Part 1: OVERVIEW OF INTRUSION DETECTION SYSTEMS (IDS)
In this part I will cover the following topics:
1. Definition of an IDS
2. Functions of an IDS
3. Architecture of an IDS
4. Classification of IDS
5. Tools that support an IDS
6. Processing techniques used in an IDS
7. Basic differences between an IDS and an IPS
Part 2: CONFIGURING AND TESTING AN INTRUSION DETECTION SYSTEM WITH SNORT IDS SOFTWARE
1. Introduction to Snort IDS Software
2. Installation and configuration (on both environments: Linux and Windows)
3. Snort deployment model
1. Definition of an IDS:
1.1. Definition:
- An IDS (Intrusion Detection System) is a system that monitors network traffic and suspicious activity and raises alerts to the system and its administrators.
- An IDS can also distinguish between attacks from the inside (by people within the company) and attacks from the outside (by hackers).
- An IDS detects either on the basis of specific signatures of known threats (the same way antivirus software relies on specific signatures to detect and remove viruses) or by comparing current network traffic against a baseline (the system's measured normal parameters) to find anomalies.
1.2. Systems that are not an IDS:
- In a particular sense, the following security devices are not an IDS:
+ Network logging systems used to detect vulnerability to denial-of-service (DoS) attacks on a given network; these include systems that inspect network traffic.
+ Vulnerability assessment tools that check for bugs and holes in the operating system and network services (security scanners).
+ Antivirus products designed to detect malicious code such as viruses, Trojan horses and worms, even though their default features can look very much like an intrusion detection system and often provide an effective tool for finding security holes.
+ Firewalls.
+ Security and cryptographic systems such as VPN, SSL, S/MIME, Kerberos and RADIUS.
2. Functions of an IDS:
- An intrusion detection system lets organizations protect their systems from the threats that come with growing network connectivity and reliance on information systems.
- Threats to network security have become ever more pressing, raising the question for network security professionals of whether to use an intrusion detection system unless
- When an intrusion is detected, the IDS issues alerts about the event to the system administrators.
- The next step is taken by the administrators, or possibly by the IDS itself, by using additional countermeasures (lock-out functions that limit sessions, system backup, routing connections to a system trap, a valid infrastructure, ...) according to the organization's security policies (Figure
- The role of the sensor is to filter information and discard non-matching data obtained from the events related to the protected system, so that suspicious actions can be detected. The analyzer uses the detection policy database for this purpose.
- There are also other components: attack signatures, profiles of normal behaviour, and the required parameters (for example thresholds). In addition, the database holds the configuration parameters, including the communication modes with the response module. The sensor also has its own database, holding stored data about potential complex intrusions (built up from many different actions).
- An IDS can be deployed centrally (for example integrated into a firewall) or distributed. A distributed IDS consists of many different IDSs across a large network, all communicating with each other. Many sophisticated systems follow the agent-structure principle, in which small modules are organized on one host in the protected network. The agent's role is to inspect and filter all actions within the protected area and, depending on the approach adopted, to produce a first-pass analysis and even take charge of the response action. A network of cooperating agents reporting to a central analysis server is one of the important components of an IDS. A DIDS can use many more sophisticated analysis tools, in particular ones equipped to detect distributed attacks. Other roles of an agent relate to its mobility and its ability to roam between physical locations. In addition, agents can be dedicated to detecting a particular known attack signature. This is a deciding factor when it comes to the obligation to protect against new kinds of attack. The multi-agent architecture proposed in 1994 is AAFID (Autonomous Agents For Intrusion Detection). It uses agents to inspect a particular aspect of system behaviour at a given moment. For example, an agent can report an abnormal number of telnet sessions inside the system it inspects. An agent is able to raise an alert when it detects a suspicious event. Agents can be cloned and modified inside other systems (the autonomy feature). In addition to the agents, the system can have transceivers that inspect all the actions controlled by the agents on a particular host. The transceivers always send the results of their operation to a single monitor. The monitors receive information from the networks (not only from one host), which means they can
There are also a few points to note:
- Architecture and placement of the IDS: this depends on the size of the enterprise and the purpose for which it uses the IDS.
- Control strategy: a clear description, for each IDS, of how its input and output information is controlled and inspected:
+ Centralized strategy: operations such as inspection, detection, analysis, response and reporting are controlled directly from a central location.
+ Partially distributed: detection and inspection are done at the component locations and then reported back to the central location.
+ Distributed: each zone has its own centre, representing the main centre, that directly controls the monitoring, inspection and reporting operations.
Advantages of Network-Based IDSs:
- Can cover an entire network segment (many hosts).
- "Transparent" to both users and attackers.
- Simple to install and maintain, without affecting the network.
- Avoids a DoS affecting any particular host.
- Able to identify errors at the Network layer (of the OSI model).
- Independent of the OS.
Limitations of Network-Based IDSs:
- False positives can occur, i.e. the NIDS reports an intrusion when there is none.
- Cannot analyze encrypted traffic (e.g. SSL, SSH, IPsec).
- A NIDS needs to be updated with the latest signatures to be really safe.
- There is a delay between the moment of the attack and the moment the alert is raised. By the time the alert goes out, the system may already be compromised.
- Does not tell whether the attack succeeded.
One of the limitations is bandwidth. Network sensors must receive all the network traffic, reassemble it and analyze it. As network speed increases, so must the capacity of the sensor. One solution is to make sure the network is designed properly to allow several sensors to be placed. As the network grows, more sensors are added to ensure the best communication and security. One way hackers try to hide their activity from a network-based IDS is to fragment their packets. Every protocol has a maximum packet size; if the data sent over the network is larger than this size, the packet is fragmented.
Advantages of a HIDS:
- Able to identify the user involved in an event.
- A HIDS can detect attacks that take place on a single machine, which a NIDS is unable
6. Data processing techniques used in intrusion detection systems
Depending on the kind of method used to detect intrusions, different processing mechanisms (techniques) are also applied to the data of an IDS. Some of these systems are described briefly below.
6.1. Expert system
This system works on a set of predefined rules that describe the
Part 2: CONFIGURING AND TESTING AN INTRUSION DETECTION SYSTEM WITH SNORT IDS SOFTWARE
I. Introduction to Snort IDS Software:
1. Definition of Snort:
- Snort is an open-source product developed to detect unauthorized intrusions into a system using pre-established rules; these rules are based on signatures, protocols and anomalies.
- Snort uses rules stored in text files, which the administrator can edit. The rules are grouped into categories, and the rules of each category are stored in separate files. Snort's main configuration file is snort.conf. Snort reads these rules at start-up and builds data structures that supply the rules for matching traffic that violates them. Finding signatures and using them in rules is a matter that requires care, because the more rules are used, the more processing power is required to collect data in practice. Snort has a set of predefined rules for detecting intrusive actions, and administrators can also add rules of their own. Administrators can also remove some of the predefined rules to avoid false alarms.
- Snort consists of one or more sensors and a main database server. The sensors can be placed in front of or behind the firewall:
+ Monitor attacks against the firewall and the network
- While starting up, Snort displays the mode, the log directory and the interfaces it is listening on. Once start-up is complete, Snort begins printing packets to the screen. This output is fairly basic: it shows only the IP and TCP/UDP/ICMP headers and a few other things. To leave sniffer mode, press Ctrl-C. Snort exits by producing a summary of the captured packets, including protocols and packet fragmentation and reassembly statistics. To see the application data, use the -d flag. This option provides more detailed output:
# snort -vd
- The application data can be seen as plain text in the packet. In this case, the text sent by a DNS server is shown in plain text. For still more detail, including the data-link layer headers, use the -e flag. Using both the -d and -e options displays almost all of the data in the packet:
- The hexadecimal dumps show more data, including both the MAC addresses and the IP addresses. When testing on a network or capturing data with Snort, enabling -vde gives the most information. To save to a log file instead of printing to the console, use:
# snort -dve > ttooip.log
- In summary, these are the options that can be used with Snort's sniffer mode. They can be run on their own or combined with one another.
b. Snort as a packet logger:
- The next step after sniffing packets is logging them. Logging is as simple as adding the -l option followed by the directory in which to store the logs. Snort's default directory is /var/log/snort. If a non-existent directory is specified, Snort reports an error message. The -d, -a and -e options can be used to control how much information is logged for each packet. In the following example the log directory is set to /usr/local/log/snort, and the log files include the packet payloads:
# snort -l /usr/local/log/snort -d
- When running in this mode, Snort collects every packet it sees and stores them in the log directory in a hierarchical layout. In other words, a new directory is created for each captured address, and the data related to that address is stored in that directory. Snort stores packets as ASCII files, with file names derived from the protocol and port number. This layout makes it easy for the administrator to see who is connecting to the network and which ports and protocols they are using (use ls -R to list the log directory). Remember to specify the organization's network variable (in the configuration file or with -h) so that only the organization's network is logged.
- This hierarchical layout is useful when only a limited number of hosts are of interest or when one wants to browse the captured hosts by IP address. However, the log directory can keep growing in both directories and files. If all the traffic on a large network is logged, the Unix inode table (which limits the total number of files on a file system) can overflow before memory does. If someone scans the network and maps all 65536 TCP ports as well as all 65536 UDP ports, there will suddenly be more than 131000 files in a single directory. Such a file explosion can be a serious challenge for any machine and can easily become a DoS attack. Binary logs can be read by Snort, tcpdump or Ethereal. Binary logging increases the speed and portability of packet capture. Most systems can capture and log at 100 Mbps without any problem. To log packets in binary form, use the -b switch (together with -l for the log directory).
- Once packets have been captured, the files just created can be read back with the -r switch. The output looks like Snort's sniffer output. Note that -r cannot be used with -C.
# snort -r /usr/local/log/snort/ttip.log
- In this mode, Snort is not limited to reading the binary data stored in sniffer mode.
c. Snort as a NIDS:
- Snort is an excellent intrusion detection tool. When used as a NIDS, Snort provides near real-time intrusion detection. We will look at the many ways Snort can be used as a NIDS and at all the possible configuration options. In alert mode, Snort needs a configuration file (in fact, simply specifying the location of the snort.conf file puts Snort in this mode). The default location of this file is /etc/snort.conf. To place it elsewhere, the -c switch must be used with the file's location. Alerts are placed in the alert file in the log directory (by default /var/log/snort). Snort exits with an error if the configuration file or the log directory does not exist.
- The default settings for almost all of the entries in this file are quite good (although there will be false alerts). The only variable we have set so far is RULE_PATH, which tells Snort where the rule files are. The alert file is in the /var/log/snort directory. It contains the alerts generated while Snort is running. Snort alerts are classified by alert type. A Snort rule also assigns a priority to an alert. This allows low-priority alerts to be filtered out.
II. Installation and configuration:
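The alert file and rule priorities described in the NIDS section above, as an added example that is not part of the original post or of the Snort project: a Python reader for the one-line "alert_fast" format that parses the classification and priority of each alert and drops the low-priority ones. The line layout assumed is that of Snort 2.x; the sample alerts, their SIDs, addresses and messages are all constructed here.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Pattern for one line of Snort's "alert_fast" output (Snort 2.x layout assumed):
# timestamp [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alerts: SIDs in the local range, RFC 5737 documentation
# addresses, invented messages. The last line is deliberately not an alert.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:1000001:1] LOCAL root shell banner in response [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 192.0.2.10:80 -> 198.51.100.7:51234
01/15-10:23:46.000001  [**] [1:1000002:1] LOCAL oversized DNS query [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:53411 -> 192.0.2.53:53
01/15-10:23:47.500000  [**] [1:1000003:2] LOCAL ICMP echo from outside [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
01/15-10:23:48.250000  [**] [1:1000004:1] LOCAL directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.9:40022 -> 192.0.2.10:80
this line is not an alert and must be skipped
"""

def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Parse one alert_fast line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    fields["priority"] = int(m.group("priority"))  # 1 is the most urgent
    return fields

def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Parse a whole alert file, silently skipping blank and non-alert lines."""
    parsed = (parse_alert(ln) for ln in text.splitlines() if ln.strip())
    return [a for a in parsed if a is not None]

def filter_by_priority(alerts: List[Dict[str, object]], max_priority: int):
    """Keep alerts whose priority number is <= max_priority, i.e. drop low-priority noise."""
    return [a for a in alerts if a["priority"] <= max_priority]

def count_by_classification(alerts: List[Dict[str, object]]) -> Counter:
    """Count alerts per classification; alerts without one are counted as 'unclassified'."""
    return Counter(a["classification"] or "unclassified" for a in alerts)

if __name__ == "__main__":
    for a in filter_by_priority(parse_alerts(SAMPLE_ALERTS), 2):
        print(a["priority"], a["sid"], a["msg"], a["src"], "->", a["dst"])
```

Point parse_alerts at the contents of /var/log/snort/alert to apply the same priority cut to a live sensor's output.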