A study of the Snort intrusion detection system and a solution combining Snort with Iptables
Supervisor: Dinh Tien Thanh. Students: Tran Xuan Cuong, Nguyen Hien Hai, Le Khac Giang, Ngo Van Hung
31-Jul-13
Contents
1. Overview of IDS/IPS
1.1 Definition
An IDS/IPS is a system whose task is to monitor, detect and, where possible, prevent intrusions and other unauthorized activity. The IDS collects information from many sources within the system and then analyzes it.
1.2 Components and functions of IDS/IPS
1.3
1.3.2
1.4 How an IDS/IPS works
1.4.1 Misuse detection: the system detects intrusions by looking for actions that correspond to known attack techniques or to known weak points of the system.
1.4.2 Anomaly detection: based on defining and characterizing the acceptable behaviour of the system.
- Static detection
- Dynamic detection
1.4.3 Comparison of the two models: misuse detection and anomaly detection
Misuse detection:
- Effective at detecting known attack types, or variants (small changes) of known attack types. Cannot detect new attack types.
- Easier to configure, since it demands less data collection, analysis and updating.
- Can trigger an alert message on the strength of a definite signature, or provide supporting data for other signatures.
Anomaly detection:
- Consists of a database of normal actions and a search for deviations of the actual actions from the normal ones.
- Effective at detecting new attack types that a misuse-detection system would miss.
- Harder to configure, since it produces more data and requires a comprehensive notion of the known or expected behaviour of the system.
- Produces its results from a statistical correlation between the actual behaviour and the expected behaviour of the system (that is, from the deviation between the observed data and the permitted threshold).
- Can support automatic generation of system profile information, but this takes time and the collected data must be unambiguous.
1.5 Some IDS/IPS products
Cisco IDS-4235: a NIDS able to monitor all network traffic and match each packet to detect signs of intrusion.
ISS Proventia A201: a product of Internet Security Systems. It is neither just hardware nor just software but a whole system of devices deployed in a distributed fashion across the network:
- Intrusion Protection Appliance: stores the network configuration and the matching data. It is a Linux build with network device drivers built for optimal performance.
- Proventia Network Agent: acts as the sensor; placed at sensitive points of the network.
- SiteProtector: the control centre of the Proventia system.
NFR NID-310: a product of NFR Security, consisting of many sensors adapted to different kinds of network.
SNORT:
1.6 Comparison of IDS and IPS
2.1
Snort is a NIDS developed by Martin Roesch under an open-source model. It has many excellent features and is developed in a modular style. Its rule database has grown to 2930 rules. Snort supports the following link types: Ethernet, Token Ring, FDDI, Cisco HDLC, SLIP, PPP and PF of OpenBSD.
2.2 Architecture of Snort
- Packet decoder module (Packet Decoder)
- Preprocessor module (Preprocessors)
- Detection module (Detection Engine)
- Logging and alerting module (Logging and Alerting System)
- Output module
2.2.1 Packet decoder module: Snort uses the pcap library to capture every packet travelling across the network through the system. After decoding, a packet is passed on to the preprocessor module.
2.2.2 Preprocessor module: a very important module that prepares the packet data for analysis by the detection module. It has three main tasks:
- Reassembling packets: the transmitted information is not all packed into a single packet, so Snort must reassemble what it receives to obtain the data in its original form.
- Decoding and normalizing protocols: signature-based intrusion detection often fails when inspecting protocols whose data can be represented in many different forms.
- Detecting anomalous intrusions: dealing with intrusions that cannot, or can only with difficulty, be detected with ordinary rules.
2.2.3 Detection module: detects signs of intrusion. It uses predefined rules to compare against the collected data, and can split a packet into its components and apply rules to each part.
2.2.4 Logging and alerting module: depending on whether the detection module recognized something or not, the packet may be written to a log or an alert may be raised.
2.2.5 Output module: performs different operations depending on how you want the output to be stored. It can do many things:
- Write to a log file
- Write to syslog, the standard for storing log files
- Write alerts to a database
- Create XML log files
- Reconfigure routers and firewalls
- Send alerts packaged in packets using the SNMP protocol
- Send SMB messages
2.3 Snort rules
2.3.1 Introduction
Attacks and intrusions usually leave their own characteristic signs, and this information is used to build Snort rules. Rules can be applied to all the different parts of a packet. A rule may be used to generate an alert message, log a message, or ignore a packet.
2.3.2 Structure of a Snort rule
2.3.2.1 Rule header: contains information about the action the rule will take.
General structure of the header of a Snort rule. The header of a rule consists of the following parts:
Rule Action: specifies the action taken when the rule's conditions are satisfied. An action is carried out only when all the conditions match.
- Pass: tells Snort to ignore the packet
- Log: log the packet to a file or a database
- Alert: send an alert message when a sign of intrusion is found
- Activate: generate an alert and activate another rule to check further conditions
- Dynamic: a rule invoked by other rules whose action is Activate
Protocols: specifies the type of packet the rule applies to: IP, ICMP, TCP/UDP
2.3.2.2 Rule options: follow immediately after the rule header and are enclosed in parentheses. When there are several options they are separated from one another, by ';' as in the examples below, and all of them must be satisfied at the same time.
The ack keyword: in the TCP header the 32-bit ack field indicates the sequence number of the next packet.
alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg: "TCP ping detected";)
The classtype keyword: the file classification.conf is included from snort.conf. Each line has the syntax:
config classification: name, description, priority
- name: used for classification; it is what the classtype keyword in rules refers to
- description: describes this class
- priority: the default priority of this class
config classification: DoS, Denial of Service Attack, 2
The content keyword: a distinctive capability of Snort is finding a data pattern inside the packet. The pattern may be an ASCII string or a binary string.
alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content: "GET"; msg: "GET match";)
The dsize keyword: used to match the length of the payload.
alert ip any any -> 192.168.1.0/24 any (dsize: > 6000; msg: "Goi tin co kich thuoc lon";)
2.4 Snort's prevention mode: Snort Inline
2.4.1 Integrating prevention into Snort: the idea is to combine the blocking capability of Iptables with Snort. This is done by modifying the detection and processing modules so that Snort can interact with Iptables; packets are intercepted through Netfilter.
2.4.2 Additions to the Snort rule structure to support inline mode:
- DROP: asks Iptables to drop the packet and records the information, as the Log action does
- SDROP: the same as DROP but without logging
- REJECT: asks Iptables to reject the packet. Iptables drops the packet and sends a notification back to the sender
Rule precedence order:
- In the original version: activation->dynamic->alert->pass->log
- In inline mode: activation->dynamic->pass->drop->sdrop->reject->alert->log
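As an added example, not part of these slides or of Snort's own code: a small Python model of the rule header and options from 2.3.2 and of the two precedence orders from 2.4.2, run over the three rules quoted on the slides. The parser, the matcher, the two extra pass/drop rules and the packets are constructed for illustration; the model shows why the same ACK-only packet is alerted on in the original order but passed in inline mode.

```python
import re
import ipaddress

# Rule precedence as listed on the slides: the first action found among the matching rules wins.
ORIGINAL_ORDER = ["activate", "dynamic", "alert", "pass", "log"]
INLINE_ORDER = ["activate", "dynamic", "pass", "drop", "sdrop", "reject", "alert", "log"]
HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                       r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):  # split a one-line Snort rule into header fields plus an option dict
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    rule["opts"] = {k.strip(): v.strip().strip('"') for k, v in
                    (i.split(":", 1) for i in rule.pop("opts").split(";") if ":" in i)}
    return rule

def _addr_match(spec, addr):  # 'any', a CIDR, or the negated ![CIDR] form used on the slides
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_match(spec.strip("![]"), addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):  # pkt: constructed dict (proto, src, dst, sport, dport, flags, ack, payload)
    o = rule["opts"]
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    if any(s != "any" and int(s) != pkt[p] for s, p in ((rule["sport"], "sport"), (rule["dport"], "dport"))):
        return False
    if "flags" in o and set(o["flags"]) != set(pkt["flags"]):  # "flags: A" means exactly ACK set
        return False
    if "ack" in o and int(o["ack"]) != pkt["ack"]:
        return False
    if "content" in o and o["content"].encode() not in pkt["payload"]:
        return False
    return "dsize" not in o or len(pkt["payload"]) > int(o["dsize"].lstrip("> "))  # "> N" form only

def decide(rules, pkt, inline=False):  # highest-precedence action among all matching rules
    hits = {r["action"] for r in rules if rule_matches(r, pkt)}
    return next((a for a in (INLINE_ORDER if inline else ORIGINAL_ORDER) if a in hits), None)

# The three rules quoted on the slides plus two constructed rules that exercise pass and drop.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg: "TCP ping detected";)',
    'alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content: "GET"; msg: "GET match";)',
    'alert ip any any -> 192.168.1.0/24 any (dsize: > 6000; msg: "Goi tin co kich thuoc lon";)',
    'pass tcp 10.0.0.5 any -> 192.168.1.0/24 any (msg: "constructed: trusted scanner";)',
    'drop tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg: "constructed: drop TCP ping";)')]
```

For an ACK-only packet from 10.0.0.5 the alert, pass and drop rules all match: `decide(RULES, pkt)` returns "alert" under the original order and "pass" under `inline=True`, while the same packet from any other host is dropped in inline mode.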