
INTRUSION DETECTION SYSTEM

Part 1: OVERVIEW OF INTRUSION DETECTION SYSTEMS (IDS). This part covers the following topics:
1. Definition of an IDS
2. Functions of an IDS
3. Architecture of an IDS
4. Classification of IDS
5. Tools that support an IDS
6. Data-processing techniques used in IDS
7. Basic differences between IDS and IPS

Part 2: CONFIGURING AND TESTING AN INTRUSION DETECTION SYSTEM WITH THE SNORT IDS SOFTWARE.
1. Introduction to the Snort IDS software
2. Installation and configuration (on both environments: Linux and Windows)
3. A Snort deployment model

1. Definition of an IDS:
1.1. Definition:
- An IDS (Intrusion Detection System) is a system that monitors network traffic and suspicious activity and alerts the system and the administrator.
- An IDS can also distinguish attacks from the inside (by people within the organisation) from attacks from the outside (by external attackers).
- An IDS detects either on the basis of signatures of known threats (the way anti-virus software relies on known signatures to detect and remove viruses) or by comparing current network traffic against a baseline (the measured normal parameters of the system) to find anomalies.
1.2. Systems that are not an IDS:
- Taken individually, the following security tools are not intrusion detection systems:
  - Network logging systems used to detect vulnerability to denial-of-service (DoS) attacks on a network; these are systems that check network traffic volume.
  - Vulnerability assessment tools that check for bugs and holes in operating systems and network services (security scanners).
  - Anti-virus products designed to detect malicious code such as viruses, Trojan horses and worms. Their default features can look very much like those of an intrusion detection system, and they often provide an effective tool for detecting security weaknesses.
  - Firewalls.
  - Security and cryptographic systems such as VPN, SSL, S/MIME, Kerberos and RADIUS.
2. Functions of an IDS:
- An intrusion detection system lets an organisation protect its systems against threats that grow with increased network connectivity and increased dependence on information systems.
- Network security threats have become pressing enough that security professionals ask whether they should use an intrusion detection system, unless the properties of intrusion detection are useful to them and compensate for weaknesses in other systems. Whether an IDS should be accepted as an additional component of every secure system is still an open question for many system administrators.
- Many documents describe what an IDS has achieved, but a few reasons can be given for using an IDS:
  - Protecting the integrity of data, ensuring that data in the system stays consistent. The measures taken prevent unauthorised modification or destruction of data.
  - Protecting confidentiality, keeping information from being disclosed.
  - Protecting availability, so that the system is always ready to serve access requests from legitimate users.
  - Protecting privacy, ensuring that users exploit system resources only within the functions and duties assigned to them, and preventing unauthorised access to information.
  - Providing information about intrusions and supporting response, recovery and repair policies.
In short, an IDS can be summarised as follows:
- The most important functions are: monitor, alert, protect.
  - Monitor: network traffic and suspicious activity.
  - Alert: report the state of the network to the system and the administrator.
  - Protect: using default settings and the administrator's configuration, take concrete action against intruders and sabotage.
- Extended functions:
  - Distinguish: "enemies within and without", attacks from inside and attacks from outside.
  - Detect: abnormal signs, based on what is already known or on comparing current network throughput with the baseline.

In addition, an IDS has the following functions:



- Deterring the growth of attacks.
- Compensating for weaknesses that other systems have not addressed.
- Assessing the quality of the system design. After an IDS has run for a while it will inevitably expose weaknesses. Exposing them serves to assess the quality of the network design as well as the way the network administrators have arranged their protection and defences.

3. IDS architecture:


- Today, different IDS are distinguished by the different analysis and checking they perform. Each system has its own strengths and weaknesses, but all of them can be described by the following general model:
3.1. Tasks performed:
- The main task of an intrusion detection system is to protect a computer system by detecting signs of attack.
- Detecting attacks depends on the number and type of appropriate actions (Figure 2.3.1.a).
- Good intrusion prevention requires a good combination of bait and traps equipped for studying threats.
- Diverting the intruder's attention away from the protected resource is another important task.
- The whole system must be checked continuously.
- The data generated by intrusion detection systems is examined carefully (this is the main task of every IDS) to detect signs of attack (intrusion).


- When an intrusion is detected, the IDS issues alerts to the system administrators about the event.
- The next step is taken by the administrators, or possibly by the IDS itself, using additional measures (functions that lock or limit sessions, system backup, routing connections to a system trap, a legitimate infrastructure, and so on) according to the organisation's security policies (Figure 2.3.1.b). An IDS is one component of the security policy.
- Among the various IDS tasks, identifying the intruder is one of the basic ones.
- It is also useful for forensic study of the circumstances and for installing appropriate patches, so that future attacks aimed at specific individuals or system resources can be detected.
- Intrusion detection can sometimes produce false alarms, for example because of problems caused by a network interface malfunction, or when attack descriptions or signatures are sent through mail.

3.2. Architecture of an intrusion detection system:


- The architecture of an IDS consists of these main components: the information collection component, the detection (packet analysis) component, and the response component, which acts if a packet is identified as an attack. Of the three, the analysis component is the most important, and within it the sensor plays the decisive role, so we look at the sensor to understand the architecture of an IDS better.
- The sensor is integrated with the data collection component (Figure 2.3.2.c), an event generator. The way data is collected is determined by the event-generation policy, which defines the filtering mode for event information. The event generator (operating system, network, application) supplies a suitable set of events according to that policy, which may be a log of system events or network packets. This set of events, together with the policy information, may be stored on the protected system or outside it. In some cases, for example when the event stream is passed directly to the analyser, no data is stored at all. This applies to some extent to network packets as well.


- The role of the sensor is to filter information and discard irrelevant data obtained from events related to the protected system, so that suspicious actions can be detected. The analyser uses a detection policy database for this purpose.
- Other components are: attack signatures, normal behaviour profiles, and the necessary parameters (for example thresholds). In addition, the database holds configuration parameters, including the communication modes with the response module. The sensor also has its own database, holding stored data about potential complex intrusions (made up of several different actions).
- An IDS may be arranged centrally (for example integrated into a firewall) or distributed. A distributed IDS consists of many different IDS on a large network, all communicating with each other. Many sophisticated systems follow the agent-structure principle, where small modules are organised on each host in the protected network. The role of the agent is to check and filter all activity inside the protected area and, depending on the method adopted, to perform initial analysis and even to take responsive action. A network of cooperating agents reporting to a central analysis server is one of the important components of an IDS. A DIDS can use more sophisticated analysis tools, especially ones equipped to detect distributed attacks. Other roles of an agent concern its mobility and its roaming across physical locations. Additionally, agents can be dedicated to detecting a particular known attack signature. This is a decisive factor when it comes to the protection duties related to new types of attack. A multi-agent architecture proposed in the mid-1990s is AAFID (Autonomous Agents For Intrusion Detection). It uses agents that check a particular aspect of system behaviour at a particular time. For example, an agent may report an abnormal number of telnet sessions inside the system it monitors. An agent can raise an alert when it detects a suspicious event. Agents can be cloned and moved between systems (the autonomy feature). Apart from the agents, the system may have transceivers that check all actions controlled by the agents on a particular host. The transceivers always send the results of their operation to a single monitor. Monitors receive information from networks (not just from one host), which means they can correlate distributed information. In addition, some filters can be introduced to select and collect data.

Some further points to note:
- Architecture and placement of the IDS: these depend on the size of the organisation and on the purpose for which it uses the IDS.
- Control strategy: a clear description, for each IDS, of how input and output information is controlled and checked:
  + Centralised strategy: operations such as checking, detection, analysis, response and reporting are controlled directly from a central location.
  + Partially distributed: detection and checking are done at the component locations, which then report to the central location.
  + Fully distributed: each region has a centre that represents the main centre and directly controls the monitoring, checking and reporting operations.

4. Classification of IDS:


- There are two different approaches to analysing events in order to detect attacks: signature-based detection and anomaly detection. IDS products may use either one or a combination of both.
- Signature-based detection: this method identifies events, or sets of events, that match a pattern of events predefined as an attack.
- Anomaly detection: this approach establishes a state of normal activity and then maintains a current state for the system. When the two differ, an intrusion is assumed.
Different IDS all rely on detecting unauthorised intrusions and abnormal actions. The detection process can be described by three fundamental elements:
- Information source: examine all packets on the network.
- Analysis: analyse all the collected packets to determine which actions are attacks.
- Response: the alerting action for the attack identified by the analysis above.
4.1. Network-based IDS (NIDS)
A network-based IDS uses probes and sensors installed across the network. The probes watch the network for traffic that matches predefined profiles or signatures. The sensors capture and analyse traffic in real time. When a traffic pattern or signature is recognised, the sensor sends an alert to the management station and can be configured to take measures to prevent further intrusion. A NIDS is a set of sensors placed across the network that watch packets on the network and compare them with predefined patterns to decide whether they constitute an attack. It is placed at the junction between the internal network and the external network to monitor all inbound and outbound traffic. It can be a dedicated, preconfigured hardware appliance or software installed on a computer. It is mainly used to measure the network traffic in use. However, it can become a bottleneck when network traffic is high.

Advantages of network-based IDS:
- Covers a whole network segment (many hosts).
- "Transparent" to users and attackers alike.
- Simple to install and maintain, without affecting the network.
- Avoids DoS affecting any particular host.
- Able to identify errors at the Network layer (of the OSI model).
- Independent of the OS.
Limitations of network-based IDS:
- False positives can occur, i.e. the NIDS reports an intrusion when there is none.
- Cannot analyse encrypted traffic (e.g. SSL, SSH, IPSec).
- A NIDS must be kept updated with the latest signatures to be really effective.
- There is a delay between the moment of the attack and the moment the alarm is raised. By the time the alarm is raised, the system may already have been compromised.
- Does not tell whether the attack succeeded.
One limitation is bandwidth. Network probes must receive all network traffic, reassemble it and analyse it. As network speed increases, the probe's capacity must keep up. One solution is to ensure the network is designed so that multiple probes can be placed. As the network grows, more probes are added to ensure the best communication and security.
One way attackers try to hide their activity from a network-based IDS is to fragment their packets. Each protocol has a maximum packet size; if the data sent over the network is larger than this size, the packet is fragmented. Fragmentation is simply the process of splitting data into smaller pieces. The order of reassembly is not a problem as long as there is no overlap. If fragments overlap, the sensor must know how to reassemble them correctly. Many attackers try to evade detection by sending many overlapping fragmented packets. A sensor will not detect intrusion activity if it cannot reassemble the packets correctly.
4.2. Host-based IDS (HIDS)
By installing software on every host, a host-based IDS observes all system activity, such as log files and captured network traffic. Host-based systems also monitor the OS, system calls, audit logs and error messages on the host. While network probes can detect an attack, only a host-based system can determine whether the attack succeeded. Furthermore, a host-based system can record what the attacker did on the compromised host.
Not all attacks are carried out over the network. By gaining physical access to a computer system, an intruder can attack a system or its data without generating any network traffic at all. A host-based system can detect attacks that do not pass through a public or monitored network, or that are carried out from the console; but a knowledgeable intruder who understands IDS can quickly disable all detection software once physical access is obtained.
Another advantage of a host-based IDS is that it can counter attacks that use fragmentation or TTL tricks. Because a host must receive and reassemble fragments when it processes traffic, a host-based IDS can monitor this.
A HIDS is usually installed on a specific machine. Instead of monitoring the activity of a network segment, a HIDS monitors only the activity on one machine. HIDS are usually placed on the organisation's critical hosts and on servers in the DMZ, which are usually the first targets of attack. The main task of a HIDS is to monitor changes on the system, including (not exhaustively):
- Processes.
- Registry entries.
- CPU usage.
- Integrity and access checks on the file system.
- Several other parameters.
When these parameters exceed a preset threshold, or when suspicious changes occur on the file system, an alarm is raised.
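The overlapping-fragment evasion described in section 4.1 above, together with the point made in 4.2 that a host-based sensor sees what the host itself reassembles, as an added example that is not part of the original report. The fragments, the two reassembly policies ("first" and "last") and the signature are all constructed for illustration; real operating systems resolve overlaps in more varied ways than the two shown here.

```python
"""Overlapping IP-fragment evasion against a network IDS (constructed example).

A fragment is (byte offset within the original datagram, data). The attacker
sends fragments whose byte ranges overlap. A sensor that resolves the overlap
with a different policy than the target host reassembles a different byte
stream and can miss a signature the host actually receives.
"""
from typing import List, Tuple

Fragment = Tuple[int, bytes]


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments in arrival order.

    policy "first": bytes already written by an earlier fragment are kept.
    policy "last":  a later fragment overwrites earlier bytes.
    Real stacks differ in subtler ways; two policies are enough to show the
    problem.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %r" % policy)
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)
    seen = [False] * total
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
            seen[pos] = True
    if not all(seen):
        raise ValueError("incomplete datagram: gap between fragments")
    return bytes(buf)


def sensor_verdict(frags: List[Fragment], signature: bytes,
                   sensor_policy: str, host_policy: str) -> dict:
    """Compare what the NIDS sees with what the host actually processes."""
    sensor_view = reassemble(frags, sensor_policy)
    host_view = reassemble(frags, host_policy)
    return {
        "sensor_alerts": signature in sensor_view,
        "host_receives_attack": signature in host_view,
        "evaded": signature in host_view and signature not in sensor_view,
        "sensor_view": sensor_view,
        "host_view": host_view,
    }


# Constructed attack: fragment 2 (benign-looking) and fragment 3 (malicious)
# cover the same byte range [5, 29). Both are 24 bytes long.
ATTACK_FRAGMENTS: List[Fragment] = [
    (0, b"GET /"),
    (5, b"index.html    HTTP/1.0\r\n"),   # arrives first
    (5, b"../etc/passwd HTTP/1.0\r\n"),   # arrives second, overlaps completely
]
SIGNATURE = b"/etc/passwd"


def demo() -> dict:
    """A sensor favouring the first fragment, guarding a host that favours the last."""
    return sensor_verdict(ATTACK_FRAGMENTS, SIGNATURE,
                          sensor_policy="first", host_policy="last")


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The practical consequence is that a sensor's reassembly policy has to be chosen per target host rather than globally; Snort 2's frag3 preprocessor exposes exactly this as a per-target `policy` setting. A host-based sensor does not have this problem, because it inspects the datagram after the host's own stack has reassembled it.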

Advantages of HIDS:
- Can identify the user associated with an event.
- A HIDS can detect attacks that take place on a single machine; a NIDS cannot.
- Can analyse data that arrived encrypted, since it is inspected on the host after decryption.
- Provides information about the host while an attack on it is under way.
Limitations of HIDS:
- Information from the HIDS is no longer trustworthy once the attack on that host has succeeded.
- When the OS is brought down by an attack, the HIDS goes down with it.
- The HIDS must be set up on every host that is to be monitored.
- A HIDS cannot detect network scans (Nmap, Netcat).
- A HIDS consumes resources on the host.
- A HIDS may be ineffective under DoS.
- Many run on Windows; some also run on UNIX and other operating systems.
Because a host-based IDS requires IDS software on every host, version upgrades, software maintenance and configuration can become an administrator's nightmare: time-consuming and complicated work. Because host-based systems analyse only the traffic the host itself receives, they cannot detect the usual reconnaissance attacks carried out against a host or a group of hosts. A host-based IDS will not detect ping sweeps or port scans across many hosts. If the host is compromised, the intruder can simply disable the IDS software or disconnect the host; once that happens the host can no longer generate any alerts. IDS software must be installed on every system on the network to provide full alerting coverage. In a heterogeneous environment this can be a problem, since the IDS software has to support many different operating systems. Therefore, before choosing an IDS, we must make sure it is suitable for and runs on all the operating systems in use.
5. Tools that support an IDS
A number of tools support an intrusion detection system. This section discusses four of them: vulnerability analysis systems, data integrity checkers, honeypots and padded cells. How these components strengthen, support and are organised alongside an IDS is clarified in the subsections below.
5.1. Vulnerability analysis and assessment systems
Vulnerability analysis (also known as vulnerability assessment) is a checking tool that determines whether a network or host is vulnerable to known attacks. Vulnerability assessment represents a special case of the intrusion detection process. The information analysed includes the state of the system and the consequences of attacks, and it is aggregated and analysed at the sensor.



Vulnerability analysis is a very powerful security management technique and a suitable complement to the use of an IDS, not a replacement for it. A trusted organisation must manage the vulnerability analysis tools that monitor these systems.
a. The vulnerability analysis process
The vulnerability analysis process consists of the following steps:
- Take a sample consisting of a set of system attributes.
- Store the result of the sampling in a safe place.
- Compare this result against at least one earlier sample or an earlier ideal sample.
- Aggregate and report any differences between the two sets.
b. Types of vulnerability analysis
There are two types of vulnerability analysis, network-based and host-based:
- Host-based: vulnerability analysis is the evaluation of system data such as files, configuration and the state of other information.
- Network-based: vulnerability analysis requires a remote connection to the target system. The assessment consists of recording the system's responses, or simply probing and examining it to learn its weaknesses.
5.2. Data integrity checking
Data integrity checkers are security tools that complement an IDS. They compute message digests or cryptographic checksums for critical files and objects, compare them against reference values, and flag any difference or change. The checksum comparison shows whether the content of the data has been modified by an attacker. There are many techniques for modifying content, but the attacker's aim is to attach components to the content that act as a bridge for exchanging information between the system and the attacker's machine, or simply to cause damage. Although checking for such changed components in data content, commonly called worms, is regularly supported by updates from anti-virus, anti-spyware and anti-trojan vendors, these updates are still too slow compared with the pace at which these components evolve.
5.3. Honeypot and padded cell systems
A honeypot is a system of traps designed to catch attackers. A honeypot is designed with the following aims:
- Divert the attacker away from the system that needs protecting.
- Collect information about attackers and their actions.
- Keep the attacker on the system long enough for the administrator to respond.
Padded cell: whereas a honeypot lures the attacker along the defender's plan, a padded cell is designed so that, once an attacker has been detected, their actions and modifications of data are observed in an isolated environment, with the changes marked so that the attacker's intent can be understood.
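The snapshot-and-compare procedure of 5.1(a) and the digest-based integrity checker of 5.2, as an added example that is not part of the original report. It builds a small throwaway directory tree (constructed, not real system files), takes a baseline of SHA-256 digests, seals the baseline with an HMAC under a key that is assumed to be kept off the monitored host, tampers with the files the way an intruder would, and reports what changed.

```python
"""File integrity checker: baseline digests, sealed baseline, comparison (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX relative path) to its SHA-256 digest."""
    table: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            table[path.relative_to(root).as_posix()] = digest.hexdigest()
    return table


def seal(table: Dict[str, str], key: bytes) -> bytes:
    """HMAC over the canonical JSON of the baseline, so a tampered baseline is caught too."""
    canonical = json.dumps(table, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def verify_seal(table: Dict[str, str], key: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(table, key), tag)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, removed or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed tree -> baseline -> simulated compromise -> report."""
    key = b"hmac-key-assumed-to-live-off-the-host"  # assumption: stored off-box
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/bash\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary\n")
        (root / "bin" / "cat").write_bytes(b"\x7fELF untouched binary\n")

        baseline = snapshot(root)
        tag = seal(baseline, key)

        # Simulated intrusion: trojaned binary, backdoor account, dropped file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary\n")
        (root / "etc" / "passwd").write_bytes(
            b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "tmp").mkdir()
        (root / "tmp" / ".x").write_bytes(b"rootkit payload\n")

        if not verify_seal(baseline, key, tag):
            raise RuntimeError("baseline itself was tampered with")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The seal matters as much as the digests: an intruder who can rewrite the baseline to match the trojaned files defeats a plain digest table, which is why the reference values (or the key that authenticates them) belong on read-only media or a separate host, as section 5.1 says of the stored sample.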

6. Data-processing techniques used in intrusion detection systems
Depending on the type of detection method used, different processing mechanisms (techniques) are applied to the data in an IDS. A number of systems are described briefly below.
6.1. Expert systems
An expert system works on a set of predefined rules that describe attacks. All security-relevant events are incorporated into an audit and translated into if-then-else rules. Examples are Wisdom & Sense and ComputerWatch (developed at AT&T).
6.2. Rule-based intrusion detection
Like the expert-system approach, this method relies on knowledge of attacks. It transforms the description of each attack into an appropriate audit format, so that the attack signature can be found in the audit records. An attack scenario can be described, for example, as a sequence of audit events for the attack, or as a data pattern that can be searched for in the audit trail. The method uses abstract equivalents of the audit data. Detection is performed with generic string-matching mechanisms. It is typically a very powerful technique and is commonly used in commercial systems (for example Cisco Secure IDS and EMERALD eXpert-BSM (Solaris)).
6.3. User intention identification
This technique models normal user behaviour as a set of high-level tasks that users can perform on the system (related to the user's role). Tasks usually involve a number of activities that are matched against the appropriate audit data. The analyser keeps a set of acceptable tasks for each user. Whenever a mismatch is detected, an alert is generated.
6.4. State-transition analysis
An attack is described as a set of goals and transitions that an intruder must carry out to compromise the system. The transitions are represented in a state-transition diagram. If a set of transitions that violates the policy is detected, an alert is raised or a response is taken according to predefined actions.
6.5. Colored Petri Nets
This method is usually used to generalise attacks from basic knowledge and to represent attacks graphically. Purdue University's IDIOT system uses Colored Petri Nets. With this technique, administrators find it easier to add new signatures. However, matching a complex signature against audit data is a time-consuming problem. The technique is not used in commercial systems.
6.6. Statistical analysis approach
User or system behaviour (a set of attributes) is measured with a number of variables over time.
For example, the variables may be: user logins, logouts, the number of files accessed in a period, disk space usage, memory and CPU utilisation. The update period can vary from a few minutes to a month. The system keeps a mean value for each variable, which is used to detect when a predefined threshold is exceeded. Even this simple method cannot fit the typical user behaviour model, and methods based on correlating information about individual users with aggregated group variables are also not very effective. Therefore a more sophisticated model of user behaviour was developed, using short-term or long-term user information. This information is updated regularly to keep up with changes in user behaviour. Statistical methods are commonly used to supplement an IDS based on normal user behaviour information.
6.7. Neural networks
This method uses learning algorithms to study the relationship between input and output vectors and to generalise them in order to derive new input/output relationships. Neural networks are used in intrusion detection chiefly to learn the behaviour of the actors on the network (users or intruders). In fact, statistical methods are partly considered a form of neural network. Using neural networks on top of existing statistics, or focusing on simple units to represent non-linear relationships between variables, allows those relationships to be learned automatically. Experiments have been carried out on predicting user behaviour with neural networks. The results show that the behaviour of the UNIX superuser (root) is predictable; with a few exceptions, the behaviour of most other users is predictable too. Neural networks remain a computationally expensive technique and are not widely used in the intrusion detection community.
6.8. Computer immunology analogies
Research in immunology has been applied to develop techniques built on a model of the normal behaviour of UNIX network services rather than of individual users. The model consists of short sequences of system calls produced by processes. Attacks that exploit vulnerabilities in application code are very likely to produce abnormal execution paths. First, a reference audit data set is collected to represent the legitimate behaviour of the services; then the knowledge base is supplemented with all known sequences of system calls. The patterns are then used for continuous checking of system calls, to see whether the generated sequence is listed in the knowledge base; if not, an alert is generated. This technique has a very low false-alarm rate. Its drawback is its inability to detect errors in network service configuration.
6.9. Machine learning
This is an artificial intelligence technique that stores the user's command stream in vector form and uses it as a reference for the user's normal behaviour profile. The profiles are then grouped into a library of user commands with certain common components. Data mining generally relies on techniques that extract previously unknown but potentially useful data from large data stores. These data mining methods excel at processing large system logs (audit data), but they are less useful for analysing network traffic streams. One of the basic data mining techniques used in intrusion detection is associated with decision trees. Decision tree models allow one to detect anomalies in a large database. Another technique relies on segmentation, which allows patterns of unknown attacks to be extracted.
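The system-call sequence model of section 6.8 above, as an added example that is not part of the original report. The traces are constructed: a handful of normal request-handling traces of an imaginary static file server build the database of allowed short sequences (n-grams), and two new traces are scored against it, one from a code-execution exploit and one from a legitimate-looking request that only a misconfiguration makes harmful, to show both the low false-alarm rate and the configuration blind spot the text notes.

```python
"""Immunology-style anomaly detection on short system-call sequences (added example)."""
from typing import Dict, Iterable, List, Set, Tuple


def ngrams(trace: List[str], n: int) -> List[Tuple[str, ...]]:
    """Sliding window of n consecutive system calls."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class SyscallModel:
    def __init__(self, n: int = 3):
        self.n = n
        self.normal: Set[Tuple[str, ...]] = set()

    def train(self, traces: Iterable[List[str]]) -> None:
        """Record every n-gram seen in known-good traces (the knowledge base)."""
        for trace in traces:
            self.normal.update(ngrams(trace, self.n))

    def score(self, trace: List[str]) -> float:
        """Fraction of n-grams in the trace that never occurred during training."""
        grams = ngrams(trace, self.n)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.normal)
        return unseen / len(grams)

    def is_anomalous(self, trace: List[str], threshold: float = 0.2) -> bool:
        return self.score(trace) > threshold


# Constructed normal traces of an imaginary static file server handling requests.
NORMAL_TRACES = [
    ["accept", "read", "open", "fstat", "mmap", "write", "close"],
    ["accept", "read", "open", "fstat", "read", "write", "close"],
    ["accept", "read", "stat", "open", "fstat", "mmap", "write", "close"],
    ["accept", "read", "write", "close"],                     # not-found path
]
# Exploit: the request handler is hijacked and spawns a reverse shell.
EXPLOIT_TRACE = ["accept", "read", "execve", "dup2", "dup2", "socket", "connect", "write"]
# Misconfiguration: the server is allowed to serve a secret file; the syscall
# pattern is identical to a normal request, so this model cannot see it.
MISCONFIG_TRACE = ["accept", "read", "open", "fstat", "mmap", "write", "close"]


def demo() -> Dict[str, float]:
    model = SyscallModel(n=3)
    model.train(NORMAL_TRACES)
    return {"exploit": model.score(EXPLOIT_TRACE),
            "misconfig": model.score(MISCONFIG_TRACE)}


if __name__ == "__main__":
    print(demo())
```

Every n-gram of the exploit trace is unseen, so it scores 1.0, while the misconfigured request scores 0.0 because its execution path is indistinguishable from a normal one; the model only knows what the service does, not what it is allowed to serve.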
This is done by matching patterns extracted from a simple audit set against other patterns provided for the stored unknown attack. A typical data mining technique is associated with searching for association rules. It allows one to extract previously unknown knowledge about new attacks, or to build on normal behaviour patterns. Anomaly detection often causes false alarms. With data mining, it is easy to correlate the data related to alerts with the mined audit data, thereby significantly reducing the probability of false alarms.
7. Classification of signatures
7.1. Detecting abnormal signs
An intrusion detection system must be able to distinguish between normal user activity and abnormal activity, in order to find dangerous attacks in time. However, translating user behaviour (or a complete user/system session) into an appropriate security-relevant decision is often not simple: many behaviours are unplanned and ambiguous (Figure 2). To classify actions, an IDS must use anomaly detection, sometimes based on baseline behaviour or on attack signatures; a mechanism describing known abnormal behaviour (signature detection) is also called a knowledge base.
7.2. Normal behaviour patterns: anomaly detection



Normal behaviour patterns are very useful for predicting user and system behaviour. Anomaly detectors therefore build profiles representing normal use, and then use normal behaviour data to detect deviations from the profiles and recognise possible attacks. To match profiles to events, the system is required to create initial user profiles, to train the system to recognise legitimate user behaviour. There is a problem with profiling here: when the system is allowed to learn by itself, intruders can also train it, to the point where previously intrusive behaviour becomes normal behaviour. A poorly fitted profile cannot be relied on to detect all possible intrusion activity. In addition, the profiles must be updated and the system retrained, which is a difficult and time-consuming task. Given a set of normal behaviour profiles, anything that does not fit a stored profile is treated as suspicious activity. These systems are therefore characterised by very high detection effectiveness (they can recognise many attacks even when the attack is new to the system), but they also tend to generate false alarms about some matters.
The advantages of anomaly detection are: the ability to detect new attacks when an intrusion occurs; abnormal problems are recognised without needing to know their underlying cause or characteristics; less dependence of the IDS on the operating environment (compared with signature-based systems); and the ability to detect abuse of privileges by users.
The biggest disadvantages of this method are: a high probability of false alarms. System performance is not checked during profile construction and the training phase, so any user activity that is missed during this phase will be treated as legitimate. User behaviour can change over time, so the normal behaviour profile database needs continuous updating. The need to retrain the system when behaviour changes means the system cannot detect anomalies during the training phase (false negatives).
7.3. Bad behaviour signatures: signature detection
Information about the system's handling of abnormal and unsafe behaviour (system-based attack signatures) is commonly used in real-time intrusion detection systems (because their computational complexity is not high).
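The per-variable statistical profile of section 6.6 and the profile-training problem of 7.2 above (an intruder who is allowed to train the detector), as an added example that is not part of the original report. The user names, the variable and the daily counts are constructed; the profile keeps a running mean and standard deviation per (user, variable) pair and flags a value that lies more than k standard deviations from the mean.

```python
"""Statistical anomaly detection with per-user, per-variable profiles (added example)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Profile:
    """Running mean/variance (Welford's algorithm) for one (user, variable) pair."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # sum of squared deviations from the running mean

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class AnomalyDetector:
    def __init__(self, k: float = 3.0, min_samples: int = 10, std_floor: float = 1.0,
                 learn_from_alarms: bool = False):
        self.k = k                      # alarm when |x - mean| > k * std
        self.min_samples = min_samples  # training period before any alarm is raised
        self.std_floor = std_floor      # avoid dividing by a near-zero deviation
        self.learn_from_alarms = learn_from_alarms
        self.profiles: Dict[Tuple[str, str], Profile] = {}

    def observe(self, user: str, variable: str, value: float) -> bool:
        """Return True if the observation is anomalous; otherwise learn from it."""
        prof = self.profiles.setdefault((user, variable), Profile())
        alarm = False
        if prof.n >= self.min_samples:
            z = abs(value - prof.mean) / max(prof.std(), self.std_floor)
            alarm = z > self.k
        if not alarm or self.learn_from_alarms:
            prof.update(value)
        return alarm


def frozen_profile_alarms(series: List[int], train_days: int = 10, k: float = 3.0) -> List[int]:
    """Same data scored against a profile that stops learning after training."""
    prof = Profile()
    for value in series[:train_days]:
        prof.update(value)
    std = max(prof.std(), 1.0)
    return [day for day, value in enumerate(series, start=1)
            if day > train_days and abs(value - prof.mean) / std > k]


# Constructed daily counts of files accessed per user.
ALICE = [38, 41, 40, 43, 39, 42, 40, 37, 44, 40, 41, 39, 400]   # sudden spike on day 13
BOB = [40 + 6 * day for day in range(60)]                        # slow ramp 40 -> 394


def demo() -> Dict[str, List[int]]:
    """Days (1-based) on which each user triggered an alarm under continuous learning."""
    det = AnomalyDetector()
    alarms: Dict[str, List[int]] = {"alice": [], "bob": []}
    for user, series in (("alice", ALICE), ("bob", BOB)):
        for day, value in enumerate(series, start=1):
            if det.observe(user, "files_accessed", value):
                alarms[user].append(day)
    return alarms


if __name__ == "__main__":
    print(demo())
    print("bob against a frozen profile:", frozen_profile_alarms(BOB)[:3], "...")
```

Alice's spike is caught on day 13, but Bob's ramp never alarms: the profile drifts along with him and his z-score stays below 3 every day, which is exactly the training problem the text describes. Scored against a profile frozen after the first ten days, the same ramp alarms from day 15 onward, so the trade-off is between tracking legitimate change and being trainable by an intruder.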
Bad behaviour signatures fall into two categories:
- Attack signatures: these describe patterns of activity that may pose a security threat. Typically they are expressed as a time-dependent relationship between a series of activities that may be interleaved with neutral activity.
- Selected text strings: signatures that match text strings being searched for as indicators of suspicious activity.
Any activity that is not clearly benign may be examined and blocked. Their accuracy is therefore very high (few false alarms). However, they are not exhaustive and do not fully stop new attacks. Two main methods are combined in this kind of signature detection:
- Checking the lower-layer packets: many types of attack exploit vulnerabilities in IP, TCP, UDP or ICMP packets. A simple check of the set of flags on a characteristic packet can tell which packets are valid and which are not. The difficulty here may be having to decode and reassemble the packets. Likewise, other problems may involve the TCP/IP stack of the system being protected. Attackers often use packet manipulation such as fragmentation to slip past many IDS tools.



- Checking application-layer protocols: many types of attack (WinNuke) exploit program vulnerabilities, for example by sending specially crafted data to an established network connection. To detect such attacks effectively, the IDS must support many application-layer protocols.
Signature detection methods have the following advantages: a low false-alarm rate, simple algorithms, an attack signature database that is easy to build, easy extension, and minimal consumption of system resources.
Some disadvantages: difficulty keeping up with new types of attack. They cannot inherently detect new, unknown attacks; the attack signature database must be updated accordingly. Managing and maintaining an IDS must be combined with analysing and patching security vulnerabilities, which is a time-consuming process. Knowledge of attacks depends on the operating environment, so a signature-based IDS must be configured to follow strict rules tied to the operating system (version, platform, applications in use). They seem to have difficulty handling insider attacks: typically, abuse of privileges by an authenticated user cannot be detected when malicious code is run (because they lack information about user privileges and the structure of attack signatures). Commercial IDS products usually use signature detection for two reasons. First, it is easier to provide signatures for known attacks and to give an attack a name. Second, the attack signature database is updated regularly (by adding newly discovered attack signatures).
7.4. Correlation of parameter patterns
This third approach to intrusion detection is more sophisticated than the previous two. It arose from the practical need of administrators to check different systems and network attributes (not necessarily aiming at security problems). Information obtained this way is specific to an environment and does not change. The method involves using the administrators' everyday operational experience as the basis for detecting abnormal signs. It can be viewed as a special case of the normal-profile approach; the difference lies in the fact that the profile here is partly human understanding. This is a powerful technique, because it allows intrusion detection based on unknown types of attack. System activity can reveal subtle changes that are not obvious in the activity itself.
It inherits the weakness that, in practice, a human understands only a limited portion of the information at any one time, which means some attacks may pass undetected.

Part 2: CONFIGURING AND TESTING AN INTRUSION DETECTION SYSTEM WITH THE SNORT IDS SOFTWARE
3.1. Introduction to the Snort IDS software
3.1.1. Snort basics
Snort is an open-source product developed to detect unauthorised intrusions into a system by means of predefined rules; these rules are based on signatures, protocols and anomalies. Snort uses rules stored in text files that the administrator can edit. Rules are grouped by type, and the rules of each type are stored in different files. Snort's main configuration file is snort.conf. Snort reads these rules at start-up and builds the data structures that apply the rules to capture matching traffic. Finding signatures and using them in rules is a matter that demands care, because the more rules are used, the more processing power is needed to handle real traffic. Snort comes with a set of predefined rules to detect intrusion activity, and administrators can also add rules of their own. Administrators can also remove some of the predefined rules to avoid false alarms. Snort consists of one or more sensors and a main database server. Sensors can be placed in front of or behind the firewall:
* Monitoring attacks on the firewall and the network.
* Recording successful firewall bypasses.
3.1.2. Components of Snort
Snort is divided into several components, which work together to detect specific attacks and to produce output in a required format. A Snort-based IDS consists of the following main components: Packet Decoder, Preprocessor, Detection Engine, Logging and Alerting System, Output Modules.
a. Packet Decoder
The packet decoder takes packets from the various network interfaces and prepares them to be preprocessed or sent to the detection engine.
b. Preprocessor
Preprocessors are components used with Snort to arrange or modify packet data before the detection engine does its processing to determine whether a packet is being used by an intruder. Some preprocessors also perform detection, by finding anomalies in packet headers and generating alerts. Preprocessors are very important in any IDS: they prepare packets to be analysed against the rules in the detection engine. Attackers use many different techniques to fool an IDS in various ways. Preprocessors are also used to reassemble packets. On the IDS, before any rule is applied, packets must be reassembled to find signatures. Snort's preprocessors can reassemble packets, decode HTTP URIs, reassemble TCP streams, and so on. These functions are very important in an intrusion detection system.
c. Detection Engine
This is the most important part of Snort. Its responsibility is to detect whether an intrusion exists in a packet. The detection engine uses Snort's rules for this purpose. If a packet matches any rule, the corresponding action is taken. This is the critical part for Snort's execution time.
Depending on how powerful the machine is and how many rules are defined, it may take different amounts of time for different packets. If the traffic on the network is too heavy while Snort is operating in NIDS mode, some packets may be dropped and response time may suffer. The load on the detection engine depends on the following factors:
* The number of rules
* The power of the machine Snort is running on
* The speed of the bus used
* The traffic load on the network
The detection engine works differently in different versions of Snort.
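A miniature Snort-style rule engine, as an added example that is not part of the original report and not Snort's own code. It parses rules written in Snort's text format (only the msg, content, nocase, flags, priority and sid options are understood, and content strings are plain text without hex or escapes), evaluates them against already decoded packets, and implements both evaluation strategies the text contrasts: stop at the first matching rule, and evaluate every rule and report the one with the highest priority (lowest number). The rules and packets are constructed; the addresses are documentation and private ranges.

```python
"""Minimal Snort-style rule matcher (added example, not Snort's own code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    contents: List[bytes] = field(default_factory=list)
    nocase: bool = False
    flags: Optional[str] = None
    priority: int = 3       # Snort convention: 1 is the highest priority
    sid: int = 0


def parse_rule(text: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (opt:val; ...)'."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %s" % text)
    rule = Rule(*m.groups()[:6])
    for option in (o.strip() for o in m.group(7).split(";")):
        if not option:
            continue
        key, _, value = option.partition(":")
        value = value.strip().strip('"')
        if key == "msg":
            rule.msg = value
        elif key == "content":
            rule.contents.append(value.encode())   # plain text only in this toy
        elif key == "nocase":
            rule.nocase = True
        elif key == "flags":
            rule.flags = value
        elif key == "priority":
            rule.priority = int(value)
        elif key == "sid":
            rule.sid = int(value)
        # rev, classtype, flow and other options are ignored here
    return rule


def _ip_ok(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: Rule, pkt: Dict) -> bool:
    """Cheap header checks first, then the exact flag check, then payload content."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (_ip_ok(rule.src, pkt["src"]) and _ip_ok(rule.dst, pkt["dst"])):
        return False
    if not (_port_ok(rule.sport, pkt["sport"]) and _port_ok(rule.dport, pkt["dport"])):
        return False
    if rule.flags is not None and pkt.get("flags", "") != rule.flags:
        return False
    payload = pkt["payload"].lower() if rule.nocase else pkt["payload"]
    return all((c.lower() if rule.nocase else c) in payload for c in rule.contents)


def first_match(rules: List[Rule], pkt: Dict) -> Optional[Rule]:
    """First-match strategy: the first matching rule in file order wins."""
    return next((r for r in rules if matches(r, pkt)), None)


def best_match(rules: List[Rule], pkt: Dict) -> Optional[Rule]:
    """Evaluate-all strategy: alert on the highest-priority (lowest number) match."""
    hits = [r for r in rules if matches(r, pkt)]
    return min(hits, key=lambda r: r.priority) if hits else None


# Constructed rules: the low-priority generic rule comes first in the file.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 10.0.0.0/8 80 (msg:"WEB-CGI cgi-bin access"; content:"/cgi-bin/"; priority:3; sid:1000001; rev:1;)',
    'alert tcp any any -> 10.0.0.0/8 80 (msg:"WEB-MISC /etc/passwd"; content:"/etc/passwd"; nocase; priority:1; sid:1000002; rev:1;)',
    'alert tcp any any -> 10.0.0.0/8 any (msg:"SCAN SYN FIN"; flags:SF; priority:2; sid:1000003; rev:1;)',
)]

# Constructed decoded packets (what the decoder and preprocessors would hand over).
TRAVERSAL = {"proto": "tcp", "src": "198.51.100.7", "sport": 51514, "dst": "10.1.2.3", "dport": 80,
             "flags": "PA", "payload": b"GET /cgi-bin/../../etc/PASSWD HTTP/1.0\r\n"}
SYNFIN = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "10.1.2.3", "dport": 22,
          "flags": "SF", "payload": b""}
BENIGN = {"proto": "tcp", "src": "10.1.2.9", "sport": 40001, "dst": "10.1.2.3", "dport": 80,
          "flags": "PA", "payload": b"GET /index.html HTTP/1.0\r\n"}

if __name__ == "__main__":
    for name, pkt in (("traversal", TRAVERSAL), ("synfin", SYNFIN), ("benign", BENIGN)):
        f, b = first_match(RULES, pkt), best_match(RULES, pkt)
        print(name, "first:", f and f.sid, "best:", b and b.sid)
```

The traversal request matches both the generic cgi-bin rule and the /etc/passwd rule; first-match reports the priority-3 generic rule because it comes first in the file, while evaluate-all reports the priority-1 rule. The SYN+FIN packet is caught by a pure flag check with no payload at all, the lower-layer check of section 7.3.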



In all 1.x versions of Snort, the detection engine stops processing a packet as soon as it matches a rule. Depending on the rule, the detection engine takes the corresponding action. This means that if a packet matches several rules, only the first one is applied and the rest are not considered. That raises a problem: a low-priority rule produces a low-priority alert if the high-priority rule happens to sit later in the rule chain, so the severe event is never reported. This problem was solved in Snort version 2, where all rules are compared against a packet before an alert is generated. After all rules have been compared, the rule with the highest priority is chosen to generate the alert. Because the detection engine in version 2 was completely rewritten, it is also much faster than in earlier versions. (Snort 3 rewrote the engine once more; this section describes the 1.x and 2.x series.)
d. Logging and Alerting System
Depending on what the detection engine finds inside a packet, the packet may be used to log the activity or to generate an alert. Logs are kept in simple text files or in other formats.
e. Output Modules
Output modules, or plug-ins, can do different things depending on how you want to save the output generated by the logging and alerting system: for example, send it to syslog, write it to a database, or write the unified2 binary format that tools such as Barnyard2 consume.
3.1.3. Operating modes of Snort
Snort has three basic operating modes:
* Sniffer (snort -v)
* Packet logger (snort -l)
* Network Intrusion Detection System (snort -c <path_to_conf_file>; the -A flag does not select this mode by itself, it chooses the alert output format, for example -A console, -A fast or -A full)
a. Snort as a sniffer
Network sniffing tools such as tcpdump, Ethereal and Tethereal (today Wireshark and tshark) are fully featured and analyse packets excellently, enough to monitor the traffic on a Snort sensor. In that sense, using Snort as a sniffer is also feasible. The output of Snort's sniffer mode is slightly different from other sniffers: it is very easy to read, and the speed at which it captures packets is impressive. A nice feature of this mode is the traffic summary printed when the capture ends. Occasionally it can be a useful debugging tool for the administrator. Enable sniffer mode with the -v flag: Code:
# snort -v

At start-up, Snort displays its mode, the logging directory and the interfaces it is listening on. Once start-up is complete, Snort begins printing packets to the screen. This output is fairly basic: it shows only the IP and TCP/UDP/ICMP headers and a few other fields. To leave sniffer mode, press Ctrl-C. On exit Snort produces a summary of the packets captured, including the protocols seen and fragmentation and reassembly statistics. To see the application data as well, use the -d flag. This option produces more detailed output: Code:
# snort -vd

Application data is visible as plain text inside the packets; in this case the text sent from a DNS server is shown in plain text. For still more detail, including the data-link-layer headers, use the -e flag. Using both -d and -e shows almost all of the data in a packet:



Code:
# snort -vde

The hexadecimal dump section now shows more data: the MAC addresses as well as the IP addresses. When testing a network or capturing data with Snort, enabling -vde gives the most information. To save the output to a log file instead of the console, redirect it: Code:
# snort -dve > ttooip.log

In summary, these are the options that can be used with Snort's sniffer mode; they can be used on their own or in combination with each other.
b. Snort as a packet logger
The next step after sniffing packets is logging them. Logging is done simply by adding the -l option followed by the directory where the logs are to be stored. Snort's default directory is /var/log/snort. If a directory that does not exist is given, Snort reports an error. The -d, -a and -e options control how much information is logged for each packet. In the following example the log directory is set to /usr/local/log/snort and the log files include the packet payloads: Code:
# snort -l /usr/local/log/snort -d

When running in this mode, Snort collects every packet it sees and stores them in the log directory in a hierarchical fashion. In other words, a new directory is created for every captured address and the data concerning that address is stored in that directory. Snort stores the packets as ASCII files whose names are formed from the protocol and port number. This organisation makes it easy for the administrator to see who is connecting to the network and which ports and protocols they use (use ls -R to list the log directory). Remember to define the organisation's network (in the configuration file or with -h) so that logging is confined to the organisation's own network.
This hierarchical layout is useful when only a limited number of hosts are of interest, or when you want to skim through the IP addresses of the hosts that were captured. However, the log directory can fill up rapidly with a growing number of directories and files. If all traffic on a large network is logged, the file system may run out of inodes (the Unix limit on the total number of files in a file system) before it runs out of space. If someone scans the network and probes all 65536 TCP ports as well as all 65536 UDP ports, there are suddenly more than 131000 files in a single directory. This file explosion can be a serious challenge for any machine, and it can easily be turned into a denial-of-service attack against the sensor itself. Binary logs can be read by Snort, tcpdump or Ethereal. This method increases the speed and portability of packet capture: one tcpdump-format (pcap) file is written instead of one file per address and port. Most systems can capture and log at 100 Mbps without any problem. To log packets in binary format, use the -b switch; -l still names the log directory, and -L names the tcpdump-format file written into it (check the directory for the exact file name, since some versions append a timestamp). For example: Code:
# snort -b -l /usr/local/log/snort -L ttip.log

Once the capture is done, the newly created file can be read back with the -r switch. The output is the same as Snort's sniffer. Note that -r cannot be used with -C.



Code:
# snort -r /usr/local/log/snort/ttip.log

Reading binary data with -r is not limited to sniffer mode: the same file can be run through packet logger or NIDS mode, so recorded traffic can be tested against the rules offline (for example snort -c <path_to_conf_file> -r <file>).
c. Snort as a NIDS
Snort is an excellent intrusion detection tool. When used as a NIDS, Snort provides intrusion detection in close to real time. We will look at the many ways Snort can be used as a NIDS and at all the possible configuration options. In alert mode, Snort needs a configuration file (in fact, merely telling Snort where snort.conf is puts it into this mode). The default location of this file is /etc/snort.conf; packaged builds usually install it as /etc/snort/snort.conf. To use a different location, the -c switch followed by the file path is required. Alerts are placed in the file alert in the log directory (by default /var/log/snort). Snort exits with an error if the configuration file or the log directory does not exist. The default settings for almost all entries in this file are quite good (although there will be false alerts). The only variable we have set so far is RULE_PATH, which tells Snort where the rule files are. The alert file lives in the /var/log/snort directory and contains the alerts generated while Snort is running. Snort alerts are classified by alert type. A Snort rule also assigns a priority to each alert, which makes it possible to filter out low-priority alerts.
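The difference between the 1.x first-match engine and the 2.x evaluate-everything engine (3.1.2 c), and the priority filtering of the alert file just described, are shown together in the following added example. It is not code from the page or from the Snort project: it parses a small, constructed subset of the Snort rule language, runs constructed packets through both matching strategies, writes the alerts in the shape of alert_fast output and then filters them by priority. Rule text, packets, sids and timestamps are all constructed for the example, as is the default priority of 3 for rules that do not set one.

```python
import re
from dataclasses import dataclass

# Constructed subset of the Snort rule language (an assumption for this example):
#   alert <proto> <src> <sport> -> <dst> <dport> (msg:"..."; content:"..."; sid:N; priority:N;)
HEADER_RE = re.compile(
    r'^alert\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
PRIO_RE = re.compile(r'\[Priority:\s*(\d+)\]')


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dport: str
    content: bytes
    priority: int     # Snort convention: 1 is the most severe


def decode_content(text):
    """Snort content strings mix literal text with |90 90|-style hex runs."""
    out = bytearray()
    for i, chunk in enumerate(text.split('|')):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode('latin-1')
    return bytes(out)


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('unsupported rule syntax: ' + line)
    opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group('opts'))}
    return Rule(int(opts['sid']), opts['msg'], m.group('proto').lower(), m.group('dport'),
                decode_content(opts.get('content', '')), int(opts.get('priority', 3)))


def matches(rule, pkt):
    """pkt is a constructed dict with proto, src, dst, dport and payload."""
    if rule.proto != pkt['proto']:
        return False
    if rule.dport != 'any' and int(rule.dport) != pkt['dport']:
        return False
    return rule.content in pkt['payload']


def first_match(rules, pkt):
    """Snort 1.x behaviour described above: the first matching rule in the chain wins."""
    return next((r for r in rules if matches(r, pkt)), None)


def best_match(rules, pkt):
    """Snort 2.x behaviour: evaluate every rule, alert on the most severe match."""
    hits = [r for r in rules if matches(r, pkt)]
    return min(hits, key=lambda r: r.priority) if hits else None


def fast_alert(rule, pkt, ts='01/23-14:05:22.101234'):
    """One alert line in the shape of Snort's alert_fast output (timestamp constructed)."""
    return (f"{ts}  [**] [1:{rule.sid}:1] {rule.msg} [**] [Priority: {rule.priority}] "
            f"{{{pkt['proto'].upper()}}} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")


def run(rules, packets, engine):
    """Push every packet through the chosen engine and collect the alert lines."""
    lines = []
    for pkt in packets:
        rule = engine(rules, pkt)
        if rule is not None:
            lines.append(fast_alert(rule, pkt))
    return lines


def filter_alerts(lines, max_priority):
    """Keep only alerts whose priority number is <= max_priority (drop the noise)."""
    kept = []
    for line in lines:
        m = PRIO_RE.search(line)
        if m and int(m.group(1)) <= max_priority:
            kept.append(line)
    return kept


# Constructed rules: the noisy low-priority rule is deliberately first in the chain.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"WEB-MISC generic GET"; content:"GET "; sid:1000001; priority:3;)',
    'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd"; content:"/etc/passwd"; sid:1000002; priority:1;)',
    'alert tcp any any -> any any (msg:"SHELLCODE x86 NOP"; content:"|90 90 90 90|"; sid:1000003; priority:1;)',
]]

# Constructed packets, already decoded and reassembled by the preprocessors.
PACKETS = [
    {'proto': 'tcp', 'src': '10.0.0.5:41234', 'dst': '192.168.1.10', 'dport': 80,
     'payload': b'GET /cgi-bin/view?file=/etc/passwd HTTP/1.0\r\n\r\n'},
    {'proto': 'tcp', 'src': '10.0.0.7:52000', 'dst': '192.168.1.10', 'dport': 80,
     'payload': b'GET /index.html HTTP/1.0\r\n\r\n'},
    {'proto': 'udp', 'src': '10.0.0.9:5353', 'dst': '192.168.1.10', 'dport': 53,
     'payload': b'\x00\x01'},
]
```

With first_match the /etc/passwd rule never fires on the first packet because the generic GET rule sits ahead of it, so filtering the alert file down to priority 1 leaves nothing; with best_match the same traffic yields a priority-1 alert. That is the ordering problem the text describes: a low-priority catch-all rule placed early in a 1.x rule chain silences the severe rules behind it.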
Part 2: CONFIGURING AND TESTING AN INTRUSION DETECTION SYSTEM WITH THE SNORT IDS SOFTWARE.

I. Introduction to the Snort IDS software:
1. Definition of Snort:
- Snort is an open-source product developed to detect unauthorised intrusions into a system on the basis of pre-established rules; those rules are based on signatures, protocols and anomalies.
- Snort uses rules stored in text files that the administrator can edit. Rules are grouped into categories, and the rules of each category are kept in separate files. Snort's main configuration file is snort.conf. Snort reads these rules at start-up and builds internal data structures that allow the rules to catch packets matching their patterns. Finding signatures and using them in rules is a matter that requires finesse, because the more rules are in use, the more processing power is needed to keep up with real traffic. Snort ships with a set of predefined rules for detecting intrusion activity; administrators can add rules of their own or remove some of the predefined rules to avoid false alarms.
- A Snort deployment consists of one or more sensors and a central database server. Sensors can be placed in front of or behind the firewall:
+ to monitor attacks against the firewall and the network
+ to record attacks that got through the firewall successfully
2. Components of Snort: as described in section 3.1.2 above (packet decoder, preprocessors, detection engine, logging and alerting system, output modules).
3. Operating modes of Snort: as described in section 3.1.3 above (sniffer, packet logger, NIDS).
II. Installation and configuration:
