the network configuration and the matching data. It is a Linux build with network device drivers tuned for the purpose.
  Proventia Network Agent: acts as the sensor, placed at sensitive points of the network.
  SiteProtector: the control centre of the Proventia system.
NFR NID-310: a product of NFR Security, consisting of multiple sensors adapted to different kinds of network.
SNORT: covered in section 2.

1.6 Comparison of IDS and IPS

2. STUDY OF APPLYING SNORT IN IDS/IPS

2.1 Introduction to Snort
2.2 Architecture of Snort
2.3 Snort's rule set
2.4 Snort's prevention mode: Snort-Inline

2.1 Introduction to Snort
Snort is a NIDS developed by Martin Roesch under an open-source model. It has many useful features and is built in a modular fashion. Its rule database contains up to 2930 rules. Snort runs on the following link types: Ethernet, Token Ring, FDDI, Cisco HDLC, SLIP, PPP, and PF of OpenBSD.

2.2 Architecture of Snort
Packet decoder module (Packet Decoder)
Preprocessor module (Preprocessors)
Detection module (Detection Engine)
Logging and alerting module (Logging and Alerting System)
Output module

2.2.1 Packet decoder module
Snort uses the pcap library to capture every packet passing through the system on the network. Once decoded, a packet is passed on to the preprocessor module.

2.2.2 Preprocessor module
This is a very important module: it prepares packet data for analysis by the detection module. It has three main tasks:
Reassembling packets: transmitted data is not always carried in a single packet. After receiving the pieces, Snort must join them back together to recover the original data.
Protocol decoding and normalisation: signature-based intrusion detection often fails when inspecting protocols whose data can be represented in several different forms.
Detecting anomalous intrusions: deals with intrusions that cannot be detected, or are hard to detect, with ordinary rules.

2.2.3 Detection module
Detects signs of intrusion. It compares the captured data against the predefined rules, and it can split a packet into its components and apply the rules to each part.

2.2.4 Logging and alerting module
Depending on whether the detection module recognised something, the packet may be written to a log or raised as an alert.

2.2.5 Output module
Performs different operations depending on how you want the output stored. It can:
Write a log file
Write to syslog, the standard facility for storing log files
Write alerts to a database
Produce logs in XML format
Reconfigure a router or firewall
Send alerts packaged in SNMP traps
Send SMB messages

2.3 Snort's rule set
2.3.1 Introduction
Attacks and intrusions usually leave their own distinctive signs, and this information is used to build Snort's rules. Rules can be applied to every part of a packet. A rule can be used to generate an alert message, to log a message, or to ignore a packet.

2.3.2 Structure of a Snort rule

2.3.2.1 The rule header
Contains the action the rule will take. The general structure of a Snort rule header has the following parts:
Rule Action: specifies the action to take when the rule's conditions are satisfied. An action is carried out only when all conditions match.
  Pass: tells Snort to ignore the packet
  Log: logs the packet to a file or a database
  Alert: sends an alert message when a sign of intrusion is found
  Activate: generates an alert and activates another rule to check further conditions
  Dynamic: a rule that is invoked by another rule whose action is Activate
Protocols: the kind of packet the rule applies to: IP, ICMP, TCP, UDP

Address: a source address and a destination address. An address may be a single IP address or a network address; the word any applies the rule to all addresses:
  alert tcp any any -> 192.168.1.10/32 80 (msg:"TTL=100"; ttl:100;)
Negating or excluding an address: a ! placed before the address tells Snort not to examine packets to or from that address:
  alert icmp ![192.168.2.0/24] any -> any any (msg:"Ping with TTL=100"; ttl:100;)
A list of addresses:
  alert icmp ![192.168.2.0/24,192.168.8.0/24] any -> any any (msg:"Ping with TTL=100"; ttl:100;)
Port number: applies the rule to packets to or from one port or a range of ports:
  alert tcp 192.168.2.0/24 23 -> any any (content:"confidential"; msg:"Detected confidential";)
A port range:
  alert udp any 1024:2048 -> any any (msg:"UDP ports";)
Direction: indicates which side is the source and which the destination.

2.3.2.2 Rule options
The options follow the rule header and are enclosed in parentheses. Multiple options are separated by semicolons, and all of them must hold at the same time.
Keyword ack: the 32-bit ack field in the TCP header gives the sequence number of the next expected byte:
  alert tcp any any -> 192.168.1.0/24 any (flags:A; ack:0; msg:"TCP ping detected";)
Keyword classtype: the file classification.config is included from snort.conf. Each of its lines has the syntax
  config classification: name,description,priority
where name is the class name used with the classtype keyword in rules, description describes the class, and priority is the default priority of the class. For example:
  config classification: DoS,Denial of Service Attack,2
Keyword content: Snort's defining capability is searching for a data pattern inside the packet. The pattern may be an ASCII string or a binary string:
  alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content:"GET"; msg:"GET match";)
Keyword dsize: matches the length of the payload:
  alert ip any any -> 192.168.1.0/24 any (dsize:>6000; msg:"Large packet";)

Keyword flags: detects which TCP flag bits are set:
  alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"SYN-FIN packet detected";)
Keyword fragbits: the IP header carries three bits that control fragmentation:
  Reserved Bit (RB): reserved for future use
  Don't Fragment Bit (DF): when set, the packet must not be fragmented
  More Fragments Bit (MF): when set, further fragments of the packet are still on the way; when clear, this is the last fragment (or the only one)
  alert icmp any any -> 192.168.1.0/24 any (fragbits:D; msg:"Dont Fragment bit set";)

2.4 Snort's prevention mode: Snort Inline
2.4.1 Integrating prevention into Snort
The idea is to bring the blocking capability of Iptables into Snort. This is done by modifying the detection and processing modules so that Snort can interact with Iptables; packets are intercepted through Netfilter.

2.4.2 Additions to the Snort rule structure for inline mode
DROP: asks Iptables to discard the packet and records it, as the Log action would
SDROP: like DROP, but without logging
REJECT: asks Iptables to reject the packet: the packet is discarded and a notification is sent back to the sender (a TCP reset for TCP, an ICMP port-unreachable for UDP)
Rule precedence:
  Original version: activation -> dynamic -> alert -> pass -> log
  Inline mode: activation -> dynamic -> pass -> drop -> sdrop -> reject -> alert -> log
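The rule header and options of 2.3.2 and the rule-type precedence of 2.4.2, worked through in one small Python matcher. This is an added example written for this page, not Snort's own code. It models a packet with only the fields these options read, parses the page's own rules (with the quotes Snort requires restored) together with two constructed rules that are not on the page (a hypothetical pass rule for a trusted scanner at 10.0.0.5 and a hypothetical drop rule for SYN-FIN probes), and picks the effective action by the precedence list of each mode. Real Snort flags and fragbits options also accept the +, * and ! modifiers; here the bare form is read as an exact match of the listed bits.

```python
import ipaddress
import re
from dataclasses import dataclass

# Rule-type precedence as stated on this page: the first type present among the matching rules wins.
ORIGINAL_ORDER = ["activation", "dynamic", "alert", "pass", "log"]
INLINE_ORDER = ["activation", "dynamic", "pass", "drop", "sdrop", "reject", "alert", "log"]

@dataclass
class Packet:  # constructed packet model: only the fields the options below inspect
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int            # 0 for icmp
    dst: str
    dport: int
    ttl: int = 64
    flags: str = ""       # TCP flag letters, e.g. "S", "A", "SF"
    ack: int = 1
    df: bool = False      # IP Don't Fragment bit
    mf: bool = False      # IP More Fragments bit
    payload: bytes = b""

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """'action proto src sport -> dst dport (opt:val; ...)'; ';' inside quotes is not supported."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = []
    for part in filter(None, (p.strip() for p in opts.split(";"))):
        key, _, val = part.partition(":")
        options.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "opts": options}

def addr_match(spec, ip):
    """'any', one host/CIDR, or a bracketed comma list; a leading '!' negates."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!").strip("[]")
    hit = spec == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
                               for n in spec.split(","))
    return hit != negate

def port_match(spec, port):
    """'any', a single port, or lo:hi (either bound may be omitted); '!' negates."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    lo, sep, hi = spec.partition(":")
    hit = spec == "any" or (int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(spec))
    return hit != negate

def content_bytes(pattern):
    # ASCII text with |..| hex runs for binary bytes, as in a Snort content option
    return b"".join(bytes.fromhex(seg) if i % 2 else seg.encode()
                    for i, seg in enumerate(pattern.split("|")))

def option_match(key, val, pkt):
    """One option against the packet; bare flags/fragbits are read as 'exactly these bits'."""
    if key in ("msg", "classtype"):
        return True                       # descriptive only, no packet test
    if key == "dsize":
        op, n = re.fullmatch(r"([<>]?)\s*(\d+)", val).groups()
        size, n = len(pkt.payload), int(n)
        return size > n if op == ">" else size < n if op == "<" else size == n
    tests = {
        "ttl": lambda: pkt.ttl == int(val),
        "ack": lambda: pkt.ack == int(val),
        "flags": lambda: set(val) == set(pkt.flags),
        "fragbits": lambda: set(val) == {b for b, on in (("D", pkt.df), ("M", pkt.mf)) if on},
        "content": lambda: content_bytes(val) in pkt.payload,
    }
    return tests[key]()                   # KeyError: option not handled in this example

def rule_matches(rule, pkt):
    """Header and every option must hold; protocol 'ip' covers all three."""
    return (rule["proto"] in ("ip", pkt.proto)
            and addr_match(rule["src"], pkt.src) and addr_match(rule["dst"], pkt.dst)
            and port_match(rule["sport"], pkt.sport) and port_match(rule["dport"], pkt.dport)
            and all(option_match(k, v, pkt) for k, v in rule["opts"]))

def evaluate(pkt, rules, inline=False):
    """(winning action or None, msgs of all matching rules); types a mode lacks (drop in the original order) are skipped."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    present = {r["action"] for r in hits}
    order = INLINE_ORDER if inline else ORIGINAL_ORDER
    return next((a for a in order if a in present), None), [dict(r["opts"]).get("msg", "") for r in hits]

# The page's own rules (quotes restored) plus two constructed ones for the precedence demo.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.10/32 80 (msg:"TTL=100"; ttl:100;)',
    'alert icmp ![192.168.2.0/24,192.168.8.0/24] any -> any any (msg:"Ping with TTL=100"; ttl:100;)',
    'alert tcp 192.168.2.0/24 23 -> any any (content:"confidential"; msg:"Detected confidential";)',
    'alert udp any 1024:2048 -> any any (msg:"UDP ports";)',
    'alert tcp any any -> 192.168.1.0/24 any (flags:A; ack:0; msg:"TCP ping detected";)',
    'alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"SYN-FIN packet detected";)',
    'alert ip any any -> 192.168.1.0/24 any (dsize:>6000; msg:"Large packet";)',
    'alert icmp any any -> 192.168.1.0/24 any (fragbits:D; msg:"Dont Fragment bit set";)',
    'pass tcp 10.0.0.5/32 any -> 192.168.1.0/24 any (msg:"trusted scanner";)',   # constructed
    'drop tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"drop SYN-FIN";)',      # constructed
)]
```

Calling evaluate(Packet("tcp", "10.0.0.5", 40000, "192.168.1.20", 22, flags="SF"), RULES) shows the point of the inline reordering: a SYN-FIN probe from the trusted scanner matches an alert, a pass and a drop rule at once. In the original order the alert type is ranked before pass, so the alert still fires (Snort's -o switch changes that order to pass -> alert -> log); with inline=True, pass is ranked before drop, so the whitelisted host is never blocked, while the same probe from any other host resolves to drop.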

3. INSTALLING AND CONFIGURING SNORT ON CENTOS; COMBINING SNORT WITH IPTABLES

We invite the teacher and our classmates to follow the demo.